Earlier this year, a security flaw identified as CVE-2021-41773 was disclosed to Apache HTTP Server Project, a path traversal and remote code execution (RCE) flaw in Apache HTTP Server 2.4.49. If this vulnerability is exploited, it allows attackers to map URLs to files outside the directories configured by Alias-like directives. Under certain configurations where Common Gateway Interface (CGI) scripts are enabled for aliased paths, attackers can also use it for RCE. As the initial fix was deemed insufficient, a bypass was later reported for the fix and tracked as CVE-2021-42013.
Official fixes have been rolled out by Apache HTTP Server Project. However, when we looked at the malicious samples abusing this vulnerability, we found more of these exploits being abused to target different gaps in products and packages for malicious mining of Monero. In this blog, we look into the abuse of GitHub and Netlify repositories and platforms for hosting cryptocurrency-mining tools and scripts. We have already informed GitHub and Netlify of the malicious activities and they have taken down the accounts.
We observed attackers targeting the following package and products via security vulnerabilities disclosed in 2020 and 2021 for malicious cryptocurrency-mining activities through samples caught in our honeypots:
Services abused: Targeting Windows hosts
The miner samples we found work on and abuse both Windows and Linux platforms. While the exploits used differ according to the infrastructure targeted, the batch scripts we identified works on both. We saw the usage of Netlify and GitHub as the malware file servers for downloading batch scripts from an attacker-controlled account. The batch script is renamed as a temporary file and deleted after it starts running in the background.
The scripts (c3.bat) are a modified version of Monero-mining helper scripts abridged from GitHub, and these begin checking if the current session has administrative privileges. If the privilege is of the Administrator, then the ADMIN flags are set. Afterward, the length of the Monero wallet address is calculated. If the length is not 106 or 95 characters, the script exits. If it is 106 or 95, it jumps to “WALLET_LEN_OK” statement.
The script further conducts a series of checks in the system, such as if the USERPROFILE environment variable is defined, and whether utilities like wmic, powershell, find, findstr, and tasklist are available or not.
The wmic utility is used to further enumerate specific parameters in the system, such as the number of processors, maximum clock speed, L2 and L3 cache sizes, and CPU sockets. These values are later used to calculate the Monero mining rate of the Windows host. For different mining rates, different ports are used on the mining pool.
After identifying the CPU’s computing power, the running c3pool_miner is removed from the host. The zipped miner (c3.zip) is then downloaded from the attacker-controlled GitHub repository and PowerShell is used to unzip the downloaded file. If the unzip attempt fails, 7z is downloaded to extract the zipped file, and both the downloaded files (7za.exe and c3.zip) are deleted after.
The script also goes on to install the latest version of XMRig for Windows from the official repository. After unzipping the downloaded file, the 7z binary and XMRig ZIP files are removed. Once the miner is successfully installed, the config files are modified using PowerShell.
If the miner is already running (c3.exe), the execution jumps to an ALREADY_RUNNING label. If not, the miner is executed using the “start” command in the IDLE priority class. If the current user has administrative privileges, then execution jumps to the label ADMIN_MINER_SETUP. If not, persistence is added by modifying the Startup directory with the batch scripts to execute c3pool XMR miner with the configuration file.
A service is created from the c3cache_worker using the Non-Sucking Service Manager (NSSM). NSSM is a service helper program that helps install applications as services, and with it a user can specify logging to user-defined files.
Targeting Linux hosts
The shell script starts with an infinite loop to remove all competing cryptominers found in the infected system, such as kinsing, kdevtmpfsi, pty86, and .javae.
After all the competing miners are wiped out, the attribute of /var/spool/cron/root is made immutable and crontab is reloaded. Then, if there are any processes except java, redis, weblogic, mongod, mysql, oracle, tomcat, grep, postgres, confluence, awk, and aux that are raking up more than 60% of CPU usage, they are terminated.
A function “func1” (redacted) is called and the loop is reiterated after every 30 seconds.
We observed two content delivery networks (CDNs) being used as the FILE_CC_SERVER in GitHub and Netlify. In func1, a process “java.xnk” is checked for and if the CPU usage is above or equal to 60%, the process ID is fetched into a variable “p”. If the variable is empty, then the process is killed and three directories are created, namely:
- a. /var/tmp/java.xnk
- b. /var/lock/java.xnk
- c. /tmp/java.xnk
Different paths for “wget” and “curl” binaries are checked for and assigned to variable Wget. A file “java.xnk.bionic” is checked in the path “$DIR”. If the file doesn’t exist, the valid Wget command is used to download and copy the file named “bionic” (a Monero miner) and “config.json,” which contains the Monero wallet address. Executable permissions are assigned for the downloaded binary and the binary is executed via nohup.
Similarly, the following binaries are downloaded and executed in place of the file “bionic” and repeat the process:
- focal as java.xnk.focal
- freebsd as java.xnk.freebsd
- linuxstatic as java.xnk.linux
- xenial as java.xnk.xenial
- xmr-stak as java.xnk.stak
Based on the frequency of attempts on the targeted products and the particular package in the past month, we believe there are more servers that remain unpatched and exposed to these exploits. More importantly, malicious actors will continue targeting these products and package for intrusion based on the availability of the proofs of concept, as well as the higher likelihood that these servers have yet to be patched. Moreover, due to the wide usage of Linux and Windows platforms and the fact that all the miners identified here work on both, illicit cryptocurrency mining makes for a lucrative business with regard to the high volume of systems that can be targeted.
The abuse of legitimate platforms such as GitHub and Netlify will continue due to the traffic being encrypted over HTTPS. If the machines targeted have intrusion detection and prevention solutions (IDS/IPS) in place, network artifacts will not contribute for detection. Moreover, IP reputation services will not flag these platforms as malicious because they are legitimate sources of programs and organizations. The CDNs of both platforms also offer ease and convenience in setting up an operation, as well as provide availability and speed — thus also aiding malicious actors with a wide and fast malware infection capability regardless of a victim’s location. These two factors in CDNs will likely prompt a development in the behavior of malicious actors who abuse these platforms for infection, even for routines and attacks unrelated to cryptocurrency mining.
From another perspective, the malicious actors targeting these devices can appear almost unsophisticated considering the use of public proofs for attacks. The actors also operate on a regular basis and target as many machines as they can, given that they continue operating and getting cryptocurrency in their respective wallets despite the suspension of their GitHub and Netlify accounts.
Trend Micro solutions
Enterprises should consider using security solutions such as the Trend Micro Cloud One™ platform, which protects cloud-native systems by securing continuous integration and continuous delivery (CI/CD) pipelines and applications. The platform includes:
- Workload Security: runtime protection for workloads. Trend Micro Cloud One clients are protected from this threat under these rules:
Intrusion Prevention Rules
- 1011171 – Apache HTTP Server Directory Traversal Vulnerability (CVE-2021-41773 and CVE-2021-42013)
- 1011183 – Apache HTTP Server Server-Side Request Forgery Vulnerability (CVE-2021-40438)
- 1011117 – Atlassian Confluence Server Remote Code Execution Vulnerability (CVE-2021-26084)
- 1011177 – Atlassian Confluence Server Arbitrary File Read Vulnerability (CVE-2021-26085)
- 1010850 – VMware vCenter Server Remote Code Execution Vulnerability (CVE-2021-21972 and CVE-2021-21973)
- 1010983 – VMware vCenter Server Remote Code Execution Vulnerability (CVE-2021-21985)
- 1011167 – VMware vCenter Server File Upload Vulnerability (CVE-2021-22005)
- 1005934 – Identified Suspicious Command Injection Attack
- 1005933 – Identified Directory Traversal Sequence In Uri Query Parameter
- 1010388 – F5 BIG-IP TMUI Remote Code Execution Vulnerability (CVE-2020-5902)
- 1010590 – Oracle WebLogic Server Remote Code Execution Vulnerabilities (CVE-2020-14882, CVE-2020-14750 and CVE-2020-14883)
- 1011212 – F5 BIG-IP and BIG-IQ iControl REST Authentication Bypass Vulnerability (CVE-2021-22986)
Log Inspection Rules
- 1003447 – Web Server – Apache
Integrity Monitoring Rules
- 1002851 – Application – Apache HTTP Server
- Network Security: cloud network layer intrusion prevention system (IPS) security. Trend Micro Cloud One clients are protected from this threat under these rules:
- 1125: HTTP: ../.. Directory Traversal
- 40260: HTTP: Atlassian Confluence Server and Data Center OGNL Injection Vulnerability
- 40417: HTTP: Atlassian Confluence Server S Endpoint Information Disclosure Vulnerability
- 39077: TCP: VMware vSphere Client vropspluginui Code Execution Vulnerability
- 39923: HTTP: VMware vCenter Server Remote Code Execution Vulnerability
- 40382: HTTP: VMware vCenter AsyncTelemetryController Arbitrary File Write Vulnerability
- 40361: HTTP: VMware vCenter Analytics service File Upload
- 39352: HTTP: F5 BIG-IP iControl REST Interface Login Request
- 39364: HTTP: F5 BIG-IP bash Suspicious Command Execution Request
- 39313: HTTP: F5 BIG-IP TMM Buffer Overflow Vulnerability
- 22087: HTTPS: F5 iControl iCall Script Privilege Escalation Vulnerability
- 37841: HTTP: F5 BIG-IP TMUI Code Execution Vulnerability
- 39360: HTTP: F5 BIG-IP iControl REST filePath Command Injection Vulnerability
- 38380: HTTP: Oracle WebLogic Server Remote Code Execution Vulnerability
Indicators of Compromise (IOCs)
View the full list of IOCs here.