ALPS blog

Vulnerabilities Exploited for Monero Mining Malware Delivered via GitHub, Netlify

Earlier this year, a security flaw identified as CVE-2021-41773 was disclosed to Apache HTTP Server Project, a path traversal and remote code execution (RCE) flaw in Apache HTTP Server 2.4.49. If this vulnerability is exploited, it allows attackers to map URLs to files outside the directories configured by Alias-like directives. Under certain configurations where Common Gateway Interface (CGI) scripts are enabled for aliased paths, attackers can also use it for RCE. As the initial fix was deemed insufficient, a bypass was later reported for the fix and tracked as CVE-2021-42013.

Official fixes have been rolled out by Apache HTTP Server Project. However, when we looked at the malicious samples abusing this vulnerability, we found more of these exploits being abused to target different gaps in products and packages for malicious mining of Monero. In this blog, we look into the abuse of GitHub and Netlify repositories and platforms for hosting cryptocurrency-mining tools and scripts. We have already informed GitHub and Netlify of the malicious activities and they have taken down the accounts.

Technical details

We observed attackers targeting the following package and products via security vulnerabilities disclosed in 2020 and 2021 for malicious cryptocurrency-mining activities through samples caught in our honeypots:

1.       Atlassian Confluence (CVE-2021-26084 and CVE-2021-26085)

2.       F5 BIG-IP (CVE-2020-5902 and CVE-2021-22986)

3.       VMware vCenter (CVE-2021-22005, CVE-2021-21985, CVE-2021-21972, and CVE-2021-21973)

4.       Oracle WebLogic Server (CVE-2020-14882, CVE-2020-14750, and CVE-2020-14883)

5.       Apache HTTP Server (CVE-2021-40438, CVE-2021-41773, and CVE-2021-42013)

figure1-vulnerabilities-exploited-for-monero-mining-malware-delivered-via-github-netlify
Figure 1. Exploits attempting to abuse servers for malicious cryptocurrency mining from October 19 to November 19, 2021. Data taken from Trend Micro Cloud One™ – Workload Security.

We found it interesting that all the products and the particular package have had widely distributed public proofs of concept for pre-auth RCE. Looking at the Monero wallet from one such mining pool, we saw that the operation is still ongoing and actively accumulating Monero as of this writing.

figure2-vulnerabilities-exploited-for-monero-mining-malware-delivered-via-github-netlify
Figure 2. Cryptocurrency-mining pool

Services abused: Targeting Windows hosts

figure3-vulnerabilities-exploited-for-monero-mining-malware-delivered-via-github-netlify
Figure 3. Infection chain

The miner samples we found work on and abuse both Windows and Linux platforms. While the exploits used differ according to the infrastructure targeted, the batch scripts we identified works on both. We saw the usage of Netlify and GitHub as the malware file servers for downloading batch scripts from an attacker-controlled account. The batch script is renamed as a temporary file and deleted after it starts running in the background.

The scripts (c3.bat) are a modified version of Monero-mining helper scripts abridged from GitHub, and these begin checking if the current session has administrative privileges. If the privilege is of the Administrator, then the ADMIN flags are set. Afterward, the length of the Monero wallet address is calculated. If the length is not 106 or 95 characters, the script exits. If it is 106 or 95, it jumps to “WALLET_LEN_OK” statement.

figure4-vulnerabilities-exploited-for-monero-mining-malware-delivered-via-github-netlify
Figure 4. The batch scripts observed are modified versions of helper scripts abridged from GitHub.
figure5-vulnerabilities-exploited-for-monero-mining-malware-delivered-via-github-netlify
Figure 5. Checks for administrative privileges and “XMR WALLET” flag to calculate address length

The script further conducts a series of checks in the system, such as if the USERPROFILE environment variable is defined, and whether utilities like wmic, powershell, find, findstr, and tasklist are available or not.

figure6-vulnerabilities-exploited-for-monero-mining-malware-delivered-via-github-netlify
Figure 6. Checking the system for availability of environment variable and utilities
figure7-vulnerabilities-exploited-for-monero-mining-malware-delivered-via-github-netlify
Figure 7. Getting the results for utilities’ availability in the system

The wmic utility is used to further enumerate specific parameters in the system, such as the number of processors, maximum clock speed, L2 and L3 cache sizes, and CPU sockets. These values are later used to calculate the Monero mining rate of the Windows host. For different mining rates, different ports are used on the mining pool.

figure8-vulnerabilities-exploited-for-monero-mining-malware-delivered-via-github-netlify
Figure 8. Enumerating the system’s parameters to determine cryptocurrency mining rate

After identifying the CPU’s computing power, the running c3pool_miner is removed from the host. The zipped miner (c3.zip) is then downloaded from the attacker-controlled GitHub repository and PowerShell is used to unzip the downloaded file. If the unzip attempt fails, 7z is downloaded to extract the zipped file, and both the downloaded files (7za.exe and c3.zip) are deleted after.

figure9-vulnerabilities-exploited-for-monero-mining-malware-delivered-via-github-netlify
Figure 9. Removing traces of the downloaded files after extraction

The script also goes on to install the latest version of XMRig for Windows from the official repository. After unzipping the downloaded file, the 7z binary and XMRig ZIP files are removed. Once the miner is successfully installed, the config files are modified using PowerShell.

figure10-vulnerabilities-exploited-for-monero-mining-malware-delivered-via-github-netlify
Figure 10. Installing the latest XMR version in the system
figure11-vulnerabilities-exploited-for-monero-mining-malware-delivered-via-github-netlify
Figure 11. Configuring and modifying the installed miner

If the miner is already running (c3.exe), the execution jumps to an ALREADY_RUNNING label. If not, the miner is executed using the “start” command in the IDLE priority class. If the current user has administrative privileges, then execution jumps to the label ADMIN_MINER_SETUP. If not, persistence is added by modifying the Startup directory with the batch scripts to execute c3pool XMR miner with the configuration file.

figure12-vulnerabilities-exploited-for-monero-mining-malware-delivered-via-github-netlify
Figure 12. Configuring the miner’s admin privileges and persistence

A service is created from the c3cache_worker using the Non-Sucking Service Manager (NSSM). NSSM is a service helper program that helps install applications as services, and with it a user can specify logging to user-defined files.

figure13-vulnerabilities-exploited-for-monero-mining-malware-delivered-via-github-netlify
Figure 13. Using NSSM to constantly run the miner as a background application in the infected system

Targeting Linux hosts
The shell script starts with an infinite loop to remove all competing cryptominers found in the infected system, such as kinsing, kdevtmpfsi, pty86, and .javae.

figure14-vulnerabilities-exploited-for-monero-mining-malware-delivered-via-github-netlify
Figure 14. Removing all the cryptocurrency-mining competitors and their components found in the infected system in a loop

After all the competing miners are wiped out, the attribute of /var/spool/cron/root is made immutable and crontab is reloaded. Then, if there are any processes except java, redis, weblogic, mongod, mysql, oracle, tomcat, grep, postgres, confluence, awk, and aux that are raking up more than 60% of CPU usage, they are terminated.

figure15-vulnerabilities-exploited-for-monero-mining-malware-delivered-via-github-netlify
Figure 15. Stopping all other processes except those necessary for running a miner in the system

A function “func1” (redacted) is called and the loop is reiterated after every 30 seconds.

We observed two content delivery networks (CDNs) being used as the FILE_CC_SERVER in GitHub and Netlify. In func1, a process “java.xnk” is checked for and if the CPU usage is above or equal to 60%, the process ID is fetched into a variable “p”. If the variable is empty, then the process is killed and three directories are created, namely:

  • a.       /var/tmp/java.xnk
  • b.       /var/lock/java.xnk
  • c.       /tmp/java.xnk
figure16-vulnerabilities-exploited-for-monero-mining-malware-delivered-via-github-netlify
Figure 16. The variable DIR contains the value of the valid TMP directory that was created.

Different paths for “wget” and “curl” binaries are checked for and assigned to variable Wget. A file “java.xnk.bionic” is checked in the path “$DIR”. If the file doesn’t exist, the valid Wget command is used to download and copy the file named “bionic” (a Monero miner) and “config.json,” which contains the Monero wallet address. Executable permissions are assigned for the downloaded binary and the binary is executed via nohup.

Similarly, the following binaries are downloaded and executed in place of the file “bionic” and repeat the process:

  1. focal as java.xnk.focal
  2. freebsd as java.xnk.freebsd
  3. linuxstatic as java.xnk.linux
  4. xenial as java.xnk.xenial
  5. xmr-stak as java.xnk.stak
figure17-vulnerabilities-exploited-for-monero-mining-malware-delivered-via-github-netlify
Figure 17. Assigning binaries to Wget and executable permissions

Conclusion

Based on the frequency of attempts on the targeted products and the particular package in the past month, we believe there are more servers that remain unpatched and exposed to these exploits. More importantly, malicious actors will continue targeting these products and package for intrusion based on the availability of the proofs of concept, as well as the higher likelihood that these servers have yet to be patched. Moreover, due to the wide usage of Linux and Windows platforms and the fact that all the miners identified here work on both, illicit cryptocurrency mining makes for a lucrative business with regard to the high volume of systems that can be targeted.

The abuse of legitimate platforms such as GitHub and Netlify will continue due to the traffic being encrypted over HTTPS. If the machines targeted have intrusion detection and prevention solutions (IDS/IPS) in place, network artifacts will not contribute for detection. Moreover, IP reputation services will not flag these platforms as malicious because they are legitimate sources of programs and organizations. The CDNs of both platforms also offer ease and convenience in setting up an operation, as well as provide availability and speed — thus also aiding malicious actors with a wide and fast malware infection capability regardless of a victim’s location. These two factors in CDNs will likely prompt a development in the behavior of malicious actors who abuse these platforms for infection, even for routines and attacks unrelated to cryptocurrency mining.

From another perspective, the malicious actors targeting these devices can appear almost unsophisticated considering the use of public proofs for attacks. The actors also operate on a regular basis and target as many machines as they can, given that they continue operating and getting cryptocurrency in their respective wallets despite the suspension of their GitHub and Netlify accounts.

Trend Micro solutions

Enterprises should consider using security solutions such as the Trend Micro Cloud One™ platform, which protects cloud-native systems by securing continuous integration and continuous delivery (CI/CD) pipelines and applications. The platform includes:

  • Workload Security: runtime protection for workloads. Trend Micro Cloud One clients are protected from this threat under these rules:

Intrusion Prevention Rules

  1. 1011171 – Apache HTTP Server Directory Traversal Vulnerability (CVE-2021-41773 and CVE-2021-42013)
  2. 1011183 – Apache HTTP Server Server-Side Request Forgery Vulnerability (CVE-2021-40438)
  3. 1011117 – Atlassian Confluence Server Remote Code Execution Vulnerability (CVE-2021-26084)
  4. 1011177 – Atlassian Confluence Server Arbitrary File Read Vulnerability (CVE-2021-26085)
  5. 1010850 – VMware vCenter Server Remote Code Execution Vulnerability (CVE-2021-21972 and CVE-2021-21973)
  6. 1010983 – VMware vCenter Server Remote Code Execution Vulnerability (CVE-2021-21985)
  7. 1011167 – VMware vCenter Server File Upload Vulnerability (CVE-2021-22005)
  8. 1005934 – Identified Suspicious Command Injection Attack
  9. 1005933 – Identified Directory Traversal Sequence In Uri Query Parameter
  10. 1010388 – F5 BIG-IP TMUI Remote Code Execution Vulnerability (CVE-2020-5902)
  11. 1010590 – Oracle WebLogic Server Remote Code Execution Vulnerabilities (CVE-2020-14882, CVE-2020-14750 and CVE-2020-14883)
  12. 1011212 – F5 BIG-IP and BIG-IQ iControl REST Authentication Bypass Vulnerability (CVE-2021-22986)

Log Inspection Rules

  1. 1003447 – Web Server – Apache

Integrity Monitoring Rules

  1. 1002851 – Application – Apache HTTP Server
  • Network Security: cloud network layer intrusion prevention system (IPS) security. Trend Micro Cloud One clients are protected from this threat under these rules:
  1. 1125: HTTP: ../.. Directory Traversal
  2. 40260: HTTP: Atlassian Confluence Server and Data Center OGNL Injection Vulnerability
  3. 40417: HTTP: Atlassian Confluence Server S Endpoint Information Disclosure Vulnerability
  4. 39077: TCP: VMware vSphere Client vropspluginui Code Execution Vulnerability
  5. 39923: HTTP: VMware vCenter Server Remote Code Execution Vulnerability
  6. 40382: HTTP: VMware vCenter AsyncTelemetryController Arbitrary File Write Vulnerability
  7. 40361: HTTP: VMware vCenter Analytics service File Upload
  8. 39352: HTTP: F5 BIG-IP iControl REST Interface Login Request
  9. 39364: HTTP: F5 BIG-IP bash Suspicious Command Execution Request
  10. 39313: HTTP: F5 BIG-IP TMM Buffer Overflow Vulnerability
  11. 22087: HTTPS: F5 iControl iCall Script Privilege Escalation Vulnerability
  12. 37841: HTTP: F5 BIG-IP TMUI Code Execution Vulnerability
  13. 39360: HTTP: F5 BIG-IP iControl REST filePath Command Injection Vulnerability
  14. 38380: HTTP: Oracle WebLogic Server Remote Code Execution Vulnerability

Indicators of Compromise (IOCs)

View the full list of IOCs here.

Share on facebook
Facebook
Share on twitter
Twitter
Share on linkedin
LinkedIn

Featured News