New Miner Hijacker RDPMiner Adds Malicious Accounts to Victimized Hosts
By Fan Wu, Security Engineer, and Nianjing Wu, Senior Security Engineer
Credential stuffing is a popular technique of finding the entry point for intrusion into computer systems, where low IoT security creates a distributed platform to launch these attacks, while weak passwords serve as enablers for successful intrusions. This technique is widely applied to login points across a variety of exposed software, including Windows RDP (Remote Desktop Connection). Combined with digital coin mining and self-replication, RDPMiner became a powerful, almost self-sustaining network of infected machines monetized through the use of the resources.
While this attack is indiscriminate, created to harness the resources of thousands of server machines, we suspect that there might be a hidden layer of monetization. We estimate less than 10 dollars per day earned by attackers from the entire network of infected servers with current prices of digital coins, which is not high enough to justify the investment. It is quite possible, that affected servers undergo additional analysis to launch APT attacks on selected owners. While we do not have evidence of this, we strongly encourage to consider any intrusion, even as seemingly “benign”, as a serious breach of enterprise security, that can potentially lead to leakage of sensitive data or follow up attacks on the infrastructure. Companies should use proactively employ multiple layers of defense, starting from best practices in configuration and password protection, to enabling WAF for extra protection.
Head of Security Innovation Labs, Alibaba Cloud
Recently, Alibaba Cloud security engineers have detected a new type of cryptocurrency mining hijacker, RDPMiner, which spreads by launching brute-force attacks on the RDP service of Windows server port 3389. As a result of the attack, the host CPU usage increases rapidly, the computer slows down, and, even worse, a new account named “DefaultAccount” is silently created. This account allows attackers to easily log on the server remotely, threatening the user’s business and data security.
According to the hash rate published by a mining pool connected to RDPMiner, we estimate that this pool has over 2000 machines connecting for mining. Alibaba Cloud security experts believe that the malware continues to spread and is highly active. Weak passwords of user management accounts create favorable conditions for the attackers.
In this article we present our analysis of the intrusion process and describe the way RDPMiner is monetized, as well as show the countermeasure and preservation techniques the malware uses, reconstructing the whole RDPMiner intrusion chain. Finally, we make suggestions to how to make this attack less likely to succeed by adjusting the password settings.
Alibaba Cloud customers reported rapid increases in CPU usage and the inexplicable creation of an account named DefaultAccount on their Windows servers. At the same time, the Alibaba Cloud Firewall detected a large number of RDP requests from these servers. After an in-depth analysis, Alibaba Cloud security engineers found that a cryptocurrency mining program was running on the affected servers, sharply increasing their CPU usage.
Further analysis indicated that the attacker used”RDPMiner”malware to launch brute-force attacks on the RDP service, create DefaultAccounts, modify the registry, and start mining. Moreover, the attacker used infected servers to launch brute-force attacks on other hosts for intrusion, profiting, persistence, and other malicious activities.
In addition, RDPMiner attackers were very cautious. The attacker encrypted most binary programs as self-extracting archives (SFXRAR) and deleted these programs using a cleaned-up script after execution. Alibaba Cloud first detected this malware in November 2017, more than a year ago.
In the latest RDPMiner campaign, the number of attacking IP addresses was evenly distributed across Iran, U.S., and China. In China, most attacking IP addresses were botnet hosts used to initiate attacks after being infected. Therefore, the attack was initiated from IP addresses located in Iran and U.S.
Figure 1. Distribution of source IP address
Analysis of the RDPMiner Attack and Propagation
Figure 2. Malware attack chain diagram
As shown in the above figure, after an attacker successfully takes over a computer, a multi-function malicious program toolkit “sector-v1.exe”in “c:usersadministratordesktop” directory is first inserted and runs to initiate the next round of RDP brute-force attacks. All programs in the toolkit are encrypted as SFXRAR files, and passwords are required to start these programs.
Figure 3. Operation interface of the malicious toolkit
Based on the process startup record, the attacker uses “c-f 4 reza” in the toolkit to download “c-f4r.exe” from http://184.108.40.206:8082 and runs “c-f4r.exe” to extract multiple malicious executable programs, including d-f.exe, m-r.exe, res.exe, and A-C-M.exe. The payload server 220.127.116.11 is associated with many other malicious activities according to Alibaba Cloud security intelligence knowledge base. This IP address is also reported by AbuseIPDB. We suggest that special attentions should be paid to this IP address.
After A-C-M.exe is executed, more malicious programs, scripts, and configuration files are extracted, including svchost.exe, ds.exe, nl.exe, user.txt, pass.txt, and backdoor-reg-nl-restart.bat.
After svchost.exe, the mining program serverGui.exe is created and started. In addition, the commands shown in the following script are executed to add the malicious account DefaultAccount and modify the registry to add svchost.exe to System Startup in Windows, enabling persistent attacks.
Figure 4. How the svchost.exe file is generated
The original name of nl.exe is NLBrute.exe, which was one of the earliest software created by Russian-speaking actors (due to the Russian language user interface) to attack port 3389 of the Windows system. Attackers use nl.exe to further expand the attack scope by spreading the malware.
Figure 5. RDPMiner activity timeline
As shown in the figure, attackers have been using a variety of tools to initiate RDP brute-force attacks and mining attacks since November 2017. In addition to nl.exe (NLBrute.exe), other scan tools, such as kportscan3.exe, have been used. Similarly, to avoid the malware detection and mitigation on the cloud, the mining tool used by attackers has undergone at least two iterations.
Figure 6. Mining tool name change timeline
Despite the ever-changing names and hash values of the mining tools used by attackers, the tool is essentially a modified version of the open source mining software XMRig, and therefore is used in a way similar to XMRig.
Functions of Each RDPMiner Module
Step1. Intrusion: Launching RDP Brute-Force Attacks
A-C-M.exe is used to extract the files shown in the following figure. After A-C-M.exe is executed, nl.exe (widely known as NLBrute.exe) is called to launch brute-force attacks on port 3389.
Figure 7. Files released after A-C-M.exe is executed
After A-C-M.exe is executed, the IP addresses stored in files Part1 to Part17 are loaded. The total number of IP addresses is 427,975 before deduplication and 427,934 after deduplication. The nl.exe program loads these IP address and launches brute-force attacks continuously for half an hour. Then, backdoor-reg-nl-restart is called to delete the programs and IP addresses without leaving any trace on hosts, making it difficult to capture samples.
Step 2. Monetizing: Mining
Attackers run A-C-M.exe to release svchost.exe (path: C:/Windows/debug/svchost.exe), and then run svchost.exe to release ServerGUi.exe (path: C:/Users/Administrator/AppData/Local/Temp/2/ServerGUi.exe) for mining. ServerGUi.exe is a modified version of XMRig and supports the following commands:
Figure 8. List of commands supported by ServerGUi.exe
Currently, the average daily hash rate of the attacker’s wallet address on a mining pool is about 25 kH/s where thousands of servers on the Internet are connecting to this mining pool. This 25 kH/s mining rate means that an attacker’s daily profit is only about US$ 8.73. The mining profit is not as attractive as it used to be due to a massive cryptocurrency slump. This low mining profit, combined with a continuous operation, could be an indirect indication that attackers may already use, or soon seek, additional monetization approaches.
Figure 9. Records of an attacker’s wallet address in the supportxmr.com mining pool
Step 3. Countermeasures and Preservation: Creating RDP Accounts, Modifying the Registry, and Cleaning Up the Traces
To combat analysis by security researchers, the attacker encrypts all SFX files with a password. When A-C-M.exe is executed, the files are self-extracted and the related scripts are executed. The following figure shows the SFX script commands contained in the A-C-M.exe file. When A-C-M.exe is decrypted, nl.exe and backdoor-reg-nl-restart are executed.
;The comment below contains SFX script commands Path=C:\Users\Administrator\Desktop Setup=nl.exe Setup=backdoor-reg-nl-restart Overwrite=1 Silent=1
As mentioned earlier, the attackers run nl.exe to launch RDP brute-force attacks and add DefaultAccounts using the Opppps.bat script. To prevent these accounts from being detected and deleted by the system admin, svchost.exe also runs “cmd /c REG add HKLMSoftwareMicrosoftWindowsCurrentVersionRun /v” to add itself as a startup program.
In addition, to disable the Windows UAC prompt from being perceived by users when svchost.exe is running, svchost.exe also calls the registry commands shown in the following figure. This sets the “EnableLUA” registry key and disables the Windows build-in firewall.
After external scanning and registry modification, “backdoor-reg-nl-restart” script is executed to terminate all related processes and clean up the files released by the malware. The duration of the port 3389 scanning task is set to only 1,800 seconds (30 minutes) or 3,600 seconds (one hour) which makes it difficult to capture. The following figure shows the content of “backdoor-reg-nl-restart”:
start taskmgr net user administrator /active:no ...timeout 1800 DEL /F /Q "C:\Windows\debug\user.reg" DEL /F /Q "C:\Windows\debug\ta.reg" DEL /F /Q "C:\Windows\debug\Dwd.reg" taskkill /im nl.exe /f taskkill /im nl.exe /f taskkill /im nl.exe /f DEL /F /Q "C:\Users\%username%\Desktop\nl.exe" DEL /F /Q "C:\Users\%username%\Desktop\nl.exe" DEL /F /Q "C:\Users\%username%\Desktop\nl.exe" DEL /F /Q "C:\Users\%username%\Desktop\pass.txt" DEL /F /Q "C:\Users\%username%\Desktop\user.txt" DEL /F /Q "C:\Users\%username%\Desktop\settings.ini" taskkill /im A-C-M.exe /f DEL /F /Q "C:\Users\%username%\Desktop\A-C-M.exe" DEL /F /Q "C:\Users\%username%\Desktop\part1.txt" DEL /F /Q "C:\Users\%username%\Desktop\part2.txt" ... DEL /F /Q "C:\Users\%username%\Desktop\part17.txt" echo HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options >>temp.ini regini temp.ini del temp.ini net user administrator /active:yes DEL "%~f0"
Alibaba Cloud security experts recommends making two security changes to help users protect themselves against RDPMiner:
- The success of brute-force attacks on the port 3389 is caused by administrators choosing weak RDP passwords. Even with a strong password, enabling Cloud Firewall from Alibaba Cloud will help protect against host brute-force attacks and implement additional security isolation.
- If your servers are already infected by RDPMiner, security experts from Alibaba Cloud Managed Security Service can help clean up viruses and enhance security.
We acknowledge Jincheng Liu for his contribution on malware reverse engineering and analysis.
Mining Pool Address
Malicious Program DNS Request