Source: Tencent Mimi Threat Intelligence Center
The Tencent Security Miami Threat Intelligence Center detected that the group used the Apache Struts 2 remote command execution vulnerability (CVE-2017-5638) to attack the windows server. From the list of files used by the group, the attack was mainly carried out through blasting or exploit, and targeted at windows About 270 servers have been controlled by the server. There are 44 servers that have been issued mining trojans. The group has earned 35,000 yuan from mining Monero coins.
- How to start a blockchain fairly or unfairly?
- Babbitt Column | Blockchain + Digging Mining: Collision between New and Old Mining
- Getting started with blockchain | Explosion is “mining”? 6 kinds of common mining types, which are not reliable?
- LAVA for your interpretation: Xiaobai can also understand the PoC capacity proof entry
- Jianan will be listed, and these 20 A-share “mining concept stocks” will know in advance?
- The rise of the PoS mechanism can bring "new mining market" to the fire?
Looking at the gang HFS server file list, you can see multiple scanning and blasting tools, exploit tools, password grabbing tools, remote control tools, and port forwarding tools.
The hacker used the 1433 scanning tool to blast the sqlserver server with the password table:
3389 Blasting tool NLBrute 1.2
Exploitation of Apache Struts2 Remote Command Execution Vulnerability (CVE-2017-5638)
After successfully invading the server, the mining module 2020.exe is issued.
Mining Pool: xmr.f2pool.com:13531
At present, 90 XMRs have been dug, with a market value of about 35886 RMB
Port forwarding tool ok.exe infected by ramnit worm
The port forwarding tool on the hacker server has been infected by ramnit, and the entry point has been modified in the last .text section
Ramnit C2: 220.127.116.11:447, 18.104.22.168:447, 22.214.171.124:80
After removing the ramnit infection code, it is actually a port forwarding tool
Therefore, the hacked windows server will also be infected with the Ramnit worm. The Ramnit worm is a computer worm that affects Windows systems. Ramnit infected removable media, such as USB drives, are also hidden in the master boot record. Mainly infect files with .exe, .dll, .htm, and .html extensions. During the peak of 2015, Ramnit had infected more than 3 million computers.
Third, homology analysis
According to the wallet address, it can be associated with the bulk wallets of the "CryptoSink" operation announced by the F5 research team in March last year. At that time, 70 Monero coins were mined. It can be seen that the mining attack activity is still the same as "CryptoSink" Big relationship.
Fourth, security recommendations
In view of the characteristics of this black gang, we recommend that corporate users refer to the following methods to relieve risks:
1. It is recommended to modify the default port of the remote desktop or restrict the IP addresses allowed to access;
2. Upgrade Apache Struts 2 to the latest version to fix security holes. Affected versions Struts 2.3.5-Struts 2.3.31, Struts 2.5-Struts 2.5.10;
3. Modify the sqlserver password. Do not use weak passwords. Weak passwords can be easily invaded by blasting. The compromise of the SQL server may also lead to a serious risk of information leakage.
Mining pool: xmr.f2pool.com:13531 Wallet: 48aZSQhyDBCZokwmVd5HG5Gp7UrAeLVuVmZbKcs4rTZTx1UXGECxbePXha3qncffYYhJjG5FRGxM1scV9dbN62VCGiPdtQ
URL hxxp: //126.96.36.199: 808 /
MD5 fabd73f8bf2bc803703778457c068936 81c965ac62471ab62e85ca441d0031e6