Search This Blog

Showing posts with label Monero. Show all posts

Chimaera Toolkit Found on Thousands of Windows and Linux Systems Worldwide

 

AT&T's Alien Labs security branch has raised the alarm about a TeamTNT malware campaign that has gone almost totally undiscovered by anti-virus systems and is converting target machines into bitcoin miners, according to the company. TeamTNT, dubbed "one of the most active threat organizations since 2020" by Alien Labs researcher Ofer Caspi, is notorious for its exploitation - and misuse - of open-source security tools for anything from identifying susceptible targets to dumping remote-control shells. 

Last year, TeamTNT was discovered and linked to bitcoin mining malware being installed on susceptible Docker containers. Trend Micro discovered that the organization tries to steal AWS credentials in order to spread to other servers, while Cado Security discovered TeamTNT targeting Kubernetes installations more recently. 

The port scanner Masscan, libprocesshider software for running the TeamTNT bot from memory, 7z for file decompression, the b374k shell php panel for system control, and Lazagne are among TeamTNT's open-source tools. 

Palo Alto Networks' Unit 42 found Chimaera, a software repository that "highlights the expanding scope of TeamTNT operations within cloud environments as well as a target set for current and future operations," according to the company.

Now, AT&T's Alien Labs has shed additional light on Chimaera, claiming that it has been in use since July and is "responsible for thousands of infections globally" across Windows, Linux, AWS, Docker, and Kubernetes targets, all while eluding detection by anti-virus and anti-malware programmes. 

The usage of Lazagne, an open-source application developed with one goal in mind: collecting credentials from major browsers, is a significant element of the Chimaera toolkit. Another programme tries to find and exfiltrate Amazon Web Services (AWS) credentials, while an IRC bot serves as a command and control server.

"In this case, most of the used files that are placed on disk at some point lack a clear malicious purpose by themselves," Caspi told of the reason the malware could go undetected for so long. "The malicious processes injected into memory without touching the disk are harder to identify if they don't share indicators with previous malicious activity or perform any clearly malevolent activity." 

TeamTNT's primary objective is to mine Monero, a privacy-focused cryptocurrency, on victim hardware rather than harvesting credentials. "Mining cryptocurrency has always been TeamTNT's major goal," Caspi stated.

'Sysrv' - New Crypto-Mining Botnet is Silently Expanding it's Reach

 

It appears that the developers of the ‘Sysrv’ botnet have been working hard in putting out a more sophisticated version of their malware, as the latest surge in the associated activity is accompanied by expanded capabilities and persistence. The actors’ goal is to install Monero crypto miners and make a profit by burdening the machines of others.

Researchers at Juniper Threat Labs have been following the activity and sampled several iterations of the Sysrv since the start of the year and noticed several changes along the way. First of all, during the surge of the attacks, the exploits that were modified into Sysrv concerned the following six vulnerabilities:

• Mongo Express RCE (CVE-2019-10758)
• XXL-JOB Unauth RCE 
• XML-RPC (CVE-2017-11610) 
• CVE-2020-16846 (Saltstack RCE)
• ThinkPHP RCE 
• CVE-2018-7600 (Drupal Ajax RCE) 

By using these flaws, the actors infect a vulnerable system and use it as a Monero miner as well as a point to help the menace spread further. The worming function relies on random public IP scans using the same list of exploits while the payload is fetched from a hardcoded IP or domain via wget, curl, or PowerShell. The researchers noticed the use of two loader scripts, namely ldr.sh or ldr.sp1. 

Sysrv has two binary payloads, one for Linux and one for Windows systems. The miner component is merged with the worm into a single binary in the most recent versions of the malware, whereas previously, it was in the form of a separate binary. The campaign’s effectiveness seems to be moderate, as the researchers were able to confirm that the actors have made at least a couple of thousand USD on each mining pool since December 2020. By looking into the Shodan search engine’s exploits, it becomes clear that Sysrv was tuned to target systems that have been “abandoned.”

However, Sysrv is being actively developed, and its authors are adding more exploits that target recent flaws. The newer versions of the malware include CVE-2021-3129 (Laravel), CVE-2020-14882 (Oracle Weblogic), and CVE-2019-3396 (Widget Connector macro in Atlassian Confluence Server). This alone tells us that Sysrv is here to stay, and it’s going to get nastier with time.

New Self-Spreading Golang Worm Dropping XMRig Miner on Servers

 

Security researchers at Intezer have found a new self-spreading worm written in GoLang. The malware variant has been actively targeting both Windows and Linux servers, predominantly since December 2020. Researchers noted that the worm developed by China-based hackers attempts to mine Monero, an open-source cryptocurrency launched in 2014 which gained immense popularity and wide acceptance for its privacy-oriented features.
 
GoLang's rich library ecosystem makes it a top preference for malware developers, who can infiltrate the systems without being detected while working with GoLang's smooth malware creation process. The language makes it easier for hackers to bypass security as the malware written in GoLang is large-sized and scanning large files is beyond the capabilities of most of the antivirus software.

The 'GoLang' malware that has been dropping XMRig cryptocurrency miners on Windows and Linux servers, has worm-like capabilities that let it propagate itself to other systems through brute-forcing. 

The worm attacks application servers, non-HTTP services, and web application frameworks; it has targeted public-facing services rather than "the end-users". MySQL, Tomcat admin panel, and Jenkins are some of its latest victims. Besides, these public-facing services with weak passwords, the malware operators have also tried to compromise Oracle WebLogic Server by exploiting its remote code execution vulnerability – CVE-2020-14882, in an older variant.

Attack Execution 

The worm on the Command and Control (C&C) server was periodically updated by the operators, signifying the current "active" status of the malware. Once the target is being successfully compromised, the attack proceeds with deploying the loader script, a Golang binary worm, and an XMRig Miner – three files hosted on the aforesaid C&C server.

While giving insights into the matter, Chad Anderson, Senior Security Researcher at DomainTools said, “While it’s certainly alarming that there were no detections for this worm’s initial sample, that’s not surprising as Golang malware analysis tooling has still been playing a bit of catch up in the automation space,” 
 
“We would expect that with the rise in cryptocurrency prices over the last few weeks that actors looking to cash in for a few extra dollars would cause a surge in mining malware,” he further added. 
 
“The fact that the worm’s code is nearly identical for both its PE and ELF malware—and the ELF malware going undetected in VirusTotal—demonstrates that Linux threats are still flying under the radar for most security and detection platforms,” the report by Intezer read.

The Blue Mockingbird Malware Group Exploits Vulnerabilities in Organizations' Networks


Another notorious crypto-currency mining malware has surfaced which allegedly has been infecting the systems of countless organizations. The group with the control of operations goes by the code name of “Blue Mockingbird”.

The researchers who discovered it have reasons to believe that the Blue Mockingbird has been active since 2019’s last month. Per them, it also targets “public-facing servers” that run “ASP.NET” apps that use the “Telerik framework” for their User Interface (UI) aspect.

Reportedly, the vulnerability that the hackers exploit in the process is the “CVE-2019-18395” vulnerability which is then employed to embed a web shell on the target’s server. Per the same report, later on they employ a version of “the Juicy Potato technique” to obtain the admin-access and alter the server settings to get access to the “(re)boot persistence”.

After having obtained complete access to a system, sources mention, the malware group installs a version of XMRRig which is a famous crypto-currency mining application particularly for the “Monero (XMR)” crypto-currency.

As per reports, if the public-facing IIS servers are linked with a company’s internal network, the malware group has a probability of trying to expand internally through an improperly-secured Server Message Block (SMB) connections or Remote Desktop Protocol ((RDP).

The exact number of infections that the botnet has caused isn’t all too clear but if an estimate was to be made the operations include 1,000 infections at the least. There also doesn’t seem to be a way to find the intensity of the threat.

Not many organizations out of the ones that were being observed by the researchers have been hit with this particular threat. And over a really little amount of time that they were tracked the above-mentioned number of infections surfaced.

Nevertheless, all companies alike are susceptible to this attack, even the ones that think they are safe and the number of infections could be more than estimated.

As per sources, the Telerik UI component which is allegedly vulnerable is a part of ASP.NET applications that run on their latest versions, even then the Telerik component may have versions that are out-dated but harmful to organizations, nonetheless. This component could exist in the applications used by a company and they might not even know about it leaving them endangered.

The Telerik UI CVE-2019-18935 vulnerability, per reports, has been widely let known as the one that is employed to embed web shells on servers. Another mentioned that this vulnerability is the most exploited and organizations need to better their firewalls to fight it. If for some reason the organizations don’t happen to have a web firewall they could always look for warning precursors in the server and workstation, reports cite.

Blue Mockingbird , a cryptocurrancy mining campaign exploits web applications


Analysts at Red Canary, a cybersecurity firm have discovered a Monero cryptocurrency-mining campaign that exploits a deserialization vulnerability, CVE-2019-18935 in public-facing web applications built on ASP.NET web framework.


They named it "Blue Mockingbird", it uses the decentralized vulnerability found in Progress Telerik UI front-end offering for ASP.NET AJAX for remote code execution. AJAX (Asynchronous JavaScript and XML) is a tool used for adding the script to a webpage to be processed and executed by the browser.

This particular vulnerability CVE-2019-18935 is found in the RadAsyncUpload function, as stated by National Vulnerability Database. It is exploited by knowing the encryption key (by means of another attack or method).

The analyst traced backed the campaign to December and till April. The cybercriminals are using the unpatched versions of Telerik UI for ASP.NET, where the vulnerability has not been fixed and injecting the XMRig Monero-mining payload through the vulnerability and spreading it through the network.

XMRig is open-source and can be accumulated into custom tooling, as per the investigation by the analyst. Red Canary has discovered three unmistakable execution ways: Execution with rundll32.exe expressly calling the DLL trade fackaaxv; execution utilizing regsvr32.exe utilizing the/s command line choice, and execution with the payload arranged as a Windows Service DLL.

"Each payload comes compiled with a standard list of commonly used Monero-mining domains alongside a Monero wallet address,” state researchers at Red Canary, in a writeup. “So far, we’ve identified two wallet addresses used by Blue Mockingbird that are inactive circulation. Due to the private nature of Monero, we cannot see the balance of these wallets to estimate their success.”

To set up persistence, Blue Mockingbird hackers should initially first gain login and hoist their privileges, which they do utilize different strategies; for example, utilizing a JuicyPotato exploit to raise benefits from an IIS Application Pool Personality virtual account to the NT Authority\SYSTEM account. In another case, the Mimikatz apparatus (the authority marked version) was utilized to get login credentials.

After getting these logins and privileges, the Blue Mockingbird used multiple techniques like COR_PROFILER COM to execute DLL.

“To use COR_PROFILER, they used wmic.exe and Windows Registry modifications to set environment variables and specify a DLL payload,” the writeup briefed.

In preventing threats like these that exploit vulnerabilities, patches for web servers, web applications, and dependencies of the applications are the best firewall.