H2Miner
Level of caution: ★★★
Affected platforms: Windows/Linux
Virus execution body description
Attackers exploit vulnerabilities to compromise Windows and Linux hosts. On Windows, the compromised host downloads and executes the XML file wbw.xml; a PowerShell command embedded in that XML downloads a script named 1.ps1. The script downloads the mining program and its configuration file, renames them and runs the miner, then creates a scheduled task that re-executes 1.ps1 every 30 minutes, so the attacker persists on the host year-round. On Linux, the compromised host downloads and executes an XML file named wb.xml, which embeds a bash script in the same way; once run, it downloads the mining script, whose main functions are removing competing miners and their scheduled tasks, MD5 verification, uninstalling security software, and downloading and executing the Kinsing malware. Besides mining, Kinsing opens a backdoor and runs masscan port scans from the compromised host, and connects to its C2 server to upload the version number, number of CPU cores, memory information, operating system information, whether root privileges were obtained, a UUID, and similar data. It also downloads follow-on scripts for lateral movement.
Windows platform communication channel
On the Windows platform, the attacker sends a crafted packet to the victim host; the executable part of the payload is hosted in an XML file on a remote server. When the vulnerability is exploited successfully, the victim host fetches the attacker's XML file from that remote server and parses and executes it.
Linux platform communication channel
Propagation on Linux works the same way as on Windows: a crafted packet is sent to the victim host, with the executable part of the payload hosted in an XML file on a remote server. When the vulnerability is exploited successfully, the victim host fetches the attacker's XML file from the remote server and parses and executes it.
After sorting through the samples from this incident, we obtained the following information:
Anatomy of Windows Samples
1.ps1
Define the download URLs of the Monero mining program and its configuration file, the save path, the mining program name and other settings:
Download the mining program, save it in the TMP directory and rename it to sysupdate.exe.
Download the mining configuration file, save it in the TMP directory and rename it to config.json.
Update the program and create a scheduled task named "Updateservice for WindowsService" that repeats every 30 minutes indefinitely. The task uses PowerShell to execute the 1.ps1 script.
Configuration file config.json
The configuration file lists 5 mining pool addresses, all using the same wallet address, 4ASk4RhUyLL7sxE9cPyBiXb82ofekJg2SKiv4MKtCbzwHHLQxVVfVr4D4xhQHyyMTieSM5VUFGR9jZVR5gp6sa1Q2p8SahC. Part of the configuration file is shown below:
Linux sample analysis
md.sh
Download two script files whose function is to uninstall the security software on the infected host.
Remove competing mining programs.
Remove the scheduled tasks of competing mining programs.
kinsing malware
Mining
After the sample is executed, a mining program named kdevtmpfsi will be created in the tmp directory and executed.
Backdoor function
This backdoor code can execute arbitrary commands on the host.
masscan scan
Create a script file named firewire.sh. Looking up the file's MD5 hash externally identifies it as the masscan scanner. masscan is a high-performance port scanner with functions similar to the nmap tool.
C2 Communications
The malware communicates with the C2 server over HTTP. The compromised host sends system status and resource information, such as the number of CPU cores, memory information, operating system information, whether root privileges were obtained, and a UUID. All of these parameters are sent to the C2 server in custom HTTP headers.
The compromised host continuously polls the C2 server with GET requests; the Sign array in the server's response carries the malicious shell script.
The compromised host requests the /mg path on the C2 server, which responds with a few characters. The host then sends its host information over HTTP using JSON-RPC.
Download the cron.sh script, which kills competing mining programs.
Download the spre.sh script. The script searches ~/.ssh/config, ~/.bash_history and ~/.ssh/known_hosts to discover targets, finds the corresponding authentication information, and attempts to connect to those hosts for lateral movement.
Relationship Analysis
Through correlation analysis, we found another script file, xx.sh, on the group's infrastructure. xx.sh downloads a rootkit named libsystem.so and other malware from 194.38.20.199/libsystem.so; the other scripts then preload the rootkit by adding it to /etc/ld.so.preload.
The script also registers a system service for persistence that periodically re-infects the host.
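A host triage check for the Linux artefacts named above: the libsystem.so entry in /etc/ld.so.preload, the kdevtmpfsi miner dropped in the tmp directory, and a cron job that re-runs the dropper. This is an added example written for this page, not code from the bulletin or from the malware; the artefact names and paths come from the text, and the optional ROOT argument (for scanning a mounted disk image) is our own assumption.

```shell
#!/bin/sh
# Added triage helper for the H2Miner/Kinsing artefacts described above.
# Usage: h2miner_triage [ROOT]  -- ROOT defaults to the live filesystem;
# pass a mount point to scan an offline disk image instead (our assumption).
# Prints one line per finding; returns 1 if anything was found, 0 if clean.
h2miner_triage() {
    root="${1:-}"
    found=0

    # 1. Rootkit persistence: xx.sh adds libsystem.so to /etc/ld.so.preload.
    #    A populated ld.so.preload is rare on a healthy host, so every entry
    #    is reported, and the name given in the bulletin is flagged.
    preload="$root/etc/ld.so.preload"
    if [ -s "$preload" ]; then
        while IFS= read -r lib || [ -n "$lib" ]; do
            [ -n "$lib" ] || continue
            case "$lib" in
                *libsystem.so*) echo "CRITICAL ld.so.preload loads $lib (H2Miner rootkit name)" ;;
                *)              echo "WARN ld.so.preload loads $lib (review manually)" ;;
            esac
            found=1
        done < "$preload"
    fi

    # 2. Miner binary: kinsing drops kdevtmpfsi into the tmp directory.
    f="$root/tmp/kdevtmpfsi"
    if [ -e "$f" ]; then
        echo "CRITICAL miner binary present: $f"
        found=1
    fi

    # 3. Re-infection job: cron entries that reference the dropper or miner
    #    names from the text (system cron.d plus per-user crontab spools).
    for cron in "$root"/etc/cron.d/* "$root"/var/spool/cron/* \
                "$root"/var/spool/cron/crontabs/*; do
        [ -f "$cron" ] || continue
        if grep -Eq 'kinsing|kdevtmpfsi|libsystem\.so|wb\.xml|md\.sh|xx\.sh' "$cron"; then
            echo "WARN cron file references H2Miner artefact: $cron"
            found=1
        fi
    done

    return "$found"
}
```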
Prevention, treatment and elimination:
Do not visit unknown websites or open unknown email attachments. Update the virus database of your anti-virus software regularly; it is best to enable the virus database update function of your anti-virus software. Turn off file sharing on the computer and disable remote connections to it. Install the latest system patches.
Trojan.Linux.MINER.C
Level of caution: ★★★
Affected platforms: Linux
Virus execution body description
Recently, the latest variant of the DDG mining Trojan was captured. This variant mainly targets cloud hosts. Building on previous versions, it adds an ELF layer that drops the virus shell script, and it terminates competing miners so that it has exclusive use of the system's resources. Its name is Trojan.Linux.MINER.C.
The virus body is an ELF file:
It uses readlink to read the path of its own process file:
It extracts the shell scripts from its resources; all of them are base64-encoded shell scripts:
It creates the file 01 in the folder .X11-unix. This file is later used to store the PID of the virus process once the shell script runs:
The decoded shell script that is finally executed:
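An analyst's helper for the base64-wrapped scripts described here: it statically unpacks nested base64 layers of a dropped file without executing any of them, stopping as soon as the content is no longer a single base64 blob or the decoded bytes are not text. This is an added example, not code from the bulletin or the malware; the ten-layer limit and the printable-text check are our own choices.

```shell
#!/bin/sh
# Added analysis helper: peel the base64 layers of a dropped script
# statically, never running the decoded content.
# Usage: peel_base64 FILE  -> prints the innermost decoded script
peel_base64() {
    payload=$(cat "$1")
    depth=0
    while [ "$depth" -lt 10 ]; do   # cap nesting (our assumption)
        # A base64 layer is one run of alphabet characters once line breaks
        # are removed; real shell text contains spaces, quotes, $, | and so on.
        joined=$(printf '%s' "$payload" | tr -d '\n\r ')
        printf '%s' "$joined" | grep -Eq '^[A-Za-z0-9+/]+={0,2}$' || break
        decoded=$(printf '%s' "$joined" | base64 -d 2>/dev/null) || break
        # Keep peeling only while the result is still text: binary output
        # means the previous layer was the real payload (or a false match).
        if printf '%s' "$decoded" | LC_ALL=C grep -q '[^[:print:][:space:]]'; then
            break
        fi
        payload=$decoded
        depth=$((depth + 1))
    done
    printf '%s\n' "$payload"
}
```

On a sample, run it as `peel_base64 /path/to/dropped_script` and review the printed script by hand; it only prints, so nothing in the sample is executed.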
The first decoded shell script:
This script is the miner's daemon process. It mainly monitors whether the mining program is running; if it has stopped, it downloads the mining program again.
This script uses don to resolve domain names, and downloads and mines through a Tor proxy. Like the other variants, its main purpose is to bypass the IDS defenses of major security vendors.
The way it determines whether the miner is running is shown in the picture on the right: it reads the mining process PID recorded in .x11-unix/01 and checks whether that PID still exists; if it does not, mining is restarted:
The first line of this script, 20ossFopossFop88vsbHvsbHvsbH1fjszMJoolZE2929S, is the file name used for the locally saved shell script and the related scheduled tasks:
After opening it, I found this script:
The second shell script is basically the same as the first shell script.
The third shell script mainly deletes competing mining viruses.
It deletes the scheduled tasks and files of competing mining viruses to monopolize system resources. We found the unix.db variant among them; AsiaInfo had captured this variant as early as mid-2020.
It ends processes related to the following outbound connections:
It deletes the shell files of competing miners and ends processes with high CPU usage on the system.
It ends processes whose names contain the following strings; processes such as kthreadi are also common Linux mining viruses.
The fourth shell script is the propagation module and also stops some cloud host services.
It stops cloud-host related services and deletes related files.
knifessh runs SSH commands on all nodes. Once decoded, the command is the first shell script.
It uses the cmd.run module of SaltStack to run the miner uniformly on the subordinate machines.
Spreading with pssh
It retrieves the hosts it has communicated with and tries to connect to them.
No interactive password prompt is shown when connecting to a remote host. The remote host's key is added to known_hosts automatically, without asking the user whether to save it, and when the remote host's key changes the connection still proceeds, so there is no connection failure due to mismatched keys.
ansible all -m shell -a connects to other hosts and spreads:
Prevention, treatment and elimination:
Do not visit unknown websites or open unknown email attachments. Update the virus database of your anti-virus software regularly. Turn off file sharing on the computer and disable remote connections to it. Install the latest system patches.
Phishing site warnings:
1. Fake Amazon phishing site:
Harm: steals the user's email account and password.
2. Fake PDF phishing site:
Harm: steals the user's account and password.
3. Fake PayPal phishing site:
Harm: steals the user's account and password.
4. Fake Tencent Games phishing site:
Harm: steals the user's credit card number and password.
5. Fake Gmail phishing site:
Harm: steals the user's email account and password.
Never open websites like the ones above, and keep your computer's network firewall turned on.
The above information is provided by the Tianjin Network and Information Security Emergency Management Center.
Source: PHP Chinese website. Title: H2Miner virus invades Windows/Linux platform, beware of long-term persistence of mining programs.