Illicit cryptocurrency mining or cryptojacking has become popular with cyber criminals as an easy way to fund their operations as the use and value of digital currencies increase.
The attacks usually involve malware that is used to install legitimate cryptocurrency mining software on targeted systems and send the generated digital coins to wallets controlled by the criminals.
Businesses have been urged to be on the lookout for cryptojacking as a sign of security vulnerabilities and to avoid degraded computing performance, processor burnout and increased electricity consumption.
A newly-discovered cryptojacking attack is more complex than its forerunners in terms of evasion techniques and capabilities, and heralds a new generation of crytojacking attacks that are aimed at both database servers and application servers, according to researchers at security firm Imperva.
The attack was dubbed RedisWannaMine because it is powered by the open source Redis in-memory data structure store and the EternalBlue exploit used by WannaCry.
RedisWannaMine demonstrates a worm-like behaviour combined with advanced exploits to increase the attackers’ infection rate and coin generation capacity.
“In a nutshell, cryptojacking attackers have upped their game and they are getting crazier by the minute,” the researchers wrote in a blog post.
They tracked down RedisWannaMine through a remote code execution (RCE) detected by Imperva’s web application sensors.
A shell script file used in the attack is a downloader that is similar to older cryptojacking downloaders in the way it downloads a crypto miner malware from an external location and gains persistency and remote access, but the researchers said the downloader is unlike any other they have seen.
Firstly, the script installs a lot of packages using Linux standard package managers such as apt and yum, which the researchers believe is to make it self-sufficient and able to operate without depending on local libraries on the victim’s machine.
Secondly, the script downloads a publicly available tool, named masscan, from a Github repository, then compiles and installs it. Masscan is described as a “TCP port scanner, spews SYN packets asynchronously, scanning entire internet in under five minutes”.
Thirdly, the script launches another process, named “redisscan.sh”, which uses the masscan tool to discover and infect publicly available Redis servers. “It does so by creating a large list of IPs, internal and external and scanning port 6379, which is the default listening port of Redis,” the researchers said.
If one of the IPs in the list is publicly available, the script launches the “redisrun.sh” process to infect it with the same cryptominer malware (“transfer.sh”).
“The infection is done using the redis-cli command line tool that the downloader previously installed, that runs the “runcmd” payload,” the researchers said.
The “runcmd” payload is a 10-line Redis command script that creates new entries in the Redis server crontab directory and so infects the server and gains persistency in case the malware is detected and deleted.
After the script completes the Redis scan, the researches said it launches another scan process called “ebscan.sh” which uses the masscan tool to discover and infect publicly available Windows servers with the vulnerable version of the SMB (server message block) protocol.
“It does so by creating a large list of IPs, internal and external, and scanning port 445, which is the default listening port of SMB,” the researchers said.
The SMB vulnerability this script is scanning for was used by the US National Security Agency (NSA) to create the Eternal Blue exploit, which was adapted to carry out the global WannaCry attacks in May 2017.
When the script finds a vulnerable server, it launches the “ebrun.sh” process to infect it, which then runs a Python implementation of the Eternal Blue exploit and drops the file “x64.bin” in the vulnerable machine.
The dropped file creates and runs a malicious VBScript file named “poc.vbs” that downloads a cryptominer malware executable from an external location, saves it in the vulnerable server as “admissioninit.exe” and runs it.
The Imperva researchers said that in the light of their discovery, businesses should:
- Protect web applications and databases because the initial attack vector was introduced through a web application vulnerability, and a properly patched application or an application protected by a web application firewall (WAF) should be safe.
- Make sure they do not expose their Redis servers to the world by applying a simple firewall rule.
- Make sure they do not run machines with the vulnerable SMB version.