RedisWannaMine Unveiled: New Cryptojacking Attack Powered by Redis and NSA Exploits


Recently cryptojacking attacks have been spreading like wildfire. At Imperva we have witnessed it firsthand and even concluded that these attacks [hold roughly 90% of all remote code execution attacks in web applications](<https://www.imperva.com/blog/2018/02/new-research-crypto-mining-drives-almost-90-remote-code-execution-attacks/>). Having said that, all of the attacks we have seen so far were somewhat limited in their complexity and capability. The attacks contained malicious code that downloaded a cryptominer executable file and ran it with a basic evasion technique or none at all. This week we saw a new generation of cryptojacking attacks aimed at _both_ database servers and application servers. We dubbed one of these attacks _RedisWannaMine_. _RedisWannaMine_ is more complex in terms of evasion techniques and capabilities. It demonstrates worm-like behavior combined with advanced exploits to increase the attackers’ infection rate and fatten their wallets.

[![](https://www.imperva.com/blog/wp-content/uploads/2018/03/Screen-Shot-2018-03-08-at-7.43.49-AM.png)](<https://www.imperva.com/blog/wp-content/uploads/2018/03/Screen-Shot-2018-03-08-at-7.43.49-AM.png>)

In a nutshell, **cryptojacking attackers have upped their game and they are getting crazier by the minute!**

## Cryptojacking 2.0 / RedisWannaMine

Imperva deploys a network of sensors to gather security intelligence. These sensors are deployed in publicly accessible databases and web servers. This week we recorded an interesting remote code execution (RCE) attack through our web application sensors. When we record an RCE attack that tries to download an external resource, we probe the remote host to gain further security information.
This was the case this week, when our sensors recorded the following attack vector that tried to exploit [CVE-2017-9805](<https://www.imperva.com/blog/2017/09/cve-2017-9805-analysis-of-apache-struts-rce-vulnerability-in-rest-plugin/>):

[![WannaCryptoMine Unveiled: New Cryptojacking Attack Powered by Redis and NSA Exploits](https://www.imperva.com/blog/wp-content/uploads/2018/03/pic1.png)](<https://www.imperva.com/blog/wp-content/uploads/2018/03/pic1.png>)

When we probed the remote server we found a list of suspicious files:

[![WannaCryptoMine Unveiled: New Cryptojacking Attack Powered by Redis and NSA Exploits](https://www.imperva.com/blog/wp-content/uploads/2018/03/Picture2-300x202.png)](<https://www.imperva.com/blog/wp-content/uploads/2018/03/Picture2.png>)

The list includes known malicious files, like _minerd_, but also some unknown suspicious files like _transfer.sh_. When we submitted the _transfer.sh_ hash to VirusTotal, we found it is fairly new: first submitted on 2018-03-05 and detected by only 10 engines.

![WannaCryptoMine Unveiled: New Cryptojacking Attack Powered by Redis and NSA Exploits](https://www.imperva.com/blog/wp-content/uploads/2018/03/pic3-300x227.png)

This shell script file is a downloader that is similar in some ways to older cryptojacking downloaders we know:

* It downloads a crypto miner malware from an external location
* It gains persistency on the machine through new entries in _crontab_
* It gains remote access to the machine through a new SSH key entry in _/root/.ssh/authorized_keys_ and new entries in the system’s _iptables_

However, this downloader is unlike any downloader we’ve seen before. In the following sections, we will list the new capabilities it offers.

## Self-sufficient

The script installs a lot of packages using standard Linux package managers like _apt_ and _yum_. This is probably to make sure it is self-sufficient and does not depend on libraries already present on the victim’s machine.
As a hint of things to follow, we saw it installs packages like _git, python, redis-tools, wget, gcc_ and _make_.

[![WannaCryptoMine Unveiled: New Cryptojacking Attack Powered by Redis and NSA Exploits](https://www.imperva.com/blog/wp-content/uploads/2018/03/pic4-300x111.png)](<https://www.imperva.com/blog/wp-content/uploads/2018/03/pic4.png>)

## Github integration

The script downloads a publicly available tool named _masscan_ from a Github repository, then compiles and installs it.

[![WannaCryptoMine Unveiled: New Cryptojacking Attack Powered by Redis and NSA Exploits](https://www.imperva.com/blog/wp-content/uploads/2018/03/pic5-300x17.png)](<https://www.imperva.com/blog/wp-content/uploads/2018/03/pic5.png>)

The project page <https://github.com/robertdavidgraham/masscan> describes it as “TCP port scanner, spews SYN packets asynchronously, scanning entire Internet in under 5 minutes.” It also offers simple usage examples:

[![WannaCryptoMine Unveiled: New Cryptojacking Attack Powered by Redis and NSA Exploits](https://www.imperva.com/blog/wp-content/uploads/2018/03/pic6-300x73.png)](<https://www.imperva.com/blog/wp-content/uploads/2018/03/pic6.png>)

## Redis scan and infection

The script then launches another process named “_redisscan.sh_”. The new process uses the _masscan_ tool mentioned above to discover and infect publicly available Redis servers. It does so by creating a large list of IPs, **internal** and **external**, and scanning port 6379, the default listening port of Redis.

[![WannaCryptoMine Unveiled: New Cryptojacking Attack Powered by Redis and NSA Exploits](https://www.imperva.com/blog/wp-content/uploads/2018/03/pic7.png)](<https://www.imperva.com/blog/wp-content/uploads/2018/03/pic7.png>)

If one of the IPs in the list turns out to be reachable, the script launches the “_redisrun.sh_” process to infect it with the same crypto miner malware (“_transfer.sh_”).
The infection is done with the _redis-cli_ command line tool, which the downloader installed earlier, running the “_runcmd_” payload.

[![WannaCryptoMine Unveiled: New Cryptojacking Attack Powered by Redis and NSA Exploits](https://www.imperva.com/blog/wp-content/uploads/2018/03/pic8-300x37.png)](<https://www.imperva.com/blog/wp-content/uploads/2018/03/pic8.png>)

“_runcmd_” is a 10-line Redis command script that creates new entries in the Redis server’s crontab directory, thereby infecting the server and gaining persistency in case someone notices the malware and deletes it.

[![WannaCryptoMine Unveiled: New Cryptojacking Attack Powered by Redis and NSA Exploits](https://www.imperva.com/blog/wp-content/uploads/2018/03/pic9-300x42.png)](<https://www.imperva.com/blog/wp-content/uploads/2018/03/pic9.png>)

Notice that the attacker uses line feeds, “_\n_”, at the beginning and at the end of each key value. The file Redis writes is a binary dump, so this padding makes sure the cron entry lands on a line of its own, where cron can parse it. If you run these commands on a Redis server, a file with the following content will be created:

[![WannaCryptoMine Unveiled: New Cryptojacking Attack Powered by Redis and NSA Exploits](https://www.imperva.com/blog/wp-content/uploads/2018/03/pic10-300x49.png)](<https://www.imperva.com/blog/wp-content/uploads/2018/03/pic10.png>)

## SMB scan and infection

After the script completes the Redis scan, it launches another scan process named “_ebscan.sh_”. This time the new process uses the _masscan_ tool to discover and infect publicly available Windows servers running the vulnerable SMB version. It does so by creating a large list of IPs, **internal** and **external**, and scanning port 445, the default listening port of SMB.
[![WannaCryptoMine Unveiled: New Cryptojacking Attack Powered by Redis and NSA Exploits](https://www.imperva.com/blog/wp-content/uploads/2018/03/pic11.1.png)](<https://www.imperva.com/blog/wp-content/uploads/2018/03/pic11.1.png>)

[![WannaCryptoMine Unveiled: New Cryptojacking Attack Powered by Redis and NSA Exploits](https://www.imperva.com/blog/wp-content/uploads/2018/03/pic11.2-300x92.png)](<https://www.imperva.com/blog/wp-content/uploads/2018/03/pic11.2.png>)

In case you’ve been living under a rock, the SMB vulnerability this script is scanning for was used by the NSA to create the infamous “_Eternal Blue_” exploit. This exploit was later adapted to carry out “_WannaCry_”, one of the biggest cyberattacks in the world. When the script finds a vulnerable server, it launches the “_ebrun.sh_” process to infect it. “_ebrun.sh_” runs a Python implementation of the aforementioned “_Eternal Blue_” exploit and drops the file “_x64.bin_” on the vulnerable machine.

[![WannaCryptoMine Unveiled: New Cryptojacking Attack Powered by Redis and NSA Exploits](https://www.imperva.com/blog/wp-content/uploads/2018/03/pic12-300x60.png)](<https://www.imperva.com/blog/wp-content/uploads/2018/03/pic12.png>)

We used the _strings_ command to print all the strings of printable characters in the file and found code that creates a malicious VBScript file named “_poc.vbs_” and runs it. “_poc.vbs_” downloads an executable from an external location, saves it on the vulnerable server as “_admissioninit.exe_” and runs it. Needless to say, “_admissioninit.exe_” is a well-known crypto miner malware.

[![WannaCryptoMine Unveiled: New Cryptojacking Attack Powered by Redis and NSA Exploits](https://www.imperva.com/blog/wp-content/uploads/2018/03/pic13-300x87.png)](<https://www.imperva.com/blog/wp-content/uploads/2018/03/pic13.png>)

## What should I do?

* Protect your web applications and databases. The initial attack vector was introduced through a web application vulnerability.
A properly patched application or an application protected by a WAF should be safe.
* Make sure you don’t expose your Redis servers to the world. This can be achieved with a simple firewall rule.
* Make sure you don’t run machines with the vulnerable SMB version in your organization. You can use [this](<http://omerez.com/eternalblues/>) awesome tool to check it.

## IOC

**Hosts:**

http://ipfs.io/
http://admission.fri3nds.in/

**IPs:**

**Files:**
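A defender-side check for the Redis crontab persistence described in the Redis section above, added here as an example and not code from Imperva's post or from the malware. It assumes the usual mechanism behind such payloads (Redis is told to save its dump into a cron directory), so a cron file that begins with the RDB magic `REDIS` is the indicator; the sample bytes and the `EXAMPLE-PLACEHOLDER` command are constructed.

```python
"""Flag cron files that are really Redis RDB dumps, the artifact left behind by a
runcmd-style payload (added example; sample bytes below are constructed)."""
from __future__ import annotations

import re
from pathlib import Path

RDB_MAGIC = b"REDIS"  # every RDB dump begins with "REDIS" followed by a 4-digit version
CRON_DIRS = ("/var/spool/cron", "/var/spool/cron/crontabs", "/etc/cron.d")
# A cron entry: an "@reboot"-style keyword or five schedule fields, then a command.
CRON_LINE = re.compile(rb"^(?:@\w+|(?:[\d*/,\-]+\s+){5})\S.*$", re.MULTILINE)


def is_rdb_dump(data: bytes) -> bool:
    """True when the file starts like a Redis dump rather than a text crontab."""
    return data.startswith(RDB_MAGIC)


def extract_cron_lines(data: bytes) -> list[str]:
    """Pull cron entries out of binary data. This works precisely because the
    attacker wraps each key value in "\\n", so the entry sits on a line of its own."""
    return [m.group(0).decode("latin-1").strip() for m in CRON_LINE.finditer(data)]


def scan_cron_dirs(dirs=CRON_DIRS) -> dict[str, list[str]]:
    """Map each RDB-shaped cron file under `dirs` to the cron entries it hides."""
    findings: dict[str, list[str]] = {}
    for d in dirs:
        base = Path(d)
        if not base.is_dir():
            continue
        for f in base.iterdir():
            try:
                data = f.read_bytes() if f.is_file() else b""
            except OSError:  # unreadable entry: skip it, do not abort the sweep
                continue
            if is_rdb_dump(data):
                findings[str(f)] = extract_cron_lines(data)
    return findings


# Constructed sample: RDB header, one key whose value is a "\n"-padded cron line,
# then the EOF marker and checksum. The command is a placeholder, not a real IoC.
SAMPLE_RDB = (
    b"REDIS0008\xfa\tredis-ver\x054.0.8\xfe\x00\xfb\x01\x00\x00\x01a\x31"
    b"\n*/2 * * * * /bin/sh /tmp/EXAMPLE-PLACEHOLDER.sh\n"
    b"\xff" + b"\x00" * 8
)

if __name__ == "__main__":
    print(is_rdb_dump(SAMPLE_RDB), extract_cron_lines(SAMPLE_RDB))
    for path, lines in scan_cron_dirs().items():
        print(f"suspicious cron file {path}: {lines}")
```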