Apache Struts2 high-risk vulnerabilities cause the Enterprise Server is the invasion mounted KoiMiner mining Trojan-vulnerability warning-the black bar safety net


0×1 Overview Many business websites use the Apache open source project to build a http server, which is most of the use of the Apache sub-project of Struts in. But since the Apache Struts2 Product code there are more risks, beginning in 2007, Struts2 will frequently broke multiple high-risk vulnerabilities. From the Apache official data, from 2007 to 2018 total published number S2-001 to S2-056 total of 56 vulnerabilities, of which only a remote code execution vulnerability Remote Code Execution on a 9. ! [](/Article/UploadPic/2018-7/2018710164555841. png? www. myhack58. com) 2017 3 months was reported out of the S2-045(CVE-2017-5638 high-risk vulnerabilities, based on Jakarta Multipart parser implementation file upload may lead to an RCE, the impact of the range of the Struts 2.3.5 – Struts 2.3.31, as well as the Struts 2.5 – Struts 2.5.10 version, persists to be utilized for an attack. 2018 year 4 months Tencent Yu see Threat Intelligence Center had been monitoring the hacker group exploit this vulnerability bulk of the invasion[the web server](<http://www.myhack58.com/Article/sort099/sort0100/Article_100_1.htm>)implantation mining Trojan(for more details, see the enterprise not fix Apache Struts 2 vulnerability-induced[Web server](<http://www.myhack58.com/Article/sort099/sort0100/Article_100_1.htm>)is the bulk of the invasion article, the recent Royal to see the Threat Intelligence Center is again monitored a similar attack. This attack, hackers use attack tools WinStr045 detecting the presence on the network vulnerability[web server](<http://www.myhack58.com/Article/sort099/sort0100/Article_100_1.htm>), found that the presence of vulnerability of the machine through a remote execution of various types of instruction provide the right to, create, account, system information gathering, and then will be used to download the Trojan mas. exe the implant, then the use of mas. exe this Trojan Downloader from the plurality of C&C;address to download more Trojans: the 利用提权木马o3/o6.exe and 挖矿木马netxmr4.0.exe the. Since the bitcoin mining Trojan netxmr the decryption code after the module name“koi”is loaded, therefore, Tencent Yu see Threat Intelligence Center will be named for KoiMiner it. Interestingly, intruders to ensure your mining success, it will check the system processes, CPU resource consumption, and if CPU usage exceeds 40%, it will be the end of the Run, will save the system resources for the mining of. According to the code traceability analysis, Tencent Yu see Threat Intelligence Center researchers believe that this KoiMiner series mining Trojan is probably some hacker forums, underground mining organizations to share in the community more people cooperation of the“practice”works. ! [](/Article/UploadPic/2018-7/2018710164555994. png? www. myhack58. com) Attack process Note: Struts is based on MVC design pattern Web application framework, the user use of the framework can be business logic code from the presentation layer clearly separated, so as to focus on the business logic and the mapping relationship between the configuration file. Struts2 is Struts and WebWork combination, a combination of Struts and WebWork advantages, the use of interceptor mechanisms to process the user's request, so that business logic can with ServletAPI completely out of the opening. 0×2 a detailed analysis of the 0 x 2.1 intrusion The detection of the target system whether the presence of S2-045 vulnerability ! [](/Article/UploadPic/2018-7/2018710164555176. png? www. myhack58. com) The presence of the vulnerability of the system to attack ! [](/Article/UploadPic/2018-7/2018710164555748. png? www. myhack58. com) Invasion tool for the selection of osmotic command ! [](/Article/UploadPic/2018-7/2018710164555749. png? www. myhack58. com) The invasion can be selected when execution of the command can also be self-defined,choose the command Windows, linux, penetration of commonly used commands, including viewing system version information, network connection status, port open status and add to the system with administrator privileges to the new user, open the remote connection service and other operations. ! [](/Article/UploadPic/2018-7/2018710164555928. png? www. myhack58. com) Through the directory view command to confirm C:\Windows\Help directory and C:\ProgramData whether the directory has been implanted Trojan, if not then the mas. exe Trojan infection. The time of implantation to first create the C#code to text mas. cs, 然后使用.NET程序将其编译为可执行文件mas.exe the. First execute the command to create a mas. cs and write The for download code. ! [](/Article/UploadPic/2018-7/2018710164555437. png? www. myhack58. com) 然后执行命令将mas.cs通过.NET程序编译为mas.exe the. ! [](/Article/UploadPic/2018-7/2018710164555672. png? www. myhack58. com) Command in the use of mas. exe download mining Trojan netxmr4. To 0. ! [](/Article/UploadPic/2018-7/2018710164555433. png? www. myhack58. com) Part of the attack objectives are as follows: ! [](/Article/UploadPic/2018-7/2018710164555651. jpg? www. myhack58. com) Implantation of mas. the exe size is only 4k,is stored in the directory ProgramData. From Yu see Threat Intelligence Center monitoring and recording can be seen, mas.exe从多个C2地址下载了netxmr4.exe(mining Trojan), the o3.exe/o6.exe(providing the right to Trojans)and other Trojans. ! [](/Article/UploadPic/2018-7/2018710164555713. png? www. myhack58. com) **[1] [[2]](<90758_2.htm>) [[3]](<90758_3.htm>) [[4]](<90758_4.htm>) [next](<90758_2.htm>)**