FireEye researchers recently observed threat actors abusing
CVE-2017-10271 to deliver various cryptocurrency miners.
CVE-2017-10271 is a known input validation vulnerability that exists
in the WebLogic Server Security Service (WLS Security) in Oracle
WebLogic Server versions 22.214.171.124.0 and prior, and attackers can
exploit it to remotely execute arbitrary code. Oracle released a Critical
Patch Update that reportedly fixes this vulnerability. Users who
failed to patch their systems may find themselves mining
cryptocurrency for threat actors.
FireEye observed a high volume of activity associated with the
exploitation of CVE-2017-10271 following the public posting of proof
of concept code in December 2017. Attackers then leveraged this
vulnerability to download cryptocurrency miners in victim environments.
We saw evidence of organizations located in various countries –
including the United States, Australia, Hong Kong, United Kingdom,
India, Malaysia, and Spain, as well as those from
nearly every industry vertical – being impacted by this activity.
Actors involved in cryptocurrency mining operations mainly exploit
opportunistic targets rather than specific organizations. This coupled
with the diversity of organizations potentially affected by this
activity suggests that the external targeting calculus of these
attacks is indiscriminate in nature.
The recent cryptocurrency boom has resulted in a growing number of
operations – employing diverse tactics – aimed at stealing
cryptocurrencies. The idea that these cryptocurrency mining operations
are less risky, along with the potentially nice profits, could lead
cyber criminals to begin shifting away from ransomware campaigns.
Tactic #1: Delivering the miner directly to a vulnerable server
Some tactics we’ve observed involve exploiting CVE-2017-10271,
leveraging PowerShell to download the miner directly onto the victim’s
system (Figure 1), and executing it using ShellExecute().
Figure 1: Downloading the payload directly
Tactic #2: Utilizing PowerShell scripts to deliver the miner
Other tactics involve the exploit delivering a PowerShell script,
instead of downloading the executable directly (Figure 2).
Figure 2: Exploit delivering PowerShell script
This script has the following functionalities:
- Downloading miners from remote servers
Figure 3: Downloading cryptominers
As shown in Figure 3, the .ps1 script
tries to download the payload from the remote server to a vulnerable server.
- Creating scheduled tasks for persistence
Figure 4: Creation of scheduled task
- Deleting scheduled tasks of other known cryptominers
Figure 5: Deletion of scheduled tasks
related to other miners
In Figure 4, the cryptominer creates a
scheduled task with name “Update service for Oracle
products1”. In Figure 5, a different variant deletes this task
and other similar tasks after creating its own, “Update service for
From this, it’s quite clear that
different attackers are fighting over the resources available in the system.
- Killing processes matching certain strings associated with other
Figure 6: Terminating processes directly
Figure 7: Terminating processes matching
Similar to scheduled tasks deletion,
certain known mining processes are also terminated (Figure 6 and
- Connects to mining pools with wallet key
Figure 8: Connection to mining pools
The miner is then executed with
different flags to connect to mining pools (Figure 8). Some of the
other observed flags are: -a for algorithm, -k for keepalive to
prevent timeout, -o for URL of mining server, -u for wallet key, -p
for password of mining server, and -t for limiting the number of miner threads.
- Limiting CPU usage to avoid suspicion
Figure 9: Limiting CPU Usage
To avoid suspicion, some attackers are
limiting the CPU usage of the miner (Figure 9).
Tactic #3: Lateral movement across Windows environments using
Mimikatz and EternalBlue
The malware checks whether its running on a 32-bit or 64-bit system
to determine which PowerShell script to grab from the command and
control (C2) server. It looks at every network adapter, aggregating
all destination IPs of established non-loopback network connections.
Every IP address is then tested with extracted credentials and a
credential-based execution of PowerShell is attempted that downloads
and executes the malware from the C2 server on the target machine.
This variant maintains persistence via WMI (Windows Management Instrumentation).
The malware also has the capability to perform a Pass-the-Hash
attack with the NTLM information derived from Mimikatz in order to
download and execute the malware in remote systems.
Additionally, the malware exfiltrates stolen credentials to the
attacker via an HTTP GET request to:
If the lateral movement with credentials fails, then the malware
uses PingCastle MS17-010 scanner (PingCastle is a French Active
Directory security tool) to scan that particular host to determine if
its vulnerable to EternalBlue, and uses it to spread to that host.
After all network derived IPs have been processed, the malware
generates random IPs and uses the same combination of PingCastle and
EternalBlue to spread to that host.
Tactic #4: Scenarios observed in Linux OS
We’ve also observed this vulnerability being exploited to deliver
shell scripts (Figure 10) that have functionality similar to the
Figure 10: Delivery of shell scripts
The shell script performs the following activities:
- Attempts to kill already running cryptominers
Figure 11: Terminating processes matching
- Downloads and executes cryptominer malware
Figure 12: Downloading CryptoMiner
- Creates a cron job to maintain persistence
Figure 13: Cron job for persistence
- Tries to kill other potential miners to hog the CPU
Figure 14: Terminating other potential miners
The function shown in Figure 14 is used
to find processes that have high CPU usage and terminate them. This
terminates other potential miners and maximizes the utilization of resources.
Use of cryptocurrency mining malware is a popular tactic leveraged
by financially-motivated cyber criminals to make money from victims.
We’ve observed one threat actor mining around 1 XMR/day, demonstrating
the potential profitability and reason behind the recent rise in such
attacks. Additionally, these operations may be perceived as less risky
when compared to ransomware operations, since victims may not even
know the activity is occurring beyond the slowdown in system performance.
Notably, cryptocurrency mining malware is being distributed using
various tactics, typically in an opportunistic and indiscriminate
manner so cyber criminals will maximize their outreach and profits.
FireEye HX, being a behavior-based solution, is not affected by
cryptominer tricks. FireEye HX detects these threats at the initial
level of the attack cycle, when the attackers attempt to deliver the
first stage payload or when the miner tries to connect to mining pools.
At the time of writing, FireEye HX detects this activity with the
MONERO MINER (METHODOLOGY)
MIMIKATZ (CREDENTIAL STEALER)
Indicators of Compromise
Thanks to Dileep Kumar Jallepalli and Charles Carmakal for their
help in the analysis.
This is a Security Bloggers Network syndicated blog post authored by Nick Harbour. Read the original post at: Threat Research Blog