Juniper Threat Labs has been monitoring a campaign that delivered multiple stages of malware to install a cryptocurrency miner and ransomware. On March 16, 2019, we identified a surge in attacks that target an Apache Struts vulnerability to deliver their payload.

The attack appears to come from the following two IP addresses, 87.120.36.165 and 87.120.36.222, with 99 percent of the attacks coming from the former.

As any Apache web server can be configured to be accessed on different ports, the attacker essentially tried to deliver the exploit on mostly all ports, with the attack on port 80 being slightly higher.

“>Previous Attacks

We looked back at previous attacks of this campaign and found similar attacks in November and December.

During this period, the following IPs were the source of attacks:

• 204.44.78.61
• 54.37.196.121
• 86.106.102.155
• 111.90.141.97
• 192.200.208.66
• 61.155.158.71

Exploitation
Apache Struts Vulnerability
The Apache Struts vulnerability is well known as it is the one exploited in the infamous Equifax breach. There are two Apache Struts RCE vulnerabilities that are actively exploited.
CVE-2017-5638
This vulnerability allows remote attackers to execute arbitrary commands via a crafted Content-Type, Content-Disposition or Content-Length HTTP header with a Content-Type header containing a #cmd= string. The attacks are as follows:

CVE-2018-11776

This vulnerability allows remote code execution on Apache Struts 2.
WebShell
Another way of attacking their targets is by uploading a webshell. If a web application is vulnerable to this attack, it allows the attacker to upload any file, which it will access later on.

To trigger the webshell, the attacker will issue an HTTP GET request on the uploaded file.

Payload

The payload is downloaded from http://111[.]90[.]159.106/d/fast.exe. In turn, this file will download three additional files from the same download server and install them into C:\Program Files\Common Files\System.
Cpt.exe (Ransomware)
This file is the Satan ransomware version 5.1. It encrypts files with the following extensions:

After encryption, it displays the following ransom note including the bitcoin wallet address to pay the ransom. However, it does not indicate the amount of bitcoin to pay. This is a first indication that the attacker may not be interested in collecting the ransom.

Translated to English:

Additionally, this malware replaces all the executables in non-critical Windows folders with its own. The replaced executables are not saved anywhere. This will make your installed applications unusable. This is a stronger indication that this is more of a destroyer rather than a ransomware.

To protect its own files and to ensure that the operating system will still work after infection, it will not replace or encrypt files or folders with the following names in them:

Srv.exe (Module Manager)

The function of this file is to continuously update the modules (Ransomware, Miner and Spreader) and make sure that all of its modules are running. It first starts installing itself as a service named “Logs Service”.

It enters into a loop, constantly checking for updates of all the modules and beacons out to its CnC server 111.90.159.106.

Conn.exe (Spreader)

This is the largest file among the modules and it carries with it the EternalBlue file and Doublepulsar backdoor, including all of its dependencies. Its main function is to spread laterally using the EternalBlue exploit along with the DoublePulsar backdoor to drop and execute down64.dll, which will download and install http://111[.]90[.]159.106/d/fast.exe.

Down64.dll will get loaded into memory and will download and execute fast.exe to start the infection chain all over again.

It can also spread using other exploits including the Apache Struts2 exploit and Weblogic exploit.

Svchost.exe (XMRig Miner)

This XMRig miner joins the mining pool 111.90.159.106.443, which is the same as the download server.

Linux Component
The attack also has a Linux version when it identifies that the OS is Linux. The payload downloaded is http://111[.]90[.]159[.]106/d/ft32 or ft64 depending on the system. It installs itself as .loop. To ensure its persistence, it creates a cron job to run itself every five minutes. This file is the equivalent of srv.exe, which downloads and installs all of the other components.

The spreader module for this case does not include the eternalblue/doublepulsar. Instead, it uses an SSH brute-forcer module with hardcoded credentials.

Usernames for the SSH-Bruteforce:

Passwords:

In conclusion, this campaign has a lot of similarities to the bulehero attack, which we blogged about last month pointing to their usage of web application exploits and spreading capability via EternalBlue and DoublePulsar with the payload being a Cryptominer. The difference in this attack is that it includes a ransomware, which appears to be a destructive malware as it replaces all non-critical executables with the ransomware file, which could make most applications on the infected system unusable. It also includes a Linux version for the payload and its modules, which increases its attack surface. Another difference is that bulehero attacks are daily while this campaign appears to be sporadic.

Looking at the bitcoin wallet’s activity, it seems the campaign on November 26 may have generated one payment of 0.6 BTC. This is the only transaction into this wallet followed by a withdrawal from the wallet a few days later.

Juniper Threat Labs is constantly monitoring for cyberattacks and making sure that we create protection against these attacks.

Juniper Advanced Threat Prevention (JATP) Appliance and Juniper Sky ATP detects the file as follows:

Indicators of Compromise
9076abe37b87935759b2b300734e84e488fb7636ec224109dd5bf24713b0d7c9

2023f148ce2d9669c656e7cb678e99eb68397cfbab5ddea1f2f362375cdb6a3c

10ec2b718cdcf914fb19cda90f27c0a8475af4920d265f06cfe8ba4b50329457

b8c903f9d41335d25ac04cc81d3635b6692163bdbead07d81d8178d3484ba9e7

f7a83fb80016e3598147e6fd1d472a5f2af89f7559d46b846e8739416ceb1eb1

bcd7d7696f16c670c12fb9ed5e37b7b5663ca0921f3aa9249f306ca04debe861

fdb335f1d5ddb899b0a9dd316712831417a2eabae0a7370c7830fcaf4f9aa914

52c93e117f8e718002df0048b358284871fc4ec24ab329e162a3b045662f7249

f433f3bcf152539c06839780786fd405d64de3e02e69bb0cc1300fcaaa500536

b1d5b19147748b6f597cffe1bb24e2cc1ed491acef928a95d8f92cc4ff32b116

170abb31fd18cb81b85f89757c44b837499306d8f3be6436e8a41af599d67a57

c87cdf3460fb33374d6bb30765026e77b6ee35a50715890286f99809e5718590

b1d5b19147748b6f597cffe1bb24e2cc1ed491acef928a95d8f92cc4ff32b116

6a5eb4f72b9177e6a353dfa36502521c2d06bcb54a6f61f31c46118922f1a4f6

828d011761c08d233db5eaa95790b288029605039891354b7df3e2a6b9b182a5

15ffbb8d382cd2ff7b0bd4c87a7c0bffd1541c2fe86865af445123bc0b770d13

976ca910563e0d458edbf209e9c255f41f368cdf17010f3c247c070901804d80

B1d5b19147748b6f597cffe1bb24e2cc1ed491acef928a95d8f92cc4ff32b116

http://111[.]90[.]159.106/d/fast.exe

http://111[.]90[.]159.106/d/cpt.exe

http://111[.]90[.]159.106/d/srv.exe

http://111[.]90[.]159.106/d/conn.exe

http://111[.]90[.]159.106/d/ft32

http://111[.]90[.]159.106/d/ft64

http://111[.]90[.]159.106/d/cry32

http://111[.]90[.]159.106/d/cry64

http://111[.]90[.]159.106/d/conn64

http://111[.]90[.]159.106/d/conn32

http://111[.]90[.]159.106/d/mn32

http://111[.]90[.]159.106/d/mn64

111.90.159.106