A newly discovered and unusually sophisticated cryptojacking attack attempts to install cryptominers on both database and application servers by targeting misconfigured Redis servers, as well as Windows servers that are susceptible to the EternalBlue NSA exploit.
Researchers with Imperva uncovered the threat when its web application sensors detected signs of a remote code execution attack exploiting an Apache Struts vulnerability. Dubbing the attack "RedisWannaMine," Imperva warns in a Mar. 8 blog post that compared to most cryptojacking threats, this one is "more complex in terms of evasion techniques and capabilities. It demonstrates a worm-like behavior combined with advanced exploits to increase the attackers' infection rate and fatten their wallets."
After probing the remote host associated with the attack, Imperva's researchers found several suspicious files, including "transfer.sh," a cryptominer downloader. Upon successful infection, this shell script file installs a publicly available tool called "masscan" that is billed on GitHub as an Internet port scanner that can sweep the entire internet in five minutes.
Armed with the masscan tool, transfer.sh can now launch a process called "redisscan.sh" to discover and infect public Redis servers, drawn from a large list of IPs, via port 6379. (Redis describes itself as an "open source, in-memory data structure store, used as a database, cache and message broker.") Infection is carried out with the redis-cli command-line tool, which the downloader previously installed, to run the "runcmd" payload command script; that script infects the server and gains persistence.
But this is just the first of two attack vectors. Next, the script runs another scan process called “ebscan.sh” that again uses the masscan tool to discover, via port 445, publicly available Windows servers with the Server Message Block (SMB) vulnerability CVE-2017-0144. It then exploits this vulnerability with a Python implementation of EternalBlue -- the exploit that was prominently used to spread WannaCry ransomware.
This process drops the file “x64.bin," which contains code to create a malicious VBScript file, which in turn downloads an executable from an external location. Imperva describes the executable as a "well-known cryptominer malware," but does not specify which one it is.
To guard against this threat, Imperva recommends that users patch their web applications and databases, properly configure their Redis servers, and ensure that machines aren't running the vulnerable SMB protocol.
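The Redis half of this campaign depends on instances that answer on port 6379 to anyone on the internet and accept commands without credentials. The following audit script is an added example, not code from Imperva, the Redis project, or the article; it parses a redis.conf and reports the settings that produce that exposure. The directives it checks (bind, protected-mode, requirepass, rename-command) are real redis.conf directives; the two configuration fragments and the password placeholder are constructed for the example.

```python
"""Audit a redis.conf for the settings that leave a Redis server reachable
and writable by unauthenticated clients on the internet.

Added example (not Imperva's or Redis's code). The two config fragments
below are constructed; the directives checked are standard redis.conf ones.
"""

from dataclasses import dataclass, field

# Addresses a bind directive may use for loopback only. redis.conf accepts a
# leading '-' to mark an address as optional, so those spellings count too.
LOOPBACK = {"127.0.0.1", "::1", "-127.0.0.1", "-::1"}


@dataclass
class RedisAudit:
    bound_addresses: list       # values of the bind directive ([] if absent)
    protected_mode: bool        # protected-mode yes/no (default yes)
    has_password: bool          # a non-empty requirepass is set
    config_renamed: bool        # CONFIG was renamed or disabled via rename-command
    findings: list = field(default_factory=list)


def parse_redis_conf(text):
    """Return {directive: [[arg, ...], ...]} for active (non-comment) lines.
    A directive may appear more than once, e.g. several rename-command lines."""
    directives = {}
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        parts = line.split()
        directives.setdefault(parts[0].lower(), []).append(parts[1:])
    return directives


def audit_redis_conf(text):
    """Collect the weak settings from a redis.conf string."""
    d = parse_redis_conf(text)
    findings = []

    bind_values = [v for args in d.get("bind", []) for v in args]
    if not bind_values:
        # No bind directive at all: Redis listens on every interface.
        non_loopback = ["(all interfaces, no bind directive)"]
    else:
        non_loopback = [v for v in bind_values if v not in LOOPBACK]
    if non_loopback:
        findings.append("reachable on non-loopback address(es): " + ", ".join(non_loopback))

    protected = d.get("protected-mode", [["yes"]])[-1][0].lower() == "yes"
    if not protected:
        findings.append("protected-mode is off, so unauthenticated remote clients are not refused")

    pw_args = d.get("requirepass", [[]])[-1]
    has_password = bool(pw_args) and pw_args[0] not in ('""', "''")
    if not has_password:
        findings.append("no requirepass: any client that reaches the port can issue commands")

    # 'rename-command CONFIG ""' disables CONFIG; renaming it is the older mitigation.
    config_renamed = any(args and args[0].upper() == "CONFIG"
                         for args in d.get("rename-command", []))
    if not config_renamed:
        findings.append("CONFIG command still exposed under its default name")

    return RedisAudit(bind_values, protected, has_password, config_renamed, findings)


def unauthenticated_remote_access(audit):
    """True when a remote client can run commands with no credentials.
    Caveat: protected-mode only refuses external clients when no bind directive
    is set; an explicit 'bind 0.0.0.0' bypasses it, and only a password helps."""
    if audit.has_password:
        return False
    if not audit.bound_addresses:
        return not audit.protected_mode
    return any(a not in LOOPBACK for a in audit.bound_addresses)


# Constructed sample: a Redis instance left wide open on an old image.
WEAK_CONF = """
bind 0.0.0.0
port 6379
protected-mode no
"""

# Constructed sample: loopback only, protected mode, a password (placeholder
# value, not a real credential) and CONFIG disabled.
HARDENED_CONF = """
bind 127.0.0.1 -::1
port 6379
protected-mode yes
requirepass "REPLACE-WITH-LONG-RANDOM-SECRET"
rename-command CONFIG ""
"""


if __name__ == "__main__":
    for name, conf in (("weak", WEAK_CONF), ("hardened", HARDENED_CONF)):
        result = audit_redis_conf(conf)
        print(f"{name}: unauthenticated remote access = {unauthenticated_remote_access(result)}")
        for f in result.findings:
            print("  -", f)
```

Run it against an instance's own redis.conf (or the output of `redis-cli CONFIG GET` reformatted as directive lines) to get a quick read on whether the server would be a candidate for a scan like redisscan.sh. The protected-mode caveat in `unauthenticated_remote_access` is the one that bites in practice: operators who set `bind 0.0.0.0` to make an instance reachable from an application tier also switch protected mode off implicitly, so a password (or network-level filtering of 6379) is what actually closes the hole.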