Cryptominer z0Miner Uses Newly Discovered Vulnerability CVE-2021-26084 to Its Advantage


Exploits & Vulnerabilities

By: Nikki Madayag, Josefino Fajilago IV

September 21, 2021


Recently, we discovered that the cryptomining trojan z0Miner has been taking advantage of Atlassian's Confluence remote code execution (RCE) vulnerability, assigned CVE-2021-26084, which Atlassian disclosed in August. Given the growing popularity of the cryptocurrency market, we expect the malware authors behind trojans like z0Miner to keep updating the techniques and entry vectors they use to gain a foothold in a system.
This trojan was first observed exploiting Oracle's WebLogic Server RCE, CVE-2020-14882, late last year. Since then, z0Miner has been gaining attention by abusing different unauthorized RCE vulnerabilities, such as the ElasticSearch RCE bug, CVE-2015-1427.
Infection chain
Based on our investigation, we found that the infection chain that leverages the new CVE-2021-26084 flaw (Figure 1) is identical to earlier findings on z0Miner, as reported by 360 Netlab and Tencent Security.
Once the Confluence vulnerability is successfully exploited, z0Miner deploys web shells that download the following malicious files:

hxxp://213[.]152[.]165[.]29/x[.]bat: detected by Trend Micro as Trojan.BAT.TINYOMED.ZYII
hxxp://213[.]152[.]165[.]29/uninstall[.]bat: detected by Trend Micro as Trojan.BAT.SVCLAUNCHER.ZYII
hxxp://213[.]152[.]165[.]29/vmicguestvs[.]dll: detected by Trend Micro as Trojan.Win64.TINYOMED.ZYII
hxxp://27[.]1[.]1[.]34:8080/docs/s/sys[.]ps1: detected by Trend Micro as Trojan.PS1.Z0MINER.YXAIJ

Figure 1. The infection chain of z0Miner

Evasion mechanisms
The malware is known to use several persistence and defense evasion mechanisms, one of which is the installation of the file vmicguestvs.dll, which z0Miner disguises as a legitimate integration service called "Hyper-V Guest Integration" (Figure 2).

Figure 2. The creation of the fraudulent "Hyper-V Guest Integration" service

One of the downloaded scripts also creates a scheduled task called .NET Framework NGEN v4.0.30319 32 that poses as a .NET Framework NGEN task, as shown in Figure 3. This scheduled task is designed to download and execute a script from Pastebin every 5 minutes. However, as of this writing, the contents of the Pastebin URL have already been taken down.

Figure 3. The creation of the scheduled task

The z0Miner trojan then proceeds to collect its own mining tools from URLs contained in the file ok.bat, as shown in Figure 4. It also downloads another script named clean.bat to find and delete any cryptocurrency mining payloads from competitors (Figure 5).

Figure 4. The URLs and file paths of z0Miner's mining components from the file ok.bat

Figure 5. The clean.bat file that locates and deletes other cryptominers
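The two persistence mechanisms described above (a service that borrows a Hyper-V name and a scheduled task that borrows the NGEN name but fetches from Pastebin) can be hunted for with a simple inventory check, and the hashes in the report's IoC table can be matched against files on disk. The following script is an added example written for this page; it is not Trend Micro's code or part of z0Miner. The service and task records are constructed sample data shaped like a PowerShell export (Get-CimInstance Win32_Service, Get-ScheduledTask), the binary paths in them are placeholders, and the baseline rule that legitimate Hyper-V services and NGEN tasks run from under the Windows directory is an assumption chosen for this example.

```python
import hashlib
import os
import re
import tempfile
from pathlib import Path

# SHA-256 values and filenames copied from the report's indicators-of-compromise table.
Z0MINER_SHA256 = {
    "49f3d06419d9578551e584515f44b2ee714e1eef96b94e68ea957f2943deca5a": "error.jsp",
    "cb339d08c0ad7c4d07b06cae5d7eae032fb1bb1178d80b2a1997a8b8257b5bea": "uninstall.bat",
    "0663d70411a20340f184ae3b47138b33ac398c800920e4d976ae609b60522b01": "wxm.exe",
    "a5604893608cf08b7cbfb92d1cac20868808218b3cc453ca86da0abaeadc0537": "network02.exe",
    "f176d69f18cde008f1998841c343c3e5d4337b495132232507a712902a0aec5e": ".solrg",
    "4a2fbe904e4665939d8517c48fb3d5cb67e9b1482195c41fe31396318118cfc8": "sys.ps1",
    "7d8b52e263bc548891c1623695bac7fb21dab112e43fffb515447a5cc709ac89": "clean.bat",
}

# Assumption used as the baseline: genuine Hyper-V integration services and the
# genuine .NET NGEN task run binaries that live under the Windows directory.
WINDOWS_DIR = re.compile(r"^(?:%systemroot%|c:\\windows)\\", re.IGNORECASE)

# Constructed sample inventory. The second service and the second task mirror the
# names the report describes; every path below is a placeholder, not a real IoC.
SAMPLE_SERVICES = [
    {"name": "vmicguestinterface", "display": "Hyper-V Guest Service Interface",
     "path": r"C:\Windows\System32\svchost.exe -k ICService"},
    {"name": "vmicguestvs", "display": "Hyper-V Guest Integration",
     "path": r"C:\Users\Public\vmicguestvs.dll"},
]
SAMPLE_TASKS = [
    {"name": r"\Microsoft\Windows\.NET Framework\.NET Framework NGEN v4.0.30319",
     "action": r"C:\Windows\Microsoft.NET\Framework\v4.0.30319\ngentask.exe",
     "interval_minutes": None},
    {"name": ".NET Framework NGEN v4.0.30319 32",
     "action": "powershell.exe -c <fetch and run hxxp://pastebin.com/raw/bcFqDdXx>",
     "interval_minutes": 5},
]


def sha256_of_bytes(data):
    return hashlib.sha256(data).hexdigest()


def sha256_of_file(path):
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(1 << 20), b""):
            h.update(chunk)
    return h.hexdigest()


def scan_hashes(directory, iocs=Z0MINER_SHA256):
    """Return {path: ioc_filename} for every regular file under directory whose
    SHA-256 appears in the IoC set."""
    hits = {}
    for p in Path(directory).rglob("*"):
        if p.is_file():
            digest = sha256_of_file(p)
            if digest in iocs:
                hits[str(p)] = iocs[digest]
    return hits


def suspicious_services(services):
    """Names of services whose display name claims to be a Hyper-V component but
    whose binary path is outside the Windows directory (masquerading, T1036.004)."""
    return [s["name"] for s in services
            if s["display"].lower().startswith("hyper-v")
            and not WINDOWS_DIR.match(s["path"])]


def suspicious_tasks(tasks):
    """Names of scheduled tasks that carry the NGEN name but do not run the
    framework's own binaries, or whose action references pastebin.com."""
    flagged = []
    for t in tasks:
        action = t["action"].lower()
        looks_like_ngen = "ngen" in t["name"].lower()
        runs_from_framework = "\\microsoft.net\\framework" in action
        if looks_like_ngen and (not runs_from_framework or "pastebin.com" in action):
            flagged.append(t["name"])
    return flagged


def demo_scan():
    """Self-contained demonstration of scan_hashes on a constructed file: the IoC
    set is built from the file's own digest so the match is deterministic."""
    tmp = tempfile.mkdtemp()
    sample = b"constructed sample content"
    with open(os.path.join(tmp, "sample.bin"), "wb") as f:
        f.write(sample)
    return scan_hashes(tmp, {sha256_of_bytes(sample): "sample.bin"})


if __name__ == "__main__":
    print("masquerading services:", suspicious_services(SAMPLE_SERVICES))
    print("suspicious tasks:", suspicious_tasks(SAMPLE_TASKS))
    print("hash hits (demo):", demo_scan())
```

On a real host, feed suspicious_services and suspicious_tasks with the exported inventory and point scan_hashes at the Confluence installation and temp directories; the functions only read, so they are safe to run during triage.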

Security recommendations
Although Atlassian has already released a patch addressing the Confluence vulnerability, users can take additional steps to minimize their systems' exposure to threats like z0Miner. Regularly updating systems and applications with the latest patches plays a critical role in mitigating risk for end users, ensuring that these security gaps cannot be abused for malicious activities.
To assist with patch management, users can turn to solutions such as Trend Micro™ Deep Security™ and Trend Micro Cloud One™ – Workload Security, which provide virtual patching that protects servers and endpoints from threats that abuse vulnerabilities in critical applications. Trend Micro™ Deep Discovery™ provides detection, in-depth analysis, and a proactive response to attacks using exploits and other similar threats through specialized engines, custom sandboxing, and seamless correlation across the entire attack life cycle, allowing it to detect threats even without any engine or pattern update.
Similarly, Workload Security defends systems and detects vulnerabilities and malware with the broadest hybrid cloud security capabilities for a mixed environment of virtual, physical, cloud, and container workloads. Using techniques such as machine learning (ML) and virtual patching, Workload Security also protects new and existing workloads even against unknown threats. It also shields users from exploits that target the Confluence vulnerability via the following rule:

1011117 – Atlassian Confluence Server Remote Code Execution Vulnerability (CVE-2021-26084)

Users can also benefit from the TippingPoint® Threat Protection System, which uses comprehensive and contextual awareness analysis for advanced threats that exploit vulnerabilities. Threat intelligence from sources such as Digital Vaccine Labs (DVLabs) and the Zero Day Initiative (ZDI) provides maximum threat coverage, and virtual patching shields vulnerabilities against exploits. TippingPoint protects customers through the following rule:

40260: HTTP: Atlassian Confluence Server and Data Center OGNL Injection Vulnerability

MITRE ATT&CK Tactics and Techniques
The following are the MITRE ATT&CK tactics and techniques associated with CVE-2021-26084 as bundled with z0Miner:

Tactic: Execution
  T1569.002: System Services: Service Execution
Tactic: Persistence
  T1053.005: Scheduled Task
  T1543.003: Create or Modify System Process: Windows Service
Tactic: Defense Evasion
  T1112: Modify Registry
  T1489: Service Stop
  T1562.001: Impair Defenses: Disable or Modify Tools
  T1036.004: Masquerade Task or Service
  T1070.004: File Deletion
Tactic: Discovery
  T1033: System Owner/User Discovery
  T1049: System Network Connections Discovery
  T1069.001: Permission Groups Discovery: Local Groups
  T1069.002: Permission Groups Discovery: Domain Groups
  T1082: System Information Discovery
  T1087: Account Discovery
  T1087.001: Account Discovery: Local Account
  T1087.002: Account Discovery: Domain Account
  T1124: System Time Discovery
Tactic: Impact
  T1496: Resource Hijacking

Indicators of compromise

SHA-256 | Filename | Trend Micro Detection Name
49f3d06419d9578551e584515f44b2ee714e1eef96b94e68ea957f2943deca5a | error.jsp | Possible_SMASPWEBSHELL
cb339d08c0ad7c4d07b06cae5d7eae032fb1bb1178d80b2a1997a8b8257b5bea | uninstall.bat | Backdoor.Java.WEBSHELL.SBJKTK
0663d70411a20340f184ae3b47138b33ac398c800920e4d976ae609b60522b01 | wxm.exe | PUA.Win64.Xmrig.KBL
a5604893608cf08b7cbfb92d1cac20868808218b3cc453ca86da0abaeadc0537 | network02.exe | Coinminer.Win64.MALXMR.SMA
f176d69f18cde008f1998841c343c3e5d4337b495132232507a712902a0aec5e | .solrg | Trojan.SH.Z0MINER.YXAIJ
4a2fbe904e4665939d8517c48fb3d5cb67e9b1482195c41fe31396318118cfc8 | sys.ps1 | Trojan.PS1.Z0MINER.YXAIJ
e9ba929949c7ea764a298e33af1107ff6feefe884cabf6254ff574efff8a2e40 | | 
7d8b52e263bc548891c1623695bac7fb21dab112e43fffb515447a5cc709ac89 | clean.bat | Trojan.BAT.KILLMINE.YXAIJ

URLs

hxxp://209.141.40.190/oracleservice.exe
hxxp://209.141.40.190/wxm.exe
hxxp://27.1.1.34:8080/docs/s/config.json
hxxp://27.1.1.34:8080/examples/clean.bat
hxxp://27.1.1.34:8080/docs/s/sys.ps1
hxxp://222.122.47.27:2143/auth/xmrig.exe
hxxp://pastebin.com/raw/bcFqDdXx
hxxp://pastebin.com/raw/g93wWHkR
hxxp://164.52.212.196:88/eth.jpg
hxxp://66.42.117.168/BootCore_jsp
hxxp://164.52.212.196:88/1.jpg
hxxp://209.141.40.190/xms
hxxp://172.96.249.219:88/.jpg
hxxp://172.96.249.219:88/1.jpg 1.bat
hxxps://zgpay.cc/css/kwork.sh
hxxps://raw.githubusercontent.com/alreadyhave/thinkabout/main/kwork.sh
hxxp://213.152.165.29/vmicguestvs.dll
hxxp://213.152.165.29/uninstall.bat
hxxp://213.152.165.29/x.bat
