Holidays post! Unwrapping miner malware! \(^o^)/ pt. 1

Hello, and happy holidays! I have a few binaries to unwrap for you today. These are 2 separate incidents from the prior week of some more miners in the wild.

First up we have Case 1.


Alert method: Hacked site and Spamming

So this case began as a report of spamming on the server. After running a check on the mail activity on the server, it was quickly revealed to be due to PHP mailer scripts. That led to finding several malicious backdoors planted on 2 sites on the server. Pretty standard hacked site and spamming investigation so far. Next, to double check the results of my first scan, I ran a second scanner to look for things I may have missed. Bingo, 2 more hits!

{HEX}php.base64.v23au.185 : /home/XXXXXXXX/public_html/wp-includes/Requests/Utility/favicon_8fe607.ico
{CAV}Unix.Malware.Agent-1847048 : /tmp/phpGV8mRa_ynb36jmjimun4uax

The file found in /tmp was the one that really sparked my interest. I booted up my minerchk script and, lo and behold, what have we here: active mining in progress!

============================
-- Miner Check alpha --
============================
Enter 1 to run miner checks on server.
 
Enter 2 to run miner checks embeded in Website
 
Enter 3 to innoculate server
 
Enter 4 to quit
1
=== Checking for miners in /tmp === 
/tmp/phpGV8mRa.c:mine = stratum+tcp://XXXXekfZdWY1e74dUzQUayG2K4zHhp3RvVqjrRLvGXsUaW43QdLUkSH6rRSscU6bsSBJ7YmKuhmCE8x8iPCXLLotUC2HUzP:x@xmr.crypto-pool.fr:3333/xmr
Binary file /tmp/phpGV8mRa_ynb36jmjimun4uax matches
=== Checking for miners in running processes === 
 
=== Checking for common miner ports === 
tcp 0 1 64.91.X.X:56922 78.46.89.102:3333 SYN_SENT 4967/phpGV8mRa_ynb3

Here the check for the common mining ports is showing an active connection from the server to the mining pool located at 78.46.89.102, communicating over port 3333. It was quite nice to see the script doing its job in the wild. However, this led me to an interesting conundrum: here we have an active miner, but load on the server was running quite low compared to other mining compromises. I ran the checks a few more times, looking at the connections.


=== Checking for common miner ports === 
tcp 0 1 64.91.X.X:45796 94.130.164.60:7777 SYN_SENT 4967/phpGV8mRa_ynb3 

=== Checking for common miner ports === 
tcp 0 1 64.91.X.X:54556 138.201.31.12:3333 SYN_SENT 4967/phpGV8mRa_ynb3 
tcp 0 1 64.91.X.X:50448 37.59.44.193:3333 SYN_SENT 4967/phpGV8mRa_ynb3

=== Checking for common miner ports === 
tcp 0 1 64.91.X.X:32802 158.69.143.112:5555 SYN_SENT 4967/phpGV8mRa_ynb3


=== Checking for common miner ports === 
tcp 0 1 64.91.X.X:46606 78.46.89.102:5555 SYN_SENT 4967/phpGV8mRa_ynb3


=== Checking for common miner ports === 
tcp 0 1 64.91.X.X:56546 50.28.33.98:3333 SYN_SENT 4967/phpGV8mRa_ynb3

Here we can see from the changing IP addresses that it is rotating between several different mining pools, trying several different ports. But still no unusual load on the server processor.

root@host [2889 13:39:35 /tmp]# tcpdump -nnvvS src 64.91.X.X and dst port 3333 -w miner.pcap
tcpdump: listening on eth0, link-type EN10MB (Ethernet), capture size 65535 bytes
0 packets captured
0 packets received by filter
0 packets dropped by kernel

Well, it turns out that our default firewall setup was still in place, which only allows outgoing connections on allowed ports, and all of the above ports were blocked outgoing in the firewall. This was why the load was so low: none of these connections were successfully leaving the server. This may also be why it was spamming, but who knows, there could be different actors behind the spam and the mining.

What we could learn was the likely vector by which this arrived. Hat tip to the filescout program from Matt Jung.

============================================
 Log diving 
============================================

Found an HTTP POST entry when grepping for a 10 second window around the change time in the Apache domlogs.

/home/XxXxXx/logs/XxXxXx.com-Dec-2017.gz:198.12.149.108 - - [15/Dec/2017:14:05:14 -0600] "POST /wp-content/plugins/all-in-one-wp-migration/fbqevcdb.php HTTP/1.1" 301 - "http://XxXxXx.com/wp-content/plugins/all-in-one-wp-migration/fbqevcdb.php" "Mozilla/5.0 (Windows NT 10.0; WOW64; Trident/7.0; rv:11.0) like Gecko"

The above POST request was directed at this file: /home/XxXxXx/public_html/wp-content/plugins/all-in-one-wp-migration/fbqevcdb.php

Here we can see that it looks like this miner was uploaded through one of the previously identified backdoor shells.
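The 10 second window search described above, as an added example (not part of the original post or of the filescout tool): a small Python version that parses Apache combined-format lines, returns the entries within a window around the file change time, and pulls out the POSTs to .php targets. The log lines are constructed samples modelled on the quoted entry, and `read_log` assumes cPanel-style plain or gzipped domlogs.

```python
import gzip
import re
from datetime import datetime, timedelta

# Constructed sample lines in Apache combined log format; the POST is modelled
# on the entry quoted above, the two GETs are filler traffic.
SAMPLE_LOG = [
    '198.51.100.7 - - [15/Dec/2017:14:04:40 -0600] "GET / HTTP/1.1" 200 5120 "-" "Mozilla/5.0"',
    '198.12.149.108 - - [15/Dec/2017:14:05:14 -0600] "POST /wp-content/plugins/all-in-one-wp-migration/fbqevcdb.php HTTP/1.1" 301 - "-" "Mozilla/5.0"',
    '198.51.100.7 - - [15/Dec/2017:14:05:30 -0600] "GET /wp-login.php HTTP/1.1" 200 2048 "-" "Mozilla/5.0"',
]

LINE_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>\S+) (?P<path>\S+)[^"]*" (?P<status>\d{3})')

def parse_ts(ts):
    """Parse an Apache timestamp such as '15/Dec/2017:14:05:14 -0600'."""
    return datetime.strptime(ts, "%d/%b/%Y:%H:%M:%S %z")

def read_log(path):
    """Read a plain or gzipped domlog (cPanel rotates them as .gz)."""
    opener = gzip.open if path.endswith(".gz") else open
    with opener(path, "rt", errors="replace") as fh:
        return fh.read().splitlines()

def requests_near(lines, change_time, window=10):
    """Entries within +/- window seconds of change_time (tz-aware datetime)."""
    lo = change_time - timedelta(seconds=window)
    hi = change_time + timedelta(seconds=window)
    hits = []
    for line in lines:
        m = LINE_RE.match(line)
        if not m:
            continue
        when = parse_ts(m.group("ts"))
        if lo <= when <= hi:
            hits.append({"ip": m.group("ip"), "when": when,
                         "method": m.group("method"), "path": m.group("path"),
                         "status": int(m.group("status"))})
    return hits

def suspicious_posts(lines, change_time, window=10):
    """POST requests to .php targets inside the window: worth a closer look."""
    return [e for e in requests_near(lines, change_time, window)
            if e["method"] == "POST" and e["path"].endswith(".php")]
```

Feed it the mtime of the dropped file (converted to a tz-aware datetime) as `change_time`; with the real logs, `read_log("/home/user/logs/site.com-Dec-2017.gz")` replaces `SAMPLE_LOG`.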


So I'm fairly certain, based on the config file contents, that this miner is the YAM miner software, but I need to confirm this.

/tmp/phpGV8mRa.c:mine = stratum+tcp://XXXXekfZdWY1e74dUzQUayG2K4zHhp3RvVqjrRLvGXsUaW43QdLUkSH6rRSscU6bsSBJ7YmKuhmCE8x8iPCXLLotUC2HUzP:x@xmr.crypto-pool.fr:3333/xmr
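As an added example (not code from minerchk or from the post), here is the same idea in Python: parse the `mine =` target out of a YAM config line and classify netstat lines against a set of common pool ports, separating SYN_SENT (egress blocked, as on this server) from ESTABLISHED (the test box). The port set and sample lines are assumptions built from the output shown above, and the wallet is a placeholder.

```python
import re
from urllib.parse import urlparse

# Pool ports that appeared in the netstat checks above; this set is an
# assumption for the example, not minerchk's own port list.
MINER_PORTS = {3333, 5555, 6666, 7777}

# Constructed sample input modelled on the output in this post
# (the wallet address is a placeholder, not the real one).
SAMPLE_CONFIG = "mine = stratum+tcp://WALLET_REDACTED:x@xmr.crypto-pool.fr:3333/xmr"
SAMPLE_NETSTAT = [
    "tcp 0 1 64.91.X.X:56922 78.46.89.102:3333 SYN_SENT 4967/phpGV8mRa_ynb3",
    "tcp 0 1 64.91.X.X:45796 94.130.164.60:7777 SYN_SENT 4967/phpGV8mRa_ynb3",
    "tcp 0 0 64.91.X.X:34500 203.0.113.9:443 ESTABLISHED 1200/httpd",
    "tcp 0 67 10.X.X.X:42010 37.59.56.102:5555 ESTABLISHED 23915/./phpGV8mRa_y",
]

def parse_mine_target(config_line):
    """Split a YAM 'mine = stratum+tcp://wallet:pass@pool:port/coin' line."""
    m = re.match(r"\s*mine\s*=\s*(\S+)", config_line)
    if not m:
        return None
    u = urlparse(m.group(1))
    return {"scheme": u.scheme, "wallet": u.username, "pool": u.hostname,
            "port": u.port, "coin": u.path.strip("/")}

def classify_netstat(lines):
    """Pick out 'netstat -antp' lines whose remote port is in MINER_PORTS.
    SYN_SENT that never progresses is what an egress-filtered miner looks
    like; ESTABLISHED means the pool was actually reached."""
    hits = []
    for line in lines:
        parts = line.split()
        if len(parts) < 6 or not parts[0].startswith("tcp"):
            continue
        remote_ip, _, remote_port = parts[4].rpartition(":")
        if not remote_port.isdigit() or int(remote_port) not in MINER_PORTS:
            continue
        hits.append({"remote": remote_ip, "port": int(remote_port),
                     "state": parts[5],
                     "proc": parts[6] if len(parts) > 6 else "-",
                     "reachable": parts[5] == "ESTABLISHED"})
    return hits

def summarize(lines):
    """Distinct pool IPs contacted and whether any connection got through."""
    hits = classify_netstat(lines)
    return {"pools": sorted({h["remote"] for h in hits}),
            "any_reachable": any(h["reachable"] for h in hits)}
```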

So I grabbed a copy of the files and dropped them into a test environment. And indeed, as I suspected, we have the YAM miner.

YAM - Yet Another Miner by yvg1900
yam M7v-linux64-generic/yvg1900
**********************************************************************************************************
* Supported coins: PTS MMC MAX GRS DMD DVK MYR BCN QCN FCN XMR *
* Author: yvg1900 (Twitter @yvg1900) *
* XPT protocol: jh (http://ypool.net) *
* *
* Addresses for Thanks and Donations: *
**********************************************************************************************************
Loading config file [phpGV8mRa.c]
Miner version: yam M7v-linux64-generic/yvg1900
Checking target [stratum+tcp://XXXXekfZdWY1e74dUzQUayG2K4zHhp3RvVqjrRLvGXsUaW43QdLUkSH6rRSscU6bsSBJ7YmKuhmCE8x8iPCXLLotUC2HUzP:x@xmr.crypto-pool.fr:3333/xmr]...
Target OK
Checking XMR optimizations compatibility...
OK: XMR optimizations are compatible
Monero: Determine Algorithm Variation by finetuning
Using 1 CPU mining threads
 Will mine 6 rounds for miner developers to support development of the next version
 Follow @yvg1900 on Twitter to get information on new version availability on time
STRATUM-RPC2: Logged in with XXXXekfZdWY1e74dUzQUayG2K4zHhp3RvVqjrRLvGXsUaW43QdLUkSH6rRSscU6bsSBJ7YmKuhmCE8x8iPCXLLotUC2HUzP
New Monero Block nTime 1513455382
Monero Aggregated Hash/sec: ?; Rounds Complete/Incomplete: 0/0, Donated Complete/Incomplete: 0/0; Config/Worker Hash/sec: ?/? on 0 rounds with AV=1, ART=? ms; Fine-tuning: IN PROGRESS, AV/RT: 1/0, Best AV/RT: 1/0
 xmr.crypto-pool.fr: On-line, Shares Submitted 0, Accepted 0
Monero Aggregated Hash/sec: ?; Rounds Complete/Incomplete: 0/0, Donated Complete/Incomplete: 0/0; Config/Worker Hash/sec: ?/? on 0 rounds with AV=1, ART=? ms; Fine-tuning: IN PROGRESS, AV/RT: 1/0, Best AV/RT: 1/0
 xmr.crypto-pool.fr: On-line, Shares Submitted 0, Accepted 0

On the test machine no such firewall rules were blocking the connections, so load started rising quite quickly.

=== Checking for common miner ports === 
tcp 0 68 10.X.X.X:46442 163.172.204.213:3333 FIN_WAIT1 - 
tcp 0 68 10.X.X.X:45420 163.172.226.120:3333 FIN_WAIT1 - 
tcp 0 67 10.X.X.X:42010 37.59.56.102:5555 ESTABLISHED 23915/./phpGV8mRa_y 
tcp 0 1 10.X.X.X:46276 158.69.145.60:5555 SYN_SENT 23915/./phpGV8mRa_y 
tcp 0 68 10.X.X.X:41168 188.165.254.85:5555 FIN_WAIT1 - 
tcp 0 1 10.X.X.X:48254 212.83.158.14:6666 SYN_SENT 23915/./phpGV8mRa_y

This post turned out to be longer than I expected, so the 2nd miner rundown will wait for part 2 of this unwrapping experience. Have a great time, and if you have questions hit me up on Twitter @laskow26.


Check out the minerchk script here: https://github.com/Hestat/minerchk