So earlier this past month I was looking over my web attack dashboard and normally I see standard recon scanning for phpmyadmin and known wordpress shells, but on the 17th, something stood out to me. An attack that looked to be targeting php websites on Windows operating systems and dropping an EXE file. So I decided to see where this led to.
So first here’s the URL’s that revealed the attack attempt.
Looking into the strings or the URI we can see that they are trying a command injection into the PHP in the public folder of a Windows system. Doing a little bit of googling it looks like they are trying to exploit a known vulnerability in Think PHP. Sonicwall did a write up as they noticed a campaign using this back in December. From there they are calling cmd.exe to run powershell to collect download.exe and name it 9.exe. Well what does download.exe do? Why download things of course!
That’s just the first thing, why this thing does it all, it runs mimikatz, drops executables, schedules tasks, runs a crypto miner, checks for other hosts on the local subnet, disables Windows Defender, and even then tries to spread using its pilfered creds.
And then its time to spread its little malware wings and try to spread.
Luckily detection for this is pretty good and you have to really try to execute this virulent malware as of today on a windows system.
a46.bulehero.in a88.bulehero.in a45.bulehero.in axx.bulehero.in a47.bulehero.in a48.bulehero.in pool.bulehero.in gl.bulehero.in www.bulehero.in c.bulehero.in b.bulehero.in a666.bulehero.in
Cyrpto Mining Pool Observed:
Virustotal Domains to above IP:
2019-01-15 7/67 http://pool.bulehero.in:7777/ 2019-01-12 8/67 http://pool.bulehero.in:5555/ 2019-01-16 6/67 http://pool.bulehero.in/
Port Observed in sample: