Cryptojacking Attack Campaign Against Apache Web Servers Using Cobalt Strike – ASEC BLOG

ASEC reports attacks against vulnerable Apache web servers where threat actors deploy Cobalt Strike beacons and XMRig coin miners on Windows servers, often via PHP web shells and unpatched vulnerabilities. The operation uses obfuscated malware, staged beacons, and HTTP/HTTPS-based C2 with later attempts to install Gh0st RAT to gain persistence and mine Monero for profit. #CobaltStrike #XMRig #Gh0stRAT #Apache #webshell #Monero

Keypoints

  • Attacks target Windows servers running Apache/PHP with old or unpatched software, leveraging web shells and vulnerabilities.
  • Cobalt Strike is used as the main backdoor/beacon to control the infected system, with both stager and stageless delivery patterns.

MITRE Techniques

  • [T1190] Exploit Public-Facing Application – Targeted Apache/PHP environments with unpatched vulnerabilities and PHP web shells installed. ‘Targeted systems were all environments with old versions of the Apache web service and PHP installed.’
  • [T1105] Ingress Tool Transfer – Downloader malware downloads a beacon from an external source and executes it in memory. ‘downloader malware that downloads a beacon from an external source and executes it in the memory area.’
  • [T1573] Obfuscated/Compressed Files and Information – Malware strains are obfuscated, including Golang or PyInstaller builds. ‘obfuscated the malware strains used, even using Golang or PyInstaller.’
  • [T1071.001] Application Layer Protocol – Beacons communicate with the C2 server via HTTP/HTTPS/DNS. ‘beacons can communicate with the C&C server via protocols such as http, https, and dns.’
  • [T1021.002] SMB/Windows Admin Shares – An SMB beacon is used to communicate for lateral movement within the network. ‘an SMB beacon that communicates via the SMB protocol is used.’
  • [T1055] Process Injection – Cobalt Strike configurations show target processes for injection. ‘the target process for injection.’
  • [T1496] Resource Hijacking – CoinMiner (XMRig) installed to mine Monero for profit. ‘CoinMiner that mines Monero coins was ultimately installed.’

Indicators of Compromise

  • [IP] 121.135.44.49:808, 202.30.19.218:521 and other related IPs used for C2 or beacon communications
  • [Domain] one188.one, gd.one188.one (domains referenced for Gh0st/RAT activity)
  • [URL] hxxp://121.135.44[.]49:808/ptj, hxxp://121.135.44[.]49:808/updates.rss, hxxp://121.135.44[.]49:808/ga.js (Cobalt Strike beacons)
  • [File] 3JONXp.exe, 256.exe (Cobalt Strike beacons/stagers)
  • [MD5] 719253ddd9c49a5599b4c8582703c2fa, 594365ee18025eb9c518bb266b64f3d2 (CobaltStrike Beacon)
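As an added defender-side example (not code from the ASEC post), the script below refangs the indicators listed above and matches them against an egress proxy log and a list of file-hash events. The Squid-style log layout, the host names, the benign MD5 and all log lines are constructed for illustration. Matches on the beacon URI path alone (/ptj, /updates.rss, /ga.js on some other host) are reported at low confidence, because those paths are not unique to this campaign; a match on the listed C2 address or domain is the strong signal.

```python
"""Match the Cobalt Strike / Gh0st IoCs from this report against log data.

Added example, not from the ASEC post. Indicators come from the report's
IoC list; the log lines and hash events below are constructed samples.
"""
from dataclasses import dataclass
from urllib.parse import urlsplit

# Indicators as listed in the report (URLs defanged with hxxp / [.]).
IOC_IPS = {"121.135.44.49", "202.30.19.218"}
IOC_DOMAINS = {"one188.one", "gd.one188.one"}
IOC_URLS_DEFANGED = [
    "hxxp://121.135.44[.]49:808/ptj",
    "hxxp://121.135.44[.]49:808/updates.rss",
    "hxxp://121.135.44[.]49:808/ga.js",
]
IOC_MD5 = {"719253ddd9c49a5599b4c8582703c2fa", "594365ee18025eb9c518bb266b64f3d2"}


def refang(indicator: str) -> str:
    """Turn a defanged indicator (hxxp, [.]) back into its matchable form."""
    return indicator.replace("hxxp", "http").replace("[.]", ".")


# Beacon URI paths, used only as a weak secondary signal.
IOC_URL_PATHS = {urlsplit(refang(u)).path for u in IOC_URLS_DEFANGED}

# Constructed sample: Squid-style egress log (client IP is field 3, URL is field 7).
SAMPLE_EGRESS_LOG = """\
1700000000.101 203 10.0.0.5 TCP_MISS/200 412 GET http://121.135.44.49:808/ptj - HIER_DIRECT/121.135.44.49 text/html
1700000000.202 55 10.0.0.7 TCP_MISS/200 9001 GET http://cdn.example.com/jquery.js - HIER_DIRECT/93.184.216.34 application/javascript
1700000000.303 61 10.0.0.5 TCP_MISS/200 2100 GET http://gd.one188.one/ - HIER_DIRECT/198.51.100.9 text/html
1700000000.404 77 10.0.0.9 TCP_MISS/404 300 GET http://updates.example.org/updates.rss - HIER_DIRECT/198.51.100.20 text/xml
"""

# Constructed sample: file-hash events as an EDR might export them.
SAMPLE_HASH_EVENTS = [
    {"host": "web01", "path": r"C:\inetpub\256.exe", "md5": "594365ee18025eb9c518bb266b64f3d2"},
    {"host": "web02", "path": r"C:\Windows\notepad.exe", "md5": "0000000000000000000000000000dead"},
]


@dataclass
class Hit:
    client: str
    url: str
    reason: str


def classify_url(url: str):
    """Return why a URL matches the IoC set, or None if it does not."""
    parts = urlsplit(url)
    host = (parts.hostname or "").lower()
    if host in IOC_IPS:
        return "c2-ip"  # any contact with a listed C2 address is a strong hit
    if any(host == d or host.endswith("." + d) for d in IOC_DOMAINS):
        return "c2-domain"  # listed domain or a subdomain of it
    if parts.path in IOC_URL_PATHS:
        # The beacon URI paths are not unique to this campaign; on their own
        # they only justify a closer look, so mark them low confidence.
        return "beacon-path-low-confidence"
    return None


def scan_egress_log(text: str):
    """Scan Squid-style log lines and return one Hit per matching request."""
    hits = []
    for line in text.splitlines():
        fields = line.split()
        if len(fields) < 7:
            continue  # skip blank or truncated lines
        client, url = fields[2], fields[6]
        reason = classify_url(url)
        if reason:
            hits.append(Hit(client, url, reason))
    return hits


def scan_hash_events(events):
    """Return (host, path) for every event whose MD5 is a listed beacon hash."""
    return [(e["host"], e["path"]) for e in events if e["md5"].lower() in IOC_MD5]


if __name__ == "__main__":
    for h in scan_egress_log(SAMPLE_EGRESS_LOG):
        print(f"{h.client} -> {h.url} [{h.reason}]")
    for host, path in scan_hash_events(SAMPLE_HASH_EVENTS):
        print(f"{host}: known beacon hash at {path}")
```

Because the report's C2 traffic runs over HTTP/HTTPS, the same classify_url check can be applied to any proxy or web-gateway log that records the full request URL; for TLS traffic where only the SNI or destination IP is logged, the IP and domain branches still apply while the path branch cannot fire.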

Read more: https://asec.ahnlab.com/en/59110/