Apache Applications Targeted by Stealthy Attacker

MITRE Techniques

• [T1190] Exploit Public-Facing Application – The attackers exploited a misconfiguration in Hadoop YARN ResourceManager, allowing unauthenticated users to create and run applications. [‘The YARN permits unauthenticated users to create and run applications.’]
• [T1059.004] Command and Scripting Interpreter: Unix Shell – The attacker executed arbitrary code via specially crafted HTTP requests to launch the new application. [‘requesting to launch the new application with the attacker’s command’]
• [T1053.003] Scheduled Task/Job: Cron – The threat actor deletes cron jobs and creates a cron job to establish persistence. [‘deleting all cron jobs and creating a cron job to establish persistence’]
• [T1027.002] Obfuscated Files or Information: Software Packing – The main payload ‘dca’ is packed with a BGP packer to obfuscate. [‘using BGP packer to pack and obfuscat the main payload the ‘dca’ ELF binary’]
• [T1027.008] Obfuscated Files or Information: Stripped Payloads – The ‘dca’ binary has symbols/strings removed to hinder analysis. [‘dca ELF binary symbols and strings were removed to make the analysis more difficult’]
• [T1027.009] Obfuscated Files or Information: Embedded Payloads – The Monero miner is embedded within the ‘dca’ ELF binary. [‘The Monero cryptominer is embedded withing the ‘dca’ ELF binary’]
• [T1222.002] File and Directory Permissions Modification – The attacker modifies permissions to execute the payload. [‘Linux File and Directory Permission Modification’]
• [T1014] Rootkit – The threat actor uses two Processhider rootkits to hide the cryptominer and shell commands. [‘Rootkit (T1014)’]
• [T1082] System Information Discovery – The attackers perform vCore and memory discovery during initial access. [‘conducting a vCore (virtual CPU cores) and memory discovery’]
• [T1496] Resource Hijacking – The Monero cryptominer deployment indicates cryptocurrency mining at the expense of resources. [‘Resource Hijacking (T1496)’]