Hackers Attacking Apache Web Servers to Install Coinminers

A recently discovered attack campaign installs the XMRig coinminer on Windows web servers running Apache. The threat actors used Cobalt Strike, a tool also employed in APT and ransomware attacks, as the means of taking control of the internal systems.

AhnLab stated that these threat actors leverage web services that support Windows environments, including Internet Information Services (IIS), Apache, Apache Tomcat, and Nginx. 


Apache Web Server Targeted Attacks

The targeted systems were running old versions of the Apache web server and had PHP installed. Some logs indicated that PHP web shell malware had been installed.


The httpd.exe process, which runs the Apache web server, was the primary target: the threat actors installed web shells on it or exploited vulnerabilities in it. It was then this httpd.exe process that performed malicious behaviour such as creating and running malware.

Suspicious files being created in an Apache web server (Source: AhnLab)

Cobalt Strike Usage

The Cobalt Strike beacon was used in both stager and stageless forms. In the stager method, a small downloader malware fetches the beacon from an external source and executes it in memory; the downloader itself is small, but the extra download step is required before the beacon runs.

In the stageless method, the beacon is embedded in the malware itself, which therefore has a file size above a certain limit. The malware strains were obfuscated to evade detection, including by being packaged with Golang or PyInstaller.

The beacons communicate with the C2 server over HTTP, HTTPS, and DNS. During lateral movement, SMB beacons on newly reached hosts communicate with the already-installed beacon to receive further instructions.

Stager malware downloading (Source: AhnLab)

Additional Malware Installation

During the installation of Cobalt Strike there was also an attempt to install Gh0st RAT, a backup method in case the Cobalt Strike installation was blocked by security products. Once control over the affected systems was established, a coinminer that mines Monero was installed.

However, apart from the installation of the remote control malware and the coinminer, no logs of actual crypto mining activity were found.

A complete report about this crypto mining activity has been published, which provides detailed information about the source code, malware used, methods, and other information.

Administrators are advised to check their web servers for file upload vulnerabilities and patch them to prevent the initial infiltration. In addition, a password change policy and access control measures should be implemented to counter lateral movement that relies on stolen account credentials.

Indicators of Compromise

File Detection
– Backdoor/Win.CobaltStrike.C5538818 (2023.11.08.00)
– Trojan/Win.Generic.R605627 (2023.09.15.01)
– Malware/Win64.RL_Backdoor.R363496 (2021.01.18.05)
– Downloader/Win.CobaltStrike.C5538917 (2023.11.09.01)
– Downloader/Win.CobaltStrike.C5538829 (2023.11.08.00)
– Backdoor/Win.Gh0stRAT.C4976986 (2023.06.04.01)
– Malware/Win32.RL_Generic.R356011 (2020.11.22.01)
– CoinMiner/Win.XMRig.C5539322 (2023.11.09.01)
– WebShell/PHP.Generic.S1912 (2022.09.27.02)
– WebShell/PHP.Small.S1690 (2021.10.26.02)

Behaviour Detection
– InitialAccess/DETECT.Event.M11450
– Connection/EDR.Behavior.M2650

Memory Detection
– Backdoor/Win.CobaltStrike.XM79
– Downloader/Win.CobaltStrike.XM83

Eswar is a cyber security reporter with a passion for creating captivating and informative content. With years of experience in cyber security, he reports on data breaches, privacy, and APT threats.