Hackers Attacking Apache Web Servers to Install Coinminers

An attack campaign that installs XMRig Coinminer on Windows web servers that run on Apache has been discovered recently. The threat actors used the Cobalt Strike tool as a medium to target the internal systems with APT and ransomware.

AhnLab stated that these threat actors leverage web services that support Windows environments, including Internet Information Services (IIS), Apache, Apache Tomcat, and Nginx. 

Apache Web Server Targeted Attacks

The targeted systems were running old versions of the Apache web server and had PHP installed. Some logs indicated PHP web shell malware strains installed. 

Free Webinar

Live API Attack Simulation Webinar

In the upcoming webinar, Karthik Krishnamoorthy, CTO and Vivek Gopalan, VP of Products at Indusface demonstrate how APIs could be hacked. The session will cover: an exploit of OWASP API Top 10 vulnerability, a brute force account take-over (ATO) attack on API, a DDoS attack on an API, how a WAAP could bolster security over an API gateway

The httpd.exe process, which runs the Apache web server, was the primary target for threat actors to install web shells or exploit vulnerabilities. This httpd.exe process also performs malicious behaviors like creating and running malware.

Suspicious files being created in an Apache web server (Source: AhnLab)
Suspicious files being created in an Apache web server (Source: AhnLab)

Cobalt Strike Usage

The Cobalt Strike beacon was used in both stager and stageless attacks. The stager method uses a downloader malware that downloads a beacon from an external source and executes it in the memory area, which is small but requires additional steps for beacon download.

The stageless method contains the beacon embedded and has a large file size of over a certain limit. The malware strains were obfuscated to evade detection by even using Golang or PyInstaller. 

In addition to this, the beacons also communicate with the C2 server through http, https, and DNS. During the lateral movement, the SMB beacons communicate with the installed beacon for further instructions.

Stager malware downloading (Source: AhnLab)
Stager malware downloading (Source: AhnLab)

Additional Malware Installation

There was an attempt to install Gh0st RAT during the installation of the Cobalt Strike, an added backup method in case the Cobalt Strike installation failed due to security products. Once control over the affected systems has been established, a Coinminer, which mines Monero coins, is installed.

However, no logs of mining crypto coins were detected other than the installation of remote control malware and Coinminer.

A complete report about this crypto mining activity has been published, which provides detailed information about the source code, malware used, methods, and other information.

Administrators are recommended to mandatorily check for file upload vulnerabilities on web servers and patch them to prevent initial infiltration. Additionally, a password change policy and access control measures must be implemented to respond to lateral movement attacks using stolen account credentials.

Indicators of Compromise

File Detection
– Backdoor/Win.CobaltStrike.C5538818 (2023.11.08.00)
– Trojan/Win.Generic.R605627 (2023.09.15.01)
– Malware/Win64.RL_Backdoor.R363496 (2021.01.18.05)
– Downloader/Win.CobaltStrike.C5538917 (2023.11.09.01)
– Downloader/Win.CobaltStrike.C5538829 (2023.11.08.00)
– Backdoor/Win.Gh0stRAT.C4976986 (2023.06.04.01)
– Malware/Win32.RL_Generic.R356011 (2020.11.22.01)
– CoinMiner/Win.XMRig.C5539322 (2023.11.09.01)
– WebShell/PHP.Generic.S1912 (2022.09.27.02)
– WebShell/PHP.Small.S1690 (2021.10.26.02)

Behaviour Detection
– InitialAccess/DETECT.Event.M11450
– Connection/EDR.Behavior.M2650

Memory Detection
– Backdoor/Win.CobaltStrike.XM79
– Downloader/Win.CobaltStrike.XM83

– 719253ddd9c49a5599b4c8582703c2fa: CobaltStrike Beacon (3JONXp.exe)
– 594365ee18025eb9c518bb266b64f3d2: CobaltStrike Beacon (3JONXp-Signed.exe)
– d4015f101a53555f6016f2f52cc203c3: CobaltStrike Beacon (256.exe)
– 1842271f3dbb1c73701d8c6ebb3f8638: CobaltStrike Beacon (256-Signed.exe)
– 36064bd60be19bdd4e4d1a4a60951c5f: CobaltStrike Stager (test.exe)
– 5949d13548291566efff20f03b10455c: CobaltStrike Stager (artifact_x64.exe)
– c9e9ef2c2e465d3a5e1bfbd2f32ce5cd: CobaltStrike Stager (artifact_x64-signed.vmp.exe)
– 85e191a1fff9f6d09fb46807fd2dea37: Gh0st RAT (1.exe)
– b269dd0b89d404d5ad20851e0d5c322e: Gh0st RAT (server.exe)
– 205c12fabb38b13c42b947e80dc3d53a: XMRig (svchost.exe)
– 6b837fafaa1fbc2a4ddb35a748f4c11e: PHP WebShell (helper.php)
– f9d6a75875991086e1fb5985fc239df3: PHP WebShell (s.php)

– hxxp://121.135.44[.]49:808/ptj: CobaltStrike Beacon
– hxxp://121.135.44[.]49:808/updates.rss: CobaltStrike Beacon
– hxxp://121.135.44[.]49:808/ga.js: CobaltStrike Beacon
– 202.30.19[.]218:521: Gh0st RAT
– gd.one188[.]one:520: Gh0st RAT

Download URLs
– hxxp://121.135.44[.]49:808/a4vR: CobaltStrike Stager
– hxxp://www.beita[.]site/api/2:2053: CobaltStrike Stager

Experience how StorageGuard eliminates the security blind spots in your storage systems by trying a 14-day free trial.

Eswar is a Cyber security reporter with a passion for creating captivating and informative content. With years of experience under his belt in Cyber Security, he is reporting data breach, Privacy and APT Threats.