zoMiner Malware Spreads Thanks to Unpatched Elasticsearch and Jenkins Servers
zoMiner is a malicious mining family that became active last year and have been publicly analyzed by the Tencent Security Team. zoMiner was initially active when it exploited the Weblogic unauthorized remote command execution vulnerability for propagation.
The malware uses exploits targeting an Elasticsearch RCE vulnerability. CVE-2015-1427, and an older RCE impacting Jenkins server to compromise a server. It then downloads a malicious shell script to stop any competitive miners. Next, it sets up a cron job to periodically download and execute malicious scripts on Pastebin. Researchers said these scripts currently only have one exit command but couldn’t rule out the possibility that more malicious commands could be added in the future.
It then downloads and executes its mining software from three URLs containing a mining config file, an XMRig miner, and a miner starter shell script. According to researchers, it’s mined over 22 XMRs valued at $4,600 so far, but cyber criminals often use many wallets, so the overall figure could be much higher.
Researchers recommended Elasticsearch and Jenkins users check their installations and update them to patch these exploits as soon as possible. They also recommended that organizations check Elasticsearch and Jenkins for abnormal processes and network connections and monitor and block relevant IP and URLs.
IOCs
- C&C
- 27.1.1.34:8080
- 178.62.202.152:8080
- URL
- hxxp://27.1.1.34:8080/docs/conf.txt
- hxxps://pastebin.com/raw/4rb51qKW
- hxxps://pastebin.com/raw/bwD1BCXt
- hxxp://27.1.1.34:8080/docs/config.json
- hxxp://178.62.202.152:8080/Wuck/java.exe
- hxxp://178.62.202.152:8080/Wuck/xmrig.exe
- hxxp://27.1.1.34:8080/docs/solr.sh
- MD5
- 84417ff134484bb8ce4ff567574beaa5
- c1dcc75d729e31833892cb649f450568
- adb190c4e90cc61ca266cfda355826df
- d833fc2ced5d0791a404ced14ecf4e20
- 26a91e9a94c7f8d966de1541095a3d92
- 373b018bef17e04d8ff29472390403f9