AhnLab Security Emergency response Center (ASEC) is monitoring attacks against vulnerable web servers that have unpatched vulnerabilities or are being poorly managed. Because web servers are externally exposed for the purpose of providing web services to all available users, these become major attack targets for threat actors.
Major examples of web services that support Windows environments include Internet Information Services (IIS), Apache, Apache Tomcat, and Nginx. While the Apache web service is usually used in Linux environments, there are some cases where it is used to provide services in Windows environments since it supports Windows as well.
Recently, ASEC identified an attack campaign where the XMRig CoinMiner is installed on Windows web servers running Apache. The threat actor used Cobalt Strike to control the infected system. Cobalt Strike is a commercial penetration testing tool, and it is recently being used as a medium to dominate the internal system in the majority of attacks including APT and ransomware.
Figure 1. Cobalt Strike being installed by an Apache web service (httpd.exe)
- Attack Targeting Apache Web Servers
Targeted systems were all environments with old versions of the Apache web service and PHP installed. While the specific method of attack has not been identified, it is likely that various vulnerability attacks would have been possible against unpatched Apache web servers. There were also logs of PHP web shell malware strains having been installed.
Figure 2. PHP web shell malware strains used in the attacks
The threat actor uploaded and executed the malware through the installed web shell or through vulnerability attacks. The attack target is the httpd.exe process which is the Apache web server. Accordingly, httpd.exe performs malicious behaviors such as creating and running malware.
Note that behaviors such as creating files for web service processes and executing processes are not always used for malicious purposes. These can occur during legitimate update processes or while an administrator is processing tasks for web server management. As such, there is a limit to anti-malware products such as V3 to perfectly block such behaviors.
AhnLab EDR (Endpoint Detection and Response) is the only next-generation threat detection and response solution based on behavior-based engine that exists in South Korea. It provides powerful threat monitoring, analysis, and response capabilities for endpoint areas. AhnLab EDR constantly collects information on suspicious behaviors by type and allows users to accurately recognize threats in detection, analysis, and response perspectives. Through this process, a comprehensive analysis can be performed to identify causes, make adequate responses, and establish preventative processes.
The following is a screen showing the EDR detection of the threat actor attacking an Apache web service and installing Cobalt Strike. Traces show httpd.exe, the Apache web server process, executing Cobalt Strike.
Figure 3. Traces of suspicious files being created in an Apache web server (EDR)
Figure 4. Traces of suspicious files being executed in an Apache web server (EDR)
- Cobalt Strike Used in Attacks
A beacon is the Cobalt Strike’s agent that acts as a backdoor. Cobalt Strike provides beacons in various forms. Depending on the method, they can be categorized as either stager or stageless.
The stager method uses a downloader malware that downloads a beacon from an external source and executes it in the memory area. Because this method does not actually contain the beacon, it has a small size and requires an additional step for downloading the beacon. On the other hand, Cobalt Strike created with the stageless method contains a beacon within and has a file size above a certain threshold.
Figure 5. Stager malware downloading an encrypted beacon
To evade file detection, the threat actor obfuscated the malware strains used, even using Golang or PyInstaller. Most malware strains used in the attacks use the stageless method. However, malware developed with PyInstaller is a downloader malware that uses the stager method (downloads Cobalt Strike and executes it in the memory area).
Figure 6. Obfuscated Cobalt Strike malware strains
Beacons can also communicate with the C&C server via protocols such as http, https, and dns. As the beacon installed in the internal network during the lateral movement stage will not be connected with the external network, an SMB beacon that communicates via the SMB protocol is used. Because the Cobalt Strike instances used in the attacks were all used for the purpose of controlling the infected system after initial penetration, they used the HTTP protocol for communicating with the C&C server. The following is a result of using CobaltStrikeParser on an instance of Cobalt Strike used in the attack to extract the configuration data [1]. Various settings can be seen, including not only the C&C server address but also user-agent and the target process for injection.
Figure 7. Cobalt Strike settings data
The Cobalt Strike instances used in the attacks have various appearances such as Go and PyInstaller, but in all cases, the same IP address was used for the C&C server. AhnLab has been detecting the C&C address used in Cobalt Strike attacks from the past as a malicious URL, which can be also checked in AhnLab EDR. The following is evidential data of detecting the behavior of connecting to a malicious URL as a threat. It shows the information on the malicious URL address and the process that connected to said URL, as well as the transmitted payload data.
Figure 8. Connecting to Cobalt Strike’s malicious URL (EDR)
- Installing Additional Malware
After attempting to install Cobalt Strike, there was an attempt to additionally install Gh0st RAT. This was probably done because Cobalt Strike did not run correctly due to security products. When control over the infected system is obtained through these attempts, a CoinMiner that mines Monero coins was ultimately installed.
Figure 9. XMRig communications packet
As no logs were identified other than those of installing the remote control malware and CoinMiner, it is deemed that the ultimate goal of the threat actor is to use the resources of poorly-managed web servers to mine Monero coins and raise a profit.
- Conclusion
Recently, attacks involving Cobalt Strike being installed on Windows servers with Apache web service have been identified. Seeing from the logs, it can be inferred that the threat actor attacked poorly managed web servers or those with unpatched vulnerabilities.
Cobalt Strike is a commercial penetration testing tool, and it is recently being used as a medium to dominate the internal system in the majority of attacks including APT and ransomware. AhnLab products are equipped with a process memory-based detection method and behavior-based detection feature that can counter the beacon backdoor which is used from the Cobalt Strike’s initial invasion stage to spread internally.
Figure 10. Memory detection log for Cobalt Strike
Administrators must check for the file upload vulnerability in web servers to prevent the initial infiltration path of web shell uploads in advance. Furthermore, the password must be changed periodically and access control measures must be put in place to respond to lateral movement attacks using stolen account credentials. Also, V3 should be updated to the latest version so that malware infection can be prevented.
File Detection
– Backdoor/Win.CobaltStrike.C5538818 (2023.11.08.00)
– Trojan/Win.Generic.R605627 (2023.09.15.01)
– Malware/Win64.RL_Backdoor.R363496 (2021.01.18.05)
– Downloader/Win.CobaltStrike.C5538917 (2023.11.09.01)
– Downloader/Win.CobaltStrike.C5538829 (2023.11.08.00)
– Backdoor/Win.Gh0stRAT.C4976986 (2023.06.04.01)
– Malware/Win32.RL_Generic.R356011 (2020.11.22.01)
– CoinMiner/Win.XMRig.C5539322 (2023.11.09.01)
– WebShell/PHP.Generic.S1912 (2022.09.27.02)
– WebShell/PHP.Small.S1690 (2021.10.26.02)
Behavior Detection
– InitialAccess/DETECT.Event.M11450
– Connection/EDR.Behavior.M2650
Memory Detection
– Backdoor/Win.CobaltStrike.XM79
– Downloader/Win.CobaltStrike.XM83
IOC
MD5
– 719253ddd9c49a5599b4c8582703c2fa: CobaltStrike Beacon (3JONXp.exe)
– 594365ee18025eb9c518bb266b64f3d2: CobaltStrike Beacon (3JONXp-Signed.exe)
– d4015f101a53555f6016f2f52cc203c3: CobaltStrike Beacon (256.exe)
– 1842271f3dbb1c73701d8c6ebb3f8638: CobaltStrike Beacon (256-Signed.exe)
– 36064bd60be19bdd4e4d1a4a60951c5f: CobaltStrike Stager (test.exe)
– 5949d13548291566efff20f03b10455c: CobaltStrike Stager (artifact_x64.exe)
– c9e9ef2c2e465d3a5e1bfbd2f32ce5cd: CobaltStrike Stager (artifact_x64-signed.vmp.exe)
– 85e191a1fff9f6d09fb46807fd2dea37: Gh0st RAT (1.exe)
– b269dd0b89d404d5ad20851e0d5c322e: Gh0st RAT (server.exe)
– 205c12fabb38b13c42b947e80dc3d53a: XMRig (svchost.exe)
– 6b837fafaa1fbc2a4ddb35a748f4c11e: PHP WebShell (helper.php)
– f9d6a75875991086e1fb5985fc239df3: PHP WebShell (s.php)
C&C URLs
– hxxp://121.135.44[.]49:808/ptj: CobaltStrike Beacon
– hxxp://121.135.44[.]49:808/updates.rss: CobaltStrike Beacon
– hxxp://121.135.44[.]49:808/ga.js: CobaltStrike Beacon
– 202.30.19[.]218:521: Gh0st RAT
– gd.one188[.]one:520: Gh0st RAT
Download URLs
– hxxp://121.135.44[.]49:808/a4vR: CobaltStrike Stager
– hxxp://www.beita[.]site/api/2:2053: CobaltStrike Stager
AhnLab EDR protects the endpoint environment by delivering behavioral detection, advanced analysis, holistic visibility, and proactive threat hunting. For more information about the product, please visit our official website.
The post Cryptojacking Attack Campaign Against Apache Web Servers Using Cobalt Strike appeared first on ASEC BLOG.
Article Link: https://asec.ahnlab.com/en/59110/