Hackers Attacking Apache Web Servers to Install Coinminers
An attack campaign that installs the XMRig coinminer on Windows web servers running Apache has recently been discovered. The threat actors used Cobalt Strike, a tool also commonly seen in APT and ransomware intrusions, as the means of attacking the internal systems.
AhnLab reported that these threat actors target web services that run in Windows environments, including Internet Information Services (IIS), Apache, Apache Tomcat, and Nginx.
Apache Net Server Targeted Attacks
The targeted systems were running old versions of the Apache web server with PHP installed. Some logs showed that PHP web shell malware strains had been installed.
The httpd.exe process, which runs the Apache web server, was the main target for the threat actors when installing web shells or exploiting vulnerabilities. Because web shell commands execute inside it, the httpd.exe process itself is the one that shows malicious behaviour such as creating and running malware.
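The practical consequence of the paragraph above is that a web worker process is the parent (or grandparent) of everything the web shell runs, so the process tree is the place to look. The script below is an added example for this article, not AhnLab's or the attackers' code. It walks a set of constructed Sysmon-style process-creation events (field names Image, ParentImage, ProcessId, ParentProcessId are assumptions about the log format) and flags three things: an interpreter or LOLBin descending from a web worker, a payload launched from a writable directory under a web worker, and a system binary name such as svchost.exe (the name the campaign's XMRig used) running outside the system directories.

```python
"""Flag suspicious descendants of web-server worker processes.

Added example for this article, not code from AhnLab or the campaign.
SAMPLE_EVENTS are constructed; the field names mimic Sysmon EventID 1.
"""
import ntpath

# Workers that serve web requests; a web shell executes inside one of these,
# so anything they spawn is attacker-controlled input turned into a process.
WEB_WORKERS = {"httpd.exe", "php-cgi.exe", "w3wp.exe", "tomcat9.exe", "nginx.exe"}

# Interpreters and LOLBins a web worker never needs in normal operation.
LOLBINS = {"cmd.exe", "powershell.exe", "pwsh.exe", "certutil.exe", "bitsadmin.exe",
           "rundll32.exe", "mshta.exe", "regsvr32.exe", "wscript.exe", "cscript.exe"}

# Directories from which a freshly dropped payload is typically launched.
WRITABLE_DIRS = ("\\temp\\", "\\tmp\\", "\\htdocs\\", "\\wwwroot\\", "\\uploads\\",
                 "\\programdata\\", "\\users\\public\\")

# Names that must only ever run from the Windows system directories.
SYSTEM_NAMES = {"svchost.exe", "lsass.exe", "csrss.exe", "winlogon.exe"}
SYSTEM_DIRS = ("c:\\windows\\system32\\", "c:\\windows\\syswow64\\")

# Constructed events: services.exe -> httpd.exe -> cmd.exe -> powershell.exe
# -> test.exe (in htdocs\uploads) -> svchost.exe (in ProgramData).
SAMPLE_EVENTS = [
    dict(ProcessId=800, ParentProcessId=600, Image=r"C:\Windows\System32\svchost.exe",
         ParentImage=r"C:\Windows\System32\services.exe"),
    dict(ProcessId=1200, ParentProcessId=600, Image=r"C:\Apache24\bin\httpd.exe",
         ParentImage=r"C:\Windows\System32\services.exe"),
    dict(ProcessId=1300, ParentProcessId=1200, Image=r"C:\Windows\System32\cmd.exe",
         ParentImage=r"C:\Apache24\bin\httpd.exe"),
    dict(ProcessId=1400, ParentProcessId=1300,
         Image=r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
         ParentImage=r"C:\Windows\System32\cmd.exe"),
    dict(ProcessId=1500, ParentProcessId=1400, Image=r"C:\Apache24\htdocs\uploads\test.exe",
         ParentImage=r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"),
    dict(ProcessId=1600, ParentProcessId=1500, Image=r"C:\ProgramData\svchost.exe",
         ParentImage=r"C:\Apache24\htdocs\uploads\test.exe"),
]


def lineage(ev, by_pid, depth=4):
    """Return [parent, grandparent, ...] image names, as far as the events allow."""
    names = [ntpath.basename(ev["ParentImage"].lower())]
    parent = by_pid.get(ev["ParentProcessId"])
    while parent and depth:
        grand = by_pid.get(parent["ParentProcessId"])
        if grand:
            names.append(ntpath.basename(grand["Image"].lower()))
        parent = grand
        depth -= 1
    return names


def score_event(ev, by_pid):
    """Return the list of reasons this process creation looks malicious."""
    reasons = []
    image = ev["Image"].lower()
    name = ntpath.basename(image)
    chain = lineage(ev, by_pid)
    web_ancestor = next((a for a in chain if a in WEB_WORKERS), None)
    if web_ancestor:
        if name in LOLBINS:
            reasons.append(f"{name} descends from web worker {web_ancestor}")
        if any(d in image for d in WRITABLE_DIRS):
            reasons.append(f"{name} launched from a writable directory under {web_ancestor}")
    # Name masquerade is checked regardless of lineage.
    if name in SYSTEM_NAMES and not image.startswith(SYSTEM_DIRS):
        reasons.append(f"{name} running outside the system directories")
    return reasons


def triage(events):
    """Return one finding per suspicious event, in log order."""
    by_pid = {ev["ProcessId"]: ev for ev in events}
    findings = []
    for ev in events:
        reasons = score_event(ev, by_pid)
        if reasons:
            findings.append({"pid": ev["ProcessId"], "image": ev["Image"], "reasons": reasons})
    return findings


if __name__ == "__main__":
    for f in triage(SAMPLE_EVENTS):
        print(f["pid"], f["image"], "|", "; ".join(f["reasons"]))
```

Both httpd.exe itself and the legitimate svchost.exe in System32 pass untouched; the four processes below the web worker are flagged, the last one twice (writable directory and masquerade). On a real host the same logic applies to Sysmon EventID 1 or EDR process telemetry, with the lineage walk covering the common cmd.exe hop between the worker and the real payload.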
Cobalt Strike Utilization
The Cobalt Strike beacon was used in both stager and stageless form. The stager method uses a downloader malware that fetches the beacon from an external source and executes it in memory; the downloader is small, but it needs the extra step of retrieving the beacon.
The stageless method has the beacon embedded in the file, so the file is correspondingly large. The malware strains were obfuscated to evade detection, in some cases by being built with Golang or packed with PyInstaller.
In addition, the beacons communicate with the C2 server over HTTP, HTTPS, and DNS. During lateral movement, SMB beacons communicate with the already installed beacon to receive further commands.
Extra Malware Installation
There was also an attempt to install Gh0st RAT alongside Cobalt Strike, as a fallback in case the Cobalt Strike installation failed because of security products. Once control over the affected systems was established, a coinminer that mines Monero was installed.
However, apart from the installation of the remote control malware and the coinminer, no logs of actual crypto mining were found.
A full report on this crypto mining activity has been published, giving detailed information about the source code, the malware used, the techniques, and other data.
Administrators are advised to check their web servers for file upload vulnerabilities and patch them to prevent initial infiltration. In addition, a password change policy and access control measures should be implemented to counter lateral movement attacks that use stolen account credentials.
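Besides closing the upload hole, an administrator who reads that PHP web shells were found in the logs will want to find any that are already on disk. The scanner below is an added example written for this article, not AhnLab's tooling or the attackers' files; the sample document root and its file contents are constructed, and the two "web shells" in it are minimal stand-ins, not the campaign's helper.php or s.php. It scores every PHP file on dangerous calls, decode-and-execute patterns and request data flowing into a command, and adds weight for any PHP file sitting in an upload directory, which is where a file-upload exploit puts it.

```python
"""Hunt for PHP web shells under a document root.

Added example for this article, not AhnLab's or the attackers' code.
SAMPLE_FILES is a constructed document root; UPLOAD_DIRS, the scoring
weights and the threshold are assumptions to tune per site.
"""
import os
import re
import tempfile

DANGEROUS = r"(?:eval|assert|system|exec|shell_exec|passthru|popen|proc_open|pcntl_exec)"
SUPERGLOBAL = r"\$_(?:GET|POST|REQUEST|COOKIE|FILES)"

# (pattern, weight, explanation); request data straight into eval/exec is the
# classic one-liner shell and scores highest on its own.
RULES = [
    (re.compile(r"\b" + DANGEROUS + r"\s*\(\s*" + SUPERGLOBAL), 5, "request data passed directly to eval/exec"),
    (re.compile(r"\b(?:eval|assert)\s*\("), 3, "eval/assert call"),
    (re.compile(r"\b(?:system|exec|shell_exec|passthru|popen|proc_open)\s*\("), 2, "command execution call"),
    (re.compile(r"\b(?:base64_decode|gzinflate|gzuncompress|str_rot13)\s*\("), 2, "decode/inflate of an embedded payload"),
    (re.compile(r"[A-Za-z0-9+/=]{120,}"), 2, "long base64-like blob"),
    (re.compile(r"\bmove_uploaded_file\s*\("), 1, "writes uploaded files"),
]
ASSIGN = re.compile(r"(\$\w+)\s*=\s*" + SUPERGLOBAL)  # $x = $_REQUEST[...]
UPLOAD_DIRS = {"uploads", "upload", "tmp", "temp", "files", "images"}
PHP_EXT = (".php", ".phtml", ".php5", ".phar")

# Constructed document root: two benign files, one legitimate admin tool that
# runs a fixed command, an image, and two minimal web-shell stand-ins.
SAMPLE_FILES = {
    "index.php": "<?php require 'config.php'; echo 'ok'; ?>\n",
    "lib/db.php": "<?php $db = new mysqli($host, $user, $pass); ?>\n",
    "admin/tools.php": "<?php exec('ls -la', $out); print_r($out); ?>\n",
    "uploads/avatar.jpg": "not a php file\n",
    "uploads/s.php": "<?php @eval($_POST['pass']); ?>\n",
    "uploads/helper.php": "<?php $c = base64_decode('c3lzdGVt'); $f = $_REQUEST['f']; passthru($f); ?>\n",
}


def score_php(text):
    """Return (score, [reasons]) for one PHP source text."""
    score, hits = 0, []
    for rx, weight, why in RULES:
        if rx.search(text):
            score += weight
            hits.append(why)
    # Lightweight taint check: a variable assigned from a superglobal that
    # later appears inside a dangerous call.
    for var in set(ASSIGN.findall(text)):
        if re.search(r"\b" + DANGEROUS + r"\s*\([^)]*" + re.escape(var) + r"\b", text):
            score += 4
            hits.append(f"request data in {var} reaches eval/exec")
            break
    return score, hits


def hunt(root, threshold=4):
    """Scan root for PHP files and return [(relpath, score, reasons)] above threshold."""
    findings = []
    for dirpath, _, files in os.walk(root):
        for fn in files:
            if not fn.lower().endswith(PHP_EXT):
                continue
            path = os.path.join(dirpath, fn)
            rel = os.path.relpath(path, root).replace(os.sep, "/")
            with open(path, encoding="utf-8", errors="ignore") as fh:
                score, hits = score_php(fh.read())
            if {p.lower() for p in rel.split("/")[:-1]} & UPLOAD_DIRS:
                score += 3
                hits.append("PHP file inside an upload directory")
            if score >= threshold:
                findings.append((rel, score, hits))
    return sorted(findings, key=lambda f: -f[1])


def build_sample_root():
    """Write SAMPLE_FILES into a fresh temp directory and return its path."""
    root = tempfile.mkdtemp(prefix="docroot-")
    for rel, body in SAMPLE_FILES.items():
        path = os.path.join(root, *rel.split("/"))
        os.makedirs(os.path.dirname(path), exist_ok=True)
        with open(path, "w", encoding="utf-8") as fh:
            fh.write(body)
    return root


if __name__ == "__main__":
    for rel, score, hits in hunt(build_sample_root()):
        print(f"{score:3d} {rel}: {'; '.join(hits)}")
```

The admin tool that calls exec() with a fixed string scores 2 and stays below the threshold; the two files in uploads/ score 11 each, because the upload-directory bonus stacks with the eval-of-request and tainted-variable rules. A PHP file in an upload directory is worth investigating even at score 3, which is the argument for pairing this scan with a web server configuration that refuses to execute scripts from upload paths at all.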
Indicators of Compromise
File Detection
– Backdoor/Win.CobaltStrike.C5538818 (2023.11.08.00)
– Trojan/Win.Generic.R605627 (2023.09.15.01)
– Malware/Win64.RL_Backdoor.R363496 (2021.01.18.05)
– Downloader/Win.CobaltStrike.C5538917 (2023.11.09.01)
– Downloader/Win.CobaltStrike.C5538829 (2023.11.08.00)
– Backdoor/Win.Gh0stRAT.C4976986 (2023.06.04.01)
– Malware/Win32.RL_Generic.R356011 (2020.11.22.01)
– CoinMiner/Win.XMRig.C5539322 (2023.11.09.01)
– WebShell/PHP.Generic.S1912 (2022.09.27.02)
– WebShell/PHP.Small.S1690 (2021.10.26.02)
Behaviour Detection
– InitialAccess/DETECT.Event.M11450
– Connection/EDR.Behavior.M2650
Memory Detection
– Backdoor/Win.CobaltStrike.XM79
– Downloader/Win.CobaltStrike.XM83
MD5
– 719253ddd9c49a5599b4c8582703c2fa: CobaltStrike Beacon (3JONXp.exe)
– 594365ee18025eb9c518bb266b64f3d2: CobaltStrike Beacon (3JONXp-Signed.exe)
– d4015f101a53555f6016f2f52cc203c3: CobaltStrike Beacon (256.exe)
– 1842271f3dbb1c73701d8c6ebb3f8638: CobaltStrike Beacon (256-Signed.exe)
– 36064bd60be19bdd4e4d1a4a60951c5f: CobaltStrike Stager (test.exe)
– 5949d13548291566efff20f03b10455c: CobaltStrike Stager (artifact_x64.exe)
– c9e9ef2c2e465d3a5e1bfbd2f32ce5cd: CobaltStrike Stager (artifact_x64-signed.vmp.exe)
– 85e191a1fff9f6d09fb46807fd2dea37: Gh0st RAT (1.exe)
– b269dd0b89d404d5ad20851e0d5c322e: Gh0st RAT (server.exe)
– 205c12fabb38b13c42b947e80dc3d53a: XMRig (svchost.exe)
– 6b837fafaa1fbc2a4ddb35a748f4c11e: PHP WebShell (helper.php)
– f9d6a75875991086e1fb5985fc239df3: PHP WebShell (s.php)
C&C URLs
– hxxp://121.135.44[.]49:808/ptj: CobaltStrike Beacon
– hxxp://121.135.44[.]49:808/updates.rss: CobaltStrike Beacon
– hxxp://121.135.44[.]49:808/ga.js: CobaltStrike Beacon
– 202.30.19[.]218:521: Gh0st RAT
– gd.one188[.]one:520: Gh0st RAT
Download URLs
– hxxp://121.135.44[.]49:808/a4vR: CobaltStrike Stager
– hxxp://www.beita[.]site/api/2:2053: CobaltStrike Stager
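The network indicators above are defanged (hxxp, [.]) so they cannot be clicked; before they can be matched against logs they need to be refanged and reduced to the host part, since the port and path vary between the beacon and stager URLs on the same server. The script below is an added example for this article, not part of AhnLab's report: it refangs the list exactly as printed above, extracts the hosts, and sweeps a set of constructed connection and DNS log lines (the line format is an assumption) for any of them. A small MD5 sweep for the file hashes is included for completeness.

```python
"""Refang the article's network IOCs and sweep logs for them.

Added example for this article, not AhnLab's tooling. DEFANGED is copied from
the IOC list; SAMPLE_LOG is constructed and its format is an assumption.
"""
import hashlib
import re
from urllib.parse import urlparse

DEFANGED = [
    "hxxp://121.135.44[.]49:808/ptj",
    "hxxp://121.135.44[.]49:808/updates.rss",
    "hxxp://121.135.44[.]49:808/ga.js",
    "202.30.19[.]218:521",
    "gd.one188[.]one:520",
    "hxxp://121.135.44[.]49:808/a4vR",
    "hxxp://www.beita[.]site/api/2:2053",
]

# File hashes from the list above, keyed for a quick lookup.
MD5_IOCS = {
    "205c12fabb38b13c42b947e80dc3d53a": "XMRig (svchost.exe)",
    "85e191a1fff9f6d09fb46807fd2dea37": "Gh0st RAT (1.exe)",
    "b269dd0b89d404d5ad20851e0d5c322e": "Gh0st RAT (server.exe)",
    "6b837fafaa1fbc2a4ddb35a748f4c11e": "PHP WebShell (helper.php)",
    "f9d6a75875991086e1fb5985fc239df3": "PHP WebShell (s.php)",
}

# Constructed log lines: timestamp, process, src -> dst, proto (or a DNS query).
SAMPLE_LOG = """\
2023-11-09 10:02:11 httpd.exe 10.0.0.5:51234 -> 121.135.44.49:808 TCP
2023-11-09 10:02:12 svchost.exe 10.0.0.5:51235 -> 13.107.4.50:443 TCP
2023-11-09 10:03:40 1.exe 10.0.0.5:51240 -> 202.30.19.218:521 TCP
2023-11-09 10:03:41 dns query gd.one188.one A from 10.0.0.5
2023-11-09 10:04:00 chrome.exe 10.0.0.5:51250 -> www.microsoft.com:443 TCP
""".splitlines()

# IPv4 literal or dotted hostname; IPs are tried first so "10.0.0.5" is one token.
TOKEN = re.compile(r"(?:\d{1,3}\.){3}\d{1,3}|(?:[a-z0-9-]+\.)+[a-z]{2,}", re.I)


def refang(ioc):
    """Undo the common defanging conventions so the string can be parsed."""
    for bad, good in (("hxxp", "http"), ("[.]", "."), ("(.)", "."), ("(dot)", "."), ("[:]", ":")):
        ioc = ioc.replace(bad, good)
    return ioc


def ioc_hosts(defanged):
    """Return the set of lower-case hosts (IP or name) behind the IOC strings."""
    hosts = set()
    for ioc in defanged:
        s = refang(ioc)
        if "://" not in s:
            s = "tcp://" + s  # urlparse only fills netloc when a scheme is present
        host = urlparse(s).hostname
        if host:
            hosts.add(host.lower())
    return hosts


def sweep(lines, hosts):
    """Return [(line_no, [matched hosts], line)] for every line touching an IOC host."""
    hits = []
    for n, line in enumerate(lines, 1):
        seen = {t.lower() for t in TOKEN.findall(line)}
        matched = seen & hosts
        if matched:
            hits.append((n, sorted(matched), line.strip()))
    return hits


def md5_sweep(paths):
    """Return [(path, label)] for files whose MD5 is in MD5_IOCS; unreadable paths are skipped."""
    found = []
    for path in paths:
        try:
            with open(path, "rb") as fh:
                digest = hashlib.md5(fh.read()).hexdigest()
        except OSError:
            continue
        if digest in MD5_IOCS:
            found.append((path, MD5_IOCS[digest]))
    return found


if __name__ == "__main__":
    hosts = ioc_hosts(DEFANGED)
    print("watching:", ", ".join(sorted(hosts)))
    for n, matched, line in sweep(SAMPLE_LOG, hosts):
        print(f"line {n} [{', '.join(matched)}]: {line}")
```

Three of the five constructed lines match: the httpd.exe connection to the beacon C2 on port 808, the Gh0st RAT connection on port 521, and the DNS lookup of gd.one188[.]one. Matching on the host rather than the full URL is deliberate: a beacon that rotates its URI (the same 121.135.44[.]49 host serves /ptj, /updates.rss, /ga.js and the /a4vR stager) would otherwise slip past an exact-URL filter.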
Source credit : cybersecuritynews.com