# Vulnerabilities Exploited for Monero Mining Malware Delivered via GitHub, Netlify **trendmicro.com/en_us/research/21/l/vulnerabilities-exploited-for-monero-mining-malware-delivered-via-gitHub-** netlify.html December 3, 2021 We looked into exploitation attempts we observed in the wild and the abuse of legitimate platforms Netlify and GitHub as repositories for malware. By: Nitesh Surana December 03, 2021 Read time: ( words) [Earlier this year, a security flaw identified as CVE-2021-41773 was](http://cve.mitre.org/cgi-bin/cvename.cgi?name=2021-41773) [disclosed to Apache](https://httpd.apache.org/security/vulnerabilities_24.html#CVE-2021-41773) HTTP Server Project, a path traversal and remote code execution (RCE) flaw in Apache HTTP Server 2.4.49. If this vulnerability is exploited, it allows attackers to map URLs to files outside the directories configured by Alias-like directives. Under certain configurations where Common Gateway Interface (CGI) scripts are enabled for aliased paths, attackers can also [use it for RCE. As the initial fix was deemed insufficient, a bypass was later reported for the](https://httpd.apache.org/security/vulnerabilities_24.html#CVE-2021-42013) [fix and tracked as CVE-2021-42013.](https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2021-42013) [Official fixes have been rolled out by Apache HTTP Server Project. However, when we](https://httpd.apache.org/download.cgi#:~:text=Apache%20HTTP%20Server%202.4.51) looked at the malicious samples abusing this vulnerability, we found more of these exploits being abused to target different gaps in products and packages for malicious mining of ----- Monero. In this blog, we look into the abuse of GitHub and Netlify repositories and platforms for hosting cryptocurrency-mining tools and scripts. We have already informed GitHub and Netlify of the malicious activities and they have taken down the accounts. Technical details We observed attackers targeting the following package and products via security vulnerabilities disclosed in 2020 and 2021 for malicious cryptocurrency-mining activities through samples caught in our honeypots: [1. Atlassian Confluence (CVE-2021-26084 and](https://cve.mitre.org/cgi-bin/cvename.cgi?name=2021-26084) [CVE-2021-26085)](https://cve.mitre.org/cgi-bin/cvename.cgi?name=2021-26085) [2. F5 BIG-IP (CVE-2020-5902 and](https://cve.mitre.org/cgi-bin/cvename.cgi?name=2020-5902) [CVE-2021-22986)](https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2021-22986) [3. VMware vCenter (CVE-2021-22005,](https://cve.mitre.org/cgi-bin/cvename.cgi?name=2021-22005) [CVE-2021-21985,](https://cve.mitre.org/cgi-bin/cvename.cgi?name=2021-21985) [CVE-2021-21972, and](https://cve.mitre.org/cgi-bin/cvename.cgi?name=2021-21972) CVE2021-21973) [4. Oracle WebLogic Server (CVE-2020-14882,](https://cve.mitre.org/cgi-bin/cvename.cgi?name=2020-14882) [CVE-2020-14750, and](https://cve.mitre.org/cgi-bin/cvename.cgi?name=2020-14750) [CVE-2020-14883)](https://cve.mitre.org/cgi-bin/cvename.cgi?name=2020-14883) [5. Apache HTTP Server (CVE-2021-40438,](https://cve.mitre.org/cgi-bin/cvename.cgi?name=2021-40438) [CVE-2021-41773, and](https://cve.mitre.org/cgi-bin/cvename.cgi?name=2021-41773) [CVE-2021-42013)](https://cve.mitre.org/cgi-bin/cvename.cgi?name=2021-42013) Figure 1. Exploits attempting to abuse servers for malicious cryptocurrency mining from October 19 to November 19, 2021. Data taken from Trend Micro Cloud One™ – Workload Security. We found it interesting that all the products and the particular package have had widely [distributed public](https://github.com/Al1ex/CVE-2021-22986) [proofs of concept for](https://gist.github.com/testanull/5bb925179c4695e51ca400b7370bc252) [pre-auth](https://www.exploit-db.com/exploits/49479) [RCE. Looking at the Monero wallet from one](https://packetstormsecurity.com/files/164013/Confluence-Server-7.12.4-OGNL-Injection-Remote-Code-Execution.html) such mining pool, we saw that the operation is still ongoing and actively accumulating ----- Monero as of this writing. Figure 2. Cryptocurrency-mining pool Services abused: Targeting Windows hosts ----- Figure 3. Infection chain The miner samples we found work on and abuse both Windows and Linux platforms. While the exploits used differ according to the infrastructure targeted, the batch scripts we identified works on both. We saw the usage of Netlify and GitHub as the malware file servers for downloading batch scripts from an attacker-controlled account. The batch script is renamed as a temporary file and deleted after it starts running in the background. The scripts (c3.bat) are a modified version of Monero-mining helper scripts abridged from [GitHub, and these begin checking if the current session has administrative privileges. If the](https://github.com/C3Pool) privilege is of the Administrator, then the ADMIN flags are set. Afterward, the length of the Monero wallet address is calculated. If the length is not 106 or 95 characters, the script exits. If it is 106 or 95, it jumps to “WALLET_LEN_OK” statement. ----- Figure 4. The batch scripts observed are modified versions of helper scripts abridged from GitHub. Figure 5. Checks for administrative privileges and “XMR WALLET” flag to calculate address length The script further conducts a series of checks in the system, such as if the USERPROFILE environment variable is defined, and whether utilities like wmic, powershell, find, findstr, and tasklist are available or not. ----- Figure 6. Checking the system for availability of environment variable and utilities ----- Figure 7. Getting the results for utilities’ availability in the system The wmic utility is used to further enumerate specific parameters in the system, such as the number of processors, maximum clock speed, L2 and L3 cache sizes, and CPU sockets. These values are later used to calculate the Monero mining rate of the Windows host. For different mining rates, different ports are used on the mining pool. ----- Figure 8. Enumerating the system’s parameters to determine cryptocurrency mining rate After identifying the CPU’s computing power, the running c3pool_miner is removed from the host. The zipped miner (c3.zip) is then downloaded from the attacker-controlled GitHub repository and PowerShell is used to unzip the downloaded file. If the unzip attempt fails, 7z is downloaded to extract the zipped file, and both the downloaded files (7za.exe and c3.zip) are deleted after. ----- Figure 9. Removing traces of the downloaded files after extraction The script also goes on to install the latest version of XMRig for Windows from the official repository. After unzipping the downloaded file, the 7z binary and XMRig ZIP files are removed. Once the miner is successfully installed, the config files are modified using PowerShell. Figure 10. Installing the latest XMR version in the system Figure 11. Configuring and modifying the installed miner ----- If the miner is already running (c3.exe), the execution jumps to an ALREADY_RUNNING label. If not, the miner is executed using the “start” command in the IDLE priority class. If the current user has administrative privileges, then execution jumps to the label ADMIN_MINER_SETUP. If not, persistence is added by modifying the Startup directory with the batch scripts to execute c3pool XMR miner with the configuration file. Figure 12. Configuring the miner’s admin privileges and persistence A service is created from the c3cache_worker using the Non-Sucking Service Manager [(NSSM). NSSM is a service helper program that helps install applications as services, and](https://nssm.cc/) with it a user can specify logging to user-defined files. ----- Figure 13. Using NSSM to constantly run the miner as a background application in the infected system Targeting Linux hosts The shell script starts with an infinite loop to remove all competing cryptominers found in the infected system, such as kinsing, kdevtmpfsi, pty86, and .javae. Figure 14. Removing all the cryptocurrency-mining competitors and their components found in the infected system in a loop ----- After all the competing miners are wiped out, the attribute of /var/spool/cron/root is made immutable and crontab is reloaded. Then, if there are any processes except java, redis, weblogic, mongod, mysql, oracle, tomcat, grep, postgres, confluence, awk, and aux that are raking up more than 60% of CPU usage, they are terminated. Figure 15. Stopping all other processes except those necessary for running a miner in the system A function “func1” (redacted) is called and the loop is reiterated after every 30 seconds. We observed two content delivery networks (CDNs) being used as the FILE_CC_SERVER in GitHub and Netlify. In func1, a process “java.xnk” is checked for and if the CPU usage is above or equal to 60%, the process ID is fetched into a variable “p”. If the variable is empty, then the process is killed and three directories are created, namely: a. /var/tmp/java.xnk b. /var/lock/java.xnk c. /tmp/java.xnk ----- Figure 16. The variable DIR contains the value of the valid TMP directory that was created. Different paths for “wget” and “curl” binaries are checked for and assigned to variable Wget. A file “java.xnk.bionic” is checked in the path “$DIR”. If the file doesn’t exist, the valid Wget command is used to download and copy the file named “bionic” (a Monero miner) and “config.json,” which contains the Monero wallet address. Executable permissions are assigned for the downloaded binary and the binary is executed via nohup. Similarly, the following binaries are downloaded and executed in place of the file “bionic” and repeat the process: ----- 1. focal as java.xnk.focal 2. freebsd as java.xnk.freebsd 3. linuxstatic as java.xnk.linux 4. xenial as java.xnk.xenial 5. xmr-stak as java.xnk.stak Figure 17. Assigning binaries to Wget and executable permissions Conclusion Based on the frequency of attempts on the targeted products and the particular package in the past month, we believe there are more servers that remain unpatched and exposed to these exploits. More importantly, malicious actors will continue targeting these products and package for intrusion based on the availability of the proofs of concept, as well as the higher likelihood that these servers have yet to be patched. Moreover, due to the wide usage of Linux and Windows platforms and the fact that all the miners identified here work on both, illicit cryptocurrency mining makes for a lucrative business with regard to the high volume of systems that can be targeted. The abuse of legitimate platforms such as GitHub and Netlify will continue due to the traffic being encrypted over HTTPS. If the machines targeted have intrusion detection and prevention solutions (IDS/IPS) in place, network artifacts will not contribute for detection. Moreover, IP reputation services will not flag these platforms as malicious because they are legitimate sources of programs and organizations. The CDNs of both platforms also offer ease and convenience in setting up an operation, as well as provide availability and speed — thus also aiding malicious actors with a wide and fast malware infection capability regardless ----- of a victim s location. These two factors in CDNs will likely prompt a development in the [behavior of malicious actors who abuse these platforms for infection, even for routines and](https://threatpost.com/cryptocurrency-mining-malware-hosted-in-amazon-s3-bucket/127643/) attacks unrelated to cryptocurrency mining. From another perspective, the malicious actors targeting these devices can appear almost unsophisticated considering the use of public proofs for attacks. The actors also operate on a regular basis and target as many machines as they can, given that they continue operating and getting cryptocurrency in their respective wallets despite the suspension of their GitHub and Netlify accounts. Trend Micro solutions Enterprises should consider using security solutions such as the Trend Micro Cloud One™ platform, which protects cloud-native systems by securing continuous integration and continuous delivery (CI/CD) pipelines and applications. The platform includes: Workload Security: runtime protection for workloads. Trend Micro Cloud One clients are protected from this threat under these rules: **Intrusion Prevention Rules** 1. 1011171 - Apache HTTP Server Directory Traversal Vulnerability (CVE-2021-41773 and CVE-2021-42013) 2. 1011183 - Apache HTTP Server Server-Side Request Forgery Vulnerability (CVE-2021 40438) 3. 1011117 - Atlassian Confluence Server Remote Code Execution Vulnerability (CVE 2021-26084) 4. 1011177 - Atlassian Confluence Server Arbitrary File Read Vulnerability (CVE-2021 26085) 5. 1010850 - VMware vCenter Server Remote Code Execution Vulnerability (CVE-2021 21972 and CVE-2021-21973) 6. 1010983 - VMware vCenter Server Remote Code Execution Vulnerability (CVE-2021 21985) 7. 1011167 - VMware vCenter Server File Upload Vulnerability (CVE-2021-22005) 8. 1005934 - Identified Suspicious Command Injection Attack 9. 1005933 - Identified Directory Traversal Sequence In Uri Query Parameter 10. 1010388 - F5 BIG-IP TMUI Remote Code Execution Vulnerability (CVE-2020-5902) 11. 1010590 - Oracle WebLogic Server Remote Code Execution Vulnerabilities (CVE 2020-14882, CVE-2020-14750 and CVE-2020-14883) 12. 1011212 - F5 BIG-IP and BIG-IQ iControl REST Authentication Bypass Vulnerability (CVE-2021-22986) **Log Inspection Rules** 1 1003447 – Web Server – Apache ----- **Integrity Monitoring Rules** 1. 1002851 - Application - Apache HTTP Server Network Security: cloud network layer intrusion prevention system (IPS) security. Trend Micro Cloud One clients are protected from this threat under these rules: 1. 1125: HTTP: ../.. Directory Traversal 2. 40260: HTTP: Atlassian Confluence Server and Data Center OGNL Injection Vulnerability 3. 40417: HTTP: Atlassian Confluence Server S Endpoint Information Disclosure Vulnerability 4. 39077: TCP: VMware vSphere Client vropspluginui Code Execution Vulnerability 5. 39923: HTTP: VMware vCenter Server Remote Code Execution Vulnerability 6. 40382: HTTP: VMware vCenter AsyncTelemetryController Arbitrary File Write Vulnerability 7. 40361: HTTP: VMware vCenter Analytics service File Upload 8. 39352: HTTP: F5 BIG-IP iControl REST Interface Login Request 9. 39364: HTTP: F5 BIG-IP bash Suspicious Command Execution Request 10. 39313: HTTP: F5 BIG-IP TMM Buffer Overflow Vulnerability 11. 22087: HTTPS: F5 iControl iCall Script Privilege Escalation Vulnerability 12. 37841: HTTP: F5 BIG-IP TMUI Code Execution Vulnerability 13. 39360: HTTP: F5 BIG-IP iControl REST filePath Command Injection Vulnerability 14. 38380: HTTP: Oracle WebLogic Server Remote Code Execution Vulnerability Indicators of Compromise (IOCs) View the full list of IOCs [here.](https://www.trendmicro.com/content/dam/trendmicro/global/en/research/21/l/vulnerabilities-exploited-for-monero-mining-malware-delivered-via-github-netlify/IOCs-vulnerabilities-exploited-for-monero-mining-malware-delivered-via-github-netlify.txt) -----