Cryptojacking campaign exploiting Apache Struts 2 flaw kills off the competition

Proof-of-concept (PoC) exploits have been quickly adopted to compromise Linux systems.

It has only been two weeks since a critical vulnerability in Apache Struts 2 was revealed to the public, but this hasn't stopped cybercriminals from rapidly adding proof-of-concept (PoC) attack code to their arsenal.

The security flaw, patched by the Apache Software Foundation, is tracked as CVE-2018-11776 was caused due to insufficient validation of untrusted user data in the core Struts framework. If exploited, the bug can lead to remote code execution.

An updated build has been released which protects users from attack.

Those who have not applied the security update, however, may find themselves vulnerable to a new cryptojacking campaign which utilizes the security flaw.

Researchers from F5 Labs say the Apache bug is being used in a new cryptomining campaign which impacts Linux machines.

According to the team, threat actors are harnessing PoC code for the Apache Struts 2 critical remote code execution vulnerability posted to Pastebin to infiltrate Linux systems for the purpose of mining Monero.

Mining for cryptocurrency, such as Bitcoin (BTC), Ethereum (ETH), and Monero (XMR), is a completely legitimate activity which uses computing power to find virtual coins. However, when this power is taken without consent, such activities are considered cryptojacking.

The most common tactic used by criminals in cryptojacking campaigns is the Coinhive script, a legitimate system which is being widely abused.

In July, a massive cryptojacking campaign was uncovered in which a botnet used enslaved MikroTik routers to mine for Monero.

See also: Japan issues first-ever prison sentence in cryptojacking case

Dubbed CroniX, the new attack exploits the Apache bug to send a single HTTP request at the same time as injecting an Object-Graph Navigation Language (OGNL) expression containing malicious JavaScript code.

TechRepublic: Why cryptocurrency needs to get more user-friendly to achieve mainstream success

This code then calls and downloads an additional file which launches a Powershell command on the infected system.

The downloaded file is a bash script which sets the number of "huge pages" in memory to 128 in preparation for the mining operation. Cron jobs are then set for the purpose of persistence; the download of an update.sh file on a daily basis and a file called "anacrond" which can be called upon to restart the mining process if the original malicious files are removed.

To make sure that the cryptomining campaign is not having to fight for processor resources, the malware then scans the system and kills off any binaries related to previous cryptominers.

See also: Windows utility used by malware in new information theft campaigns

Once the competition has been eradicated, the attacker downloads and executes the "XMRigCC" miner which contains embedded configuration details including wallet information and the mining pool location.

A process called XHide is also implemented to disguise the miner as a Java service.

"Considering it's only been two weeks since this vulnerability was discovered, it's worth noting how fast attackers are weaponizing vulnerabilities and how quickly researchers are seeing them in the wild," F5 Labs says. "Enterprises must be as vigilant as ever about patching affected systems immediately."

CNET: Someone just bought a cryptocurrency cat for $172,000

Last year, Equifax blamed its record-breaking data breach and the exposure of data belonging to 147 million consumers on an Apache Struts vulnerability. Failure to patch the flaw months after a security advisory was issued has cost the company over $439 million to date.

Previous and related coverage