麋鹿资源网
当前位置:首页 > 网络安全

【麋鹿】挖矿木马z0Miner正利用Confluence漏洞发起攻击

10-05   麋鹿站长   63562   0

近日,趋势科技发现挖矿木马 z0Miner 一直在利用 Atlassian 的 Confluence 远程代码执行漏洞(CVE-2021-26084)。

去年年底,z0Miner 被发现利用 Oracle 的 WebLogic 远程代码执行漏洞(CVE-2020-14882)发起攻击。从那以后,z0Miner 被发现多次利用各种 RCE 漏洞发起攻击,例如 CVE-2015-1427。

感染链

根据调查,利用 CVE-2021-26084 漏洞的感染链与此前类似。一旦 Confluence 漏洞被成功利用,z0Miner 就会部署 WebShell 下载恶意软件。

http]://213.152.165.29/x.bat

http]://213.152.165.29/uninstall.bat

http]://213.152.165.29/vmicguestvs.dll

http]://27.1.1.34:8080/docs/s/sys.ps1

规避机制

z0Miner 通过安装 vmicvguestvs.dll进行持久化和检测逃避,z0Miner 将其伪装成名为 Hyper-V Guest Integration的服务。

下载的脚本会创建一个名为 .NET Framework NGEN v4.0.30319 32的计划任务,该任务伪装成 .NET Framework NGEN 任务。如下所示,该任务每隔五分钟执行一次。但在撰写本文时,Pastebin URL 的内容已被删除。

z0Miner 还会下载另一个名为 clean.bat的脚本来查找并删除其他竞争对手的矿工。

安全建议

Atlassian 已经发布了一个补丁来修复 Confluence 的漏洞,用户也应该进一步采取其他措施来最大程度地减少系统面临的威胁和风险。

ATT&CK

T1569.002: System Services: Service Execution
T1053.005: Scheduled Task
T1543.003: Create or Modify System Process: Systems Service
T1112: Modify Registry
T1489: Service Stop
T1562.001: Impair Defenses: Disable or Modify Tools
T1036.004: Masquerade Task or Service
T1070.004: File Deletion
T1033: System Owner/User Discovery
T1049: System Network Connections Discovery
T1069.001: Permission Groups Discovery: Local Groups
T1069.002: Permission Groups Discovery: Domain Groups
T1082: System Information Discovery
T1087: Account Discovery
T1087.001: Account Discovery: Local Account
T1087.002: Account Discovery: Domain Account
T1124: System Time Discovery
T1496: Resource Hijacking

IOC

49f3d06419d9578551e584515f44b2ee714e1eef96b94e68ea957f2943deca5a
cb339d08c0ad7c4d07b06cae5d7eae032fb1bb1178d80b2a1997a8b8257b5bea
0663d70411a20340f184ae3b47138b33ac398c800920e4d976ae609b60522b01
a5604893608cf08b7cbfb92d1cac20868808218b3cc453ca86da0abaeadc0537
f176d69f18cde008f1998841c343c3e5d4337b495132232507a712902a0aec5e
4a2fbe904e4665939d8517c48fb3d5cb67e9b1482195c41fe31396318118cfc8
e9ba929949c7ea764a298e33af1107ff6feefe884cabf6254ff574efff8a2e40
7d8b52e263bc548891c1623695bac7fb21dab112e43fffb515447a5cc709ac89
http]://209.141.40.190/oracleservice.exe
http]://209.141.40.190/wxm.exe
http]://27.1.1.34:8080/docs/s/config.json
http]://27.1.1.34:8080/examples/clean.bat
http]://27.1.1.34:8080/docs/s/sys.ps1
http]://222.122.47.27:2143/auth/xmrig.exe
http]://pastebin.com/raw/bcFqDdXx
http]://pastebin.com/raw/g93wWHkR
http]://164.52.212.196:88/eth.jpg
http]://66.42.117.168/BootCore_jsp
http]://164.52.212.196:88/1.jpg
http]://209.141.40.190/xms
http]://172.96.249.219:88/.jpg
http]://172.96.249.219:88/1.jpg 1.bat
http]://172.96.249.219:88/.jpg
http]s://zgpay.cc/css/kwork.sh
http]s://raw.githubusercontent.com/alreadyhave/thinkabout/main/kwork.sh
http]://209.141.40.190/oracleservice.exe
http]://213.152.165.29/vmicguestvs.dll
http]://213.152.165.29/uninstall.bat
http]://213.152.165.29/x.bat







相关评论

免责声明:本网站所发布的全部内容都来源于互联网搬运

请你在下载后的24小时内进行删除处理,如果有侵权之处请第一时间联系我们删除。敬请谅解! E-mail:2113295600@qq.com

麋鹿版权所有Copyright © 2021-2021