“EternalMiner” Copycats exploiting SambaCry for cryptocurrency mining

Written by Omri Ben Bassat

    Share article
    FacebookTwitterLinkedInRedditCopy Link

    Top Blogs

    About eight weeks ago, a critical RCE vulnerability present in every Samba version since 2010 was reported and patched.  This vulnerability is mostly known as “SambaCry” after the famous WannaCry attack targeting Windows systems vulnerable to “EternalBlue” SMB exploit. The vulnerability lies in a logical bug, which enables an attacker with write-only access to a share to load a malicious samba module and execute arbitrary code.

    Immediately after writing & publishing the first public POC code, I wrote a yara signature for a possible exploit payload and we began monitoring our data feeds for threats exploiting this vulnerability. Over time, we have noticed countless bind/reverse shells and droppers. Most of them are either Metasploit payload or other publicly available implants.

    On June 9th, Kaspersky Labs published an article about  “EternalMiner” — a financially driven cryptocurrency mining malware turning victim machines into “a workhouse on a large farm, mining crypto-currency for the attackers”.

    Less than a week later, we were able to observe copycat cybercriminals actively exploiting the vulnerability with a similar yet improved setup for better cryptomining & control over the victim machines. Naturally, we decided to name this threat “CopyMiner”!

    1. Overview

    As we mentioned above, the copycats used a similar yet improved setup. Implementing a multistage flexible approach with daily updates from multiple backup servers, a persistent backdoor for better control of the victim machines and even a more efficient cryptominer for better consumption of the victim machine’s resources! The copycats took EternalMiner to the next level as an operation suitable for multiple victim’s machines.  In the following sections, we will drill down on each component of the following graph, comparing CopyMiner’s setup vs EternalMiner:
    The copycats took EternalMiner to the next level as an operation suitable for multiple victim’s machines

    2. “CopyMiner” Dropper

    On the 14th of June a small unique dropper sample was uploaded to VirusTotal. The dropper starts executing from “samba_init_module” exports then tries to fetch a payload from the server & execute it as root user in the background. This is done using a  hard-coded obfuscated bash one-liner as you can see in the picture below.

    CopyMiner Dropper

    ** sample hash: 444d0fae73e1221b81dc6c5d53cf087afa88248fc22ef36e756841ab04df24a8

    3. Payload

    The payload (http://update1.sdgndsfajfsdf[.]info/u1) is a short bash script which relays on system tools for 3 main tasks

    1. Setup daily updates from 3 different backup servers using crontab.




    2. Drop and execute Tsunami backdoor & CPUMiner in the background.

    3.Prevent further exploitation by other players who might compete for resources(patch smb.conf).

    ** We were also able to fetch the daily update script from a live server (http://update.sdgndsfajfsdf.info/upd). It seems that this script is just a stripped version of the payload script, lacking the daily updates setup functionality:

    4. CPUMiner

    CPUMiner is an open source cryptomining command line utility supporting multiple coins/algorithms. It seems that the attackers used “cpuminer-multi” – multithreaded more efficient version of the original @poolers cpuminer used by EternalMiner. This sample was “upgraded” it in a similar way as EternalMiner so it could run standalone without command line parameters. Once started, the upgraded cpuminer automatically login into the attackers private mining pool server (p.theywant[.]in:8080), unlike the public mining pool server used by EternalMiner (xmr.crypto-pool[.]fr:3333).

    CPUMiner is an open source cryptomining command line

    5. Tsunami Backdoor

    Alongside CPUMiner the payload script would also fetch & execute “Tsunami” (also known as Kaiten) which is an old Linux irc backdoor/ddos botnet best known for been used to infect IOT devices and OSX systems in the past. The source is publicly available and could be used by anyone. This sample (d8e93252f41e8b0d10cffa92923eeab94c6c42e8acc308e91340df102042c8c8) is configured with hardcoded c2 irc server (asdgsd.uselesslongdomain[.]info). We were able to connect to the live irc server using credentials hard coded in the malware. In the following picture you can see two victims currently logged in (running as root user).

    Tsunami Backdoor

    6. Quickly adopting

    We found that the domain used to host the payload file (sdgndsfajfsdf[.]info) was registered on June 13th. Not only that but the first malicious CPUMiner/Tsunami samples  were uploaded to VT a day after(June 14th), meaning that the attacks started within a short time of only  4-5 days after the original EternalMiner publication!

    7. Indicators of Compromise

    Description Type
    Dropper Sha256   444d0fae73e1221b81dc6c5d53cf087afa88248fc22ef36e756841ab04df24a8
    Payload host dns   update1.sdgndsfajfsdf[.]info
    Payload Sha256   2b96805abdbd1d9ca03d584e48fcfb30740d051dfc93248ff3e21b3a831c0e1a
    Updates server dns   update.sdgndsfajfsdf.info
    dns   update.sdgsafdsf.pw
    dns   update.omfg.pw
    update file(daily) Sha256  22a8dc0603005e3eee49706330c6a5b90214dcb0b3d2f89411fa10a6b3942e3b
    Tsunami Sha256   d8e93252f41e8b0d10cffa92923eeab94c6c42e8acc308e91340df102042c8c8
    Sha256   162de4e95e5e5d35d80ca4cf752c80b2b32b52c9e5fef5551caa20b0d5ed83af
    Tsunami C2 dns   asdgsd.uselesslongdomain.info
    Cpuminer Sha256  26a717a7a14f10880a2869949814400b31d1f4c9cc45384be38289b012587468
    Mining pool dns   p.theywant.in
    Omri Ben Bassat

    Ex-officer in the IDF CERT. Malware analyst and a reverse engineer with vast experience in dealing with nation-state sponsored cyber attacks. Omri is the creator of Master of Puppets (MoP)—an open-source framework for reverse engineers who wish to create and operate trackers for new malware found in the wild—which was presented during the Black Hat USA 2019 Arsenal.

    Generic filters
    Exact matches only
    Search in title
    Search in content
    Search in excerpt