Infected WordPress Site Reveals Malicious C&C Script
Bitcoin prices are down 60% year-to-date, trading well off the all-time highs of $69,000 seen last November. Some altcoins have fallen in value further, as the value of digital currencies has plummeted over the past six months.
While we can collectively agree that cryptocurrencies are incredibly volatile and currently on a downward trajectory, this has not completely deterred attackers from trying to leverage compromised websites and servers to mine them.
Let’s take a look at what we found in a recent survey.
XMRig Miner Hidden in /1.html
An examination of the files and database of a compromised WordPress website revealed the remains of an attempt to load cryptojacking malware.
This code had been hidden in ./1/1.html. Since it’s an HTML file, it can’t run PHP code by default – and there’s a good chance the malicious functionality was removed or modified by the bad actor.
In its current state, the code is incomplete, corrupt, or just plain rubbish. It initiates a download of XMRig (xmrig-6.17.0-linux-x64.tar.gz) on a client computer and runs mastic.exe (which is normally a Windows SSH client, but in this case it could be anything) against the server.
While XMRig is a perfectly legitimate open-source mining platform used to mine Monero cryptocurrency, attackers are known to compromise servers and exploit system resources to mine with the XMRig platform.
Typical cryptojacking attack sequence
Although there is no specific single entry point for a cryptojacking attack, malicious actors can use brute force attacks or exploit known software vulnerabilities to gain unauthorized access to the environment. Once a foothold is established, attackers download the XMRig payload and hijack server resources for their mining.
- The attacker uploads a malicious script to the compromised server.
- When the script runs, it downloads and unpacks the XMRig miner on the victim’s server.
- When the XMRig miner is run, it contains instructions to mine Monero on a specific pool as well as configurations to send payments to the attacker’s wallet address.
Once access is gained, attackers have been known to create cron jobs to ensure the miner is persistent and still running on the environment. These cron jobs are set to run every few seconds to check for and extract the malicious script. If the check is not successful and the miner is not found, the script downloads XMRig and its associated configuration files from the attacker’s server.
Resources will vary depending on the victim’s hosting plan and server provider – and while a single compromised server may not generate a significant amount of Monero in a short period of time, the attacker will see exponential results as they increase the number of victims in their cryptojacking campaign.
Smoke Bot C&C Zip File
Our investigation also revealed a suspect smoke.zip file that had been downloaded and left on the website.
A content scan revealed command and control (C&C) server malware called Smoke Bot, also known as Smoke Loader hacktool. C&C servers are used to send commands to systems that have been compromised by malware, as well as to receive stolen data from target networks and resources. And while hacktools like AnonymousFox are regularly found during remediation, C&C software is much less often found during website cleanup.
The Smoke Bot software contains a large number of features that allow the attacker to easily install and maintain persistent processes, perform DDoS attacks on various resources, and mine for Monero (XMR) – which explains the presence of code to start a download of xmrig-6.17.0-linux-x64.tar.gz on a client computer.
The software is modular, allowing the bad actor to install various plugins that extend functionality. These features became evident when we analyzed the malicious code.
In addition to features that allow an attacker to create tasks and manage bots in their botnet, the software contains a THIEF module that allows the attacker to retrieve saved passwords from browsers and email accounts from compromised endpoints that are part of the botnet and then manage them from the user interface.
An additional module is available for DDoS attacks which (among other things) includes functionality for volumetric attacks designed to overwhelm a target server with HTTP, HTTPS, GET and POST requests.
The interface allows the attacker to easily initiate, stop, and remove DDoS attacks for target addresses.
Another module, PROCMON, allows the bad actor to monitor processes, with options to end processes, restart the operating system, and even download or run files.
Additionally, the software also contains features to detect account passwords, grab form submissions, delete cookies, spoof DNS, log keystrokes, and other malicious behavior.
It goes without saying that this toolkit contains functionality that could be extremely harmful to both website visitors and website owners – and is widely associated with criminal activity.
In cases where malware like this Smoke Bot is installed in a hosting environment without the knowledge of the owner and used to actively manage bots, the blame will lie with the owner of the host rather than the master of the bot. It should also be noted that many bots contain hidden functions used to regain control of the botnet if the C&C software is discovered and shut down.
And while this particular investigation revealed components that did not appear to be in active use, steps should still be taken to ensure that malware does not end up hiding somewhere in your environment, whether or not it has active malicious behavior.
How to Check Indicators of Compromise
There are a few key things to check when trying to identify whether your website is being used to mine cryptocurrency.
Keep an eye on high CPU usage.
If your computer is running slow and your browser is using a ton of CPU even with all other tabs closed, that’s a major red flag. This behavior may not occur immediately, but only after the device has not been used for a while.
Inspect scripts from suspicious websites.
If your website has been compromised by a server-side cryptominer, you will need to remove the infection and then follow these key post-hack actions:
- Change all environment admin passwords including FTP, admin panel and cPanel credentials.
- Update and fix all website software including plugins, themes and core CMS.
- Run an antivirus scan on your computer or laptop.
- Delete any old backups or website versions from the server.
To avoid incidents where your website is used to mine cryptocurrency or host C&C botnet software, the most important course of action is to reduce the risk of infection in the first place.
Website monitoring can help you identify important indicators of compromise, like those seen in this particular case, where new suspicious .zip files were uploaded to the system and changes were made to existing HTML or PHP files. And if your system or website has started to see performance degradation, you might have an infection. We strongly encourage website owners to use file integrity monitoring solutions, closely monitor system resource usage, and monitor security issues at the client and server level.
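As an added illustration (not code from the original post), the following Python script shows the kind of file integrity check described above: it hashes a web root, compares a later snapshot against the baseline to flag newly dropped .zip archives and edited HTML/PHP files, and scans file contents for the two file names quoted in this write-up. The `demo()` function builds a constructed sample web root so the script runs offline; the file names and contents in it are made up for the example.

```python
import hashlib
import tempfile
from pathlib import Path

# Indicator strings quoted in the write-up above (file names the attacker's code referenced).
INDICATORS = ("xmrig-6.17.0-linux-x64.tar.gz", "mastic.exe")
WATCHED_SUFFIXES = (".html", ".php")


def snapshot(webroot):
    """Map every file under webroot (path relative to it) to its SHA-256 digest."""
    root = Path(webroot)
    return {p.relative_to(root).as_posix(): hashlib.sha256(p.read_bytes()).hexdigest()
            for p in sorted(root.rglob("*")) if p.is_file()}


def diff_snapshots(baseline, current):
    """Compare two snapshots; flag new archives, other new files, edited HTML/PHP, deletions."""
    findings = []
    for rel, digest in current.items():
        if rel not in baseline:
            findings.append(("new zip archive" if rel.endswith(".zip") else "new file", rel))
        elif baseline[rel] != digest and rel.endswith(WATCHED_SUFFIXES):
            findings.append(("modified html/php", rel))
    findings.extend(("deleted file", rel) for rel in baseline if rel not in current)
    return findings


def scan_for_indicators(webroot):
    """Return (relative path, indicator) for each file whose bytes contain a known indicator."""
    root = Path(webroot)
    return [(p.relative_to(root).as_posix(), ind)
            for p in sorted(root.rglob("*")) if p.is_file()
            for ind in INDICATORS if ind.encode() in p.read_bytes()]


def demo():
    """Constructed sample web root: a clean baseline, then changes like those seen in this case."""
    with tempfile.TemporaryDirectory() as tmp:
        root = Path(tmp)
        (root / "index.php").write_text("<?php echo 'hello'; ?>\n")
        (root / "wp-config.php").write_text("<?php define('DB_NAME', 'wp'); ?>\n")
        baseline = snapshot(root)
        # Simulated compromise: dropped archive, edited PHP, hidden loader in ./1/1.html
        (root / "smoke.zip").write_bytes(b"PK\x03\x04 constructed placeholder archive")
        (root / "index.php").write_text("<?php echo 'hello'; include '1/1.html'; ?>\n")
        (root / "1").mkdir()
        (root / "1" / "1.html").write_text("<!-- constructed: fetch xmrig-6.17.0-linux-x64.tar.gz -->\n")
        return diff_snapshots(baseline, snapshot(root)), scan_for_indicators(root)
```

In practice the baseline snapshot would be stored outside the web root (ideally off-host) and the comparison run on a schedule, so an attacker who edits files cannot also rewrite the baseline.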
In addition to monitoring, a web application firewall can help keep bad actors away from your site in the first place. Website firewalls protect your website from attackers looking to exploit vulnerabilities and perform malicious actions with your site, such as downloading or distributing malware. By detecting and filtering malicious traffic, your network and websites are protected against attacks.
Our incident response team is able to deal with all forms of website infections. If you think your website has been compromised and you need help cleaning up the infection, we’re always happy to help.