“commands with a legitimate Microsoft binary. It allows the attacker to fetch and execute a remote Extensible Markup Language (XML) file that contains “scriptlets” with the attacker’s code of choice, using a legitimate and signed “regsvr32” Windows binary. This binary is proxy…”
Which technique(s) should be tagged here? Pick zero or more — leaving blank just records that the original was wrong.
T1218.010 Regsvr32
84%
“opening a reverse shell to a malicious remote server. A reverse shell is a type of shell in which the target machine communicates back to the attacker’s remote machine and waits for the attacker to send shell commands. Reverse shell: once the compromised server is connected to the a…”
T1204.002 Malicious File
72%
“. At the time the vulnerability was released, Microsoft announced that the bug wouldn’t be fixed as the OS was EOL. Soon after, Microsoft published a patch⁶ addressing the issue, as there were still many servers running that OS and exploit campaigns were active. Shellcode analys…”
T1505.004 IIS Components
71%
“…ls) encryption. - The author named the malware file "lsass.exe", likely to camouflage it as the legitimate lsass.exe process. - Almost all the attacks are coming from the US or China, and the malware hosting server resides in Beijing, China, inside China Unicom’s network…”
T1569.002 Service Execution
64%
“opening a reverse shell to a malicious remote server. A reverse shell is a type of shell in which the target machine communicates back to the attacker’s remote machine and waits for the attacker to send shell commands. Reverse shell: once the compromised server is connected to the a…”
T1190 Exploit Public-Facing Application
63%
“Windows IIS 6.0 CVE-2017-7269 is targeted again to mine Electroneum. F5 researchers recently noticed a new campaign exploiting a vulnerability in Microsoft Internet Information Services (IIS) 6.0 servers (CVE-2017-7269¹) in order to mine Electroneum crypto-currency…”
T1003.001 LSASS Memory
59%
“the attacker compromised the server previously, the script will stop and replace the old binary file with a new one before execution. In the script shown in Figure 7, under the “for update” comment, the attacker tries to terminate a process of a specific file named “lsass.exe…”
T1505.004 IIS Components
58%
“Windows IIS 6.0 CVE-2017-7269 is targeted again to mine Electroneum. F5 researchers recently noticed a new campaign exploiting a vulnerability in Microsoft Internet Information Services (IIS) 6.0 servers (CVE-2017-7269¹) in order to mine Electroneum crypto-currency…”
T1055.001 Dynamic-link Library Injection
58%
“the attacker compromised the server previously, the script will stop and replace the old binary file with a new one before execution. In the script shown in Figure 7, under the “for update” comment, the attacker tries to terminate a process of a specific file named “lsass.exe…”
T1569.002 Service Execution
43%
“using the binary data from the base64 string (variable “bytes”) and executes it. Figure 9: bytes variable. Getting persistence as RPC service. To maintain persistence on the captured server, the script tries to register the execution command as an “rpcremote” service. The se…”
T1059 Command and Scripting Interpreter
40%
“commands with a legitimate Microsoft binary. It allows the attacker to fetch and execute a remote Extensible Markup Language (XML) file that contains “scriptlets” with the attacker’s code of choice, using a legitimate and signed “regsvr32” Windows binary. This binary is proxy…”
T1027.002 Software Packing
35%
“…o-currency miner called XMRig (2.5.2) that was packed using the "Ultimate Packer for Executables" UPX packer, as shown in Figure 11. Figure 11: XMRig packed with UPX packer. Figure 12 shows that the miner was compiled on March 26, 2018. Figure 12: XMRig version and co…”
Summary
Attacks are back to targeting a Windows IIS vulnerability first disclosed a year ago to mine Electroneum.