Tuesday, January 14, 2025

CoinMiner embedded lots of vulnerabilities to exploit


This CoinMiner family is a very classic one: the sample itself embeds a large number of exploits for known (N-day) vulnerabilities. Here I walk through one of them with static analysis.

The sample

(SHA256: 128452242b0ff64f746759e106ce84b998c0b7807380a1f50975ceb8eada430e)

The sample is packed with UPX (3.96).

Figure 1 – packer: UPX (3.9.6)


Unpacking it with the UPX tool shows that the binary is written in Go. Yes, Go has become very popular for malware development.

Figure 2 – the sample is compiled with Go


OK, let’s move on to static analysis. Good luck!

Some function name strings, such as “shell_exploit”, are very attractive.


Figure 3 – shell_exploit_* strings


Here, “_b42207_” was picked at random for analysis.


Figure 4 – shell_exploit_ptr_b42207_*


In the function “shell_exploit__ptr_b42207_run”, you can find an interesting key string: “/securityRealm/user/admin/”.


Figure 5 – CVE-2018-1000861: key strings


The complete strings are as follows:

Figure 6 – CVE-2018-1000861 complete string for EXP


This is CVE-2018-1000861, the Jenkins remote command injection vulnerability.

Of course, the other embedded vulnerabilities can be identified the same way; a lot of work is needed before you end up with a complete table of them.
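The repetitive part of that work (pulling the `shell_exploit_*` symbol names out of the unpacked binary, grouping them by module id, and matching key strings against vulnerabilities already identified) can be scripted. The following is an added triage helper written for this post, not code from the sample or from the original author. It runs `strings`-style extraction over a constructed byte blob that stands in for the unpacked Go binary; the second module id `a11f03` is made up, and the only key-string-to-CVE mapping filled in is the one the post confirms (`/securityRealm/user/admin/` → CVE-2018-1000861). On a real file you would pass the bytes read after `upx -d`.

```python
import re
from collections import defaultdict

MIN_STRING_LEN = 6

# Hypothetical key-string -> vulnerability table. Only the entry confirmed
# above is filled in; extend it as each embedded exploit is identified.
KEY_STRING_TO_CVE = {
    "/securityRealm/user/admin/": "CVE-2018-1000861 (Jenkins)",
}

# Constructed stand-in for the unpacked Go binary (NOT the real sample):
# a fake ELF header, a few symbol-like strings and one key string, all
# separated by null bytes the way they sit in a real string table.
SAMPLE_BINARY = (
    b"\x7fELF\x02\x01\x01\x00\x00\x00\x00"
    b"main.main\x00"
    b"shell_exploit__ptr_b42207_run\x00"
    b"shell_exploit__ptr_b42207_check\x00"
    b"shell_exploit__ptr_a11f03_run\x00"  # made-up second module id
    b"/securityRealm/user/admin/\x00"
    b"\x01\x02\x03unrelatedstring\x00"
)

# Matches names such as shell_exploit__ptr_b42207_run: module id, then method.
EXPLOIT_SYMBOL = re.compile(
    r"shell_exploit_+(?:ptr_)?([0-9a-f]{6})_([A-Za-z0-9_]+)"
)


def extract_strings(data: bytes, min_len: int = MIN_STRING_LEN) -> list[str]:
    """Return runs of printable ASCII of at least min_len bytes (like `strings`)."""
    pattern = rb"[\x20-\x7e]{%d,}" % min_len
    return [m.group().decode("ascii") for m in re.finditer(pattern, data)]


def find_exploit_modules(strings: list[str]) -> dict[str, list[str]]:
    """Group shell_exploit_* symbol names: module id -> sorted method names."""
    modules = defaultdict(set)
    for s in strings:
        for mod_id, method in EXPLOIT_SYMBOL.findall(s):
            modules[mod_id].add(method)
    return {mod_id: sorted(methods) for mod_id, methods in sorted(modules.items())}


def find_indicators(strings: list[str], table: dict = KEY_STRING_TO_CVE) -> dict[str, str]:
    """Map key strings present in the binary to the vulnerability each identifies."""
    found = {}
    for s in strings:
        for key, cve in table.items():
            if key in s:
                found[key] = cve
    return found


def triage(data: bytes) -> dict:
    """One-shot summary: which exploit modules exist and which ones are already attributed."""
    strings = extract_strings(data)
    return {
        "modules": find_exploit_modules(strings),
        "indicators": find_indicators(strings),
    }


if __name__ == "__main__":
    import json
    # Real usage: triage(open("unpacked_sample.bin", "rb").read())
    print(json.dumps(triage(SAMPLE_BINARY), indent=2))
```

The module table tells you how many distinct exploit modules still need a name; the indicator table grows as you add one confirmed key string per module, which is exactly the list the post says takes a lot of work to build.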


End.
