case analysis of exploiting server vulnerability to mine black production

Posted by tetley at 2020-04-05


Bat represents the bright side of making money through the Internet. In contrast, the dark side of the black industry will also exhaust its imagination to maximize its own profits. In this respect, the black industry can be described as "Eight Immortals crossing the sea" with their own abilities. Those who steal data and resell it to realize financial freedom, and those who end up in time, will not worry about food and drink all their lives, and those who are greedy and insatiable will end up in prison under the increasingly severe attack in the near future. In addition to making ideas on the data, we see that there are also those who make some small money by extracting the computing power of the equipment. Recently, Tianyan lab has tracked some gangs that use these nday vulnerabilities to attack the server to obtain control automation and implant mining Trojans, so as to analyze a real case for you.

I hope that this small exposure can cause some administrators to be alert, check whether there is a vulnerability in their server, clear the malicious code already existing in the machine (if there is a vulnerability, it can almost certainly be controlled by intrusion), and ensure the security of data and services.

The web application server based on Java has several very useful remote command execution vulnerabilities, such as the following two:


IBM WebSphere Java comments collections component deserialization vulnerability


Oracle WebLogic Server Java deserialization vulnerability

The details of the vulnerability are not analyzed here. Although technical details and utilization tools have been publicized for nearly two years, there are still a large number of web servers with these vulnerabilities on the Internet, and these servers will be prey to attackers sooner or later. As for what the controlled machine will do, it is the will of the attacker. If there is data, it will be stolen and sold back. In addition, the server generally has a very good hardware configuration, massive storage, high-speed CPU and network connection. Now the price of bitcoin is relatively high. It is also a black market to use the server to mine and make full use of its computing power The way for chickens to eat more for their own benefit.


Black industry scans the IP segment to find servers with specific ports open, confirms the web application servers with vulnerabilities, controls the servers with vulnerabilities, downloads a picture containing mining malicious programs, analyzes and executes them, and transforms the servers into a mining chicken.

The sample comes from the honeypot we set up. The server has opened the Weblogic service,

Log analysis shows that the attacker exploited Java deserialization vulnerability in Weblogic application server to break through the server. After gaining control, the attacker first executes a script, which is used to download and execute a program named regedit.exe. This program will call powershell.exe to execute the following PowerShell script:

The PowerShell code is shown in the following figure:

The script will first go to the open source website to download the tool program dd.exe, and use it to write files. For most of the main anti killing software, dd.exe will be marked as a white file, so using the tool can bypass some detection operations. The following figure is the introduction of dd.exe:

The script will also go to to download a JPG picture:

Https:// this website is a host, which can provide the external link address for the files uploaded by users:

The interface of the website is as shown in the figure, and the maximum upload file limit is 5MB:

The size of the downloaded image is 1.44M, which is certainly not just a picture:

It is found that the image offset 0xd82 (3458) starts as a PE file:

Finally, the script calls dd.exe to extract the PE file from the picture and names it msupdate.exe: dd.exe if = favicon. JPG of = msupdate. Exe skip = 3458 BS = 1.

PE is a self extracting file;

After decompression, execute msupdate.exe:

Msupdata.exe itself is also a self extracting file:

The comment is a command line parameter, which is the address of the mining pool and bitcoin Wallet:

The following contains the self extracting script command:

Setup=msupdate.exe -a cryptonight -o stratum+tcp:// -u 49hNrEaSKAx5FD8PE49Wa3DqCRp2ELYg8dSuqsiyLdzSehFfyvk4gDfSjTrPtGapqcfPVvMtAirgDJYMvbRJipaeTbzPQu4 -p x



Finally, extract a mining program, and start the mining program with the previous mining pool and bitcoin wallet address:

The whole attack process is as follows:

We also found a script:

Use Weblogic vulnerability to download PowerShell script with the following link:

The content of the script is as follows:

It will download yam.exe, and then add the script to the scheduled task to run the script every six hours to ensure that the malicious code runs in the server for a long time.

The link of the downloaded EXE file is:

The downloaded file is as follows:

The following figure is the string after shelling. It is not hard to see that it is the mining code:

Impact surface analysis

According to the analysis of the network features, more than 20000 machines infected by this kind of malicious code have been located in the last month, which constitutes considerable computing power for mining work. According to the statistics of IP sources, more than 95% of them are domestic, reflecting that the domestic server security management still has a long way to go


According to the distribution of provinces in China, Heilongjiang, Hubei, Henan, Guangdong and Sichuan are the hardest hit areas


There is no end to the pursuit of interests. They will "fully" extract the value of all the resources they can get and make full use of them. We must take all necessary measures to protect ourselves, and never get away with the laziness of our opponents.



file name



Miner's user name

[email protected]

[email protected]

[email protected]

[email protected]

*Author of this article: 360 Tianyan Laboratory (enterprise account), reprint please indicate that it is from