Hackers Attacking Apache Web Servers to Install Coinminers

Recently, a campaign was uncovered targeting Windows web servers running Apache and deploying the XMRig Coinminer. The attackers used Cobalt Strike as a conduit to infiltrate internal systems, applying techniques also common to APT and ransomware operations.

According to AhnLab, these threat actors exploit web services compatible with Windows setups, such as Internet Information Services (IIS), Apache, Apache Tomcat, and Nginx.

Apache Web Server Targeted Attacks

Systems that were targeted operated on outdated iterations of the Apache web servers and featured PHP installations. Certain logs revealed the presence of PHP web shell malware strains.

The focal point for the threat actors was httpd.exe, the process that runs the Apache web server, which served as the primary target for installing web shells or exploiting vulnerabilities. Notably, this httpd.exe process was also the parent of malicious activity such as creating and running malware.
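As an added defender-side example, not part of the original report: a small Python check over constructed process-creation events (Sysmon Event ID 1 style fields with assumed column names) that flags anything httpd.exe spawns outside an assumed allowlist, which is the httpd.exe-as-parent behaviour described above.

```python
"""Flag child processes spawned by Apache httpd.exe on Windows."""
import csv
import io
import ntpath

# Children a Windows Apache service legitimately spawns.
# Assumption for this example; tune to the actual deployment.
EXPECTED_CHILDREN = {"httpd.exe", "php-cgi.exe", "rotatelogs.exe"}

# Constructed sample events, not real telemetry. Column names are assumed.
SAMPLE_EVENTS = r"""
time,parent_image,image,command_line
2024-01-01T10:00:00,C:\Apache24\bin\httpd.exe,C:\Apache24\bin\httpd.exe,httpd.exe -k runservice
2024-01-01T10:00:05,C:\Apache24\bin\httpd.exe,C:\php\php-cgi.exe,php-cgi.exe
2024-01-01T10:01:00,C:\Apache24\bin\httpd.exe,C:\Windows\System32\cmd.exe,cmd.exe /c whoami
2024-01-01T10:01:30,C:\Apache24\bin\httpd.exe,C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe,powershell.exe -File C:\Users\Public\a.ps1
2024-01-01T10:02:00,C:\Windows\explorer.exe,C:\Windows\System32\cmd.exe,cmd.exe
2024-01-01T10:03:00,C:\Apache24\bin\httpd.exe,C:\Users\Public\update.exe,update.exe
"""


def parse_events(text):
    """Parse CSV-formatted process-creation events into dicts."""
    return list(csv.DictReader(io.StringIO(text.strip())))


def is_httpd(image_path):
    """True when the image is the Apache service binary, regardless of install path."""
    return ntpath.basename(image_path).lower() == "httpd.exe"


def suspicious_children(events):
    """Return (time, child_name, command_line) for unexpected children of httpd.exe.

    A web server handing requests to a shell, PowerShell, or a binary dropped in a
    user-writable directory is the typical footprint of a web shell being used.
    """
    alerts = []
    for ev in events:
        if not is_httpd(ev["parent_image"]):
            continue  # only care about what the Apache process itself spawns
        child = ntpath.basename(ev["image"]).lower()
        if child in EXPECTED_CHILDREN:
            continue  # normal worker/CGI/log-rotation activity
        alerts.append((ev["time"], child, ev["command_line"]))
    return alerts


if __name__ == "__main__":
    for time, child, cmd in suspicious_children(parse_events(SAMPLE_EVENTS)):
        print(f"{time} httpd.exe -> {child}: {cmd}")
```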

The Cobalt Strike beacon was employed in both stager and stageless attacks. In the stager approach, a downloader malware fetches the beacon from an external source, executing it within a compact memory space, albeit requiring additional steps for the beacon download process.

In contrast, the stageless method embeds the beacon in the file itself, resulting in a larger file size that exceeds a specific limit. To evade detection, the malware strains were obfuscated, for example by being packaged with Golang or PyInstaller.

Moreover, these beacons communicate with the C2 server over HTTP, HTTPS, and DNS channels. During lateral movement, SMB beacons communicate with the already installed beacon to receive further instructions.

Additional Malware Installation

During the Cobalt Strike installation, an attempt was made to install Gh0st RAT as a fallback in case the Cobalt Strike installation was blocked by security products. Once control over the affected systems was established, a Monero-mining Coinminer was installed.

Surprisingly, no logs indicated actual cryptocurrency mining activities beyond the installation of remote control malware and the Coinminer.

A comprehensive report detailing this crypto mining endeavor has been released, offering intricate insights into the source code, malware employed, methodologies, and related information.

Administrators are strongly advised to thoroughly examine web server vulnerabilities related to file uploads and promptly apply patches to prevent initial breaches. Furthermore, a password change policy and robust access control measures are crucial to counter lateral movement attacks that rely on stolen account credentials.

Source – https://cybersecuritynews.com/