Dark Reading is part of the Informa Tech Division of Informa PLC

This site is operated by a business or businesses owned by Informa PLC and all copyright resides with them.Informa PLC's registered office is 5 Howick Place, London SW1P 1WG. Registered in England and Wales. Number 8860726.

Partner Perspectives  Connecting marketers to our tech communities.
SPONSORED BY
4/12/2018
09:00 AM
Andrey Shalnev
Andrey Shalnev
Partner Perspectives
50%
50%

How Attackers Can Exploit rTorrent with Monero Cryptocurrency Miner

As cryptomining campaigns become more profitable, cybercriminals are becoming more creative about finding new ways to extend their operations.

rTorrent is a Unix-based torrent client that is implemented in C++. rTorrent optionally supports XML-RPC to allow control by other external programs. XML-RPC is a remote procedure call (RPC) protocol that uses XML to encode its calls and HTTP as a transport mechanism. ruTorrent is an example of a web-based front-end that controls the rTorrent client using XML-RPC communication.

Unlike communicating with the uTorrent client, the rTorrent client doesn’t require any authentication and supports a method for direct shell command execution. While this functionality was not meant to be publicly accessible, some threat actors decided to test their luck on the Internet by looking for misconfigured rTorrent clients exposed to the web.

The campaign spotted by F5 researchers consists of two steps: reconnaissance and exploitation. The reconnaissance is performed using POST requests to an XML-RPC endpoint. The attacker tries to invoke the "download_list" method (provides the list of downloaded torrents) as an indication of an installed rTorrent client.

The request is sent to the "/RPC2" URL (as would be the case for common XML-RPC communication) but the endpoint URL is defined by the torrent client user in the web server configuration and could be configured to other values.

If there is a running rTorrent instance, it responds with a "200 OK" status code, and a list of hashes of the download list files. Then, once the result is positive, the attacker initiates the exploitation by sending another POST request that calls the "execute" method, which allows the attacker to run arbitrary shell commands on the host.

Payload Analysis
The attacker executes the bash (Unix shell) command with a base64 encoded payload. The payload is decoded using a Unix built-in base64 command and is executed by piping it to another bash to create a crontab task executed every hour. The task downloads a file from the attacker’s server and pipes its content directly to bash, which results in the execution of the script without saving it on the hard drive.

The bash script sets up some environment variables and prevents logging of any output from the running script. It also changes the memory page’s size to 128, likely to increase the performance of the mining process.

Removing Competitors
The script tries to stop other miners from running (competitors or older versions of its own miners) if they are present. It has quite a comprehensive list of miner process identifiers, from common miner program names like "miner" and "xmr" to specific file names such as "wnTKYg", "imWBR" and "ddg", that are related to another mining campaign. It also searches for common miner program arguments such as“stratum”(mining protocol) and miners that pretend to be ssh deamon (for example, sshd).

Downloading Malware from the Hidden Network
The malware sleeps for random periods (likely an evasion technique) and then downloads the mining malware with the correct OS architecture (x64 or x32). Interestingly, the file is served from a Tor network using the Tor2Web "gateway" service to make detection and shutdown of the attacker’s website more difficult. Tor2Web allows Tor hidden services to be accessed from a standard browser without being connected to the Tor network. This technique has been used by attackers for several years.

Zealot Connection?
Looking more closely, the malware download request contain a custom user-agent header with the value of "-". Interestingly, the same unique user-agent was also used in the Zealot campaign, leading us to speculate that both campaigns are executed by the same threat actor.

The user-agent is a bit unique as attackers typically use a legitimate browser user-agent to better masquerade their traffic, or a user agent that includes a default HTTP library name (for example, "python-requests/2.18.4"). In this case, the user-agent doubles as a deception technique to trick researchers or scanners that access the server with their Internet browser or tool and get a “403 Forbidden” response instead of the real content. This technique is being used more frequently by sophisticated attackers nowadays.

The downloaded malware is a Monero (XMR) crypto-currency miner. Currently, the executable is barely detected by anti-virus agents.  At the time of this writing, only 3 of 59 anti-virus agents detected it as malicious.

Mining Monero (XMR) Currency
The mining pool and Monero wallet addresses is in the malware file strings.

The mining addresses are: 45e9rBtQwSXfdLn6avycd1bMp6RJTsNfwdPrMPWbz8crBXzPeGPLM6t8QE3s6JS5LNJUGMGmibF9yZhjVoCbUvz989EsT6h

44Sqc2Zcgz7ROLQcGRXtFsMbwNQIX5HExWMxD9tfxXRDBBiu2pf2j6VhvjD6i7D8MLNYzn73efgxEIwfweVG626MIdl2uxC

Looking at the mining addresses we can see that the attacker has gained approximately $3,900 from this campaign for one of the addresses. The attacker’s current hash rate will produce the attacker about $43 per day. Currently, the second address doesn’t have a balance.

As crypto-mining campaigns become more profitable than other cybercrime business models, attackers are becoming more creative and finding new ways to extend their operations. In this example, we are seeing crypto criminals moving into an interesting attack vector target: misconfigured BitTorrent clients. As a protection, rTorrent users are advised to make sure that their clients are not accepting connections from the outside world, and that the listening sockets are bound to the localhost. Or, better yet, avoid XML-RPC functionality that is not shipped with the default installation. It’s worth noting that the author of rTorrent explicitly recommends not using the RPC functionality over TCP sockets.

Get the latest application threat intelligence from F5 Labs.

F5 makes apps go-faster, smarter, and safer. With solutions for the cloud and the data center, F5 technology provides unparalleled visibility and control, allowing customers to secure their users, applications, and data. For more information, visit www.f5.com. View Full Bio
Comment  | 
Print  | 
More Insights
Comments
Newest First  |  Oldest First  |  Threaded View
COVID-19: Latest Security News & Commentary
Dark Reading Staff 9/25/2020
9 Tips to Prepare for the Future of Cloud & Network Security
Kelly Sheridan, Staff Editor, Dark Reading,  9/28/2020
Attacker Dwell Time: Ransomware's Most Important Metric
Ricardo Villadiego, Founder and CEO of Lumu,  9/30/2020
Register for Dark Reading Newsletters
White Papers
Video
Cartoon
Current Issue
Special Report: Computing's New Normal
This special report examines how IT security organizations have adapted to the "new normal" of computing and what the long-term effects will be. Read it and get a unique set of perspectives on issues ranging from new threats & vulnerabilities as a result of remote working to how enterprise security strategy will be affected long term.
Flash Poll
Twitter Feed
Dark Reading - Bug Report
Bug Report
Enterprise Vulnerabilities
From DHS/US-CERT's National Vulnerability Database
CVE-2020-15488
PUBLISHED: 2020-09-30
Re:Desk 2.3 allows insecure file upload.
CVE-2020-15849
PUBLISHED: 2020-09-30
Re:Desk 2.3 has a blind authenticated SQL injection vulnerability in the SettingsController class, in the actionEmailTemplates() method. A malicious actor with access to an administrative account could abuse this vulnerability to recover sensitive data from the application's database, allowing for a...
CVE-2020-14375
PUBLISHED: 2020-09-30
A flaw was found in dpdk in versions before 18.11.10 and before 19.11.5. Virtio ring descriptors, and the data they describe are in a region of memory accessible by from both the virtual machine and the host. An attacker in a VM can change the contents of the memory after vhost_crypto has validated ...
CVE-2020-14376
PUBLISHED: 2020-09-30
A flaw was found in dpdk in versions before 18.11.10 and before 19.11.5. A lack of bounds checking when copying iv_data from the VM guest memory into host memory can lead to a large buffer overflow. The highest threat from this vulnerability is to data confidentiality and integrity as well as system...
CVE-2020-14377
PUBLISHED: 2020-09-30
A flaw was found in dpdk in versions before 18.11.10 and before 19.11.5. A complete lack of validation of attacker-controlled parameters can lead to a buffer over read. The results of the over read are then written back to the guest virtual machine memory. This vulnerability can be used by an attack...