New CroniX Monero-mining malware being spread by hackers exploiting Apache Struts flaw

• The Apache Struts 2 flaw being exploited is a remote code execution flaw, which was recently disclosed.
• The cybercriminals behind the campaign were found using proof-of-concept exploits published on Twitter and GitHub.

Cybercriminals running a cryptomining campaign were found exploiting a recently exposed Apache Struts flaw. The Cybercriminals are using a new malware dubbed CroniX for persistence and stealth.

According to security researchers at F5 Labs, who discovered the new campaign, CroniX’s name comes from the tools that the malware uses - the Cron tool for persistence and the Xhide which launches executables with fake process names.

The Apache Struts flaw was disclosed just two weeks ago. The exploitation of this flaw could open the gates to create more havoc than the Apache Struts flaw that led to the Equifax breach.

“As with many other Apache Struts 2 vulnerabilities, CVE-2018-11776 allows attackers to inject Object-Graph Navigation Language (OGNL) expressions, which might contain malicious Java code that is evaluated under several circumstances. This time, the injection point is within the URL,” F5 Labs researchers said in a blog. “The attacker sends a single HTTP request while injecting an OGNL expression that, once evaluated, executes shell commands to download and execute a malicious file.”

CroniX malware

Researchers discovered that the CroniX malware uses three Cron jobs for persistence - two of the Crons are responsible for refreshing the backdoor with new downloads everyday. CroniX is also capable of removing other competing cryptomining malware, to claim all of the CPU for itself.

“For some miners, the attacker decides to take a more careful approach and check each process name and process CPU usage and then kill only those processes that utilize 60 percent or more of the CPU resources,” F5 Labs researchers said. “This is probably done to avoid killing legitimate processes as the names of these miners (crond, sshd and syslogs) typically relate to legitimate programs on a Linux system.”

Attribution

F5 Labs researchers believe that the campaign’s malware deployment pattern and attack techniques indicate that the cybercriminals behind this campaign are likely the same attackers who were behind a previous campaign exploiting Jenkins servers via CVE-2017-1000353.

“Considering it’s only been two weeks since this vulnerability was discovered, it’s worth noting how fast attackers are weaponizing vulnerabilities and how quickly researchers are seeing them in the wild,” F5 Labs researchers said. “Enterprises must be as vigilant as ever about patching affected systems immediately. When patching isn’t possible, it’s advisable to implement a web application firewall for automated protection.”