挖矿木马z0Miner正利用Confluence漏洞发起攻击

近日，趋势科技发现挖矿木马 z0Miner 一直在利用 Atlassian 的 Confluence 远程代码执行漏洞（CVE-2021-26084）。

去年年底，z0Miner 被发现利用 Oracle 的 WebLogic 远程代码执行漏洞（CVE-2020-14882）发起攻击。从那以后，z0Miner 被发现多次利用各种 RCE 漏洞发起攻击，例如 CVE-2015-1427。

感染链

根据调查，利用 CVE-2021-26084 漏洞的感染链与此前类似。一旦 Confluence 漏洞被成功利用，z0Miner 就会部署 WebShell 下载恶意软件。

http]://213.152.165.29/x.bat
http]://213.152.165.29/uninstall.bat
http]://213.152.165.29/vmicguestvs.dll
http]://27.1.1.34:8080/docs/s/sys.ps1

规避机制

z0Miner 通过安装 vmicvguestvs.dll进行持久化和检测逃避，z0Miner 将其伪装成名为 Hyper-V Guest Integration的服务。

下载的脚本会创建一个名为 .NET Framework NGEN v4.0.30319 32的计划任务，该任务伪装成 .NET Framework NGEN 任务。如下所示，该任务每隔五分钟执行一次。但在撰写本文时，Pastebin URL 的内容已被删除。

z0Miner 还会下载另一个名为 clean.bat的脚本来查找并删除其他竞争对手的矿工。

安全建议

Atlassian 已经发布了一个补丁来修复 Confluence 的漏洞，用户也应该进一步采取其他措施来最大程度地减少系统面临的威胁和风险。

ATT&CK

T1569.002: System Services: Service Execution T1053.005: Scheduled Task T1543.003: Create or Modify System Process: Systems Service T1112: Modify Registry T1489: Service Stop T1562.001: Impair Defenses: Disable or Modify Tools T1036.004: Masquerade Task or Service T1070.004: File Deletion T1033: System Owner/User Discovery T1049: System Network Connections Discovery T1069.001: Permission Groups Discovery: Local Groups T1069.002: Permission Groups Discovery: Domain Groups T1082: System Information Discovery T1087: Account Discovery T1087.001: Account Discovery: Local Account T1087.002: Account Discovery: Domain Account T1124: System Time Discovery T1496: Resource Hijacking

IOC

49f3d06419d9578551e584515f44b2ee714e1eef96b94e68ea957f2943deca5a cb339d08c0ad7c4d07b06cae5d7eae032fb1bb1178d80b2a1997a8b8257b5bea 0663d70411a20340f184ae3b47138b33ac398c800920e4d976ae609b60522b01 a5604893608cf08b7cbfb92d1cac20868808218b3cc453ca86da0abaeadc0537 f176d69f18cde008f1998841c343c3e5d4337b495132232507a712902a0aec5e 4a2fbe904e4665939d8517c48fb3d5cb67e9b1482195c41fe31396318118cfc8 e9ba929949c7ea764a298e33af1107ff6feefe884cabf6254ff574efff8a2e40 7d8b52e263bc548891c1623695bac7fb21dab112e43fffb515447a5cc709ac89 http]://209.141.40.190/oracleservice.exe http]://209.141.40.190/wxm.exe http]://27.1.1.34:8080/docs/s/config.json http]://27.1.1.34:8080/examples/clean.bat http]://27.1.1.34:8080/docs/s/sys.ps1 http]://222.122.47.27:2143/auth/xmrig.exe http]://pastebin.com/raw/bcFqDdXx http]://pastebin.com/raw/g93wWHkR http]://164.52.212.196:88/eth.jpg http]://66.42.117.168/BootCore_jsp http]://164.52.212.196:88/1.jpg http]://209.141.40.190/xms http]://172.96.249.219:88/.jpg http]://172.96.249.219:88/1.jpg 1.bat http]://172.96.249.219:88/.jpg http]s://zgpay.cc/css/kwork.sh http]s://raw.githubusercontent.com/alreadyhave/thinkabout/main/kwork.sh http]://209.141.40.190/oracleservice.exe http]://213.152.165.29/vmicguestvs.dll http]://213.152.165.29/uninstall.bat http]://213.152.165.29/x.bat

参考来源：

https://www.trendmicro.com/en_us/research/21/i/cryptominer-z0miner-uses-newly-discovered-vulnerability-cve-2021.html