One day, we noticed strange GET request towards our JBoss server:
From the request above, you’ll quickly noticed that this attack leveraging Apache Struts vulnerability from CVE-2017-5638.
The request tried to execute command below:
“-O” : writes the documents to file.
“-” : if – is used as file, documents will be printed to standard output, disabling link conversion.
“-q” : quiet (no output)
As you see, it tried to fetch image (jpeg file) from 18.104.22.168. Seems normal right?
We fetch the file & take a look at the jpg file:
ASCII?? Not JPEG?? hmm..
Here’s whats inside the “logo.jpg” file:
We noticed there are several other file fetched; possibly a config file & bin file.
Let’s fetch those file!
Here is the config file:
Not sure it is. Maybe bin file to run a process:
Lets see if the file is packed:
Yup. So lets unpacked the file using UPX:
Overall, looks like the attacker want to hack our servers & turn it into his own crypto currency mining machine.
Typical behavior of attack we see in this time where the crypto currency is rising. People hack to make profit. 🙂
Here the MD5 for file above: