March 30, 2017
An Apache Struts2 campaign has made a number of pivots to eventually start delivering Cerber ransomware.
Researchers have noticed new mutations in the campaigns targeting the Apache Struts2 vulnerability.
F5 Networks' researchers witnessed a campaign targeting the Apache Struts2 vulnerability pivot on 20 March and start delivering Cerber ransomware to servers.
Cerber ransomware is named for the three-headed canine that guards the gates of hell in Greek mythology. As a piece of ransomware, it encrypts its victims' files and charges them bitcoin to decrypt and regain access to them. It is apparently popular on Russian underground forums, and Malwarebytes called it “pretty powerful ransomware written with attention to detail.” The company touted its “rich customisation options and various tricks to make analysis harder.”
This variant of Cerber adds an interesting new feature: it changes Windows firewall rules so that installed antivirus software cannot send messages out, which effectively stops that software from updating or reporting.
Researchers noted that targeting servers with ransomware, rather than individuals, could provide a better payout, because servers are more likely to be run by private businesses and organisations “with deeper pockets and better infrastructure that might be critical for their business”.
Observation of the bitcoin wallet has shown that 2.2 bitcoin (£1854) have gone in and out of the wallet since the beginning of the campaign.
The campaign had started out early in the month using PowerBot malware and had previously tried its hand at cryptocurrency mining: it used the vulnerability to download a “minerd” cryptocoin mining programme, which mines coins into several, apparently “legitimate crypto pools”.
This particular malware is designed to be contagious. Researchers noted that once it infects a server, it compiles a list of the remote IP addresses that the infected server's administrator had connected to, along with their fingerprints. The malware then attempts to connect to them over SSH. If the machines at those IP addresses use key-file authentication rather than a username and password, the malware spreads its contagion to them.
F5 researchers noted that they have seen 10 other campaigns delivering traditional Linux DDoS malware and performing reconnaissance.
Apache Struts 2 is an open source framework for developing web applications. The vulnerability in the Apache Struts2 Jakarta Multipart parser, CVE-2017-5638, was discovered on 6 March. The exploit could allow attackers to remotely execute commands by using a crafted Content-Type, Content-Disposition, or Content-Length value. Since the vulnerability was discovered early in the month, the Apache Struts group have released a series of plugins and updates to secure those using the framework against the attack. It has also strongly encouraged users to update to the latest version.
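As an added defender-side illustration (not code from the article or from F5), the check below flags requests whose Content-Type, Content-Disposition, or Content-Length header carries the OGNL expression markers associated with CVE-2017-5638; the request samples are constructed for the example, not real captures.

```python
import re
from typing import Dict, List

# The three headers the article names as injection vectors for CVE-2017-5638.
WATCHED_HEADERS = ("content-type", "content-disposition", "content-length")

# Markers of an OGNL expression; the vulnerable Jakarta Multipart parser
# evaluated an attacker-controlled header value while building an error message.
OGNL_MARKER = re.compile(r"%\{|\$\{|\(#")


def parse_headers(raw_request: str) -> Dict[str, str]:
    """Return a lower-cased name -> value map for the header block of a raw HTTP request."""
    headers: Dict[str, str] = {}
    for line in raw_request.split("\n")[1:]:  # skip the request line
        line = line.rstrip("\r")
        if not line:
            break  # blank line ends the header block
        name, _, value = line.partition(":")
        headers[name.strip().lower()] = value.strip()
    return headers


def header_findings(raw_request: str) -> List[str]:
    """List anomalies in the watched headers; an empty list means nothing suspicious."""
    headers = parse_headers(raw_request)
    findings: List[str] = []
    for name in WATCHED_HEADERS:
        value = headers.get(name)
        if value is None:
            continue
        if OGNL_MARKER.search(value):
            findings.append(f"{name}: OGNL marker")
        if name == "content-length" and not value.isdigit():
            findings.append("content-length: non-numeric")  # legitimate clients send a number
    return findings


# Constructed sample requests (hypothetical host and paths, not real traffic).
SAMPLES = {
    "benign": ("POST /upload.action HTTP/1.1\r\nHost: app.example\r\n"
               "Content-Type: multipart/form-data; boundary=abc\r\nContent-Length: 512\r\n\r\n"),
    "ognl_in_type": ("POST /upload.action HTTP/1.1\r\nHost: app.example\r\n"
                     "Content-Type: %{(#constructed_marker='x')}\r\nContent-Length: 0\r\n\r\n"),
    "bad_length": ("POST /upload.action HTTP/1.1\r\nHost: app.example\r\n"
                   "Content-Type: multipart/form-data\r\nContent-Length: ${constructed}\r\n\r\n"),
}


def scan_samples() -> Dict[str, List[str]]:
    return {label: header_findings(req) for label, req in SAMPLES.items()}
```

Run on real traffic, the same check belongs at a reverse proxy or WAF in front of any Struts2 application that cannot be patched immediately.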