Cryptominer RubyMiner Targets web servers

According to a Check Point Research finding, a new malware package designed to mine cryptocurrency is attacking web servers in an effort to infect them. The malware uses a variation of an open-source Monero miner (XMRig), possibly because the software required does not require an extremely powerful server to operate. According to the article, the attack uses vulnerabilities from 2012 and 2013. Systems targeted included those running PHP, Ruby on Rails, and Microsoft IIS. The vulnerability in Ruby on Rails is CVE-2013-0156. This vulnerability provides the attacker a means to inject objects into the system that can execute arbitrary code. The malware flushes the crontab (on a Unix system) and then installs its own crontab entry. This entry runs one minute past the hour, every hour. The command downloads a robots.txt file from a web server under the control of the attackers. This downloaded file is then executed each time crontab executes the command. The article postulates this could be so that the attackers could execute a kill switch if desired or possibly to update the malware. The open-source package XMRig normally donates five percent of the earnings to XMRig’s author. Apparently, the individual(s) behind this attack were not inclined to lose any potential gains and removed the donating code from the version used in the infection.

Indicators of Compromise:

  • 761f5cfd0a3cddb48c73bc341a4d07a9
  • 91d31ed8e569c0089fa070ed125e1fc5
  • a6a57e6a216dff346a22f51639c4b99c

It is recommended to patch the operating system,patch the applications and check crontab for unusual entry.




A look at Redline from Mandiant

Redline is a nice tool to investigate a particular host for signs of compromises. It works on Windows and is freely available on the FireEye site .

Redline Interface

At a glance, we have options to collect data from the host or Analyse an existing data collected file. In our case , I am going to create  a Standard Collector for the sake of this demo.

Redline Review Script Configuration

It is clear that the script will run the Collector and save it to a folder named ‘Sessions\AnalysisSession2´ in our case because we run the script twice as in the figure below

AnalysisSession2.mans file to import in Redline

As said in the Readme.txt file, AnalysisSession2.mans has to be openend in Redline to continue with the investigation. We can go through the System Information,Processes,…

The tool is worth a try.

Happy investigations

Investigative options after opening the AnalysisSession2.mans file

WannaCry Malware Take Away

The world has experienced a Cyber Attack according to numerous open-source, classified as a ransomware campaign.It created ten of thousands of infections in Over 150 countries including the United States, United Kingdom,Spain, Russia, Taiwan,France and Japan. The software can run in as many as 27 different languages.The piece of code is affecting only Microsoft Windows Operating system. The latest version of this malware (5bef35496fcbdbe841c82f4d1ab8b7c2) was discovered in the morning of May 12 ,2017 by an independent security researcher. It was named Wannacry because of the string “WNcry@2ol7” found in its code.Open-source reporting indicates a requested ransom of .1781 bitcoins, roughly $300 U.S.


Initial reports indicate the hacker or hacking group behind the WannaCry campaign is gaining access to enterprise servers through the exploitation of a critical Windows SMB vulnerability. Microsoft released a security update for the MS17-010 vulnerability on March 14, 2017. Additionally, Microsoft released patches for Windows XP, Windows 8, and Windows Server 2003 operating systems on May 13, 2017. According to open sources, one possible infection vector may be through phishing. There exists 3 files belonging to the same malware.The first file is a dropper(worm), which contains and runs the ransomware, propagating via the MS17-010/EternalBlue SMBv1.0 exploit. The remaining two files are ransomware components containing encrypted plug-ins responsible for encrypting the victim users files.



This artifact (5bef35496fcbdbe841c82f4d1ab8b7c2) is a malicious PE32 executable that has been identified as a WannaCry ransomware dropper. Upon execution, the dropper attempts to connect to the following hard-coded URI:


Displayed below is a sample request observed:

--Begin request—

GET / HTTP/1.1
Host: www[.]
Cache-Control: no-cache

--End request--

If a connection is established, the dropper will terminate execution. If the connection fails, the dropper will infect the system with ransomware.
When executed, the malware is designed to run as a service with the parameters “-m security”. During runtime, the malware determines the
number of arguments passed during execution. If the arguments passed are less than two, the dropper proceeds to install itself as the
following service:

--Begin service--

ServiceName = "mssecsvc2.0"
DisplayName = "Microsoft Security Center (2.0) Service"
BinaryPathName = "%current directory%5bef35496fcbdbe841c82f4d1ab8b7c2.exe -m security"

--End service--

Once the malware starts as a service named mssecsvc2.0, the dropper attempts to create and scan a list of IP ranges on the local network
and attempts to connect using UDP ports 137, 138 and TCP ports 139, 445. If a connection to port 445 is successful, it creates an additional
thread to propigate by exploiting the SMBv1 vulnerability documented by Microsoft Security bulliten MS17-010. The malware then extracts &
installs a PE32 binary from it’s resource section named “R”. This binary has been identified as the ransomware component of WannaCrypt.
The dropper installs this binary into “C:\WINDOWS\tasksche.exe.” The dropper executes tasksche.exe with the following command:

--Begin command--

"C:\WINDOWS\tasksche.exe /i"

--End command—


NOTE:When this sample was initially discovered, the domain “iuqerfsodp9ifjaposdfjhgosurijfaewrwergwea[.]com” was not registered, allowing the
malware to run and propagate freely. However within a few days, researchers learned that by registering the domain and allowing the
malware to connect, it’s ability to spread was greatly reduced. At this time, all traffic to “” is
re-directed to a monitored, non-malicious server, causing the malware to terminate if it is allowed to connect. For this reason, we recommend
that administrators and network security personnel not block traffic to this domain.


The malware creates a 2048 bit RSA key pair. The private key is encrypted using a public key that is included with the malware. For each file, a new random AES key is generated. This random AES key is then encrypted using the public user key. To decrypt the files, the user’s private key needs to be decrypted, which requires the malware author’s private key. Unlike some other ransomware, no network communication is needed to generate these keys [pastebin]. The password “WNcry@2ol7” is not used to encrypt files. It is only used by the malware to decrypt some of its components. Encrypted files use the extension. wncry. To decrypt the files, the user is asked to pay $300, which will increase to $600 after a few days. The ransomware threatens to delete all files after a week.


-Apply the MS patch

-Basic defense in depth meaning segmentation to isolate vulnerable machines

-Restrict TCP port 445

-use Private Vlans if your edge switches support this feature

-Ensure anti-virus and anti-malware solutions are set to automatically conduct regular scans.

-Test your backups to ensure they work correctly upon use

-Implement the principle of least privilege

References: IOC with Wannacry:US-CERT

Washington post 150 countries affected


Public key infrastructure (PKI)

A Public key infrastructure is a system that incorporates asymmetric encryption and certificate to provide security. There are two principals actors: The client and the certificate authority(CA). The Cryptographic Service Provider (CSP) on the client side generates the key pair. Once the key pair has been generated, the client will keep the private key and send the public key with the certificate request to the CA. The client will use its private key to digitally sign that message. At this stage, the CA will either approve or deny the request. The Registration authority (RA) is another entity that can proxy certificate request to the CA on behalf of the client. When a certificate has been compromised it is revoked in the CA and updated to the Certificate Revocation List (CRL). The disadvantages of a certificate being revoked are that client has to go to the full list of what they are looking for. With the Online Certificate Status Protocol (OSCP), we only check for the validity of individual certificate without going to the full list thus improving performance. The standard for the certificate is the X.509 standard.


Malware Information Sharing Platform-MISP

The Malware Information Sharing Platform is used to store ,share and collaborate on malware across organizations. The Indicators of Compromise (IoC) are used to detect and prevent Cyber attack. The MISP integrates many features :-Efficient Built-in database to store malwares, information on attackers and intelligence

-Data are stored and shared in a structured format.

-Data can be imported from OpenIOC and exported to integrating with Network IDS, Host IDS and other tools.

MISP is good tool to use by your CERT team.

Malware Information Sharing Platform web interface

A look at Verizon Data breach digest report

Verizon released  its data breach digest report. It is a resume of 500 Cybersecurity investigations  occurring in over 40 countries. All scenarios were drawn from real-world cyberinvestigation.It is a 84 pages document with 18 scenarios divided in 4 groups:

  •  The human element—five scenarios highlighting human threats
    or targets.
  • Conduit devices—five scenarios covering device misuse or tampering.
  •  Configuration exploitation—four scenarios focusing on reconfigured or
    misconfigured settings.
  •  Malicious software—four scenarios centering on sophisticated or
    special-purpose illicit software.

The steps of incident response are well documented: Detection,containment,remediation .recovery and lessons learned.The vulnerabilities used during these attack are referenced in a very high technical way as well as the methods used to bypass those. You can get the report here.