Cryptomining Malware exploits Spring4Shell Vuln CVE-2022-22965
Incident Report for Ascend Security Events
Resolved

Source: Trend Micro

Threat researchers at Trend Micro have recently observed active attempts to exploit the Spring4Shell vulnerability, a remote code execution bug assigned CVE-2022-22965 that affects Spring MVC (model-view-controller) and Spring WebFlux applications running on Java Development Kit (JDK) version 9 or higher, and that was previously linked to the Mirai botnet. Attackers take advantage of this vulnerability by deploying malicious cryptocurrency miners to generate a profit.

These cryptocurrency miners have the potential to affect many users, especially since Spring is the most widely used framework for developing enterprise-level applications in Java, with its open-source nature making it more readily adaptable for developers and companies. Furthermore, the Spring framework is not just a standalone piece of software but is part of the Spring ecosystem, which provides components for cloud, data, and security, among others.

Malicious actors have been busy trying to find ways to exploit Spring4Shell since its disclosure at the end of March 2022. Thousands of exploit attempts are detected in the wild daily.

The execution flow of the cryptocurrency miner involves the following steps:

1. The firewall is turned off using the netsh utility.
2. Other known cryptocurrency miners such as kthreaddi, sysrv, and sysrv012 are stopped or killed.
3. Other running processes listening on ports 3333, 4444, 5555, 7777, and 9000 are stopped.
4. If the process kthreaddk does not exist, the cryptocurrency miner downloads a binary, sys.exe, from 194[.]145[.]227[.]21 to C:\Users\\AppData\Roaming\.exe.
5. The cryptocurrency miner then starts the process with a hidden window so that the user sees no visual hint that it is running.
6. A scheduled task named “BrowserUpdate” is then created and runs every minute. In addition, the Windows Run key is modified to launch the binary sys.exe.
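
A defender-side triage check for the artifacts listed in the steps above, added here as an example (it is not from the Trend Micro report or from Ascend's post): a read-only PowerShell script that inspects firewall profiles, listeners on the miner's ports, the process names from steps 2 and 4, the "BrowserUpdate" scheduled task and the Run keys. The process name `sys` is assumed from the `sys.exe` binary in step 4, and the Run-key match pattern is an assumption based on the AppData\Roaming path in that step.

```powershell
# Added example: read-only host triage for the Spring4Shell miner artifacts.
# Run in an elevated PowerShell session; it only reports and changes nothing.
$findings = @()

# Step 1: the miner disables the firewall with netsh, so look for disabled profiles.
Get-NetFirewallProfile | Where-Object { $_.Enabled -eq 'False' } | ForEach-Object {
    $findings += "Firewall profile '$($_.Name)' is disabled"
}

# Step 3: the miner clears these ports for itself, so any listener here is worth a look.
$minerPorts = 3333, 4444, 5555, 7777, 9000
Get-NetTCPConnection -State Listen -ErrorAction SilentlyContinue |
    Where-Object { $minerPorts -contains $_.LocalPort } | ForEach-Object {
        $proc = Get-Process -Id $_.OwningProcess -ErrorAction SilentlyContinue
        $findings += "Port $($_.LocalPort) listening, PID $($_.OwningProcess) ($($proc.ProcessName))"
    }

# Steps 2 and 4: process names from the report; 'sys' is assumed from sys.exe.
foreach ($name in 'kthreaddi', 'kthreaddk', 'sysrv', 'sysrv012', 'sys') {
    Get-Process -Name $name -ErrorAction SilentlyContinue | ForEach-Object {
        $findings += "Process '$($_.ProcessName)' running, PID $($_.Id), path $($_.Path)"
    }
}

# Step 6: the "BrowserUpdate" scheduled task and what it executes.
Get-ScheduledTask -TaskName 'BrowserUpdate' -ErrorAction SilentlyContinue | ForEach-Object {
    $action = ($_.Actions | ForEach-Object { "$($_.Execute) $($_.Arguments)" }) -join '; '
    $findings += "Scheduled task '$($_.TaskName)' present, action: $action"
}

# Step 6: Run-key values pointing into AppData\Roaming or at sys.exe (pattern is an assumption).
$runKeys = 'HKCU:\Software\Microsoft\Windows\CurrentVersion\Run',
           'HKLM:\Software\Microsoft\Windows\CurrentVersion\Run'
foreach ($key in $runKeys) {
    $props = Get-ItemProperty -Path $key -ErrorAction SilentlyContinue
    if (-not $props) { continue }
    $props.PSObject.Properties |
        Where-Object { $_.Name -notlike 'PS*' -and $_.Value -match 'AppData\\Roaming|sys\.exe' } |
        ForEach-Object { $findings += "Run key $key\$($_.Name) = $($_.Value)" }
}

if ($findings.Count -eq 0) { 'No Spring4Shell miner artifacts found' } else { $findings }
```

Any hit should be confirmed against the file hashes published in the report before remediation, since the port and name checks can also match legitimate software.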

Indicators of Compromise:

As a result, Ascend Technologies has pushed detections for the known IOCs across our EDR, SIEM, and anti-malware platforms. These IOCs include IP addresses and hash values, which give us the ability to detect and alert. As is the case with most malware, end users are targeted, which makes maintaining a robust security posture, including end-user training to develop safe and secure internet browsing habits, highly important.

Author: Evan Obal

Source: https://www.trendmicro.com/en_us/research/22/d/spring4shell-exploited-to-deploy-cryptocurrency-miners.html
Posted Apr 27, 2022 - 14:08 CDT