A recently detected attack campaign is attempting to ensnare Elasticsearch clusters into a distributed denial of service (DDoS) botnet, Trend Micro reports.
The multi-stage attacks leverage scripts to ultimately deliver backdoors to the targeted servers and turn them into DDoS bots.
As part of the attack, the threat actor searches for exposed or publicly accessible Elasticsearch databases/servers. A shell is invoked with an attacker-crafted search query with encoded Java commands and then the first malicious script is downloaded.
The first-stage script attempts to shut down the firewall and any competing cryptocurrency mining programs already running on the target server. Next, a second-stage script is retrieved, likely from a compromised website.
The actor behind these attacks is believed to be using expendable domains to quickly swap URLs when they are detected. By abusing compromised websites, the attackers can evade detection, Trend Micro says.
The URL observed in the analyzed attack was meant to exploit CVE-2015-1427, an old vulnerability in the Groovy scripting engine of Elasticsearch (versions 1.3.0 – 1.3.7 and 1.4.0 – 1.4.2).
The second-stage script has functions similar to those of the first, as it too attempts to stop the firewall. It also removes certain files, likely associated with competing malware, along with various configuration files from the /tmp directory.
Next, it kills other crypto-currency mining activities and unwanted processes from the system, and attempts to remove traces of initial infection, in addition to killing processes running on certain TCP ports. The script also downloads the actual malware binary.
The final payload is a backdoor capable of stealing system information and launching DDoS attacks. The threat was previously observed using an exploit for CVE-2017-5638, a remote-code-execution vulnerability in Apache Struts 2.
The observed samples are similar to the BillGates malware, which was first spotted in 2014, and which is known for hijacking systems and launching DDoS attacks.
“Of late, we’ve seen variants of the BillGates malware involved in botnet-related activities,” Trend Micro notes.
Early this year, Cisco’s Talos security researchers revealed that multiple groups were targeting unsecured Elasticsearch clusters, and that one of them was attempting to infect the servers with a piece of malware derived from BillGates.
The assaults on Elasticsearch servers are relatively straightforward and profit-driven, Trend Micro says. The miscreants seek unsecure or misconfigured servers or exploit old vulnerabilities to drop a payload that usually consists of cryptocurrency-mining malware or even ransomware.
“Hence, an attack that takes precautions to evade detection and uses multistage execution techniques is a red flag. That the cybercriminals or threat actors behind this attack used URL encoding, staged where the scripts are retrieved, and compromised legitimate websites could mean they are just testing their hacking tools or readying their infrastructure before mounting actual attacks,” Trend Micro concludes.