Error: no file object

Goldgrass tuning by SambaCry

Kaspersky's security team is discovering a Trojan that exploits the recently discovered Samba vulnerability for its SambaCry attacks and uses the cached hardware to generate crypto money.

Linux expert, SambaCry attack

A vulnerability could be observed at the end of May on a specially designed honeypot, which exploited this vulnerability of the Samba server (CVE-2017-7494). Thus the SambaCry gap (also known as EternalRed) is used to run malicious code, a "cryptocurrency mining utility" on vulnerable Linux servers, and conceal the cryptowogy BitMonero (XMR).

First, the attacker tries to write a file with eight random characters over the SambaCry/EternalRed gap on the faulty server. If successful, this file is also deleted immediately. Thus, the attacker knows the susceptibility of the system. Only now the attacker starts to write the malicious code with root privileges on the server. However, he must guess the path of the file that has just been created, using BruteForce to try different paths.

If the file is found again, the malicious code can be loaded and executed within the Samba server process using the SambaCry vulnerability. Then the file is deleted immediately. From this point onwards, the Trojan runs only in the working memory of the server.

Two files have been uploaded and run: (349d84b3b176bbc9834230351ef3bc2a -
and (2009af3fed2a4704c224694dfc4b31dc - Trojan-Downloader.Linux.EternalMiner.a).

This file saves the simplest reverse shell. It connects to the specific port of the IP address specified by its owner and gives it remote access to the shell (/bin/sh). As a result, the attackers have the ability to remotely execute any shell commands. They can literally do anything they want, from downloading and running programs from the Internet to delete all data from the computer of the victim.

The main functionality of this file is to download and run one of the most popular open source cryptocurrency mining utilities - cpuminer (miderd).
Cpuminer is used to digest and multiply XMR according to the crypt diet. It has always been possible to detect that the attacker has been able to tap 98 XMR (about 46 EUR / 1 XMR on 13.06.2017) or 4,498.00 EUR


Thus, an affected server becomes legal to a milking cow for the hackers. In addition, hackers can access and exploit the server with other types of malware through shell access.