Full Report
Threat actors are weaponizing exposed Java Debug Wire Protocol (JDWP) interfaces to obtain code execution capabilities and deploy cryptocurrency miners on compromised hosts. "The attacker used a modified version of XMRig with a hard-"coded configuration, allowing them to avoid suspicious command-line arguments that are often flagged by defenders," Wiz researchers Yaara Shriki and Gili
Analysis Summary
# Tool/Technique: Exposed Java Debug Wire Protocol (JDWP) Interfaces
## Overview
Exploitation of insecurely exposed Java Debug Wire Protocol (JDWP) interfaces to achieve remote code execution (RCE) and subsequently deploy cryptocurrency miners (e.g., XMRig). JDWP lacks inherent authentication, making its exposure a critical security flaw used as an initial attack vector.
## Technical Details
- Type: Vulnerability/Exploitation Technique
- Platform: Java Virtual Machine (JVM) based applications (e.g., TeamCity, Jenkins, Elasticsearch, Spring Boot, Apache Tomcat)
- Capabilities: Remote Code Execution (RCE), installation of persistence mechanisms, deployment of cryptocurrency miners.
- First Seen: Activity described in the report observed recently by Wiz researchers.
## MITRE ATT&CK Mapping
- T1190 - Exploit Public-Facing Application
- T1190.004 - Web Application Server
- T1059 - Command and Scripting Interpreter
- T1059.004 - Unix Shell
- T1547 - Boot or Logon Autostart Execution
- T1547.003 - Cron Job
## Functionality
### Core Capabilities
- **Scanning and Identification:** Attackers scan for hosts listening on TCP port 5005 (default JDWP port).
- **Session Establishment:** Confirmation via a JDWP-Handshake request to establish an interactive debugger session.
- **Initial Payload Delivery:** Execution of a `curl` command to fetch and execute a dropper shell script.
- **Miner Deployment:** Downloading and executing a modified XMRig miner into `~/.config/logrotate`.
- **Evasion:** Using a modified XMRig version with hardcoded configurations to avoid detection from suspicious command-line arguments.
- **Proxying:** Utilizing mining pool proxies to conceal the cryptocurrency wallet address.
### Advanced Features
- **Persistence:** Establishing cron jobs to re-fetch and re-execute the payload after shell login, reboot, or scheduled intervals.
- **Tampering:** Killing competing miners or other high-CPU processes.
- **Self-Deletion:** The dropper script deletes itself upon exit.
## Indicators of Compromise
- File Hashes: Not explicitly provided for the dropper or payload in the text.
- File Names: **XMRig** (modified), dropper shell script.
- Registry Keys: Not applicable (Focus on Linux/Unix persistence via cron).
- Network Indicators: C2 domain: `awarmcorner[.]world` (used to host the modified XMRig).
- Behavioral Indicators:
- Connection attempts or established sessions on port **5005** via JDWP.
- Execution of `curl` commands followed by shell script execution.
- Modification of cron jobs for persistence under user home directories.
- Appearance of CPU-intensive processes resembling XMRig.
## Associated Threat Actors
- Unspecified threat actors using this TTP to deploy cryptominers. The XMRig modification suggests a tailored campaign, though the general scanning activity is widespread.
## Detection Methods
- Signature-based detection: Signatures for the specific modified XMRig binary.
- Behavioral detection: Monitoring for unexpected network connections on port 5005, execution of shell scripts fetched via `curl` on exposed services, and creation/modification of user-level cron jobs.
- YARA rules: Potentially rules targeting the unique hardcoded configuration within the modified XMRig binary.
## Mitigation Strategies
- Prevention measures: Ensure JDWP is **never** exposed to the internet.
- Hardening recommendations:
- Disable JDWP unless explicitly required for debugging, and if necessary, restrict access via firewalls (IP whitelisting).
- Ensure development/debugging modes are not active in production environments.
- Implement host-based intrusion detection systems (HIDS) to monitor for unauthorized cron job creation or suspicious process execution branching from web applications.
## Related Tools/Techniques
- **Hpingbot Botnet:** An entirely separate, emerging Go-based botnet also detailed in the context, capable of launching DDoS attacks using **hping3**.
- **hping3:** A network utility used by the Hpingbot botnet for crafting custom packets, highlighting the misuse of legitimate tools.
- **XMRig:** Popular legitimate open-source cryptocurrency miner, often abused by threat actors.
---
# Tool/Technique: Hpingbot Botnet
## Overview
Hpingbot is a new, rapidly-evolving Go-based malware family designed to enlist compromised hosts (Windows and Linux) into a botnet capable of launching Distributed Denial-of-Service (DDoS) attacks, primarily utilizing the **hping3** utility. It demonstrates significant innovation by leveraging Pastebin for payload delivery.
## Technical Details
- Type: Malware Family (Botnet)
- Platform: Windows and Linux
- Capabilities: DDoS attacks (TCP/UDP floods), payload distribution, persistence, host reconnaissance (CPU architecture detection).
- First Seen: Activity observed starting at least since June 17, 2025.
## MITRE ATT&CK Mapping
- T1110 - Brute Force
- T1110.001 - Password Guessing (via SSH password spraying)
- T1071 - Application Layer Protocol
- T1071.001 - Web Protocols (Using Pastebin as C2 resolver)
- T1021 - Remote Services
- T1021.001 - Remote Desktop Protocol (Implied initial access to non-public servers)
- T1204 - User Execution
- T1204.002 - Malicious File (Shell script execution)
- T1566 - Phishing (Implied delivery mechanism predecessor)
## Functionality
### Core Capabilities
- **Initial Access:** Propagates via an independent module performing **password spraying attacks** against weak SSH configurations.
- **C2 and Payload Delivery:** Uses **Pastebin** as a dead drop resolver to point to an IP address (`128.0.118[.]18`) which hosts the initial shell script.
- **Reconnaissance:** Detects the CPU architecture of the infected host.
- **Self-Containment:** Terminates any already running versions of the trojan.
- **DDoS Attacks:** Launches flood attacks using the **hping3** tool (on Linux hosts) leveraging TCP and UDP protocols.
- **Trace Clearing:** Designed to clear command history to cover infection tracks.
### Advanced Features
- **Innovation/Cost Reduction:** Built from scratch, eschewing common derivations (like Mirai/Gafgyt), and relying on existing open-source tools (**hping3**) and platforms (**Pastebin**).
- **Evolution:** Later versions observed dropping a second Go-based DDoS component that bypasses Pastebin and hping3 calls, using built-in flood functions.
- **Payload Distribution Network:** The ability of the Windows version (which cannot run hping3) to download and execute arbitrary payloads suggests a potential pivot towards being a general-purpose payload delivery network, extending beyond DDoS.
## Indicators of Compromise
- File Hashes: Not provided.
- File Names: Custom shell scripts, Hpingbot main payload (Go-based).
- Registry Keys: Not applicable (Primary persistence/tools lean toward Linux mechanisms).
- Network Indicators: C2 Resolver IP: `128.0.118[.]18` (Used to locate the shell script).
- Behavioral Indicators:
- Attempts to remotely connect via SSH using password spraying.
- Network traffic indicative of TCP/UDP flood attacks originating from the host.
- Use of `apt -y install hping3` on Linux systems.
- Execution of scripts that clear command history.
## Associated Threat Actors
- Unnamed actors detailed by NSFOCUS, exhibiting strong innovation capabilities demonstrated by building a custom botnet infrastructure.
## Detection Methods
- Signature-based detection: Signatures for the custom Go binary payload.
- Behavioral detection: Monitoring for SSH password spraying, system calls for installing `hping3`, use of Pastebin URLs in initial access scripts, and high-volume outbound TCP/UDP traffic characteristic of DDoS floods.
## Mitigation Strategies
- Prevention measures: Implement strong SSH authentication (e.g., key-based, MFA). Deploy network monitoring to detect volumetric traffic anomalies.
- Hardening recommendations:
- Harden SSH configurations against brute-forcing.
- Monitor file system activity concerning command history clearing.
- Block outbound connections to known Pastebin URLs originating from unusual sources if Pastebin usage is not necessary for operations.
## Related Tools/Techniques
- **hping3:** A legitimate network utility weaponized for DDoS attacks by Hpingbot.
- **Exposed JDWP:** Another concurrent threat observed leveraging insecure configuration for code execution.