Cybersecurity researchers have uncovered an ongoing campaign in which threat actors exploit CVE-2024-36401, a critical vulnerability in GeoServer (an open-source server for publishing geospatial data), to execute code remotely and monetize victims' bandwidth.
This remote code execution flaw, rated CVSS 9.8, lets attackers deploy legitimate software development kits (SDKs) or modified applications that generate passive income through network sharing or residential proxying.
The approach mimics benign monetization strategies used by app developers, avoiding traditional ads to maintain user experience and app retention.
These malicious applications operate silently, consuming minimal resources while profiting from unused bandwidth, without distributing overt malware.
Campaign Targets GeoServer Vulnerability
Since early March 2025, attackers have been scanning for internet-exposed GeoServer instances. Cortex Xpanse identified 3,706 publicly accessible servers in early May 2025, a large attack surface concentrated in China but spread across many other regions as well.
The campaign evolved in phases, starting with initial exploitation from IP 108.251.152.209 on March 8, 2025, which fetched customized executables from 37.187.74.75.
According to the Unit 42 report, these included variants of a misused app (e.g., a193, d193, e193) and of an SDK (e.g., a593, c593).
By late March, tactics shifted after the distribution IP was flagged as malicious: no new app samples appeared, and distribution moved to a new IP, 185.246.84.189, by April 1.
Infrastructure expanded further in mid-April with another distribution host at 64.226.112.52, and the campaign persisted into June 2025.

The exploit abuses JXPath extension functions in GeoTools, the library GeoServer uses to evaluate property names supplied in requests: because the property name is handed to JXPath unsafely, an attacker can embed a Java method call such as java.lang.Runtime.getRuntime().exec() in it and have the command run when the request is processed. The vulnerable code path is reachable through requests such as WFS GetPropertyValue and corresponding operations of the WMS and WPS services.
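As an added example (not code from the Unit 42 report or from the GeoServer project), the following Python scans web-server access logs for the request pattern just described: any query parameter whose percent-decoded value contains a JXPath extension-function call into java.lang.Runtime. It decodes repeatedly so double-encoded payloads surface, records the OGC service and request type, and marks hits from the source IPs the report attributes to the campaign. The log lines embedded in it are constructed; valueReference and propertyName are the standard WFS parameter names and are assumed here to be ones that reach the vulnerable path, which is why the scanner checks every parameter instead of relying on that assumption.

```python
"""Flag GeoServer access-log requests carrying JXPath extension-function
calls (the CVE-2024-36401 request pattern) in any query parameter.

Added example, not tooling from the Unit 42 report. The log lines are
constructed in common log format; source IPs are documentation addresses
except 108.251.152.209, which the report names as the first exploitation
source.
"""
import re
import urllib.parse
from dataclasses import dataclass
from typing import List, Optional

# Source/distribution IPs the report attributes to the campaign.
CAMPAIGN_IPS = {"108.251.152.209", "185.246.84.189", "37.187.74.75", "64.226.112.52"}

# JXPath lets an XPath expression call Java methods; none of these fragments
# belong in a legitimate feature property name.
JXPATH_ABUSE = re.compile(
    r"java\.lang\.(?:Runtime|ProcessBuilder)|getRuntime\s*\(|\bexec\s*\(|javax\.script",
    re.IGNORECASE,
)

# Common log format: ip ident user [timestamp] "METHOD url PROTO" status size
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<method>[A-Z]+) (?P<url>\S+) \S+" (?P<status>\d{3})'
)


@dataclass
class Finding:
    src_ip: str
    timestamp: str
    service: str      # WFS / WMS / WPS as sent by the client
    request: str      # e.g. GetPropertyValue
    param: str        # parameter that carried the expression
    expression: str   # fully decoded expression
    status: int       # a 400/500 still means the server evaluated the input
    known_ip: bool    # source is one of the report's campaign IPs


def decode_fully(value: str, rounds: int = 3) -> str:
    """Percent-decode repeatedly so double-encoded payloads become visible."""
    for _ in range(rounds):
        decoded = urllib.parse.unquote_plus(value)
        if decoded == value:
            break
        value = decoded
    return value


def inspect_url(url: str) -> Optional[tuple]:
    """Return (service, request, param, expression) for a suspicious URL, else None."""
    parsed = urllib.parse.urlsplit(url)
    params = urllib.parse.parse_qs(parsed.query, keep_blank_values=True)
    lowered = {k.lower(): v for k, v in params.items()}
    service = lowered.get("service", ["?"])[0].upper()
    request = lowered.get("request", ["?"])[0]
    for name, values in params.items():        # every parameter, not just the WFS ones
        for value in values:
            expr = decode_fully(value)         # parse_qs decoded once already
            if JXPATH_ABUSE.search(expr):
                return service, request, name, expr
    return None


def scan_log(text: str) -> List[Finding]:
    findings = []
    for line in text.splitlines():
        m = LOG_RE.match(line)
        if not m:
            continue
        hit = inspect_url(m["url"])
        if hit is None:
            continue
        service, request, param, expr = hit
        findings.append(Finding(m["ip"], m["ts"], service, request, param, expr,
                                int(m["status"]), m["ip"] in CAMPAIGN_IPS))
    return findings


# Constructed sample: one exploitation attempt, one benign request, one
# double-encoded attempt through GetFeature/propertyName.
SAMPLE_LOG = """\
108.251.152.209 - - [08/Mar/2025:02:14:07 +0000] "GET /geoserver/wfs?service=WFS&version=2.0.0&request=GetPropertyValue&typeNames=sf:archsites&valueReference=exec(java.lang.Runtime.getRuntime(),%27id%27) HTTP/1.1" 400 1129
198.51.100.23 - - [08/Mar/2025:02:15:11 +0000] "GET /geoserver/wfs?service=WFS&version=2.0.0&request=GetPropertyValue&typeNames=sf:archsites&valueReference=NAME HTTP/1.1" 200 2310
203.0.113.7 - - [08/Mar/2025:02:16:30 +0000] "GET /geoserver/wfs?service=WFS&version=2.0.0&request=GetFeature&typeNames=sf:archsites&propertyName=%2565xec%2528java.lang.Runtime.getRuntime%2528%2529%252C%2527uname%2520-a%2527%2529 HTTP/1.1" 500 512
"""

if __name__ == "__main__":
    for f in scan_log(SAMPLE_LOG):
        print(f)
```

Run it against the real access log of any exposed instance (GeoServer runs under Tomcat or Jetty, so the request line lands in the servlet container's access log); a finding with a 400 or 500 status is not a failed attack, it is evidence that the expression reached the evaluator.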
Monetization Tactics
In-depth analysis shows the exploit chain begins with CVE-2024-36401 being used to download a second-stage payload, such as SDK variant z593, from attacker-controlled hosts running transfer.sh on port 8080.
This stager fetches additional scripts (e.g., z401, z402) that create hidden directories, set up the runtime environment, and launch the executables covertly.
The binaries are built with Dart, a cross-platform toolchain, as native Linux executables and bundle legitimate bandwidth-sharing SDKs for passive income; they evade detection by behaving like low-profile services rather than resource-intensive cryptominers.
Comparison with the vendors' releases confirms the bundled SDKs are unmodified official builds, which is likely why endpoint protections do not flag them.
Telemetry from March-April 2025 shows 7,126 exposed GeoServer instances across 99 countries, with China hosting the majority.
To mitigate, organizations should patch promptly to a GeoServer release that fixes CVE-2024-36401 (2.23.6, 2.24.4, 2.25.2 or later, per the project's advisory) and, until they can, keep the WFS, WMS and WPS endpoints off the public internet. Palo Alto Networks products such as Advanced Threat Prevention (signature 95463), Advanced WildFire, and Cortex XDR provide defenses against these exploits and payloads.
Indicators of Compromise
| Type | Values |
|---|---|
| IP addresses | 37.187.74.75:8080, 64.226.112.52:8080, 108.251.152.209, 185.246.84.189 |
| Sample SHA256 hashes | 89f5e7d66098ae736c39eb36123adcf55851268973e6614c67e3589e73451b24 (a101), 4e4a467abe1478240cd34a1deaef019172b7834ad57d46f89a7c6c357f066fdb (a193), 7c18fe9da63c86f696f9ad7b5fcc8292cac9d49973ba12050c0a3a18b7bd1cc9 (a593), 915d1bb1000a8726df87e0b15bea77c5476e3ec13c8765b43781d5935f1d2609 (z593) |
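As an added example (not tooling from the Unit 42 report), the following Python turns the indicators above into a host sweep: it hashes executables under a directory tree against the sample hashes, flags executables sitting in hidden directories (the drop behaviour the stager scripts exhibit), and picks the distribution hosts out of a netstat/ss-style connection listing. The hash and IP sets are copied from the table; the connection listing at the bottom and the /tmp and /var/tmp sweep roots are constructed assumptions for the demonstration.

```python
"""Sweep a Linux host for the indicators in the table above.

Added example, not from the Unit 42 report. Sample connection listing is
constructed; hash and IP sets are copied from the IOC table.
"""
import hashlib
import os
import re
import stat
from typing import Dict, Iterable, List, Tuple

IOC_SHA256 = {
    "89f5e7d66098ae736c39eb36123adcf55851268973e6614c67e3589e73451b24",  # a101
    "4e4a467abe1478240cd34a1deaef019172b7834ad57d46f89a7c6c357f066fdb",  # a193
    "7c18fe9da63c86f696f9ad7b5fcc8292cac9d49973ba12050c0a3a18b7bd1cc9",  # a593
    "915d1bb1000a8726df87e0b15bea77c5476e3ec13c8765b43781d5935f1d2609",  # z593
}
IOC_IPS = {"37.187.74.75", "64.226.112.52", "108.251.152.209", "185.246.84.189"}
DISTRIBUTION_PORT = 8080  # transfer.sh hosts in the report listened here


def sha256_file(path: str) -> str:
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(1 << 20), b""):
            h.update(chunk)
    return h.hexdigest()


def classify_executable(path: str, digest: str) -> List[str]:
    """Reasons a file is suspicious; an empty list means clean by these checks."""
    reasons = []
    if digest in IOC_SHA256:
        reasons.append("sha256 matches campaign sample")
    # The stager drops payloads under dot-prefixed directories; an executable
    # with a hidden component anywhere in its directory path deserves a look.
    parts = os.path.normpath(path).split(os.sep)
    if any(p.startswith(".") and p not in (".", "..") for p in parts[:-1]):
        reasons.append("executable inside hidden directory")
    return reasons


def sweep_files(root: str) -> Dict[str, List[str]]:
    """Walk root and return {path: reasons} for every suspicious executable."""
    hits = {}
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            path = os.path.join(dirpath, name)
            try:
                st = os.lstat(path)
            except OSError:
                continue
            if not stat.S_ISREG(st.st_mode) or not st.st_mode & 0o111:
                continue  # only regular files with an execute bit
            try:
                reasons = classify_executable(path, sha256_file(path))
            except OSError:
                continue
            if reasons:
                hits[path] = reasons
    return hits


ENDPOINT_RE = re.compile(r"(\d{1,3}(?:\.\d{1,3}){3}):(\d{1,5})")


def find_ioc_connections(listing: Iterable[str]) -> List[Tuple[str, int, str]]:
    """Return (ip, port, line) for listing lines that reference an IOC host."""
    flagged = []
    for line in listing:
        for ip, port in ENDPOINT_RE.findall(line):
            if ip in IOC_IPS:
                flagged.append((ip, int(port), line.strip()))
                break
    return flagged


# Constructed `ss -tn`-style output: one connection to a distribution host.
SAMPLE_CONNECTIONS = """\
State Recv-Q Send-Q Local Address:Port   Peer Address:Port
ESTAB 0      0      10.20.0.14:41922     37.187.74.75:8080
ESTAB 0      0      10.20.0.14:44310     198.51.100.9:443
"""

if __name__ == "__main__":
    for ip, port, line in find_ioc_connections(SAMPLE_CONNECTIONS.splitlines()):
        tag = " (distribution port)" if port == DISTRIBUTION_PORT else ""
        print(f"IOC connection {ip}:{port}{tag}: {line}")
    for root in ("/tmp", "/var/tmp"):  # assumed drop locations, adjust to taste
        for path, reasons in sweep_files(root).items():
            print(path, "->", "; ".join(reasons))
```

Hash matches are exact and will miss the next recompiled variant, so the hidden-directory and connection checks are the ones worth keeping in a recurring job; feed `find_ioc_connections` the live output of `ss -tn` rather than the embedded sample.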