Incident Response Report

Brick by Brick
v2.1

A comprehensive forensic analysis of a sophisticated server compromise involving WordPress exploitation, cryptocurrency mining, and threat actor attribution.

Target: 10.10.106.106
Critical Severity
Analysis Complete

Investigation Overview

From initial web server compromise to sophisticated cryptocurrency mining operation and threat actor attribution.

Executive Summary

Initial Vector

WordPress "bricks" theme vulnerability (CVE-2024-25600) exploited for unauthenticated RCE

Malicious Activity

Persistent cryptocurrency mining operation using disguised system service

Threat Attribution

Wallet address linked to transactions associated with Lockbit threat group

Key Investigation Findings

Attack Chain

  • WordPress theme vulnerability exploitation
  • Establishment of persistent system service
  • Cryptocurrency mining operation deployment

Critical Artifacts

  • Hidden flag file in the web root
  • Malicious process: nm-inet-dialog, launched by ubuntu.service
  • Attacker-controlled Bitcoin wallet address recovered from the miner log

1. Initial Compromise & Web Server Analysis

1.1 Discovery of Hidden File in Web Directory

Hidden File Identification

650c844110baced87e1606453b93f22a.txt

A file named with 32 hexadecimal characters (the length of an MD5 digest) was found in the web root during initial reconnaissance. Hash-like names of this kind are commonly used to make a dropped file blend in with cache and upload artifacts. [59]

Location: Web root directory
User Context: Apache user shell access

Flag Content Analysis

THM{fl46_650c844110baced87e1606453b93f22a}

The file contained a TryHackMe challenge flag, confirming successful initial access and serving as the first forensic artifact in the investigation chain. [57] [58]

Significance: First indicator of compromise
Format: Standard THM challenge flag

1.2 Exploitation of WordPress Theme Vulnerability

WordPress Identification


Port scanning revealed HTTP/HTTPS services on ports 80 and 443; the WordPress favicon and an accessible /wp-admin path confirmed a WordPress installation. [58] [59]

Discovery Method: WPScan enumeration

Theme Analysis

bricks v1.9.5

WPScan identified the vulnerable "bricks" theme version 1.9.5, which became the primary attack vector. [58]

Vulnerability: CVE-2024-25600

Exploit Execution


A public proof-of-concept exploit for CVE-2024-25600 was used to obtain unauthenticated remote code execution and establish a reverse shell. [58] [59]

Result: Apache user shell access

Critical Vulnerability Details

CVE-2024-25600
  • Unauthenticated remote code execution
  • Affects the WordPress "bricks" theme up to and including 1.9.6 (patched in 1.9.6.1); the target ran 1.9.5
  • Public proof-of-concept exploit available on GitHub
Impact Assessment
  • Full server compromise
  • Arbitrary command execution on the web server
  • Initial foothold in the web server (Apache) user context
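Theme version fingerprinting of the kind WPScan performed above, as an added Python example (not WPScan's code and not from the original investigation): WordPress serves each installed theme's style.css from /wp-content/themes/<slug>/style.css, and the comment header of that file carries the version, so the check is to parse that header and compare the version with the first patched Bricks release, 1.9.6.1. The sample style.css is constructed, the theme slug "bricks" and the fetch helper are assumptions, and no exploitation is performed.

```python
"""Detect a vulnerable Bricks theme version from its style.css header.
Added example for this report; not WPScan's implementation."""
import re
import urllib.request

THEME_SLUG = "bricks"            # assumed slug of the theme the report names
FIXED_VERSION = "1.9.6.1"        # first Bricks release patched for CVE-2024-25600

# One "Key: value" line of the WordPress theme header, e.g. "Version: 1.9.5"
HEADER_RE = re.compile(r"^\s*\*?\s*([A-Za-z ]+?):\s*(.+?)\s*$", re.MULTILINE)


def parse_theme_header(css_text: str) -> dict:
    """Return the Key: value pairs from the leading /* ... */ block of style.css."""
    block = re.search(r"/\*(.*?)\*/", css_text, re.DOTALL)
    if not block:
        return {}
    return {k.strip(): v for k, v in HEADER_RE.findall(block.group(1))}


def version_tuple(version: str) -> tuple:
    """'1.9.6.1' -> (1, 9, 6, 1); tuple comparison orders releases correctly."""
    return tuple(int(p) for p in re.findall(r"\d+", version))


def is_vulnerable(version: str, fixed: str = FIXED_VERSION) -> bool:
    """True when the detected version predates the patched release."""
    return version_tuple(version) < version_tuple(fixed)


def assess(css_text: str) -> dict:
    """Summarise theme name, version and vulnerability status for one style.css."""
    header = parse_theme_header(css_text)
    version = header.get("Version")
    return {
        "theme": header.get("Theme Name"),
        "version": version,
        "vulnerable": bool(version) and is_vulnerable(version),
    }


def fetch_theme_header(base_url: str, slug: str = THEME_SLUG, timeout: int = 10) -> dict:
    """Live check: download the theme's style.css and parse its header."""
    url = f"{base_url.rstrip('/')}/wp-content/themes/{slug}/style.css"
    with urllib.request.urlopen(url, timeout=timeout) as resp:
        return parse_theme_header(resp.read().decode("utf-8", "replace"))


# Constructed sample header mirroring the version the report found (1.9.5);
# not captured from the target.
SAMPLE_STYLE_CSS = """/*
Theme Name: Bricks
Theme URI: https://example.com/
Description: Visual site builder for WordPress.
Version: 1.9.5
Author: Bricks
*/
body { margin: 0; }
"""

if __name__ == "__main__":
    print(assess(SAMPLE_STYLE_CSS))
```

Run fetch_theme_header("http://10.10.106.106") against a live target to obtain the real header; the version comparison is the same either way. A missing style.css (HTTP 404) raises urllib.error.HTTPError, which simply means the slug is not installed.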

2. Malicious Process & Service Investigation

2.1 Identification of Suspicious System Process

Process Discovery Methodology

systemctl | grep running

An initial process listing with ps aux showed nothing obviously malicious, so the running systemd units were enumerated instead, which surfaced the service that launches the miner. [56]

Challenge: Attackers use process hiding and naming deception

Malicious Process Identification

/lib/NetworkManager/nm-inet-dialog

The suspicious process was identified as nm-inet-dialog, masquerading as a legitimate NetworkManager component. [49] [53]


Service Analysis

Service Name ubuntu.service
Description TRYHACK3M
Status Active (running)
Path /etc/systemd/system/

[48] [51]

Deception Techniques
  • Service named "ubuntu.service" to appear legitimate
  • Binary path mimics NetworkManager system component
  • Service enabled for automatic startup persistence

2.2 Affiliated System Service

Service-to-Process Relationship Mapping

  • System service: ubuntu.service (parent process manager)
  • Execution: the service launches and maintains the process across restarts
  • Malicious process: nm-inet-dialog (persistent cryptocurrency miner)

Persistence Mechanism
Service Configuration
  • Located: /etc/systemd/system/ubuntu.service
  • Description: "TRYHACK3M"
  • Executable: /lib/NetworkManager/nm-inet-dialog
Persistence Features
  • Starts automatically on boot (unit enabled)
  • Runs with system privileges (a systemd service runs as root unless a User= directive is set)
  • Difficult to detect during casual inspection because both the unit name and the binary path look like stock Ubuntu/NetworkManager components
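The service discovery in 2.1 and the persistence analysis in 2.2 can be turned into a repeatable triage. The following Python is an added example (not tooling from the original investigation): it parses a unit file, resolves its ExecStart binary, asks dpkg whether that binary is package-owned, and flags the three things that gave ubuntu.service away: an unpackaged binary in a vendor directory, a unit name unrelated to its binary and Description, and a locally added unit running as root. The sample unit is constructed from the fields reported above, fake_owner stands in for dpkg -S so the example runs offline, and the heuristics are mine, not a vendor rule set.

```python
"""Triage a systemd unit file for the deception patterns seen in this case.
Added example for this report; heuristics are the author's own."""
import os
import shlex
import subprocess

VENDOR_DIRS = ("/lib/", "/usr/lib/", "/usr/libexec/", "/bin/", "/sbin/",
               "/usr/bin/", "/usr/sbin/")


def parse_unit(text):
    """Minimal unit-file parser: {section: {key: [values]}}; keys may repeat."""
    sections, current = {}, None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line[0] in "#;":
            continue
        if line.startswith("[") and line.endswith("]"):
            current = sections.setdefault(line[1:-1], {})
        elif "=" in line and current is not None:
            key, _, value = line.partition("=")
            current.setdefault(key.strip(), []).append(value.strip())
    return sections


def exec_binary(unit):
    """Program from the first ExecStart= (drops systemd's -, @, +, !, : prefixes)."""
    for cmd in unit.get("Service", {}).get("ExecStart", []):
        argv = shlex.split(cmd.lstrip("-@+!:"))
        if argv:
            return argv[0]
    return None


def dpkg_owner(path):
    """Package owning `path` per `dpkg -S`, or None if unowned / dpkg absent.
    realpath() first so merged-/usr paths (/lib -> /usr/lib) resolve."""
    try:
        r = subprocess.run(["dpkg", "-S", os.path.realpath(path)],
                           capture_output=True, text=True, timeout=10)
    except (OSError, subprocess.TimeoutExpired):
        return None
    return r.stdout.split(":", 1)[0].strip() if r.returncode == 0 else None


def triage(unit_path, text, pkg_owner=dpkg_owner):
    """Return (severity, code, detail) findings for one unit file."""
    unit = parse_unit(text)
    service = unit.get("Service", {})
    stem = os.path.basename(unit_path).split(".")[0].lower()
    desc = " ".join(unit.get("Unit", {}).get("Description", [])).lower()
    binary = exec_binary(unit)
    if binary is None:
        return [("high", "no_exec", "unit has no ExecStart=")]
    findings = []
    if binary.startswith(VENDOR_DIRS) and pkg_owner(binary) is None:
        findings.append(("high", "binary_unpackaged",
                         f"{binary} lives in a vendor directory but no package owns it"))
    if stem not in binary.lower() and stem not in desc:
        findings.append(("medium", "unit_name_mismatch",
                         f"unit '{stem}' matches neither its binary nor its Description"))
    if unit_path.startswith("/etc/systemd/system/") and not service.get("User"):
        findings.append(("info", "runs_as_root",
                         "locally added unit without User=; systemd runs it as root"))
    return findings


def sweep(pkg_owner=dpkg_owner):
    """Live sweep of a host: triage every running service via `systemctl cat`."""
    listing = subprocess.run(["systemctl", "list-units", "--type=service", "--state=running",
                              "--no-legend", "--plain"], capture_output=True, text=True,
                             check=True).stdout
    results = {}
    for line in listing.splitlines():
        name = line.split()[0] if line.strip() else None
        cat = subprocess.run(["systemctl", "cat", name], capture_output=True, text=True) if name else None
        if cat is None or cat.returncode != 0 or not cat.stdout:
            continue
        first = cat.stdout.splitlines()[0]          # "# /etc/systemd/system/x.service"
        path = first[2:] if first.startswith("# ") else name
        results[name] = triage(path, cat.stdout, pkg_owner)
    return results


# Constructed sample mirroring the fields reported for ubuntu.service
# (Description and ExecStart from the report); not the recovered file itself.
SUSPECT_PATH = "/etc/systemd/system/ubuntu.service"
SUSPECT_UNIT = """[Unit]
Description=TRYHACK3M

[Service]
ExecStart=/lib/NetworkManager/nm-inet-dialog
Restart=always
"""


def fake_owner(path):
    """Offline stand-in for dpkg_owner: only sshd counts as packaged."""
    return "openssh-server" if path == "/usr/sbin/sshd" else None


if __name__ == "__main__":
    for finding in triage(SUSPECT_PATH, SUSPECT_UNIT, fake_owner):
        print(*finding)
```

On a Debian/Ubuntu host, sweep() runs the same checks over every running service with the real dpkg query; the unit_name_mismatch heuristic produces some noise on legitimately oddly named units, so treat it as a prompt to read the unit rather than a verdict on its own.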

3. Cryptocurrency Mining Operation Analysis

3.1 Miner Configuration and Log Files

Log File Discovery

/lib/NetworkManager/inet.conf

The miner log file was discovered in the same directory as the malicious executable, named inet.conf to maintain the deception theme. [45] [51]

Directory: /lib/NetworkManager/
Purpose: Mining operation logs and configuration

Log Content Analysis

[*] confbak: Ready!
[*] Status: Mining!
[*] Bitcoin Miner Thread Started

These log entries confirmed that the process was an active cryptocurrency miner rather than a NetworkManager helper. [45]

Confirmation: Active Bitcoin mining operation
Evidence: Clear mining status messages

3.2 Wallet Address and Transaction Analysis

Wallet Address Extraction

bc1qyk79fcp9hd5kreprce89tkh4wrtl8avt4l67qa

The encoded ID string in the log file was decoded with CyberChef's "Magic" operation, which identifies and strips common encoding layers automatically, revealing a valid Bitcoin wallet address. [48] [57] [58]

Format: Bech32 (bc1) Bitcoin address
Destination: Mining proceeds collection
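The decode-and-validate step described above, as an added Python example (neither the investigation's own tooling nor CyberChef): it strips hex and base64 layers the way Magic does, extracts candidate bc1 addresses from the recovered text, and verifies their Bech32 or Bech32m checksum per BIP173/BIP350, which is how you confirm that a decoded string is a real address and not a near miss. The input blob is constructed from the BIP173 test-vector address, not from inet.conf, and the exact encoding layers used in the real ID string are not reproduced here.

```python
"""Peel text encodings off an opaque string and validate any Bitcoin
Bech32 address that falls out. Added example for this report."""
import base64
import re
import string

CHARSET = "qpzry9x8gf2tvdw0s3jn54khce6mua7l"          # BIP173 alphabet
BECH32_CONST, BECH32M_CONST = 1, 0x2BC830A3             # segwit v0 / v1+ constants
PRINTABLE = set(string.printable) - set("\x0b\x0c")
ADDR_RE = re.compile(r"\b(?:bc|tb)1[02-9ac-hj-np-z]{6,87}\b")   # lowercase only


def _polymod(values):
    """BCH checksum polynomial from BIP173."""
    gen = (0x3B6A57B2, 0x26508E6D, 0x1EA119FA, 0x3D4233DD, 0x2A1462B3)
    chk = 1
    for v in values:
        top = chk >> 25
        chk = ((chk & 0x1FFFFFF) << 5) ^ v
        for i in range(5):
            if (top >> i) & 1:
                chk ^= gen[i]
    return chk


def bech32_variant(addr: str):
    """'bech32' or 'bech32m' if the checksum verifies, else None."""
    if addr not in (addr.lower(), addr.upper()):
        return None                     # mixed case is invalid by spec
    addr = addr.lower()
    pos = addr.rfind("1")
    if pos < 1 or pos + 7 > len(addr) or len(addr) > 90:
        return None
    hrp, data = addr[:pos], addr[pos + 1:]
    if any(c not in CHARSET for c in data):
        return None
    values = [ord(c) >> 5 for c in hrp] + [0] + [ord(c) & 31 for c in hrp]
    values += [CHARSET.index(c) for c in data]
    return {BECH32_CONST: "bech32", BECH32M_CONST: "bech32m"}.get(_polymod(values))


def _peel_once(s: str):
    """Try one decoding layer (hex, then base64); accept only printable ASCII."""
    s = s.strip()
    attempts = []
    if len(s) % 2 == 0 and re.fullmatch(r"[0-9a-fA-F]+", s):
        attempts.append(("hex", lambda: bytes.fromhex(s)))
    attempts.append(("base64", lambda: base64.b64decode(s, validate=True)))
    for name, decode in attempts:
        try:
            out = decode().decode("ascii")
        except ValueError:              # binascii.Error and UnicodeDecodeError
            continue
        if out and all(c in PRINTABLE for c in out):
            return name, out
    return None


def peel(blob: str, max_layers: int = 8):
    """Repeatedly strip encodings; returns (innermost text, [layers removed])."""
    layers, cur = [], blob
    for _ in range(max_layers):
        step = _peel_once(cur)
        if step is None:
            break
        layers.append(step[0])
        cur = step[1]
    return cur, layers


def find_addresses(text: str):
    """Extract candidate bech32 addresses and report each one's checksum result."""
    return [(a, bech32_variant(a)) for a in ADDR_RE.findall(text)]


# Constructed sample: the BIP173 example P2WPKH address, base64- then
# hex-wrapped the way an attacker might obfuscate a wallet ID in a config.
SAMPLE_ADDR = "bc1qw508d6qejxtdg4y5r3zarvary0c5xw7kv8f3t4"


def build_sample_blob() -> str:
    inner = base64.b64encode(f"wallet:{SAMPLE_ADDR}".encode()).decode()
    return inner.encode().hex()


if __name__ == "__main__":
    text, layers = peel(build_sample_blob())
    print(layers, text, find_addresses(text))
    # The address recovered in the report, checked for checksum validity:
    print(bech32_variant("bc1qyk79fcp9hd5kreprce89tkh4wrtl8avt4l67qa"))
```

A decoded string that looks like an address but fails the checksum is a sign that a layer was decoded wrongly or that the value was truncated; only a checksum-valid address is worth taking to a block explorer.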

Blockchain Analysis

Analysis Methodology
  • Blockchain.com explorer search
  • Transaction history analysis
  • Comparison against known threat actor wallets
Critical Finding

Wallet involved in transactions with known Lockbit-associated addresses, indicating potential threat actor affiliation. [48] [57]

4. Threat Attribution

Lockbit Threat Group Association


Transaction Analysis

  • Wallet address involved in transactions with known Lockbit-associated wallets
  • Blockchain analysis revealed financial connections to threat infrastructure
  • Historical transaction patterns match known ransomware operations

Tactical Assessment

  • Cryptocurrency mining as secondary revenue stream
  • Infrastructure reuse across multiple attack campaigns
  • Sophisticated persistence and obfuscation techniques

Confidence Level: High (as assessed by the investigation)

Blockchain transaction analysis is the basis for the Lockbit association: the mining wallet appears in transactions with addresses previously attributed to Lockbit, and the persistence and obfuscation techniques are consistent with a capable actor, which together suggest direct or affiliate involvement with the Lockbit ransomware group. [48] [57] One caveat a practitioner should keep in mind: shared transaction history is circumstantial, because unrelated addresses can be linked through exchanges, mixers and payment intermediaries, so this evidence supports association with Lockbit or an affiliate rather than proving direct control.

Lockbit Profile

Type: Ransomware-as-a-Service
Active Since: 2019
Primary Focus: Data encryption and extortion
Observed in this case: Cryptocurrency mining

Attack Summary

Initial Access: WordPress RCE
Persistence: systemd service
Primary Goal: Cryptocurrency mining

Investigation Timeline

  • Initial Access: WordPress bricks theme exploitation
  • Service Installation: ubuntu.service with mining payload
  • Wallet Discovery: blockchain analysis and attribution

Summary of Key Findings

Category             | Artifact       | Value / Name                               | Description
Initial Compromise   | Hidden File    | 650c844110baced87e1606453b93f22a.txt        | Text file left in the web root containing the first challenge flag
Initial Compromise   | Flag Content   | THM{fl46_650c844110baced87e1606453b93f22a} | Content of the hidden file, confirming initial access
Initial Compromise   | Vulnerability  | CVE-2024-25600                             | Unauthenticated RCE in the WordPress "bricks" theme
Malicious Process    | Process Name   | nm-inet-dialog                             | Disguised process masquerading as a NetworkManager component
Malicious Process    | Service Name   | ubuntu.service                             | systemd service that launches and maintains the malicious process
Cryptocurrency Miner | Log File       | inet.conf                                  | Miner log file, in the same directory as the miner executable
Cryptocurrency Miner | Wallet Address | bc1qyk79fcp9hd5kreprce89tkh4wrtl8avt4l67qa | Bitcoin address receiving the mined cryptocurrency
Threat Attribution   | Threat Group   | Lockbit                                    | Wallet linked to transactions associated with the Lockbit threat group

Key Insights

  • Attackers used deliberate naming deception (ubuntu.service, nm-inet-dialog, inet.conf)
  • Persistence through system services is highly effective and easy to overlook
  • Blockchain analysis can reveal threat actor connections
  • WordPress theme and plugin vulnerabilities remain a significant attack vector

Recommendations

  • Keep WordPress themes and plugins current (for this case, Bricks 1.9.6.1 or later)
  • Monitor systemd services for suspicious units, in particular locally added units whose binaries are not owned by any package
  • Implement network-level cryptocurrency mining detection
  • Conduct regular security assessments

Detection Methods

  • System process monitoring and analysis
  • Service configuration validation
  • Network traffic pattern analysis
  • File integrity monitoring