Intelligence Bulletin – When Cryptomining Attacks

Intelligence Bulletin – When Cryptomining Attacks

Optiv has seen a continuation of attacks based off the usage of CryptoNight miner, in this case likely mining Monero cryptocurrency for the attackers. The attacks are focusing on Linux hosts that are running unpatched versions of Apache, JBoss and WebLogic. Attackers are exploiting Remote Code Execution exploits specific to the services in order to infect hosts with the mining malware. Infected hosts are configured to add a cronjob for download of the minerd ELF 64-bit executable and various configuration files for mining to the attacker’s wallet. Using this technique, the attacker can dynamically change the address and executables to avoid detection, or to migrate an attack upon detection.

 

Once downloaded, hosts are queried for available resources and workers are started based off CPU cores available. Recently, we have noticed that care has been taken to limit the resources used on the infected host in order to avoid detection. In a recent case, threads were only started on half of the available cores in order to not signal unusually high utilization on the machines. Also of note, the bash scripts utilized by the attackers are being disguised as typically non-executable files in order to avoid network detection when downloaded.

 

In order limit exposure to these threats we recommend that systems utilizing vulnerable services are patched in order to avoid the initial foothold. Additionally, file integrity monitoring and or HIDS should be reporting on crontab entries and modifications.

 

Optiv’s gTIC assesses with HIGH confidence that malicious actors will continue to utilize cryptomining malware in order to financially benefit. Additionally, we assess with HIGH confidence that malicious actors that are financially motivated will focus on targets of opportunity and are potentially utilizing tools such as Shodan to uncover vulnerable systems.

 

Intelligence Gaps:

 

  1. How will financially motivated actors continue to change TTPs for continued use of cryptomining malware?
  2. Is this an organized campaign to utilize cryptomining malware?
  3. How are malicious actors determining their targets?

 

A list of network IOCs for the miner binaries can be found below.

 

Hashes

 

  • 7153ac617df7aa6f911e361b1f0c8188ca5c142c6aaa8faa2a59b55e0b823c1c
  • 9359f7e7b1dd0f4ce4a2c52fe611c981a3dd7a17f935862e3ce9acb5f2df8ced
  • f4864b3793c93de50b953e9751dc22e03fa0333ae6856d8d153be9018da6d911
  • d47d2aa3c640e1563ba294a140ab3ccd22f987d5c5794c223ca8557b68c25e0d
  • bcf306bf3c905567ac1a5012be94fe642cac6116192cea6486730341b32b38a4
  • 0c5e960ca2a37cf383a7457bcc82e66d5b94164b12dfca1f21501211d9aca3c9
  • b3aba7582de82a0229b4d4caf73bc50cc18eb98109a0e251447dfb47afabc597
  • 0dc34402be603f563bfb25e7c476a0b4
  • 6455ffef458df6d24dd4df37f3d6df73
  • 9eadc40299864089e8a0959d04b02b39
  • e1df71c38cea61397e713d6e580e9051
  • deeb65dbf4ac5d1d0db6ac4467282f62049a3620
  • 777af085e72a4a19b6971f24c1167989335af508
  • 4f41da624726daf16e1c0034e8a6a99c790be61e
  • 9be68990dd7b071b192b89b0e384f290cce2b2db
  • 0b2bd245ce62787101bc56b1eeda9f74e0f87b72781c8f50a1eff185a2a98391
  • 182812097daabfc3fe52dd485bb0a0f566ddf47f23b9d9f72c2df01a1a4faf84
  • 43f78c1c1b078f29fd5eb75759aa7b1459aa3f1679bbaabc1e67c362620650fb
  • 370109b73fa9dceea9e2b34b466d0d2560025efcc78616387d84732cbe82b6bd
  • 36524172afa85a131bf0075c7ff20dcbfb8a94c4e981300fb33ef56ed912678c
  • 348c7dd59ea1b4e88585863dd788621f1101202d32df67eb0015761d25946420
  • 198e090e86863fb5015e380dc159c5634cc2a598e93b20dd9695e1649bb062ad
  • d47d2aa3c640e1563ba294a140ab3ccd22f987d5c5794c223ca8557b68c25e0d
  • f4864b3793c93de50b953e9751dc22e03fa0333ae6856d8d153be9018da6d911
  • 3b83c25a00b3820b28941d4be1583af8ed22ca20a8270c318d02e4918d7b3070

IPs

 

  • 104[.]25[.]208[.]15
  • 94[.]130[.]143[.]162
  • 72[.]11[.]140[.]178
  • 88[.]99[.]142[.]163
  • 78[.]46[.]91[.]134
  • 104[.]25[.]209[.]15
  • 136[.]243[.]102[.]154
  • 136[.]243[.]102[.]167
  • 148[.]251[.]133[.]246
  • 104[.]223[.]37[.]150
  • 208[.]92[.]90[.]51
  • 45[.]77[.]106[.]29
  • 181[.]214[.]87[.]240
  • 181[.]214[.]87[.]241

Domains

 

  • hxxp://27[.]148[.]157[.]89:8899/1[.]exe
  • hxxp://221[.]229[.]204[.]177:8888
  • hxxp://27[.]148[.]157[.]89:8899/xmrig
  • hxxp://72[.]11[.]140[.]178/?info=l30
  • hxxp://72[.]11[.]140[.]178/files/
  • hxxp://72[.]11[.]140[.]178/?info=l69
  • hxxp://72[.]11[.]140[.]178/files/w/default
  • hxxp://27[.]148[.]157[.]89:8899/xmr64[.]exe
  • hxxp://72[.]11[.]140[.]178/?info=w0
  • hxxp://27[.]148[.]157[.]89:8899/1[.]sh
  • hxxp://72[.]11[.]140[.]178/files/w/default/auto-upgrade[.]exe
  • hxxp://72[.]11[.]140[.]178/files/w/default?info=w0
  • hxxp://www[.]luoxkexp[.]com:8520/php[.]exe
  • hxxp://72[.]11[.]140[.]178/auto-upgrade
  • hxxp://luoxkexp[.]com:8888/samba[.]exe
  • hxxp://27[.]148[.]157[.]89:8899/xmr86[.]exe
  • hxxp://27[.]148[.]157[.]89:8899/fuckpig[.]jar
  • hxxp://www[.]luoxkexp[.]com:8520/
  • hxxp://72[.]11[.]140[.]178/?info=w9
  • hxxp://72[.]11[.]140[.]178/files/w/default?info=w9
  • hxxp://luoxkexp[.]com:8888/xmr64[.]exe
  • hxxp://luoxkexp[.]com/xmr64[.]exe
  • hxxp://27[.]148[.]157[.]89:8899/112[.]exe
  • hxxp://72[.]11[.]140[.]178/files
  • hxxp://27[.]148[.]157[.]89:8899/jiba
  • hxxp://luoxkexp[.]com
  • hxxp://72[.]11[.]140[.]178/files/w/others
  • hxxp://72[.]11[.]140[.]178/setup-watch
  • hxxp://72[.]11[.]140[.]178/wls-wsat/CoordinatorPortType
  • hxxp://72[.]11[.]140[.]178/?info=l60
  • hxxp://72[.]11[.]140[.]178/files/l/default
  • hxxp://luoxkexp[.]com:8888/xmr86[.]exe
  • hxxp://luoxkexp[.]com:8899/xmr64[.]exe
  • hxxp://72[.]11[.]140[.]178/files/l/others
  • hxxp://luoxkexp[.]com:8899/1[.]exe
  • hxxp://letoscribe[.]ru/includes/libraries/files[.]tar[.]gz
  • hxxp://letoscribe[.]ru/includes/libraries/getsetup[.]php?p=wl
  • hxxp://45[.]77[.]106[.]29/selectv2[.]sh
  • hxxp://45[.]77[.]106[.]29/sourplum
  • hxxp://45[.]77[.]106[.]29/lowerv2[.]sh
  • hxxp://45[.]77[.]106[.]29/rootv2[.]sh
  • hxxp://181[.]214[.]87[.]240/res/logo[.]jp
  • hxxp://5[.]188[.]87[.]12/langs/kworker_na
  • hxxp://181[.]214[.]87[.]240/res/kworker[.]conf
  • hxxp://letoscribe[.]ru/includes/libraries/notify[.]php?p=wl
  • hxxp://104[.]223[.]37[.]150:8090
  • hxxp://k[.]zsw8[.]cc:8080
  • hxxp://i[.]zsw8[.]cc:8080
  • hxxp://pastebin[.]com/raw/rWjyEGDq
  • hxxp://208[.]92[.]90[.]51
  • hxxp://208[.]92[.]90[.]51:443
  • minergate[.]com
  • minexmr[.]com
  • letoscribe[.]ru
  • pool-proxy[.]com
  • fee[.]xmrig[.]com
  • nicehash[.]com
  • data[.]rel[.]ro
  • dkuug[.]dk
  • i[.]zsw8[.]cc
  • k[.]zsw8[.]cc
  • pool[.]supportxmr[.]com
  • pool[.]cortins[.]tk

 

Sources