TTPwire Vol. 1 · MITRE ATT&CK·Tagged


F5 Labs

Old Dog, New Targets: Switching to Windows to Mine Electroneum

2018-03-28 · Read original

ATT&CK techniques detected

10 predictions
T1071.001 Web Protocols
87%
“Compromise IP addresses: - 45[.]77[.]55[.]231 - 181[.]214[.]87[.]240 - 181[.]214[.]87[.]241 - 148[.]251[.]133[.]246. Files: - update.b64: 66107b01bc93c8d4cf2e8a6a8faffb56 - update.exe: 5bb5d3cb837d97174eddc681ca98aa80 - msi64.zip: 8d8b8a…”
T1055.001 Dynamic-link Library Injection
80%
“To evade detection, the current attacker is not even trying to hide and is using a more obvious way to install it, which requires just scripting knowledge. Figure 5: the update.exe file content, indicating it was created using the NSIS software. The installer script language is c…”
T1496.001 Compute Hijacking
71%
“Old Dog, New Targets: Switching to Windows to Mine Electroneum - The long-running Apache Struts 2 Jakarta Multipart Parser remote code execution (RCE) (CVE-2017-5638) crypto-mining campaign is now targeting Windows, not just Linux systems. - The campaign is mining El…”
T1496 Resource Hijacking
60%
“Old Dog, New Targets: Switching to Windows to Mine Electroneum - The long-running Apache Struts 2 Jakarta Multipart Parser remote code execution (RCE) (CVE-2017-5638) crypto-mining campaign is now targeting Windows, not just Linux systems. - The campaign is mining El…”
T1055.001 Dynamic-link Library Injection
49%
“…: mining pool and attacker’s wallet information. Hiding from Task Manager: as mentioned before, the mssearchindexer.exe executable file is starting the mssearch.exe miner, while it is also responsible for hiding the mining operation. Figure 16: execution of “mssearch.exe” …”
T1218.011 Rundll32
35%
“…is not being executed or mentioned further in the code. Figure 7: search for the “C:\Program Files\ESET” directory and download of “nod.lock”. Running the malware: if ESET antivirus is not present on the vulnerable machine, the installer checks the operating system architect…”
T1496.001 Compute Hijacking
34%
“…executing “searchindexer.exe”. For persistence, the installer adds a registry entry to run this file on startup. Figure 11: the added registry entry. The miner: the extracted mssearch.exe file is a fork of the cpuminer project called cpuminer-multi. The main difference between th…”
T1197 BITS Jobs
34%
“…It’s often the case that, as time passed, the attackers decided to expand their mining operations to new targets. New target: Windows systems. In Figure 1, an example of the original attack request shows that the attackers were initially injecting a Linux shell payload that …”
T1190 Exploit Public-Facing Application
33%
“Old Dog, New Targets: Switching to Windows to Mine Electroneum - The long-running Apache Struts 2 Jakarta Multipart Parser remote code execution (RCE) (CVE-2017-5638) crypto-mining campaign is now targeting Windows, not just Linux systems. - The campaign is mining El…”
T1105 Ingress Tool Transfer
32%
“…It’s often the case that, as time passed, the attackers decided to expand their mining operations to new targets. New target: Windows systems. In Figure 1, an example of the original attack request shows that the attackers were initially injecting a Linux shell payload that …”
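The excerpts above carry two things a defender can act on directly: the defanged C2 addresses and MD5 hashes published for update.b64 and update.exe, and the fact that initial access was the Struts 2 Jakarta Multipart parser RCE (CVE-2017-5638), whose public exploit places an OGNL expression in the request Content-Type header. The following Python sweep is an added example written for this page; it is not code from F5 Labs or TTPwire. It refangs the published IOCs and runs them, together with a Content-Type OGNL check, over a few constructed log lines. The `ct="..."` field and the overall line layout are an assumed format for the example, not a real product's log schema, and the msi64.zip hash is left out because the excerpt truncates it.

```python
"""Sweep constructed log lines for the IOCs published in the F5 Labs excerpt
and for the CVE-2017-5638 OGNL-in-Content-Type pattern.

Added example for this page; not from the original article."""
import re
from typing import List, Tuple

# IOCs transcribed from the TTPwire excerpt, kept in their published defanged form.
DEFANGED_IPS = [
    "45[.]77[.]55[.]231",
    "181[.]214[.]87[.]240",
    "181[.]214[.]87[.]241",
    "148[.]251[.]133[.]246",
]
FILE_HASHES = {
    "update.b64": "66107b01bc93c8d4cf2e8a6a8faffb56",
    "update.exe": "5bb5d3cb837d97174eddc681ca98aa80",
    # msi64.zip: hash is truncated in the excerpt ("8d8b8a…"), so it is omitted, not guessed.
}

# Markers of an OGNL payload in the Content-Type header, as used by public
# CVE-2017-5638 exploits (the expression begins with "%{" and reaches into ognl.OgnlContext).
OGNL_MARKERS = ("%{", "#_memberAccess", "ognl.OgnlContext")

IP_RE = re.compile(r"\b(?:\d{1,3}\.){3}\d{1,3}\b")
MD5_RE = re.compile(r"\b[0-9a-fA-F]{32}\b")
# Assumed log layout: the request Content-Type is logged as the last field, ct="...".
CT_RE = re.compile(r'ct="(.*)"\s*$')


def refang(ioc: str) -> str:
    """Undo common defanging so published IOCs can be compared with raw log text."""
    return ioc.replace("[.]", ".").replace("(.)", ".").replace("hxxp", "http")


C2_IPS = {refang(ip) for ip in DEFANGED_IPS}
KNOWN_MD5 = {h.lower() for h in FILE_HASHES.values()}


def scan_line(line: str) -> List[str]:
    """Return the list of indicators matched in one log line (empty if clean)."""
    hits: List[str] = []
    for ip in IP_RE.findall(line):
        if ip in C2_IPS:
            hits.append(f"c2_ip:{ip}")
    for digest in MD5_RE.findall(line):
        if digest.lower() in KNOWN_MD5:
            hits.append(f"known_md5:{digest.lower()}")
    ct = CT_RE.search(line)
    if ct and any(marker in ct.group(1) for marker in OGNL_MARKERS):
        hits.append("struts_ognl_content_type")
    return hits


def scan_logs(lines: List[str]) -> List[Tuple[int, List[str]]]:
    """Return (line index, hits) for every line that matched at least one indicator."""
    results = []
    for idx, line in enumerate(lines):
        hits = scan_line(line)
        if hits:
            results.append((idx, hits))
    return results


# Constructed sample lines (not real traffic): one Struts exploit attempt, one download
# from a listed C2 address, one file inventory record with a listed hash, one benign request.
SAMPLE_LOGS = [
    "2018-03-20T10:01:02Z 203.0.113.7 \"POST /struts2-showcase/index.action\" 200 "
    "ct=\"%{(#_='multipart/form-data').(#dm=@ognl.OgnlContext@DEFAULT_MEMBER_ACCESS)}\"",
    "2018-03-20T10:01:05Z 10.0.0.12 \"GET http://45.77.55.231/update.b64\" 200 ct=\"-\"",
    "2018-03-20T10:01:09Z 10.0.0.12 file=update.exe md5=5bb5d3cb837d97174eddc681ca98aa80 ct=\"-\"",
    "2018-03-20T10:02:00Z 10.0.0.15 \"GET /index.html\" 200 ct=\"text/html\"",
]

if __name__ == "__main__":
    for idx, hits in scan_logs(SAMPLE_LOGS):
        print(f"line {idx}: {', '.join(hits)}")
```

The IP and hash matches are exact-string indicators and will age as the campaign rotates infrastructure; the Content-Type check is behavioural and keeps catching CVE-2017-5638 attempts regardless of the payload's second stage, so in practice the two belong to different alert tiers.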

Summary

The long-running Apache Struts 2 Jakarta Multipart Parser RCE (CVE-2017-5638) crypto-mining campaign is now targeting Windows, not just Linux systems.