“rTorrent vulnerability leveraged in campaign spoofing RIAA and NYU user-agents? Last week, F5 threat researchers spotted a Monero (XMR) crypto-mining campaign that was taking advantage of a user configuration vulnerability in the rTorrent client, specifically misconfigured …”
T1190 Exploit Public-Facing Application (75%)
“you are using rTorrent for legitimate purposes, please see the misconfiguration remediation actions in our previous post: https://f5.com/labs/articles/threat-intelligence/malware/rtorrent-client-exploited-in-the-wild-to-deploy-monero-crypto-m…”
T1496.001 Compute Hijacking (51%)
“…ke methods on a victim’s machine that can provide a great deal of information about the shared materials on the host (if, for example, the goal was to delete stolen, copyrighted material), or execute their own code and use the system to mine crypto-currency like we found …”
T1071.001 Web Protocols (43%)
“this is the actual RIAA, rather a spoofed user agent. Figure 4: RIAA campaign originating from 5.39.223.136. NYU campaign: all of the originating IP addresses for the NYU campaign (185.130.104.198, 62.210.152.47, …”
T1496 Resource Hijacking (40%)
“…ke methods on a victim’s machine that can provide a great deal of information about the shared materials on the host (if, for example, the goal was to delete stolen, copyrighted material), or execute their own code and use the system to mine crypto-currency like we found …”
Summary
The same rTorrent XML-RPC function configuration error that was targeted to mine Monero in February was also targeted in January in a campaign apparently spoofing user-agents for RIAA and NYU.