TTPwire Vol. 1 · MITRE ATT&CK·Tagged


Huntress

Threat Advisory: XMRig Cryptomining By Way Of TeamViewer

2023-05-30

ATT&CK techniques detected

10 predictions
T1219 Remote Access Tools (97%)
“being installed, while the other included ScreenConnect, Splashtop and RealVNC. However, a common remote access tool found across multiple endpoints was TeamViewer, and in the observed instances, this remote access tool had been installed for a considerable amount of time. For ex…”

T1059.001 PowerShell (96%)
“PowerShell.evtx event log file. The initial batch file downloaded to the endpoint once access was achieved via TeamViewer is almost identical (wallet addresses vary) across all identified endpoints: The above command includes downloading the batch file, running it with a wall…”

T1059.001 PowerShell (73%)
“team collected data from the endpoints and set about creating timelines to best investigate the sequence of events. Incorporating EDR telemetry alongside endpoint log data provided unprecedented insight into not only the activity that occurred on the endpoint (through process cr…”

T1071.001 Web Protocols (72%)
“001, Web Protocols; Impact; T1496, Resource Hijacking. Special thanks to all involved for their contributions to this blog: Faith Stratton, Sharon Martin, and Harlan Carvey.”

T1496 Resource Hijacking (61%)
“Threat Advisory: XMRig Cryptomining By Way Of TeamViewer. At the end of May 2023, Huntress Security Operations Center (SOC) analysts responded to an alert on an endpoint, indicating the presence of a cryptocurrency miner (XMRig). As part of validating the infection itself, th…”

T1219.002 Remote Desktop Software (53%)
“being installed, while the other included ScreenConnect, Splashtop and RealVNC. However, a common remote access tool found across multiple endpoints was TeamViewer, and in the observed instances, this remote access tool had been installed for a considerable amount of time. For ex…”

T1059.001 PowerShell (35%)
“available TeamViewer logs. Domains: The malicious activity identified in May 2023 was almost identical across all identified endpoints; the initial batch file, and subsequent activity via the batch file, was downloaded from: One endpoint showed signs of prior access, including p…”

T1059.001 PowerShell (34%)
“; in one instance, the TeamViewer “Connections_incoming.txt” log file showed indications of suspicious access going back to February 1, 2022. Detections: In response to the observations during the investigation, the Huntress team developed additional detections to assist toc…”

T1496 Resource Hijacking (32%)
“the impacted endpoint, the Huntress team identified unusual activity that preceded the creation of the Windows service, and then searched available EDR telemetry across the entire Huntress customer base, to determine if there were any other impacted endpoints. One system was foun…”

T1219 Remote Access Tools (30%)
“PowerShell.evtx event log file. The initial batch file downloaded to the endpoint once access was achieved via TeamViewer is almost identical (wallet addresses vary) across all identified endpoints: The above command includes downloading the batch file, running it with a wall…”

Summary

Huntress has recently seen an uptick in compromised TeamViewer accounts being used to install the XMRig cryptocurrency miner. Dive into the analysis here.