Miner Malware Spreads Beyond China, Uses Multiple Propagation Methods

description: A piece of malware that uses multiple propagation and infection methods to drop a Monero cryptocurrency miner onto as many systems and servers as possible. First observed in China in early 2019, it previously infected networks by exploiting weak passwords and using the pass-the-hash technique, Windows admin tools, and brute-force attacks built on publicly available code. The new case found in Japan, however, involves the use of the EternalBlue exploit and the abuse of PowerShell to break into the system and evade detection. The attackers appear to be expanding this botnet to other countries: Trend Micro telemetry has since detected this threat in Australia, Taiwan, Vietnam, Hong Kong, and India.

IOC Table
total 21