2017-11-27 - "TUNGSTEN ROUNDED" POPUP ON CHROME & FIREFOX PUSHES MONERO CPU MINER

ASSOCIATED FILES:

• Zip archive of the traffic:  2017-11-27-fake-font-update-pcaps.zip   7.9 MB (7,896,748 bytes)

• 2017-11-27-fake-font-update-for-chrome.pcap   (5,499,537 bytes)
• 2017-11-27-fake-font-update-for-firefox.pcap   (2,795,626 bytes)

• Saz archive showing HTTPS URLs:  2017-11-27-fake-font-update-for-chrome.saz   2.6 MB (2,581,674 bytes)

• Zip archive of some artifacts:  2017-11-27-fake-font-update-malware-and-artifacts.zip   4.5 MB (4,486,247 bytes)

• 2017-11-27-page-from-livingwithmyhome.com-with-injected-script-for-chrome.txt   (19,797 bytes)
• 2017-11-27-scheduled-task-to-keep-monero-CPU-miner-persistent.txt   (3,790 bytes)
• 2017-11-27-script-from-laccrochecoeur.shop-for-fake-font-update-for-Chrome.txt   (110,766 bytes)
• ttf.js   (9,464 bytes)
• ttf.zip   (5,154 bytes)
• winhost.exe   (2,468,864 bytes)

 

NOTES:

• Same thing I documented earlier this month on 2017-11-12.
• Last time it was "Mercury Text", and this time it's "Tungsten Rounded"
• In the post-infection traffic, XMRig/2.3.1 indicates the final malware is the Monero CPU miner (same as last time).
• Thanks to the person who notified me of this activity. (You know who you are!)

 

WEB TRAFFIC BLOCK LIST

Indicators are not a block list.  If you feel the need to block web traffic, I suggest the following partial URLs and domains:

• hxxp://laccrochecoeur.shop/wp-content/service/index.php?m=
• cdn192.168.0.11.pridnestrovie.m234.xyz

 

IMAGES

Shown above:  Fake font update notification on page from compromised site when using Google Chrome.

 

Shown above:  When using Chrome, this notification sends a JavaScript (.js) file within a zip archive.

 

Shown above:  Fake font update notification on page from compromised site when using Firefox.

 

Shown above:  When using Firefox, this notification sends the JavaScript (.js) file directly.

 

Shown above:  Injected script in page from compromised website that generates the fake font update.

 

Shown above:  The contents of the .js file.

 

Shown above:  After executing the .js
file, this popup happens, so things look
legitimate.

 

Shown above:  Monero CPU miner made persistent after the infection through a scheduled task.

 

Shown above:  Traffic from the infection filtered in Wireshark.

 

Shown above:  HTTPS URLs that show up in the Fiddler capture.

 

Shown above:  Monero CPU miner activity in the post-infection traffic over TCP port 5000.

 

TRAFFIC

ASSOCIATED DOMAINS:

• www.livingwithmyhome.com - GET /   [compromised site]
• 92.222.95.48 port 443 - laccrochecoeur.shop - GET /wp-content/service/index.php?m=f   [returned Javascript for "Tungsten Rounded" font notification]
• 92.222.95.48 port 443 - laccrochecoeur.shop - GET /wp-content/service/index.php?m=z   [returned ttf.zip when using Google Chrome]
• 92.222.95.48 port 443 - laccrochecoeur.shop - GET /wp-content/service/index.php?m=j   [returned ttf.js when using Firefox]
• 92.222.95.48 port 443 - laccrochecoeur.shop - GET /wp-content/service/index.php?m=e   [returned Monero CPU miner malware]
• 185.202.103.26 port 5000 - cdn192.168.0.11.pridnestrovie.m234.xyz - post-infection TCP traffic for Monero CPU miner

 

MALWARE

DOWNLOADED ZIP ARCHIVE (USING CHROME):

• SHA256 hash:  b4eee25f7c5310b85842a11eb88484c7a0719c03011141cb14935f553d212fe5
  File size:  5,154 bytes
  File name  ttf.zip

DOWNLOADED .JS FILE (USING FIREFOX) OR .JS FILE EXTRACTED FROM ZIP ARCHIVE (USING CHROME):

• SHA256 hash:  804936bbed90495afaf60e6c66edb46912a5b09b974d0e065126f421dde93557
  File size:  9,464 bytes
  File name  ttf.js

MONERO (XMR) CPU MINER:

• SHA256 hash:  1b56f6762bac16ece9920f13fe3d2715180d0e2e301bab541081c101d1b4b7d2
  File size:  2,468,864
  File location  C:\Users\[username]\AppData\Roaming\Microsoft\Windows\winhost.exe

 

FINAL NOTES

Once again, here are the associated files:

• Zip archive of the traffic:  2017-11-27-fake-font-update-pcaps.zip   7.9 MB (7,896,748 bytes)
• Saz archive showing HTTPS URLs:  2017-11-27-fake-font-update-for-chrome.saz   2.6 MB (2,581,674 bytes)
• Zip archive of some artifacts:  2017-11-27-fake-font-update-malware-and-artifacts.zip   4.5 MB (4,486,247 bytes)

Zip and saz files are password-protected with the standard password.  If you don't know it, look at the "about" page of this website.

Click here to return to the main page.