2017-11-27 - "TUNGSTEN ROUNDED" POPUP ON CHROME & FIREFOX PUSHES MONERO CPU MINER
ASSOCIATED FILES:
- Zip archive of the traffic: 2017-11-27-fake-font-update-pcaps.zip 7.9 MB (7,896,748 bytes)
- 2017-11-27-fake-font-update-for-chrome.pcap (5,499,537 bytes)
- 2017-11-27-fake-font-update-for-firefox.pcap (2,795,626 bytes)
- Saz archive showing HTTPS URLs: 2017-11-27-fake-font-update-for-chrome.saz 2.6 MB (2,581,674 bytes)
- Zip archive of some artifacts: 2017-11-27-fake-font-update-malware-and-artifacts.zip 4.5 MB (4,486,247 bytes)
- 2017-11-27-page-from-livingwithmyhome.com-with-injected-script-for-chrome.txt (19,797 bytes)
- 2017-11-27-scheduled-task-to-keep-monero-CPU-miner-persistent.txt (3,790 bytes)
- 2017-11-27-script-from-laccrochecoeur.shop-for-fake-font-update-for-Chrome.txt (110,766 bytes)
- ttf.js (9,464 bytes)
- ttf.zip (5,154 bytes)
- winhost.exe (2,468,864 bytes)
NOTES:
- Same thing I documented earlier this month on 2017-11-12.
- Last time it was "Mercury Text", and this time it's "Tungsten Rounded".
- In the post-infection traffic, XMRig/2.3.1 indicates the final malware is the Monero CPU miner (same as last time).
- Thanks to the person who notified me of this activity. (You know who you are!)
WEB TRAFFIC BLOCK LIST
Indicators are not a block list. If you feel the need to block web traffic, I suggest the following partial URLs and domains:
- hxxp://laccrochecoeur.shop/wp-content/service/index.php?m=
- cdn192.168.0.11.pridnestrovie.m234.xyz
IMAGES
Shown above: Fake font update notification on page from compromised site when using Google Chrome.
Shown above: When using Chrome, this notification sends a JavaScript (.js) file within a zip archive.
Shown above: Fake font update notification on page from compromised site when using Firefox.
Shown above: When using Firefox, this notification sends the JavaScript (.js) file directly.
Shown above: Injected script in page from compromised website that generates the fake font update.
Shown above: The contents of the .js file.
Shown above: After executing the .js file, this popup happens, so things look legitimate.
Shown above: Monero CPU miner made persistent after the infection through a scheduled task.
Shown above: Traffic from the infection filtered in Wireshark.
Shown above: HTTPS URLs that show up in the Fiddler capture.
Shown above: Monero CPU miner activity in the post-infection traffic over TCP port 5000.
TRAFFIC
ASSOCIATED DOMAINS:
- www.livingwithmyhome.com - GET / [compromised site]
- 92.222.95.48 port 443 - laccrochecoeur.shop - GET /wp-content/service/index.php?m=f [returned JavaScript for "Tungsten Rounded" font notification]
- 92.222.95.48 port 443 - laccrochecoeur.shop - GET /wp-content/service/index.php?m=z [returned ttf.zip when using Google Chrome]
- 92.222.95.48 port 443 - laccrochecoeur.shop - GET /wp-content/service/index.php?m=j [returned ttf.js when using Firefox]
- 92.222.95.48 port 443 - laccrochecoeur.shop - GET /wp-content/service/index.php?m=e [returned Monero CPU miner malware]
- 185.202.103.26 port 5000 - cdn192.168.0.11.pridnestrovie.m234.xyz - post-infection TCP traffic for Monero CPU miner
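The block list and the traffic section above can be turned into a small triage check. The script below is an added example, not part of the original post: it matches constructed proxy/flow log lines against the post's network indicators (the partial URL, the two domains, the IP/port pairs and the XMRig/2.3.1 string from the post-infection traffic) and labels each hit with the stage of the infection chain that the m= parameter corresponds to. The log line layout (time, client, destination IP, destination port, URL, quoted user-agent) and the client addresses and timestamps in the sample are assumptions made for the example. Note that the partial URL is listed defanged as hxxp:// while the captured requests went over port 443, so the match is done on host and path only, independent of the scheme.

```python
import re
from urllib.parse import parse_qs, urlsplit

# Indicators copied from the post above.
PARTIAL_URL = "hxxp://laccrochecoeur.shop/wp-content/service/index.php?m="
# Match scheme-independently: the post lists hxxp://, the traffic itself used port 443 (HTTPS).
PARTIAL_URL_SCHEMELESS = PARTIAL_URL.split("://", 1)[1]
BLOCKED_DOMAINS = ("laccrochecoeur.shop", "cdn192.168.0.11.pridnestrovie.m234.xyz")
IP_PORTS = {
    ("92.222.95.48", 443): "laccrochecoeur.shop (fake font update server)",
    ("185.202.103.26", 5000): "Monero CPU miner post-infection traffic",
}
# Meaning of the m= parameter, taken from the TRAFFIC section of the post.
STAGES = {
    "f": "JavaScript for the 'Tungsten Rounded' font notification",
    "z": "ttf.zip (Chrome)",
    "j": "ttf.js (Firefox)",
    "e": "Monero CPU miner (winhost.exe)",
}
MINER_USER_AGENT = "XMRig/2.3.1"

# Constructed sample log (assumed layout): time client dst_ip dst_port url "user-agent".
# Hosts, IPs and ports are the post's indicators; clients and timestamps are made up.
# The last line is a benign request that happens to carry m=e on another host.
SAMPLE_LOG = """\
2017-11-27T14:02:11Z 10.0.0.25 203.0.113.10 80 http://www.livingwithmyhome.com/ "Mozilla/5.0 Chrome"
2017-11-27T14:02:13Z 10.0.0.25 92.222.95.48 443 https://laccrochecoeur.shop/wp-content/service/index.php?m=f "Mozilla/5.0 Chrome"
2017-11-27T14:02:40Z 10.0.0.25 92.222.95.48 443 https://laccrochecoeur.shop/wp-content/service/index.php?m=z "Mozilla/5.0 Chrome"
2017-11-27T14:03:05Z 10.0.0.25 92.222.95.48 443 https://laccrochecoeur.shop/wp-content/service/index.php?m=e "Mozilla/5.0 Chrome"
2017-11-27T14:03:30Z 10.0.0.25 185.202.103.26 5000 tcp://cdn192.168.0.11.pridnestrovie.m234.xyz:5000 "XMRig/2.3.1"
2017-11-27T14:04:00Z 10.0.0.30 198.51.100.7 443 https://example.org/index.php?m=e "Mozilla/5.0 Firefox"
"""

LINE_RE = re.compile(r'^(\S+) (\S+) (\S+) (\d+) (\S+) "([^"]*)"$')


def parse_line(line):
    """Split one log line into its fields; returns None for lines that do not fit the layout."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    ts, client, dst_ip, dst_port, url, ua = m.groups()
    parts = urlsplit(url)
    path_query = parts.path + ("?" + parts.query if parts.query else "")
    return {
        "time": ts, "client": client, "dst_ip": dst_ip, "dst_port": int(dst_port),
        "url": url, "host": (parts.hostname or "").lower(), "path_query": path_query,
        "m": parse_qs(parts.query).get("m", [None])[0], "user_agent": ua,
    }


def match_indicators(entry):
    """Return a list of (indicator_type, detail) hits for one parsed log entry."""
    hits = []
    if (entry["host"] + entry["path_query"]).startswith(PARTIAL_URL_SCHEMELESS):
        stage = STAGES.get(entry["m"], "unknown m= value")
        hits.append(("url", "fake font update server, stage: " + stage))
    for domain in BLOCKED_DOMAINS:
        # Exact match or subdomain of a blocked domain.
        if entry["host"] == domain or entry["host"].endswith("." + domain):
            hits.append(("domain", domain))
            break
    key = (entry["dst_ip"], entry["dst_port"])
    if key in IP_PORTS:
        hits.append(("ip_port", IP_PORTS[key]))
    if MINER_USER_AGENT in entry["user_agent"]:
        hits.append(("user_agent", MINER_USER_AGENT))
    return hits


def triage(log_text):
    """Run every parseable line through the indicator checks; keep only lines with hits."""
    findings = []
    for line in log_text.splitlines():
        entry = parse_line(line)
        if entry is None:
            continue
        hits = match_indicators(entry)
        if hits:
            findings.append({"time": entry["time"], "client": entry["client"],
                             "url": entry["url"], "hits": hits})
    return findings


def infected_clients(log_text):
    """Distinct client addresses that touched any indicator."""
    return sorted({f["client"] for f in triage(log_text)})


if __name__ == "__main__":
    for f in triage(SAMPLE_LOG):
        print(f["time"], f["client"], f["url"])
        for kind, detail in f["hits"]:
            print("    ", kind, "->", detail)
    print("clients to check:", infected_clients(SAMPLE_LOG))
```

The compromised site (livingwithmyhome.com) is deliberately not in the indicator set, matching the post's advice that indicators are not a block list; a request to it alone produces no hit, while the chain of m=f, m=z, m=e requests and the port 5000 miner traffic each do.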
MALWARE
DOWNLOADED ZIP ARCHIVE (USING CHROME):
- SHA256 hash: b4eee25f7c5310b85842a11eb88484c7a0719c03011141cb14935f553d212fe5
- File size: 5,154 bytes
- File name: ttf.zip
DOWNLOADED .JS FILE (USING FIREFOX) OR .JS FILE EXTRACTED FROM ZIP ARCHIVE (USING CHROME):
- SHA256 hash: 804936bbed90495afaf60e6c66edb46912a5b09b974d0e065126f421dde93557
- File size: 9,464 bytes
- File name: ttf.js
MONERO (XMR) CPU MINER:
- SHA256 hash: 1b56f6762bac16ece9920f13fe3d2715180d0e2e301bab541081c101d1b4b7d2
- File size: 2,468,864 bytes
- File location: C:\Users\[username]\AppData\Roaming\Microsoft\Windows\winhost.exe
FINAL NOTES
Once again, here are the associated files:
- Zip archive of the traffic: 2017-11-27-fake-font-update-pcaps.zip 7.9 MB (7,896,748 bytes)
- Saz archive showing HTTPS URLs: 2017-11-27-fake-font-update-for-chrome.saz 2.6 MB (2,581,674 bytes)
- Zip archive of some artifacts: 2017-11-27-fake-font-update-malware-and-artifacts.zip 4.5 MB (4,486,247 bytes)
Zip and saz files are password-protected with the standard password. If you don't know it, look at the "about" page of this website.