2018-08-06 - XMRIG COINMINER CAUSED BY AD TRAFFIC

NOTICE:

• The zip archives on this page have been updated, and they now use the new password scheme.  For the new password, see the "about" page of this website.

ASSOCIATED FILES:

• 2018-08-06-XMRig-coinminer-from-ad-traffic.pcap.zip   1.3 MB (1,318,675 bytes)

• 2018-08-06-XMRig-coinminer-from-ad-traffic.pcap   (1,587,122 bytes)

• 2018-08-06-malware-and-artifacts-from-XMRig-infection.zip   28.6 MB (28,637,203 bytes)

• 2018-08-06-scheduled-task-for-persistence-WinInetDriver.xml.txt   (3,550 bytes)
• amd.exe   (325,632 bytes)
• amd.txt   (434,176 bytes)
• ccm.exe   (13,685,760 bytes)
• ccm.txt   (18,247,680 bytes)
• cpu.exe   (441,344 bytes)
• cpu.txt   (588,460 bytes)
• dmclient.exe   (300,032 bytes)

NOTES:

• Did this investigation based on a tweet from @nao_sec at https://twitter.com/nao_sec/status/1026386903254228992
• Found a related malware repository of three base64 text files at account "nd3ro" from a repository named "supersupreme" on bitbucket[.]org.
• bitbucket[.]org is a legitimate service, but it's being abused in this case.

 

WEB TRAFFIC BLOCK LIST

Indicators are not a block list.  If you feel the need to block web traffic, I suggest the following domains and URLs:

• adobeupdater.mcdir[.]ru
• clearload[.]bid
• zipansion[.]com
• hxxps[:]//2no[.]co/2amqu5
• hxxps[:]//bitbucket[.]org/nd3ro1/supersupreme/

 

INFECTION TRAFFIC

Shown above:  Downloaded file dmclient.exe from malicious URL caused by ad traffic.

 

Shown above:  Traffic from the infection filtered in Wireshark.

 

TRAFFIC FROM AN INFECTED WINDOWS HOST (EMOTET + ZEUS PANDA BANKER):

• 104.27.155[.]99 port 80 - zipansion[.]com - GET /2hJsq
• 172.64.103[.]2 port 80 - clearload[.]bid - GET /-36721IUOB/2hJsq?rndad=3328358281-1533563750
• 88.99.66[.]31 port 443 (HTTPS) - 2no[.]co - GET /2amqu5
• 178.208.83[.]45 port 80 - adobeupdater.mcdir[.]ru - GET /dmclient.exe
• port 443 (HTTPS) - bitbucket[.]org - GET /nd3ro1/supersupreme/raw/4dd6e4603a0b529dd5228afdc42349614ffdde12/amd.txt
• port 443 (HTTPS) - bitbucket[.]org - GET /nd3ro1/supersupreme/raw/4dd6e4603a0b529dd5228afdc42349614ffdde12/cpu.txt
• 178.208.83[.]45 port 80 - adobeupdater.mcdir[.]ru - POST /gate.php
• 185.162.131[.]10 port 3333 - XMRig Coinminer traffic

 

MALWARE

MALWARE RETRIEVED FROM MY INFECTED WINDOWS HOST:

• SHA256 hash:  c0c0d0c792a332ff1263a5f27357017381ecd5e236dfa71d7b49af7787e11c9e
  File size:  300,032 bytes
  File location:  hxxp[:]//adobeupdater.mcdir[.]ru/dmclient.exe
  File location:  C:\ProgramData\b;012345-6789ab-cdef-0123456789abd;\hostdl.exe
  File description:  Windows executable for coinminer infection

OTHER ASSOCIATED MALWARE FROM ND3RO REPOSITORY SUPERSUPREME ON BITBUCKET.ORG:

• SHA256 hash:  95f558abccf6e567db72910dc44e6a1879792433abf0a4a21828a7f4b1a29907
  File size:  325,632 bytes
  File description:  Windows executable based on base64 file amd.txt from "nd3ro" repository "supersupreme" on bitbucket.org

• SHA256 hash:  0ac9dd1d802a0ab9c53508f4e47dcad893ba94aaafa8988669a23bc905dbf247
  File size:  13,685,760 bytes
  File description:  Windows executable based on base64 file ccm.txt from "nd3ro" repository "supersupreme" on bitbucket.org

• SHA256 hash:  9d2ce17f6de4f4e1c7e68f9a926b13c1c986526a38a4c0719f04d2c3948654fc
  File size:  441,344 bytes
  File description:  Windows executable based on base64 file cpu.txt from "nd3ro" repository "supersupreme" on bitbucket.org

 

ADDITIONAL IMAGES

Shown above:  XMRig coinminer traffic from my infected lab host.

 

Shown above:  Traffic from the infection shown in the Fiddler web debugger.

 

Shown above:  Reviewing the HTTPS traffic in Fiddler shows base64-encoded files from bitbucket[.]org.

 

Shown above:  Found three base64 text files for malware at "nd3ro" repository "supersupreme" on bitbucket[.]org.

 

Shown above:  Coinminer malware made persistent on my infected lab host.

 

Click here to return to the main page.