Analysis of Coin Miner Attack Case Against Domestic Web Server
June 18, 2024, 10:40 p.m.
Description
ASEC has recently confirmed an attack on a domestic medical institution that installed a coin miner. The targeted web server was a Windows IIS server, and the path to which the web shell was uploaded suggests that the system had a Picture Archiving and Communication System (PACS) product installed.
Date
Published: June 18, 2024, 10:36 p.m.
Created: June 18, 2024, 10:36 p.m.
Modified: June 18, 2024, 10:40 p.m.
Indicators
http://192.210.206.76/sRDI.dat
http://45.130.22.219/aspx.exe
http://14.19.214.36/RingQ.exe
http://14.19.214.36/11.exe
http://14.19.214.36/ew.exe
http://14.19.214.36/fscan.exe
http://14.19.214.36/aa.aspx
http://14.19.214.36:6666/pp.exe
http://sinmaxinter.top:7001/C3-server25.zip
http://sinmaxinter.top:7001/services.zip
Attack Patterns
GodPotato
BadPotato
RingQ
Godzilla Webshell
ALF:Backdoor:ASP/Chopper
ASPXSpy
Trojan:Win32/XMrigMiner
T1136
T1496
T1210
T1219
T1098
T1592
T1190
T1059