Analysis of Coin Miner Attack Case Against Domestic Web Server

June 18, 2024, 10:40 p.m.

Tags
xmrig
2024-06-18
godzilla
aspxspy
badpotato
CVE-2021-1732
coin miner
certutil
iis sever
caidao
chopper
behinder
godpotato
ringq
External References
Description

ASEC has recently confirmed an attack on a domestic medical institution to install a coin miner. The web server that was targeted was a Windows IIS server, and the path name on which the web shell was uploaded suggests that it is a system with the Picture Archiving and Communication System (PACS) product installed.

Date

Published: June 18, 2024, 10:36 p.m.

Created: June 18, 2024, 10:36 p.m.

Modified: June 18, 2024, 10:40 p.m.

Indicators

http://192.210.206.76/sRDI.dat

http://45.130.22.219/aspx.exe

http://14.19.214.36/RingQ.exe

http://14.19.214.36/11.exe

http://14.19.214.36/ew.exe

http://14.19.214.36/fscan.exe

http://14.19.214.36/aa.aspx

http://14.19.214.36:6666/pp.exe

http://sinmaxinter.top:7001/C3-server25.zip

http://sinmaxinter.top:7001/services.zip

Download all indicators here!

Attack Patterns

GodPotato

BadPotato

RingQ

Godzilla Webshell

ALF:Backdoor:ASP/Chopper

ASPXSpy

Trojan:Win32/XMrigMiner

T1136

T1496

T1210

T1219

T1098

T1592

T1190

T1059