Analysis of Coin Miner Attack Case Against Domestic Web Server

June 18, 2024, 10:40 p.m.

Description

ASEC has recently confirmed an attack against a domestic medical institution in which a coin miner was installed. The targeted web server was a Windows IIS server, and the path to which the web shell was uploaded suggests that the system had a Picture Archiving and Communication System (PACS) product installed.

Date

  • Created: June 18, 2024, 10:36 p.m.
  • Published: June 18, 2024, 10:36 p.m.
  • Modified: June 18, 2024, 10:40 p.m.

Indicators

  • http://192.210.206.76/sRDI.dat
  • http://45.130.22.219/aspx.exe
  • http://14.19.214.36/RingQ.exe
  • http://14.19.214.36/11.exe
  • http://14.19.214.36/ew.exe
  • http://14.19.214.36/fscan.exe
  • http://14.19.214.36/aa.aspx
  • http://14.19.214.36:6666/pp.exe
  • http://sinmaxinter.top:7001/C3-server25.zip
  • http://sinmaxinter.top:7001/services.zip

Attack Patterns

  • GodPotato
  • BadPotato
  • RingQ
  • Godzilla Webshell
  • ALF:Backdoor:ASP/Chopper
  • ASPXSpy
  • Trojan:Win32/XMrigMiner
  • T1136
  • T1496
  • T1210
  • T1219
  • T1098
  • T1592
  • T1190
  • T1059