Analysis of CoinMiner Attacks Targeting Web Servers

June 24, 2024, 8:56 a.m.

Tags
xmrig
coinminer
privilege escalation
earthworm
badpotato
godpotato
2024-06-24
webshell
netcat
cpolar
fscan
printnotifypotato
External References
Description

The report details two separate attack cases targeting a Korean medical institution's web server, resulting in the installation of CoinMiners. The targeted server was a Windows IIS server, likely with PACS software installed. In both attacks, web shells were uploaded, and system information was collected. The first attack involved the use of Chinese tools like Cpolar and installation of a CoinMiner. The second attack used different tools like EarthWorm and RingQ but had the same ultimate goal of installing a CoinMiner. Based on various indicators, the threat actors in both cases are suspected to be Chinese-speaking users.

Date

Published: June 24, 2024, 8:16 a.m.

Created: June 24, 2024, 8:16 a.m.

Modified: June 24, 2024, 8:56 a.m.

Indicators

e95e59984abcb80ba96b6379f31614995d0c462acd83a2180fead7ff11660eff

ef91f4c5e4149f88c02ced681dd277593fc69edbcded8b506c3a2d601afda309

e8fbec25db4f9d95b5e8f41cca51a4b32be8674a4dea7a45b6f7aeb22dbc38db

c3887213c1fb6721c8fe231fc65e62f1dbf7b2a4e3038900fce64807b66b4820

c257ba5d2283a288115e026af12b369b38488737408e1e771794ad6e35b6412b

9f62c1d330dddad347a207a6a565ae07192377f622fa7d74af80705d800c6096

9a8e9d587b570d4074f1c8317b163aa8d0c566efd88f294d9d85bc7776352a28

95b115038debcff42c6fe6cf1a89e4072b3e03f360ef62460cffcf7f5f4bdda7

78eed41cec221edd4ffed223f2fd2271a96224fd1173ed685c8c0b274fe93029

4ff8820d088b32f5ade6c9bb7d88f0291e08267c70235297c28c448bd42b9ab7

4e1469c61a6017c38d840c4751abfdd21fd98a0ff2d5fdba26d227cd448b5f64

3a6091fd5b5755d0249ef4d6af11c807dbe902c2428f923ad2490e99ebbf06ad

3e59379f585ebf0becb6b4e06d0fbbf806de28a4bb256e837b4555f1b4245571

38440cb4263ab8e89751ddaee65912b1ae9604cffda0d6955191e4e669a57c96

3027a212272957298bf4d32505370fa63fb162d6a6a6ec091af9d7626317a858

2e8c7eacd739ca3f3dc4112b41a024157035096b8d0c26ba79d8b893136391bc

24d373bab944de6f019e4c4744e56ed8b2f8803a82fb54bbf0882e11a95483c7

1cd966f10763befded887621ae3a4bf8fdb8f64de06c60e65d69fae19a8aece6

1bc740dcaaf0e2b07609d7f8e1a8823550fe93bba7503c899e5e5503f881bfdb

16c82388c73f744d12813a016539c46edeeea379020d158fb2afbc578d28fb31

f4dd44bc19c19056794d29151a5b1bb76afd502388622e24c863a8494af147dd

45.147.51.78

192.210.206.76

141.11.89.42

14.19.214.36

1.119.3.28

45.130.22.219

http://smtp.wptask.cyou:465

http://sky.wptask.cyou:9999

http://sinmaxinter.top:7005

http://sinmaxinter.top:7001/C3-server25.zip:

http://sinmaxinter.top:7001/services.zip:

http://pop3.wptask.cyou:995

http://info.perflogs.top:995

http://c3.wptask.cyou:33333

http://auto.skypool.xyz:9999

http://auto.c3pool.org:33333

http://45.147.51.78:995

http://45.147.51.78:465

http://45.130.22.219:995

http://45.130.22.219:465

http://45.130.22.219/aspx.exe:

http://192.210.206.76/sRDI.dat:

http://141.11.89.42:995

http://141.11.89.42:8443

http://141.11.89.42:465

http://14.19.214.36/fscan.exe:

http://14.19.214.36:6666/pp.exe:

http://14.19.214.36/ew.exe:

http://14.19.214.36/aa.aspx:

http://14.19.214.36/RingQ.exe:

http://14.19.214.36/11.exe:

smtp.wptask.cyou

sky.wptask.cyou

pop3.wptask.cyou

info.perflogs.top

c3.wptask.cyou

auto.skypool.xyz

sinmaxinter.top

Download all indicators here!

Attack Patterns

PrintNotifyPotato

NetCat

Fscan

EarthWorm

Lcx

Frpc

Cpolar

Ladon

GodPotato

BadPotato

RingQ

XMRig

T1543.003

T1135

T1053.005

T1136

T1059.001

T1087

T1070

T1106

T1082

T1071

T1543

T1055

T1569

T1027

T1053

T1562

T1190

T1072

T1059

CVE-2021-1732