Analysis of CoinMiner Attacks Targeting Web Servers

June 24, 2024, 8:56 a.m.

Description

The report details two separate attack cases targeting the web server of a Korean medical institution, both resulting in the installation of CoinMiners. The targeted server was a Windows IIS server, likely with PACS software installed. In both attacks, web shells were uploaded and system information was collected. The first attack involved the use of Chinese tools such as Cpolar, followed by the installation of a CoinMiner. The second attack used different tools, such as EarthWorm and RingQ, but had the same ultimate goal of installing a CoinMiner. Based on various indicators, the threat actors in both cases are suspected to be Chinese-speaking users.

Date

  • Created: June 24, 2024, 8:16 a.m.
  • Published: June 24, 2024, 8:16 a.m.
  • Modified: June 24, 2024, 8:56 a.m.

Indicators


Attack Patterns

  • PrintNotifyPotato
  • NetCat
  • Fscan
  • EarthWorm
  • Lcx
  • Frpc
  • Cpolar
  • Ladon
  • GodPotato
  • BadPotato
  • RingQ
  • XMRig
  • T1543.003
  • T1135
  • T1053.005
  • T1136
  • T1059.001
  • T1087
  • T1070
  • T1106
  • T1082
  • T1071
  • T1543
  • T1055
  • T1569
  • T1027
  • T1053
  • T1562
  • T1190
  • T1072
  • T1059
  • CVE-2021-1732