Analysis of CoinMiner Attacks Targeting Web Servers
June 24, 2024, 8:56 a.m.
Tags
External References
Description
The report details two separate attack cases targeting a Korean medical institution's web server, resulting in the installation of CoinMiners. The targeted server was a Windows IIS server, likely with PACS software installed. In both attacks, web shells were uploaded, and system information was collected. The first attack involved the use of Chinese tools like Cpolar and installation of a CoinMiner. The second attack used different tools like EarthWorm and RingQ but had the same ultimate goal of installing a CoinMiner. Based on various indicators, the threat actors in both cases are suspected to be Chinese-speaking users.
Date
Published: June 24, 2024, 8:16 a.m.
Created: June 24, 2024, 8:16 a.m.
Modified: June 24, 2024, 8:56 a.m.
Indicators
45.147.51.78
192.210.206.76
141.11.89.42
14.19.214.36
1.119.3.28
45.130.22.219
http://smtp.wptask.cyou:465
http://sky.wptask.cyou:9999
http://sinmaxinter.top:7005
http://sinmaxinter.top:7001/C3-server25.zip
http://sinmaxinter.top:7001/services.zip
http://pop3.wptask.cyou:995
http://info.perflogs.top:995
http://c3.wptask.cyou:33333
http://auto.skypool.xyz:9999
http://auto.c3pool.org:33333
http://45.147.51.78:995
http://45.147.51.78:465
http://45.130.22.219:995
http://45.130.22.219:465
http://45.130.22.219/aspx.exe
http://192.210.206.76/sRDI.dat
http://141.11.89.42:995
http://141.11.89.42:8443
http://141.11.89.42:465
http://14.19.214.36/fscan.exe
http://14.19.214.36:6666/pp.exe
http://14.19.214.36/ew.exe
http://14.19.214.36/aa.aspx
http://14.19.214.36/RingQ.exe
http://14.19.214.36/11.exe
smtp.wptask.cyou
sky.wptask.cyou
pop3.wptask.cyou
info.perflogs.top
c3.wptask.cyou
auto.skypool.xyz
sinmaxinter.top
Attack Patterns
PrintNotifyPotato
NetCat
Fscan
EarthWorm
Lcx
Frpc
Cpolar
Ladon
GodPotato
BadPotato
RingQ
XMRig
T1543.003
T1135
T1053.005
T1136
T1059.001
T1087
T1070
T1106
T1082
T1071
T1543
T1055
T1569
T1027
T1053
T1562
T1190
T1072
T1059
CVE-2021-1732