Binary Managed Object File (BMOF) Distributing XMRig CoinMiner

Sept. 18, 2024, 8:30 a.m.

Description

This analysis explores the use of Binary Managed Object Files (BMOFs) in distributing XMRig CoinMiner. BMOFs, compiled versions of Managed Object Files, are not inherently malicious but can be exploited due to their ability to execute scripts. The report details how threat actors utilize BMOFs with Permanent Event Subscription for malware persistence. It describes an attack case attributed to BondNet, where malicious BMOFs are created and executed through mofcomp.exe after compromising SQL servers. The process involves deleting the hosts file, creating guest accounts, downloading VBE files, configuring RDP connections, and executing XMRig CoinMiner. The malware is detectable by AhnLab MDS under specific signatures in sandbox environments.

External References

https://asec.ahnlab.com/en/83081/
https://otx.alienvault.com/pulse/66ea8e94a8ad8301bfc0f6c0
Tags
xmrig
coinminer
2024-09-18
bmof

Date

  • Created: Sept. 18, 2024, 8:25 a.m.
  • Published: Sept. 18, 2024, 8:25 a.m.
  • Modified: Sept. 18, 2024, 8:30 a.m.

Linked vulnerabilities

CVE-2024-43044

None
    Jenkins
  • Version(s): 2.470 and earlier, LTS 2.452.3 and earlier
Published: August 7, 2024

Indicators

  • 50d1b32cf53fe1b0822d2606aa397743d6069785ba0b03a3cad52e63f84c90a8
  • mst2.mymst007.info
  • mst.my03.com
  • m.mymst.top
  • d.mymst.top
Download all indicators here!

Attack Patterns

  • W32.Stuxnet
  • Stuxnet - S0603
  • XMRig CoinMiner
  • BondNet
  • T1021.001
  • T1059.005
  • T1136
  • T1547.001
  • T1059.007
  • T1546
  • T1070.004
  • T1562.001
  • T1570
  • T1543
  • T1053
  • T1078
  • CVE-2024-43044
  • CVE-2024-23897

Additional Informations

  • Energy
  • Iran, Islamic Republic of