Binary Managed Object File (BMOF) Distributing XMRig CoinMiner

Sept. 18, 2024, 8:30 a.m.

Description

This analysis explores the use of Binary Managed Object Files (BMOFs) to distribute the XMRig CoinMiner. A BMOF is the compiled form of a Managed Object Format (MOF) file. BMOFs are not inherently malicious, but a MOF can register a WMI permanent event subscription whose consumer executes a script or command line, so threat actors use them for malware persistence. The report describes an attack case attributed to BondNet in which, after compromising SQL servers, the actor creates malicious BMOFs and registers them in the WMI repository with mofcomp.exe. The attack chain involves deleting the hosts file, creating guest accounts, downloading VBE files, configuring RDP connections, and executing the XMRig CoinMiner. AhnLab MDS detects the malware under specific signatures in sandbox environments.
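The persistence described above lives in the root/subscription WMI namespace as an __EventFilter, an __EventConsumer and a __FilterToConsumerBinding. The following PowerShell is an added hunting example, not code from the ASEC report or from the BondNet toolset; the allowlist entry 'SCM Event Log Consumer' is an assumed default Windows entry that should be confirmed against a clean image, and the hosts-file check reflects only the deletion the report mentions.

```powershell
# Added example (not from the report): hunt WMI permanent event subscriptions,
# the persistence a malicious MOF/BMOF registers when compiled with mofcomp.exe.
# Run in an elevated PowerShell session on the host being inspected.

function Get-WmiPersistence {
    [CmdletBinding()]
    param(
        # Permanent subscriptions are stored here by default.
        [string]$Namespace = 'root/subscription',
        # Assumed allowlist: a consumer Windows itself registers on many builds.
        # Verify against a known-clean image before trusting it.
        [string[]]$KnownBenignConsumers = @('SCM Event Log Consumer')
    )

    $filters   = Get-CimInstance -Namespace $Namespace -ClassName __EventFilter
    $consumers = Get-CimInstance -Namespace $Namespace -ClassName __EventConsumer
    $bindings  = Get-CimInstance -Namespace $Namespace -ClassName __FilterToConsumerBinding

    foreach ($b in $bindings) {
        # Filter and Consumer on a binding are object references carrying only the
        # key (Name); resolve them against the full instances to read their payload.
        $filter   = $filters   | Where-Object Name -eq $b.Filter.Name
        $consumer = $consumers | Where-Object Name -eq $b.Consumer.Name
        $class    = $consumer.CimClass.CimClassName

        # Consumer classes that execute code: ActiveScriptEventConsumer runs
        # VBScript/JScript, CommandLineEventConsumer runs an arbitrary command line.
        $payload = switch ($class) {
            'ActiveScriptEventConsumer' { "$($consumer.ScriptingEngine): $($consumer.ScriptText) $($consumer.ScriptFileName)" }
            'CommandLineEventConsumer'  { "$($consumer.ExecutablePath) $($consumer.CommandLineTemplate)" }
            default                     { '' }
        }

        [pscustomobject]@{
            Filter       = $filter.Name
            Query        = $filter.Query          # WQL trigger, e.g. a timer or process-start event
            Consumer     = $consumer.Name
            ConsumerType = $class
            Payload      = $payload.Trim()
            Suspicious   = ($class -in 'ActiveScriptEventConsumer', 'CommandLineEventConsumer') -and
                           ($consumer.Name -notin $KnownBenignConsumers)
        }
    }
}

function Remove-WmiPersistence {
    # Remove a binding together with its filter and consumer. Pipe in an object
    # returned by Get-WmiPersistence after confirming it is malicious.
    param(
        [Parameter(Mandatory, ValueFromPipeline)]$Entry,
        [string]$Namespace = 'root/subscription'
    )
    process {
        Get-CimInstance -Namespace $Namespace -ClassName __FilterToConsumerBinding |
            Where-Object { $_.Filter.Name -eq $Entry.Filter -and $_.Consumer.Name -eq $Entry.Consumer } |
            Remove-CimInstance
        Get-CimInstance -Namespace $Namespace -ClassName __EventFilter |
            Where-Object Name -eq $Entry.Filter | Remove-CimInstance
        Get-CimInstance -Namespace $Namespace -ClassName __EventConsumer |
            Where-Object Name -eq $Entry.Consumer | Remove-CimInstance
    }
}

function Test-HostsFile {
    # The report notes that the attack deletes the hosts file; its absence is
    # itself an indicator worth recording alongside the WMI findings.
    $path = Join-Path $env:SystemRoot 'System32\drivers\etc\hosts'
    [pscustomobject]@{ Path = $path; Exists = (Test-Path -LiteralPath $path) }
}

# Usage: list code-executing subscriptions that are not on the allowlist, then
# check the hosts file. Review each hit before piping it to Remove-WmiPersistence.
Get-WmiPersistence | Where-Object Suspicious | Format-List
Test-HostsFile
```

Review the Query and Payload of every hit before removing it: a consumer whose ScriptText or CommandLineTemplate downloads files, touches the hosts file, adds accounts, or changes RDP settings matches the chain the report describes, whereas legitimate management tooling also uses these consumer classes and should be added to the allowlist rather than deleted.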

Date

Published: Sept. 18, 2024, 8:25 a.m.

Created: Sept. 18, 2024, 8:25 a.m.

Modified: Sept. 18, 2024, 8:30 a.m.

Indicators

50d1b32cf53fe1b0822d2606aa397743d6069785ba0b03a3cad52e63f84c90a8

Attack Patterns

W32.Stuxnet

Stuxnet - S0603

XMRig CoinMiner

BondNet

T1021.001

T1059.005

T1136

T1547.001

T1059.007

T1546

T1070.004

T1562.001

T1570

T1543

T1053

T1078

CVE-2024-43044

CVE-2024-23897

Additional Information

Energy

Iran, Islamic Republic of