Binary Managed Object File (BMOF) Distributing XMRig CoinMiner
Sept. 18, 2024, 8:30 a.m.
Description
This analysis covers the use of Binary Managed Object Files (BMOFs) to distribute XMRig CoinMiner. A BMOF is the compiled form of a Managed Object Format (MOF) file, the text format used to define WMI classes and instances; mofcomp.exe compiles a MOF and registers its contents in the WMI repository. BMOFs are not malicious in themselves, but a MOF can register a WMI permanent event subscription (an event filter, an event consumer that runs a script or command line, and the binding between the two), which gives a threat actor persistence that is stored in the WMI repository and fires whenever the filter's event occurs. The report details how threat actors use BMOFs with a permanent event subscription for exactly this purpose. It describes an attack case attributed to BondNet in which the actors compromised SQL servers, then created malicious BMOFs and executed them with mofcomp.exe. The resulting chain deletes the hosts file, creates guest accounts, downloads VBE (encoded VBScript) files, configures RDP access, and finally executes XMRig CoinMiner. AhnLab MDS detects the malware under specific signatures when it is run in the sandbox.
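As an added hunting example (not code from the AhnLab report or from the BondNet toolkit), the following PowerShell enumerates WMI permanent event subscriptions, which is what a malicious BMOF registers when compiled with mofcomp.exe, and runs three host checks drawn from the behaviour described above. It assumes an elevated Windows PowerShell 5.1 session on the suspect server; the list of "active" consumer classes and the hosts-file and local-user checks are the author's own choices, not indicators from the report.

```powershell
# Added hunting script; not code from the AhnLab report or the attacker's tooling.
# Run from an elevated Windows PowerShell session on the suspect host.

$ns = 'root\subscription'

# Pull the Name key out of a binding's Filter/Consumer reference.
# Handles both CIM object references and WMI path strings ('__EventFilter.Name="x"').
function Get-RefName([object]$ref) {
    if ([string]$ref -match 'Name\s*=\s*"([^"]+)"') { return $Matches[1] }
    return [string]$ref
}

$filters   = Get-CimInstance -Namespace $ns -ClassName __EventFilter
# Querying the abstract base class returns instances of every derived consumer class.
$consumers = Get-CimInstance -Namespace $ns -ClassName __EventConsumer
$bindings  = Get-CimInstance -Namespace $ns -ClassName __FilterToConsumerBinding

# Consumer classes that execute attacker-supplied content (assumption: these two are
# the ones worth flagging first; NTEventLogEventConsumer etc. only write logs).
$activeConsumers = @('ActiveScriptEventConsumer', 'CommandLineEventConsumer')

$findings = foreach ($b in $bindings) {
    $fName = Get-RefName $b.Filter
    $cName = Get-RefName $b.Consumer
    $f = $filters   | Where-Object Name -eq $fName
    $c = $consumers | Where-Object Name -eq $cName
    $cClass = $c.CimClass.CimClassName

    # What runs when the filter fires: inline script, script path, or command line.
    $payload = switch ($cClass) {
        'ActiveScriptEventConsumer' { if ($c.ScriptText) { $c.ScriptText } else { $c.ScriptFileName } }
        'CommandLineEventConsumer'  { $c.CommandLineTemplate }
        default                     { $null }
    }

    [pscustomobject]@{
        Filter        = $fName
        Query         = $f.Query          # WQL event query, e.g. a timer or process-start trigger
        Consumer      = $cName
        ConsumerClass = $cClass
        Suspicious    = $activeConsumers -contains $cClass
        Payload       = $payload
    }
}

# Suspicious bindings first. 'SCM Event Log Consumer' is a default Windows binding;
# anything with a script or command-line payload on a SQL server deserves a look.
$findings | Sort-Object Suspicious -Descending | Format-List

# mofcomp copies any MOF compiled with '#pragma autorecover' into this directory,
# so a recently written file here can be the compiled subscription itself.
Get-ChildItem "$env:SystemRoot\System32\wbem\AutoRecover" -ErrorAction SilentlyContinue |
    Sort-Object LastWriteTime -Descending |
    Select-Object -First 10 Name, LastWriteTime

# The report describes the hosts file being deleted before the miner is staged.
$hostsFile = "$env:SystemRoot\System32\drivers\etc\hosts"
if (-not (Test-Path $hostsFile)) { Write-Warning "hosts file is missing: $hostsFile" }

# Guest-style accounts created for RDP access: review every enabled local user,
# and treat an enabled built-in Guest on a server as a finding.
Get-LocalUser | Where-Object Enabled | Select-Object Name, LastLogon, Description
```

The binding walk is the part that matters: filters and consumers on their own do nothing, so reviewing `__FilterToConsumerBinding` and resolving both ends is what tells you whether a registered script actually fires. To remove a malicious subscription, delete the binding, the consumer and the filter instances in that order (for example with `Remove-CimInstance` on the objects returned above) rather than just killing the miner process.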
Date
Published: Sept. 18, 2024, 8:25 a.m.
Created: Sept. 18, 2024, 8:25 a.m.
Modified: Sept. 18, 2024, 8:30 a.m.
Indicators
50d1b32cf53fe1b0822d2606aa397743d6069785ba0b03a3cad52e63f84c90a8
mst2.mymst007.info
mst.my03.com
m.mymst.top
d.mymst.top
Attack Patterns
W32.Stuxnet
Stuxnet - S0603
XMRig CoinMiner
BondNet
T1021.001
T1059.005
T1136
T1547.001
T1059.007
T1546
T1070.004
T1562.001
T1570
T1543
T1053
T1078
CVE-2024-43044
CVE-2024-23897
Additional Information
Energy
Iran, Islamic Republic of