Threat Actors' Systems Can Also Be Exposed and Used by Other Threat Actors

June 6, 2024, 8:06 a.m.

Description

This report discusses a case where a CoinMiner threat actor's proxy server, used to access an infected botnet, became the target of a ransomware threat actor's Remote Desktop Protocol (RDP) scan attack. The ransomware threat actor successfully breached the proxy server and distributed ransomware to the CoinMiner's botnet. The report analyzes the sequence of events and explores the possibility of the attack being intentional or accidental.

External References

https://asec.ahnlab.com/en/66372/
https://otx.alienvault.com/pulse/666163affcce4a1ff5cae35a
Tags
ransomware
coinminer
botnet
2024-06-06
rdp
phobos
havex
backdoor.oldrea
proxy

Date

  • Created: June 6, 2024, 7:22 a.m.
  • Published: June 6, 2024, 7:22 a.m.
  • Modified: June 6, 2024, 8:06 a.m.

Indicators

  • de374c1b9a05c2203e66917202c42d11eac4368f635ccaaadf02346035e82562
  • bc12d3944a21898a2184c190b1ccf141aa38a2ec37f168ff9711e37296afe87c
  • 9ac07d483ed3e055f48dbf031889e51e055bddf16058abb0239af1f0a9cb15dd
  • 9933bd1c96391353eea9986844d283c066d290e3a57df8a4871b4ddc41408d76
  • 90b5cd03b6de6584d47f5ab2d9cbd3eed3ed68d7db4e806b1e327d59ec0a6cde
  • 8ef1fa3f0ce9bb29a5a676a0ca7af67dc554617a8595b1043d1eb9176c248934
  • 8c57b97b04d7eabbae651c3400a5e6b897aea1ae8964507389340c44b99c523a
  • 82dd3926a416016bb5747eab624285c5013ce8ea5a8ae017027bd5c8181d3174
  • 64788b6f74875aed53ca80669b06f407e132d7be49586925dbb3dcde56cbca9c
  • 5e85446910e732111ca9ac90f9ed8b1dee13c3314d2c5117dcf672994ce73bd6
  • 4de048ad33f0a710a226d193f92f20417da5ba3628f79b0e25cbe83b0c979fc0
  • 26a3395a4115355e897a7daf04551eba5e62da661d8dbae7c99205a2e74d24ba
  • 1e5a90b5dcd4768964454cdf659620f5939464c6073f1dfc5d9306a869b609d1
  • 0a5be1c9541e0fadce5f1928d3bb95367baef9ce59d487688662b100e88aabf5
  • e71cda5e7c018f18aefcdfbce171cfeee7b8d556e5036d8b8f0864efc5f2156b
  • 816d7616238958dfe0bb811a063eb3102efd82eff14408f5cab4cb5258bfd019
  • 7a313840d25adf94c7bf1d17393f5b991ba8baf50b8cacb7ce0420189c177e26
  • 205818e10c13d2e51b4c0196ca30111276ca1107fc8e25a0992fe67879eab964
  • 46.59.214.14
  • 47.99.155.111
  • 46.59.210.69
  • 223.223.188.19
  • 185.141.26.116
  • 84.46.22.158
  • http://84.46.22.158:7000
  • http://46.59.214.14:7000
  • http://46.59.210.69:7000
  • http://185.141.26.116/winupdate.css
  • http://185.141.26.116/stats.php
  • http://185.141.26.116/hotfixl.ico
  • m.mymst.top
  • frp.mymst007.top
  • d.mymst.top
  • svchost.com
Download all indicators here!

Attack Patterns

  • Ransomware
  • Havex
  • Backdoor.Oldrea - S0093
  • Phobos
  • CoinMiner
  • T1534
  • T1572
  • T1189
  • T1021
  • T1486
  • T1105
  • T1053
  • T1195
  • T1078
  • T1003
  • T1059