In this article, we will talk about a campaign which is being run by Chinese cyber criminals, and this time they don't want to watch what we are doing; rather, they want some resources from our system to mine cryptocurrency. Researchers from Barracuda have analysed a new variant of Golang (a high-level language) malware that turns the victim's machine into a cryptominer. This malware does not affect our local machines; rather, it targets the back-end servers which are running either Linux or Windows. It attacks the backbone of a web application framework directly and exploits some vulnerabilities in the server. After getting settled inside the machine, it starts to mine the Monero cryptocurrency. Unlike other cryptocurrencies, Monero is an open-source cryptocurrency created in April 2014 that focuses on privacy and decentralization. Monero uses an obfuscated public ledger, which means that anybody can broadcast or send transactions, but the sender and receiver always remain unknown. This open-source cryptocurrency is used for illegal purposes, and evil actors generally use it to accept payments anonymously from their victims. Let's see the anatomy of the attack.

ANATOMY OF THE ATTACK

After getting installed on the server, this malware starts downloading some files from its C&C server. The first file it downloads is an init script. This init script sets up an environment for running the actual cryptominer on the target server. Based on the architecture of the device, the malware installs init.sh or init.ps1: init.sh for Linux and init.ps1 for Windows. The researchers also note that the init script for Linux is even capable of removing competing miners and malware, blocking ports, adding backdoor keys, and disabling SELinux. The next script the malware downloads is the update script (again .sh or .ps1 for Linux and Windows respectively), which runs as a scheduled task on the server.

After these scripts get installed on the victim's server, the malware downloads the actual cryptominer, sysupdate, onto the victim's server. This is actually an XMRig miner used to mine the Monero cryptocurrency. XMRig is a legitimate open-source mining program that mines cryptocurrency using a computer's CPU, and it is commonly abused by malware or trojan developers to extract cryptocurrency from compromised systems.

After the miner gets started on the victim's system, the malware fetches a watchdog from its command and control server to monitor all the processes. This watchdog checks that the miner is working properly and that all the components are updated. If the connection gets lost, the watchdog re-initiates the connection to the server. The watchdog gets installed as sysguard or sysguard.exe, based on the architecture of the victim's device.

In the next step, the malware installs a clean.bat file that works as a backdoor on the victim's system. After that, a scanner is installed as networkservice or networkservice.exe, based on the architecture. This file searches for vulnerable machines inside the network of the infected machine, installs this malware on neighbouring machines if they are found vulnerable, and reports the machine status to the malware's command and control server, which is hxxp://185.181.10.234/E5DB0E07C3D7BE80V520.

Additionally, this malware tries to exploit vulnerabilities of the server, and the servers targeted most are those running the ThinkPHP framework, as it is the most popular in China. Here is the list of some vulnerabilities which this malware tries to exploit on the target server:

Source: (link hidden from guests)
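As an added example that is not part of the original post or of Barracuda's research, the following Python script hunts for the artifacts named above (the dropped file names, the scheduled update script and the C&C address) across a process listing, a crontab and a proxy log, and grades the result by how many independent sources agree. All log lines are constructed samples, and the log formats, host names and PIDs are assumptions for illustration.

```python
"""Host and network hunting for the Golang cryptominer artifacts named in the
write-up. Indicators (dropped file names, the scheduled update script and the
C&C address) are taken from the text above; every log line below is a
constructed sample, not a real capture, and the log formats are assumptions."""
import re
from dataclasses import dataclass

# Names the write-up says the malware drops; the miner, watchdog and scanner
# carry an .exe suffix on Windows, so both forms are listed.
DROPPED_NAMES = {
    "init.sh", "init.ps1", "update.sh", "update.ps1",
    "sysupdate", "sysupdate.exe", "sysguard", "sysguard.exe",
    "networkservice", "networkservice.exe", "clean.bat",
}
C2_HOST = "185.181.10.234"  # command and control address from the write-up


@dataclass(frozen=True)
class Finding:
    source: str     # which data source produced the hit: process, cron, proxy
    indicator: str  # the matched file name or host
    line: str       # the raw line, kept for the analyst


def _basename(path: str) -> str:
    """Last path component, accepting both / and \\ so Windows paths match."""
    return re.split(r"[\\/]", path)[-1].lower()


def scan_process_list(lines):
    """ps/tasklist-style lines '<pid> <user> <command> [args]' (assumed format).
    Flags any command whose executable name is one of the dropped files."""
    findings = []
    for line in lines:
        parts = line.split()
        if len(parts) >= 3 and _basename(parts[2]) in DROPPED_NAMES:
            findings.append(Finding("process", _basename(parts[2]), line))
    return findings


def scan_crontab(lines):
    """crontab lines: five schedule fields, then the command. Flags scheduled
    runs of the dropped scripts, the persistence the write-up describes."""
    findings = []
    for line in lines:
        parts = line.split()
        if len(parts) >= 6 and _basename(parts[5]) in DROPPED_NAMES:
            findings.append(Finding("cron", _basename(parts[5]), line))
    return findings


def scan_proxy_log(lines):
    """Any log line carrying a URL (Squid access.log style assumed).
    Flags requests whose host is the C&C address."""
    findings = []
    for line in lines:
        m = re.search(r"https?://([^/\s:]+)", line)
        if m and m.group(1) == C2_HOST:
            findings.append(Finding("proxy", C2_HOST, line))
    return findings


def triage(findings):
    """Confidence from how many independent sources agree: a miner process
    plus traffic to the C&C is far stronger evidence than either alone."""
    sources = {f.source for f in findings}
    if len(sources) >= 2:
        return "high"
    if len(sources) == 1:
        return "medium"
    return "none"


# Constructed sample data for a single Linux web server (not real captures).
PROCESS_SAMPLE = [
    "1 root /sbin/init",
    "812 www-data /usr/sbin/apache2 -k start",
    "2231 www-data /tmp/sysupdate",
    "2240 www-data /tmp/sysguard",
    "2301 www-data /tmp/networkservice",
]
CRON_SAMPLE = [
    "0 3 * * * /usr/bin/apt-get update",
    "*/5 * * * * /tmp/update.sh",
]
PROXY_SAMPLE = [
    "1600000000.123 10.0.0.5 GET http://updates.example.com/index.html 200",
    "1600000001.456 10.0.0.5 GET http://185.181.10.234/E5DB0E07C3D7BE80V520 200",
]


def hunt():
    """Run all three scanners over the samples and return (findings, verdict)."""
    findings = (scan_process_list(PROCESS_SAMPLE) + scan_crontab(CRON_SAMPLE)
                + scan_proxy_log(PROXY_SAMPLE))
    return findings, triage(findings)


if __name__ == "__main__":
    found, verdict = hunt()
    for f in found:
        print(f"[{f.source}] {f.indicator}: {f.line}")
    print("verdict:", verdict)
```

Matching on bare file names is deliberately loose, since the malware chooses its names to look like system components; the triage step compensates by demanding agreement between host and network evidence before reporting high confidence, which is also why the C&C address is worth a proxy or firewall rule on its own.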