Ransomware attack on CoinMiner
  • By manager
  • Last updated: June 9, 2024

Proxy server breach causes ransomware attack on CoinMiner

Ransomware Attack on CoinMiner: A Glimpse into Cybercriminal Conflict

This report summarizes a recent ransomware attack on the proxy server of a CoinMiner attacker, uncovered by cybersecurity researchers at ASEC. The incident illustrates a growing trend in the cybersecurity landscape: malicious actors themselves becoming prey to rival cybercriminal groups.

CoinMiner’s Downfall: Built on Weak Security

The chain of events began with the CoinMiner attacker compromising victim machines that had lax security. Stolen credentials, likely obtained through social engineering or brute-force attacks, were used to deploy a backdoor on the compromised systems. That backdoor then downloaded and executed CoinMiner malware, hijacking the machines’ processing power for cryptocurrency mining.

Exposed Achilles Heel: The Vulnerable Proxy Server in the Ransomware Attack on CoinMiner

The CoinMiner attacker made a critical error by establishing a reverse RDP configuration on a proxy server to manage their botnet of infected machines. This configuration allowed remote connection through the proxy server. However, a crucial security flaw existed: the proxy server itself remained exposed to the internet, likely due to misconfiguration or a lack of security protocols like firewalls or intrusion detection systems (IDS). This open access created a vulnerable entry point for a future attacker, leading to the ransomware attack on the CoinMiner.

Ransomware Actor’s Unexpected Intrusion

The ransomware actor capitalized on this vulnerability by using internet-wide scanning techniques to identify exposed Remote Desktop Protocol (RDP) ports. That scan very likely swept up the CoinMiner’s exposed proxy server along with every other host answering on RDP. The ransomware actor then launched a brute-force attack against the RDP port and gained access because of another security weakness: the administrator account had no restrictions on login attempts, so the weak password could be recovered by trial and error.

Turning the Tables: Ransomware Infiltrates the CoinMiner Network

Having gained administrator access to the compromised proxy server, the ransomware actor established a foothold within the CoinMiner attacker’s network. They then utilized network scanning and credential-hijacking tools to move laterally and spread ransomware throughout the CoinMiner botnet. This effectively turned the tables on the CoinMiner, who became the victim of their own compromised infrastructure in the ransomware attack.
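The two stages just described, a password-guessing burst that ends in a successful RDP logon and the fan-out of network logons that follows once the intruder pivots, are exactly what a defender would want to see in authentication logs. The following is an added detection example, not code from the ASEC report or from either attacker's tooling: the events, host names, addresses and the `HOST_ADDRESSES` inventory are all constructed for the example, loosely modelled on Windows Security events 4625 (failed logon) and 4624 (successful logon) with their logon type (10 = RemoteInteractive/RDP, 3 = network). It goes slightly beyond the page by chaining the two detections together, flagging a host that was brute-forced over RDP and then became the source of logons across many other hosts.

```python
from collections import defaultdict
from datetime import datetime, timedelta, timezone

# Constructed sample log (not real data): six failed RDP logons against the
# proxy's administrator account from one external address, a success from the
# same address, then network logons from the proxy's own internal address to
# several bots. The last line is ordinary noise that must not be flagged.
SAMPLE_EVENTS = """\
2024-03-10T02:00:01Z 4625 host=PROXY01 user=administrator src=203.0.113.9 type=10
2024-03-10T02:00:03Z 4625 host=PROXY01 user=administrator src=203.0.113.9 type=10
2024-03-10T02:00:05Z 4625 host=PROXY01 user=administrator src=203.0.113.9 type=10
2024-03-10T02:00:08Z 4625 host=PROXY01 user=administrator src=203.0.113.9 type=10
2024-03-10T02:00:12Z 4625 host=PROXY01 user=administrator src=203.0.113.9 type=10
2024-03-10T02:00:15Z 4625 host=PROXY01 user=administrator src=203.0.113.9 type=10
2024-03-10T02:01:40Z 4624 host=PROXY01 user=administrator src=203.0.113.9 type=10
2024-03-10T02:15:00Z 4624 host=BOT-07 user=administrator src=10.0.0.5 type=3
2024-03-10T02:15:03Z 4624 host=BOT-12 user=administrator src=10.0.0.5 type=3
2024-03-10T02:15:09Z 4624 host=BOT-31 user=administrator src=10.0.0.5 type=3
2024-03-10T02:15:11Z 4624 host=BOT-44 user=administrator src=10.0.0.5 type=3
2024-03-10T02:30:00Z 4624 host=FILE01 user=svc_backup src=10.0.0.20 type=3
"""

# Constructed inventory mapping a host name to its internal address (hypothetical).
HOST_ADDRESSES = {"PROXY01": "10.0.0.5"}


def parse_event(line):
    """Turn one sample line into a dict with a timezone-aware timestamp."""
    ts_str, event_id, *pairs = line.split()
    fields = dict(p.split("=", 1) for p in pairs)
    return {
        "ts": datetime.strptime(ts_str, "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc),
        "event_id": int(event_id),
        "host": fields["host"],
        "user": fields["user"],
        "src": fields["src"],
        "logon_type": int(fields["type"]),
    }


def load_events(text):
    """Parse all non-empty lines and return them in timestamp order."""
    return sorted((parse_event(l) for l in text.splitlines() if l.strip()),
                  key=lambda e: e["ts"])


def detect_rdp_bruteforce(events, threshold=5, window=timedelta(minutes=10)):
    """Flag (src, host) pairs with >= threshold failed RDP logons inside a
    sliding window, and record whether a successful RDP logon from the same
    source followed (the password was eventually guessed)."""
    recent = defaultdict(list)   # (src, host) -> timestamps of failures still in window
    findings = {}
    for ev in events:
        if ev["logon_type"] != 10:
            continue
        key = (ev["src"], ev["host"])
        if ev["event_id"] == 4625:
            recent[key] = [t for t in recent[key] if ev["ts"] - t <= window] + [ev["ts"]]
            if len(recent[key]) >= threshold:
                findings.setdefault(key, {"success_at": None})["failures"] = len(recent[key])
        elif ev["event_id"] == 4624 and key in findings and findings[key]["success_at"] is None:
            findings[key]["success_at"] = ev["ts"]
    return findings


def detect_logon_fanout(events, min_hosts=3, window=timedelta(hours=1)):
    """Flag sources that completed network logons to >= min_hosts distinct
    hosts within the window: the fan-out that lateral-movement tooling leaves."""
    by_src = defaultdict(list)
    for ev in events:
        if ev["event_id"] == 4624 and ev["logon_type"] == 3:
            by_src[ev["src"]].append((ev["ts"], ev["host"]))
    findings = {}
    for src, entries in by_src.items():
        for start, _ in entries:
            hosts = {h for t, h in entries if timedelta(0) <= t - start <= window}
            if len(hosts) >= min_hosts:
                findings[src] = sorted(hosts)
                break
    return findings


def correlate(events, host_addresses=HOST_ADDRESSES):
    """Chain the two detections: a host taken over by RDP brute force whose own
    address then fans out across the network, which is the sequence the report
    describes for the proxy server and the bots behind it."""
    fanout = detect_logon_fanout(events)
    chains = []
    for (src, host), info in detect_rdp_bruteforce(events).items():
        pivot = host_addresses.get(host)
        if info["success_at"] is not None and pivot in fanout:
            chains.append({"entry_host": host, "entry_src": src,
                           "pivot_src": pivot, "targets": fanout[pivot]})
    return chains


if __name__ == "__main__":
    for chain in correlate(load_events(SAMPLE_EVENTS)):
        print(chain)
```

Thresholds and windows are deliberately parameters: the brute-force rule should fire below whatever account-lockout threshold is in force (an account with no lockout at all, as on the proxy server here, is precisely what the rule compensates for), and the fan-out window should be tightened on networks where one address legitimately authenticates to many hosts.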

Motives Behind the Ransomware Attack on CoinMiner: Unintentional or Intentional?

The report explores two possible motives for the ransomware actor’s targeting of the CoinMiner’s proxy server:

  • Unintentional Inclusion: The ransomware actor’s automated scanning process might have randomly included the CoinMiner’s proxy server among other vulnerable RDP ports on the internet. The attacker may not have been aware they were infiltrating another threat actor’s infrastructure in the ransomware attack.
  • Deliberate Targeting: This scenario suggests a more calculated attack on the CoinMiner. Upon gaining access to the proxy server, the ransomware actor might have recognized its role in controlling infected systems. This recognition could have occurred through various means, such as repeatedly compromising the same system via the proxy server (indicating a botnet) or by analyzing traffic patterns or logs on the proxy server. In either case, the ransomware actor exploited the vulnerability to launch a ransomware attack on the CoinMiner’s botnet, potentially aiming to disrupt the competitor’s operations or generate additional profits through extortion.

Uncertainties and a Future of Cybercriminal Conflict

The report acknowledges the limitations in definitively determining the attacker’s intent based on a single incident. However, it highlights a significant point – threat actors themselves can become targets. Traditionally, cybercriminals focused on compromising user or enterprise systems. This incident suggests a potential future trend where cybercriminals target each other’s infrastructure, leading to a more complex and unpredictable threat landscape.

Conclusion: Security for All in the Digital Age

The report emphasizes the importance of robust security practices for all actors in the digital landscape.

[File Detection]

  • CoinMiner/Win.XMRig.C5449500(2023.07.05.00)
  • Downloader/FOMB.Agent(2024.02.27.00)
  • Downloader/Win64.Agent.C2426880(2018.03.29.04)
  • HackTool/Win.Agent(2024.03.15.00)
  • HackTool/Win.Frpc.C5473755(2023.08.20.03)
  • HackTool/Win.PassViewer.C5353351(2023.01.09.03)
  • HackTool/Win.PassViewer.C5353353(2023.04.26.02)
  • HackTool/Win.PstPass.C5135577(2022.08.31.02)
  • HackTool/Win.PSWTool.R345815(2023.06.02.01)
  • HackTool/Win32.Mailpassview.R165244(2016.07.12.09)
  • Ransomware/Win.Phobos.R363595(2023.08.28.04)
  • Trojan/BAT.RUNNER.SC198137(2024.03.15.00)
  • Trojan/BAT.RUNNER.SC198138(2024.03.15.00)
  • Trojan/BAT.Runner.SC198226(2024.03.18.02)
  • Trojan/RL.Mimikatz.R248084(2018.12.10.01)
  • Trojan/Win.Lazardoor.R496534(2022.05.14.01)
  • Trojan/Win32.Infostealer.C1259157(2015.11.16.06)
  • Trojan/Win32.Infostealer.C1259157(2020.07.17.00)
  • Trojan/Win32.Miner.C2462674(2018.04.13.09)
  • Trojan/Win32.Neshta.X2117(2018.03.16.06)
  • Unwanted/Win.PassView.C5359535(2023.01.16.03)
  • Unwanted/Win32.HackTool.C613821(2014.11.02.03)
  • Unwanted/Win32.Masscan.C3122810(2019.12.06.00)
  • Unwanted/Win32.Passview.C568442(2014.09.23.00)
  • Unwanted/Win32.PassView.R333746(2020.04.22.08)

[IOCs]

MD5s

  • D6B2FEEA1F03314B21B7BB1EF2294B72(smss.exe)
  • 2513EB59C3DB32A2D5EFBEDE6136A75D(mf)
  • E919EDC79708666CD3822F469F1C3714(hotfixl.exe)
  • 432BF16E0663A07E4BD4C4EAD68D8D3D(main.exe)
  • 9B7BE5271731CFFC51EBDF9E419FA7C3(dss.exe)
  • 7F31636F9B74AB93A268F5A473066053(BulletsPassView64.exe)
  • D28F0CFAE377553FCB85918C29F4889B(VNCPassView.exe)
  • 6121393A37C3178E7C82D1906EA16FD4(PstPassword.exe)
  • 0753CAB27F143E009012053208B7F63E(netpass64.exe)
  • 782DD6152AB52361EBA2BAFD67771FA0(mailpv.exe)
  • 8CAFDBB0A919A1DE8E0E9E38F8AA19BD(PCHunter32.exe)
  • 00FA7F88C54E4A7ABF4863734A8F2017(fast.exe)
  • AD3D95371C1A8465AC73A3BC2817D083(kit.bat)
  • 15069DA45E5358578105F729EC1C2D0B(zmass_2.bat)
  • 28C2B019082763C7A90EF63BFD2F833A(dss.bat)
  • 5410539E34FB934133D6C689072BA49D(mimikatz.exe)
  • 59FEB67C537C71B256ADD4F3CBCB701C(ntuser.cpl)
  • 0FC84B8B2BD57E1CF90D8D972A147503(httpd.exe)
  • 057D5C5E6B3F3D366E72195B0954283B(check.exe)
  • 35EE8D4E45716871CB31A80555C3D33E(UpSql.exe)
  • 1F7DF25F6090F182534DDEF93F27073D(svchost.exe)
  • DC8A0D509E84B92FBF7E794FBBE6625B(svchost.com)
  • 76B916F3EEB80D44915D8C01200D0A94(RouterPassView.exe)
  • 44BD492DFB54107EBFE063FCBFBDDFF5(rdpv.exe)
  • E0DB0BF8929CCAAF6C085431BE676C45(mass.dll)
  • DF218168BF83D26386DFD4ECE7AEF2D0(mspass.exe)
  • 35861F4EA9A8ECB6C357BDB91B7DF804(pspv.exe)

URLs & C2s

  • 223.223.188[.]19
  • 185.141.26[.]116/stats.php
  • 185.141.26[.]116/hotfixl.ico
  • 185.141.26[.]116/winupdate.css
  • 84.46.22[.]158:7000
  • 46.59.214[.]14:7000
  • 46.59.210[.]69:7000
  • 47.99.155[.]111
  • d.mymst[.]top
  • m.mymst[.]top
  • frp.mymst007[.]top