On the afternoon of Friday, February 23rd, 2018 the Emagined Security Research team reviewed an alert passed through our Security Operations team involving a JMXInvokerServlet hit.
Based upon traffic patterns and the user agent strings, the team believes the actor is using JexBoss to automate this exploit.
Within the attack code was an obvious PowerShell Downloader pointing to 200[.]7[.]97[.]205, using port 8086. The IP address is reportedly in the Netherlands.
The team immediately captured the text file, which itself was a PowerShell file that downloaded a second stage binary.
The files noted, 32Kilences and 64Kilences.exe provide different versions of the executable file, one for 32 bit windows and another for 64 bit. In Hungarian, Kilences means "Nine."
The team also found that a "lin.txt" is present on the same host, which provides two files, for Linux OS's:
BoomBoom is a 64bit statically compiled ELF binary, while BoomBoom2 is the 32bit version.
The team set to decompile the binary; which the attackers made very easy:
32Kilences.exe: PE32 executable (GUI) Intel 80386, for MS Windows, RAR self-extracting archive
After decompressing the RAR self-extracting executable we're provided two new files:
MD5 (run.bat) = ac229848385ba895cffd5523602b7162
MD5 (systemgo.exe) = 646cb81ec7e8aaa93a7580491edeb56e
SystemGo.exe is a popular Monero miner, and Run.bat gives us all of the important details:
The actors Monero wallet, 45cToD1FzkjAxHRBhYKKLg5utMGENqyamWrY8nLNkVQ4hJgLHex1KNRZcz4finRjMpAYmPxDaXVpN2rV1jMNyXRdMEaH1YA, is clearly visible in the batch file, and is searchable on MineXMR.com:
With the actor making somewhere around 11 XMR, the current value of Monero puts that around $3228 USD.
Evidence that even unskilled attackers can use open source technology to make a few dollars.
This campaign has been logged with Alienvault's OTX,
The original win.txt and lin.txt are available here.
Observables:
MD5 (32Kilences.exe) = 5f980357049bec59acf4fa3f64ad076f
MD5 (64Kilences.exe) = 41f120f918d226275471e00f1fd7bd2f
MD5 (win.txt) = e7f9375443cd29f771875c185062c6ba
MD5 (BoomBoom) = f75a3ee5fba082e6ccc38373cff39176
MD5 (BoomBoom2) = 2e49d437c95119becb881a3a269832d6
MD5 (lin.txt) = 0d3784ddb430cdeb2f0641a68b7715e4
SHA1 (32Kilences.exe) = 33a714dd10caf6f7e1ecfd7290de02ac0ef565ac
SHA1 (64Kilences.exe) = 4d17be57e35eecf5a7ba6fa54084179527594635
SHA1 (win.txt) = 7966aba65e7f64a746ecb34eac14f515156a8145
SHA1 (lin.txt) = bf095c444bcae7aae21a4a823e7f83b42a626547
SHA1 (BoomBoom) = 2652eea0140a0b0de3a642b9a0263a7f67ce83ac
SHA1 (BoomBoom2) = 957109bd145306ff38f703d8cd0955f1114c3a85
IP = 200.7.97.205 PORT: 8086