Monero-miner variant found leveraging RADMIN and MIMIKATZ tool kits to spread across networks

• The attack campaign primarily targets companies in China, Taiwan, Italy, and Hong Kong.
• The attack kits scan vulnerable machines in the open port 445 for its infection process.

A Monero cryptocurrency-mining malware variant has been found using a combination of RADMIN and MIMIKATZ exploit tools to spread across the local area networks and over the internet. The attack campaign primarily targets companies in China, Taiwan, Italy, and Hong Kong.

Propagation method

Trend Micro’s security researcher Don Ovid Ladores, Michael Jhon Ofiaza, and Gilbert Sison detected that the attack kits scanned for vulnerable machines in the open port 445 for its infection process. It mainly focused on systems vulnerable to SMB Server vulnerability MS17-010 to propagate the malware.

The malware variant, detected by Trend Micro as Trojan.Win32.INFOSTEAL.ADS is installed on a victim’s system when a visitor visits infected websites or is dropped by other malware. Once executed, Trojan.Win32.INFOSTEAL.ADS removes the older versions of itself, files and processes to ensure that the infection process is updated.

Functionalities

The malware then connects to several URLs and IP addresses to send back information regarding the infected machine. Later, it downloads the encrypted coinminer and Trojan.Win32.MIMIKATZ.ADU in the second stage of its infection process.

Explaining further, researchers said that Python-compiled variant of the MIMIKATZ trojan is also dropped as part of its infection process.

“It is also capable of randomly scanning generated IP addresses over the internet and local networks for open port 445. Using another Python module named impacket, it drops a hack tool (detected by Trend Micro as HackTool.Win32.Radmin.GB) for remote command communication from a malicious user by creating a named pipe \.\pipe\RemCom_communicaton,” the researchers noted.

This is not the first time that free tools and off-the-shelf malware have been used as a part of a malware campaign. A similar kind of attack was also observed in the mid-2017 against multiple organizations in West Africa.