Cybercriminals now leveraging new hacking tools and remote access software to drop cryptocurrency malware by exploiting a Windows SMB Server Vulnerability .
There are 2 main hacking tools that are used by attackers to drop random file info to the targeted systems windows registry.
First one is MIMIKATZ , a powerful post-exploitation hacking tool which is used with other hacking tools to collect user accounts and system credentials.
At the same time threat actors using another legitimate remote access tool
RADMIN, enterprise tool for remote access to network computers and servers.
RADMIN mainly used by attackers to gain admin rights and introduce other malware into targeted systems.
In this case, both MIMIKATZ and RADMIN combined to targeting the enterprise assets for data exfiltration by evading the detection by lunching random name with valid Windows functions.
Malware Infection Process
Apart from the samples of a random name, its drops finally a Monero miner malware payload from a remote server through the command sent via RADMIN to the target machine.
This malware variant mainly drops when user visiting the compromising websites or it some time drop into victims system by other malware. later its create a file from its resource and name it as names it as C:windowstempttt.exe and finally execute it.
After the complete infection process, it connects to the command & control server IP address and send the information and download the coinminer into the infected system and later it will decrypt and execute the Monero miner.
According to Trend Micro research, “It continues to save and execute the downloaded file a Python-compiled executable that imports several other Python modules to gather credentials, as well as psexec, enabling the attacker to remotely execute commands. It is also capable of randomly scanning generated IP addresses over the internet and local networks for open port 445. “
Threat actors behind this malware targeting victims with the main motivation of stealing credentials and developing the module for future attack via escalated privileges and remote access.
“Since the info stealer is able to send back information such as user accounts, port forwarding, and system specifics, and capable of planting the hack tool for remote admin functions, it can let attackers remotely access the system to initiate more attacks in the future if left unchecked.” Trend Micro said.