2018-08-06 - XMRIG COINMINER CAUSED BY AD TRAFFIC LEADING TO ADOBEUPDATER.MCDIR.RU

ASSOCIATED FILES:

  • 2018-08-06-XMRig-coinminer-from-ad-traffic.pcap   (1,587,122 bytes)
  • 2018-08-06-scheduled-task-for-persistence-WinInetDriver.xml.txt   (3,550 bytes)
  • amd.exe   (325,632 bytes)
  • amd.txt   (434,176 bytes)
  • ccm.exe   (13,685,760 bytes)
  • ccm.txt   (18,247,680 bytes)
  • cpu.exe   (441,344 bytes)
  • cpu.txt   (588,460 bytes)
  • dmclient.exe   (300,032 bytes)

NOTES:
WEB TRAFFIC BLOCK LIST

Indicators are not a block list.  If you feel the need to block web traffic, I suggest the following domains and URLs:
INFECTION TRAFFIC


Shown above:  Downloaded file dmclient.exe from malicious URL caused by ad traffic.

Shown above:  Traffic from the infection filtered in Wireshark.
TRAFFIC FROM AN INFECTED WINDOWS HOST (EMOTET + ZEUS PANDA BANKER):
MALWARE

MALWARE RETRIEVED FROM MY INFECTED WINDOWS HOST:

OTHER ASSOCIATED MALWARE FROM ND3RO REPOSITORY SUPERSUPREME ON BITBUCKET.ORG:
ADDITIONAL IMAGES


Shown above:  XMRig coinminer traffic from my infected lab host.

Shown above:  Traffic from the infection shown in the Fiddler web debugger.

Shown above:  Reviewing the HTTPS traffic in Fiddler shows base64-encoded files from bitbucket.org.

Shown above:  Found three base64 text files for malware at "nd3ro" repository "supersupreme" on bitbucket.org.
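The three .txt files in the associated-files list are each about four-thirds the size of the matching .exe (amd.txt at 434,176 bytes against amd.exe at 325,632 bytes, for example), which is exactly the expansion ratio of base64. The Python below is an added example for analysts working a case like this one; it is not code from this page or from the repository it describes. It decodes a base64 text file the way those files would be decoded, checks whether the result carries the MZ and PE signatures of a Windows executable, and hashes it so the value can go into the indicator list. The sample input is a constructed DOS/PE header stub, not any of the real files above.

```python
import base64
import binascii
import hashlib
import struct


def decode_b64_text(text: str) -> bytes:
    """Decode a base64 text blob of the kind found in the repository's .txt files.

    Whitespace and line breaks are removed first and missing '=' padding is
    restored, because downloaded text files are often line-wrapped or cut short.
    Raises ValueError on characters outside the base64 alphabet.
    """
    compact = "".join(text.split())
    compact += "=" * (-len(compact) % 4)
    try:
        return base64.b64decode(compact, validate=True)
    except binascii.Error as exc:
        raise ValueError(f"not valid base64: {exc}") from exc


def looks_like_pe(data: bytes) -> bool:
    """Check the two signatures every Windows executable carries: 'MZ' at offset 0
    and 'PE\\0\\0' at the offset stored in the DOS header field e_lfanew (0x3C)."""
    if len(data) < 0x40 or data[:2] != b"MZ":
        return False
    (e_lfanew,) = struct.unpack_from("<I", data, 0x3C)
    return data[e_lfanew:e_lfanew + 4] == b"PE\x00\x00"


def analyze_b64_file(text: str) -> dict:
    """Decode a base64 text file and summarise what an analyst would log."""
    try:
        decoded = decode_b64_text(text)
    except ValueError:
        return {"is_base64": False, "is_pe": False, "decoded_size": 0, "sha256": None}
    return {
        "is_base64": True,
        "is_pe": looks_like_pe(decoded),
        "decoded_size": len(decoded),
        "sha256": hashlib.sha256(decoded).hexdigest(),
    }


def expansion_ratio(text_size: int, binary_size: int) -> float:
    """Base64 grows data by 4/3, so comparing file sizes is a quick triage hint."""
    return text_size / binary_size


# Constructed sample: a minimal DOS/PE header stub (not a real program), standing
# in for the amd.txt / ccm.txt / cpu.txt files listed on the page.
_stub = bytearray(0x40)
_stub[0:2] = b"MZ"
_stub[0x3C:0x40] = struct.pack("<I", 0x40)      # e_lfanew points at the PE signature
_stub += b"PE\x00\x00" + b"\x00" * 20
SAMPLE_PE_BYTES = bytes(_stub)                  # 88 bytes
_b64 = base64.b64encode(SAMPLE_PE_BYTES).decode("ascii")
# Wrap at 76 columns the way many dumpers do, to exercise the whitespace handling.
SAMPLE_B64_TEXT = "\n".join(_b64[i:i + 76] for i in range(0, len(_b64), 76)) + "\n"


if __name__ == "__main__":
    print(analyze_b64_file(SAMPLE_B64_TEXT))
    # Sizes from the page: amd.txt 434,176 bytes versus amd.exe 325,632 bytes.
    print("amd.txt / amd.exe size ratio:", round(expansion_ratio(434176, 325632), 3))
```

Run it against a real .txt from a case and the `is_pe` flag tells you whether the decoded payload is a Windows executable before anything is written to disk; the SHA-256 is computed on the decoded bytes, which is the hash that will match the dropped .exe rather than the text wrapper.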

Shown above:  Coinminer malware made persistent on my infected lab host.
FINAL NOTES

Once again, here are the associated files:

Zip archives are password-protected with the standard password.  If you don't know it, look at the "about" page of this website.