One Article Review

Source RedTeam PL
Identifier 1798881
Publication date 2020-06-03 13:55:20 (viewed: 2020-07-09 15:05:42)
Title Kinsing cryptocurrency mining malware (TTPs & IOC)
Text We would like to share with the community the following TTPs and IOC related to the Kinsing cryptocurrency mining malware, as most research focuses directly on analysing the malware samples rather than on how the malware infects the system.

TTPs
Attackers are using an RCE vulnerability in Liferay identified as CVE-2020-7961 [https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2020-7961]. There is a publicly available PoC on GitHub [https://github.com/mzer0one/CVE-2020-7961-POC/blob/master/poc.py] for this vulnerability, which matched most of the artifacts we found on the targeted system. Attackers send the payload using an HTTP POST request:

POST /api/jsonws/invoke
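The one network-side artifact the excerpt gives is the delivery vector: an HTTP POST to Liferay's /api/jsonws/invoke endpoint. The script below is an added example (not code from the RedTeam PL article) that scans web-server access logs in the common combined format and groups every POST to that endpoint by client IP, so a responder knows which clients' request bodies and proxy logs to pull next. The log format, the field names and the sample log lines are assumptions constructed for illustration; the IPs and timestamps in them are not IOCs from the article.

```python
"""Flag HTTP POST requests to Liferay's JSON web services endpoint in access logs.

Added example, not part of the RedTeam PL article. The article reports that the
CVE-2020-7961 payload was delivered with an HTTP POST to /api/jsonws/invoke;
this script finds such requests in combined-format access logs. The sample log
lines at the bottom are constructed and are not indicators from the article.
"""
import re
from collections import defaultdict

# Combined log format (assumed):
#   ip ident user [time] "METHOD path HTTP/x.y" status bytes "referer" "user-agent"
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<time>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<path>\S+)(?: HTTP/[\d.]+)?" '
    r'(?P<status>\d{3}) (?P<size>\S+)'
)

# Liferay JSON web services endpoint the article shows the payload being POSTed to.
# Matched case-insensitively on the path component only, so a query string or a
# sub-path appended to it still matches.
SUSPECT_PATH = "/api/jsonws/invoke"


def parse_line(line):
    """Return the fields of one combined-format access log line as a dict, or None."""
    m = LOG_RE.match(line)
    if not m:
        return None
    entry = m.groupdict()
    entry["status"] = int(entry["status"])
    return entry


def is_jsonws_invoke(entry):
    """True when the entry is a POST whose path starts with /api/jsonws/invoke."""
    path = entry["path"].split("?", 1)[0].lower()
    return entry["method"] == "POST" and path.startswith(SUSPECT_PATH)


def find_jsonws_posts(lines):
    """Return {client_ip: [entries]} for every POST to /api/jsonws/invoke.

    Lines that do not parse are skipped rather than raising, so one garbled
    line does not abort triage of a large log.
    """
    hits = defaultdict(list)
    for line in lines:
        entry = parse_line(line)
        if entry and is_jsonws_invoke(entry):
            hits[entry["ip"]].append(entry)
    return dict(hits)


# Constructed sample log (not from the article): two POSTs to the JSON-WS endpoint
# from one client, a harmless GET to the same path, an unparseable line, and
# ordinary portal traffic.
SAMPLE_LOG = """\
192.0.2.10 - - [03/Jun/2020:10:01:02 +0000] "GET /web/guest/home HTTP/1.1" 200 5123 "-" "Mozilla/5.0"
198.51.100.7 - - [03/Jun/2020:10:01:17 +0000] "POST /api/jsonws/invoke HTTP/1.1" 200 412 "-" "python-requests/2.23.0"
192.0.2.10 - - [03/Jun/2020:10:01:20 +0000] "GET /api/jsonws/invoke HTTP/1.1" 405 0 "-" "Mozilla/5.0"
198.51.100.7 - - [03/Jun/2020:10:01:31 +0000] "POST /api/jsonws/invoke?p_auth=x HTTP/1.1" 500 0 "-" "python-requests/2.23.0"
garbled line that does not match the format
192.0.2.44 - - [03/Jun/2020:10:02:00 +0000] "POST /c/portal/login HTTP/1.1" 302 0 "-" "Mozilla/5.0"
"""


def main():
    for ip, entries in find_jsonws_posts(SAMPLE_LOG.splitlines()).items():
        print(f"{ip}: {len(entries)} POST(s) to {SUSPECT_PATH}")
        for e in entries:
            print(f"  {e['time']}  {e['method']} {e['path']} -> {e['status']}")


if __name__ == "__main__":
    main()
```

A 200 response to such a POST does not by itself prove successful exploitation, since legitimate Liferay clients use the same endpoint; the output is a triage list of clients whose request bodies should be compared against the published PoC, not a verdict.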
Sent Yes
Tags Malware Vulnerability


The article does not appear to have been picked up after its publication.


The article does not appear to have been picked up from an earlier one.