One Article Review

Source: AlienVault Lab Blog
Identifier: 456470
Publication date: 2018-01-08 14:00:00 (seen: 2018-01-08 14:00:00)
Title: A North Korean Monero Cryptocurrency Miner
Text: AlienVault Labs recently analysed an application compiled on Christmas Eve 2017. It is an installer for software that mines the Monero cryptocurrency. Any mined currency is sent to Kim Il Sung University in Pyongyang, North Korea.

The installer copies a file named intelservice.exe to the system. The filename intelservice.exe is often associated with cryptocurrency mining malware. Based on the arguments it is executed with, it is likely a piece of software called xmrig. It is not unusual to see xmrig in malware campaigns; it was recently used in some wide campaigns exploiting unpatched IIS servers to mine Monero.

The installer executes xmrig with the following command (the wallet address is shortened here):

"-o barjuok.ryongnamsan.edu.kp:5615 -u 4JUdGzvrMFDWrUUwY... -p KJU" + processorCount + " -k -t " + (processorCount - 1)

The installer passes xmrig the following arguments:

4JUdGzvrMFDWrUUwY3toJATSeNwjn54LkCnKBPRzDuhzi5vSepHfUckJNxRL2gjkNrSqtCoRUrEDAgRwsQvVCjZbRy5YeFCqgoUMnzumvS is the address of the Monero wallet.

barjuok.ryongnamsan.edu.kp is the mining server that would receive any mined currency. The ryongnamsan.edu.kp domain indicates this server is located at Kim Il Sung University.

The password, KJU, is a possible reference to Kim Jong-un.

Why was this application created? The hostname barjuok.ryongnamsan.edu.kp does not currently resolve. That means the software cannot send mined currency to the authors, at least on most networks. It may be that the application is designed to be run within another network, such as that of the university itself; that the address used to resolve but no longer does; or that the use of a North Korean server is a prank to trick security researchers. It is not clear if we are looking at an early test of an attack, or part of a 'legitimate' mining operation where the owners of
Sent: Yes
Tags:
Stories: Wannacry, Bithumb, APT 38
Notes:


The article does not appear to have been republished after its publication.


The article does not appear to be a repeat of an earlier one.