Hackers Use Advanced Targeted Attack Tools to Compromise Machines Running Older Versions of Microsoft Windows OS

A new large-scale cyber attack combines regular cybercrime tooling with targeted-attack tools to deliver cryptocurrency miners and ransomware. The campaign makes use of sophisticated hacking tools that were previously used in targeted attacks.

Trend Micro researchers observed the threat actors using a package of tools attributed to the Equation Group and publicly known through the Shadow Brokers leak; the attack mainly targets outdated versions of the Microsoft Windows OS.

“The technique of using advanced tools to spread more ubiquitous types of malware is a trend we have been observing lately.”

The campaign targets organizations around the globe rather than individuals, and it delivers a cryptocurrency miner to the vulnerable machines. The campaign has two unique features:

  • No individual users were targeted.
  • All of the compromised machines were running an outdated Windows OS.

In this campaign, the threat actors use an EternalBlue-based backdoor to deliver cryptocurrency miners and other malware to the system. Researchers also spotted a number of tools on the infected systems, including the password-dumping tool Mimikatz and Equation Group tools.

All the infected machines contain a file named Diagnostics[.]txt, which is actually a ZIP archive; the TXT extension is used to avoid detection. The tools used in the campaign are open on the Internet and accessible to everyone, and the vulnerabilities exploited have already been patched.
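The Diagnostics[.]txt trick relies on defenders trusting the file extension. The following Python script, added here as an illustration and not taken from the Trend Micro report, walks a directory and flags files with a text-like extension whose contents carry a ZIP signature or a valid ZIP central directory. The sample directory it builds (a real archive saved as Diagnostics.txt beside a genuine text file and a correctly named .zip) is constructed for the demo; the extension list and file names are assumptions.

```python
import os
import tempfile
import zipfile
from pathlib import Path

# Local-file-header signature of a ZIP archive (PK\x03\x04), plus the
# signatures of an empty archive (PK\x05\x06) and a spanned archive (PK\x07\x08).
ZIP_SIGNATURES = (b"PK\x03\x04", b"PK\x05\x06", b"PK\x07\x08")

# Extensions that should never hold a ZIP container (assumed list for the demo).
TEXT_EXTENSIONS = {".txt", ".log", ".csv", ".ini"}


def looks_like_zip(path):
    """True if the file starts with a ZIP signature or ends with a valid central directory.

    zipfile.is_zipfile() looks for the end-of-central-directory record, so it also
    catches archives that have junk prepended before the first local file header.
    """
    try:
        with open(path, "rb") as fh:
            head = fh.read(4)
    except OSError:
        return False
    return head in ZIP_SIGNATURES or zipfile.is_zipfile(path)


def find_masqueraded_archives(root):
    """Return sorted relative paths of text-named files under `root` that are really ZIP archives."""
    findings = []
    for path in Path(root).rglob("*"):
        if path.is_file() and path.suffix.lower() in TEXT_EXTENSIONS and looks_like_zip(path):
            findings.append(str(path.relative_to(root)))
    return sorted(findings)


def build_sample_tree():
    """Constructed sample tree: a ZIP saved as Diagnostics.txt, a real text file, a proper .zip."""
    root = tempfile.mkdtemp(prefix="masq_demo_")
    with zipfile.ZipFile(os.path.join(root, "Diagnostics.txt"), "w") as zf:
        zf.writestr("payload.bin", b"placeholder bytes for the demo, not malware")
    with open(os.path.join(root, "readme.txt"), "w") as fh:
        fh.write("just a text file\n")
    with zipfile.ZipFile(os.path.join(root, "backup.zip"), "w") as zf:
        zf.writestr("a.txt", "x")  # legitimate archive with the correct extension
    return root


if __name__ == "__main__":
    sample_root = build_sample_tree()
    for hit in find_masqueraded_archives(sample_root):
        print("extension/content mismatch:", hit)
```

Run it against a suspect host's profile or temp directories; the mismatch list is a cheap triage signal that should be followed up by checking the archive's contents and hashes against the report's IoCs.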

“Since we began tracking it in March 2019, we found more than 80 different files in the wild that are involved in the campaign based on their hashes. All these files are variants of the open-source XMRig (Monero) miner, which is used at scale by numerous cybercriminals worldwide,” reads Trend Micro report.

The campaign affects all regions, with China and India the most heavily targeted countries. It spans a wide range of industries, including education, communication and media, banking, manufacturing, and technology.

Around 83% of the affected computers were running Windows Server 2003 SP2, followed by Windows 7 Ultimate Professional SP1 and Windows XP Professional.

Indicators of Compromise (IoCs)
Network IOC

sminiast[.]com:443
tenchier[.]com:443
boreye[.]com:80
boreye[.]com:53
pilutce[.]com:443
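The network IoCs above are published defanged (with "[.]" in place of "."). The Python below, added as an example and not part of the original article, refangs them into a host-to-ports table and matches them against a few constructed proxy log lines, treating subdomains of an indicator host as matches but ignoring hosts that merely contain the indicator as a substring. The log format, timestamps and client addresses are invented for the demo.

```python
import re
from collections import defaultdict

# Network IoCs from the report, in the defanged form they were published in.
NETWORK_IOCS = [
    "sminiast[.]com:443",
    "tenchier[.]com:443",
    "boreye[.]com:80",
    "boreye[.]com:53",
    "pilutce[.]com:443",
]


def refang(value):
    """Turn a defanged indicator such as boreye[.]com into a usable hostname."""
    return value.replace("[.]", ".").replace("hxxp", "http").strip().lower()


def load_iocs(entries):
    """Build {hostname: set(ports)} from host:port indicator strings."""
    table = defaultdict(set)
    for entry in entries:
        host, _, port = refang(entry).rpartition(":")
        table[host].add(int(port))
    return table


# Assumed proxy log layout: <timestamp> <client_ip> <dest_host> <dest_port> <action>
LOG_RE = re.compile(
    r"^(?P<ts>\S+)\s+(?P<client>\S+)\s+(?P<host>\S+)\s+(?P<port>\d+)\s+(?P<action>\S+)$"
)


def host_matches(host, ioc_hosts):
    """Return the matching indicator host for an exact or subdomain match, else None."""
    for ioc in ioc_hosts:
        if host == ioc or host.endswith("." + ioc):
            return ioc
    return None


def scan_log(lines, iocs):
    """Return one hit dict per log line whose destination host and port are in the IoC table."""
    hits = []
    for line in lines:
        m = LOG_RE.match(line.strip())
        if not m:
            continue  # malformed lines are skipped, not treated as hits
        host = m.group("host").lower()
        port = int(m.group("port"))
        matched = host_matches(host, iocs)
        if matched and port in iocs[matched]:
            hits.append({"ts": m.group("ts"), "client": m.group("client"),
                         "indicator": f"{matched}:{port}"})
    return hits


# Constructed sample log lines (not real traffic).
SAMPLE_LOG = """
2019-05-01T10:00:01Z 10.0.0.5 update.microsoft.com 443 ALLOW
2019-05-01T10:00:07Z 10.0.0.5 boreye.com 80 ALLOW
2019-05-01T10:00:09Z 10.0.0.5 boreye.com 443 ALLOW
2019-05-01T10:01:12Z 10.0.0.9 cdn.pilutce.com 443 ALLOW
2019-05-01T10:02:00Z 10.0.0.9 sminiast.com.example.net 443 ALLOW
malformed line that does not parse
""".strip().splitlines()


if __name__ == "__main__":
    for hit in scan_log(SAMPLE_LOG, load_iocs(NETWORK_IOCS)):
        print(hit)
```

Note that boreye.com on port 443 is not reported because the published indicator pairs that host only with ports 80 and 53, and sminiast.com.example.net is not reported because the suffix check requires a dot boundary; whether to widen either rule to host-only matching is a tuning decision for the analyst.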

Coin miner sample hashes
SHA256 Detection


Gurubaran

Gurubaran is a co-founder of Cyber Security News and GBHackers On Security. He has 10+ years of experience as a Security Consultant, Editor, and Analyst in cybersecurity, technology, and communications.
