Cybercriminals now leveraging new hacking tools and remote access software to drop cryptocurrency malware by exploiting a Windows SMB Server Vulnerability .
There are 2 main hacking tools that are used by attackers to drop random file info to the targeted systems windows registry.
First one is
At the same time threat actors using another legitimate remote access tool
RADMIN, enterprise tool for remote access to network computers and servers.
RADMIN mainly used by attackers to gain admin rights and introduce other malware into targeted systems.
In this case, both MIMIKATZ and RADMIN combined to targeting the enterprise assets for data exfiltration by evading the detection by lunching random name with valid Windows functions.
Malware Infection Process
Apart from the samples of a random name, its drops finally a Monero miner malware payload from a remote server through the command sent via RADMIN to the target machine.
This malware variant mainly drops when
After the complete infection process, it connects to the command & control server IP address and send the information and download the
According to Trend Micro research, “It continues to save and execute the downloaded file a Python-compiled executable that imports several other Python modules to gather credentials, as well as
Threat actors behind this malware targeting victims with the main motivation of stealing credentials and developing the module for future attack via escalated privileges and remote access.
“Since the info stealer is able to send back information such as user accounts, port forwarding, and system specifics, and capable of planting the hack tool for remote admin functions, it can let attackers remotely access the system to initiate more attacks in the future if left unchecked.” Trend Micro said.