Since the end of March LIFARS DFIR team has observed an increase in the number of incidents related to Monero cryptocurrency miners.
Some of the companies affected by this type of malware came to us, which prompted us to begin an investigation. Based on the initial discussion with the clients, we determined a few machines from which to start our investigation. As we collected and analyzed more and more data about the current state of the incident as well as the attacker’s abilities, we utilized approaches from forensic analysis, monitoring and threat hunting.
Reconstructing the attacker’s steps and working backwards, we found Patient Zero – machine, which was first compromised by attackers to gain access to the client network. LIFARS detected and analyzed the exploitation of CVE-2019-18935 vulnerability in Telerik Web UI for ASP.NET, lateral movement and the compromise of hundreds of machines in the internal network, remote backdoors and cryptocurrency miners with multiple persistence techniques used, including a not as common one based on COR Profilers.
We found the linking between the publicly available exploit for CVE-2019-18935 and the custom malware used as an installer of CoinMiners. Later we were able to reconstruct the whole installation and CoinMiner infection process, including the installation artifacts which had been deleted. Based on our investigation, we confirmed the origin of these attacks to the Blue Mockingbird group of attackers.
In this case study, we summarize findings and describe some of our methods and techniques.
|Contact Us to Start Threat Hunting|
Please learn more about DEF COM conference’ presentations by Ladislav B. here: