Platform
Managed Security Services
Managed Penetration Testing
Rewterz penetration testing services help organizations determine if a cyber attacker can gain access to their critical assets while giving them detailed insights of the overall business impact of a cyber attack.
Resources
September 22, 2023
Severity High Analysis Summary Ducktail Malware is a malicious program designed by hackers to infiltrate computers and networks globally. Ducktail malware is typically delivered through a […]September 22, 2023Severity Medium Analysis Summary First discovered in 2016, Revenge RAT is a remote access trojan (RAT) designed to give an attacker complete control over an infected […]September 22, 2023Severity High Analysis Summary The Konni APT (Advanced Persistent Threat) group is a cyber espionage group that has been active since at least 2014. It is […]Threat Insights
Before Rewterz got its start, the market was in dire need of a specialized and dedicated information security company. It was nearly impossible for businesses to find a trustworthy provider that could truly cover all of their bases. We wanted to meet this need, giving companies across the globe a chance to get ahead while knowing that their data is in good hands.
Connect with Us
Platform
Managed Security Services
Managed Penetration Testing
Rewterz penetration testing services help organizations determine if a cyber attacker can gain access to their critical assets while giving them detailed insights of the overall business impact of a cyber attack.
Resources
September 22, 2023Severity High Analysis Summary Ducktail Malware is a malicious program designed by hackers to infiltrate computers and networks globally. Ducktail malware is typically delivered through a […]September 22, 2023Severity Medium Analysis Summary First discovered in 2016, Revenge RAT is a remote access trojan (RAT) designed to give an attacker complete control over an infected […]September 22, 2023Severity High Analysis Summary The Konni APT (Advanced Persistent Threat) group is a cyber espionage group that has been active since at least 2014. It is […]Threat Insights
Before Rewterz got its start, the market was in dire need of a specialized and dedicated information security company. It was nearly impossible for businesses to find a trustworthy provider that could truly cover all of their bases. We wanted to meet this need, giving companies across the globe a chance to get ahead while knowing that their data is in good hands.
Connect with Us
Rewterz Threat Alert – 8 Year-Old Bug Resurrected for LimeRAT Campaign
April 2, 2020Rewterz Threat Alert – Formbook delivered by Covid-19 lure
April 3, 2020
Severity
High
Description
Password blast attacks on SSH server are being initiated by the large mining botnet DDGMiner to mine Monero, consuming excessive system resources and disabling some security products.
Analysis Summary
Recently, a weak password blast attack on the SSH server was detected by a security researcher. It was an attack initiated by the large mining botnet DDGMiner. It is characterized by scanning and attacking SSH service, Redis database, OrientDB database and other servers, and implanting a mining Trojan on the compromised server to mine Monero for profit. DDGMiner’s main propagation method is still SSH blasting. Hackers first download the shell script i.sh after being hacked through weak passwords or exploits, and install it as a crontab scheduled task to be executed every 15 minutes.The DDG botnet mainly scans the SSH service and the Redis service for violent invasion of the LINUX system to dig Monero for profit. The mining Trojan is continuously being updated by attackers, as 9 new versions were released in the past month alone. After the DDG mining trojan is executed, it will request a configuration file to be downloaded. According to the configuration file, the mining trojan wordpress and virus script i.sh will be executed. In addition, the latest version of the DDG mining trojan will download the uninstall.sh , quartz_uninstall script . sh uninstalls security protection products such as Tencent Yunyun Mirror and Ali Yunan Knight to enhance the survival time of mining Trojans on the server. Virus mining behavior will greatly affect server performance. Additionally, the trojan modifies the hosts file to map the URLs of competing Trojans such as trumpzwlvlyrvlss.onion to the IP address 0.0.0.0 to achieve the purpose of shielding competitors’ Trojan horses from monopolizing system resources. The Monero Mining Trojan wordpress is compiled by the open source mining program XMRig.
Impact
- Consumption of system resources
- Possible denial of service
- Disabling of some security products
Indicators of Compromise
MD5
- f84a0180ebf1596df4e8e8b8cfcedf63
- 14fcb1d3a0f6ecea9e18eff2016bc271
- d146612bed765ba32200e0f97d0330c8
- e64b247d4cd9f8c58aedc708c822e84b
- 682f839c1097af5fae75e0c5c39fa054
- 495dfc4ba85fac2a93e7b3f19d12ea7d
- dc87e9c91503cc8f2e8e3249cd0b52d7
SHA-256
- feb6e520d901c2bf56a87b1dda9144e7a534d11ed0269a43146e18d926844662
- a30d73e25d83117b372494b65c289e6be41f68999d53843970f1d5d7bcab9497
- 1309a879002171c6fc080ed7f2d63341576a9b1168d7d6f6125968bb5b8840b7
- 471713ed425d7b7b0ef8a188218e0fa79b06ba5f1174e2193d6d08d14d114118
- 49c1c3eb642ab70fcdda73a20cb82cc64cf617872e3130190d09a94edf954dff
- 306e23b30a282b5d58c82fd267ba3bc8c292c2ee48384f976c3513437182f9be
- c7b43e209df939969c9ad3c8d6d1dbeeb87e3abd85f5a87f4d1cb74127065067
Source IP
- 67[.]205[.]168[.]20
Remediation
- Block the threat indicators at their respective controls.
- Prioritize the patching of security vulnerabilities of the relevant components of the enterprise server.
- Use high-strength Redis login password and SSH login password.
- Add firewall rules if necessary to avoid IP access from other untrusted sources.