
Rewterz Threat Alert – MSSQL Servers Hijacked and Made into Monero Mining Machines

July 30, 2020

Severity

High

Analysis Summary

A mining Trojan has been found targeting MSSQL servers. It mainly targets the MS SQL service with brute-force attacks against weak passwords. Once a password is guessed, a Monero mining Trojan is implanted on the server. At the same time, the attacker downloads the frpc intranet penetration tool (the client of the frp reverse proxy) to install a backdoor, and adds user accounts so that the intruder can log in to the server remotely.

Judging from the download counts on the mining Trojan's HFS (HTTP File Server) distribution server, tens of thousands of MSSQL servers have been implanted with the mining Trojan, and dozens of servers have had backdoors installed. The intranet penetration tool the attacker installs on a compromised server further increases the risk of deeper intrusion, and the compromise of a corporate database server can lead to serious information leakage incidents.
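As an added example (not part of the Rewterz advisory), the following Python detects the intrusion pattern described above in a SQL Server ERRORLOG: a burst of failed logins from one client followed by a successful login from that same client. The log excerpt is constructed, uses RFC 5737 documentation-range IPs, and assumes login auditing for both failed and successful logins is enabled on the instance.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed SQL Server ERRORLOG excerpt (not taken from the advisory).
# Client IPs are from the RFC 5737 documentation ranges.
SAMPLE_ERRORLOG = """\
2020-07-30 10:00:01.10 Logon       Login failed for user 'sa'. Reason: Password did not match that for the login provided. [CLIENT: 203.0.113.10]
2020-07-30 10:00:02.40 Logon       Login failed for user 'appuser'. Reason: Password did not match that for the login provided. [CLIENT: 198.51.100.7]
2020-07-30 10:00:03.12 Logon       Login failed for user 'sa'. Reason: Password did not match that for the login provided. [CLIENT: 203.0.113.10]
2020-07-30 10:00:05.20 Logon       Login failed for user 'sa'. Reason: Password did not match that for the login provided. [CLIENT: 203.0.113.10]
2020-07-30 10:00:07.31 Logon       Login failed for user 'admin'. Reason: Could not find a login matching the name provided. [CLIENT: 203.0.113.10]
2020-07-30 10:00:09.45 Logon       Login failed for user 'sa'. Reason: Password did not match that for the login provided. [CLIENT: 203.0.113.10]
2020-07-30 10:00:11.02 Logon       Login failed for user 'sa'. Reason: Password did not match that for the login provided. [CLIENT: 203.0.113.10]
2020-07-30 10:00:13.77 Logon       Login succeeded for user 'sa'. Connection made using SQL Server authentication. [CLIENT: 203.0.113.10]
2020-07-30 10:05:00.00 Logon       Login succeeded for user 'appuser'. Connection made using SQL Server authentication. [CLIENT: 198.51.100.7]
"""

LINE_RE = re.compile(
    r"^(\d{4}-\d{2}-\d{2} \d{2}:\d{2}:\d{2})\.\d+ Logon\s+"
    r"Login (failed|succeeded) for user '([^']*)'.*\[CLIENT: ([\d.]+)\]$"
)

def parse_logon_events(log_text):
    """Return a list of (timestamp, succeeded, user, client_ip) per logon audit line."""
    events = []
    for line in log_text.splitlines():
        m = LINE_RE.match(line)
        if m:
            ts = datetime.strptime(m.group(1), "%Y-%m-%d %H:%M:%S")
            events.append((ts, m.group(2) == "succeeded", m.group(3), m.group(4)))
    return events

def detect_bruteforce(log_text, threshold=5, window=timedelta(seconds=60)):
    """Flag clients with >= threshold failed logins inside `window`, and record
    whether the same client later logged in successfully (the advisory's pattern)."""
    window_hits = defaultdict(list)   # client -> failure timestamps inside window
    total_fail = defaultdict(int)
    alerts = {}
    for ts, ok, user, client in sorted(parse_logon_events(log_text)):
        if not ok:
            total_fail[client] += 1
            hits = [t for t in window_hits[client] if ts - t <= window] + [ts]
            window_hits[client] = hits
            if len(hits) >= threshold:
                alerts.setdefault(client, {"failures": 0, "succeeded_as": None})
            if client in alerts:
                alerts[client]["failures"] = total_fail[client]
        elif client in alerts and alerts[client]["succeeded_as"] is None:
            alerts[client]["succeeded_as"] = user   # the brute force paid off
    return alerts
```

A flagged client whose `succeeded_as` is set is the high-signal case: the next steps the advisory describes (miner, frpc, new local users) follow that login, so the host should be checked immediately.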

Impact

  • Unauthorized remote access
  • Intrusion
  • Information leakage
  • Server compromise

Indicators of Compromise


Remediation

  • Block the threat indicators at their respective controls.
  • Avoid using weak passwords on all servers.