July 30, 2020
Severity
High
Analysis Summary
A mining Trojan has been found targeting MSSQL servers. It mainly targets the MS SQL service by brute-forcing weak passwords. Once a login is brute-forced, a Monero mining Trojan is implanted on the server. At the same time, the attacker downloads the frpc intranet penetration tool to install a backdoor, and adds user accounts so that the intruder can log in to the server remotely.
Judging from the count on the mining Trojan's HFS server, tens of thousands of MSSQL servers have been implanted with the mining Trojan, and dozens of servers have had backdoors installed. The intranet penetration tool the attacker installs on a compromised server further increases the risk of intrusion, and the compromise of a corporate database server can lead to serious information leakage incidents.
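As an added, defender-side illustration of the chain described above (this is not code from the Rewterz alert), the following Python script correlates a burst of failed SQL Server logins from one source with a subsequent successful login and a local account creation, over constructed sample events. The pipe-delimited log format, the thresholds, and the use of SQL Server messages 18456/18454 and Windows security event 4720 are assumptions about how such logs would be normalised.

```python
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample log (not from the alert), one event per line:
# "timestamp|event_id|source|detail". 18456/18454 are SQL Server's
# login-failed/login-succeeded messages; 4720 is the Windows
# "A user account was created" security event.
SAMPLE_LOG = """\
2020-07-30 01:00:01|18456|203.0.113.5|Login failed for user 'sa'
2020-07-30 01:00:02|18456|203.0.113.5|Login failed for user 'sa'
2020-07-30 01:00:03|18456|203.0.113.5|Login failed for user 'sa'
2020-07-30 01:00:04|18456|203.0.113.5|Login failed for user 'sa'
2020-07-30 01:00:05|18456|203.0.113.5|Login failed for user 'sa'
2020-07-30 01:00:06|18454|203.0.113.5|Login succeeded for user 'sa'
2020-07-30 01:02:10|4720|localhost|User account created: svc_sql
2020-07-30 03:00:00|18456|198.51.100.7|Login failed for user 'app'
2020-07-30 03:00:09|18454|198.51.100.7|Login succeeded for user 'app'
"""

FAIL_THRESHOLD = 5                     # failures from one source ...
FAIL_WINDOW = timedelta(minutes=5)     # ... within this window = brute force
FOLLOW_WINDOW = timedelta(minutes=30)  # later stages must land inside this

def parse(log):
    # Turn each line into (timestamp, event_id, source, detail).
    events = []
    for line in log.strip().splitlines():
        ts, eid, src, detail = line.split("|", 3)
        events.append((datetime.strptime(ts, "%Y-%m-%d %H:%M:%S"), int(eid), src, detail))
    return events

def detect(log):
    """Return (source, stage) findings for the brute-force -> login -> user-add chain."""
    findings, failures, brute_forced_at = [], defaultdict(list), {}
    for ts, eid, src, _detail in parse(log):
        if eid == 18456:
            # keep only failures still inside the sliding window, then add this one
            failures[src] = [t for t in failures[src] if ts - t <= FAIL_WINDOW] + [ts]
            if len(failures[src]) >= FAIL_THRESHOLD and src not in brute_forced_at:
                brute_forced_at[src] = ts
                findings.append((src, "brute_force"))
        elif eid == 18454 and ts - brute_forced_at.get(src, datetime.min) <= FOLLOW_WINDOW:
            findings.append((src, "login_after_brute_force"))
        elif eid == 4720:
            # a local account created shortly after a brute-force success matches the backdoor-user step
            for bsrc, bts in brute_forced_at.items():
                if ts - bts <= FOLLOW_WINDOW:
                    findings.append((bsrc, "user_added_after_brute_force"))
    return findings
```

Running `detect(SAMPLE_LOG)` flags only the 203.0.113.5 chain; the single failure and later success from 198.51.100.7 never cross the threshold and stay silent.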
Impact
- Unauthorized remote access
- Intrusion
- Information leakage
- Server compromise
Indicators of Compromise
Domain Name
- d3d[.]hex7e4[.]ru
- xxx[.]hex7e4[.]ru
- xmr[.]hex7e4[.]ru
- pornvega[.]com
- hex7e4[.]ru
Source IP
- 43[.]229[.]149[.]62
- 185[.]212[.]128[.]180
Remediation
- Block the threat indicators at their respective controls.
- Avoid using weak passwords on all servers.