• Services
    • Asses
      • Compromise Assessment
      • APT Assessment
      • Penetration Testing
      • Secure Architecture Design & Review
      • Red Team Assessment
      • Purple Team Assessment
      • Social Engineering
      • Source Code Review
    • Transform
      • SOC Consultancy
      •     SOC Maturity Assessment
      •     SOC Model Evaluation
      •     SOC Gap Analysis
      •     SIEM Gap Analysis
      •     SIEM Optimization
      •     SOC Content Pack
    • Train
      • Security Awareness and Training
      • Tabletop Exercise
      • Simulated Cyber Attack Exercises
    • Respond
      • Incident Response
      • Incident Analysis
  • Managed Security
    • Managed Security Monitoring
      • Remote SOC
      • Onsite SOC
      • Hybrid SOC
    • Managed Security Services
      • Managed Detection and Response
      • Managed Endpoint Detection and Response
      • Managed Threat Intelligence
      • Managed Threat Hunting
      • Managed Risk-Based SOAR
      • Managed Penetration Testing
  • Solutions
  • Resources
    • Blog
    • Threat Advisory
  • Company
    • About Us
    • Careers
    • Contact
Rewterz Threat Alert – Diving Into Sodinokibi Ransomware
October 16, 2019
Rewterz Threat Alert – Eternal Blue Trojan Upgraded to Detect & Exploit BlueKeep Vulnerability
October 16, 2019

Rewterz Threat Alert – Chinese Hackers Evade Detection with Advanced Cryptojacking Tactics

October 16, 2019

Severity

Medium

Analysis Summary

Chinese-speaking cybercrime group Rocke, known for operating multiple large-scale malicious crypto-mining campaigns, is a financially motivated threat group using new tactics to evade detection.

This new malware strain is designed to help them set up Monero (XMR) cryptojacking operations on compromised systems, to almost non-existent detection rates. In addition to the C2 change, functionality was also added to their LSD malware to exploit ActiveMQ servers vulnerable to CVE-2016-3088.

Impact

Cryptojacking

Indicators of Compromise

Domain Name

  • cron[.]iap5u1rbety6vifaxsi9vovnc9jjay2l[.]com
  • 1×32[.]iap5u1rbety6vifaxsi9vovnc9jjay2l[.]com
  • update[.]systemten[.]org
  • lsd[.]systemten[.]org

MD5

  • 781fb531354d6f291f1ccab48da6d39f
  • a9175094b275a0aaed30604f7dceeb14
  • 0b7b52302c8c5df59d960dd97e3abdaf

SH256

  • 97d585b6aff62fb4e43e7e6a5f816dcd7a14be11a88b109a9ba9e8cd4c456eb9
  • 5a4a7d72e3a410b15ab59d0a387bf31d8935f991f517d8d24d353d3945d7705c
  • a6be5be2d16a24430c795faa7ab7cc7826ed24d6d4bc74ad33da5c2ed0c793d0

Source IP

185[.]205[.]210[.]48

Remediation

  • Block the threat indicators at their respective controls.
  • Make sure all ActiveMQ servers vulnerable to CVE-2016-3088 have been updated to patched versions.
  • Services
    • Asses
      • Compromise Assessment
      • APT Assessment
      • Penetration Testing
      • Secure Architecture Design & Review
      • Red Team Assessment
      • Purple Team Assessment
      • Social Engineering
      • Source Code Review
    • Respond
      • Incident Response
      • Incident Analysis
  • Transform
    • SOC Consultancy
    •     SOC Maturity Assessment
    •     SOC Model Evaluation
    •     SOC Gap Analysis
    •     SIEM Gap Analysis
    •     SIEM Optimization
    •     SOC Content Pack
  • Train
    • Security Awareness and Training
    • Tabletop Exercise
    • Simulated Cyber Attack Exercises
  • Managed Security
    • Managed Security Monitoring
      • Remote SOC
      • Onsite SOC
      • Hybrid SOC
    • Managed Security Services
      • Managed Detection and Response
      • Managed Endpoint Detection and Response
      • Managed Threat Intelligence
      • Managed Threat Hunting
      • Managed Risk-Based SOAR
      • Managed Penetration Testing
  • Solutions
  • Resources
    • Blog
    • Threat Advisory
  • Company
    • About Us
    • Careers
    • Contact
COPYRIGHT © REWTERZ. ALL RIGHTS RESERVED.