Marcus Adams<p>So I was experimenting with <a href="https://mastodon.social/tags/XMrig" class="mention hashtag" rel="nofollow noopener noreferrer" target="_blank">#<span>XMrig</span></a> yesterday; was thinking of using my Ryzen 9 mini PC to do some <a href="https://mastodon.social/tags/Monero" class="mention hashtag" rel="nofollow noopener noreferrer" target="_blank">#<span>Monero</span></a> mining. I noticed a status message that said something about the hash rate being limited because of lack of access to an "MSR Mod". Apparently the "fix" for this is to run xmrig as root and disable secure boot.</p><p>Call me paranoid, but that seems really suspicious. I aint giving no third party software root privileges.</p><p><a href="https://mastodon.social/tags/Security" class="mention hashtag" rel="nofollow noopener noreferrer" target="_blank">#<span>Security</span></a></p>
Recent searches
Search options
#xmrig
1 post1 participant0 posts today
Happy Friday everyone!
#Cryptominers and #CVE20173506 is featured in today's #readoftheday! Trend Micro takes us through a riveting tale where the protagonist, #WaterSigbin, abuses a vulnerability in Oracle WebLogic Servers. After exploitation, a Base64-encoded payload is run that drops the initial stage loader named "wireguard2-3.exe", which masquerades itself as a legitimate VPN technology to help with it's defense evasion. It also plays a role in getting the attack to the next stages which involve DLL-reflection, C2 communication, and finally the #XMRig cyrptominer.
Significant details that are included is a scheduled task created for Windows Defender exclusion, some discovery using WMI, and another scheduled task for persistence. As usual, I am not going to spoil it all, go and have a read for yourself! Enjoy and Happy Hunting!
Notable MITRE ATT&CK TTPs (thanks to the authors):
TA0001 - Initial Access
T1190 - Exploit Public-Facing Application
TA0002 - Execution
T1059.001 - Command and Scripting Interpreter: PowerShell
T1047 - Windows Management Instumentation
TA0005 - Defense Evasion
T1620 - Reflective Code Loading
T1036.005 - Masquerading: Match Legitimate Name or Location
T1562.001 - Impair Defenses: Disable or Modify Tools
TA0003 - Persistence
T1053.005 - Scheduled Task/Job: Scheduled Task
TA0011 - Command And Control
T1571 - Non-Standard Port
T1071 - Application Layer Protocol
TA0007 - Discovery
T1057 - Process Discovery
T1012 - Query Registry
Examining Water Sigbin's Infection Routine Leading to an XMRig Cryptominer
https://www.trendmicro.com/en_us/research/24/f/water-sigbin-xmrig.html
Intel 471 #CyberSecurity #ITSecurity #InfoSec #BlueTeam #ThreatIntel #ThreatHunting #ThreatDetection #HappyHunting #gethunting
Trend Micro · Examining Water Sigbin's Infection Routine Leading to an XMRig CryptominerWe analyze the multi-stage loading technique used by Water Sigbin to deliver the PureCrypter loader and XMRIG crypto miner.
"All You Need to Know About Emotet in 2022"
#Emotet #malware > #XMRig #CobaltStrike #IcedID #exploitkit #trojan
#cybersecurity #infosec #TTP #IoC
https://thehackernews.com/2022/11/all-you-need-to-know-about-emotet-in.html
The Hacker NewsAll You Need to Know About Emotet in 2022For 6 months, the infamous Emotet botnet has shown almost no activity, and now it's distributing malicious spam.