ioc.exchange is one of the many independent Mastodon servers you can use to participate in the fediverse.
INDICATORS OF COMPROMISE (IOC) InfoSec Community within the Fediverse. Newbies, experts, gurus - Everyone is Welcome! Instance is supposed to be fast and secure.

#xmrig

Marcus Adams
So I was experimenting with #XMrig yesterday; was thinking of using my Ryzen 9 mini PC to do some #Monero mining. I noticed a status message that said something about the hash rate being limited because of lack of access to an "MSR Mod". Apparently the "fix" for this is to run xmrig as root and disable secure boot.

Call me paranoid, but that seems really suspicious. I ain't giving no third-party software root privileges.

#Security
LavX News
StaryDobry: The Malware Campaign Targeting Gamers with Cryptominers

A sophisticated malware campaign named 'StaryDobry' has been infecting gamers through cracked versions of popular titles like Garry's Mod and BeamNG.drive. This multi-stage attack highlights the growi...

https://news.lavx.hu/article/starydobry-the-malware-campaign-targeting-gamers-with-cryptominers

#news #tech #XMRig #StaryDobry #GameSecurity

Pyrzout :vm:
StaryDobry ruins New Year's Eve, delivering miner instead of presents – Source: securelist.com https://ciso2ciso.com/starydobry-ruins-new-years-eve-delivering-miner-instead-of-presents-source-securelist-com/ #rssfeedpostgeneratorecho #MalwareDescriptions #MalwareTechnologies #CyberSecurityNews #Financialthreats #Windowsmalware #Gamingmalware #securelistcom #spoofing #Malware #Torrent #Trojan #Miner #XMrig #DLL
Tarnkappe.info
📬 CrowdStrike phishing: job seekers get a crypto miner slipped onto their machines
#ITSicherheit #Malware #Crowdstrike #CrowdStrikePhishing #CryptoMiningMalware #Phishing #PhishingAngriff #XMRig https://sc.tarnkappe.info/83c4fd

Pyrzout :vm:
Supply Chain Attack Hits Rspack, Vant npm Packages with Monero Miner – Source: hackread.com https://ciso2ciso.com/supply-chain-attack-hits-rspack-vant-npm-packages-with-monero-miner-sourcehackread-com/ #1CyberSecurityNewsPost #CyberSecurityNews #cybersecurity #Vulnerability #CyberAttacks #CyberAttack #Hackread #security #malware #Monero #Python #XMRig #NPM

Pyrzout :vm:
Supply Chain Attack Hits Rspack, Vant npm Packages with Monero Miner https://hackread.com/supply-chain-attack-rspack-vant-npm-monero-miner/ #Cybersecurity #Vulnerability #CyberAttacks #CyberAttack #Security #Malware #Monero #Python #XMRig #NPM

Kevin Karhan :verified:
@n_dimension most #Cryptojacking #malware is highly automated in that the attackers merely want to maximize profit and minimize labour, as their operations demand.

Ideally you'd extract the target wallet address and other parameters like pool / login that their instance of #xmrig uses so it can be attributed, blocked and burned for any future use.

Please let me know of any details, so I can add them to blocklists.
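The extraction step suggested in the post above, as an added example that is not part of any of these posts and not XMRig's own code: it pulls the pool host/port, wallet, worker name and TLS flag out of an XMRig command line or config.json "pools" entry, and sanity-checks the wallet's shape as a Monero address (length and prefix only, no checksum). The CLI flags (-o/--url, -u/--user, -p/--pass, --tls, --rig-id) and the "pools" layout follow XMRig's documented options; the sample command line, config, pool hostnames and the wallet string are constructed for the example and are not real indicators. The wallet.worker / wallet+diff split is a common pool convention and is an assumption here.

```python
"""Pull attribution parameters (pool, wallet, worker) out of an XMRig launch.
Added example, not XMRig's own code. Sample inputs below are constructed."""
import json
import re
from typing import List, Optional, Tuple
from urllib.parse import urlsplit

# Monero addresses use the Bitcoin base58 alphabet (no 0, O, I, l).
_BASE58 = re.compile(r"^[1-9A-HJ-NP-Za-km-z]+$")

# Constructed wallet: '4' + 94 base58 chars = 95 chars, the length of a
# standard Monero address. Not a real address.
FAKE_WALLET = "4" + ("A1b2C3d4E5f6G7h8J9k" * 5)[:94]

SAMPLE_CMDLINE = [
    "xmrig", "-o", "stratum+tcp://pool.example.invalid:3333",
    "-u", FAKE_WALLET + ".rig01", "-p", "x", "--tls", "--rig-id=rig01",
    "--donate-level=1",
]

SAMPLE_CONFIG = json.dumps({"pools": [{
    "url": "pool2.example.invalid:443", "user": FAKE_WALLET,
    "pass": "x", "tls": True, "keepalive": True, "rig-id": None}]})


def classify_monero_address(addr: str) -> Optional[str]:
    """Classify by length/prefix only; None if not shaped like a Monero address."""
    if not _BASE58.match(addr):
        return None
    if len(addr) == 95 and addr[0] == "4":
        return "standard"
    if len(addr) == 95 and addr[0] == "8":
        return "subaddress"
    if len(addr) == 106 and addr[0] == "4":
        return "integrated"
    return None


def split_user(user: str) -> Tuple[str, Optional[str]]:
    """Split 'wallet.worker' / 'wallet+diff' (assumed pool convention)."""
    m = re.match(r"^([1-9A-HJ-NP-Za-km-z]+)(?:[.+](.*))?$", user)
    return (m.group(1), m.group(2)) if m else (user, None)


def parse_pool_url(url: str) -> Tuple[str, Optional[int], str]:
    """Normalise host:port with or without a stratum+tcp:// or stratum+ssl:// scheme."""
    scheme = "none"
    if "://" in url:
        scheme, url = url.split("://", 1)
    parts = urlsplit("//" + url)
    return parts.hostname or "", parts.port, scheme


def parse_cmdline(argv: List[str]) -> dict:
    """Handle '-o URL', '--url URL' and '--url=URL' forms for pool/user/pass/rig-id, plus --tls."""
    long_names = {"url", "user", "pass", "rig-id"}
    short_names = {"-o": "url", "-u": "user", "-p": "pass"}
    out: dict = {"tls": False}
    i = 1  # argv[0] is the binary name
    while i < len(argv):
        a = argv[i]
        if a == "--tls":
            out["tls"] = True
        elif a in short_names and i + 1 < len(argv):
            out[short_names[a]] = argv[i + 1]
            i += 1
        elif a.startswith("--"):
            name, _, val = a[2:].partition("=")
            if name in long_names:
                if not val and i + 1 < len(argv):
                    val = argv[i + 1]
                    i += 1
                out[name] = val
        i += 1
    return out


def parse_config(text: str) -> List[dict]:
    """Read the 'pools' array of an XMRig config.json."""
    return [{"url": p.get("url"), "user": p.get("user"), "pass": p.get("pass"),
             "tls": bool(p.get("tls")), "rig-id": p.get("rig-id")}
            for p in json.loads(text).get("pools", [])]


def extract_iocs(pools: List[dict]) -> List[dict]:
    """Turn raw pool entries into attribution records for blocklists / pivoting."""
    records = []
    for p in pools:
        host, port, scheme = parse_pool_url(p.get("url") or "")
        wallet, worker = split_user(p.get("user") or "")
        records.append({
            "pool_host": host, "pool_port": port,
            "tls": bool(p.get("tls")) or scheme == "stratum+ssl",
            "wallet": wallet, "wallet_type": classify_monero_address(wallet),
            "worker": worker or p.get("rig-id"), "pass": p.get("pass"),
        })
    return records


if __name__ == "__main__":
    for rec in extract_iocs([parse_cmdline(SAMPLE_CMDLINE)] + parse_config(SAMPLE_CONFIG)):
        print(rec)
```

The pool host and the wallet are the two values worth sharing: the host can be sinkholed or blocked at egress, and the wallet lets the pool operator ban the account, which is what "burned for any future use" amounts to in practice. The address check only catches obvious junk; it does not verify the embedded checksum.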

Happy Friday everyone!

and is featured in today's ! Trend Micro takes us through a riveting tale where the protagonist, Water Sigbin, abuses a vulnerability in Oracle WebLogic Servers. After exploitation, a Base64-encoded payload is run that drops the initial stage loader named "wireguard2-3.exe", which masquerades as a legitimate VPN technology to help with its defense evasion. It also plays a role in getting the attack to the next stages, which involve DLL reflection, C2 communication, and finally the cryptominer.

Significant details that are included are a scheduled task created for a Windows Defender exclusion, some discovery using WMI, and another scheduled task for persistence. As usual, I am not going to spoil it all, go and have a read for yourself! Enjoy and Happy Hunting!

Notable MITRE ATT&CK TTPs (thanks to the authors):
TA0001 - Initial Access
T1190 - Exploit Public-Facing Application

TA0002 - Execution
T1059.001 - Command and Scripting Interpreter: PowerShell
T1047 - Windows Management Instrumentation

TA0005 - Defense Evasion
T1620 - Reflective Code Loading
T1036.005 - Masquerading: Match Legitimate Name or Location
T1562.001 - Impair Defenses: Disable or Modify Tools

TA0003 - Persistence
T1053.005 - Scheduled Task/Job: Scheduled Task

TA0011 - Command And Control
T1571 - Non-Standard Port
T1071 - Application Layer Protocol

TA0007 - Discovery
T1057 - Process Discovery
T1012 - Query Registry

Examining Water Sigbin's Infection Routine Leading to an XMRig Cryptominer
trendmicro.com/en_us/research/

Intel 471

Trend Micro · Examining Water Sigbin's Infection Routine Leading to an XMRig Cryptominer: We analyze the multi-stage loading technique used by Water Sigbin to deliver the PureCrypter loader and XMRIG crypto miner.
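A hunt over process-creation events for the chain the post above walks through (encoded PowerShell, a scheduled task, a Defender exclusion, a loader named like a VPN client but running from the wrong directory, WMI discovery, and an XMRig-style miner launch), as an added example that is not from the post or the Trend Micro report. The event lines, paths and command lines are constructed stand-ins in a Sysmon-like timestamp|Image|CommandLine layout, not indicators from the campaign; the allowlist of directories where a wireguard*.exe is expected is an assumption for the example. The miner rule keys on XMRig's stratum+tcp:// pool scheme and --donate-level / --rig-id options and maps to T1496 (Resource Hijacking), which the post's list does not include.

```python
"""Hunt process-creation events for the Water Sigbin-style chain.
Added example; events, paths and command lines are constructed, not IOCs."""
import base64
import re
from typing import List, Tuple

# Constructed events: timestamp|Image|CommandLine
_ENC = base64.b64encode(
    "Add-MpPreference -ExclusionPath C:\\ProgramData\\wg".encode("utf-16le")).decode()
SAMPLE_EVENTS = [
    "2024-01-01T00:00:01|C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe|"
    f"powershell.exe -nop -w hidden -EncodedCommand {_ENC}",
    "2024-01-01T00:00:02|C:\\Windows\\System32\\schtasks.exe|"
    "schtasks /create /sc onlogon /tn Updater /tr \"C:\\ProgramData\\wg\\wireguard2-3.exe\" /f",
    "2024-01-01T00:00:03|C:\\ProgramData\\wg\\wireguard2-3.exe|wireguard2-3.exe",
    "2024-01-01T00:00:04|C:\\Windows\\System32\\wbem\\WMIC.exe|wmic process get name,executablepath",
    "2024-01-01T00:00:05|C:\\ProgramData\\wg\\svc.exe|"
    "svc.exe -o stratum+tcp://pool.example.invalid:3333 -u 4AAAA -p x --donate-level=0",
    "2024-01-01T00:00:06|C:\\Program Files\\WireGuard\\wireguard.exe|wireguard.exe /installmanagerservice",
]

# Where a binary with this name stem is expected to live (assumed allowlist).
EXPECTED_DIRS = {"wireguard": ("c:\\program files\\wireguard\\",)}

# -e / -ec / -enc / -EncodedCommand followed by a base64 blob
_ENC_RE = re.compile(r"-e(?:nc|ncodedcommand|c)?\s+([A-Za-z0-9+/=]{16,})", re.I)
_MINER_RE = re.compile(r"stratum\+(?:tcp|ssl)://|--donate-level|--rig-id", re.I)


def decode_encoded_powershell(cmdline: str) -> str:
    """Return the decoded -EncodedCommand payload (base64 of UTF-16LE) or ''."""
    m = _ENC_RE.search(cmdline)
    if not m:
        return ""
    try:
        return base64.b64decode(m.group(1)).decode("utf-16le", "ignore")
    except ValueError:
        return ""


def analyse(image: str, cmdline: str) -> List[Tuple[str, str]]:
    """Return (rule, ATT&CK id) pairs that fire for one event."""
    hits: List[Tuple[str, str]] = []
    img = image.lower().replace("/", "\\")
    name = img.rsplit("\\", 1)[-1]
    stem = name[:-4] if name.endswith(".exe") else name
    low = cmdline.lower()
    decoded = decode_encoded_powershell(cmdline)
    if decoded:
        hits.append(("encoded_powershell", "T1059.001"))
    # Look for the Defender exclusion in the raw and the decoded command line
    if "add-mppreference" in low + decoded.lower():
        hits.append(("defender_exclusion", "T1562.001"))
    if name == "schtasks.exe" and "/create" in low:
        hits.append(("scheduled_task_created", "T1053.005"))
    # Known name, unexpected location: masquerading by name
    for known, dirs in EXPECTED_DIRS.items():
        if stem.startswith(known) and not img.startswith(dirs):
            hits.append(("masquerading_name_wrong_path", "T1036.005"))
    if name == "wmic.exe" or "get-wmiobject" in low or "get-ciminstance" in low:
        hits.append(("wmi_execution", "T1047"))
        if "win32_process" in low or " process " in low:
            hits.append(("process_discovery", "T1057"))
    if _MINER_RE.search(cmdline):
        hits.append(("xmrig_style_miner", "T1496"))
    return hits


def scan_events(lines: List[str]) -> List[dict]:
    """Run every rule over each event; keep only events with at least one hit."""
    out = []
    for line in lines:
        ts, image, cmdline = line.split("|", 2)
        hits = analyse(image, cmdline)
        if hits:
            out.append({"ts": ts, "image": image, "hits": hits})
    return out


if __name__ == "__main__":
    for ev in scan_events(SAMPLE_EVENTS):
        print(ev["ts"], ev["image"], ev["hits"])
```

Individually, most of these rules are noisy (admins create scheduled tasks and run wmic); the value is in the sequence on one host within a short window, which is what the post's multi-stage description points at. The legitimate wireguard.exe under Program Files produces no hit, which is the check that keeps the name-based rule from flooding a fleet that actually runs WireGuard.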