CoinMiner

Cryptojacking Attack Campaign Against Apache Web Servers Using Cobalt Strike

AhnLab Security Emergency response Center (ASEC) is monitoring attacks against vulnerable web servers that have unpatched vulnerabilities or are being poorly managed. Because web servers are externally exposed for the purpose of providing web services to all available users, these become major attack targets for threat actors. Major examples of web services that support Windows environments include Internet Information Services (IIS), Apache, Apache Tomcat, and Nginx. While the Apache web service is usually used in Linux environments, there are some…

Shadow Force Group’s Viticdoor and CoinMiner

The Shadow Force group is a threat group that has been active since 2013, targeting corporations and organizations in South Korea. Trend Micro revealed the first analysis report in September 2015, where it stated that a Korean media-related company had been attacked. In March 2020, AhnLab published an analysis report on Operation Shadow Force. It was introduced as a single campaign as there was the possibility of it being the activities of an existing threat group. However, no relevant threat…

Attack Cases of CoinMiners Mining Ethereum Classic Coins

The ASEC analysis team is monitoring CoinMiners that are targeting Korean and overseas users. We have covered cases of various types of CoinMiner attacks over multiple blog posts in the past. This post aims to introduce the recently discovered malware that mine Ethereum Classic coins. 0. Overview CoinMiners are installed without user awareness and use the system’s resources to mine cryptocurrency, leading to low system performance. Threat actors that distribute CoinMiners tend to mine coins that guarantee anonymity, such as…

Orcus RAT Being Distributed Disguised as a Hangul Word Processor Crack

The ASEC analysis team recently identified Orcus RAT being distributed on file-sharing sites disguised as a cracked version of Hangul Word Processor. The threat actor that distributed this malware is the same person that distributed BitRAT and XMRig CoinMiner disguised as a Windows license verification tool on file-sharing sites.[1] The malware distributed by the threat actor has a similar form as those of the past, except for the fact that Orcus RAT was used instead of BitRAT. Furthermore, the new malware…

CoinMiner Being Installed on Vulnerable Apache Tomcat Web Server

The ASEC analysis team has recently identified attacks targeting vulnerable Apache Tomcat web server. The Tomcat server that has not been updated to the latest version is one of the major attack vectors that exploit vulnerabilities. In the past, the ASEC blog has also covered attacks targeting Apache Tomcat servers with the vulnerable JBoss version installed. The attackers used JexBoss, a vulnerability exploitation tool, to install a WebShell before gaining control over the target system with the Meterpreter malware. Ordinarily,…