Cryptojacking IOCs

  • Updated 2 years ago
Given that the growth of this type of incident is above 700% so far this year, I propose to the community that we build a list of the indicators of compromise we find, so that we can help SOC and security teams keep these addresses up to date in their rules, thereby reducing the likelihood of an incident.

PowerGhost IOCs https://securelist.com/a-mining-multitool/86950/
  • update.7h4uk[.]com
  • 185.128.43.62
  • info.7h4uk[.]com

Smominru IOCs https://blog.talosintelligence.com/2018/01/malicious-xmr-mining.html
  • 89.248.169[.]136
  • 128.199.86[.]57
  • qyvtls749tio[.]com
  • youronionlink[.]onion

Persistent web mining IOCs https://blog.malwarebytes.com/cybercrime/2017/11/persistent-drive-by-cryptomining-coming-to-a-browse...

  • 145.239.64.86, yourporn[.]sexy: Adult site
  • 54.239.168.149, elthamely[.]com: Ad Maven popunder
  • 52.85.182.32, d3iz6lralvg77g[.]cloudfront.net: Advertiser's launchpad
  • 54.209.216.237, hatevery[.]info: Cryptomining site


dsespitia

Posted 2 years ago


dsespitia

Coinhive IOCs
  • coinhive.com
  • load.jsecoin.com
  • crypto-loot.com
  • coin-have.com
  • ppoi.org
  • cryptoloot.pro
  • papoto.com
  • coinlab.biz

dsespitia

Rocke is one of the cryptojacking campaigns that has generated the most detections in the last month; here are the IOCs detected so far.

Rocke IOCs (https://blog.talosintelligence.com/2018/08/rocke-champion-of-monero-miners.html)


dsespitia

Kodi IOCs (https://www.welivesecurity.com/2018/09/13/kodi-add-ons-launch-cryptomining-campaign/)

Example mirror of Bubbles

Example mirror of Gaia

Malicious files previously available on XvBMC repository

Sampling of malicious Kodi builds

C&C URLs

Downloader module (Windows)

Downloader module (Linux)

Cryptominer binaries (Windows)

Cryptominer binaries (Linux)

Carlos Avila

Indicator of Compromise search engine - The open IOC search engine >> https://maltiverse.com/search

dsespitia

Sustes IoCs
  • IP Address:
    • 103[.]99[.]115[.]220 (Org: HOST EDU (OPC) PRIVATE LIMITED, Country: IN)
    • 104[.]160[.]171[.]94 (Org: Sharktech, Country: USA)
    • 121[.]18[.]238[.]56 (Org: ChinaUnicom, Country: CN)
    • 170[.]178[.]178[.]57 (Org: Sharktech, Country: USA)
    • 27[.]155[.]87[.]59 (Org: CHINANET-FJ, Country: CN)
    • 52[.]15[.]62[.]13 (Org: Amazon Technologies Inc., Country: USA)
    • 52[.]15[.]72[.]79 (Org: HOST EDU (OPC) PRIVATE LIMITED, Country: IN)
    • 91[.]236[.]182[.]1 (Org: Brillant Auto Kft, Country: HU)
  • Custom Monero Pools:
    • 158[.]69[.]133[.]20:3333
    • 192[.]99[.]142[.]249:3333
    • 202[.]144[.]193[.]110:3333
  • Wallets:
    • W1: 4AB31XZu3bKeUWtwGQ43ZadTKCfCzq3wra6yNbKdsucpRfgofJP3YwqDiTutrufk8D17D7xw1zPGyMspv8Lqwwg36V5chYg

dsespitia

Continuing with some IOCs, here is one that, although not new, has become more dangerous thanks to its improved functionality.

King Miner IOCs (https://research.checkpoint.com/kingminer-the-new-and-improved-cryptojacker/)

  • Files SHA256

  • URLs
  • http://q[.]112adfdae.tk/
  • http://a[.]1b051fdae.tk/
  • http://a[.]869d4fdae.tk/
  • http://a[.]qwerr.ga/
  • IP
  • 95[.]179.131.54:9760
  • w[.]homewrt.com:9760