Considering that the growth of this type of incident is above 700% so far this year, I propose to the community that we create a list of the indicators of compromise we find, so as to help SOC and security teams keep these addresses up to date in their rules and thereby mitigate the probability of an incident.
PowerGhost IOCs: https://securelist.com/a-mining-multitool/86950/
- update.7h4uk[.]com
- 185.128.43.62
- info.7h4uk[.]com
Smominru IOCs: https://blog.talosintelligence.com/2018/01/malicious-xmr-mining.html
- 89.248.169[.]136
- 128.199.86[.]57
- qyvtls749tio[.]com
- youronionlink[.]onion
Persistent webmining IOCs: https://blog.malwarebytes.com/cybercrime/2017/11/persistent-drive-by-cryptomining-coming-to-a-browse...
(IP address, domain, role)
- 145.239.64.86, yourporn[.]sexy (Adult site)
- 54.239.168.149, elthamely[.]com (Ad Maven popunder)
- 52.85.182.32, d3iz6lralvg77g[.]cloudfront.net (Advertiser's launchpad)
- 54.209.216.237, hatevery[.]info (Cryptomining site)
Coinhive IOCs
Rocke is one of the cryptojacking campaigns that has generated the most detections in the last month; here are the IOCs detected so far.
Rocke IOCs (https://blog.talosintelligence.com/2018/08/rocke-champion-of-monero-miners.html)
Some references on how this type of attack mutates through various techniques and technologies.
https://unaaldia.hispasec.com/2018/06/detectados-contenedores-maliciosos.html
https://sysdig.com/blog/detecting-cryptojacking/
https://kromtech.com/blog/security-center/cryptojacking-invades-cloud-how-modern-containerization-tr...
Kodi IOCs (https://www.welivesecurity.com/2018/09/13/kodi-add-ons-launch-cryptomining-campaign/)
Indicator of Compromise search engine - The open IOC search engine >> https://maltiverse.com/search
Sustes IoCs
Continuing with some IOCs, here is one that, although not new, has become more dangerous thanks to its improved functionality.
King Miner IOCs (https://research.checkpoint.com/kingminer-the-new-and-improved-cryptojacker/)