MadoMiner Cryptocurrency Worm
MadoMiner is a newly observed cryptocurrency mining worm that uses large portions of the ZombieBoy remote access trojan’s code.
MadoMiner uses the EternalBlue and DoublePulsar exploits, along with known RDP exploits, to compromise a device. The modules used for this are identical to those in ZombieBoy, even down to the comments within the exploits. Once access to a vulnerable device has been gained, a Dynamic-link Library (DLL) file is delivered which, when executed, will download two Ultimate Packer for eXecutables(UPX) modules referred to as Install.exe and Mask.exe.
Once installed, MadoMiner will contact a command and control server, which will provide it with a list of mining pool URLs and IP addresses to scan. It will then connect to one of these URLs and begin mining (at less than 50% CPU utilisation). Install.exe is then used to scan the IP ranges using the WinEggDrop tool, and will deploy the exploit modules against any vulnerable systems it identifies.
During the execution of the Install module, MadoMiner makes use of several exploits:
- CVE-2017-9073, RDP vulnerability on Windows XP and Windows Server 2003
- CVE-2017-0143, SMB exploit
- CVE-2017-0146, SMB exploit
Further technical details can be found here
Indicators of Compromise
URLs
- 3322[.]net
- alibuf[.]com
- alibuf[.]info
- frebuf[.]info
- freebuf[.]info
- hobuff[.]info
- ip138[.]com
- posthash[.]org
MD5 File Hashes
- 2df2d6d9db08558e88f1636ed2acc146
- 3c720a55b043564313000a4efb1d85c0
- 4a14e7fb274462e844b5595210350400
- 4ae31911c1ef2ca4eded1fdbaa2c7a49
- 69833a3ecc52f57a02656d46e1799dcc
- ce606d80b44ea2aae81056b9088ba1e4
- d09f2340818511d396f6aaf844c7e325
- d8470f5c12f5a5fee89de4d4c425d614
- e9c6bf0de42aa2449f1ed4bbb50ddcd6
Duncan is a technology professional with over 20 years experience of working in various IT roles. He has a interest in cyber security, and has a wide range of other skills in radio, electronics and telecommunications.