Threat Watch

Variant of Monero-miner Leveraging RADMIN and MIMIKATZ

A combination of MIMIKATZ and RADMIN is being used to spread a Monero-mining malware variant across LANs and over the internet, targeting companies in China, Taiwan, Hong Kong and Italy. The attack kit scans for machines with port 445 (SMB) open and checks the status of the infection process on them. The malware is installed when an infected web page is visited; when it executes, it deletes any older version of itself so that the infection is updated. It then connects to numerous URLs and IP addresses, where information about the infected machine is collected. The coinminer itself is downloaded as the second stage. Researchers noted, "It is also capable of randomly scanning generated IP addresses over the internet and local networks for open port 445. Using another Python module named impacket, it drops a hack tool (detected by Trend Micro as HackTool.Win32.Radmin.GB) for remote command communication from a malicious user by creating a named pipe \\.\pipe\RemCom_communicaton." The misspelling is part of the pipe name as the tool creates it, so a detection string must match it exactly.

ANALYST NOTES

Analysts should inspect DNS traffic and deploy intrusion detection software that matches specific text strings and patterns within network packets, for example the RemCom named pipe above and bursts of SMB connection attempts to port 445 from hosts that have no business reaching many peers on that port. IRC communication should also be monitored on a regular basis.
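The two behaviours above, the port-445 sweep and the RemCom named pipe, can both be caught from logs that most environments already collect. The script below is an added example written for this note; it is not code from the original page, from Trend Micro, or from the malware analysis. It assumes a simple connection-log format (timestamp, source, destination, destination port, protocol, resembling a firewall or Zeek conn.log export) and Sysmon-style named-pipe events (Event ID 17 pipe created, 18 pipe connected) in key=value form; all sample lines are constructed, and the threshold, time window and the stdin/stdout/stderr pipe variants are assumptions rather than facts from the page.

```python
"""Detection helpers for the port-445 scanning and RemCom named-pipe
activity described in the Threat Watch note above.

Added example, not code from the original page or from Trend Micro.
Log formats, thresholds and the extra RemCom_* pipe names are assumptions.
"""
import re
from collections import defaultdict

# Constructed connection records (assumed format: ts src dst dport proto).
# 10.0.0.5 sweeps many hosts on 445; 10.0.0.7 only talks to one file server.
CONN_LOG = """\
1549900000 10.0.0.5 10.0.1.1 445 tcp
1549900001 10.0.0.5 10.0.1.2 445 tcp
1549900001 10.0.0.5 10.0.1.3 445 tcp
1549900002 10.0.0.5 203.0.113.9 445 tcp
1549900002 10.0.0.5 198.51.100.4 445 tcp
1549900003 10.0.0.5 10.0.1.4 445 tcp
1549900003 10.0.0.7 10.0.1.10 445 tcp
1549900004 10.0.0.7 10.0.1.10 445 tcp
1549900005 10.0.0.7 10.0.1.11 443 tcp
1549900006 10.0.0.5 10.0.1.5 445 tcp
"""

# Constructed Sysmon-like pipe events (EventID 17 = created, 18 = connected).
# Image paths are made up for the example.
PIPE_LOG = """\
EventID=17 Host=WS01 Image=C:\\Windows\\RemComSvc.exe PipeName=\\RemCom_communicaton
EventID=18 Host=WS01 Image=C:\\Windows\\System32\\svchost.exe PipeName=\\RemCom_communicaton
EventID=17 Host=WS02 Image=C:\\Windows\\System32\\spoolsv.exe PipeName=\\spoolss
EventID=17 Host=WS03 Image=C:\\Program Files\\App\\app.exe PipeName=\\app_ipc
"""

# The page names RemCom_communicaton (misspelling is literal). The
# stdin/stdout/stderr variants are an assumption about RemCom-style tools.
REMCOM_PIPE = re.compile(r"\\RemCom_(communicaton|stdin|stdout|stderr)", re.I)

# key=value parser that tolerates spaces inside values such as "Program Files"
KV_RE = re.compile(r"(\w+)=(.*?)(?= \w+=|$)")


def find_smb_scanners(conn_log, threshold=5, window=60):
    """Return {src: distinct_targets} for sources that contacted at least
    `threshold` distinct hosts on TCP/445 within `window` seconds.
    Repeated connections to a single file server stay below the threshold."""
    per_src = defaultdict(list)
    for line in conn_log.splitlines():
        if not line.strip():
            continue
        ts, src, dst, dport, proto = line.split()
        if dport == "445" and proto == "tcp":
            per_src[src].append((int(ts), dst))

    hits = {}
    for src, events in per_src.items():
        events.sort()  # sliding window over time-ordered connections
        for i, (t0, _) in enumerate(events):
            targets = {dst for t, dst in events[i:] if t - t0 <= window}
            if len(targets) >= threshold:
                hits[src] = max(hits.get(src, 0), len(targets))
    return hits


def find_remcom_pipes(pipe_log):
    """Return [(host, event_id, image)] for pipe events whose name matches a
    RemCom pipe, i.e. a PsExec-like remote command channel on that host."""
    findings = []
    for line in pipe_log.splitlines():
        if not line.strip():
            continue
        fields = dict(KV_RE.findall(line))
        if REMCOM_PIPE.search(fields.get("PipeName", "")):
            findings.append((fields["Host"], fields["EventID"], fields["Image"]))
    return findings


if __name__ == "__main__":
    print("hosts sweeping TCP/445:", find_smb_scanners(CONN_LOG))
    for host, event_id, image in find_remcom_pipes(PIPE_LOG):
        print(f"RemCom pipe on {host}: event {event_id} from {image}")
```

The scanner check keys on distinct destinations rather than raw connection counts, which is what separates a sweep from a busy workstation hammering one share; tune `threshold` and `window` to the site's normal SMB fan-out before alerting on it. The pipe check is host-based and fires regardless of network position, so it also catches lateral movement that never crosses a sensor.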