New Version Of Monero CryptoMiner Campaign Adapts APT [Fsysna]

Fsysna is an advanced trojan that is being used in an ongoing cryptocurrencymining and ransomware campaign.

The malware used in the attack consists of two variants of Trojans identified as “Trojan.Win32.Fsysna” and a variant of a Monero cryptominer.

This new copied version will perform the same actions as the first Fsysna variant, but will also launch PowerShell scripts to execute Invoke-SMBClient, an open-source SMB application, and Invoke-Cats, a script-based version of the Mimikatz credential harvester. These are used to propagate laterally to other devices. It will then connect to a separate C2 server to download and install the intended payloads. Once this is done it will maintain a C2 connection to control the payloads and collect system information.

It is unclear how the initial infection of an unprotected PC in a network occurs but since the malware utilizes Mimikatz, it is clear that it spreads through unpatched network systems easily and rapidly.

Example of taskmgr.exe file

Further details – http://infosectechnews.blogspot.com/2019/03/check-point-forensic-files-monero.html

Indicators of Compromise

IP Addresses

  • 153.92.4[.]49
  • 172.104.177[.]202
  • 185.243.114[.]99
  • 216.250.99[.]49
  • 224.0.0[.]22
  • 68.183.178[.]71

URLs

  • 216.250.99.49/ins9[.]exez
  • 216.250.99.49/stak[.]mlz
  • d.beahh[.]com
  • d.beahh.com/update[.]png
  • dl.haqo.net/ig[.]mlz
  • dl.haqo.net/ins4[.]exez
  • i.haqo[.]net
  • i.haqo.net/i[.]png
  • p.beahh[.]com
  • p.beahh.com/upgrade[.]php
  • sv.symcd[.]com
  • v.beahh[.]com/vWORKGROUP.

MD5 File Hashes

  • 1c791ae1e8356395f0c4a9a4a8fb65e8 = znhcfvzxd.exe
  • 59b18d6146a2aa066f661599c496090d = svchost.exe
  • 5ab6f8ca1f22d88b8ef9a4e39fca0c03 = taskmgr.exe
  • a4b7940b3d6b03269194f728610784d6 = wmiex.exe
  • d4e2ebcf92cf1b2e759ff7ce1f5688ca = taskmgr.exe
  • d81233988ec80f56ea4094bad7ab5814 = update.png

Duncan is a technology professional with over 20 years experience of working in various IT roles. He has a interest in cyber security, and has a wide range of other skills in radio, electronics and telecommunications.

Be the first to comment

Leave a Reply

Your email address will not be published.


*


This site uses Akismet to reduce spam. Learn how your comment data is processed.