lazarusholic

A North Korean Monero Cryptocurrency Miner

2018-01-08, Alienvault
https://www.alienvault.com/blogs/labs-research/a-north-korean-monero-cryptocurrency-miner
#YARA #Miner

AlienVault Labs recently analysed an application compiled on Christmas Eve 2017. It is an installer for software to mine the Monero crypto-currency. Any mined currency is sent to Kim Il Sung University in Pyongyang, North Korea.
The installer copies a file named intelservice.exe to the system. The filename intelservice.exe is often associated with crypto-currency mining malware. Based on the arguments it is executed with, it is likely a piece of software called xmrig.
It is not unusual to see xmrig in malware campaigns. It was recently used in some widespread campaigns exploiting unpatched IIS servers to mine Monero.
The installer builds the miner's command line from the host's processor count:
"-o barjuok.ryongnamsan.edu.kp:5615 -u 4JUdGzvrMFDWrUUwY... -p KJU" + processorCount + " -k -t " + (processorCount -1)
The installer passes xmrig the following arguments:
- 4JUdGzvrMFDWrUUwY3toJATSeNwjn54LkCnKBPRzDuhzi5vSepHfUckJNxRL2gjkNrSqtCoRUrEDAgRwsQvVCjZbRy5YeFCqgoUMnzumvS is the address of the Monero wallet.
- barjuok.ryongnamsan.edu.kp is the mining server that would receive any mined currency. The ryongnamsan.edu.kp domain indicates this server is located at Kim Il Sung University.
- The password, KJU, is a possible reference …
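As an added example (not code from the AlienVault post or from the sample itself), the following Python parses xmrig-style command lines as they appear in process-creation telemetry and matches them against the indicators above: the intelservice.exe image name, the pool host, the wallet address, and the relation between the -p KJU<n> value and the -t <n-1> thread count that the installer derives from processorCount. The sample command lines are constructed for the example; pool.example.net and the 4ABCDEFGHIJK wallet are placeholders, not indicators.

```python
"""Added example: match xmrig-style command lines against this page's indicators."""
import re
import shlex
from dataclasses import dataclass, field
from typing import List, Optional

# Indicators taken from the page itself.
IOC_POOL_HOSTS = {"barjuok.ryongnamsan.edu.kp"}
IOC_WALLETS = {
    "4JUdGzvrMFDWrUUwY3toJATSeNwjn54LkCnKBPRzDuhzi5vSepHfUckJNxRL2gjkNrSqtCoRUrEDAgRwsQvVCjZbRy5YeFCqgoUMnzumvS",
}
IOC_IMAGE_NAMES = {"intelservice.exe"}


@dataclass
class MinerArgs:
    image: str = ""                    # basename of the executed image, lower-cased
    pool_host: Optional[str] = None    # from -o host:port
    pool_port: Optional[int] = None
    wallet: Optional[str] = None       # from -u
    password: Optional[str] = None     # from -p
    threads: Optional[int] = None      # from -t
    keepalive: bool = False            # -k present
    reasons: List[str] = field(default_factory=list)


def parse_cmdline(cmdline: str) -> MinerArgs:
    """Extract the xmrig flags the sample uses: -o pool:port, -u wallet, -p password, -k, -t threads.

    posix=False keeps Windows backslash paths intact; surrounding quotes are stripped by hand.
    """
    argv = [tok.strip('"') for tok in shlex.split(cmdline, posix=False)]
    args = MinerArgs(image=argv[0].rsplit("\\", 1)[-1].lower() if argv else "")
    i = 1
    while i < len(argv):
        tok = argv[i]
        val = argv[i + 1] if i + 1 < len(argv) else None
        if tok == "-k":
            args.keepalive = True
            i += 1
            continue
        if val is None or tok not in ("-o", "-u", "-p", "-t"):
            i += 1
            continue
        if tok == "-o":
            target = val.split("://")[-1]          # tolerate stratum+tcp://host:port
            host, sep, port = target.rpartition(":")
            args.pool_host = host.lower() if sep else target.lower()
            args.pool_port = int(port) if sep and port.isdigit() else None
        elif tok == "-u":
            args.wallet = val
        elif tok == "-p":
            args.password = val
        elif tok == "-t" and val.isdigit():
            args.threads = int(val)
        i += 2
    return args


def assess(cmdline: str) -> MinerArgs:
    """Attach a reason for every page indicator or sample-specific pattern the command line matches."""
    m = parse_cmdline(cmdline)
    if m.image in IOC_IMAGE_NAMES:
        m.reasons.append(f"image name {m.image} is a page IoC")
    if m.pool_host in IOC_POOL_HOSTS:
        m.reasons.append(f"pool host {m.pool_host} is a page IoC")
    if m.wallet in IOC_WALLETS:
        m.reasons.append("wallet address is a page IoC")
    # The installer builds '-p KJU<processorCount> -k -t <processorCount - 1>'.
    # Check the relation rather than a literal value so any core count still matches.
    pw = re.fullmatch(r"KJU(\d+)", m.password or "")
    if pw and m.keepalive and m.threads is not None and int(pw.group(1)) - 1 == m.threads:
        m.reasons.append("password/thread pattern matches the sample's KJU<n> / -t <n-1> construction")
    return m


# Constructed sample process-creation command lines (not from the page or real telemetry).
SAMPLE_CMDLINES = [
    # What the sample's argument string expands to on a 4-core host.
    r'"C:\Windows\Sys64\intelservice.exe" -o barjuok.ryongnamsan.edu.kp:5615 -u '
    + next(iter(IOC_WALLETS)) + " -p KJU4 -k -t 3",
    # A miner pointed at an unrelated pool and wallet (placeholders, for contrast).
    r'"C:\Tools\xmrig.exe" -o stratum+tcp://pool.example.net:3333 -u 4ABCDEFGHIJK -p x -t 2',
    # An ordinary Windows process that also happens to use a -k flag.
    r'"C:\Windows\System32\svchost.exe" -k netsvcs',
]


def flagged(cmdlines: Optional[List[str]] = None) -> List[MinerArgs]:
    """Return only the command lines that matched at least one indicator."""
    return [m for m in map(assess, cmdlines or SAMPLE_CMDLINES) if m.reasons]


if __name__ == "__main__":
    for m in flagged():
        print(m.image, m.pool_host, m.pool_port, m.threads, m.reasons)
```

The pool host and wallet are the durable indicators here; the image name and path can be changed trivially, so the KJU<n> / -t <n-1> relation is kept as a weaker, sample-specific corroborating signal rather than a match on its own.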

IoC

IP: 175.45.178.19
MD5: 42344bb45f351757e8638656e12a0135
MD5: 6a261443299788af1467142d5f538b2c
MD5: 762c3249904a8bf76802effb54426655
rule nkminer_monero {
    meta:
        description = "Detects installer of Monero miner that points to a NK domain"
        author = "[email protected]"
        tlp = "white"
        license = "MIT License"
    strings:
        $a = "82e999fb-a6e0-4094-aa1f-1a306069d1a5" nocase wide ascii
        $b = "4JUdGzvrMFDWrUUwY3toJATSeNwjn54LkCnKBPRzDuhzi5vSepHfUckJNxRL2gjkNrSqtCoRUrEDAgRwsQvVCjZbRy5YeFCqgoUMnzumvS" nocase wide ascii
        $c = "barjuok.ryongnamsan.edu.kp" nocase wide ascii
        // Backslashes in YARA text strings must be escaped as \\ or the rule will not compile.
        $d = "C:\\SoftwaresInstall\\soft" nocase wide ascii
        $e = "C:\\Windows\\Sys64\\intelservice.exe" nocase wide ascii
        $f = "C:\\Windows\\Sys64\\updater.exe" nocase wide ascii
        $g = "C:\\Users\\Jawhar\\documents\\" nocase wide ascii
    condition:
        any of them
}