Cryptominers
A list of cryptominer and cryptojacker malware.
Authors
| Authors and/or Contributors |
|---|
| Cisco Talos |
| raw-data |
Lemon Duck
The infection starts with a PowerShell loading script that is copied from other infected systems via SMB, email or external USB drives. The actor also employs several exploits for vulnerabilities such as SMBGhost and EternalBlue.
Internal MISP references
UUID fa9cbe22-0ef7-4fbd-8a33-ce395eaa6df9, which can be used as a unique global reference for Lemon Duck in MISP communities and other software using the MISP galaxy.
External references
- https://blog.talosintelligence.com/2020/10/lemon-duck-brings-cryptocurrency-miners.html
- https://success.trendmicro.com/solution/000261916
- https://www.trendmicro.com/vinfo/us/threat-encyclopedia/spam/3697/spammers-use-covid19-to-spread-lemon-duck-cryptominer
- https://cyberflorida.org/threat-advisory/lemon-duck-cryptominer/
Associated metadata
| Metadata key | Value |
|---|---|
| type | ['cryptojacker'] |
WannaMine
WannaMine is a cryptojacker that takes advantage of EternalBlue.
Internal MISP references
UUID 20e563b0-f0c9-4253-aedd-a4542d6689ed, which can be used as a unique global reference for WannaMine in MISP communities and other software using the MISP galaxy.
External references
- https://www.crowdstrike.com/blog/weeding-out-wannamine-v4-0-analyzing-and-remediating-this-mineware-nightmare/?utm_campaign=dsa&utm_content=us&utm_medium=sem&utm_source=goog&utm_term=&gclid=EAIaIQobChMIjrayysrX7AIVFUWGCh3sQApKEAAYASAAEgIE6_D_BwE
- https://nakedsecurity.sophos.com/2018/01/31/what-are-wannamine-attacks-and-how-do-i-avoid-them/
- https://www.cybereason.com/blog/wannamine-cryptominer-eternalblue-wannacry
Associated metadata
| Metadata key | Value |
|---|---|
| type | ['cryptojacker'] |
Blue Mockingbird Cryptominer
Blue Mockingbird Cryptominer is a cryptocurrency-mining payload delivered as DLLs on Windows systems.
Internal MISP references
UUID 3dd091c9-608f-44d6-ac0c-5dfdf9bb4518, which can be used as a unique global reference for Blue Mockingbird Cryptominer in MISP communities and other software using the MISP galaxy.
External references
Associated metadata
| Metadata key | Value |
|---|---|
Krane
The Krane malware uses SSH brute-force attacks to gain access, then drops the XMRig cryptominer on the target to mine for the Hashvault pool.
Internal MISP references
UUID a0c0ab05-c390-425c-9311-f64bf7ca9145, which can be used as a unique global reference for Krane in MISP communities and other software using the MISP galaxy.
External references
Associated metadata
| Metadata key | Value |
|---|---|
Hezb
“Hezb”, a name taken from command-line artifact data, was observed alongside Kinsing. This malware is relatively new and was reported in late May exploiting the WSO2 RCE (CVE-2022-29464) in the wild. Several malware components were observed, the first of which was an XMRig miner installed as “Hezb”. Additional modules included a polkit exploit for privilege escalation and a zero-detection ELF payload named “kik”.
Internal MISP references
UUID 428bbf01-7756-48a2-848d-6bca3997f1df, which can be used as a unique global reference for Hezb in MISP communities and other software using the MISP galaxy.
External references
Associated metadata
| Metadata key | Value |
|---|---|