1. Background
2. Currency Price Curve and Major Security Incidents
2.1 WannaCry
2.2 The first rise
2.3 Fluctuation and decline
2.4 The second rise
3. 2019 Mining Trojan Infection Trends
3.1 Sample yield
3.2 Regional Distribution
3.3 Industry Distribution
3.4 Active Family
3.5 Main invasion methods
4. Technical characteristics of the 2019 mining trojan
4.1 Propagation characteristics
4.2 Malicious Code Execution
4.3 Persistent Attack
5. Mining Trojan Defense and Disposal Suggestions
5.1 Defense Plan
5.2 Disposal suggestions
6. Future Trends of Mining Trojans
6.1 "EternalBlue" vulnerability
6.2 BlueKeep Vulnerability
6.3 Botnet
Reference Links

1. Background

In August 2019, the state issued an opinion on supporting Shenzhen in building a pilot demonstration zone of socialism with Chinese characteristics, which mentioned support for digital currency research and innovative applications such as mobile payments in Shenzhen. Industry insiders believe that digital currency research will play a positive role in the digital economy. Bitcoin was born in 2009, ten years ago, and Monero, created in 2014, has reached its fifth year. Digital cryptocurrencies represented by Bitcoin and Monero have gradually become known to the public in recent years, and many people trade digital currency to earn profits. With the booming development of the digital economy, security issues around digital assets have kept emerging. By the basic design of digital currency, coins are not issued by any monetary institution; they are generated by specific algorithms through a large amount of computation, which makes "mining" the most basic way to obtain digital cryptocurrency. The only way to obtain more coins through "mining" is to increase computing power, so large sums of money must be invested in computing equipment.
Hackers always want to get a lot of returns without investing money, so the idea of "controlling other people's computers to mine" comes naturally, which is the concept of "mining Trojan". The earliest appearance time of "mining Trojan" is currently uncertain, but it began to become popular on a large scale in early 2017. After hackers invade and control a large number of computers and implant mining programs, they use the computer's CPU or GPU resources to complete a large number of calculations, thereby obtaining digital cryptocurrencies. At the same time, most of the illegal data or digital weapons sold on the dark web use Bitcoin as a transaction currency, causing digital cryptocurrencies to become the circulation medium of the black and gray industries, and also giving rise to the continued prosperity of the mining industry. Since its outbreak in 2017, mining Trojans have gradually become one of the main threats in the cyber world.
Figure: Mining process CPU usage

This report first reviews the major security incidents of the period against the Bitcoin price curve as a timeline, then summarizes the overall trend and technical characteristics of mining Trojans in 2019 and gives general and targeted defense and disposal suggestions. Finally, it predicts the future trend of mining Trojans.
2. Currency Price Curve and Major Security Incidents

Figure: Bitcoin price and security incidents

Looking at the Bitcoin price curve alongside the major security incidents from 2017 to 2019, we find that during this period "the price of the currency fluctuated sharply at a high level, and security incidents emerged in an endless stream." Some of the more influential attacks are as follows:
2.1 WannaCry

On May 12, 2017, the WannaCry worm broke out globally through the MS17-010 vulnerability, infecting a large number of corporate computers. After infecting a computer, the worm implanted ransomware that encrypted a large number of files and then demanded Bitcoin from the victim as the ransom for restoring them.

2.2 The first rise

In the six months after the WannaCry outbreak (May 2017 to December 2017), the price of Bitcoin grew explosively, rising from $1,000/BTC to $17,000/BTC. For a period after WannaCry, no other ransomware used the "EternalBlue" vulnerability to spread on a large scale, but mining Trojans saw a "business opportunity" in it. In the second half of 2017, mining Trojans that used "EternalBlue" to attack began to appear one after another. The first to be discovered was the large botnet MyKings.

2.2.1 MyKings

The MyKings botnet is one of the most complex botnets discovered so far. Its main attack features are exploiting the "EternalBlue" vulnerability and cracking passwords for services such as MsSQL, RDP and Telnet, then implanting mining and remote control modules into the compromised hosts and using a scanning attack module to spread in a worm-like manner. After April 2017, the spread of MyKings exploded, driven by its use of the "EternalBlue" exploit. By installing Monero miners on the botnet and mining with server resources, MyKings' Monero wallet has earned more than one million RMB.

2.2.2 ZombieBoy

In December 2017, Tencent Yujian Threat Intelligence Center detected a mining Trojan whose PDB path contained the plaintext string "C:\Users\ZombieBoy\Documents\Visual Studio 2017\Projects\nc\Release\nc.pdb". Searching online for the keyword "ZombieBoy" turned up an "EternalBlue" exploit tool, so we speculated that the hackers modified this tool to spread mining Trojans. We named the Trojan ZombieBoyMiner after this characteristic.
Yujian backend statistics show that the Trojan infected more than 70,000 computers at its peak.

Figure: Vulnerability exploitation tool ZombieBoy

2.3 Fluctuation and decline

When ZombieBoyMiner appeared (December 2017), the price of Bitcoin was at its peak; it then began to fluctuate and fall. In March 2018, another mining worm, WannaMiner, was discovered using the "EternalBlue" vulnerability to launch large-scale attacks.

2.3.1 WannaMiner

The WannaMiner Trojan builds infected machines into a robust botnet and supports self-updates on the intranet. Its ultimate goal is to profit through mining. Because it attacks the kernel via SMB during intranet propagation, it may cause a large number of machines on the enterprise intranet to blue-screen. According to statistics, the WannaMiner mining worm has infected more than 30,000 machines. WannaMiner's attack process is as follows:

Figure: WannaMiner attack process

2.3.2 BuleHero

In August 2018, the mining worm BuleHero, dubbed the worm with the "strongest vulnerability attack" capability, appeared. According to the continuous tracking results of the Yujian Threat Intelligence Center, in addition to the "EternalBlue" vulnerability, BuleHero attacked using the following vulnerabilities:

LNK vulnerability CVE-2017-8464
Tomcat arbitrary file upload vulnerability CVE-2017-12615
Apache Struts2 remote code execution vulnerability CVE-2017-5638
WebLogic deserialization arbitrary code execution vulnerabilities CVE-2018-2628, CVE-2019-2725
Drupal remote code execution vulnerability CVE-2018-7600
Apache Solr remote code execution vulnerability CVE-2019-0193
ThinkPHP V5 vulnerability CNVD-2018-24942

In addition to the above vulnerabilities, the latest version of BuleHero also exploits the vulnerability in the php_xmlrpc.dll module disclosed in the "PHPStudy" backdoor incident announced by the Hangzhou police in Zhejiang Province on September 20, 2019.

Figure: "PHPStudy" backdoor exploit

2.3.3 DTLMiner

In December 2018, the DTLMiner (Eternal Blue Downloader) mining Trojan broke out. Hackers compromised a company's server and modified the upgrade configuration file of one of its software products, so that users who had installed the software downloaded the Trojan file during the upgrade. Once running, the Trojan used the "EternalBlue" vulnerability to spread rapidly in the intranet, and 100,000 users were attacked in just two hours. After DTLMiner built its botnet, it implanted a Monero mining program on the infected machines. Because DTLMiner infected a large number of machines in a short period early on, and kept updating, adding attack methods such as MsSQL brute forcing, IPC$ brute forcing, RDP brute forcing and LNK vulnerability exploitation, it remained active in 2019.
Figure: Statement on the attack that exploited the upgrade component

2.3.4 "Hidden Shadow"

After DTLMiner, the "Hidden Shadow" mining Trojan appeared in early March 2019. This Trojan makes extensive use of public network disks and image hosting services to hide itself, and carries the leaked NSA exploit toolkit, giving it the ability to spread laterally within the local area network. The public services used by "Hidden Shadow" are as follows:
Figure: Public services used by "Hidden Shadow"

2.4 The second rise

At the same time as the "Hidden Shadow" mining Trojan appeared, the price of Bitcoin resumed its rise. From March 2019 to June 2019, the price of Bitcoin rose from $4,000/BTC to $12,000/BTC.

2.4.1 Sodinokibi
In June 2019, when the price of Bitcoin rebounded to a high point again, the Sodinokibi ransomware broke out. The ransomware first appeared at the end of April 2019. In its early days it spread using web service vulnerabilities, much like the well-known GandCrab ransomware. By that time GandCrab had announced that it would cease operations, and Sodinokibi almost completely inherited GandCrab's distribution channels. Around June, Sodinokibi began disguising itself as tax agencies and judicial institutions and spreading through phishing emails. Because the system hides file extensions by default, EXE viruses disguised as .doc documents are often mistaken for documents and opened by double-clicking.

Figure: Sodinokibi ransomware disguised as a document

After June 2019, the price of Bitcoin began to fall slowly. In the second half of 2019, no new mining Trojan families with significant impact appeared.
3. 2019 Mining Trojan Infection Trends

3.1 Sample yield

According to statistics from Tencent Security's Threat Intelligence Center, mining Trojan attacks in 2019 followed a "rise, fall, then stable" trend. The data show that mining Trojans were very active in the first half of 2019, with more than 100,000 attack samples detected per day at the peak; the attack trend slowed after May, falling to 60,000 per day, and then remained stable. Overall, mining Trojans infect large numbers of both hosts and servers, making them one of the most serious security threats facing enterprises.

Figure: Daily production trend of mining Trojans in 2019

3.2 Regional Distribution

In terms of regional distribution, mining Trojans were found throughout the country in 2019, with the most severely infected areas being Guangdong Province, Zhejiang Province, Beijing and Jiangsu Province.

Figure: Regional distribution of malware infections in 2019

3.3 Industry Distribution

In terms of industry distribution, the industries most severely affected by mining Trojans in 2019 were the Internet, manufacturing, scientific research and technical services, and real estate.

Figure: Distribution of industries affected by mining Trojans in 2019

3.4 Active Family

The three most active mining Trojan families in 2019 were WannaMiner, MyKings and DTLMiner (Eternal Blue Downloader Trojan). MyKings is a long-established botnet family, while WannaMiner and DTLMiner appeared in early 2018 and late 2018, respectively. In 2019, these families infected more than 20,000 users. Their common feature is that they exploit the "EternalBlue" vulnerability to spread in a worm-like manner and use a variety of persistence techniques, making them difficult to remove completely.

Figure: Most active mining Trojans in 2019

3.5 Main invasion methods

The top three intrusion methods of mining Trojans in 2019 were vulnerability attacks, weak password brute forcing and use of botnets.
Because mining Trojans need to obtain as much computing power as possible, they prefer to exploit common vulnerabilities and weak passwords, or to use botnets that already control a large number of machines, for large-scale spread.

Figure: Main invasion methods of mining Trojans

3.5.1 Vulnerability Attack Types

The main type of vulnerability exploited by mining Trojans is the Windows system vulnerability "EternalBlue", followed by WebLogic-related and Apache-related component vulnerabilities. Commonly used vulnerabilities include the following CVE numbers:

MS17-010 "EternalBlue" CVE-2017-0143
WebLogic deserialization arbitrary code execution vulnerabilities CVE-2017-10271, CVE-2018-2628, CVE-2019-2725
Apache Struts2 remote code execution vulnerability CVE-2017-5638
Apache Solr remote code execution vulnerability CVE-2019-0193
Apache Tomcat remote code execution vulnerability CVE-2017-12615
Figure: Main vulnerability attack types of mining Trojans

3.5.2 Brute Force Attack Types

The main brute force attack type of mining Trojans is SQL brute forcing (MsSQL and MySQL), followed by IPC$ and SSH. Owing to the weak security awareness of some IT managers, many databases and remote login services are set to weak passwords. The top five worst passwords of 2019 published by SplashData are "123456", "123456789", "qwerty", "password" and "1234567", and these are also the first choices of hackers in brute force attacks.
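The sa brute forcing described above leaves a burst of failed logins in the SQL Server ERRORLOG. The following detector, added here as an illustration and not part of the original report, groups those entries per client address and flags a burst of failures followed by a success; the log lines are constructed in the shape SQL Server writes, not real data.

```python
import re
from collections import defaultdict, deque
from datetime import datetime, timedelta


def _constructed_errorlog():
    """Constructed lines in the shape of SQL Server ERRORLOG logon messages (not real
    data). Failures are logged by default; successes appear only if login auditing
    is set to 'Both failed and successful logins'."""
    fail = ("{ts} Logon       Login failed for user '{user}'. Reason: Password did not "
            "match that for the login provided. [CLIENT: {client}]")
    ok = ("{ts} Logon       Login succeeded for user '{user}'. Connection made using "
          "SQL Server authentication. [CLIENT: {client}]")
    lines = [fail.format(ts=f"2019-12-01 10:00:{i:02d}.10", user="sa", client="203.0.113.7")
             for i in range(0, 60, 10)]          # six 'sa' failures within 50 seconds
    lines.append(ok.format(ts="2019-12-01 10:01:05.00", user="sa", client="203.0.113.7"))
    lines.append(fail.format(ts="2019-12-01 10:05:00.00", user="report", client="10.0.0.12"))
    lines.append("2019-12-01 10:05:01.00 spid12s     SQL Server is now ready for client connections.")
    return "\n".join(lines)


SAMPLE_ERRORLOG = _constructed_errorlog()

LINE_RE = re.compile(
    r"^(?P<ts>\d{4}-\d\d-\d\d \d\d:\d\d:\d\d\.\d+)\s+Logon\s+Login "
    r"(?P<result>failed|succeeded) for user '(?P<user>[^']*)'.*\[CLIENT: (?P<client>[^\]]+)\]")


def parse_errorlog(text):
    """Extract logon events; lines that are not logon messages are ignored."""
    events = []
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if m:
            events.append({"ts": datetime.strptime(m["ts"], "%Y-%m-%d %H:%M:%S.%f"),
                           "result": m["result"], "user": m["user"], "client": m["client"]})
    return events


def detect_brute_force(text, threshold=5, window=timedelta(minutes=5)):
    """Flag clients with >= threshold failed logins inside a sliding time window and
    note whether the same client then logged in successfully (a likely guessed password)."""
    by_client = defaultdict(list)
    for ev in parse_errorlog(text):
        by_client[ev["client"]].append(ev)
    alerts = []
    for client, evs in by_client.items():
        evs.sort(key=lambda e: e["ts"])
        recent = deque()            # timestamps of failures inside the current window
        burst_start = None
        failures = 0
        users = set()
        success_after = None
        for ev in evs:
            if ev["result"] == "failed":
                failures += 1
                users.add(ev["user"])
                recent.append(ev["ts"])
                while ev["ts"] - recent[0] > window:
                    recent.popleft()
                if burst_start is None and len(recent) >= threshold:
                    burst_start = recent[0]
            elif burst_start is not None and success_after is None:
                success_after = ev["user"]   # first success after the burst began
        if burst_start is not None:
            alerts.append({"client": client, "users": sorted(users), "failures": failures,
                           "burst_start": burst_start, "success_after_burst": success_after})
    return alerts
```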
The mining Trojan automatically tries its built-in dictionary of simple passwords, which easily cracks such weak passwords and gains entry to the system.

Figure: Main brute force attack types of mining Trojans

4. Technical characteristics of mining Trojans in 2019

4.1 Propagation characteristics

4.1.1 Supply Chain Infection

DTLMiner, which appeared at the end of 2018, used the upgrade function of existing software to distribute its Trojan, a typical case of supply chain infection. Hackers inserted Trojan download links into the backend configuration files, so that the software downloaded the Trojan file when upgrading. Because the software itself has a huge user base, the Trojan infected a large number of machines in a short time.

Figure: Configuration files tampered with by DTLMiner

4.1.2 Cross-platform attack

Mining Trojans have shifted from controlling ordinary computers to mainly controlling enterprise hosts, and from Windows-only mining to mixed infection of multiple platforms. In 2019, Tencent Yujian Threat Intelligence Center discovered "Agwl", "Lolita Gang", WannaMine, Satan and other mining Trojans targeting Linux. In March 2019, the latest variant of the Satan virus appeared. This variant indiscriminately attacks Windows and Linux systems, then implants ransomware to extort Bitcoin and a mining Trojan to mine Monero on the affected computers.
Figure: Satan virus cross-platform attack

We found that, to maximize profit, the black industry also bundles mining Trojans with ransomware, remote control backdoors, clipboard thieves, DDoS bots and other Trojans for combined attacks. The following are 7 popular families in 2019 and the types of viruses they implant in attacks:
Figure: Combined attacks by multiple viruses

4.1.3 Social Networks

In December 2019, Yujian Threat Intelligence Center discovered the "Tiger" mining Trojan (LaofuMiner), which spreads through social engineering scams. The attacker disguised a remote control Trojan under file names such as "hot news", "pornographic content", "privacy information" and "fraud skills", and sent it to target computers through social networks. When the victim double-clicked the file, the "Big Bad Wolf" remote control Trojan was installed immediately. The attacker then used the remote control Trojan to make the infected computer download the mining Trojan, turning it into a miner. Some of the file names used in the phishing attacks are as follows:
Figure: Phishing files used by LaofuMiner

4.1.4 VNC Exploitation

In March 2019, the Phorpiex botnet launched brute force attacks on the default port 5900 of the widely used remote management tool VNC. On high-value servers it downloaded and ran the GandCrab 5.2 ransomware to encrypt important data and extort payment; on computers used for digital currency transactions it ran a wallet-hijacking Trojan to steal funds; and on ordinary computers it implanted a Monero mining Trojan, turning them into miners controlled by Phorpiex.
Figure: Phorpiex brute-forces VNC services

4.1.5 Infectious viruses

In April 2019, the file-infecting virus Sality was found using its established P2P network to spread the "Clipboard Thief" Trojan for the purpose of stealing and hijacking virtual currency transactions. Sality can infect executable files on local hard drives, removable storage devices and remote shared directories, and can also spread through the autoplay function of removable and remote shared drives; it then downloads and executes the "Clipboard Thief" Trojan on the infected system. Sality modifies the entry point of the executable file and replaces the original code with virus code, so that every infected program executes the virus function when started:

Figure: Sality-infected executable files

The "Clipboard Thief" Trojan recognizes Ethereum or Bitcoin wallet addresses by the character format of the clipboard content and replaces the clipboard content with its own wallet address. If the user pastes the address and transfers money at this point, the digital assets end up in the hacker's pocket:
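The address-format matching that the Trojan relies on can be turned around for detection. This added example (not the report's code) classifies clipboard text as a Bitcoin or Ethereum address and flags the case where one address is replaced by a different address of the same type within a short interval; the clipboard snapshots and addresses are constructed and the addresses carry no valid checksum.

```python
import re

# Format checks of the kind the "Clipboard Thief" uses to pick what to swap. They are
# syntactic only (no checksum validation), which is all a hijacker needs.
BTC_LEGACY_RE = re.compile(r"^[13][a-km-zA-HJ-NP-Z1-9]{25,34}$")
BTC_BECH32_RE = re.compile(r"^bc1[a-z0-9]{25,87}$")
ETH_RE = re.compile(r"^0x[0-9a-fA-F]{40}$")


def classify_wallet_address(text):
    """Return 'btc', 'eth' or None for a clipboard string."""
    s = text.strip()
    if ETH_RE.match(s):
        return "eth"
    if BTC_LEGACY_RE.match(s) or BTC_BECH32_RE.match(s):
        return "btc"
    return None


def detect_clipboard_hijack(snapshots, max_gap_seconds=2.0):
    """snapshots: (seconds, clipboard_text) pairs taken by a polling monitor.
    A hijacker rewrites the clipboard right after the user copies an address, so an
    address replaced by a *different* address of the same type within a short gap is
    the signature to alert on. A user copying a second address later is normal use."""
    alerts = []
    prev_t, prev_text = None, None
    for t, text in snapshots:
        if prev_text is not None and text != prev_text:
            kind_prev = classify_wallet_address(prev_text)
            kind_now = classify_wallet_address(text)
            if kind_prev and kind_prev == kind_now and t - prev_t <= max_gap_seconds:
                alerts.append({"at": t, "type": kind_now,
                               "original": prev_text.strip(), "replacement": text.strip()})
        prev_t, prev_text = t, text
    return alerts


# Constructed clipboard history; the addresses are made-up strings that only
# satisfy the format checks above.
USER_ETH = "0x1111111111111111111111111111111111111111"
SWAPPED_ETH = "0x2222222222222222222222222222222222222222"
USER_BTC = "1AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA"
SWAPPED_BTC = "3BBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBB"
SAMPLE_SNAPSHOTS = [
    (10.0, USER_ETH),          # user copies their own deposit address
    (10.5, SWAPPED_ETH),       # half a second later the clipboard holds another address
    (30.0, USER_BTC),
    (30.4, SWAPPED_BTC),
    (60.0, "meeting notes"),
    (75.0, USER_ETH),          # a second address copied 15 s later: normal use
    (90.0, USER_BTC),          # different address type: not a swap
]
```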
Figure: "Clipboard Thief" Trojan replaces the wallet address

4.2 Malicious Code Execution

4.2.1 PowerShell

On April 3, 2019, DTLMiner reflectively loaded a PE image inside PowerShell to execute the mining program in a "fileless" manner. The malicious code runs directly in the powershell.exe process, and injecting it into a "white process" in this way makes the mining code hard to detect and remove. This was also the first time a mining Trojan was found using a "fileless" form of execution on a large scale. DTLMiner installs a scheduled task on the infected system that repeatedly downloads and executes an encrypted PowerShell script; the script embeds a Base64-encoded string $Code64, which is in fact the binary data of the XMRig mining program.

Figure: Base64-encoded XMRig binary data

PowerShell first decodes $Code64 into a byte array and then calls the Invoke-ReflectivePEInjection function to reflectively inject the PE into memory and execute the mining program.
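As an added example (not code from the report or from DTLMiner), the following analyzer takes a scheduled-task command line in the shape listed in the DTLMiner cleanup section (`set A=power& call %A%shell -ep bypass -e ...`), resolves the cmd variable trick, decodes the -e payload and looks for the $Code64 blob and the reflective injection call described above. The command line and the "PE" inside it are constructed; only the MZ header is meaningful.

```python
import base64
import binascii
import re

# Constructed stand-in for the XMRig image: an MZ header followed by padding.
_FAKE_PE = b"MZ" + b"\x90" * 62
_CODE64 = base64.b64encode(_FAKE_PE).decode()
_SCRIPT = (
    f'$Code64 = "{_CODE64}"\n'
    "$bytes = [Convert]::FromBase64String($Code64)\n"
    "Invoke-ReflectivePEInjection -PEBytes $bytes\n"
)
# PowerShell -e expects Base64 of the UTF-16LE script text.
_ENCODED = base64.b64encode(_SCRIPT.encode("utf-16le")).decode()
SAMPLE_CMDLINE = f'cmd.exe /c "set A=power& call %A%shell -ep bypass -e {_ENCODED}"'

_SET_RE = re.compile(r'set\s+(\w+)=([^&"]*)&', re.IGNORECASE)
_ENC_RE = re.compile(r"(?:^|\s)-e(?:c|nc|ncodedcommand)?\s+([A-Za-z0-9+/=]{16,})", re.IGNORECASE)
_EP_RE = re.compile(r"-(?:ep|executionpolicy)\s+bypass", re.IGNORECASE)
_B64_BLOB_RE = re.compile(r'"([A-Za-z0-9+/]{64,}={0,2})"')


def resolve_cmd_variables(cmdline):
    """Expand 'set NAME=VALUE& call %NAME%...'. cmd.exe expands %NAME% a second time
    when 'call' re-parses the line, so 'powershell' never appears literally in the
    task definition, which defeats naive string matching."""
    resolved = cmdline
    for name, value in _SET_RE.findall(cmdline):
        resolved = re.sub(rf"%{re.escape(name)}%", lambda _m: value, resolved, flags=re.IGNORECASE)
    return resolved


def _b64decode(blob):
    try:
        return base64.b64decode(blob, validate=True)
    except (binascii.Error, ValueError):
        return None


def decode_encoded_command(cmdline):
    """Return the script carried by -e/-ec/-EncodedCommand, or None if absent/truncated."""
    m = _ENC_RE.search(cmdline)
    if not m:
        return None
    raw = _b64decode(m.group(1))
    if raw is None:
        return None
    return raw.decode("utf-16le", errors="replace")


def find_embedded_pe(script):
    """Return the decoded bytes of the first quoted Base64 blob that starts with 'MZ'."""
    for blob in _B64_BLOB_RE.findall(script):
        data = _b64decode(blob)
        if data and data.startswith(b"MZ"):
            return data
    return None


def analyze_launcher(cmdline):
    """Collect indicators of the fileless launcher pattern from one command line."""
    indicators = []
    resolved = resolve_cmd_variables(cmdline)
    if resolved != cmdline:
        indicators.append("cmd-variable-obfuscation")
    if _EP_RE.search(resolved):
        indicators.append("execution-policy-bypass")
    script = decode_encoded_command(resolved)
    pe = None
    if script is not None:
        indicators.append("encoded-command")
        if re.search(r"Invoke-ReflectivePEInjection", script, re.IGNORECASE):
            indicators.append("reflective-pe-injection")
        pe = find_embedded_pe(script)
        if pe is not None:
            indicators.append("embedded-pe")
    return {"resolved": resolved, "script": script,
            "pe_size": len(pe) if pe else 0, "indicators": indicators}
```

The truncated strings in the cleanup section (no Base64 after `-e`) still yield the first two indicators, which is enough to hunt for the task even when the payload is not recorded.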
Figure: DTLMiner reflective injection executes the mining program

4.2.2 DLL Sideloading

KingMiner first appeared in mid-June 2018. It is a Monero mining Trojan that brute-forces MSSQL on Windows servers. The attacker uses a variety of evasion techniques to bypass virtual machine environments and security detection, so that some anti-virus engines cannot accurately detect and remove it. To evade antivirus detection, KingMiner uses DLL side-loading, also known as the "white + black" technique, to launch the mining Trojan: a normal, digitally signed "white" file is used to load a malicious DLL. It abuses Microsoft's system file "Credential Backup and Restore Wizard" and digitally signed files from several well-known companies:

"GuangZhou KuGou Computer Technology Co.,Ltd."
"Google Inc"
"Fujian Creative Jiahe Software Co., Ltd."
Figure: White file signatures used by KingMiner

4.3 Persistent Attack

4.3.1 Scheduled tasks

KingMiner uses RegisterTaskDefinition to create a scheduled task named WindowsMonitor that executes a PowerShell script every 15 minutes; alternatively it installs a scheduled task WindowsHelper that runs at system startup, and WindowsHelper in turn installs a scheduled task WindowsMonitor that executes VBS script code.

Figure: KingMiner installs scheduled tasks

4.3.2 WMI Timer

KingMiner creates a WMI timer named WindowsSystemUpdate_WMITimer and binds the event consumer WindowsSystemUpdate_consumer, which executes script code, to the timer through the event filter WindowsSystemUpdate_filter. Each time the timer fires, every 15 minutes, the VBS script code runs.
Figure: KingMiner installs a WMI timer

4.3.3 Blocking external intrusion

KingMiner checks whether the computer's Windows version is affected by the CVE-2019-0708 vulnerability and whether the specified patches kb4499175, kb4500331, KB4499149, KB4499180 and KB4499164 are installed (these are Microsoft's patch numbers for the CVE-2019-0708 Remote Desktop Services remote code execution vulnerability). If the CVE-2019-0708 patch is not installed, it changes the settings to prohibit other machines from accessing the local machine through Remote Desktop Services, so as to keep other Trojans out of the system and monopolize the mining resources.
Figure: KingMiner shuts down the RDP service

5. Mining Trojan Defense and Disposal Suggestions

5.1 Defense Plan

5.1.1 Password Management

Use a strong password policy on servers, especially for the sa account of SQL Server. Do not use the following weak passwords: 123456, admin, root, 123456789, qwerty, password, 1234567, 12345678, 12345, iloveyou, 111111, 123123, 888888, 1234567890, 88888888, 666666, etc.

5.1.2 Port Management

Temporarily close unnecessary server ports (such as 135, 139, 445, 3389). For more information, see: https://guanjia.qq.com/web_clinic/s8/585.html

Enterprise users can deploy the Tencent T-sec Advanced Threat Detection System (Tencent Yujie) to discover and track hacker attack clues. The Tencent T-sec Advanced Threat Detection System is a threat intelligence and malicious detection model system built on the security capabilities of Tencent Security Anti-Virus Laboratory and Tencent's massive cloud and endpoint data. (https://s.tencent.com/product/gjwxjc/index.html)

Figure: Tencent Yujie Advanced Threat Detection System SQL Server exploit alert

5.1.3 Windows vulnerability repair

Repair the following high-risk Windows system vulnerabilities promptly according to Microsoft's announcements:
MS17-010 "EternalBlue" vulnerability
  XP, Windows Server 2003, Win8 and other systems: http://www.catalog.update.microsoft.com/Search.aspx?q=KB4012598
  Win7, Win8.1, Windows Server 2008, Windows 10, Windows Server 2016 and other systems: https://technet.microsoft.com/zh-cn/library/security/ms17-010.aspx
Office Equation Editor vulnerability CVE-2017-11882
  https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2017-11882
LNK vulnerability CVE-2017-8464
  https://portal.msrc.microsoft.com/zh-cn/security-guidance/advisory/CVE-2017-8464
IE vulnerability CVE-2018-8174
  https://portal.msrc.microsoft.com/en-us/security-guidance/advisory/CVE-2018-8174
RDP service vulnerability CVE-2019-0708
  Windows XP, Windows 2003: https://support.microsoft.com/zh-cn/help/4500705/customer-guidance-for-cve-2019-0708
  Windows 7, Windows 2008 R2: https://www.catalog.update.microsoft.com/Search.aspx?q=KB4499175
  Windows 2008: https://www.catalog.update.microsoft.com/Search.aspx?q=KB4499180

You can also use Tencent Yudian or Tencent PC Manager to scan for and repair vulnerabilities. (https://s.tencent.com/product/yd/index.html)

Figure: Tencent Yudian fixes system vulnerabilities

5.1.4 Server component vulnerability repair

a. Oracle WebLogic arbitrary code execution vulnerabilities

CVE-2017-10271
  Affected versions: Oracle WebLogic Server 10.3.6.0.0, 12.1.3.0.0, 12.2.1.1.0, 12.2.1.2.0
  Official patch announcement: https://www.oracle.com/security-alerts/cpuoct2017.html
CVE-2018-2628
  Affected versions: Oracle WebLogic Server 10.3.6.0, 12.2.1.2, 12.2.1.3, 12.1.3.0
  Official patch announcement: http://www.oracle.com/technetwork/security-advisory/cpuapr2018-3678067.html
CVE-2019-2725
  Affected versions: Oracle WebLogic Server 10.3.6.0, 12.1.3.0
  Official patch announcement: https://www.oracle.com/security-alerts/alert-cve-2019-2725.html

b. Apache-related component vulnerabilities

Apache Struts2 remote code execution vulnerability CVE-2017-5638
  Affected versions: Struts 2.3.5 to 2.3.31, Struts 2.5 to 2.5.10
  Official patch announcement: https://cwiki.apache.org/confluence/display/WW/S2-045?from=timeline&isappinstalled=0
Apache Solr remote code execution vulnerability CVE-2019-0193
  Affected versions: Apache Solr < 8.2.0
  Official patch announcement: https://issues.apache.org/jira/browse/SOLR-13669
Apache Tomcat remote code execution vulnerability CVE-2017-12615
  Affected versions: Apache Tomcat 7.0.0 to 7.0.79
  Official patch announcement: http://tomcat.apache.org/security-7.html#Fixed_in_Apache_Tomcat_7.0.81

You can also use the Yuzhi Network Asset Risk Monitoring System developed by Tencent Security to check the security risks of network assets: it performs regular security scans, continuous risk warnings and vulnerability detection covering the availability, security and compliance of the company's network assets and applications. (https://s.tencent.com/product/narms/index.html)

Figure: Tencent Yuzhi detects an Apache Struts2 vulnerability

5.2 Disposal suggestions

If the host system is noticeably slow, or a server process occupies more than 80% of the CPU for a long time, it may be infected with a mining Trojan. Follow the steps below to confirm and remove it.

5.2.1 Confirmation of infection

1) Individual users

a. Use Windows Task Manager (or PCHunter or Process Explorer), or the Linux command ps -aux, to find the processes and files with high CPU usage. If the file is in a system directory, find the normal system file of the same name on another machine and compare it with the suspicious file; if it is in a software directory, find the software's normal file of the same name and compare it with the suspicious file.

Figure: Mining process CPU usage

b. Use PCHunter, or the command netstat -tup on Linux, to find the IP addresses and ports of the process's network connections, especially connections to suspicious remote ports such as 5559, 7777, 4444 and 13333. Then reverse-resolve the IP address to a domain name and check whether the domain name contains words such as "miner" or "pool". If the file was not identified as a system file or normal software file in step a, and it has a suspicious network connection as in step b, the machine is probably infected with a mining Trojan.

2) Enterprise users are advised to deploy the Tencent Yujie Advanced Threat Detection System, which can identify the communication protocols used in mining and detect mining behavior from network traffic.
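Steps a and b above for a Linux host, as an added example that is not part of the original report: the script parses constructed ps aux and netstat -tup output, correlates CPU usage, executable path, remote port and reverse DNS per PID, and reports the reasons for each flagged process. The reverse-DNS table stands in for socket.gethostbyaddr so the example runs offline.

```python
import re

# Constructed sample output (not from a real host) in the shape of "ps aux" and
# "netstat -tup" on Linux. Process names and addresses are made up.
SAMPLE_PS = """\
USER       PID %CPU %MEM    VSZ   RSS TTY      STAT START   TIME COMMAND
root         1  0.0  0.1 168000  9000 ?        Ss   09:00   0:02 /sbin/init
mysql      900  2.3  5.0 900000 80000 ?        Ssl  09:01   1:10 /usr/sbin/mysqld
root      1234 98.7  1.2 512000 48000 ?        Ssl  10:00  55:12 /tmp/.cache/sysupd -o 203.0.113.9:13333
www-data  1300 12.0  0.8 300000 30000 ?        S    09:02   3:00 /usr/sbin/apache2 -k start
"""

SAMPLE_NETSTAT = """\
Active Internet connections (w/o servers)
Proto Recv-Q Send-Q Local Address           Foreign Address         State       PID/Program name
tcp        0      0 10.0.0.5:50012          203.0.113.9:13333       ESTABLISHED 1234/sysupd
tcp        0      0 10.0.0.5:3306           10.0.0.8:41022          ESTABLISHED 900/mysqld
tcp        0      0 10.0.0.5:80             198.51.100.4:52100      ESTABLISHED 1300/apache2
"""

# Stand-in for reverse DNS (use socket.gethostbyaddr on a real host); constructed names.
SAMPLE_RDNS = {"203.0.113.9": "pool.xmr.example.net", "10.0.0.8": "app01.corp.example",
               "198.51.100.4": None}

SUSPICIOUS_PORTS = {5559, 7777, 4444, 13333}          # ports named in the report
SUSPICIOUS_PATH_RE = re.compile(r"^(/tmp/|/var/tmp/|/dev/shm/)|/\.[^/]+/")   # temp or hidden dir
RDNS_KEYWORDS = ("miner", "pool")


def parse_ps_aux(text):
    """Map PID -> {user, cpu, cmd} from 'ps aux' output (header line skipped)."""
    procs = {}
    for line in text.splitlines()[1:]:
        parts = line.split(None, 10)
        if len(parts) < 11:
            continue
        procs[int(parts[1])] = {"user": parts[0], "cpu": float(parts[2]), "cmd": parts[10]}
    return procs


def parse_netstat(text):
    """Map PID -> [(remote_ip, remote_port), ...] from 'netstat -tup' output."""
    conns = {}
    for line in text.splitlines():
        parts = line.split()
        if len(parts) < 5 or not parts[0].startswith(("tcp", "udp")):
            continue
        pid_prog = parts[-1]
        if "/" not in pid_prog:
            continue                       # "-": PID not visible (run as root to see it)
        pid = int(pid_prog.split("/", 1)[0])
        rip, rport = parts[4].rsplit(":", 1)
        conns.setdefault(pid, []).append((rip, int(rport)))
    return conns


def find_suspicious_processes(ps_text, netstat_text, reverse_dns, cpu_threshold=80.0):
    """Correlate CPU usage, executable path, remote ports and reverse DNS per PID."""
    procs = parse_ps_aux(ps_text)
    conns = parse_netstat(netstat_text)
    findings = []
    for pid, info in procs.items():
        reasons = []
        if info["cpu"] >= cpu_threshold:
            reasons.append(f"high-cpu:{info['cpu']}")
        exe = info["cmd"].split()[0]
        if SUSPICIOUS_PATH_RE.search(exe):
            reasons.append(f"suspicious-path:{exe}")
        for rip, rport in conns.get(pid, []):
            if rport in SUSPICIOUS_PORTS:
                reasons.append(f"suspicious-port:{rport}")
            name = reverse_dns.get(rip)
            if name and any(k in name.lower() for k in RDNS_KEYWORDS):
                reasons.append(f"rdns:{name}")
        if reasons:
            findings.append({"pid": pid, "cmd": info["cmd"], "reasons": reasons})
    findings.sort(key=lambda f: -len(f["reasons"]))   # most evidence first
    return findings
```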
Figure: Yujie detects mining behavior

5.2.2 Virus Removal

After confirming that you are infected with a mining Trojan, you can use Tencent PC Manager to remove it, or try to remove it manually by following the steps below:

1) On Windows, use PCHunter or another management tool to terminate the suspicious processes, delete the process files, and find and delete the entries that launch the file image in startup items, services and scheduled tasks.
Figure: PCHunter deletes mining Trojan startup items

2) On Linux, use the command pkill -9 to terminate the process, delete the process file, and check the Trojan-related scheduled tasks shown by the crontab command. Delete Trojan-related scheduled tasks in the following directories:
/var/spool/cron/root/
/var/spool/cron/crontabs
Delete Trojan-related startup items in the following directories:
/etc/rcS.d/
/etc/rc.d/init.d/

Enterprise users can deploy the Tencent Yudian Terminal Security Management System on servers to clean up mining Trojans.
5.2.3 Cleaning up botnets
1) MyKings

MyKings botnet cleanup advice:
Check the database job names and remove jobs containing malicious code;
Check the database stored procedures and clean up contents containing malicious code;
Since the latest version of MyKings can also implant stubborn viruses such as the "Dark Cloud" MBR virus and rootkits, users can use the PC Manager System First Aid Kit to check and clean them. User guide and download link: https://guanjia.qq.com/avast/283/index.html
Figure: PC Manager System First Aid Kit cleans up MBR and kernel-level viruses

2) WannaMiner
Figure: WannaMiner cleanup suggestions

3) DTLMiner (Eternal Blue Downloader Trojan)

DTLMiner cleanup recommendations: delete the randomly named scheduled tasks "VDoaC", "hadpeRz\oABwX" and "lKNVFjCJm\oWuUXql".
Figure: DTLMiner randomly named scheduled tasks

The startup programs are:
/c "set A=power& call %A%shell -ep bypass -e "
/c "set A=power& call %A%shell -ep bypass -e =="
/c "set A=power& call %A%shell -ep bypass -e "

6. Future Trends of Mining Trojans

6.1 "EternalBlue" vulnerability

Since the NSA weapons leak in 2017, the "EternalBlue" vulnerability has been widely exploited by mining Trojans. As major security vendors patch and defend against the vulnerability, its impact is gradually decreasing. However, according to our data, about 30% of the "EternalBlue" patches have still not been installed, so new mining Trojans exploiting "EternalBlue" can be expected to appear in 2020.

6.2 BlueKeep Vulnerability

On May 15, 2019, Microsoft released a fix for the critical remote code execution vulnerability CVE-2019-0708 in Remote Desktop Services (formerly Terminal Services), which affects multiple versions of Windows, including Windows 7, Windows Server 2008 R2, Windows Server 2008, Windows 2003 and Windows XP. Once an attacker successfully triggers the vulnerability, they can execute arbitrary code on the target system. In September 2019, we noticed that exploit code for CVE-2019-0708 had been publicly released as a metasploit-framework pull request; in our testing it achieves remote code execution. In October 2019, the mining worm DTLMiner also added CVE-2019-0708 vulnerability detection code to its attack module. We therefore expect that a new mining Trojan exploiting this vulnerability is very likely to appear in 2020.

6.3 Botnet

Mining botnets such as MyKings, KingMiner and WannaMiner infected a large number of machines early on. After taking control of a system, they establish persistence through scheduled tasks, database stored procedures, WMI and other techniques.
As a result they can download the latest version of their malicious code from the server at any time, which makes them difficult to remove completely. Security vendors will continue to fight these virus gangs in the future.

Reference Links

Detailed Analysis of the WannaCry Worm https://www.freebuf.com/articles/system/134578.html
WannaMiner mining trojan attack incident report https://mp.weixin.qq.com/s/FEyaQ_AHn2TZPy-5FeMP7A
Analysis of ZombieBoy Trojan https://www.freebuf.com/column/157584.html
"VNC Robber" attack warning: affected companies suffered a series of critical attacks from multiple viruses including GandCrab 5.2 https://www.freebuf.com/column/198957.html
Sality virus infects 30,000 computers and steals Bitcoin https://www.freebuf.com/column/218404.html
Exploit attack against weak SQL passwords strikes again, KingMiner miners have controlled tens of thousands of computers https://www.freebuf.com/column/221248.html
Eternal Blue Trojan Downloader Creates a New "Fileless Mining" Model https://www.freebuf.com/column/200241.html
GandCrab quits the game, beware of the successor sodinokibi ransomware virus https://www.freebuf.com/column/205215.html
BlueHero worm upgraded again, adding Stuxnet 3rd generation arsenal, one look and you'll be infected https://www.freebuf.com/column/181604.html
The worm virus Bulehero once again uses "Eternal Blue" to attack and spread in corporate intranets https://www.freebuf.com/column/180544.html
BuleHero 4.0 mining worm is really crazy, with more than ten ways to attack corporate networks https://www.freebuf.com/column/219973.html
Supporting digital currency research in Shenzhen https://finance.sina.com.cn/blockchain/coin/2019-08-19/doc-ihytcitn0105787.shtml
The quietly rising mining botnet: attacking servers to mine millions of Monero coins https://www.freebuf.com/articles/web/146393.html
Detailed analysis report of the "Drive Life" Trojan that infected 100,000 computers in 2 hours to mine Monero https://www.freebuf.com/column/192015.html
Analysis of a carefully planned targeted attack against DriveLife https://www.freebuf.com/articles/system/192194.html