The open-source Go binary bitcoin miner has been altered to hard-code the wallet address and unique Dero mining pool URLs. Additionally, it is obfuscated to thwart examination using the freely available UPX packer. The primary benefit of encoding the mining setup into the code is that it allows the miner to operate without the need for any command-line parameters, which are usually inspected by security measures. Researchers discovered other tools created by the threat actor, including a Windows sample of a Dero miner loaded with UPX and a dropper shell script intended to remove GMiner from GitHub and end rival miner operations on an affected computer.

To avoid suspicion and to blend in more naturally with legitimate online traffic, the attacker registered domains with innocent-looking names. This allowed them to conceal connections with mining pools that are otherwise well-known. The attacker's continuous attempts to modify their strategies and keep one step ahead of defenses are evident in these integrated tactics.

Impact

• Cryptocurrency Theft
• Financial Loss
• Security Bypass

Indicators of Compromise

IP

• 209.141.32.182

MD5

• 22de8e4b08be5c2b1cc5eb2012739786
• cc47cb1bbef442d2f6aa7bc0b0843c88
• b6224dc51657a32e1aec1ca2a74c424a
• eea6a4938a53eb5e4e254812b3f150c6
• 0576d33ec4bcd20966c3a24c210e0cad
• 207e358ed42fe1346213480f64a91442
• 7c28e0727c74890b3998716967ab8339
• 42e82a37cc6b44f7bc58c6ef6bf3e9e2

SHA-256

SHA1

• 427aee9ff60df3c102c3feab5319da34ecbf4b70
• 464c26c2ed6c06508ce975aeee2d589c9a2fdac2
• 244e98c20acb54d7ef65b57d4cd364aa9d46731d
• 02e20e6d1b870d1365028246617ede951f399567
• 59a835e812374c748d038498b70c04d0f36a8751
• 812860c0db73cb2224fe862c0bfd8c7485fc0807
• 8fd9157811ea69a7253d3fadbea19b4cbb1a6ccd
• 8c6793ec6b0459a75f114d0d18785af9ca56b75e

Remediation

• Block all threat indicators at your respective controls.
• Search for indicators of compromise (IOCs) in your environment utilizing your respective security controls.
• Ensure all operating systems and software are up to date with the latest security patches.
• Employ reliable antivirus and antimalware software to detect and block known threats.
• Regularly update these tools to maintain the latest threat intelligence.
• Implement IDPS to detect and prevent unusual network activity, system behavior, or similar threats.
• Enabling two-factor authentication (2FA) on your accounts adds an extra layer of security and can help prevent unauthorized access even if your login credentials have been stolen.
• Regularly backing up your important data can help ensure that you don’t lose any critical information in the event of a malware infection or other data loss event.
• Be wary of emails, attachments, and links from unknown sources. Also, avoid downloading software from untrusted sources or clicking on suspicious ads or pop-ups.
• Use email filtering solutions to block malicious attachments and links that may deliver malware to users via phishing emails.
• Segment your network to limit lateral movement for attackers.
• Employ application whitelisting to only allow approved software to run on systems, reducing the risk of unauthorized applications being executed.
• Implement robust monitoring solutions to detect any unusual or suspicious activities, such as unauthorized access attempts or data exfiltration. Establish an effective incident response plan to quickly respond to and mitigate any potential breaches.
• Make sure all of your software, including your operating system and applications, is up-to-date with the latest security patches. This can help prevent vulnerabilities that could be exploited by info-stealers and other types of malware.