The article investigates a campaign involving the H2Miner crypto-mining botnet and a newly discovered AI-generated ransomware variant called Lcrypt0rx, which targets Linux, Windows, and container environments. This combined threat delivers multiple malicious tools, including miners and stealers, resulting in data encryption, compute hijacking, and system defacement. #H2Miner #Lcrypt0rx #Kinsing #Xmrig #LummaStealer
Key points
- H2Miner is a long-standing crypto-mining botnet active since 2019, recently linked to campaigns deploying updated tools and targeting multiple platforms.
- Lcrypt0rx is a new VBScript ransomware variant, suspected to be AI-generated, with flawed encryption logic and ineffective persistence attempts.
- This campaign shows the first known operational overlap between H2Miner and Lcrypt0rx, suggesting a possible collaboration or reuse by threat actors.
- The adversary infrastructure hosts multiple commercial hacking tools, including Kinsing RAT, Xmrig miners, Lumma stealer, DCRat, Cobalt Strike, Amadey, RustyStealer, and ScreenConnect.
- Scripts associated with H2Miner disable security defenses, deploy Kinsing malware, terminate competing miners, and establish persistence via cron jobs and scheduled tasks.
- Lcrypt0rx performs extensive system modifications to disable user controls, overwrite the Master Boot Record, delete backups, and display ransom demands while deploying miners and information stealers.
- Fortinet products provide layered detection and prevention for this threat, including antivirus signatures, web filtering, intrusion prevention, and cloud protection capabilities.
MITRE Techniques
- [T1543] Create or Modify System Process – Persistence established by registering scripts as services and scheduled tasks (“…establishes persistence by registering itself as a service” and “creates a scheduled task… to ensure persistence”).
- [T1059] Command and Scripting Interpreter – Use of VBScript and PowerShell scripts to deploy miners, disable defenses, and execute payloads (“Analysis of this sample shows… relaunches itself with elevated rights using Shell.Application…”).
- [T1086] PowerShell – Deployment of XMRig miner via PowerShell script “1.ps1” (“downloads an XMRig Monero miner… to the system’s temporary directory as sysupdate”).
- [T1110] Brute Force – Attempted privilege escalation through relaunching scripts with elevated rights (“Lcrypt0rx first checks… relaunches itself with elevated rights”).
- [T1490] Inhibit System Recovery – Deletes volume shadow copies and backup catalogs to prevent recovery (“cmd.exe /c vssadmin delete shadows /all /quiet” and “cmd.exe /c wbadmin delete catalog -quiet”).
- [T1489] Disk Wipe – Overwrites the Master Boot Record rendering the system unbootable (“proceeds to overwrite the Master Boot Record (MBR)—a destructive move”).
- [T1027] Obfuscated Files or Information – Use of XOR encryption routine with generated master key and salt (“XORs each character of the file content… producing the obfuscated output”).
- [T1499] Endpoint Denial of Service – Disables system input by remapping and disabling keyboard keys and mouse buttons (“modifies the Scancode Map registry to disable… Mouse buttons are reversed”).
- [T1562] Impair Defenses – Attempts to disable antivirus software and firewalls (“attempts to disable Windows Defender real-time protection, BitDefender, and Kaspersky” and “The firewall is disabled via netsh”).
- [T1071] Application Layer Protocol – Use of HTTP and the Tor network for command-and-control and ransom note delivery (“The .onion address in the ransom note… does not conform to valid Tor address specifications”).
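As an added defender-side example (not code from the Fortinet report), the following Python turns the T1490, T1562, T1499 and T1543 behaviours quoted above into process-creation rules and correlates them per host, so a recovery-inhibit chain stands out from a lone admin command. The log format and sample events are constructed; the netsh and schtasks command forms are assumed, since the summary quotes only the vssadmin and wbadmin lines.

```python
import re
from collections import defaultdict
# Rules derived from the techniques listed above. The netsh and schtasks
# syntaxes are assumed forms; the summary quotes only the vssadmin/wbadmin lines.
RULES = [
    ("T1490", "shadow copy deletion", r"vssadmin(\.exe)?\s+delete\s+shadows"),
    ("T1490", "backup catalog deletion", r"wbadmin(\.exe)?\s+delete\s+catalog"),
    ("T1562", "firewall disabled via netsh",
     r"netsh\s+(advfirewall\s+set\s+\w+\s+state\s+off|firewall\s+set\s+opmode\s+(mode=)?disable)"),
    ("T1499", "Scancode Map keyboard remap", r"Keyboard Layout.*Scancode Map"),
    ("T1543", "scheduled task creation", r"schtasks(\.exe)?\s+/create"),
]
COMPILED = [(tid, desc, re.compile(rx, re.I)) for tid, desc, rx in RULES]

# Constructed log format (not from the report): "<ts> host=<h> pid=<n> cmd=<command line>"
LOG_RE = re.compile(r"(\S+)\s+host=(\S+)\s+pid=(\d+)\s+cmd=(.*)")

def match_rules(cmdline):
    """Return every (technique, rule) pair whose pattern occurs in a command line."""
    return [(tid, desc) for tid, desc, rx in COMPILED if rx.search(cmdline)]

def scan_log(lines):
    """Parse process-creation lines and return one hit dict per matched rule."""
    hits = []
    for line in lines:
        m = LOG_RE.match(line)
        if not m:
            continue  # skip lines that are not in the expected format
        ts, host, pid, cmd = m.groups()
        for tid, desc in match_rules(cmd):
            hits.append({"ts": ts, "host": host, "pid": int(pid),
                         "technique": tid, "rule": desc, "cmd": cmd})
    return hits

def hosts_with_chain(hits, min_techniques=2):
    """Hosts where >= min_techniques distinct techniques fired (one benign admin command rarely trips two)."""
    per_host = defaultdict(set)
    for h in hits:
        per_host[h["host"]].add(h["technique"])
    return sorted(h for h, t in per_host.items() if len(t) >= min_techniques)

# Constructed sample events; the ws01 commands mirror the quoted T1490/T1562 behaviour.
SAMPLE_LOG = [
    "2025-07-01T10:00:01Z host=ws01 pid=4120 cmd=cmd.exe /c vssadmin delete shadows /all /quiet",
    "2025-07-01T10:00:02Z host=ws01 pid=4121 cmd=cmd.exe /c wbadmin delete catalog -quiet",
    "2025-07-01T10:00:03Z host=ws01 pid=4122 cmd=netsh advfirewall set allprofiles state off",
    "2025-07-01T10:05:00Z host=ws02 pid=900 cmd=schtasks /create /tn Backup /tr backup.exe /sc daily",
    "2025-07-01T10:06:00Z host=ws03 pid=77 cmd=notepad.exe notes.txt",
]
```

Running `hosts_with_chain(scan_log(SAMPLE_LOG))` flags only ws01: the lone scheduled task on ws02 matches a rule but does not by itself reach the two-technique threshold.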
Indicators of Compromise
- [IP Addresses] Hosting and C2 servers – 78.153.140.66 (Monero miner download), 80.64.16.241 (cron download), 89.208.104.175 (Trojan hosting), 47.97.113.36 (Cobalt Strike), 176.65.137.203 (Trojan and Metasploit), 185.156.72.96 (Amadey C2), 80.64.18.161 (RustyStealer), 207.231.109.252 (ScreenConnect), 104.21.32.1 (Web hosting).
- [File Hashes] Malicious payloads and tools – ce.sh script (1bf1efeadedf52c0ed50941b10a2f468), Lcrypt0rx.vbs (06a482a6096e8ff4499ae69a9c150e92), Kinsing RAT (dbc9125192bd1994cbb764f577ba5dda), Xmrig miner executable (57f0fdec4d919db0bd4576dc84aec752), Lumma stealer (a729410de4dc397d1fb2ab8f7ae560d3), Amadey stealer (0680df49e1866c86697028ea73d28d28), and others.
- [Domains] Malicious hosting and C2 – bitbucket.org (payload hosting), s10.krakenfiles.com (wallpaper download), ragebot.fun (backdoor command and control), disciplipna.top, praetori.live, opusculy.top, scriptao.digital, civitasu.run, exitiumt.digital, viriatoe.live, brandihx.run, triremeo.digital (Lumma stealer C2).
- [File Names] Malware components and persistence scripts – sysupdate (Monero miner), msvcr80.dll.bat, systemconfig.exe.vbs, advapi32_ext.vbs, USB_bridge.vbs, CDConnector.vbs, slmgr.bat.vbs.
- [Monero Wallets] Mining payout addresses – 4ASk4RhUyLL7sxE9cPyBiXb82ofekJg2SKiv4MKtCbzwHHLQxVVfVr4D4xhQHyyMTieSM5VUFGR9jZVR5gp6sa1Q2p8SahC, 89UoMhtsrpaJTvmJBbvy1cTdg38pomPFnW5Z4sniL2izcLQyGBkEGd96TcBJtzQUi6KAL5Ehe4cFpEMNdGF7tFKpJ1DqE8X.
Read more: https://feeds.fortinet.com/~/921739931/0/fortinet/blog/threat-research~Old-Miner-New-Tricks