Binary Managed Object Files (BMOFs) are compiled MOFs used in Windows Management Instrumentation, which threat actors exploit to deliver XMRig CoinMiner and persist via Permanent Event Subscriptions. The article also describes how attackers can abuse BMOFs to create guest accounts, delete the hosts file, configure RDP, and how AhnLab MDS detects related activity under multiple names. #BMOF #XMRig #BondNet #Stuxnet
Keypoints
- BMOFs are compiled versions of MOFs used in Windows Management Instrumentation (WMI) and exist by default in the C:\Windows\System32\wbem path.
- They can execute JScript and VBScript, enabling the delivery and execution of malware via MOF configurations.
- Permanent Event Subscription enables persistence for the BMOF-based malware even after system reboot.
- XMRig CoinMiner is distributed through malicious BMOFs and executed through mofcomp.exe.
- Attackers can create guest accounts, delete the hosts file, download additional VBE files, and configure RDP connections when the system is high-performance.
- AhnLab MDS detects this malware family under multiple names, reflecting its behavior and file-based detections.
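The persistence mechanism described in the keypoints (a Permanent Event Subscription whose consumer runs script through scrcons.exe) is visible in the `root\subscription` namespace, so a defender can audit it directly. The following PowerShell is an added hunting example, not code from the ASEC article or from AhnLab; it assumes only the standard CIM cmdlets and the built-in WMI subscription classes (`__EventFilter`, `__EventConsumer` subclasses, `__FilterToConsumerBinding`). It joins each binding to its filter and consumer and flags the two consumer types that execute code, printing the query and the script or command line for analyst review:

```powershell
# Added hunting example (not from the ASEC article): enumerate WMI permanent event
# subscriptions and flag consumer types that execute code. ActiveScriptEventConsumer
# runs JScript/VBScript under scrcons.exe; CommandLineEventConsumer spawns a process.
# Run in an elevated Windows PowerShell 5.1 or PowerShell 7 session.
$ns = 'root\subscription'
$bindings = Get-CimInstance -Namespace $ns -ClassName __FilterToConsumerBinding

foreach ($b in $bindings) {
    # Filter and Consumer are reference properties; CIM exposes them as instances
    # carrying the key (Name) and the class name of the referenced object.
    $filterName    = $b.Filter.Name
    $consumerName  = $b.Consumer.Name
    $consumerClass = $b.Consumer.CimSystemProperties.ClassName

    $filter = Get-CimInstance -Namespace $ns -ClassName __EventFilter |
        Where-Object Name -eq $filterName
    $consumer = Get-CimInstance -Namespace $ns -ClassName $consumerClass |
        Where-Object Name -eq $consumerName

    # Pull out whatever the consumer would actually run when the filter fires.
    $payload = switch ($consumerClass) {
        'ActiveScriptEventConsumer' {
            if ($consumer.ScriptText) { $consumer.ScriptText } else { $consumer.ScriptFileName }
        }
        'CommandLineEventConsumer' { $consumer.CommandLineTemplate }
        default                    { '<non-executing consumer>' }
    }

    [pscustomobject]@{
        Filter        = $filterName
        EventNS       = $filter.EventNamespace
        Query         = $filter.Query
        Consumer      = $consumerName
        ConsumerClass = $consumerClass
        Executes      = $consumerClass -in 'ActiveScriptEventConsumer', 'CommandLineEventConsumer'
        Payload       = $payload
    }
}
```

On a default Windows install the only binding is normally the `SCM Event Log Filter` / `SCM Event Log Consumer` pair (an `NTEventLogEventConsumer`, which does not execute code), so any row with `Executes` set to `True` deserves a look, especially when the payload contains a download or process launch. For detection rather than point-in-time hunting, the `Microsoft-Windows-WMI-Activity/Operational` log records the creation of new permanent subscriptions as event ID 5861, which complements a process-creation alert on `mofcomp.exe` compiling a BMOF.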
MITRE Techniques
- [T1203] Execution – Malicious BMOFs are executed through mofcomp.exe.
- [T1070] Defense Evasion – Deleting the hosts file to evade detection.
- [T1547] Persistence – Using Permanent Event Subscription to maintain persistence.
- [T1078] Credential Access – Creating guest accounts to gain unauthorized access.
Indicators of Compromise
- [MD5] – File hashes detected by the analysis: 0c8622c4871541e89d0173d5be0db8aa, 2407c4ef1588fa67dd5bd7c64f419abd
- [FQDN] – Obfuscated malicious domains used for C2: d[.]mymst[.]top, m[.]mymst[.]top
- [Executable] – Notable executable names involved in the workflow: mofcomp.exe, scrcons.exe
- [File] – Detection signatures observed in security tooling: CoinMiner/Win.XMRig.R649143, CoinMiner/Win.XMRig.R636370
Read more: https://asec.ahnlab.com/en/83081/