Skip to main content

MineBridge Backdoor

MineBridge is a sophisticated backdoor that utilises the TeamViewer remote administration tool as both a preliminary loader and to provide additional functionality to its operators.

Threat ID:
CC-3728
Category:
Backdoor
Threat Severity:
Medium
Threat Vector:
Email spam
Published:
21 January 2021 12:00 AM
Report a cyber attack: call 0300 303 5222 or email [email protected]

Summary

MineBridge is a sophisticated backdoor that utilises the TeamViewer remote administration tool as both a preliminary loader and to provide additional functionality to its operators.

Affected platforms

The following platforms are known to be affected:

Versions: all supported

Microsoft Windows

Threat details

Introduction

First observed in early January, MineBridge (stylised as MINEBRIDGE in some instances) is a C++ based backdoor primarily targeting Western financial organisations, although infections have been discovered in engineering, telecommunications, media businesses worldwide.

Delivery

MineBridge is typically delivered in targeted email spam campaigns operated via the Acelle self-hosted mailing service. Emails sent in the campaigns contain VBA macro-laden tailored lure documents. When opened, the macros are executed and connect to an attacker-controlled domain to download a MineBridge DLL file. A separate macro then downloads a ZIP archive containing an outdated but legitimate copy of the TeamViewer remote admin software.

The TeamViewer archive is then extracted, renamed, and executed. If successful, it immediately side-loads the MineBridge DLL.

Activities

Once deployed, MineBridge hooks several Windows APIs to hide the TeamViewer instance before collecting system and user information. This information is then sent to a command and control server over HTTPS POST.

MineBridge is able to download an execute secondary payloads directly into memory, reboot the affected system, and transfer files. Additionally, it can also control the hidden TeamViewer, providing attacker with secondary set of capabilities including remote shell, recording audio and video, or keylogging.

Remediation advice

To prevent and detect an infection, NHS Digital advises that:

  • Secure configurations are applied to all devices.
  • Security updates are applied at the earliest opportunity.
  • Tamper protection settings in security products are enabled where available.
  • Obsolete platforms are segregated from the rest of the network.
  • IT usage policies are reinforced by regular training to ensure all users know not to open unsolicited links or attachments.
  • Multi-factor authentication (MFA) and lockout policies are used where practicable, especially for administrative accounts.
  • Administrative accounts are only used for necessary purposes.
  • Remote administration services use strongly encrypted protocols and only accept connections from authorised users or locations.
  • Systems are continuously monitored, and unusual activity is investigated, so that a compromise of the network can be detected as early as possible.

Please note that NCSC maintains guidance for securely configuring a wide range of end user device (EUD) platforms. For further details refer to their end user device security guidance pages.

Indicators of compromise

Network indicators

Domains

  • 123faster[.]top
  • agent4career[.]com
  • badiconreg[.]com
  • bestrecruitments[.]com
  • compilator333[.]top
  • conversia91[.]top
  • creatorz123[.]top
  • fatoftheland[.]top
  • marendoger[.]com
  • neurogon[.]com
  • pt-cpaaccountant[.]com
  • rogervecpa[.]com
  • seigortan[.]com
  • tiparcano[.]com

User-agents

  • Mozilla/5.0 (iPhone; CPU iPhone OS 11_1_1 like Mac OS X) AppleWebKit/604.3.5 (KHTML, like Gecko) Version/11.0 Mobile/15B150 Safari/604.1
Host indicators

Filepaths

  • %APPDATA%\Windows Media Player\msi.dll
  • %APPDATA%\Windows Media Player\msi.dll.old
  • %APPDATA%\Windows Media Player\TeamViewer_Desktop.exe
  • %APPDATA%\Windows Media Player\TeamViewer_Resource_en.dll
  • %APPDATA%\Windows Media Player\TeamViewer_StaticRes.dll
  • %APPDATA%\Windows Media Player\TeamViewer.ini
  • %APPDATA%\Windows Media Player\tvdll.cmd
  • %APPDATA%\Windows Media Player\wpvnetwks.exe
  • %CSIDL_PROFILE%\<dll_name>.xpdf
  • %CSIDL_STARTUP%\Windows WMI.lnk
  • %TEMP%\<32 random characters>
  • %TEMP%\<32 random characters>.exe
  • %TEMP%\~8426bcrtv7bdf.bin

 

SHA256 hashes

  • 03ff2b3067aa73ecd8830b6b0ea4f7cfa1c7476452b26227fb433265e7206525
  • 0520e68a4b73c3b41e566cf07be54e1f1cb59c59c303fe3390e0687f9af1a58a
  • 0695e5e49a297c980b96f76bf10e5540de188d6a6a162e38f475418d72a50032
  • 0aaa66dc983179bffdb181079f3b786b6cd587c38c67ba68b560db0bd873278a
  • 0fbde653bef4642626f2996a41a15a635eb52cd31eacce133d28301b902d67df
  • 1358b0ccae9dbb493228dc94eb5722c8d34c12227a438766be83df8c1c92a621
  • 182ccc7f2d703ad732ffee0e1d9ae4ae5cf6b8817cc33fd44f203d31868b1e97
  • 18698c5a6ff96d21e7ca634a608f01a414ef6fbbd7c1b3bf0f2085c85374516e
  • 212793a915bdd75bede8a744cd99123e2a5ac70825d7b2e1fc27104276a3aafd
  • 23840c587e4e9588b3d0795d4d76a4f3d4d5b2e665ce42dde0abcd1e0a2ba254
  • 23da418912119a1358c9a1a4671ba60c396fff4c4de225fe6a225330147549a7
  • 2722583e6895d6d1d1a3c7baad1090fb8e9395ee5fb58c4e035a1ee8a54751bd
  • 30025da34f6f311efe6b7b2c3fe334f934f3f6e6024e4d95e8c808c18eb6de03
  • 36da56815dc0c274fc8aacdfffbc4d5e500025ccd1147cad513d59b69ab9557d
  • 383c86deed8797e0915acf3e0c1b6a4142c2c5ecb5d482517ed2ade4df6f36fd
  • 3eefa7072344e044c0a6abb0030f3f26065bf6a86bb50ea38473dd7ac73904fb
  • 3f121c714f18dfb59074cbb665ff9e7f36b2b372cfe6d58a2a8fb1a34dd71952
  • 3f4f546fba4f1e2ee4b32193abcaaa207efe8a767580ab92e546d75a7e978a0b
  • 3f8e38ccf71f122b65fdc679db13e3de3bb4b4fc04b8ab6f955d02e0bca10fae
  • 48f6810e50d08c2631f63aae307a7724dba830430f5edd4b90b4b6a5b3c3ca85
  • 4ff9bfde5b5d3614e6aa753cacc68d26c12601b88e61e03e4727ee6d9fe3cdc2
  • 57671d5154e707da0ee6139485f45a50fa9221852ebb65781d45a2660da7d0cb
  • 5898b41ca4f4777ad04d687f93548129ccb626d2f5e6e100b0a037c3d40a7444
  • 5a5385df469459cd56f6eecbf4b41b8c75aa17220c773501eaec22731f3a41bb
  • 5df3a6afb1a56fa076c6db716d5a050455158941ec962546a8799fc80ccfa573
  • 6046d6aed3f4ee2564d6be540d46bcdc0bebce11a1ced4b9ddbfa1a41084411c
  • 6288d3de1f1aa05fa0a5f0c8eb9880d077f034fc79fc20f87cbfcc522aa803cb
  • 6357fdb8f62948d489080b61caf135e6aaba32dcdb7dc49b0efafef178b3b54f
  • 65ead629a55e953b31668aac3bd373e229c45eb1871d8466f278f39ebcd5d26b
  • 6abd90d718113482a5bcd36e35b4ea32c469f94fc2cfb9c1c98214efbf64c352
  • 6c134908ad74dfa1468a1166e7d9244695f1ffeff68bfd4eec4b35820b542b8a
  • 6c5f72ddf0262838a921107520cdc12ba8e48dbafab4a66732a350095dd48e9f
  • 6e39ffecab4ca0bd7835a2e773ebfc3f6d909a0a680f898e55f85ed00728666d
  • 6e76d648d446e6a70acdd491f04c52d17f9f0e1ef34890c6628c4f48725b47c8
  • 77a33d9a4610c4b794a61c79c93e2be87886d27402968310d93988dfd32a2ccf
  • 7b16ce0d2443b2799e36e18f60fe0603df4383b1a392b0549c3f28159b1ca4d4
  • 7b1d4774176976ffcb2075889557f91a43c05fb13f3bc262bbaec4d7a0a827e6
  • 7b20e7e4e0b1c0e41de72c75b1866866a8f61df5a8af0ebf6e8dbd8f4e7bdc57
  • 80e48391ed32e6c1ca13079d900d3afad62e05c08bd6e929dffdd2e3b9f69299
  • 8167d41ad30f5d451791878815e479965b2f5213231f26819ecaf4fcc774ab12
  • 8578bff803098bf5ca0d752d0a81f07659688a32cbfc946728e5ab0403f5c4ba
  • 858b4070f8b83aa43fd6a5189a8ed226ce767a64972db893e36550a25b20be94
  • 86d839e1d741445f194965eee60d18bd292bec73e4889089e6caf9877581db12
  • 88c4019e66564ad8c15b189b903276910f9d828d5e180cac30f1f341647278fc
  • 8f50ddc1519e587597882a6bd0667653c36a8064b56ee5ff77665db2faf24710
  • 9136c36ccd0be71725e8720a6cfdbdd38d7eea3998228c69ed4b52e78ba979c4
  • 92c10ef23209e09abb17e41d67301f0e3f7d9e7ddfc7c1a66140c4986d72bee7
  • 92e94482dee75261c8ebdcbb7ace382a097cca11bcdc675bbe2d7b3f67525f84
  • 9812123d2367b952e68fa09bd3d1b3b3db81f0d3e2b3c03a53c21f12f1f4c889
  • 99559a5f06b0279ed893d2799b735dae450a620f6cea2ea58426d8b67d598add
  • 999d4f434bbc5d355656cc2a05982d61d6770a4c3c837dd8ec6aff8437ae405a
  • a3070ee10dd5bcd65a45b72848c926db2602e5297641452edff66e7133cdce9c
  • aad0537924bacddd0d5872f934723e765dbb182f2804c6f594f9b051937495ec
  • abb05ba50f45742025dd4ebff2310325783da00fb7bc885783e60a88c5157268
  • ac7e622e0d1d518f1b002d514c348a60f7a7e7885192e28626808a7b9228eab6
  • b6dbb902125e7bf6f6701b654cbff4abaf2e853441cf34045ac19eff5ed8ce84
  • b8f64a83ad770add6919d243222c62471600e64789264d116c560b7c574669ec
  • ba013420bd2306ecb9be8901db905b4696d93b9674bd7b10b4d0ef6f52fbd069
  • bf0adb30ca230eee6401861e1669b9cfeaa64122cc29c5294c2198f2d82f760e
  • c6214ec7909ce61d6ec3f46f5a7ec595d8cc8db48965c5baee8a346632cbe16d
  • c9a6f7b0603779690c1d189850403f86608a3c5e1cd91e76fd31c4f119ae256b
  • c9f6ba5368760bf384399c9fd6b4f33185e7d0b6ea258909d7516f41a0821056
  • cbe4b73c0c95c207ccde9d9bd80f541cf90cad18ba5abc3fe66a811ead1601c2
  • ccb5f8734befd6ab218513e16a57679a8fb43b2732e19233ee920d379045e318
  • cccd6b46f950caec5effdd07af339be78691974fec5f25d923932b35edb95c4a
  • d35ac29ea6e064b13d56f6a534022f253cf76b98e10a7ea1cbfa086eefd64f4b
  • d560f8717f4117d011f40c8880081d02d1455a41c93792e1600799d3e5ee9421
  • d6a0e62fe53116c9b5bccd2a584381e2ca86e35490d809ce1900603d5e6b53eb
  • ddf33eff293ffc268dfd0a33dddef97aefe9e010ec869dc22c221d197eb85740
  • de7c7a962e78ceeee0d8359197daeb2c3ca5484dc7cf0d8663fb32003068c655
  • e162a70a6e27fe23379d3a17a3a727d85a94b79416d81ec3b4ea80d329e96830
  • e41b89869c2b510c88acd1ed9fd4a6dfe89222a81c6c1241a69af3b7f812f712
  • e895dc605c6dcaf2c3173b5ec1a74a24390c4c274571d6e17b55955c9bd48799
  • eba3c07155c47a47ee4d9b5201f47a9473255f4d7a6590b5c4e7b6e9fc533c08
  • ee8ba1c5329d928d542bfa06eec2c0a3e3b97dcc20382ddbc27bc420ceaeb677
  • f3917832c68ed3f877df4cd01635b1c14a9c7e217c93150bebf9302223f52065
  • f4f062fd7b98365ed6db993b1da586dd43e5cdcc2f00a257086734daf88c9abb
  • fc39cb08cae90c661e00718e2a0051b5de3dcb7cddde919b9ffd2d79bf923d1f

Last edited: 21 January 2021 2:42 pm