A new malware attack kit that stitches together two Trojans and a coinminer to harvest data and mine Monero was observed scanning for vulnerable machines from China, Taiwan, Italy, and Hong Kong, and spreading itself over the Internet and across local area networks.

Trend Micro's Don Ovid Ladores, Michael Jhon Ofiaza, and Gilbert Sison detected the attack kit while it was dropping what looked like randomly named files into the Windows folder of computers that had port 445 open and were exposed to an SMB exploit for the MS17-010 Windows SMB Server vulnerability, which Microsoft already patched back in 2017.

The multi-stage infection process uses what Trend Micro calls Trojan.Win32.INFOSTEAL.ADS to gain an initial foothold once the exploit succeeds. This strain connects to a command-and-control (C&C) server to report information about the infected host to its operators and to fetch the next malware payloads.

Infection numbers in China and Taiwan

In the second infection stage, a Python-compiled variant of the MIMIKATZ Trojan is dropped and executed on the compromised system. The Trojan automatically loads a number of extra modules designed to collect and exfiltrate data, and to scan for other Windows machines it can infect using an exploit for the MS17-010 SMB server vulnerability.

The MIMIKATZ component also downloads the Python psexec module, which it uses to run commands the attackers send remotely through an additional hacking tool dropped by the Trojan beforehand, detected by Trend Micro as HackTool.Win32.Radmin.GB.

Attack Kit Architecture

The next stage downloads and executes an encrypted Monero coinminer payload, following a command sent by the malicious actors via the Radmin hacking tool dropped on the victim's system in the previous stage.
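The chain described above (inbound SMB on port 445, a randomly named file dropped straight into the Windows folder, then an outbound C&C connection from that dropped process) lends itself to a simple stage-correlation rule. The following is an added detection example, not code from the article or from Trend Micro; the JSON-lines log format, the host names, the addresses and the "random name" heuristic are all constructed assumptions.

```python
import json
import re
from datetime import datetime, timedelta

# Constructed sample events (not from the report): inbound/outbound network
# connections and file-creation events from two hosts, one JSON object per line.
SAMPLE_LOG = r"""
{"ts":"2019-02-12T03:10:02","host":"WS01","type":"net","dir":"in","src":"203.0.113.45","dport":445}
{"ts":"2019-02-12T03:10:09","host":"WS01","type":"file","path":"C:\\Windows\\x7k2pq9d.exe"}
{"ts":"2019-02-12T03:10:15","host":"WS01","type":"net","dir":"out","dst":"198.51.100.7","dport":8080,"proc":"x7k2pq9d.exe"}
{"ts":"2019-02-12T03:12:00","host":"WS02","type":"net","dir":"in","src":"192.168.1.20","dport":445}
{"ts":"2019-02-12T03:12:30","host":"WS02","type":"file","path":"C:\\Windows\\System32\\drivers\\etc\\hosts"}
{"ts":"2019-02-12T03:13:00","host":"WS02","type":"net","dir":"out","dst":"192.168.1.5","dport":443,"proc":"svchost.exe"}
"""

WINDOW = timedelta(minutes=10)  # assumed correlation window between stages
# Heuristic for the "random-looking" names the report describes: a binary written
# directly into C:\Windows (no subfolder) whose stem is 6-12 alphanumerics.
DROP_RE = re.compile(r"^C:\\Windows\\([a-z0-9]{6,12})\.(exe|dll)$", re.I)

def looks_random(stem):
    """Mixed letters and digits; a crude stand-in for a real entropy check."""
    return any(c.isdigit() for c in stem) and any(c.isalpha() for c in stem)

def parse_events(text):
    events = [json.loads(line) for line in text.strip().splitlines()]
    for e in events:
        e["ts"] = datetime.fromisoformat(e["ts"])
    return sorted(events, key=lambda e: e["ts"])

def correlate(events):
    """Return one alert per (host, SMB source, dropped file) that completes all three stages."""
    alerts, by_host = [], {}
    for e in events:
        by_host.setdefault(e["host"], []).append(e)
    for host, evs in by_host.items():
        smb_in = [e for e in evs if e["type"] == "net" and e.get("dir") == "in" and e.get("dport") == 445]
        for s in smb_in:
            deadline = s["ts"] + WINDOW
            for f in evs:
                m = f["type"] == "file" and DROP_RE.match(f["path"])
                if not m or not (s["ts"] < f["ts"] <= deadline) or not looks_random(m.group(1)):
                    continue
                dropped = (m.group(1) + "." + m.group(2)).lower()
                beacon = next((o for o in evs if o["type"] == "net" and o.get("dir") == "out"
                               and o.get("proc", "").lower() == dropped
                               and f["ts"] < o["ts"] <= deadline), None)
                if beacon:
                    alerts.append({"host": host, "smb_src": s["src"], "dropped": f["path"],
                                   "c2": f"{beacon['dst']}:{beacon['dport']}"})
    return alerts

if __name__ == "__main__":
    for alert in correlate(parse_events(SAMPLE_LOG)):
        print(alert)
```

WS02 receives an SMB connection too, but the file it writes afterwards sits in a subfolder with a normal name and no beacon follows, so only WS01 is flagged; since the kit also spreads over the LAN, the rule deliberately does not require the SMB source to be an external address.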

As detailed by Trend Micro's researchers:

We suspect that the cybercriminals behind this malware deployment are developing this modular structure to infect as many systems as possible for future attacks via escalated privileges, remote access, and using stolen credentials. Since the info stealer is able to send back information such as user accounts, port forwarding, and system specifics, and capable of planting the hack tool for remote admin functions, it can let attackers remotely access the system to initiate more attacks in the future if left unchecked.

The attack kit was built from multiple free tools, "from Python-compiled malware, open-source modules, outdated exploit and freeware hacktools," which hints that these actors may be new to the scene.

This is also suggested by the fact that the tools used to construct the attack kit are quite old, with both the open-source MIMIKATZ and the Radmin tool being well known and easily detected by most, if not all, anti-malware solutions.

Similar operations have been active since at least mid-2017

However, the propagation technique and the randomly named files added to compromised Windows targets do point to some level of refinement, and they help the kit stay unnoticed at least until the coinminer starts working and slowing down the victims' systems.

As Trend Micro further notes, the attackers might also take "advantage of the fact that the companies in these countries can't detect the malware's activity as the dates coincided with regional holiday celebrations and events."

This is not the first time free tools and off-the-shelf malware have been used in a malware campaign: multiple financial organizations in West Africa have experienced similar attack patterns since at least mid-2017.

According to a Symantec report on those attacks, the threat actors used a combination of the commercial penetration testing tool Cobalt Strike, the MIMIKATZ and NanoCore Trojans, free hacking tools, and a number of PowerShell scripts.