Monero (XMR) Mining Malware Combining RADMIN and MIMKATZ Is A Concern “For Data Exfiltration Of Enterprise Assets And Information”

Trend Micro researchers have just reported that there’s been a surge in a hack tool installation attempts that exploits a Windows SMB Server vulnerability.

This has been reportedly patched since 2017, and now, according to experts the targets are various organizations which are located in China, Hong Kong, Taiwan, and Italy.

It seems that the enterprise-level resources are perfect for the final payload of the campaign which is an XMR miner.

Technadu explained that “attackers use the Mimikatz utility to view the credential information in the infected machine (passwords, Kerberos tickets, etc.), combined with the Radmin remote access tool. This combination empowers them to infect the device with the mining payload remotely.”

The propagation of this malware involves worm-like behavior

Now, SCMagazine also addresses the proliferation of this malware detailing more on the exploiting of the critical vulnerabilities in order to spread in a worm-like behavior.

They note that the rise in malicious activities between the last week of January and February 2019 coincided with the local holiday celebrations and events.

Trend Micro noted that the attacks did not decrease after the Lunar New Year holidays at all.

“This combination of RADMIN and MIMIKATZ becomes a concern for data exfiltration of enterprise assets and information because of the randomly named and seemingly-valid Windows functions that may go undetected.” researchers said as reported by the online magazine.

They continued and explained, “Also, we found it interesting that the sample itself does not download the coinminer.”

Monero was mined by eight cryptojacking apps in the Microsoft Store

This news comes right after more reports addressed another severe Monero-related issue: Symantec’s new reports which revealed that eight cryptojacking apps had been removed from the Microsoft Store after they have been detected as being malicious back in January.

The conclusion was that these apps have been developed by the same group or person.


Follow us on Linkedin | Twitter | Facebook


Please enter your comment!
Please enter your name here