Coin Miner

[mayowa 1]

Hello All,

A customer  was infiltrated with coin miners malware virus, ESET file security on the server was used to scan with threat-sense parameters of in-depth scan and strict cleaning,

We are still experiencing pop up's of  the presence of coin miner on the server as detected by ESET every minutes

Does anyone have any ideal on how to deal with this situation ?

For you perusal kindly find attached document for the Log collected from the file security installed on the server 

eset log.rar

[Marcos 5,070]

Does temporarily disconnecting the server from the network stop the malware from being created / detected ? Please gather logs with ESET Log Collector and provide me with the generated archive.

[mayowa 1]

1 hour ago, Marcos said:

Does temporarily disconnecting the server from the network stop the malware from being created / detected ? Please gather logs with ESET Log Collector and provide me with the generated archive.

Thanks Marcos for your swift response

Kindly check the ftp support server for the log as requested with the name Egbin efsw_logs.zip

I await your feedback for a resolution 

Thanks in anticipation 

Best Regards 

Edited May 24, 2018 by mayowa

[mayowa 1]

On 5/24/2018 at 4:18 PM, mayowa said:

Thanks Marcos for your swift response

Kindly check the ftp support server for the log as requested with the name Egbin efsw_logs.zip

I await your feedback for a resolution 

Thanks in anticipation 

Best Regards 

Hello Macros

I will like to follow up on the subject matter as reported earlier 

[mayowa 1]

On 5/28/2018 at 1:43 PM, mayowa said:

Hello Macros

I will like to follow up on the subject matter as reported earlier 

Hello All,

kindly help with above subject caption,we need immediate remediation because the client is running out of patience as it keeps coming backing after ESET detects and deletes it

Actually we thought of isolating the server,but it has spread to other servers and work stations 

[itman 1,659]

Post screen shots of what Eset is detecting. For example, the actual alert popup and entries from the log file.

[mayowa 1]

15 minutes ago, itman said:

Post screen shots of what Eset is detecting. For example, the actual alert popup and entries from the log file.

Thanks Itman for your response as requested please find attached document for "screen shot of what ESET is detecting "on entries from the log file",Kindly check the ftp support server for the log as requested with the name Egbin efsw_logs.zip

I await your response in anticipation for a quick resolution 

Regards 

[itman 1,659]

Since it sounds like it is pretty well entrenched in your network, I would start with the servers and then proceed to the endpoints.

Download SysInternals Autoruns: https://docs.microsoft.com/en-us/sysinternals/downloads/autoruns .

Run it as Admin. Under the Options setting, the only thing "hidden" should be empty locations. Under Scan Options in this section, checkmark VirusTotal.

Look for anything suspicious in any auto start locations such as registry run keys, etc. and Task Scheduler entries. Also under the WMI tab, look for suspicious events. Best way to remove items is to "uncheck" them in Autoruns. This way they are not permanently deleted and can be restored by re-checkmarking them if anything gets "borked."