200. Threat Actors Eliminate Competitors from Compromised Systems
Hello everyone!
It's no secret that, in some cases, a network may already be compromised, sometimes by threat actors with the same goal. What are the new, unwanted guests going to do? Yes, eliminate the competitors!
Today we're going to talk about another very common threat: miners. Some may say it's not a real threat, but believe me, I have seen cases where an entire enterprise was disrupted by such an infection.
So, let's look at Kinsing (we track this activity cluster as Resourceful Wolf). It abuses pkill to terminate a list of processes related to other cryptominers. Note that pkill -f matches the pattern against the full command line, so a short string such as "monero" or an IP address kills every process whose argument list contains it. For example:
pkill -f .git/kthreaddw
pkill -f 80.211.206.105
pkill -f 207.38.87.6
pkill -f p8444
pkill -f supportxmr
pkill -f monero
pkill -f kthreaddi
pkill -f srv00
pkill -f /tmp/.javae/javae
pkill -f .javae
pkill -f .syna
pkill -f xmm
pkill -f solr.sh
pkill -f /tmp/.solr/solrd
pkill -f /tmp/javac
pkill -f /tmp/.go.sh
pkill -f /tmp/.x/agetty
pkill -f /tmp/.x/kworker
pkill -f c3pool
pkill -f /tmp/.X11-unix/gitag-ssh
pkill -f /tmp/1
pkill -f /tmp/okk.sh
pkill -f /tmp/gitaly
pkill -f 43a6eY5zPm3UFCaygfsukfP94ZTHz6a1kZh5sm1aZFB
pkill -f /tmp/.X11-unix/supervise
pkill -f /tmp/.ssh/redis.sh
And that's a lot of detection opportunities! For example:
event_type: "processcreatenix"
AND
proc_file_path: "pkill"
AND
cmdline: ("kthreaddw" OR "supportxmr" OR "monero" OR "kthreaddi" OR "srv00")
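To show the rule above actually firing, here is an added example (not code from the original post and not a BI.ZONE rule) that applies the same logic in Python to a handful of constructed process-creation events. The field names (event_type, proc_file_path, cmdline) follow the query above; the ppid and ts fields, the sample events and the burst heuristic are my own assumptions. It goes one step beyond the query: the indicator strings rotate between campaigns, so the example also flags any parent that spawns several "pkill -f" children within a short window, which is the durable behaviour behind this technique.

```python
"""Toy detection for Kinsing-style "kill the competing miner" behaviour.

Added example; event format, sample events and the burst heuristic are
assumptions, not the original post's or any vendor's own rule.
"""
import os
from collections import defaultdict

# Substrings taken from the pkill list in the post; matched case-insensitively
# against the full command line, just like pkill -f itself does.
COMPETITOR_INDICATORS = (
    "kthreaddw", "supportxmr", "monero", "kthreaddi", "srv00",
    ".javae", ".syna", "solr.sh", "/tmp/.solr/solrd", "/tmp/.go.sh",
    "/tmp/.x/agetty", "/tmp/.x/kworker", "c3pool",
    "/tmp/.X11-unix/gitag-ssh", "/tmp/okk.sh", "/tmp/gitaly",
    "/tmp/.X11-unix/supervise", "/tmp/.ssh/redis.sh",
    "43a6eY5zPm3UFCaygfsukfP94ZTHz6a1kZh5sm1aZFB",
)


def is_pkill(event):
    """True for a Linux process-creation event whose image is pkill."""
    return (event.get("event_type") == "processcreatenix"
            and os.path.basename(event.get("proc_file_path", "")) == "pkill")


def match_competitor_kill(event):
    """Return the indicator substrings found in a pkill command line ([] if none)."""
    if not is_pkill(event):
        return []
    cmd = event.get("cmdline", "").lower()
    return [ind for ind in COMPETITOR_INDICATORS if ind.lower() in cmd]


def scan(events):
    """(index, matched indicators) for every event that fires the rule."""
    return [(i, hits) for i, e in enumerate(events) if (hits := match_competitor_kill(e))]


def find_pkill_bursts(events, threshold=4, window_s=30.0):
    """Behavioural variant: {ppid: max count} for parents that spawn at least
    `threshold` 'pkill -f' children inside any `window_s` second window.
    This survives a change of indicator strings."""
    by_parent = defaultdict(list)
    for e in events:
        if is_pkill(e) and "-f" in e.get("cmdline", "").split():
            by_parent[e["ppid"]].append(e["ts"])
    bursts = {}
    for ppid, times in by_parent.items():
        times.sort()
        start = 0
        for end in range(len(times)):           # sliding window over timestamps
            while times[end] - times[start] > window_s:
                start += 1
            size = end - start + 1
            if size >= threshold:
                bursts[ppid] = max(bursts.get(ppid, 0), size)
    return bursts


# Constructed sample telemetry (not real logs). One benign pkill from an admin
# shell (ppid 1000), a burst of five from a hypothetical dropper (ppid 4242),
# and a grep that merely mentions "monero" and must not fire.
SAMPLE_EVENTS = [
    {"event_type": "processcreatenix", "proc_file_path": "/usr/bin/pkill",
     "cmdline": "pkill -f my_backup_job", "ppid": 1000, "ts": 0.0},
    {"event_type": "processcreatenix", "proc_file_path": "/usr/bin/pkill",
     "cmdline": "pkill -f supportxmr", "ppid": 4242, "ts": 1.0},
    {"event_type": "processcreatenix", "proc_file_path": "/usr/bin/pkill",
     "cmdline": "pkill -f monero", "ppid": 4242, "ts": 1.1},
    {"event_type": "processcreatenix", "proc_file_path": "/usr/bin/pkill",
     "cmdline": "pkill -f /tmp/.x/agetty", "ppid": 4242, "ts": 1.2},
    {"event_type": "processcreatenix", "proc_file_path": "/usr/bin/pkill",
     "cmdline": "pkill -f kthreaddi", "ppid": 4242, "ts": 1.3},
    {"event_type": "processcreatenix", "proc_file_path": "/usr/bin/pkill",
     "cmdline": "pkill -f 43a6eY5zPm3UFCaygfsukfP94ZTHz6a1kZh5sm1aZFB",
     "ppid": 4242, "ts": 1.4},
    {"event_type": "processcreatenix", "proc_file_path": "/usr/bin/grep",
     "cmdline": "grep -r monero /var/log", "ppid": 1000, "ts": 2.0},
]

if __name__ == "__main__":
    for idx, hits in scan(SAMPLE_EVENTS):
        print(f"event {idx}: {SAMPLE_EVENTS[idx]['cmdline']!r} -> {hits}")
    print("pkill -f bursts by parent:", find_pkill_bursts(SAMPLE_EVENTS))
```

The string-match rule is cheap and precise but only as good as its indicator list; the burst check is what you keep when the next campaign renames its victims, so tune threshold and window_s against a baseline of your own administrators' pkill usage before alerting on it.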
See you tomorrow!