200. Threat Actors Eliminate Competitors from Compromised Systems

Hello everyone!

It's no secret that a network may already be compromised by the time a new intruder arrives, and sometimes the earlier intruders have exactly the same goal. What are the new unwanted guests going to do? Yes, eliminate the competitors!

Today we're going to talk about another very common threat: cryptocurrency miners. One may say it's not a real threat, but believe me, I have seen cases where an entire enterprise was disrupted by such an infection.

So, let's look at Kinsing (we track this activity cluster as Resourceful Wolf). Once it lands on a host, it abuses pkill -f to terminate processes belonging to other cryptominers. Because -f matches the pattern against the full command line, each entry kills any process whose arguments contain that string, so the list mixes process names, paths under /tmp, mining pool names and IP addresses, for example:

pkill -f .git/kthreaddw
pkill -f 80.211.206.105
pkill -f 207.38.87.6
pkill -f p8444
pkill -f supportxmr
pkill -f monero
pkill -f kthreaddi
pkill -f srv00
pkill -f /tmp/.javae/javae
pkill -f .javae
pkill -f .syna
pkill -f xmm
pkill -f solr.sh
pkill -f /tmp/.solr/solrd
pkill -f /tmp/javac
pkill -f /tmp/.go.sh
pkill -f /tmp/.x/agetty
pkill -f /tmp/.x/kworker
pkill -f c3pool
pkill -f /tmp/.X11-unix/gitag-ssh
pkill -f /tmp/1
pkill -f /tmp/okk.sh
pkill -f /tmp/gitaly
pkill -f 43a6eY5zPm3UFCaygfsukfP94ZTHz6a1kZh5sm1aZFB
pkill -f /tmp/.X11-unix/supervise
pkill -f /tmp/.ssh/redis.sh

And that's lots of detection opportunities! The simplest one is a process-creation event where pkill is launched with one of the distinctive strings in its command line, for example:

event_type: "processcreatenix"
AND proc_file_path: "pkill"
AND cmdline: ("kthreaddw" OR "supportxmr" OR "monero" OR "kthreaddi" OR "srv00")

Pick the distinctive strings only: entries like "/tmp/1", "xmm" or "/tmp/javac" are also in the Kinsing list, but they will match legitimate command lines and drown the alert. A stronger signal than any single match is the pattern itself: one parent process firing pkill -f against several different miner indicators within a few seconds, which is what a cleanup script looks like and what an administrator almost never does by hand.
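The detection logic run over sample telemetry, as an added example that is not part of the original post and not a rule from any vendor product. It assumes process-creation events shaped like the query above (event_type, proc_file_path, cmdline) plus a timestamp, host and parent pid, and the sample events are constructed for the example. match_single() is the post's query; burst_alerts() adds the per-parent burst rule described above.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Indicators taken from the Kinsing pkill list above. The generic entries
# ("/tmp/1", "xmm", "/tmp/javac") are left out on purpose: they match benign
# command lines and would drown the alert.
MINER_INDICATORS = (
    "kthreaddw", "supportxmr", "monero", "kthreaddi", "srv00", "c3pool",
    ".javae", ".syna", "solr.sh", "/tmp/.solr/solrd", "/tmp/.go.sh",
    "/tmp/.x/agetty", "/tmp/.x/kworker", "/tmp/.X11-unix/gitag-ssh",
    "/tmp/.X11-unix/supervise", "/tmp/.ssh/redis.sh", "/tmp/okk.sh",
    "80.211.206.105", "207.38.87.6",
)

# "pkill -f <pattern>", with an optional directory prefix such as /usr/bin/pkill.
PKILL_F = re.compile(r"^\s*(?:\S*/)?pkill\s+-f\s+(\S+)")


def indicator_in(cmdline):
    """Return the first miner indicator found in a 'pkill -f' command line, else None."""
    m = PKILL_F.match(cmdline)
    if not m:
        return None
    pattern = m.group(1)
    for ind in MINER_INDICATORS:
        if ind in pattern:
            return ind
    return None


def match_single(events):
    """The post's query: processcreatenix + pkill image + miner indicator in cmdline.
    Returns the matching events with the matched indicator attached."""
    hits = []
    for ev in events:
        if ev["event_type"] != "processcreatenix":
            continue
        path = ev["proc_file_path"]
        if not (path == "pkill" or path.endswith("/pkill")):
            continue
        ind = indicator_in(ev["cmdline"])
        if ind:
            hits.append({**ev, "indicator": ind})
    return hits


def burst_alerts(events, min_distinct=3, window_s=60):
    """Stronger rule: one parent process on one host running pkill -f against
    min_distinct different miner indicators within window_s seconds."""
    by_parent = defaultdict(list)
    for ev in match_single(events):
        by_parent[(ev["host"], ev["ppid"])].append(ev)
    alerts = []
    for (host, ppid), evs in by_parent.items():
        evs.sort(key=lambda e: e["ts"])
        for i, first in enumerate(evs):
            end = first["ts"] + timedelta(seconds=window_s)
            seen = {e["indicator"] for e in evs[i:] if e["ts"] <= end}
            if len(seen) >= min_distinct:
                alerts.append({"host": host, "ppid": ppid, "indicators": sorted(seen)})
                break  # one alert per parent is enough
    return alerts


def _ev(ts, host, ppid, path, cmdline):
    return {"ts": datetime.fromisoformat(ts), "host": host, "ppid": ppid,
            "event_type": "processcreatenix", "proc_file_path": path, "cmdline": cmdline}


# Constructed sample telemetry (hostnames, pids and timestamps are made up).
SAMPLE_EVENTS = [
    # a Kinsing-style cleanup loop on web01, all children of pid 4711
    _ev("2024-05-01T10:00:01", "web01", 4711, "/usr/bin/pkill", "pkill -f .git/kthreaddw"),
    _ev("2024-05-01T10:00:01", "web01", 4711, "/usr/bin/pkill", "pkill -f supportxmr"),
    _ev("2024-05-01T10:00:02", "web01", 4711, "/usr/bin/pkill", "pkill -f monero"),
    _ev("2024-05-01T10:00:02", "web01", 4711, "/usr/bin/pkill", "pkill -f /tmp/1"),  # too generic, ignored
    # an admin on db02 killing a single stray process by hand
    _ev("2024-05-01T11:30:00", "db02", 2200, "/usr/bin/pkill", "pkill -f monero"),
    # benign pkill with no miner indicator
    _ev("2024-05-01T11:31:00", "db02", 2200, "/usr/bin/pkill", "pkill -f tail"),
    # same pattern but a different image; the image check must reject it
    _ev("2024-05-01T11:32:00", "db02", 2200, "/usr/bin/pgrep", "pgrep -f monero"),
]

if __name__ == "__main__":
    for h in match_single(SAMPLE_EVENTS):
        print("single:", h["host"], h["cmdline"], "->", h["indicator"])
    for a in burst_alerts(SAMPLE_EVENTS):
        print("burst:", a)
```

The single-match rule fires on the lone "pkill -f monero" on db02 as well as on the web01 burst, so it needs triage; the burst rule only fires on web01, where one parent hit three distinct indicators within two seconds. Tune min_distinct and window_s against your own baseline before alerting on it.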

See you tomorrow!
