Analysis of CoinMiner Attacks Targeting Web Servers
Essential information
- Published
- 24/06/2024 08:16
- Modified
- 24/06/2024 08:56
- Tags
- 2024-06-24 badpotato coinminer cpolar earthworm fscan godpotato netcat printnotifypotato privilege-escalation webshell xmrig
- Related entities
- 1 vulnerabilities (cve), 59 observables, 19 techniques (mitre), 12 malware
Description
The report details two separate attack cases targeting a Korean medical institution's web server, resulting in the installation of CoinMiners. The targeted server was a Windows IIS server, likely with PACS software installed. In both attacks, web shells were uploaded, and system information was collected. The first attack involved the use of Chinese tools like Cpolar and installation of a CoinMiner. The second attack used different tools like EarthWorm and RingQ but had the same ultimate goal of installing a CoinMiner. Based on various indicators, the threat actors in both cases are suspected to be Chinese-speaking users.