{
  "name": "Analysis of CoinMiner Attacks Targeting Web Servers",
  "slug": "analysis-of-coinminer-attacks-targeting-web-servers",
  "description": "The report details two separate attack cases targeting a Korean medical institution's web server, both resulting in the installation of CoinMiners. The targeted server was a Windows IIS server, likely with PACS software installed. In both attacks, web shells were uploaded and system information was collected. The first attack involved the use of Chinese tools such as Cpolar and the installation of a CoinMiner. The second attack used different tools, such as EarthWorm and RingQ, but had the same ultimate goal of installing a CoinMiner. Based on various indicators, the threat actors in both cases are suspected to be Chinese-speaking users.",
  "published": "2024-06-24T06:16:18+00:00",
  "created_at": "2024-06-24T06:16:18+00:00",
  "modified_at": "2024-06-24T06:56:01+00:00",
  "created_at_opencti": "2024-06-24T06:16:18+00:00",
  "author": "",
  "confidence": null,
  "report_types": [],
  "labels": [],
  "tags": [
    "2024-06-24",
    "badpotato",
    "coinminer",
    "cpolar",
    "earthworm",
    "fscan",
    "godpotato",
    "netcat",
    "printnotifypotato",
    "privilege-escalation",
    "webshell",
    "xmrig"
  ],
  "related_entities": {
    "observables": [
      {
        "id": "",
        "name": "45.147.51.78"
      },
      {
        "id": "",
        "name": "192.210.206.76"
      },
      {
        "id": "",
        "name": "141.11.89.42"
      },
      {
        "id": "",
        "name": "14.19.214.36"
      },
      {
        "id": "",
        "name": "1.119.3.28"
      },
      {
        "id": "",
        "name": "45.130.22.219"
      },
      {
        "id": "",
        "name": "http://smtp.wptask.cyou:465"
      },
      {
        "id": "",
        "name": "http://sky.wptask.cyou:9999"
      },
      {
        "id": "",
        "name": "http://sinmaxinter.top:7005"
      },
      {
        "id": "",
        "name": "http://sinmaxinter.top:7001/C3-server25.zip:"
      },
      {
        "id": "",
        "name": "http://sinmaxinter.top:7001/services.zip:"
      },
      {
        "id": "",
        "name": "http://pop3.wptask.cyou:995"
      },
      {
        "id": "",
        "name": "http://info.perflogs.top:995"
      },
      {
        "id": "",
        "name": "http://c3.wptask.cyou:33333"
      },
      {
        "id": "",
        "name": "http://auto.skypool.xyz:9999"
      },
      {
        "id": "",
        "name": "http://auto.c3pool.org:33333"
      },
      {
        "id": "",
        "name": "http://45.147.51.78:995"
      },
      {
        "id": "",
        "name": "http://45.147.51.78:465"
      },
      {
        "id": "",
        "name": "http://45.130.22.219:995"
      },
      {
        "id": "",
        "name": "http://45.130.22.219:465"
      },
      {
        "id": "",
        "name": "http://45.130.22.219/aspx.exe:"
      },
      {
        "id": "",
        "name": "http://192.210.206.76/sRDI.dat:"
      },
      {
        "id": "",
        "name": "http://141.11.89.42:995"
      },
      {
        "id": "",
        "name": "http://141.11.89.42:8443"
      },
      {
        "id": "",
        "name": "http://141.11.89.42:465"
      },
      {
        "id": "",
        "name": "http://14.19.214.36/fscan.exe:"
      },
      {
        "id": "",
        "name": "http://14.19.214.36:6666/pp.exe:"
      },
      {
        "id": "",
        "name": "http://14.19.214.36/ew.exe:"
      },
      {
        "id": "",
        "name": "http://14.19.214.36/aa.aspx:"
      },
      {
        "id": "",
        "name": "http://14.19.214.36/RingQ.exe:"
      },
      {
        "id": "",
        "name": "http://14.19.214.36/11.exe:"
      },
      {
        "id": "",
        "name": "smtp.wptask.cyou"
      },
      {
        "id": "",
        "name": "sky.wptask.cyou"
      },
      {
        "id": "",
        "name": "pop3.wptask.cyou"
      },
      {
        "id": "",
        "name": "info.perflogs.top"
      },
      {
        "id": "",
        "name": "c3.wptask.cyou"
      },
      {
        "id": "",
        "name": "auto.skypool.xyz"
      },
      {
        "id": "",
        "name": "sinmaxinter.top"
      },
      {
        "id": "",
        "name": "e95e59984abcb80ba96b6379f31614995d0c462acd83a2180fead7ff11660eff"
      },
      {
        "id": "",
        "name": "ef91f4c5e4149f88c02ced681dd277593fc69edbcded8b506c3a2d601afda309"
      },
      {
        "id": "",
        "name": "e8fbec25db4f9d95b5e8f41cca51a4b32be8674a4dea7a45b6f7aeb22dbc38db"
      },
      {
        "id": "",
        "name": "c3887213c1fb6721c8fe231fc65e62f1dbf7b2a4e3038900fce64807b66b4820"
      },
      {
        "id": "",
        "name": "c257ba5d2283a288115e026af12b369b38488737408e1e771794ad6e35b6412b"
      },
      {
        "id": "",
        "name": "9f62c1d330dddad347a207a6a565ae07192377f622fa7d74af80705d800c6096"
      },
      {
        "id": "",
        "name": "9a8e9d587b570d4074f1c8317b163aa8d0c566efd88f294d9d85bc7776352a28"
      },
      {
        "id": "",
        "name": "95b115038debcff42c6fe6cf1a89e4072b3e03f360ef62460cffcf7f5f4bdda7"
      },
      {
        "id": "",
        "name": "78eed41cec221edd4ffed223f2fd2271a96224fd1173ed685c8c0b274fe93029"
      },
      {
        "id": "",
        "name": "4ff8820d088b32f5ade6c9bb7d88f0291e08267c70235297c28c448bd42b9ab7"
      },
      {
        "id": "",
        "name": "4e1469c61a6017c38d840c4751abfdd21fd98a0ff2d5fdba26d227cd448b5f64"
      },
      {
        "id": "",
        "name": "3a6091fd5b5755d0249ef4d6af11c807dbe902c2428f923ad2490e99ebbf06ad"
      },
      {
        "id": "",
        "name": "3e59379f585ebf0becb6b4e06d0fbbf806de28a4bb256e837b4555f1b4245571"
      },
      {
        "id": "",
        "name": "38440cb4263ab8e89751ddaee65912b1ae9604cffda0d6955191e4e669a57c96"
      },
      {
        "id": "",
        "name": "3027a212272957298bf4d32505370fa63fb162d6a6a6ec091af9d7626317a858"
      },
      {
        "id": "",
        "name": "2e8c7eacd739ca3f3dc4112b41a024157035096b8d0c26ba79d8b893136391bc"
      },
      {
        "id": "",
        "name": "24d373bab944de6f019e4c4744e56ed8b2f8803a82fb54bbf0882e11a95483c7"
      },
      {
        "id": "",
        "name": "1cd966f10763befded887621ae3a4bf8fdb8f64de06c60e65d69fae19a8aece6"
      },
      {
        "id": "",
        "name": "1bc740dcaaf0e2b07609d7f8e1a8823550fe93bba7503c899e5e5503f881bfdb"
      },
      {
        "id": "",
        "name": "16c82388c73f744d12813a016539c46edeeea379020d158fb2afbc578d28fb31"
      },
      {
        "id": "",
        "name": "f4dd44bc19c19056794d29151a5b1bb76afd502388622e24c863a8494af147dd"
      }
    ],
    "malware": [
      {
        "id": "legacy:malware:49f1b3e378babcd7",
        "name": "PrintNotifyPotato",
        "slug": "printnotifypotato"
      },
      {
        "id": "legacy:malware:8ec45b7271aa9736",
        "name": "NetCat",
        "slug": "netcat"
      },
      {
        "id": "43704c7d-2b8b-409d-850c-c7f42e4a08e6",
        "name": "Fscan",
        "slug": "fscan"
      },
      {
        "id": "8e6bc123-8c9d-40de-a11c-4d0c404e91fe",
        "name": "EarthWorm",
        "slug": "earthworm"
      },
      {
        "id": "f6ec2655-3aee-4d3c-b692-afe633990b38",
        "name": "Lcx",
        "slug": "lcx"
      },
      {
        "id": "055a0b5c-17d4-4191-bd62-125a96d30e7c",
        "name": "Frpc",
        "slug": "frpc"
      },
      {
        "id": "d0f89d35-cf32-43f9-9761-cd1cb6d2e6e2",
        "name": "Cpolar",
        "slug": "cpolar"
      },
      {
        "id": "legacy:malware:e880539d0209deec",
        "name": "Ladon",
        "slug": "ladon"
      },
      {
        "id": "legacy:malware:9de210b6e405b8e6",
        "name": "GodPotato",
        "slug": "godpotato"
      },
      {
        "id": "7637bc58-ea97-4018-8bdd-a5eb46308d2b",
        "name": "BadPotato",
        "slug": "badpotato"
      },
      {
        "id": "legacy:malware:8e4a8ac9d4094a05",
        "name": "RingQ",
        "slug": "ringq"
      },
      {
        "id": "legacy:malware:83adebc6ef4eb478",
        "name": "XMRig",
        "slug": "xmrig"
      }
    ],
    "attack_patterns": [
      {
        "id": "b15c00da-c412-4429-900c-659de612baf5",
        "name": "T1543.003"
      },
      {
        "id": "d5c953ff-b143-41b6-bf2d-87b829132ea5",
        "name": "T1135"
      },
      {
        "id": "40f0d8e3-bcd7-4b97-a958-f55815698fc5",
        "name": "T1053.005"
      },
      {
        "id": "19ce62bb-3faf-4d09-90b1-d82fce1ba8b0",
        "name": "T1136"
      },
      {
        "id": "32b33067-6566-4b8d-be80-e96f765d84de",
        "name": "T1059.001"
      },
      {
        "id": "6efb8bea-11d7-418d-a429-9f4a3e6c50f6",
        "name": "T1087"
      },
      {
        "id": "53b3b18c-d0d0-4bf6-bc6b-2c0ab9180deb",
        "name": "T1070"
      },
      {
        "id": "60972cf6-e90b-4600-af3c-13c468391d9c",
        "name": "T1106"
      },
      {
        "id": "70616b2f-4019-4963-b758-5d9f6f20e201",
        "name": "T1082"
      },
      {
        "id": "dc342445-1b78-48b4-aa06-89ed2ad7c28e",
        "name": "T1071"
      },
      {
        "id": "af9ed2e3-4663-4723-beab-c606ddc312e0",
        "name": "T1543"
      },
      {
        "id": "c3af9fd7-d307-4df4-9220-cc627938fb85",
        "name": "T1055"
      },
      {
        "id": "33962583-7396-47ef-913d-1db78d6685c9",
        "name": "T1569"
      },
      {
        "id": "0c836307-129e-4ff7-a532-180c633cacba",
        "name": "T1027"
      },
      {
        "id": "bb20a9e1-f4f6-459d-94f4-470c6867dc2d",
        "name": "T1053"
      },
      {
        "id": "fcd96dc0-500e-4354-bd97-5c65718a9004",
        "name": "T1562"
      },
      {
        "id": "6c8f8a40-2746-4a37-86bd-81e82afa6e62",
        "name": "T1190"
      },
      {
        "id": "6a495275-5433-4b64-90e5-18b9f07296da",
        "name": "T1072"
      },
      {
        "id": "9b6064e6-a05b-4e95-baf5-34d180bc9221",
        "name": "T1059"
      }
    ],
    "vulnerabilities": [
      {
        "id": "",
        "name": "CVE-2021-1732"
      }
    ]
  },
  "external_refs": [
    "https://asec.ahnlab.com/en/66994/",
    "https://otx.alienvault.com/pulse/66792b528adc701cbc163166"
  ]
}