DTLMiner

Here is the timeline of DTLMiner. I work for Rising Antivirus and monitor this malware. For more details, please refer to the links at the end of this blog.


  • 2020.06.03
    • Linux
      • Add code for platform check (x86_64 XMRig only)
      • Add code to remove other miners (by process, file, command line and network connection)
      • Try to spread via SSH public-key login
    • Windows
      • Update Lateral Movement
        • Add Redis unauthorized access check & RCE (Linux only)
  • 2020.06.02
    • Update 1st-stage script
      • Add code to uninstall a specific security product (using wmic)
  • 2020.06.01
    • When an SSH brute-force attempt succeeds, DTLMiner sends a command through plink to make the compromised host download and execute a specific bash script (mainly for mining cryptocurrency)
  • 2020.05.28
    • Remove related calls to the SSH Brute module
    • RDP Brute module fully recovered, along with a new method to send commands over RDP
  • 2020.05.25
    • Add a new domain, switch main domain to t.amynx.com
  • 2020.05.21
    • Add a new domain, switch main domain to t.awcna.com
    • Update Lateral Movement
      • Add SSH Brute module
        • Brute-force only, no spreading
  • 2020.05.11
    • Update Lateral Movement
      • Recover RDP Brute module
        • Brute-force only, no spreading
      • MSSQL Brute module: add a new method to execute commands
  • 2020.04.29
    • Revert yesterday's changes to the 3rd-stage script
  • 2020.04.28
    • Update 3rd-stage script
      • Update domain for downloading other modules
      • Remove code for downloading the email spread module
    • Update Lateral Movement
      • Add "-w hidden" to the PowerShell command
      • Remove RDP Brute code
  • 2020.04.27
    • BypassUAC module now supports Windows 10
  • 2020.04.22
    • Update 3rd-stage script
      • Embed the if_mail.bin download code into the 3rd-stage script (Normal Domain Mode only)
    • Update Lateral Movement
      • Add CVE-2020-0796 (SMBGhost) scanner
    • Update email spread module
      • Add default domain
      • Randomize JavaScript obfuscation
  • 2020.04.21
    • Switch main domain from t.awcna.com to t.tr2q.com
  • 2020.04.20
    • Update 3rd-stage script
      • Update domain for downloading other modules
      • No longer use hosts-file redirection for the mining pool's domain
  • 2020.04.18
    • Update domain for downloading other modules
  • 2020.04.16
    • Update 1st & 3rd-stage scripts: now try to disable Windows Defender, Security Center & System Restore through the registry
    • Update Lateral Movement
      • Write "readme.js" when spreading through USB
      • Only drop "run.bat" when spreading through SMB
      • Disable RDP Brute
    • Update email spread module
      • Randomly pick mail subject & content
      • Attachment now contains two files: readme.zip (readme.js inside) & readme.doc
    • Add BypassUAC module (wusa extract + Windows tool with "autoelevate" property + malicious DLL)
  • 2020.04.09
    • Update email spread module: now extracts email addresses from mails in the "Inbox" and "Sent" folders
  • 2020.04.02
    • Update 1st-stage script: change embedded domain (the new domain has no DNS resolution record)
  • 2020.03.30
    • report.jsp now returns valid data: it downloads a module for email spread (using an RTF document with DDE execution & CVE-2017-8570)
      • Scheduled tasks that use the normal domain, instead of a random domain plus hosts redirection, construct a valid RTF file
      • The email spread module extracts email addresses from the Outlook address book
  • 2020.03.08
    • Update program for spreading through USB
  • 2020.02.26
    • Update domain for downloading other modules
  • 2020.02.24
    • Fix bug in 3rd-stage script
  • 2020.02.22
    • Remove 32-bit miner
    • Use GZip to compress the PE embedded in the mining script (av_bypass)
    • Update program for spreading through USB (bugfix)
  • 2020.01.25
    • Add DGA with hosts-file redirection (av_bypass)
    • Create empty scheduled tasks, then connect to them through COM and fill them with malicious code (av_bypass)
    • Code for attacking Windows XP became invalid
    • Update 64-bit miner
    • Update program for spreading through USB (bug included)
  • 2020.01.06
    • Update Lateral Movement: add code for killing security software's processes & services
  • 2019.12.30
    • Update 3rd-stage script: try to modify DNS settings
  • 2019.12.28
    • Fix abnormal domain
    • Add script to modify previously created scheduled tasks that carry the abnormal domain
  • 2019.12.25
    • Add hash check for the Nvidia graphics card mining module, wfreerdp and mimikatz
    • Update miner
    • Optimize code
    • Remove registry changes of RDP
    • Enlarge weak-password dictionary
  • 2019.12.23
    • Try to disable Windows Defender real-time protection once lateral movement succeeds on the target computer
    • RDP Brute module rolled back to the old version, which uses wfreerdp to brute-force and execute commands
  • 2019.12.17
    • Update 3rd-stage script: download a special version of the XMRig miner when an AMD or Nvidia graphics card is found
  • 2019.12.15
    • Update domain for downloading other modules
  • 2019.12.13
    • Stop downloading the OpenCL module and miner for Nvidia graphics cards on 64-bit systems, and try to rename them if already downloaded
  • 2019.12.11
    • Update domain for downloading other modules
    • Add OpenCL module
    • 64-bit systems with an Nvidia graphics card now get a special version of the XMRig miner
  • 2019.12.08
    • Update domain for downloading other modules
    • Use a new method to get graphics card info
    • Stop downloading the miner for AMD Radeon graphics cards on 64-bit systems
    • Try to disable Windows Defender real-time protection on Windows 10
  • 2019.12.04
    • Update Lateral Movement: enable RDP Brute module
  • 2019.12.03
    • Update 64-bit miner
  • 2019.12.02
    • Update 3rd-stage script: update domain for downloading other modules
  • 2019.12.01
    • Send miner version to server
    • Update miner module
    • Update the mining pool embedded inside the miner
  • 2019.11.28
    • Add an abnormal domain
    • Use a new method to load the 32-bit miner
  • 2019.11.27
    • Update main domain
  • 2019.11.16
    • Update Lateral Movement: disable RDP Brute module, optimize code
  • 2019.11.13
    • Update Lateral Movement: remove PyInstaller module
    • Update 3rd-stage script: send memory info to server
  • 2019.11.12
    • Update Lateral Movement: add PyInstaller module (2019.04.01)
  • 2019.10.30
    • Update Lateral Movement script: just another optimization of the RDP Brute module along with some minor changes
  • 2019.10.25
    • Update Lateral Movement script: re-enable RDP Brute module with optimizations
  • 2019.10.23
    • Update Lateral Movement script: add module for killing other backdoors and coinminers
  • 2019.10.09
    • Update 3rd-stage script: roll back to the 2019.09.07 version
    • Update Lateral Movement script: disable RDP Brute module, add CVE-2019-0708 (BlueKeep) scanner
  • 2019.09.10
    • Update 3rd-stage script: roll back to the 2019.08.27 version
  • 2019.09.07
    • Add an extra script for handling 64-bit systems with an AMD Radeon graphics card; it downloads the OpenCL module along with the XMRig miner
  • 2019.08.27
    • 64-bit systems with an AMD Radeon graphics card now get a special version of the XMRig miner
  • 2019.08.26
    • Enable the XMRig miner web API, submit hash rate to its server
  • 2019.08.22
    • Update 3rd-stage script: collect more system info, check downloaded modules' MD5 before running them
  • 2019.08.21
    • Update Lateral Movement script: add file-less mode for mimikatz
  • 2019.08.15
    • Update Lateral Movement script: add RDP Brute module
  • 2019.08.09
    • Update Lateral Movement script: Internet and intranet use different initial scripts
  • 2019.07.18
    • Update Lateral Movement script: add USB Spread module (using CVE-2017-8464)
  • 2019.06.19
    • The malware's author tries to use stdout redirection to get the hash rate and submit it (this version of the script only survived for about an hour)
  • 2019.06.05
    • Use new domain for attack
    • Change attack process
    • Add signature verification for 3rd-stage script
  • 2019.04.17
    • Update Lateral Movement script: file-less mode only
  • 2019.04.03
    • Update Miner module: drop and execute -> PowerShell reflective loader
  • 2019.04.01
    • Update Lateral Movement module: add file-less mode
  • 2019.03.28
    • Update Lateral Movement module
  • 2019.03.27
    • Update Miner module: download Nvidia graphics card related module to boost mining speed
  • 2019.02.25
    • Update Lateral Movement module: add MSSQL Brute module, add more weak passwords
  • 2019.01
    • Update Lateral Movement module: register scheduled task, add mimikatz module, SMB Brute module and Miner module
  • 2018.12.19
    • Add PowerShell-based backdoor
  • 2018.12.14
    • Initial version: supply-chain attack (using DriveTheLife's update module), spreads with EternalBlue
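As an added defender-side example (not from the original post and not Rising's tooling), the following Python gathers the indicators the timeline names (the three main domains, the dropped file names, the "-w hidden" PowerShell flag, the wmic uninstall and the Defender tampering) into a small hunting routine over constructed process-creation records and a hosts file. The Defender registry value name and all sample records are my assumptions, not taken from the page.

```python
from __future__ import annotations
import re

# Indicators from the DTLMiner timeline above: main domains, dropped files, "-w hidden".
DTLMINER_DOMAINS = ("t.awcna.com", "t.amynx.com", "t.tr2q.com")
DTLMINER_FILES = ("readme.js", "readme.zip", "readme.doc", "run.bat", "if_mail.bin")
HIDDEN_PS = re.compile(r"-w(?:indowstyle)?\s+hidden", re.IGNORECASE)
# Documented Defender policy value; not named on the page, included as an assumption.
DEFENDER_RT_VALUE = "disablerealtimemonitoring"

def classify_cmdline(cmdline: str) -> list[str]:
    """Return the DTLMiner-related reasons a process command line matches (empty if none)."""
    c = cmdline.lower()
    reasons = []
    if any(d in c for d in DTLMINER_DOMAINS):
        reasons.append("known DTLMiner domain")
    if "powershell" in c and HIDDEN_PS.search(c):
        reasons.append("hidden-window PowerShell")
    if any(f in c for f in DTLMINER_FILES):
        reasons.append("dropped file name")
    if "wmic" in c and "uninstall" in c:
        reasons.append("wmic product uninstall")
    if DEFENDER_RT_VALUE in c:
        reasons.append("Defender real-time protection tampering")
    return reasons

def scan_process_events(lines: list[str]) -> list[tuple[str, list[str]]]:
    """Scan 'timestamp<TAB>command line' records; return (cmdline, reasons) for matches."""
    cmdlines = [line.partition("\t")[2] for line in lines]
    return [(c, r) for c in cmdlines if (r := classify_cmdline(c))]

def find_hosts_redirections(hosts_text: str) -> list[tuple[str, str]]:
    """Heuristic for the DGA-plus-hosts-redirection trick (2020.01.25):
    names the hosts file maps to a non-loopback address, for manual triage."""
    found = []
    for raw in hosts_text.splitlines():
        fields = raw.split("#", 1)[0].split()
        if len(fields) >= 2 and not fields[0].startswith(("127.", "::1")):
            found.extend((fields[0], name) for name in fields[1:])
    return found

# Constructed sample records (not real telemetry); TEST-NET address and a made-up name.
SAMPLE_EVENTS = [
    "2020-06-03T10:00:01\tpowershell.exe -w hidden -nop -c \"... http://t.amynx.com/report.jsp ...\"",
    "2020-06-03T10:00:02\twmic product where \"name like 'ExampleAV%'\" call uninstall",
    "2020-06-03T10:00:03\tnotepad.exe C:\\Users\\a\\notes.txt",
    "2020-06-03T10:00:04\twscript.exe E:\\readme.js",
    "2020-06-03T10:00:05\treg.exe add \"<Defender policy key>\" /v DisableRealtimeMonitoring /d 1",
]
SAMPLE_HOSTS = "127.0.0.1 localhost\n::1 localhost\n203.0.113.10 qxkz.example  # DGA-style name\n"
```

The hosts heuristic will also flag legitimate static entries, so treat its output as a triage list rather than an alert.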

Useful links (Chinese version only, sorry):
https://mp.weixin.qq.com/s/jPLpAGJDeRXxLcB_dzL5fw
http://it.rising.com.cn/dongtai/19692.html
http://it.rising.com.cn/dongtai/19659.html

For sample request, please contact me through email :-)
