We detected an ongoing cryptomining operation that is likely a minor update of the TeamTNT campaign reported by Palo Alto Networks' Unit 42 in June, a campaign that uses TTPs associated with the WatchDog group.
Unit 42's detailed report on the June campaign: https://unit42.paloaltonetworks.com/teamtnt-cryptojacking-watchdog-operations/
Indicators of compromise (IOCs) for the currently active operation:

Monero (XMR) mining pools (host:port):
xmr-asia1.nanopool.org:14444
xmr.f2pool.com:13531
gulf.moneroocean.stream:10001

XMR payout wallet: 43Xbgtym2GZWBk87XiYbCpTKGPBTxYZZWi44SWrkqqvzPZV6Pfmjv3UHR6FDwvPgePJyv9N5PepeajfmKp1X71EW7jx4Tpz
Files (SHA-256):

| File | SHA-256 |
|---|---|
| cronb.sh | e20a0566974934e8a8cc44ece0e700963e5542039212117420f7756d89d4e551 |
| b.sh | 5ff970d3cda54f610621158dec2aa9e68ac7a11c206cf049b3c028fa0c228d4d |
| cronrs.sh | 64beb4ecbecbd427f04dfeb27193be2285ccafbf9f06afbbb4d4739410c52dd9 |
| cronis.sh | 549ce260b7c3f72ccb0d57e0ca0798419f9e528f206fa5b3423ff36bca48ea47 |
| iss.sh | 27ad23ce394cb815aa1c026d9e3510a1e3a90dd832a5f9ab776549d2ac2120ca |
| cf.jpg | eca42c42f0909cf4e6df6bf8de35ab93ef6a3dd10d0d5e556721ec1871a9990c |
| mod.jpg | 7695a56e0540a2600d9882cf9e504c1b25cadb2368bee8789afa53b5c4e74809 |
| father.jpg | 3f15276876988717846ca687aca6efde12774b09c4eb56cb560054a491230ac3 |
| cronscan | 55b78b2945a28557fc52fce476b1517b1b46cc8d9b2d047b8e3dc623dac7363a |
Download URLs (defanged; read h[xx]p as http):
h[xx]p://oracle.zzhreceive.top/b2f628/b.sh
h[xx]p://oracle.zzhreceive.top/b2f628fff19fda999999999/b.sh
h[xx]p://oracle.zzhreceive.top/b2f628/cronrs.sh
h[xx]p://oracle.zzhreceive.top/b2f628fff19fda999999999/iss.sh
h[xx]p://199.19.226.117/b2f628/cronb.sh
h[xx]p://oracle.zzhreceive.top/b2f628/cronscan
h[xx]p://112.253.11.38/mod.jpg
h[xx]p://oracle.zzhreceive.top/b2f628/father.jpg
h[xx]p://oracle.zzhreceive.top/b2f628/cf.jpg
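To make the indicators above directly usable, here is an added hunting script (example code written for this page, not part of the original post or of any vendor tooling). The hash, URL, pool and wallet values are copied verbatim from the list above; the SAMPLE_LOG lines are constructed for demonstration, and the refang() helper simply reverses the post's h[xx]p defanging. It matches file hashes on disk and hostnames, URLs, pool endpoints and the wallet string in log or command-line data:

```python
"""Hunt for the IOCs listed above. Added example, not from the original post:
indicator values are copied from the post, SAMPLE_LOG lines are constructed."""
import hashlib
import os
import re
import tempfile
from urllib.parse import urlsplit

# SHA-256 hashes from the post, keyed by the file name the campaign uses.
IOC_SHA256 = {
    "cronb.sh": "e20a0566974934e8a8cc44ece0e700963e5542039212117420f7756d89d4e551",
    "b.sh": "5ff970d3cda54f610621158dec2aa9e68ac7a11c206cf049b3c028fa0c228d4d",
    "cronrs.sh": "64beb4ecbecbd427f04dfeb27193be2285ccafbf9f06afbbb4d4739410c52dd9",
    "cronis.sh": "549ce260b7c3f72ccb0d57e0ca0798419f9e528f206fa5b3423ff36bca48ea47",
    "iss.sh": "27ad23ce394cb815aa1c026d9e3510a1e3a90dd832a5f9ab776549d2ac2120ca",
    "cf.jpg": "eca42c42f0909cf4e6df6bf8de35ab93ef6a3dd10d0d5e556721ec1871a9990c",
    "mod.jpg": "7695a56e0540a2600d9882cf9e504c1b25cadb2368bee8789afa53b5c4e74809",
    "father.jpg": "3f15276876988717846ca687aca6efde12774b09c4eb56cb560054a491230ac3",
    "cronscan": "55b78b2945a28557fc52fce476b1517b1b46cc8d9b2d047b8e3dc623dac7363a",
}
# Download URLs exactly as defanged in the post.
IOC_URLS_DEFANGED = [
    "h[xx]p://oracle.zzhreceive.top/b2f628/b.sh",
    "h[xx]p://oracle.zzhreceive.top/b2f628fff19fda999999999/b.sh",
    "h[xx]p://oracle.zzhreceive.top/b2f628/cronrs.sh",
    "h[xx]p://oracle.zzhreceive.top/b2f628fff19fda999999999/iss.sh",
    "h[xx]p://199.19.226.117/b2f628/cronb.sh",
    "h[xx]p://oracle.zzhreceive.top/b2f628/cronscan",
    "h[xx]p://112.253.11.38/mod.jpg",
    "h[xx]p://oracle.zzhreceive.top/b2f628/father.jpg",
    "h[xx]p://oracle.zzhreceive.top/b2f628/cf.jpg",
]
# Mining pools (host:port) and payout wallet from the post.
IOC_POOLS = {"xmr-asia1.nanopool.org:14444", "xmr.f2pool.com:13531",
             "gulf.moneroocean.stream:10001"}
IOC_WALLET = ("43Xbgtym2GZWBk87XiYbCpTKGPBTxYZZWi44SWrkqqvzPZV6Pfmjv3UHR6FDwvPg"
              "ePJyv9N5PepeajfmKp1X71EW7jx4Tpz")


def refang(url):
    """Undo the post's h[xx]p:// defanging so indicators match real log data."""
    return re.sub(r"^h\[xx\]p(s?)://", r"http\1://", url)


IOC_URLS = {refang(u) for u in IOC_URLS_DEFANGED}
# Hostnames/IPs worth matching on their own (DNS, proxy and netflow logs).
IOC_HOSTS = ({urlsplit(u).hostname for u in IOC_URLS}
             | {p.rsplit(":", 1)[0] for p in IOC_POOLS})


def sha256_file(path):
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(1 << 20), b""):
            h.update(chunk)
    return h.hexdigest()


def scan_tree(root, wanted=None):
    """Return {path: digest} for every file under root whose SHA-256 is in wanted."""
    wanted = set(IOC_SHA256.values()) if wanted is None else set(wanted)
    hits = {}
    for dirpath, _, names in os.walk(root):
        for name in names:
            path = os.path.join(dirpath, name)
            try:
                digest = sha256_file(path)
            except OSError:  # unreadable or vanished file; keep going
                continue
            if digest in wanted:
                hits[path] = digest
    return hits


def match_line(line):
    """Return sorted (kind, indicator) pairs found in one log or command line."""
    low, found = line.lower(), set()
    found.update(("url", u) for u in IOC_URLS if u in low)
    found.update(("pool", p) for p in IOC_POOLS if p in low)
    # Bounded so a host does not fire inside a longer label (e.g. 199.19.226.1170).
    for host in IOC_HOSTS:
        if re.search(r"(?<![\w.-])" + re.escape(host) + r"(?![\w-])", low):
            found.add(("host", host))
    if IOC_WALLET in line:  # wallet is case-sensitive base58: match the raw line
        found.add(("wallet", IOC_WALLET))
    return sorted(found)


def scan_lines(lines):
    """(line_no, kind, indicator) for every hit across an iterable of lines."""
    return [(n, k, i) for n, line in enumerate(lines, 1) for k, i in match_line(line)]


# Constructed sample data: a DNS query, an EDR process command line, two proxy entries.
SAMPLE_LOG = [
    "2021-07-01T10:00:01Z dns client=10.0.0.5 query=oracle.zzhreceive.top type=A",
    "cmdline=/tmp/xmrig -o gulf.moneroocean.stream:10001 -u " + IOC_WALLET + " -k",
    "GET http://199.19.226.117/b2f628/cronb.sh 200 3344",
    "GET https://example.org/index.html 200 512",
]


def selfcheck_hash_scan():
    """Prove the hashing path works by scanning a temp dir for a file we create."""
    with tempfile.TemporaryDirectory() as tmp:
        body = b"echo constructed-sample\n"
        with open(os.path.join(tmp, "sample.sh"), "wb") as f:
            f.write(body)
        hits = scan_tree(tmp, {hashlib.sha256(body).hexdigest()})
        return list(hits.values()) == [hashlib.sha256(body).hexdigest()]


if __name__ == "__main__":
    for hit in scan_lines(SAMPLE_LOG):
        print(hit)
    print("hash scan self-check:", selfcheck_hash_scan())
```

Run it against real data by piping DNS, proxy or process-creation logs into scan_lines() and pointing scan_tree() at /tmp, /var/tmp, /dev/shm and cron directories, which is where the named scripts would land; the hostname match is deliberately bounded so that the two bare IPs do not fire on longer addresses, while URL and pool matches are plain substring checks so that minor path or query-string variation still hits.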