Cyber Security News

Beware of New Cryptomining Malware Delivered Using TeamViewer Accounts

In May 2023, Huntress ThreatOps Center analysts detected a cryptocurrency miner (XMRig) on an endpoint, identified the miner’s associated site and wallet address by locating the config file, and validated the infection.

The analyst observed activity on numerous infected endpoints, including the one they investigated, by accessing the miner’s website.

Resource consumed

Suspicious Windows Service

The initial detection of the cryptocurrency miner occurred when a suspicious Windows service was found running on the endpoint, triggering an alert shortly after the miner was installed and the service was created to ensure its persistence.

The Huntress team examined EDR telemetry from the affected endpoint to discover abnormal activity before creating the Windows service. 

They then searched through available EDR telemetry across all Huntress customers to find other affected endpoints.

The team discovered one system where similar activity was noticed, but no associated detection or alert was detected. 

While the alerts were triggered four days later for the same Malware/Cryptocurrency Miner detection on additional endpoints from different customer organizations.

The TOC analyst informed the customer about the alerted detection while other Huntress team members investigated additional artifacts related to the incident and the absence of the same alert on the second endpoint.

Cryptocurrency Miner Installation

The Huntress team thoroughly investigated the incident to identify the initial access point for the cryptocurrency miner installation, aiming to uncover detection possibilities for earlier intervention in the infection process.

Using EDR telemetry, the team gathered data from endpoints and developed timelines to investigate the event sequence.

Combining EDR telemetry and endpoint log data offered unique visibility into the endpoint’s activity and its Windows Event Log files and TeamViewer access logs, revealing the effects of these activities.

EDR telemetry revealed extensive use of PowerShell scripts extracted from Event ID 600 records. 

Indicating the use of a clipboard for command transfer and subsequent launch of a batch file with a wallet address, followed by a series of PowerShell scripts in the Windows PowerShell.evtx Event Log file.

Powershell Scripts

Huntress reconstructed the sequence and timing of PowerShell commands executed via a downloaded batch file, validating the activity sequence across multiple endpoints using Event ID 600 records in the log file of Windows PowerShell.evtx.

Multiple RMM tools were detected on the identified endpoints, a common occurrence among Huntress customers. 

One endpoint had ScreenConnect and NinjaRMM installed, while the other had ScreenConnect, SplashTop, and RealVNC. 

However, TeamViewer was the most frequently found remote access tool across multiple endpoints, often installed for a significant duration.

The Huntress team notified affected customers about likely compromised TeamViewer credentials on their endpoints.

Huntress couldn’t determine the credential compromise, but one instance revealed suspicious access in the TeamViewer log file since February 1, 2022.

Common Security Challenges Facing CISOs? – Download Free CISO’s Guide

Guru Baran

Gurubaran is a co-founder of Cyber Security News and GBHackers On Security. He has 10+ years of experience as a Security Consultant, Editor, and Analyst in cybersecurity, technology, and communications.

Recent Posts

Google Claims That Only 1% of Installs From Chrome Store Has Malware

In 2024, Google reported that less than 1% of Chrome Web Store installations contained malware. …

10 hours ago

Levi’s Data Breach: 72,000+ Customers’ Data Exposed

Levi Strauss & Co., a renowned American clothing company, has disclosed a significant data breach…

11 hours ago

Chinese RedJuliett Exploiting Firewalls, VPNs, & Load Balancers

A suspected Chinese state-sponsored cyberespionage group, RedJuliett, targeted the Taiwanese government and academic, technological, and…

11 hours ago

25 Best Intrusion Detection & Prevention Systems (IDS &IPS) In 2024

An Intrusion Detection and Prevention System (IDPS) is a security solution designed to detect and…

12 hours ago

Apple Vision Pro Flaw Let Attackers Fill Your Room with Hundreds of Spiders

Cybersecurity experts have discovered a critical flaw in Apple's latest augmented reality (AR) headset, the…

13 hours ago

New Android Rafel RAT Takes Complete Control Of Your Android Device

Android has many features and access to apps but is prone to security risks due…

13 hours ago