NRS Miner Malware

Original Issue Date:- January 04, 2019
Virus Type:- Trojan
Severity:- Medium

There are reports of renewed NRS Miner activity. The malware propagates in two ways: first, through an update module that the attacker sends to victims already infected with NRS Miner, and second, by exploiting machines that are unpatched against MS17-010 on the intranet of a network in which a system is already infected.

  • If the victim is already infected with NRS Miner, the malware connects to the attacker-controlled C2 to download an updated module as a binary, which then runs and performs malicious activities such as deleting the older version, downloading a new miner, sending system and process information to the C2, checking for an updated module of the malware, and mining cryptocurrency.
  • If the attacker finds a vulnerable system, they install the DoublePulsar backdoor and the EternalBlue exploit on the victim machine. EternalBlue is used to discover more vulnerable systems in the network, and the backdoor is used to install the NRS Miner malware on the victim machine.
  • Throughout the attack, the attacker uses process injection: the malicious code runs inside a legitimate system process so that it remains undetected for a long time. The indicators of compromise (IOCs) for this attack are listed below for your action.


Indicators of Compromise:

C2 IPs/URLs

  • c[.]lombriz[.]tk
  • state[.]codidled[.]com
  • null[.]exhauest[.]com
  • take[.]exhauest[.]com
  • junk[.]soquare[.]com
  • loop[.]sawmilliner[.]com
  • fox[.]weilders[.]com
  • asthma[.]weilders[.]com
  • reader[.]pamphler[.]com
  • jump[.]taucepan[.]com
  • pluck[.]moisture[.]tk
  • handle[.]pamphler[.]com
  • 167[.]179.79.234
  • 104[.]248.72.247
  • 172[.]105.229.220
  • 207[.]148.110.212
  • 149[.]28.133.197
  • 167[.]99.172.78
  • 181[.]215.176.23
  • 38[.]132.111.23
  • 216[.]250.99.33
  • 103[.]103.128.151

Hashes

  • 32ffc268b7db4e43d661c8b8e14005b3d9abd306 - MarsTraceDiagnostics.xml
  • 07fab65174a54df87c4bc6090594d17be6609a5e - snmpstorsrv.dll
  • abd64831ad85345962d1e0525de75a12c91c9e55 - AppDiagnostics folder (zip)
  • 4971e6eb72c3738e19c6491a473b6c420dde2b57 - Wininit.exe
  • e43c51aea1fefb3a05e63ba6e452ef0249e71dd9 - tmpxx.exe
  • 327d908430f27515df96c3dcd180bda14ff47fda - tmpxx.exe
  • 37e51ac73b2205785c24045bc46b69f776586421 - WUDHostUpgradexx.exe
  • da673eda0757650fdd6ab35dbf9789ba8128f460 - WUDHostUpgradexx.exe
  • ace69a35fea67d32348fc07e491080fa635cc859 - WUDHostUpgradexx.exe
  • 890377356f1d41d2816372e094b4e4687659a96f - WUDHostUpgradexx.exe
  • 7f1f63feaf79c5f0a4caa5bbc1b9d76b8641181a - WUDHostUpgradexx.exe
  • 9d4d574a01aaab5688b3b9eb4f3df2bd98e9790c - WUDHostUpgradexx.exe
  • 9d7d20e834b2651036fb44774c5f645363d4e051 - x64.dll
  • 641603020238a059739ab4cd50199b76b70304e1 - x86.dll
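As an added example (not part of the original advisory), the Python script below turns the defanged C2 indicators and the SHA-1 hashes listed above into a lookup table and matches them against constructed DNS/proxy log lines and a constructed file inventory. The indicator values are the advisory's own; the function names, the log line format, the file paths and every digest other than the advisory's are assumptions made for illustration.

```python
"""Match the NRS Miner indicators listed in this advisory against sample data.

Added example, not part of the original advisory. The domains, IP addresses and
SHA-1 hashes below are the ones listed on the page; the log lines, file paths
and file inventory are constructed for illustration.
"""
import hashlib
import re

# Defanged C2 domains and IPs, copied as listed in the advisory.
DEFANGED_C2 = [
    "c[.]lombriz[.]tk", "state[.]codidled[.]com", "null[.]exhauest[.]com",
    "take[.]exhauest[.]com", "junk[.]soquare[.]com", "loop[.]sawmilliner[.]com",
    "fox[.]weilders[.]com", "asthma[.]weilders[.]com", "reader[.]pamphler[.]com",
    "jump[.]taucepan[.]com", "pluck[.]moisture[.]tk", "handle[.]pamphler[.]com",
    "167[.]179.79.234", "104[.]248.72.247", "172[.]105.229.220", "207[.]148.110.212",
    "149[.]28.133.197", "167[.]99.172.78", "181[.]215.176.23", "38[.]132.111.23",
    "216[.]250.99.33", "103[.]103.128.151",
]

# SHA-1 hashes from the advisory, mapped to the file name each was reported with.
IOC_SHA1 = {
    "32ffc268b7db4e43d661c8b8e14005b3d9abd306": "MarsTraceDiagnostics.xml",
    "07fab65174a54df87c4bc6090594d17be6609a5e": "snmpstorsrv.dll",
    "abd64831ad85345962d1e0525de75a12c91c9e55": "AppDiagnostics folder (zip)",
    "4971e6eb72c3738e19c6491a473b6c420dde2b57": "Wininit.exe",
    "e43c51aea1fefb3a05e63ba6e452ef0249e71dd9": "tmpxx.exe",
    "327d908430f27515df96c3dcd180bda14ff47fda": "tmpxx.exe",
    "37e51ac73b2205785c24045bc46b69f776586421": "WUDHostUpgradexx.exe",
    "da673eda0757650fdd6ab35dbf9789ba8128f460": "WUDHostUpgradexx.exe",
    "ace69a35fea67d32348fc07e491080fa635cc859": "WUDHostUpgradexx.exe",
    "890377356f1d41d2816372e094b4e4687659a96f": "WUDHostUpgradexx.exe",
    "7f1f63feaf79c5f0a4caa5bbc1b9d76b8641181a": "WUDHostUpgradexx.exe",
    "9d4d574a01aaab5688b3b9eb4f3df2bd98e9790c": "WUDHostUpgradexx.exe",
    "9d7d20e834b2651036fb44774c5f645363d4e051": "x64.dll",
    "641603020238a059739ab4cd50199b76b70304e1": "x86.dll",
}


def refang(indicator):
    """Turn a defanged indicator such as 'c[.]lombriz[.]tk' back into a matchable host."""
    return indicator.replace("[.]", ".").strip().lower()


C2_SET = {refang(i) for i in DEFANGED_C2}

# A host name or IPv4 address as it appears in a log field (letters, digits, dots, dashes).
TOKEN_RE = re.compile(r"[A-Za-z0-9][A-Za-z0-9.-]*")


def find_c2_hits(log_lines):
    """Return (line_no, indicator) for every log line that references a listed C2 host."""
    hits = []
    for line_no, line in enumerate(log_lines, start=1):
        for token in TOKEN_RE.findall(line):
            host = token.strip(".").lower()
            if host in C2_SET:
                hits.append((line_no, host))
    return hits


def sha1_hex(data):
    """Hex SHA-1 of a byte string; the advisory publishes SHA-1 hashes."""
    return hashlib.sha1(data).hexdigest()


def sha1_of_file(path):
    """Hex SHA-1 of a file on disk, read in chunks so large binaries are not loaded whole."""
    h = hashlib.sha1()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(1 << 20), b""):
            h.update(chunk)
    return h.hexdigest()


def find_hash_hits(inventory):
    """inventory: iterable of (path, sha1_hex). Return (path, digest, reported_name) matches."""
    hits = []
    for path, digest in inventory:
        digest = digest.strip().lower()
        if digest in IOC_SHA1:
            hits.append((path, digest, IOC_SHA1[digest]))
    return hits


# Constructed sample data: two log lines that reference listed C2 hosts, one benign
# line, and a file inventory in which only the first digest is an IOC (the paths are
# hypothetical; the all-zero digest is a placeholder, not a real hash).
SAMPLE_LOGS = [
    "2019-01-04T10:21:07Z dns client=10.0.0.15 qname=c.lombriz.tk type=A",
    "2019-01-04T10:21:09Z proxy client=10.0.0.15 dst=167.179.79.234:443 method=CONNECT",
    "2019-01-04T10:22:00Z dns client=10.0.0.22 qname=www.example.com type=A",
]
SAMPLE_INVENTORY = [
    (r"C:\hypothetical\snmpstorsrv.dll", "07FAB65174A54DF87C4BC6090594D17BE6609A5E"),
    (r"C:\hypothetical\benign.dll", "0000000000000000000000000000000000000000"),
]

if __name__ == "__main__":
    for line_no, host in find_c2_hits(SAMPLE_LOGS):
        print(f"C2 contact in log line {line_no}: {host}")
    for path, digest, name in find_hash_hits(SAMPLE_INVENTORY):
        print(f"IOC hash match: {path} ({digest}) reported as {name}")
```

Matching is done on whole host tokens rather than substrings so that a benign domain which merely contains an indicator as a suffix does not fire, and both digests and indicators are lower-cased before comparison because tools report SHA-1 values in either case. To scan real hosts, feed `find_hash_hits` the output of `sha1_of_file` over the paths of interest.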

Best Practices and Recommendations:

References: