MikroTik mayhem - Cryptomining campaign abusing routers
WHITE AlienVault 2018-11-19 Modified: 2018-11-19
MEDIUM VOLUME
Since MikroTik issued a patch in April for the later disclosed CVE-2018-14847, also known as the WinBox vulnerability, hackers have been quick to exploit it to execute attacks ranging from cryptomining to eavesdropping. From September 19th to October 15th, Avast blocked malicious cryptomining URLs related to infected networks with MikroTik gateways over 22.4M times, blocking them for more than 362,616 users on 292,456 networks in the Avast network alone.
Indicators of Compromise (24)