Jump to content


 


Register a free account to unlock additional features at BleepingComputer.com
Welcome to BleepingComputer, a free community where people like yourself come together to discuss and learn how to use their computers. Using the site is easy and fun. As a guest, you can browse and view the various discussions in the forums, but can not create a new topic or reply to an existing one unless you are logged in. Other benefits of registering an account are subscribing to topics and forums, creating a blog, and having no ads shown anywhere on the site.


Click here to Register a free account now! or read our Welcome Guide to learn how to use this site.

Photo

Malwarebyte detected Trojan.BitCoinMiner. Malware appear again after removal


  • This topic is locked This topic is locked
13 replies to this topic

#1 hostetsg

hostetsg

  • Members
  • 7 posts
  • OFFLINE
  •  
  • Local time:04:21 PM

Posted 25 January 2018 - 08:12 AM

Hi,

 

I have recently installed Malwarebytes Enterprise Edition to my server running Windows Server 2012 R2.  It has detected and quarantine the following malware

 

1. PUP.Optional.RAAmmyy

2. RiskWare.BitCoinMiner

3. Trojan.BitCoinMiner

 

 

However after 1 week or 2 weeks later. the malware appear to be active again and is once again being detected by malwarebytes.  The malware beside slow down my server, it is causing problem to my Task manager.  Selecting the Task manager from the menus of Ctrl + Alt + Del no longer bring up the Task manager window.  I tried to run "taskmgr" In command prompt as well as physically going into windows\system32 to click on taskmgr.exe does not start the Task manager as well.  I have checked the taskbar and Task manager is not running in the background.  I have enclosed the FRST log and Malwarebyte log.  Thank you and please advise.

Attached Files


Edited by hostetsg, 26 January 2018 - 02:18 AM.


BC AdBot (Login to Remove)

 


#2 Aura

Aura

    Bleepin' Special Ops


  • Malware Response Team
  • 19,697 posts
  • OFFLINE
  •  
  • Gender:Male
  • Local time:03:21 AM

Posted 25 January 2018 - 09:05 AM

Hi hostetsg :)

My name is Aura and I'll be assisting you with your malware issue. Since we'll be working together, you can call me Aura or Yoan, which is my real name, it's up to you! Now that we've broke the ice, I'll just ask you a few things during the time we'll be working together to clean your system and get it back to an operational state.
  • As you'll notice, the logs we are asking for here are quite lenghty, so it's normal for me to not reply exactly after you post them. This is because I need some time to analyse them and then act accordingly. However, I'll always reply within 24 hours, 48 hours at most if something unexpected happens
  • As long as I'm assisting you on BleepingComputer, in this thread, I'll ask you to not seek assistance anywhere else for any issue related to the system we are working on. If you have an issue, question, etc. about your computer, please ask it in this thread and I'll assist you
  • The same principle applies to any modifications you make to your system, I would like you to ask me before you do any manipulations that aren't in the instructions I posted. This is to ensure that we are operating in sync and I know exactly what's happening on your system
  • If you aren't sure about an instruction I'm giving you, ask me about it. This is to ensure that the clean-up process goes without any issue. I'll answer you and even give you more precise instructions/explanations if you need. There's no shame in asking questions here, better be safe than sorry!
  • If you don't reply to your thread within 3 days, I'll bump this thread to let you know that I'm waiting for you. If you don't reply after 5 days, it'll be closed. If you return after that period, you can send me a PM to get it unlocked and we'll continue where we left off
  • Since malware can work quickly, we want to get rid of them as fast as we can, before they make unknown changes to the system. This being said, I would appreciate if you could reply to this thread within 24 hours of me posting. This way, we'll have a good clean-up rhythm and the chances of complications will be reduced
  • I'm against any form of pirated, illegal and counterfeit software and material. So if you have any installed on your system, I'll ask you to uninstall them right now. You don't have to tell me if you indeed had some or not, I'll give you the benefit of the doubt. Plus, this would be against BleepingComputer's rules
  • In the end, you are the one asking for assistance here. So if you wish to go a different way during the clean-up, like format and reinstall Windows, you are free to do so. I would appreciate you to let me know about it first, and if you need, I can also assist you in the process
  • I would appreciate if you were to stay with me until the end, which means, until I declare your system clean. Just because your system isn't behaving weirdly anymore, or is running better than before, it doesn't mean that the infection is completely gone
    This being said, I have a full time job so sometimes it'll take longer for me to reply to you. Don't worry, you'll be my first priority as soon as I get home and have time to look at your thread
This being said, it's time to clean-up some malware, so let's get started, shall we? :)

Can you attach the Malwarebytes log showing what was detected and deleted, so I can review it?

animinionsmalltext.gif
unite_blue.png
Security Administrator | Sysnative Windows Update Senior Analyst | Malware Hunter | @SecurityAura
My timezone UTC-05:00 (East. Coast). If I didn't reply to you within 48 hours, please send me a PM.


#3 hostetsg

hostetsg
  • Topic Starter

  • Members
  • 7 posts
  • OFFLINE
  •  
  • Local time:04:21 PM

Posted 25 January 2018 - 08:20 PM

Hi Aura,

 

I am more than happy to have your assistance in getting the Trojan off.  You can find enclosed the log file requested.  Thank you and please advise,

 

 

Attached Files


Edited by hostetsg, 26 January 2018 - 02:20 AM.


#4 hostetsg

hostetsg
  • Topic Starter

  • Members
  • 7 posts
  • OFFLINE
  •  
  • Local time:04:21 PM

Posted 26 January 2018 - 02:24 AM

Hi Aura,
 
Kindly ignore the files uploaded earlier as they are from Server 2 that is too being infected.  I have 2 servers in place.  Server 1 and Server 2.  Server 2 was new and apparent gotta infected by Server 1.   You can find enclosed the log file for the Server 1 where the source of trojan originated from.  Thank you and sorry for the error.  

Attached Files


Edited by hostetsg, 26 January 2018 - 04:04 AM.


#5 Aura

Aura

    Bleepin' Special Ops


  • Malware Response Team
  • 19,697 posts
  • OFFLINE
  •  
  • Gender:Male
  • Local time:03:21 AM

Posted 26 January 2018 - 08:32 AM

Alright, follow the instructions below. After running the fix, a file called date-time.zip should be on your desktop. Attach it in your next reply.

iO3R662.pngFarbar Recovery Scan Tool (FRST) - Fix mode
Follow the instructions below to execute a fix on your system using FRST, and provide the log in your next reply.
  • Download the attached fixlist.txt file, and save it on your Desktop (or wherever your FRST.exe/FRST64.exe executable is located)
  • Right-click on the FRST executable and select Spcusrh.pngRun as Administrator (for Windows Vista, 7, 8, 8.1 and 10 users)
  • Click on the Fix button
    NYA5Cbr.png
  • On completion, a message will come up saying that the fix has been completed and it'll open a log in Notepad
  • Copy and paste its content in your next reply

Attached Files


animinionsmalltext.gif
unite_blue.png
Security Administrator | Sysnative Windows Update Senior Analyst | Malware Hunter | @SecurityAura
My timezone UTC-05:00 (East. Coast). If I didn't reply to you within 48 hours, please send me a PM.


#6 hostetsg

hostetsg
  • Topic Starter

  • Members
  • 7 posts
  • OFFLINE
  •  
  • Local time:04:21 PM

Posted 26 January 2018 - 01:57 PM

Hi Aura,

 

As the file is too huge to be uploaded to the forum, I have it upload to box.com.  Here is the link to the zip file.  Thank you.


Edited by hostetsg, 26 January 2018 - 10:22 PM.


#7 Aura

Aura

    Bleepin' Special Ops


  • Malware Response Team
  • 19,697 posts
  • OFFLINE
  •  
  • Gender:Male
  • Local time:03:21 AM

Posted 26 January 2018 - 01:59 PM

Alright thanks. Can you also attach the fixlog.txt that should be on your desktop?

animinionsmalltext.gif
unite_blue.png
Security Administrator | Sysnative Windows Update Senior Analyst | Malware Hunter | @SecurityAura
My timezone UTC-05:00 (East. Coast). If I didn't reply to you within 48 hours, please send me a PM.


#8 hostetsg

hostetsg
  • Topic Starter

  • Members
  • 7 posts
  • OFFLINE
  •  
  • Local time:04:21 PM

Posted 26 January 2018 - 02:13 PM

Hi Aura,

 

Sorry for missing out the fixlog.  Here you are 

Attached Files



#9 Aura

Aura

    Bleepin' Special Ops


  • Malware Response Team
  • 19,697 posts
  • OFFLINE
  •  
  • Gender:Male
  • Local time:03:21 AM

Posted 26 January 2018 - 07:02 PM

These servers are beyond saving. They need to be nuked and rebuilt from scratch. Not only were they infected with a backdoor (Ammyy Admin), mimikatz was also dropped and ran on the servers. At this point, you can consider your whole network compromised sadly (depending on how it is set up).

https://www.offensive-security.com/metasploit-unleashed/mimikatz/

I suggest that you take down that Box link as soon as you can, since it contains personal information from your server.

animinionsmalltext.gif
unite_blue.png
Security Administrator | Sysnative Windows Update Senior Analyst | Malware Hunter | @SecurityAura
My timezone UTC-05:00 (East. Coast). If I didn't reply to you within 48 hours, please send me a PM.


#10 hostetsg

hostetsg
  • Topic Starter

  • Members
  • 7 posts
  • OFFLINE
  •  
  • Local time:04:21 PM

Posted 26 January 2018 - 10:21 PM

Hi Aura,

 

I've taken down the file upon your advise.  Thank you.  Base on your experience, how did the server gotta compromised ?  Was it infected via installation or is it being hack?   What can be done to prevent the occurrence of similar attack?   Once again, Thank you and please advise.


Edited by hostetsg, 26 January 2018 - 10:27 PM.


#11 Aura

Aura

    Bleepin' Special Ops


  • Malware Response Team
  • 19,697 posts
  • OFFLINE
  •  
  • Gender:Male
  • Local time:03:21 AM

Posted 27 January 2018 - 10:34 AM

From my experience, that hack was done manually and what the hackers did was probably bruteforce your RDP connection as it had weak and/or default credentials. You shouldn't allow your servers to receive RDP connections from over the Internet, only over your network (locally), and also, you should have a strong username/password for it.

If RDP wasn't enabled on your servers, it's possible that they were missing updates for security flaws that were exploited by the hackers, and that's how they got in. Always patching your servers is another important thing to do to keep them secure.

animinionsmalltext.gif
unite_blue.png
Security Administrator | Sysnative Windows Update Senior Analyst | Malware Hunter | @SecurityAura
My timezone UTC-05:00 (East. Coast). If I didn't reply to you within 48 hours, please send me a PM.


#12 hostetsg

hostetsg
  • Topic Starter

  • Members
  • 7 posts
  • OFFLINE
  •  
  • Local time:04:21 PM

Posted 27 January 2018 - 03:03 PM

Hi Aura,

 

Thank you for your advise.  I'm sincerely appreciate your time in looking into the issue.  Once again thank you and wish you a great weekend..  



#13 Aura

Aura

    Bleepin' Special Ops


  • Malware Response Team
  • 19,697 posts
  • OFFLINE
  •  
  • Gender:Male
  • Local time:03:21 AM

Posted 27 January 2018 - 03:05 PM

No problem hostetsg, you're welcome!

You can take this as a good occasion to learn about server hardening as well. There's lots of tutorials on the subject on Google :)

Good luck!

animinionsmalltext.gif
unite_blue.png
Security Administrator | Sysnative Windows Update Senior Analyst | Malware Hunter | @SecurityAura
My timezone UTC-05:00 (East. Coast). If I didn't reply to you within 48 hours, please send me a PM.


#14 Aura

Aura

    Bleepin' Special Ops


  • Malware Response Team
  • 19,697 posts
  • OFFLINE
  •  
  • Gender:Male
  • Local time:03:21 AM

Posted 27 January 2018 - 03:06 PM

It appears that this issue is resolved, therefore I am closing the topic. If that is not the case and you need or wish to continue with this topic, please send me or any Moderator a Personal Message (PM) that you would like this topic re-opened.

animinionsmalltext.gif
unite_blue.png
Security Administrator | Sysnative Windows Update Senior Analyst | Malware Hunter | @SecurityAura
My timezone UTC-05:00 (East. Coast). If I didn't reply to you within 48 hours, please send me a PM.





0 user(s) are reading this topic

0 members, 0 guests, 0 anonymous users