""ET CURRENT_EVENTS CoinMiner Malicious Authline Seen After CVE-2017-10271 Exploit""

SID: 2025186

Revision: 1

Class Type: trojan-activity

Metadata: attack_target Client_Endpoint, created_at 2018_01_04, cve CVE_2017_10271, deployment Perimeter, deployment Datacenter, malware_family CoinMiner, signature_severity Major, tag Coinminer, updated_at 2018_01_04, mitre_tactic_id TA0040, mitre_tactic_name Impact, mitre_technique_id T1496, mitre_technique_name Resource_Hijacking

Reference:

Protocol: tcp

Source Network: $HOME_NET

Source Port: any

Destination Network: $EXTERNAL_NET

Destination Port: any

Flow: established,to_server

Contents:

  • Value: "{|22|id|22 3A|" Depth: 6

  • Value: "|22|method|22 3a 20 22|mining.authorize|22 2c|"

  • Value: "|22|params|22|"

  • Value: "|5b 22|4AQe5sAFWZKECiaeNTt59LG7kVtqRoSRJMjrmQ6GiMFAeUvoL3MFeTE6zwwHkFPrAyNw2JHDxUSWL82RiZThPpk4SEg7Vqe|22 2c 20 22|"

Within: 50

PCRE:

Special Options:

source