Node poisoning: hijacked package delivers coin miner and credential-stealing backdoor
Common Information
Type                             Value
UUID                             faa7d16e-ab83-4e4d-aba2-ca7ad9317444
Fingerprint                      a5a5181b0d37aecb
Analysis status                  DONE
Considered CTI value             0
Text language
Published                        Oct. 24, 2021, midnight
Added to db                      Sept. 26, 2022, 9:33 a.m.
Last updated                     Nov. 17, 2024, 10:40 p.m.
Headline                         Node poisoning: hijacked package delivers coin miner and credential-stealing backdoor
Title                            Node poisoning: hijacked package delivers coin miner and credential-stealing backdoor
Detected Hints/Tags/Attributes   66/2/19
Attributes
Type     Value                                                #Events   CTI Value
Domain   preinstall.sh                                        3
Domain   freegeoip.app                                        11
Domain   pool.minexmr.com                                     21
Domain   citationsherbe.at                                    3
File     node.js                                              674
File     uaparser.js                                          9
File     preinstall.js                                        12
File     preinstall.bat                                       4
File     cmd.exe                                              2126
File     jsextension.exe                                      4
File     certutil.exe                                         226
File     regsvr32.exe                                         459
File     create.dll                                           3
File     sdd.dll                                              8
IPv4     159.148.186.228                                      3
Url      http://159.148.186.228/download/jsextension          1
Url      https://freegeoip.app/xml                            1
Url      http://159.148.186.228/download/jsextension.exe      1
Url      https://citationsherbe.at/sdd.dll                    2