A Monero miner malware is leveraging the remote-administration tool RADMIN and the credential-dumping tool MIMIKATZ to propagate, exploiting critical vulnerabilities to spread in a worm-like fashion and covertly target specific systems across industries in China, Taiwan, Italy, and Hong Kong.
Researchers observed an uptick in activity between the last week of January and February 2019, a period that coincided with regional holiday celebrations and events; attacks did not decrease after the Lunar New Year holidays, according to a Feb. 20 Trend Micro blog post.
MIMIKATZ has been used alongside other hacking tools and cryptominers, while RADMIN tools are used to gain administrative rights and deliver other malware onto targeted systems.
“This combination of RADMIN and MIMIKATZ becomes a concern for data exfiltration of enterprise assets and information because of the randomly named and seemingly valid Windows functions that may go undetected,” researchers said. “Also, we found it interesting that the sample itself does not download the coinminer.”
Researchers said the technique displays some level of sophistication, and advised users to regularly download and apply patches from legitimate vendors as soon as they are released.