Description of Campaign
Threat actors were seen targeting VMWare infrastructure to deploy XMRig miner and a commodity rootkit. Using malicious shell scripts, the threat actors ran the malicious code to obtain additional malicious files, modify security settings, and create startup processes, which allowed them to take advantage of the processing power of the VMWare infrastructure.

Our ATR Team gathers and analyzes information from multiple open and closed sources before disseminating intelligence reports. This campaign was researched by Uptycs Threat Research and shared publicly.

How to use this article:

1. If a Threat Hunting table has been created, use the rules contained to search for malware related to this campaign. 
2. Review the product detection table and confirm that your environment is at least on the specified content version.
   To download the latest content versions, go to the Security Updates page.
3. Scroll down and review the "Product Countermeasures" section of this article. Consider implementing them if they are not already in place.
4. Review KB91836 - Countermeasures for entry vector threats.
5. Review KB87843 - Dynamic Application Containment rules and best practices.
6. Review KB82925 - Identify what rule corresponds to an Adaptive Threat Protection and Threat Intelligence Exchange event.

This Knowledge Base article discusses a specific threat that's being tracked. The list of IOCs will change over time; check MVISION Insights for the latest IOCs.
 
Campaign IOC 

Type	Value
SHA256	ACBB4F3F9A13845DE0C1C23F06DCB554817E610318E57718E63CE6A57AF4911C
SHA256	791CE0A733CCF19DDCCDA8FA4C748D804460C5F5C61D8A3CDC41A0620F469991
SHA256	44CB9C1E139A06A86442C92B596A653659132FBC92986A2F5338630C90200AF1
SHA256	B46764C046E0DB26E6F43F46364AC0ACAD173541E7134611CB64E091DB7B7CED
IP-DST	93.95.227.64
HOSTNAME	gulf.moneroocean.stream

Minimum Content Versions

Content Type	Version
V2 DAT (VirusScan Enterprise)	10239
V3 DAT (Endpoint Security)	4691

  
Detection Summary

IOC	Scanner	Detection
ACBB4F3F9A13845DE0C1C23F06DCB554817E610318E57718E63CE6A57AF4911C	AVEngine V2	PUP-XNT-TG
	AVEngine V3	PUP-XNT-TG
	JTI (ATP Rules)	-
	RP Static	-
	RP Dynamic	-

 

IOC	Scanner	Detection
791CE0A733CCF19DDCCDA8FA4C748D804460C5F5C61D8A3CDC41A0620F469991	AVEngine V2	GenericRXRJ-XL!B1BB432ADD36
	AVEngine V3	GenericRXRJ-XL!B1BB432ADD36
	JTI (ATP Rules)	-
	RP Static	-
	RP Dynamic	-

 

IOC	Scanner	Detection
44CB9C1E139A06A86442C92B596A653659132FBC92986A2F5338630C90200AF1	AVEngine V2	Coinminer.au
	AVEngine V3	Coinminer.au
	JTI (ATP Rules)	-
	RP Static	-
	RP Dynamic	-

 

IOC	Scanner	Detection
B46764C046E0DB26E6F43F46364AC0ACAD173541E7134611CB64E091DB7B7CED	AVEngine V2	LINUX/Coinminer.aw
	AVEngine V3	LINUX/Coinminer.aw
	JTI (ATP Rules)	-
	RP Static	-
	RP Dynamic	-

Aggressive set of Manual Rules to improve protection to block this campaign:

IMPORTANT: Always follow best practices when you enable new rules and signatures.

When you implement new rules or signatures, always set them to Report mode first and check the alerts generated. Resolve any issues that arise and then set the rules to Block. This step mitigates against triggering false positives and allows you to refine your configuration.

For more information, see KB87843 - List of and best practices for Endpoint Security Dynamic Application Containment rules.

VirusScan Enterprise - Access Protection Rules:
Host Intrusion Prevention: