FBI and CISA had released a joint advisory stating that Federal Civilian Executive Branch (FCEB) organization was compromised by Iranian linked APT group using well-known log4shell vulnerability and installed the cryptomining malware.

The government has conducted the investigation and identified that the attackers installed XMRig crypto miner and conducted lateral movement across the network. On further investigation agencies identified that the attackers have reached domain controllers , Compromised multiple credentials and installed NGROK tool on multiple compromised machines to maintain persistence on machine.

“CISA obtained four malicious files for analysis during an on-site incident response engagement at a Federal Civilian Executive Branch
(FCEB) organization compromised by Iranian government sponsored advanced persistent threat (APT) actors.


“These files have been identified as variants of the XMRIG cryptocurrency mining software. The files include a kernel driver, two Windows
executables, and a configuration file to control one of the executable’s behavior on the network and infected host.
” reads the malware analysis report

The agencies had released the set of best practices to be followed:

*Maintain up-to-date antivirus signatures and engines.

*Keep operating system patches up-to-date.


*Disable File and Printer sharing services. If these services are required, use strong passwords or Active Directory authentication.


*Restrict users’ ability (permissions) to install and run unwanted software applications. Do not add users to the local administrators group unless required.


*Enforce a strong password policy and implement regular password changes.


*Exercise caution when opening e-mail attachments even if the attachment is expected and the sender appears to be known.


*Enable a personal firewall on agency workstations, configured to deny unsolicited connection requests.

*Disable unnecessary services on agency workstations and servers.

*Scan for and remove suspicious e-mail attachments; ensure the scanned attachment is its “true file type” (i.e., the extension matches the file header).


*Monitor users’ web browsing habits; restrict access to sites with unfavorable content.


*Exercise caution when using removable media (e.g., USB thumb drives, external drives, CDs, etc.).


*Scan all software downloaded from the Internet prior to executing.


*Maintain situational awareness of the latest threats and implement appropriate Access Control Lists (ACLs).

Indicator of Compromise:

11bd2c9f9e2397c9a16e0990e4ed2cf0679498fe0fd418a3dfdac60b5c160ee5 (WinRing0x64.sys)


2ffe6509d965413d20ae859a4b4878246119159c368c945a7b466435b4e6e6df (RuntimeBroker.exe)


673ebada19e044b1ddb88155ad99188ba403cbb413868877b3ce0af11617bcfb (wuaucltservice.exe)


b511c0f45d2a1def0985fa631d1a6df5f754bc7c5f53105cc97c247b97ff0f56 (config.json)

–-For more Cyber security news in crisp content . Please follow our site via twitter handle @cyberworkx1, Linkedin handle @linkedin

Leave a Reply

Please log in using one of these methods to post your comment:

WordPress.com Logo

You are commenting using your WordPress.com account. Log Out /  Change )

Twitter picture

You are commenting using your Twitter account. Log Out /  Change )

Facebook photo

You are commenting using your Facebook account. Log Out /  Change )

Connecting to %s