This analysis explores the use of Binary Managed Object Files (BMOFs) in distributing XMRig CoinMiner. BMOFs, compiled versions of Managed Object Files, are not inherently malicious but can be exploited due to their ability to execute scripts. The report details how threat actors utilize BMOFs with Permanent Event Subscription for malware persistence. It describes an attack case attributed to BondNet, where malicious BMOFs are created and executed through mofcomp.exe after compromising SQL servers. The process involves deleting the hosts file, creating guest accounts, downloading VBE files, configuring RDP connections, and executing XMRig CoinMiner. The malware is detectable by AhnLab MDS under specific signatures in sandbox environments. Author: AlienVault
Related Tags:
bmof
W32.Stuxnet
Stuxnet – S0603
XMRig CoinMiner
T1059.005
T1059.007
T1070.004
XMRig
T1547.001
Associated Indicators:
914857733785F39647F6081C3C5D2048
2407C4EF1588FA67DD5BD7C64F419ABD