Below is another use case involving the same company, EvilCorp, this time related to the dangers of browsing the Internet without sufficient protection: even when browsing cautiously, risky situations can arise.
Returning to the user in the financial department and the Desktop136 computer: despite having both Windows 10 and the corporate antivirus (AV) up to date, the user browses websites that may be compromised. One of them uses a JavaScript miner (CoinHive) to consume CPU resources mining cryptocurrency. At first this is transparent to the user, although later in this case the user will complain about how slow the machine is. Normally closing the affected website is enough to stop the mining, but there are cases where it persists after the tab is closed; for those, there are browser add-ons that block most of these attacks.
Viewing in redBorder Platform
It is identified in the Intrusion module by the following signatures:
- PUA-OTHER Authedmine TLS client hello attempt
- PUA-OTHER Authedmine TLS server hello attempt
- PUA-OTHER Coinhive TLS client hello attempt
As in the previous case, we can see which Snort rules were triggered by switching to RAW mode, right-clicking each rule and then clicking the information button that appears, to view the event and the captured traffic.