Adversaries may deploy a Monero miner installer that connects to a North Korean (NK) domain to exfiltrate data or maintain persistence. SOC teams should proactively hunt for this behavior in Azure Sentinel to identify possible cryptocurrency-mining operations and mitigate the associated risk.
YARA Rule
rule nkminer_monero {
    meta:
        description = "Detects installer of Monero miner that points to a NK domain"
        author = "[email protected]"
        reference = "https://www.alienvault.com/blogs/labs-research/a-north-korean-monero-cryptocurrency-miner"
        tlp = "white"
        license = "MIT License"
    strings:
        $a = "82e999fb-a6e0-4094-aa1f-1a306069d1a5" nocase wide ascii
        $b = "4JUdGzvrMFDWrUUwY3toJATSeNwjn54LkCnKBPRzDuhzi5vSepHfUckJNxRL2gjkNrSqtCoRUrEDAgRwsQvVCjZbRy5YeFCqgoUMnzumvS" nocase wide ascii
        $c = "barjuok.ryongnamsan.edu.kp" nocase wide ascii
        $d = "C:\\SoftwaresInstall\\soft" nocase wide ascii
        $e = "C:\\Windows\\Sys64\\intelservice.exe" nocase wide ascii
        $f = "C:\\Windows\\Sys64\\updater.exe" nocase wide ascii
        $g = "C:\\Users\\Jawhar\\documents\\" nocase wide ascii
    condition:
        any of them
}
This rule contains 7 string patterns in its detection logic (a GUID, a Monero wallet address, the NK domain and four file paths), each matched case-insensitively in both ASCII and UTF-16 (wide) form; the rule fires as soon as any one of them is found. It can be deployed in the following contexts, each with a suggested filter/exclusion for tuning:
Scenario: A system administrator is manually installing a legitimate software package that depends on an NK domain for licensing or telemetry.
Filter/Exclusion: Exclude processes initiated by known admin accounts (e.g., Administrator, SysAdmin) or running from a trusted software directory (e.g., C:\Program Files\).
Scenario: A scheduled job is configured to download and install a legitimate update or patch from an NK domain as part of a patch management process.
Filter/Exclusion: Exclude processes associated with known patch management tools (e.g., Microsoft Update, WSUS, Altiris) or running at scheduled times (e.g., Task Scheduler jobs during off-hours).
Scenario: A developer is using a legitimate code signing tool that communicates with an NK domain for certificate validation or key exchange.
Filter/Exclusion: Exclude processes related to code signing tools (e.g., SignTool, signtool.exe) or running from a trusted development directory (e.g., C:\DevTools\).
Scenario: A system is running a legitimate remote management tool that connects to an NK domain for secure communication or remote access.
Filter/Exclusion: Exclude processes associated with known remote management tools (e.g., Remote Desktop, TeamViewer, AnyDesk) or using secure protocols (e.g., TLS, SSH).
Scenario: A user is downloading a legitimate open-source tool that uses an NK domain for its backend services (e.g., API calls, authentication).
Filter/Exclusion: Exclude processes initiated by user accounts with standard privileges or downloads from known safe repositories (e.g., GitHub, GitLab, SourceForge).
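The following Python script is an added example, not part of the original page or of the AlienVault research it references. It reproduces the `nocase wide ascii` string semantics of the rule above (a real deployment would use yara or yara-python; this emulation only exists so the rule's behaviour can be studied without a YARA install) and then applies the trusted-directory exclusion idea from the scenarios to the resulting hits. The `TRUSTED_DIRS` tuple, the `HIGH_CONFIDENCE` set, the `triage` function and the `SAMPLE_INSTALLER` blob are all assumptions constructed for this example.

```python
"""Emulate the nkminer_monero rule's string matching and a trusted-directory exclusion.

Added example, not the page's own code. Real deployments should use yara / yara-python;
this only mirrors the ascii|wide|nocase string semantics of the rule.
"""
from __future__ import annotations

# The seven strings of the nkminer_monero rule, keyed by their YARA identifiers.
RULE_STRINGS: dict[str, str] = {
    "$a": "82e999fb-a6e0-4094-aa1f-1a306069d1a5",
    "$b": "4JUdGzvrMFDWrUUwY3toJATSeNwjn54LkCnKBPRzDuhzi5vSepHfUckJNxRL2gjkNrSqtCoRUrEDAgRwsQvVCjZbRy5YeFCqgoUMnzumvS",
    "$c": "barjuok.ryongnamsan.edu.kp",
    "$d": "C:\\SoftwaresInstall\\soft",
    "$e": "C:\\Windows\\Sys64\\intelservice.exe",
    "$f": "C:\\Windows\\Sys64\\updater.exe",
    "$g": "C:\\Users\\Jawhar\\documents\\",
}

# Assumption for this example: directory prefixes the page's filters treat as trusted.
TRUSTED_DIRS = ("C:\\Program Files\\", "C:\\DevTools\\")
# Design choice for this example: the wallet and the NK domain are specific enough
# to this campaign that a path-based exclusion should never suppress them.
HIGH_CONFIDENCE = {"$b", "$c"}


def find_matches(data: bytes) -> dict[str, list[tuple[str, int]]]:
    """Return {identifier: [(encoding, offset), ...]} for every rule string in data.

    'ascii' is the plain byte form, 'wide' the UTF-16LE form (YARA's `wide`).
    `nocase` is emulated by ASCII-lowercasing both needle and haystack, which
    leaves the NUL bytes of the wide form untouched.
    """
    hay = data.lower()
    hits: dict[str, list[tuple[str, int]]] = {}
    for ident, text in RULE_STRINGS.items():
        for encoding, needle in (("ascii", text.encode("ascii")),
                                 ("wide", text.encode("utf-16-le"))):
            needle = needle.lower()
            off = hay.find(needle)
            while off != -1:
                hits.setdefault(ident, []).append((encoding, off))
                off = hay.find(needle, off + 1)
    return hits


def rule_matches(data: bytes) -> bool:
    """The rule's condition is `any of them`: one hit is enough."""
    return bool(find_matches(data))


def triage(path: str, data: bytes, trusted_dirs=TRUSTED_DIRS) -> tuple[str, dict]:
    """Apply the trusted-directory exclusion to a scanned file at `path`.

    Returns one of "no_match", "excluded_trusted_dir" or "alert", plus the hits.
    """
    hits = find_matches(data)
    if not hits:
        return "no_match", hits
    in_trusted = any(path.lower().startswith(d.lower()) for d in trusted_dirs)
    if in_trusted and not HIGH_CONFIDENCE.intersection(hits):
        return "excluded_trusted_dir", hits
    return "alert", hits


# Constructed sample: a fake blob (not a real PE) carrying one drop path in
# UTF-16LE and the domain in upper case, to exercise `wide` and `nocase`.
SAMPLE_INSTALLER = (
    b"MZ\x90\x00" + b"\x00" * 8
    + "C:\\Windows\\Sys64\\updater.exe".encode("utf-16-le")
    + b"\x00\x00"
    + b"BARJUOK.RYONGNAMSAN.EDU.KP"
)
BENIGN_BLOB = b"MZ\x90\x00" + b"nothing interesting here"

if __name__ == "__main__":
    for label, blob in (("sample", SAMPLE_INSTALLER), ("benign", BENIGN_BLOB)):
        print(label, rule_matches(blob), find_matches(blob))
    print(triage("C:\\Users\\alice\\Downloads\\setup.exe", SAMPLE_INSTALLER)[0])
```

Running the script reports the `$f` hit as a wide match at offset 12 and the `$c` hit as an ASCII match at offset 70 despite the upper-case spelling, which is exactly what the `wide` and `nocase` modifiers buy the rule. The `triage` step shows why a blanket path exclusion is risky: a file under C:\Program Files\ that only references one of the generic paths is suppressed, but one carrying the wallet or the NK domain still alerts.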