The comeback of DTLMiner
Summary
- DTLMiner makes a comeback and adds exploitation of the CVE-2024-23692 vulnerability. DTLMiner replaces its primary domain with d.0000o[.]xyz and uses t.0000o[.]xyz as the domain for downloading scripts and other components. DTLMiner now has fewer modules on both the Windows and Linux platforms and obfuscates its scripts at most once.
- The DTLMiner lateral movement module drops the Elastic Search, Solr and Docker propagation methods; the actual code of the SSH Brute Force Module has also been removed, leaving only the commands that are executed after a successful exploit. DTLMiner again introduces a backdoor module, but, like the mining module, it is an executable file, not a fileless module.
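The two domains named in the summary are the most directly actionable indicators for defenders. The following is an added example (not code from the original post or from the DTLMiner authors) that turns the defanged domains exactly as written above into a matcher and runs it over constructed DNS and proxy log lines; the log format and the sample lines are assumptions made for the example, not real telemetry.

```python
import re
from typing import Dict, List

# Indicators taken from the write-up above, defanged as they appear there.
DTLMINER_DOMAINS_DEFANGED = ["d.0000o[.]xyz", "t.0000o[.]xyz"]


def refang(domain: str) -> str:
    """Turn a defanged indicator such as 'd.0000o[.]xyz' into 'd.0000o.xyz'."""
    return domain.replace("[.]", ".").replace("(.)", ".").lower()


def build_matcher(domains: List[str]) -> re.Pattern:
    """Compile a regex that matches each indicator as a whole host name or as
    any subdomain of it. Dots are escaped so '0000o.xyz' cannot match
    '0000oXxyz', and the look-arounds stop partial matches inside longer labels."""
    alternatives = "|".join(re.escape(refang(d)) for d in domains)
    return re.compile(
        r"(?<![\w.-])(?:[\w-]+\.)*(?:" + alternatives + r")(?![\w-])",
        re.IGNORECASE,
    )


# Constructed sample log lines (assumed format, not from the post):
# a resolver log and a proxy log, with two hits and one benign entry.
SAMPLE_LOGS = [
    "2024-06-20T10:01:02Z dns client=10.0.0.5 query=A name=d.0000o.xyz",
    "2024-06-20T10:01:03Z proxy src=10.0.0.5 url=http://t.0000o.xyz/ld.sh status=200",
    "2024-06-20T10:01:04Z dns client=10.0.0.7 query=A name=updates.example.com",
]


def find_dtlminer_hits(
    lines: List[str], domains: List[str] = DTLMINER_DOMAINS_DEFANGED
) -> List[Dict[str, object]]:
    """Return one record per log line that references a DTLMiner domain."""
    matcher = build_matcher(domains)
    hits: List[Dict[str, object]] = []
    for lineno, line in enumerate(lines, 1):
        m = matcher.search(line)
        if m:
            hits.append({"line": lineno, "indicator": m.group(0).lower(), "log": line})
    return hits


if __name__ == "__main__":
    for hit in find_dtlminer_hits(SAMPLE_LOGS):
        print(f"line {hit['line']}: {hit['indicator']} <- {hit['log']}")
```

Matching on the full host name rather than on the substring "0000o" keeps false positives down, while allowing arbitrary subdomains catches hosts the operators add later under the same parent domain.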