The comeback of DTLMiner

Summary

  • DTLMiner makes a comeback and adds exploitation of the CVE-2024-23692 vulnerability.
  • DTLMiner replaces its primary domain with d.0000o[.]xyz and uses t.0000o[.]xyz as the domain for downloading scripts and other components.
  • DTLMiner now has fewer modules on both the Windows and Linux platforms and obfuscates its scripts at most once.
  • The DTLMiner lateral movement module drops the Elasticsearch, Solr and Docker propagation methods; the actual code of the SSH brute-force module has also been removed, and only the commands executed after a successful exploit are retained.
  • DTLMiner again introduces a backdoor module, but, like the mining module, it is an executable file rather than a fileless module.