MadoMiner Cryptocurrency Worm

MadoMiner is a newly observed cryptocurrency mining worm that uses large portions of the ZombieBoy remote access trojan’s code.

MadoMiner uses the EternalBlue and DoublePulsar exploits, along with known RDP exploits, to compromise a device. The modules used for this are identical to those in ZombieBoy, even down to the comments within the exploits. Once access to a vulnerable device has been gained, a Dynamic-link Library (DLL) file is delivered which, when executed, will download two Ultimate Packer for eXecutables (UPX) packed modules referred to as Install.exe and Mask.exe.

Once installed, MadoMiner will contact a command and control server, which will provide it with a list of mining pool URLs and IP addresses to scan. It will then connect to one of these URLs and begin mining (at less than 50% CPU utilisation). Install.exe is then used to scan the IP ranges using the WinEggDrop tool, and will deploy the exploit modules against any vulnerable systems it identifies.

During the execution of the Install module, MadoMiner makes use of several exploits:

Further technical details can be found here.

Indicators of Compromise

Domains

  • 3322[.]net
  • alibuf[.]com
  • alibuf[.]info
  • frebuf[.]info
  • freebuf[.]info
  • hobuff[.]info
  • ip138[.]com
  • posthash[.]org

MD5 File Hashes

  • 2df2d6d9db08558e88f1636ed2acc146
  • 3c720a55b043564313000a4efb1d85c0
  • 4a14e7fb274462e844b5595210350400
  • 4ae31911c1ef2ca4eded1fdbaa2c7a49
  • 69833a3ecc52f57a02656d46e1799dcc
  • ce606d80b44ea2aae81056b9088ba1e4
  • d09f2340818511d396f6aaf844c7e325
  • d8470f5c12f5a5fee89de4d4c425d614
  • e9c6bf0de42aa2449f1ed4bbb50ddcd6
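The indicators above are published defanged (with "[.]" in place of the dot) and as bare MD5 strings, so they cannot be dropped straight into a log search. The following Python script is an added example, not code from the post or from its author, showing one way a defender would operationalise them: it refangs the domains, matches DNS query names against them including subdomains (so a query for a host under a listed domain is caught while look-alike names are not), and case-normalises hash lists exported from an endpoint tool before comparing them. The DNS log format and the log lines are constructed for the example and are an assumption, not a format the post describes.

```python
import hashlib
import re
from typing import Dict, Iterable, List, Optional, Tuple

# Domain indicators exactly as published in the post (defanged with "[.]").
DOMAIN_IOCS = [
    "3322[.]net", "alibuf[.]com", "alibuf[.]info", "frebuf[.]info",
    "freebuf[.]info", "hobuff[.]info", "ip138[.]com", "posthash[.]org",
]

# MD5 file hashes exactly as published in the post.
MD5_IOCS = {
    "2df2d6d9db08558e88f1636ed2acc146", "3c720a55b043564313000a4efb1d85c0",
    "4a14e7fb274462e844b5595210350400", "4ae31911c1ef2ca4eded1fdbaa2c7a49",
    "69833a3ecc52f57a02656d46e1799dcc", "ce606d80b44ea2aae81056b9088ba1e4",
    "d09f2340818511d396f6aaf844c7e325", "d8470f5c12f5a5fee89de4d4c425d614",
    "e9c6bf0de42aa2449f1ed4bbb50ddcd6",
}


def refang(indicator: str) -> str:
    """Turn a defanged indicator such as 'alibuf[.]com' back into 'alibuf.com'."""
    return indicator.replace("[.]", ".").replace("(.)", ".").strip(".").lower()


# Refanged once at import time so matching does not redo the string work per log line.
REFANGED_DOMAINS = {refang(d) for d in DOMAIN_IOCS}


def domain_matches(queried: str) -> Optional[str]:
    """Return the listed domain if `queried` is that domain or any subdomain of it.

    The '.' + ioc suffix check means 'pool.alibuf.com' matches 'alibuf.com'
    but a look-alike such as 'notalibuf.com' does not.
    """
    name = queried.lower().rstrip(".")
    for ioc in REFANGED_DOMAINS:
        if name == ioc or name.endswith("." + ioc):
            return ioc
    return None


# Assumed (constructed) DNS query log layout: "<date> <time> <client-ip> query: <qname>".
DNS_LOG_RE = re.compile(r"^(?P<date>\S+) (?P<time>\S+) (?P<client>\S+) query: (?P<qname>\S+)")


def scan_dns_log(lines: Iterable[str]) -> List[Tuple[str, str, str]]:
    """Return (client, queried name, matched indicator) for every query hitting a listed domain."""
    hits = []
    for line in lines:
        match = DNS_LOG_RE.match(line)
        if not match:
            continue  # lines in another format are skipped rather than mis-parsed
        ioc = domain_matches(match.group("qname"))
        if ioc:
            hits.append((match.group("client"), match.group("qname"), ioc))
    return hits


def check_hashes(digests: Iterable[str]) -> set:
    """Return the subset of (case-insensitive) MD5 strings that appear in the published list."""
    return {d.strip().lower() for d in digests if d.strip().lower() in MD5_IOCS}


def md5_hits(files: Dict[str, bytes]) -> Dict[str, str]:
    """Hash raw file contents and report those whose MD5 is on the published list."""
    found = {}
    for name, data in files.items():
        digest = hashlib.md5(data).hexdigest()
        if digest in MD5_IOCS:
            found[name] = digest
    return found


# Constructed sample log lines for demonstration; not real traffic.
SAMPLE_DNS_LOG = [
    "2018-08-14 10:01:02 10.0.0.5 query: pool.alibuf.com",
    "2018-08-14 10:01:03 10.0.0.7 query: www.example.org",
    "2018-08-14 10:01:04 10.0.0.9 query: 3322.net.",
    "2018-08-14 10:01:05 10.0.0.11 query: notalibuf.com",
    "malformed line that should be ignored",
]

if __name__ == "__main__":
    for client, qname, ioc in scan_dns_log(SAMPLE_DNS_LOG):
        print(f"{client} resolved {qname} (matches {ioc})")
    print(check_hashes(["2DF2D6D9DB08558E88F1636ED2ACC146", "d41d8cd98f00b204e9800998ecf8427e"]))
```

Matching on the domain suffix rather than the exact string matters here because a mining pool or update host is typically a subdomain of the listed zone; at the same time the leading-dot check keeps unrelated names that merely end in the same characters out of the results. Hash matching is done on lowercased hex so that exports from tools that emit upper-case digests still compare correctly.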

Duncan Newell

Duncan is a technology professional with over 20 years' experience of working in various IT roles. He has an interest in cyber security, and has a wide range of other skills in radio, electronics and telecommunications.
