MINEBRIDGE

Description

(FireEye) MINEBRIDGE is a 32-bit C++ backdoor designed to be loaded by an older, unpatched instance of the legitimate remote desktop software TeamViewer by DLL load-order hijacking. The backdoor hooks Windows APIs to prevent the victim from seeing the TeamViewer application. By default, MINEBRIDGE conducts command and control (C2) communication via HTTPS POST requests to hard-coded C2 domains. The POST requests contain a GUID derived from the system’s volume serial number, a TeamViewer unique id and password, username, computer name, operating system version, and beacon interval. MINEBRIDGE can also communicate with a C2 server by sending TeamViewer chat messages using a custom window procedure hook. Collectively, the two C2 methods support commands for downloading and executing payloads, downloading arbitrary files, self-deletion and updating, process listing, shutting down and rebooting the system, executing arbitrary shell commands, process elevation, turning on/off TeamViewer’s microphone, and gathering system UAC information.

MINEBRIDGE’s default method of communication is sending HTTPS POST requests over TCP port 443. This method of communication is always active; however, the beacon-interval time may be changed via a command. Before sending any C2 beacons, the sample waits to collect the TeamViewer generated unique id (<tv_id>) and password (<tv_pass>) via SetWindowTextW hooks.

Names

Name
MINEBRIDGE
MINEBRIDGE RAT
GazGolder

Category

Malware

Type

  • Reconnaissance
  • Backdoor
  • Info stealer

Information

Malpedia

AlienVault OTX

Other Information

UUID

a84d3839-83ef-427c-b914-f46018515096

Last Card Change

2021-04-24