It has been barely a month after vulnerability researchers at Cyberoam Threat Research Labs revealed an extensive investigation on BitCoin mining malware. The CTRL team has yet again found a new malware sample [MD5: fac01db6348df89757c8c5172538bbed] with BitCoin mining attributes being propagated over Facebook this time. Latest findings from CTRL team reveal new attack methods being adopted by the cyber criminals behind BitCoin mining malware. Vulnerability researchers at CTRL believe the perpetrators behind this malware attack have become defter after a successful attempt in using Skype as a ‘threat vector’. It appears they are now targeting popular social media sites to maximize the impact of this threat and victimize more Internet users.
Although the modus operandi used by the attackers resembles to the previous attacks to an extent, but this time around they have employed changes like the malware link uses a padding (e.g.; photo-03760.bmp) in an attempt to look more legitimate to users. Also the attackers have used a technique in which the malware is injected into ‘explorer.exe’-a legitimate windows process, to avoid any suspicious activity in the log. The malware is also found using SSL protocol to communicate, which avoids its detection by traditional filtering devices. Although we have information of this malware, the modular approach used in its functioning makes it difficult to predict its future activities, making it even more dangerous. Currently the malware shows BitCoin mining activities, but CTRL researches predict its possibility of being used for other attacks.
Malware abuses CPUs and GPUs of infected computers to generate BitCoins
The new malware sample uses victim’s infected machine for BitCoin mining which might lead to hardware failure if attacker runs miner at top speed, full load. (https://bitcointalk.org/index.php?topic=25889.0)
Contacts remote host
The malware connects to an IRC server, joins a channel and waits for commands. It retrieves further data or infection parameters from this IRC channel and accepts commands from the IRC server to perform following action on the infected system:
- Download and execute file from specified URL. e.g. ransomware
- Collect username and passwords from FTP, POP3, Internet Explorer and Firefox cache
- Block/Redirect certain domains and websites
- Launch and stop DoS (SYN or UDP flood)
Although these two emerge as primary impacts, the malware holds the capability of performing every activity a user does on their system. The modular approach used by attackers in this malware, ensures low levels of detections and also enables the attacker to change malware attributes whenever needed. Currently the primary activity identified is BitCoin mining, but using the same malware the attackers can cause a different havoc also. This very attribute of malware to receive commands and execute becomes the major cause of concern.
The new malware sample was found propagating through Facebook chat messages. As mentioned before, the malware arrives as link and it actually uses a padding (e.g.; photo-03760.bmp) in an attempt to look more legitimate to users.
On clicking the URL, it asks the users to download an .exe file. (In windows systems, the original .exe extension often remains hidden due to default settings, making it difficult to notice that an .exe file is being downloaded.)
As per the initial virus scan on virscan.org for the malware, it was not detected by any major anti-virus solutions.
But recent scanning shows a 21.62% detection rate, which means 8 out of 37 antivirus solutions detect it.
Once the victim user opens the file ‘Photo-648648648.png’, the malware creates two processes.
1) rundll32.exe: This process has been used to show an image attached with the malware, so that user sees an image and finds nothing suspicious.
2) x1.exe: This process was created in %APPDATA% directory and later used to inject in to the windows legitimate process “explorer.exe”.
The attackers also ensure that after successful injection x1.exe to explorer.exe, the process removed itself from the directory, ensuring spotting of nothing suspicious in the Task Manager.
Immediately after injection, explorer.exe starts communicating with malware servers.
Firstly it connects to wipmania.com to get the geo location of the victim.
Reply reveals the location.
Once it gets the location of victim it connects to the C&C (Command & Country) servers on TCP port 80. This gives an additional advantage to the malware as almost every network has default access to HTTP port from LAN to WAN.
Interestingly malware is found using SSL protocol to communicate, which disables detection by traditional filtering devices to inspect the content traversing over wire.
Dissecting the encrypted tunnel, the CTRL team found that malware used ‘666666’ as the password to login in to the secured channel. It generates an IRC ‘nickname’ by combining the country code, operating system and a random string. (Example ‘nickname’: NICK n[USA|XPa]uqqqhrq)
Once the malware joins the channel, it was ordered to download some .gif files from ‘sitepalace.com’ and ‘sunrise.ug’.
‘Explorer.exe’ soon started downloading a ‘.gif file’ from sitepalace.com
Immediately a question rose among us, as to why an attacker would use his precious channel to download a mere gif file?
But soon we got our answer just a second later when we investigated the packet as given below,
You are right, how come gif file has ‘MZ’ as a file signature?
Once downloaded the explorer.exe created a binary namely ‘36.exe’ in ‘%APPDATA%’ directory.
‘Explorer.exe’ later started a process ‘36.exe’
Looking into the strings in the memory revealed that this particular process was involved in propagating malware. Below image shows some messages like “I can’t believe I still have this picture”
It also revealed that malware is using Facebook as propagation media. You can see Facebook URLs associated with listing friend lists and sending Facebook chat message.
Next explorer.exe downloaded one more .gif file from sunrise.ug, which was nothing but a binary file named with gif extension. This was downloaded in the ‘%APPDATA%’ directory with the name as ‘37.exe’. (The point to be noticed is the fact that here it’s the ‘explorer.exe’ that is executing most of the processes, delaying the detection and making it difficult.)
As soon as explorer.exe started the ‘37.exe’ process, it added a registry entry at ‘HKCU\Software\Microsoft\Windows\CurrentVersion\Run\ to ensure its presence after rebooting the system’.
It then copied itself to the ‘%TMP%’ directory with the name ‘minerd.exe’.
‘37.exe’ then started a process named ‘minerd.exe’.
Analyzing ‘minerd.exe’ revealed that it is communicating with ‘www2.x3x4.su’ on ‘port 666’.
Looking into the packet capture associated with this, confirmed our doubts that the process is using ‘cpuminer 2.2.3’ to abuse the CPUs and GPUs of infected computers to generate BitCoins.
There four servers found to be used by this malware variant. They are:
- 22.214.171.124 – MediaFire server where malware dropper is hosted
- x.e1b2.org – IRC server listening on port 80
- sitepalace.com – Malware sample hosted as a gif file
- sunrise.ug – Malware sample hosted as a gif file
Considering the detailed part of the malware, we found 4 different malwares clubbed to achieve the complete attack process. Each malware had its separate and defined role in the attack. Find below the four we found.
- Photo-648648648.png.exe – fac01db6348df89757c8c5172538bbed (Acts as the Dropper)
- x1.exe – 8e9debb81d6bdec54bce835aaf5b6b35 (Used to process injection)
- 36.exe – f198488bd5b6884dda8f85f569b2811d, 28bcb78c05133b4e7ae1bfcda1b8a6e7 (Used for Propagation)
- 37.exe, minerd.exe – 35517bae454e3f6f2c6a93cf3975fb19 (Used for BitCoin mining)
As user, you can check and ensure whether you are infected or not, using the following infection evidences.
1) Experience high CPU usage on computer
2) Presence of the following file indicates malware infection
3) Presence of 37.exe, minerd.exe, 3A.exe or 3B.exe in task manager
4) Registry entry like HKCU\Software\Microsoft\Windows\CurrentVersion\Run\0×000101
Follow the below steps to prevent the menace:
- Cyberoam customers are requested to apply Cyberoam IPS policy on LAN-WAN firewall rule and enable ‘spyware’ category
- Scan your network for malicious activities
- Ensure all installed softwares are up to date
- Keep your Anti-Virus solution updated
- Be cautious while accepting/opening attachments, file transfers
- Stay alert to social engineering attacks
Stay updated to such attacks and recent news in the threat landscape by subscribing to Cyberoam Blogs. Visit www.cyberoam.com for further details on other solutions being offered by Cyberoam.
NOTE: CYBEROAM THREAT RESEARCH TEAM WILL CONTINUE RESEARCH ON THE SAME MALWARE