by Lilia Elena Gonzalez Medina  |  Jun 14, 2016  |  Filed in: Security Research

Although bitcoin miners have been used by cybercriminals before as a way to monetize their malicious activities, this recent sample (MD5: 522f8ba8b2dec299cc64c0ccf5a68000) caught our attention because it is unusually heavy, persistent, and obfuscated. Fortinet detects this threat as W32/Miner. (3)

Threat Description

This malicious bitcoin miner is, in fact, a container of multiple files. Since NSIS (Nullsoft Scriptable Install System) was used to create the malware sample, the files that it contains can be seen using a file archiver such as 7-Zip. The internal structure of the analyzed Bitcoin miner sample, called IMG001.exe, is as follows:

-$R9
------$PLUGINSDIR
------------intec.dll
------NsCpuCNMiner32.exe
------NsCpuCNMiner64.exe
------pools.txt
------makensis.exe
-$TEMP
------info.zip
------tftp.exe
-$_OUTDIR
------$PLUGINSDIR
------------ExecDos.dll
------Plugins
------------info.zip
------------tftp.exe
------------inetc.dll
------------ExecDos.dll
------Stubs
------------bzip2
------------bzip2_solid
------------folder.ico
------------icon.ico
------------lzma
------------rar.ico
------------uninst
------------zlib

After its execution, the sample drops these files in %AppData% and copies itself to %AppData%\Roaming\NsMiner and C:\.


Figure 1. Files and Folders Dropped or Created by the Malware

Additionally, the sample obtains information about the version of Windows and the operating system platform using the GetVersion API call. 

It also changes the computer’s power schemes to the following (5):

  • 381b4222-f694-41f0-9685-ff5bb260df2e\4f971e89-eebd-4455-a8de-9e59040e7347\5ca83367-6e45-459f-a27b-476b1d01c936: Do nothing when closing the lid, instead of sleeping, hibernating, or shutting down.
  • 8c5e7fda-e8bf-4a96-9a85-a6e23a8c635c\238c9fa8-0aad-41ed-83f4-97be242c8f20\29f6c1db-86da-48c5-9fdb-f2b67b1f44da: Sets the minutes of inactivity to 0 before the computer changes to sleep mode.
  • 8c5e7fda-e8bf-4a96-9a85-a6e23a8c635c\238c9fa8-0aad-41ed-83f4-97be242c8f20\9d7815a6-7ee4-497e-8888-515a05f02364: Sets the minutes of inactivity to 0 before the computer hibernates.
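The following PowerShell is an added triage check, not code from the original post: it queries the three scheme\subgroup\setting GUIDs listed above with powercfg and flags the values the malware sets (lid close action 0 = "Do nothing", sleep and hibernate idle timeouts 0 = "Never"). The scheme names in the comments are the Windows defaults for those GUIDs; the output line format it parses is the standard English "Current AC/DC Power Setting Index" output of powercfg /query.

```powershell
# Added example (not from the original post): inspect the power settings the malware
# changes. No elevation is needed for powercfg /query.
$checks = @(
    @{ Name    = 'Lid close action (Balanced scheme)'
       Scheme  = '381b4222-f694-41f0-9685-ff5bb260df2e'
       Sub     = '4f971e89-eebd-4455-a8de-9e59040e7347'
       Setting = '5ca83367-6e45-459f-a27b-476b1d01c936' },
    @{ Name    = 'Sleep after (High performance scheme)'
       Scheme  = '8c5e7fda-e8bf-4a96-9a85-a6e23a8c635c'
       Sub     = '238c9fa8-0aad-41ed-83f4-97be242c8f20'
       Setting = '29f6c1db-86da-48c5-9fdb-f2b67b1f44da' },
    @{ Name    = 'Hibernate after (High performance scheme)'
       Scheme  = '8c5e7fda-e8bf-4a96-9a85-a6e23a8c635c'
       Sub     = '238c9fa8-0aad-41ed-83f4-97be242c8f20'
       Setting = '9d7815a6-7ee4-497e-8888-515a05f02364' }
)

foreach ($c in $checks) {
    # powercfg prints one "Current AC Power Setting Index: 0x........" line and one DC line
    $out = powercfg /query $c.Scheme $c.Sub $c.Setting 2>$null
    foreach ($src in 'AC', 'DC') {
        $m = $out |
            Select-String -Pattern "Current $src Power Setting Index:\s+0x([0-9A-Fa-f]+)" |
            Select-Object -First 1
        if (-not $m) { continue }           # setting absent (e.g. no lid on a desktop)
        $value  = [Convert]::ToInt32($m.Matches[0].Groups[1].Value, 16)
        # 0 is exactly the value the post describes for all three settings
        $status = if ($value -eq 0) { 'MATCHES DESCRIBED TAMPERING' } else { 'ok' }
        '{0} [{1}]: {2} ({3})' -f $c.Name, $src, $value, $status
    }
}
```

A value of 0 can also be a legitimate administrator choice, so treat a match as corroborating evidence to be read together with the NsMiner file and persistence artifacts described later, not as a detection on its own.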


Figure 2. Registry Changes to Modify the Power Schemes

Below is a description of the files contained in IMG001.exe:

  • info.zip

The file info.zip contains the executable IMG001.scr (MD5: fbbcf1e9501234d6661a0c9ae6dc01c9 (4)), which is also an NSIS container with a structure similar to that of the original file, except for the info.zip file itself. This is the file that the sample copies to FTP servers using common passwords.


Figure 3. Content of the File info.zip

  • inetc.dll

The plain-text strings found in nsh9F3D.tmp\inetc.dll show that this file is actually the x86-ansi version of the Inetc plug-in for downloading and uploading files. (1) According to its website, this plugin supports the HTTP, HTTPS and FTP protocols and makes use of the MS WinInet API.


Figure 4. Strings in inetc.dll 

  • rooXXXX.tmp and capXXXX.tmp

The files rooEEDC.tmp and capEEEC.tmp seem to be log files that update periodically; the first one contains information about HTTP requests and responses, and the second one contains data related to network adapters. The last four characters are random, and the sample creates more than one rooXXXX.tmp file.


Figure 5. Part of the Temporary Files Created by the Malware to Record Network Related Data

  • tftp.exe

The file tftp.exe contains a list of common passwords in various languages, as shown by the inclusion of “azerty” and “qwerty”, the first row of adjacent keys on French and English keyboards respectively, and strings like “DIOSESFIEL”, which means “God is faithful” in Spanish. This set of passwords is used to attempt to log in to FTP servers in order to upload the file info.zip.

  • NsMiner

Inside the NsMiner folder created in %AppData%, the following files and folders were found:

    • A text file called pools.txt, containing a list of the URLs and ports of the Bitcoin mining pools used by the sample
    • Another copy of the originally executed sample, called IMG001.exe
    • A 32-bit version of a bitcoin miner called NsCpuCNMiner32.exe
    • A 64-bit version of a bitcoin miner called NsCpuCNMiner64.exe

An interesting string in NsCpuCNMiner32.exe is “Richz3”, which could be a username. The file called NsCpuCNMiner64.exe has a string that provides information about the bitcoin miner used: “E:\CryptoNight\bitmonero-master\src\miner\x64\CPU-Release\Crypto.pdb”. 

CryptoNight (2) is an algorithm designed to mine bitcoins on ordinary PCs, and Bitmonero is a cryptocurrency that uses the CryptoNote protocol to provide privacy and anonymity to the transactions made with digital currencies.


Figure 6. The Malware Uses the CryptoNight Algorithm to Mine Bitcoins


Figure 7. Content of the File pools.txt

Persistence

As mentioned, this bitcoin miner implements various methods to keep executing on the infected system:

  • Creates a task called UAC that executes the file C:\Users\\AppData\Roaming\NsMiner\IMG001.exe every time a user logs in, using the SYSTEM account so that the malware runs with the highest privileges.


Figure 8. Task Created to Execute the Malware on Startup

  • Creates a shortcut in C:\Users\\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup.


Figure 9. Shortcut of the Malware in the Folder “Start Menu”

  • Adds the value %AppData%\Roaming\NsMiner\IMG001.exe to the registry key HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\.
  • Adds the same value to the registry key HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\.
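The following PowerShell is an added host-triage example, not code from the original post: it looks for each persistence artifact listed above (the UAC task, both Run keys, a Startup-folder shortcut and the dropped copy in NsMiner) and reports what it finds without removing anything. It assumes the task name, the NsMiner\IMG001.exe path and the Run key names exactly as the post gives them, and should be run from an elevated PowerShell so HKLM and the task library are readable.

```powershell
# Added example (not from the original post): report-only triage of the NsMiner
# persistence artifacts described above.
$marker   = 'NsMiner\IMG001.exe'     # substring common to every artifact the post lists
$findings = New-Object System.Collections.Generic.List[string]

# 1. Scheduled task named "UAC" that launches the miner at logon as SYSTEM
$task = Get-ScheduledTask -TaskName 'UAC' -ErrorAction SilentlyContinue
if ($task) {
    foreach ($a in $task.Actions) {
        if ($a.Execute -like "*$marker*") {
            $findings.Add("Task 'UAC' runs $($a.Execute) as $($task.Principal.UserId)")
        }
    }
}

# 2. Run keys in both hives (the post reports the same value written to HKLM and HKCU)
foreach ($key in 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Run',
                 'HKCU:\SOFTWARE\Microsoft\Windows\CurrentVersion\Run') {
    $props = Get-ItemProperty -Path $key -ErrorAction SilentlyContinue
    if (-not $props) { continue }
    foreach ($p in $props.PSObject.Properties) {
        if ($p.Value -is [string] -and $p.Value -like "*$marker*") {
            $findings.Add("$key : $($p.Name) = $($p.Value)")
        }
    }
}

# 3. Shortcut in the current user's Startup folder whose target is the miner
$shell = New-Object -ComObject WScript.Shell
Get-ChildItem -Path ([Environment]::GetFolderPath('Startup')) -Filter '*.lnk' -ErrorAction SilentlyContinue |
    ForEach-Object {
        $target = $shell.CreateShortcut($_.FullName).TargetPath
        if ($target -like "*$marker*") { $findings.Add("Startup shortcut $($_.Name) -> $target") }
    }

# 4. The dropped copy itself ($env:APPDATA already points at ...\AppData\Roaming)
$copy = Join-Path $env:APPDATA 'NsMiner\IMG001.exe'
if (Test-Path $copy) { $findings.Add("Dropped copy present: $copy") }

if ($findings.Count) { $findings } else { 'No NsMiner persistence artifacts found' }
```

The Startup check only covers the user running the script; on a shared machine repeat it for each profile under C:\Users.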

Network Activity

First, the sample repeatedly downloads the files test.html, stat.html, and text.html from the following domains: hrtests.ru, stafftest.ru, profetest.ru, testpsy.ru, pstests.ru, qptest.ru, prtests.ru, jobtests.ru and iqtesti.ru. The user-agent in these requests is “NSIS_Inetc (Mozilla)”. The content of these files is obfuscated, as shown below:


Figure 10. Obfuscated File test.html

To obfuscate the file, the malware writer simply arranged the characters in the order shown in the picture below and then substituted each character, working from the middle of the sequence outward, with the character at the same position on the opposite side of the sequence.


Figure 11. Obfuscation Algorithm


Figure 12. The Obfuscated stat.html vs. the De-obfuscated stat.html
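The following PowerShell is an added decoder for the mirror substitution just described; it is not code from the original post. The real character order is the one shown in Figure 11 and is not reproduced here, so the $Order value below is an assumed placeholder to be replaced with the sequence from the figure; the sample text is constructed, not content of test.html. Because every character is paired with its mirror image, the mapping is its own inverse, and the same function both encodes and decodes.

```powershell
# Added example (not from the original post): mirror-substitution decoder.
function Convert-MirrorSubstitution {
    param(
        [Parameter(Mandatory)][string]$Text,
        # ASSUMED placeholder order; substitute the character sequence from Figure 11
        [string]$Order = 'abcdefghijklmnopqrstuvwxyz0123456789'
    )
    $n   = $Order.Length
    $map = @{}
    # character at index i is paired with the one at index (n-1-i), i.e. its mirror image
    for ($i = 0; $i -lt $n; $i++) { $map[$Order[$i]] = $Order[$n - 1 - $i] }

    $sb = New-Object System.Text.StringBuilder
    foreach ($ch in $Text.ToCharArray()) {
        # characters outside the order (newlines, punctuation, spaces) pass through unchanged
        if ($map.ContainsKey($ch)) { [void]$sb.Append($map[$ch]) } else { [void]$sb.Append($ch) }
    }
    $sb.ToString()
}

# Constructed demonstration line (not real test.html content): encode, then decode with
# the same function and confirm the round trip.
$plain   = 'writeregstr hklm software 1'
$encoded = Convert-MirrorSubstitution -Text $plain
$decoded = Convert-MirrorSubstitution -Text $encoded
"encoded: $encoded"
"decoded: $decoded"
if ($decoded -ne $plain) { throw 'round-trip failed' }
```

To decode a captured file, pipe its contents in with the recovered order: Get-Content .\test.html -Raw | ForEach-Object { Convert-MirrorSubstitution -Text $_ -Order $recoveredOrder }.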

After the HTML files are decoded, the contents are shown to be NSIS installer scripts. The files are detailed below:

  • test.html: Has the ports and wallet addresses of the bitcoin pool “mine.moneropool.com”.
  • stat.html: Has an NSIS script with the commands used to create registry keys, create shortcuts, copy files, execute cmd commands, delete files, etc.
  • text.html: Contains a list of usernames, passwords, and paths. This information is used by the script in stat.html to copy the sample to other computers in the same network using the commands “net use” and “xcopy”, as shown in Figure 12. This file in particular might give some clues regarding the origin of the sample, as it contains strings that look like this: "èìÿ-ïîëüçîâàòåëÿ". By changing the encoding we obtain a Russian word, in this case имя-пользователя, which can be translated as “username”. It also contains the string “sergey oleg egor anton misha anna lena elena irina marina natasha dasha maria alex olga anna vika eva ivan”, a list of names that are common in Russian-speaking countries.


Figure 13. Part of the File text.html with strings in Russian

To continue propagating, the malicious bitcoin miner makes FTP requests to multiple IP addresses using the password dictionary embedded in tftp.exe.


Figure 14. FTP Requests Without Internet Access

Once the malware has access, it attempts to upload the file info.zip using the STOR command. The sample is also able to obtain information about a file or a directory using the LIST command. 


Figure 15. Access Granted to FTP Server After Using a Common Password

Finally, the file NsCpuCNMiner32.exe is executed locally. The command line used by the malware to execute this program is shown in Figure 16, below, although in that case the command was executed manually for research purposes. The command line options are explained as follows (6):

  • -dbg -1: no log file or debug messages
  • -o: pool address, which in this case uses the Stratum protocol, a lightweight protocol used for bitcoin mining instead of HTTP
  • -t 1: number of threads used
  • -u: wallet address
  • -p x: the password, which in this case is “x”


Figure 16. Claymore CryptoNote CPU Miner Used by the Malware

This sample uses port 3333 for all the bitcoin related requests.


Figure 17. Network Traffic of the Bitcoin Miner

References

  1. http://nsis.sourceforge.net/Inetc_plug-in
  2. https://en.bitcoin.it/wiki/CryptoNight
  3. https://www.virustotal.com/en/file/a9a349d2aacd7d9c1d0f149a9e2c0a908584e607719cbed37a26f6e8dee1e718/analysis/
  4. https://www.virustotal.com/en/file/d9901b16a93aad709947524379d572a7a7bf8e2741e27a1112c95977d4a6ea8c/analysis/1451986874/
  5. http://www.symantec.com/connect/articles/tweaking-windows-7-power-plans-using-powercfg-command-line-options
  6. https://bitcointalk.org/index.php?topic=647251.0