Pierluigi Paganini
July 23, 2019
In the past months we published a white paper exploring the risks that users can encounter when downloading materials from P2P sharing network, such as the Torrent one. We discussed how crooks easily lure their victims to download malware along with the desired content. Recently, our threat monitoring operations pointed us to an interesting file named “Lucio Dalla Discografia Completa”: this file pretends to be a collection of the discography of a famous
For this reason, Cybaze-Yoroi ZLAB dissected this malware threat revealing its hidden virulent nature.
As anticipated, the file downloaded from the BitTorrent network is an executable. A quick recon revealed it actually is an SFX archive containing several other files.
| Hash | f9b2e61200addf760d7bd157c73201e97257b12d5177837a1bffb98f4064e76a |
| Threat | Miner-Dropper |
| Brief Description | Coin-miner dropper (SFX archive) |
| Ssdeep | 98304:BbEwGxyUOn/JaYYaeY+dM6YydmOQ1zYuuUBb53+munE0dMp1oHnXZetvRfuODYN |
Table 1: Static Information about the miner dropper
The usage of an archive like SFX allows the attacker to hide the content of the malicious PE and significantly reduce the detection rate. Opening the sample with a common archive manager like WinRAR or 7z, unveil its content.
The archive contains more than a dozen of files. In detail it embeds:
On the right of Figure 1 it is possible to see the SFX configuration file. After the auto-extraction, the first file run is “run.vbs”. Its content is minimal and quickly redirect the execution to a small batch file, “installer.bat” contained in the same folder. Then it runs installer.bat (the filename) with the parameter “0″ (WindowStyle hidden, to avoid hidden windows because it may trigger AntiViruses heuristics) and “true” (WaitOnReturn).
The content of “installer.bat” file is also minimal and points to a more complex text file “007.tmp”, later renamed as “007.bat”. That file weighs over 59 KB and contains more interesting functionalities.
Unlike the previous script, the “007” file performs many operations. The first one is to copy of all files contained in the extraction path directory into “#” subdirectory and to rename some of the just extracted files, suggesting some of the files are dependencies of a more complex chain.
Code Snippet 1: Copy of the files in a subfolder
After that, it generates three different files named “001.tmp”, “32.tmp” and “64.tmp”, later renamed with “.exe” suffix. They are created by mixing up the original files. In particular: “001.tmp” is created combining file “008.tmp”, “009.tmp” and “010.tmp”. The resulting executable have been split in those files, evading AV signatures.
But this composed executable hides another interesting detail. Before merging the file slices, the script replaces part of the PE header: it overrides the “This program cannot be run in DOS mode” string with random chars, generating different files hashes at every infection. This polymorphic techniques implemented directly in bash stage is applied to all the other files chunked and embedded into the original SFX archive.
After that, the script tries to use the just created “Rar.exe” and “7z.exe” files to create new SFX file in other directories belonging to the P2P platforms. This trick is used to spread the attack across the file-sharing communities, to compromise much more victims and to keep the infection alive. An example of this routine is the following:
Code Snippet 2: Example of propagation routine
All these actions are performed for each system drive letter, such as C:, D:, X: and so on. After that, the script looks for the Microsoft Windows OS version from “5.x” to “15.x” and finally executes several specific routines according to the target machine. These routines perform a few basic operations:
Code Snippet 3: Choose of the files to copy whether the target architecture is x86 or x64
At this point, the malicious control passes to the 001.exe file located in the Startup folder.
The 001.exe is actually packed with a known version of the UPX compressor. So, the extraction of the payload is quite straight forward.
| Hash | b6080b2786d2e4ac30207fb2f177046cfd40fa6578c56f3dfd13abab7d62e2ea |
| Threat | Miner Launcher |
| Brief Description | Coin-miner Payload (001.exe) packed with UPX |
| Ssdeep | 3072:A3VD85gJFV8QncMujKCv0jqAi0hIazLEHYxWVfhn+zM45uUyvHBsV2svkgfODQ2C |
Table 2: Generic info about the Miner Loader
| Hash | 7bd25bd3c0f003ffea67c846b4fefd8fb8b4f72d836544d0ef786c5c6c63b422 |
| Threat | Miner Launcher Decompressed |
| Brief Description | Coin-miner Payload (001.exe) unpacked |
| Ssdeep | 12288:7EyxWjS8ZZVajy6YWgHQ+oHxlJz4UE0UsZ+GmYNuuv:oyxWjS8ZZVUYWgw1Hh |
Table 3: Generic info about the Miner Loader unpacked
Analyzing the decompressed binary, we noticed the malware firstly tries to run the “svchost.exe” binary contained in “%systemdrive%\AppCache\x86”, which likely is the real payload.
| Hash | 73bc41504045e4e6de1b63ec40433afabf316141b1289c69905ee946e1b1a263 |
| Threat | Miner-Payload |
| Brief Description | Coin-miner Payload (32.exe) packed with UPX (minerd) |
| Ssdeep | 73bc41504045e4e6de1b63ec40433afabf316141b1289c69905ee946e1b1a263 |
Table 4: Generic Information of the Coininer compiled in 32 bit (UPX packed)
| Hash | a3574e73234e18be8d233c9e3fa3819600fc40341d8be8fc4449e4e73632ad6d |
| Threat | Miner-Payload |
| Brief Description | Coin-miner Payload (64.exe) packed with UPX (minerd) |
| Ssdeep | 49152:sb5CY+muocuUwlCdMsQd1pSHn/5JKIezmMNkG7403EIlnDysnue759ByzPIYNUN |
Table 5: Generic Information of the Coininer compiled in 32 bit (UPX unpacked)
The “svchost.exe” placed in the file “%systemdrive%\AppCache\x86” folder actually is one of the two files “32.exe” and “64.exe” previously created. After unpacking routines, the results are the following.
| Hash | 746d17e8d0b961f0c7733f155152fa54d2610fc6d117217d24f32d3ad370075e |
| Threat | Miner-Payload |
| Brief Description | Coin-miner Payload (32.exe) unpacked (minerd) |
| Ssdeep | 196608:aN8/juE4Be73AeWNEwVGuhcf7eVhbjYV:tuwUbK |
Table 6: Generic Information of the Coininer compiled in 64 bit (UPX packed)
| Hash | 552a4cbd2628d16d1fc910c9fc24bc426cafdf0f755f7b4013484adbc0393ca7 |
| Threat | Miner-Payload |
| Brief Description | Coin-miner Payload (64.exe) unpacked(minerd) |
| Ssdeep | 393216:6ovgtbTTTpT1TITHThTtTwTaTtTVTFTZTlTNTbTwTuTzT1T0TtTlT1ToTlTzTVTz:6 |
Table 7: Generic Information of the Coininer compiled in 64 bit (UPX packed)
Obviously, these hashes changes at every infection due to the polymorphic technique implemented in the bash stage previously described. The unique purpose of “001.exe” is the execution of “32.exe” or “64.exe” contained in “%systemdrive%\AppCache\x86”, a stratum-based coinminer. Stratum is the de-facto standard protocol used by crypto-miners to connect to mining pools.
Exploring the sample we notice that it actually is “MinerD”, an open-source cryptomining software publicly available on GitHub.
This malware threat reminds us of the hidden risks of downloading material through p2p networks, along with the tricks adopted by the crooks to keep the campaign running in the wild. Indeed, this sample is able to survive across multiple p2p network by propagating to p2p shared folders configured into the victim machine, ensuring a good level of resilience from the attacker point of view. Also, the attackers implemented polymorphic trick directly in batch language, replacing of part of the PE file header to create unique samples on each infection .
A naive or a distracted user can be lured to download infected media contents with the promise to ear his favorite musician, but this action can be compromise the machine of the victim and feed the cyber-criminals behind this campaign. This time, the consequences of such lack of awareness are quite contained, the final payload is actually a crypto-miner and the user may only experience delays or crashes, but what if the payload contains a bot a RAT, or even a ransomware? The consequences could be more serious.
Technical details, including IoCs and Yara Rules, are available in the analysis published
https://blog.yoroi.company/research/p2p-worm-spreads-crypto-miners-in-the-wild/
| [adrotate banner=”9″] | [adrotate banner=”12″] |
(
[adrotate banner=”5″]
[adrotate banner=”13″]
APT / November 18, 2024
