{"id":86752,"date":"2018-09-03T15:57:58","date_gmt":"2018-09-03T10:27:58","guid":{"rendered":"https:\/\/blogs_admin.quickheal.com\/?p=86752"},"modified":"2018-09-03T16:44:41","modified_gmt":"2018-09-03T11:14:41","slug":"invisible-monero-xmr-miner","status":"publish","type":"post","link":"https:\/\/www.quickheal.com\/blogs\/invisible-monero-xmr-miner\/","title":{"rendered":"I am invisible – Monero (XMR) Miner"},"content":{"rendered":"

From the last one year, Quick Heal Security Labs has been observing a boost in the number of mining malware. Nowadays malware authors are using mining as a replacement for Ransomware to make money.<\/p>\n

Recently Quick Heal Security Labs came across a malware which mines Monero(XMR). This miner has many different components in it. The infection vector of this mining malware is still unconfirmed, but based on attribution this miner arrives on the system via spear phishing, malvertising etc.<\/p>\n

\u00a0<\/b><\/strong>Technical <\/b><\/strong>Analysis<\/b><\/strong>:<\/p>\n

Analyzed Miner is a self-extracting executable (SFX<\/u><\/a>). It extracts components at \u201cC:\\Program Files\\Windriverhost<\/i><\/b><\/em><\/strong>\u201d as listed below:<\/p>\n

    \n
  1. vbs (VBScript)<\/li>\n
  2. exe (Extraction utility)<\/li>\n
  3. rar (Password Protected Archive)<\/li>\n
  4. bat (Batch File)<\/li>\n<\/ol>\n
    \"\"
    Fig 1 : Extracted components of the malware<\/figcaption><\/figure>\n

    After extraction of components, it starts VBScript(jsnel.vbs) as shown in Fig 2.<\/p>\n

    \"\"
    Fig 2 : Starting jsnel.vbs<\/figcaption><\/figure>\n

    jsnel.vbs<\/b><\/strong>\u00a0contains a simple piece of code to launch chax.bat<\/b><\/strong>.<\/b><\/strong><\/p>\n

    \"\"
    Fig 3 : Content of jsnel.vbs<\/figcaption><\/figure>\n

    rar.exe<\/b><\/strong>\u00a0is command line utility to unpack archives. Here it is used to unpack password protected db.rar<\/b><\/strong>.<\/p>\n

    chax.bat<\/b><\/strong>\u00a0file\u00a0contains commands to delete old version components of Password Protected Archive\u00a0and malware as shown in Fig 4.<\/p>\n

    \"\"
    Fig 4 : Content of chax.bat<\/figcaption><\/figure>\n

    Important\u00a0task of chax.bat is to extract below mentioned components of db.rar<\/b><\/strong>\u00a0at the current location and launch ouyk.vbs.<\/p>\n

      \n
    1. vbs(VBScript)<\/li>\n
    2. bat(Batch file)<\/li>\n
    3. json(Configuration file)<\/li>\n
    4. driverhost.exe\u00a0(Mining tool)<\/li>\n<\/ol>\n
      \"\"
      Fig 5 : Extracted components of db.rar<\/figcaption><\/figure>\n

      Similar to previous VBScript(jsnel.vbs),\u00a0this script(ouyk.vbs)\u00a0too just launches batch file(xvvq.bat).<\/p>\n

      \"\"
      Fig 6 : Content of ouyk.vbs<\/figcaption><\/figure>\n

      xvvq.bat <\/b><\/strong>has two main purposes:<\/p>\n

        \n
      1. To keep the system always ON using P<\/b><\/u><\/strong>ower<\/b><\/u><\/strong>CFG<\/b><\/u><\/strong><\/a> command, so that mining is not interrupted.<\/li>\n<\/ol>\n

        \u00a0 \u00a0 \u00a0 \u00a0 \u00a0 \u201c<\/i><\/em>powercfg -change -standby-timeout-ac 0<\/i><\/b><\/em><\/strong>\u201d<\/i><\/em>\u00a0<\/i><\/em><\/p>\n

          \n
        1. To hide driverhost.exe from analysis tools:<\/li>\n<\/ol>\n

          \u00a0 \u00a0 \u00a0 \u00a0 \u00a0 <\/i><\/em>It enumerates processes using tasklist <\/b><\/strong>command\u00a0to check if any of below-listed\u00a0process is\u00a0running, and if it finds any of these processes\u00a0are running, it kills driverhost.exe.<\/p>\n

          \u00a0 \u00a0 \u00a0\u201c<\/i><\/em>taskmgr.exe<\/i><\/em>\u201d<\/i><\/em><\/p>\n

          \u00a0 \u00a0 \u00a0\u201c<\/i><\/em>perfmon.exe<\/i><\/em>\u201d<\/i><\/em><\/p>\n

          \u00a0 \u00a0 \u201c<\/i><\/em>ProcessHacker.exe<\/i><\/em>\u201d<\/i><\/em><\/p>\n

          \u00a0 \u00a0 \u201c<\/i><\/em>procexp.exe<\/i><\/em>\u201d<\/i><\/em><\/p>\n

          \u00a0 \u00a0 \u201c<\/i><\/em>procexp64.exe<\/i><\/em>\u201d<\/i><\/em><\/p>\n

          \u00a0 \u00a0 \u201c<\/i><\/em>dumpcap.exe<\/i><\/em>\u201d<\/i><\/em><\/p>\n

          \u00a0 \u00a0 \u201c<\/i><\/em>Wireshark.exe<\/i><\/em>\u201d<\/i><\/em><\/p>\n

          \u00a0 \u00a0 \u201c<\/i><\/em>anvir.exe<\/i><\/em>\u201d<\/i><\/em><\/p>\n

          But there is a bug in xvvq.bat,\u00a0it checks\u00a0only for taskmgr.exe and kills\u00a0dirverhost.exe as shown in Fig 7. And if any other process like procexp.exe is running it does not kill driverhost.exe.<\/p>\n

          \"\"
          Fig 7 : Content of xvvq.bat<\/figcaption><\/figure>\n

          And if none of the above mentioned processes are\u00a0running, then\u00a0it starts driverhost.exe<\/b><\/strong>\u00a0which is\u00a0a\u00a0core mining tool.\u00a0It keeps on checking for all these processes continuously using an infinite loop in xvvq.bat and act accordingly.<\/p>\n

          config.json<\/b><\/strong>\u00a0is\u00a0a configuration\u00a0file,\u00a0which stores data such as username, password, max CPU usage, etc. as shown in Fig 8.<\/p>\n

          \"\"
          Fig 8 : Content of config.json<\/figcaption><\/figure>\n

          On execution, driverhost.exe<\/b><\/strong>\u00a0reads miner configurations from config.json and connects to \u201cxmr[.]pool[.]minergate[.]com<\/i><\/b><\/em><\/strong>\u201d, <\/i><\/em>and sends username and password from config.json to server and starts mining with port 45560<\/i><\/b><\/em><\/strong>\u00a0<\/b><\/strong>(port used for mining). as shown in Fig 9 and Fig 10.<\/p>\n

          \"\"
          Fig 9 : Network Analysis<\/figcaption><\/figure>\n
          \"\"
          Fig 10 : Sends username and password to the server<\/figcaption><\/figure>\n

          It limits CPU usage to 35% for mining as shown in Fig 11.<\/p>\n

          \"\"
          Fig 11 : CPU Usage by driverhost.exe<\/figcaption><\/figure>\n

          For persistence, malware adds a shortcut\u00a0in\u00a0the startup\u00a0folder for ouyk<\/b><\/strong>.vbs<\/b><\/strong>\u00a0with name driverhost.lnk.<\/p>\n

          \"\"
          Fig 12 : Creating a shortcut for ouyk.vbs<\/figcaption><\/figure>\n
          \"\"
          Fig 13 : Shortcut to ouyk.vbs in the startup folder<\/figcaption><\/figure>\n

          Execution Flow of miner:<\/strong><\/p>\n

          \"\"<\/p>\n

          I<\/b><\/strong>OC<\/b><\/strong>:<\/p>\n

          SHA256: b4ea81958403f717c1a20f18731ef05b648465c7e20cbc6f45bd2f5166c7c940<\/p>\n

          URL: hxxp:\/\/xmr[.]pool[.]minergate[.]com:45560<\/p>\n

          Quick Heal<\/u><\/a>\u00a0detects this Miner\u00a0as \u201cTrojan.Occamy<\/b><\/strong>\u201d.<\/p>\n

          Conclusion<\/b><\/strong>:<\/p>\n

          As the price and appreciation of digital currencies has grown exponentially, mining malware too have increased over the last year. In fact, miners are so common that thousands of computers are already infected. The number of mining malware has increased and they have also become complex as discussed in the above blog post.<\/p>\n

          Subject Matter Expert<\/strong><\/p>\n

          Ravi Gidwani,\u00a0 Pratik Pachpor | Quick Heal Security Labs<\/p>\n","protected":false},"excerpt":{"rendered":"

          From the last one year, Quick Heal Security Labs has been observing a boost in the number of mining malware. Nowadays malware authors are using mining as a replacement for Ransomware to make money. Recently Quick Heal Security Labs came across a malware which mines Monero(XMR). This miner has many different components in it. The […]<\/p>\n","protected":false},"author":51,"featured_media":86781,"comment_status":"open","ping_status":"open","sticky":false,"template":"","format":"standard","meta":{"footnotes":""},"categories":[1613,289,24,5],"tags":[1620,1619,1607,1533,1618],"class_list":["post-86752","post","type-post","status-publish","format-standard","has-post-thumbnail","hentry","category-cryptojacking","category-cyber-safety","category-malware","category-security","tag-archive","tag-dropper","tag-mining","tag-monero","tag-multi-component"],"aioseo_notices":[],"_links":{"self":[{"href":"https:\/\/www.quickheal.com\/blogs\/wp-json\/wp\/v2\/posts\/86752"}],"collection":[{"href":"https:\/\/www.quickheal.com\/blogs\/wp-json\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/www.quickheal.com\/blogs\/wp-json\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"https:\/\/www.quickheal.com\/blogs\/wp-json\/wp\/v2\/users\/51"}],"replies":[{"embeddable":true,"href":"https:\/\/www.quickheal.com\/blogs\/wp-json\/wp\/v2\/comments?post=86752"}],"version-history":[{"count":6,"href":"https:\/\/www.quickheal.com\/blogs\/wp-json\/wp\/v2\/posts\/86752\/revisions"}],"predecessor-version":[{"id":86799,"href":"https:\/\/www.quickheal.com\/blogs\/wp-json\/wp\/v2\/posts\/86752\/revisions\/86799"}],"wp:featuredmedia":[{"embeddable":true,"href":"https:\/\/www.quickheal.com\/blogs\/wp-json\/wp\/v2\/media\/86781"}],"wp:attachment":[{"href":"https:\/\/www.quickheal.com\/blogs\/wp-json\/wp\/v2\/media?parent=86752"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/www.quickheal.com\/blogs\/wp-json\/wp\/v2\/categories?post=86752"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/www.quickheal.com\/blogs\/wp-json\/wp\/v2\/tags?post=86752"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}