FortiGuard Labs Threat Research
Although bitcoin miners have been used by cybercriminals before as a way to monetize their malicious activities, this recent sample (MD5: 522f8ba8b2dec299cc64c0ccf5a68000) caught our attention because it is unusually heavy, persistent, and obfuscated. Fortinet detects this threat as W32/Miner. (3)
This malicious bitcoin miner is, in fact, a container of multiple files. Since NSIS (Nullsoft Scriptable Install System) was used to create the malware sample, the files that it contains can be seen using a file archiver such as 7-Zip. The internal structure of the analyzed Bitcoin miner sample, called IMG001.exe, is as follows:
After its execution, the sample drops these files in %AppData% and copies itself in %AppData%\Roaming\NsMiner and C:\.
Figure 1. Files and Folders Dropped or Created by the Malware
Additionally, the sample obtains information about the version of Windows and the operating system platform using the GetVersion API call.
It also changes the computer’s power schemes to the following (5):
Figure 2. Registry Changes to Modify the Power Schemes
Below is a description of the files contained in IMG001.exe:
The file info.zip contains the executable IMG001.scr (MD5: fbbcf1e9501234d6661a0c9ae6dc01c9 (4)), which is also an NSIS container with a similar structure as the original file, except for the info.zip file. This is the file that the sample copies to FTP servers using common passwords.
Figure 3. Content of the File info.zip
The plain text strings found in nsh9F3D.tmp\inetc.dll show this file is actually the x86-ansi version of the Inetc plug-in to download and upload files. (1) According to its website, this plugin supports HTTP, HTTPS and FTP protocols and makes use of the MS WinInet API.
Figure 4. Strings in inetc.dll
The files rooEEDC.tmp and capEEEC.tmp seem to be log files that update periodically; the first one contains information about HTTP requests and responses, and the second one contains data related to network adapters. The last four characters are random, and the sample creates more than one rooXXXX.tmp file.
Figure 5. Part of the Temporary Files Created by the Malware to Record Network Related Data
The file tftp.exe contains a list of common passwords in various languages, as noted by the inclusion of “azerty” and “qwerty”, which are the first adjacent keys in the French and English keyboards respectively, and strings like “DIOSESFIEL” which means “God is faithful” in Spanish. This set of passwords is used to attempt to log in to FTP servers to upload the file info.zip.
Inside the NsMiner folder created in %AppData%, the following files and folders were found:
An interesting string in NsCpuCNMiner32.exe is “Richz3”, which could be a username. The file called NsCpuCNMiner64.exe has a string that provides information about the bitcoin miner used: “E:\CryptoNight\bitmonero-master\src\miner\x64\CPU-Release\Crypto.pdb”.
CryptoNight (2) is an algorithm designed to mine bitcoins on ordinary PCs, and Bitmonero is a cryptocurrency that uses the CryptoNote protocol to provide privacy and anonymity to the transactions made with digital currencies.
Figure 6. The Malware Uses the CryptoNight Algorithm to Mine Bitcoins
Figure 7. Content of the File pools.txt
As mentioned, this bitcoin miner implements various methods to continue executing on the infected system:
Figure 8. Task Created to Execute the Malware on Startup
Figure 9. Shortcut of the Malware in the Folder “Start Menu”
First, the sample repeatedly downloads the files test.html, stat.html, and text.html from the following domains: hrtests.ru, stafftest.ru, profetest.ru, testpsy.ru, pstests.ru, qptest.ru, prtests.ru, jobtests.ru and iqtesti.ru. The user-agent in these requests is “NSIS_Inetc (Mozilla)”. The content of these files is obfuscated, as shown below:
Figure 10. Obfuscated File test.html
To obfuscate the file, the malware writer simply arranged the characters in the order shown in the picture below and then substituted the characters from the middle to the outer parts of the strings, each with its equivalent in the same position but on the opposite side.
Figure 11. Obfuscation Algorithm
Figure 12. The Obfuscated stat.html vs. the De-obfuscated stat.html
After the HTML files are decoded, the contents are shown to be NSIS installer scripts. The files are detailed below:
Figure 13. Part of the File text.html with strings in Russian
To continue propagating, the malicious bitcoin miner makes FTP requests to multiple IP addresses using the password dictionary embedded in tftp.exe.
Figure 14: FTP Requests Without Internet Access
Once the malware has access, it attempts to upload the file info.zip using the STOR command. The sample is also able to obtain information about a file or a directory using the LIST command.
Figure 15. Access Granted to FTP Server After Using a Common Password
Finally, the file NsCpuCNMiner32.exe is executed locally. The command line used by the malware to execute this program is shown on Figure 15, below, although in that case the command was executed manually for research purposes. The explanation of the command line options is as follows (16):
Figure 16. Claymore CryptoNote CPU Miner Used by the Malware
This sample uses port 3333 for all the bitcoin related requests.
Figure 17. Network Traffic of the Bitcoin Miner