New Bitcoin miner Trojan spotted in the wild

May 18, 2012

The SonicWALL UTM research team received reports of a new Bitcoin miner Trojan in the wild. Bitcoin is a decentralized peer-to-peer crypto-currency. This kind of malware has been covered in a previous sonicalert, but it has recently become more and more prevalent as attackers recognise it as an easy and effective way to generate and transfer currency without being caught.

The Trojan [Detected as GAV: CoinMiner.I_3 (Trojan)] uses the following icon:

The Trojan makes the following DNS request:

The Trojan adds the following keys to the windows registry to enable startup after reboot:

  • HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run adobeupdate ""%AppData%8 8l3.lnk""
  • HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run adobeupdater ""%AppData%8 8rundll32.exe""

The Trojan adds the following files to the filesystem:

  • %AppData%8 8API.class
  • %AppData%8
  • %AppData%8 8bat.bat
  • %AppData%8 8bt.lnk [points to bat.bat]
  • %AppData%8
  • %AppData%8
  • %AppData%8 8l3.lnk [points to svchost.exe]
  • %AppData%8 8libcurl-4.dll
  • %AppData%8 8libpdcurses.dll
  • %AppData%8 8libusb-1.0.dll
  • %AppData%8 8miner.php
  • %AppData%8 8OpenCL.dll [for GPU features]
  • %AppData%8
  • %AppData%8
  • %AppData%8 8pthreadGC2.dll
  • %AppData%8 8rundll32.exe [An application called StealthRunner]
  • %AppData%8 8settings.txt [Used by rundll32.exe (StealthRunner)]
  • %AppData%8 8svchost.exe [Detected as GAV: Ainslot.AA_12 (Trojan)]
  • %AppData%8 8svchost2.exe [Detected as GAV: Ainslot.AA_12 (Trojan)]

rundll32.exe is an application called StealthRunner, written by a forum user. It uses the following icon:

svchost.exe and svchost2.exe use the following icons:

bat.bat contains the following text:

      @echo off
      %windir%\system32\taskkill.exe /im svchost.exe
      %windir%\system32\taskkill.exe /im rundll32.exe
      %windir%\system32\taskkill.exe /im svchost2.exe
      %windir%\system32\reg.exe add HKCU\software\microsoft\windows\currentversion\run /v adobeupdate /d ""%appdata%3 4l3.lnk"" /f
      %windir%\system32\reg.exe add HKCU\software\microsoft\windows\currentversion\run /v adobeupdater /d ""%appdata%3 4rundll32.exe"" /f
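The batch file above re-establishes the two Run-key entries listed earlier after killing the miner's own processes. As an added example that is not part of the original alert, the following Python script parses a dropper batch file for `reg add` commands, pulls out the processes it kills, and triages each Run-key value the way an analyst would: a Run value that launches a `.lnk` shortcut, or a binary carrying a system name such as `rundll32.exe` or `svchost.exe` from anywhere other than `%windir%\system32`, is flagged. The sample batch text is constructed to mirror the alert's bat.bat; the drop directory name `dropdir` is a hypothetical stand-in because the real name is not recoverable from the alert.

```python
"""Parse a batch dropper for Run-key persistence and triage the entries."""
import ntpath
import re

# Constructed sample modelled on the bat.bat quoted in the alert. "dropdir"
# is a hypothetical directory name; the real one is not in the alert.
SAMPLE_BAT = r"""
@echo off
%windir%\system32\taskkill.exe /im svchost.exe
%windir%\system32\taskkill.exe /im rundll32.exe
%windir%\system32\taskkill.exe /im svchost2.exe
%windir%\system32\reg.exe add HKCU\software\microsoft\windows\currentversion\run /v adobeupdate /d "%appdata%\dropdir\l3.lnk" /f
%windir%\system32\reg.exe add HKCU\software\microsoft\windows\currentversion\run /v adobeupdater /d "%appdata%\dropdir\rundll32.exe" /f
"""

HIVE_ALIASES = {"HKCU": "HKEY_CURRENT_USER", "HKLM": "HKEY_LOCAL_MACHINE", "HKU": "HKEY_USERS"}
RUN_KEY_SUFFIX = r"\software\microsoft\windows\currentversion\run"
# Names that legitimately live under %windir%\system32; the same name under a
# user-writable directory is a masquerade.
SYSTEM_BINARY_NAMES = {"svchost.exe", "rundll32.exe", "explorer.exe", "lsass.exe", "csrss.exe"}
SYSTEM32_DIR = re.compile(r"(?:%windir%|%systemroot%|[a-z]:\\windows)\\system32\\")

REG_ADD = re.compile(
    r'reg(?:\.exe)?\s+add\s+(?P<key>\S+)\s+/v\s+(?P<name>\S+)\s+/d\s+(?P<data>"[^"]*"|\S+)',
    re.IGNORECASE,
)
TASKKILL = re.compile(r"taskkill(?:\.exe)?\s+/im\s+(?P<image>\S+)", re.IGNORECASE)


def normalize_key(key):
    """Expand the hive alias and lower-case the subkey so keys compare reliably."""
    hive, sep, rest = key.partition("\\")
    return HIVE_ALIASES.get(hive.upper(), hive.upper()) + sep + rest.lower()


def parse_reg_adds(batch_text):
    """Return (key, value_name, data) for each `reg add` line in the batch text."""
    entries = []
    for line in batch_text.splitlines():
        m = REG_ADD.search(line)
        if m:
            entries.append((normalize_key(m["key"]), m["name"], m["data"].strip('"')))
    return entries


def killed_processes(batch_text):
    """Return the image names the batch terminates with `taskkill /im`."""
    return [m["image"] for m in TASKKILL.finditer(batch_text)]


def program_path(data):
    """Pull the launched program out of a Run value (quoted path or first token)."""
    data = data.strip()
    if data.startswith('"'):
        end = data.find('"', 1)
        return data[1:end] if end > 0 else data[1:]
    return data.split()[0] if data else ""


def triage_run_entry(data):
    """List why a Run-key value looks like malware persistence (empty list = no finding)."""
    reasons = []
    path = program_path(data).lower()
    base = ntpath.basename(path)
    if ntpath.splitext(base)[1] == ".lnk":
        reasons.append("Run value launches a shortcut (.lnk) instead of an executable")
    if base in SYSTEM_BINARY_NAMES and not SYSTEM32_DIR.search(path):
        reasons.append(f"{base} masquerades as a system binary outside system32")
    return reasons


def find_persistence(batch_text):
    """Map each Run-key value the batch sets to its triage findings."""
    return {
        name: triage_run_entry(data)
        for key, name, data in parse_reg_adds(batch_text)
        if key.endswith(RUN_KEY_SUFFIX)
    }


if __name__ == "__main__":
    print("kills:", killed_processes(SAMPLE_BAT))
    for name, reasons in find_persistence(SAMPLE_BAT).items():
        print(name, "->", reasons or "no finding")
```

The same `triage_run_entry` check can be run over a live `reg query HKCU\...\Run` listing; a legitimate entry such as OneDrive starting from `%LOCALAPPDATA%` produces no finding because the rules key on shortcut targets and system-name masquerades, not on the user profile path alone.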

settings.txt contains the bitcoin mining account data of the attacker:

      svchost2.exe -o -u klazim2000_3 -p 7747 [commandline for miner]
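The miner is driven entirely by its command line: `-o` names the pool, `-u` the worker account and `-p` its password. As an added example that is not part of the original alert, the script below triages process-creation command lines for that pattern, requiring both a pool and a user argument so that ordinary programs taking `-u`/`-p` are not flagged, and separately flags an `svchost`-named image running from a user profile. The command lines are constructed for the example; the pool host `pool.invalid` is a placeholder, since the alert does not reproduce the real `-o` value.

```python
"""Flag pool-miner style command lines in constructed process-creation events."""
import re

# Constructed sample command lines. The first mirrors the alert's settings.txt
# with a placeholder pool host; the others are benign look-alikes.
SAMPLE_CMDLINES = [
    r'"C:\Users\victim\AppData\Roaming\dropdir\svchost2.exe" -o http://pool.invalid:8332 -u klazim2000_3 -p 7747',
    r"C:\Windows\System32\svchost.exe -k netsvcs -p",
    r'"C:\Program Files\Vendor\tool.exe" -u admin -p 8080',
]

TOKEN = re.compile(r'"[^"]*"|\S+')
MINER_FLAGS = {"-o": "pool", "-u": "user", "-p": "password"}
SVCHOST_IN_PROFILE = re.compile(r"\\appdata\\.*\\svchost\d*\.exe$")


def tokenize(cmdline):
    """Split a Windows command line, keeping quoted paths whole."""
    return [t.strip('"') for t in TOKEN.findall(cmdline)]


def parse_miner_args(cmdline):
    """Return the image plus whichever of pool/user/password flags are present."""
    tokens = tokenize(cmdline)
    args = {"image": tokens[0] if tokens else ""}
    i = 1
    while i < len(tokens):
        key = MINER_FLAGS.get(tokens[i].lower())
        # A flag only counts when it is followed by a value, not another flag.
        if key and i + 1 < len(tokens) and not tokens[i + 1].startswith("-"):
            args[key] = tokens[i + 1]
            i += 2
        else:
            i += 1
    return args


def triage_cmdline(cmdline):
    """Return reasons a command line looks like a pool-mining worker (empty = none)."""
    args = parse_miner_args(cmdline)
    reasons = []
    if "pool" in args and "user" in args:
        reasons.append(f"pool-miner arguments: -o {args['pool']} -u {args['user']}")
    if SVCHOST_IN_PROFILE.search(args["image"].lower()):
        reasons.append("svchost-named binary launched from a user profile directory")
    return reasons


if __name__ == "__main__":
    for cmd in SAMPLE_CMDLINES:
        print(cmd)
        print("  ->", triage_cmdline(cmd) or "no finding")
```

Note that the real `svchost.exe -k netsvcs -p` line passes clean: `-p` alone carries no value and the image sits in System32, which is why the rule insists on the pool-plus-user pair rather than any single flag.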

The Trojan was observed communicating with the mining server:

SonicWALL Gateway AntiVirus provides protection against this threat via the following signatures:

  • GAV: CoinMiner.I_3 (Trojan)
  • GAV: Ainslot.AA_12 (Trojan)