Trojan uses EternalBlue to install cryptominer
Interest in cryptocurrencies has not wavered despite a period of sinking market values. Cybercriminals are still ramping up efforts to obtain blockchain assets in the hope that their values will spike back up again in the future. While ransomware is still around, we have observed that cryptocurrency mining is increasingly favored by cybercriminals as the method of choice for obtaining these cryptocurrencies. The premise is fairly simple: a machine gets infected by malware that stealthily uses its processing power to mine cryptocurrencies.
This week, the SonicWall Capture Labs Threat Research team has come across another Trojan that uses the leaked NSA exploit, EternalBlue, to install a cryptominer. This cryptominer even kills other known cryptomining processes that might be running on the victim’s machine to ensure exclusivity of the mining resource.
The main installer uses the following icon, pretending to be a Chinese security product from 360.cn.
Upon execution, it creates a directory named "IIS" within the %Windir% folder and drops several files, including a suite of hack tools based on the leaked NSA exploits:
CPUInfo.exe uses the following icon. This file is used to determine whether the machine is vulnerable and then to run the appropriate hack tool, which installs either x86.dll or x64.dll depending on the processor architecture of the target system.
To ensure persistence, Demo.bat is executed to register CPUInfo.exe with the Task Scheduler as a scheduled task named "GooglePinginConfigs".
Demc.bat is then executed. It terminates known (possibly rival) cryptominers and performs a slew of other malicious procedures to take over the machine, including the following:
- Denying access to ftp.exe using access controls and taking ownership of it
- Deleting the hosts file
- Clearing the DNS cache
- Stopping and deleting services
- Deleting all EXE files in the %ProgramFiles% directory
Free.bat is then executed as a final cleanup of the install process.
The loaded x64.dll and x86.dll are then responsible for downloading two more component files, Install.exe and mado.exe. Install.exe simply reinstalls CPUInfo.exe, so the whole CPUInfo.exe execution cycle restarts and persistence is maintained.
Mado.exe connects to bmw.hobuff.info and downloads another file, which is the main cryptominer. This cryptominer disguises itself as another 360.cn component and uses the same icon as the main installer above. Upon careful examination we find that it mines Monero cryptocurrency and is based on the open-source XMRig CPU miner.
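As an added defender's example (not part of the SonicWall write-up), the following Python checks Sysmon-style event records for the host indicators described above: files dropped into %Windir%\IIS, processes launched from that directory, the "GooglePinginConfigs" scheduled task, and DNS lookups of the download host. The sample events and the schtasks command line are constructed for illustration; the field names follow Sysmon's ProcessCreate, FileCreate and DNSEvent events.

```python
import re

# Indicators taken from the write-up above: drop directory, dropped file names,
# persistence task name and download host. Everything else here is constructed.
DROP_DIR_RE = re.compile(r"^[a-z]:\\windows\\iis\\", re.IGNORECASE)
DROPPED_FILES = {"cpuinfo.exe", "demo.bat", "demc.bat", "free.bat",
                 "x86.dll", "x64.dll", "install.exe", "mado.exe"}
TASK_NAME = "googlepinginconfigs"
DOWNLOAD_HOST = "bmw.hobuff.info"
# Pulls the task name out of a schtasks command line (/tn "name" or /tn name).
TASK_RE = re.compile(r'schtasks(?:\.exe)?"?\s.*?/tn\s+"?([^\s"]+)', re.IGNORECASE)

def classify(ev):
    """Return the indicator names matched by one Sysmon-style event dict."""
    hits = []
    eid = ev.get("EventID")
    if eid == 11:  # Sysmon FileCreate
        path = ev.get("TargetFilename", "")
        name = path.rsplit("\\", 1)[-1].lower()
        if DROP_DIR_RE.match(path) and name in DROPPED_FILES:
            hits.append("dropped_file_in_windir_iis")
    elif eid == 1:  # Sysmon ProcessCreate
        m = TASK_RE.search(ev.get("CommandLine", ""))
        if m and m.group(1).lower() == TASK_NAME:
            hits.append("persistence_task_googlepinginconfigs")
        if DROP_DIR_RE.match(ev.get("Image", "")):
            hits.append("process_from_windir_iis")
    elif eid == 22:  # Sysmon DNSEvent
        if ev.get("QueryName", "").lower() == DOWNLOAD_HOST:
            hits.append("dns_query_download_host")
    return hits

def scan(events):
    """Map the index of each matching event to its indicator names."""
    result = {}
    for i, ev in enumerate(events):
        hits = classify(ev)
        if hits:
            result[i] = hits
    return result

# Constructed sample events (not real telemetry); shape mimics Sysmon fields.
SAMPLE_EVENTS = [
    {"EventID": 11, "TargetFilename": "C:\\Windows\\IIS\\CPUInfo.exe"},
    {"EventID": 1, "Image": "C:\\Windows\\System32\\schtasks.exe",
     "CommandLine": 'schtasks /create /tn "GooglePinginConfigs" '
                    '/tr C:\\Windows\\IIS\\CPUInfo.exe'},
    {"EventID": 22, "Image": "C:\\Windows\\IIS\\mado.exe", "QueryName": "bmw.hobuff.info"},
    {"EventID": 11, "TargetFilename": "C:\\Users\\u\\notes.txt"},
    {"EventID": 1, "Image": "C:\\Windows\\IIS\\CPUInfo.exe", "CommandLine": "CPUInfo.exe"},
]
```

Running `scan(SAMPLE_EVENTS)` flags events 0, 1, 2 and 4 and leaves the benign file write at index 3 alone.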
SonicWall Capture Labs provides protection against this threat via the following signatures:
- GAV: Downloader.AL_5 (Trojan)
- GAV: Reconyc.DDA_5 (Trojan)
- GAV: Madominer.D (Trojan)
- GAV: Madominer.D_2 (Trojan)
- GAV: Equation.A (Trojan)
- GAV: XMRig.XMR_3 (Trojan)