February 26, 2018 / by / 4 Comments

1 Star2 Stars3 Stars4 Stars5 Stars (4 votes, average: 5.00 out of 5)
Loading...

COIN-MINER INVESTIGATION: WHEN, WHY, WHAT FOR

Article guide


1. Mining malware gains its popularity

Due to rising cost of cryptocurrency recently, Bitcoin particularly (BTC) to 20000 USD, our Analysts Team noticed an increased amount of malicious programs, especially those who focused on the secret mining of cryptocurrency. GridinSoft programs detect them as Trojan.CoinMiner/Risk.CoinMiner.

For few recent months CoinMiner is one of the top 20 the most popular threats among with Adware, that were super popular once.

Most popular malware families for the last 30 days

Most popular malware families for the last 30 days

Analyzing the dynamics of detection such type of threats, we predict that coinminers will at least keep its positions in the near future, and even get more distribution.

CoinMiner malware family distribution

CoinMiner malware family distribution

2. CoinMiner wanna be WannaCry

Cyber-criminals create lots of complicated ways to infect users’ systems. The most popular method of infection is called Bundled Software.

While unsuspecting user installs legitimate software one or several (usually malicious) programs are silently installed alongside. The same method is now actively used by the authors of CoinMiner.

Very often installed mining programs are copies of utilities for mining xmrig, gplyra, or slightly modified versions of them. This method of distribution is very simple, but you can only infect one computer per installation. The authors of Trojan.CoinMiner began to look for other ways of infection.

The unprecedented success of the WannaCry (WannaCrypt) ransomware family showed the authors of malicious software an easy way to infect computers over the network. Moreover, they discovered that most of computer users don’t work on the latest version of Windows OS, which makes them easy money in the hands of skillful cybercriminals.

Of course, the authors of CoinMiner took advantage of this opportunity. After all, it is enough to infect somehow one computer in the network to distribute the miner to all the others. And this is a noticeable increase in the mining bot-net.

And that is exactly what happened. Some time ago, all the major anti-virus vendors reported about using the exploit EnernalBlue in conjunction with the miners. We also noticed the presence of exploits from the hacker group ShadowBrokers in conjunction with CoinMiner on users’ systems. GridinSoft detects such utilities as Virtool.ShadowBrokers.

System infected with Trojan.CoinMiner (SecUpdateHost.exe) along with EternalBlue exploit (spoolsv.exe)

System infected with Trojan.CoinMiner (SecUpdateHost.exe) along with EternalBlue exploit (spoolsv.exe)


SecUpdateHost.exe detections on virustotal.com

SecUpdateHost.exe detections on virustotal.com


Link for the full report
spoolsv.exe detections on virustotal.com

spoolsv.exe detections on virustotal.com


Link for the full report

Let’s remind , the exploit EnernalBlue allows you to remotely execute code in kernel mode on a networked computer using vulnerabilities in the SMB v1 protocol. Together with the latest Windows updates, Microsoft forcibly turns off this protocol.

Microsoft disables SMBv1

Microsoft disables SMBv1

3. Mining software bundled with your browser. Really?

Our analysts analyze the state of users’ systems daily to identify new threats. This time, during the research, a suspicious file was found in the browser WebFreer. We made further analysis that you can find below.

Suspicious file found along with WebFreer browser

Suspicious file found along with WebFreer browser

The browser has its official website (hXXps: //www.webfreer.com), where WebFreer is advertised as a safe, convenient and fast browser.

Official WebFreer web site

Official WebFreer web site

Let’s look on the site in details. Specifically – at the home page code.

Oops! We got Monero miner

Oops! We got Monero miner

Indeed, the code of the page is worth a look. On the main page of the WebFreer web site, malicious script is built-in that executes the cryptocurrency mining when your browser is just open. The latest versions of popular browsers block content that is sent from unsafe HTTP protocol, so in our case the script was blocked by the Chrome browser. If you are using an older version of the browser, you may be at risk.

By clicking on the download button, the WebFreer installer starts downloading. The file named WebFreer_Setup_1.3.2.0 is an NSIS installer with 53.7 MB size. What is interesting, the file is not signed by any digital signature, which makes it impossible to verify its authenticity. So, anyone who has access to WebFreer servers can modify the browser without users notice.

Setup file is not digitally signed

Setup file is not digitally signed


Downloaded version 1.3.2.0 is the latest one at the moment. The installation process is standard.

  • creates directory % ProgramFiles% \ WebFreer. This is the main browser directory;
  • creates directory %LocalAppData%\Web Freer. It stores user data;
  • creates file %SystemDir%\WebClientService.exe. This file is malicious;
  • creates file %SystemDir%\webproxy.exe. This file is malicious;
  • to autostart the browser while system startup it creates a registry key HKCU\Software\Microsoft\Windows\CurrentVersion\Run\Web Freer, that refers to file %ProgramFiles%\WebFreer\webfreer.exe;
  • for work of malicious process creates service WebClientService, that refers to file %System%\WebClientService.exe;
  • to provide network access, it creates Windows Firewall rules that allow incoming TCP and UDP connections for %ProgramFiles%\WebFreer\webfreer.exe;
  • creates registry keys HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\WebFreer and HKCU\Software\WebFreer, that aren’t malicious.
Firewall rules added by WebFreer installer

Firewall rules added by WebFreer installer

3.1 Digging deeper

Let’s analyze in details these files.

WebClientService.exe

As was mentioned before, the launch of this executable file occurs via the WebClientService service created during the installation of the browser. It is obvious that authors of malware tried to hide using similar name with a legitimate WebClient service. A usual user won’t notice a dirty trick, even if he decides to see the list of processes manually.

Static analysis leads us to conclude that the file was written by C ++. Obviously, the application does not have a graphical interface.

WebClientService.exe written in C++

WebClientService.exe written in C++

It is worth paying attention to the import of functions. In addition to the standard ones, the use of the curl library is obvious. Obviously, in the future we will see the interaction of service with the Internet.

Service uses curllib

Service uses curllib

In the further analysis, some variables and functions have been renamed for easier perception. They, as well as comments, are listed in the screenshots below.

Further analysis shows that file has standard main function, in which the internal function is associated with the WebClientService service by WinAPI’s StartServiceCtrlDispatcher function.

Service’s start function is standard

Service’s start function is standard

Let’s take a closer look at the function that is executed in conjunction with the service. We immediately see the registration of the control handler function (via RegisterServiceCtrlHandler), as it should be.

Service’s main function

Service’s main function

Let’s not rush things and analyze the function of processing control code. The control codes processing function itself is of no interest and can only accept SERVICE_CONTROL_STOP code. Accordingly, service can’t be suspended.

An interesting point is that in the case of receiving the SERVICE_CONTROL_STOP code, the processing function returns in response to SERVICE_STOP_PENDING, and the service execution does not stop immediately (but the service will be forcibly terminated by SCM after the expiration of the time limit). Malware authors don’t specify the parameter dwWaitHint, which should be passed in case of the return of code SERVICE_STOP_PENDING. Though it doesn’t affect the main functionality of the malicious service.

Service’s control handler function

Service’s control handler function

After registering the handler of the control codes, we see the standard preparation for the launch of service. After creating the service completion event, you can notice an interesting function that for convenience of analysis was called by us GetHedgeCoinData. It runs twice: if the first start was unsuccessful, the malicious one waits for 60 seconds (Sleep (60000)), then makes a second attempt.

Let’s look at the function itself to understand what functions it is doing.

GetHedgeCoinData function is small yet interesting

GetHedgeCoinData function is small yet interesting


Nested CheckAvailability function uses curl library

Nested CheckAvailability function uses curl library

Malware uses the curl library to connect to the URL hXXps: //sites.google.com/site/hedgecoin. After the request was made, the response code and return data are checked. The GetHedgeCoinData function succeeds if the query was executed.

As you can see, the site is disabled by Google right now, so it is not possible to retrieve the data that was on this domain.

Google disables malicious site. Nice job!

Google disables malicious site. Nice job!


However, as we didn’t get information from the specified web address, malware uses the predefined (hardcoded) parameters:
-a cryptonight -o stratum+tcp://mine.anybt.com:1111 -u 478WNYwHN4SQs8j89P8QJY4DKm2c6JhCQizi5ucjooKuFQirbtEsafJinSXLwZcysnN1L98r2vocKjGjKoXRrEiRGpmyErc -p x -t 1

Obviously, these parameters are used for the crypto currency mining. Specifically, the algorithm cryptonight and the domain mine.anybt.com, located on the hosting GoDaddy.com (based on whois information) is in use.

WhoIs information about anybt.com domain

WhoIs information about anybt.com domain

Remember these settings, they will be used below. The next function we named CheckWebProxyFiles , that processed files used by malware.

Checking files and copying them

Checking files and copying them

As you can see from the code, there can be 3 identical malicious files on the user’s system:

  1. %commonappdata%\_iocache_.dat
  2. %system%\webproxy.exe
  3. %programfiles%\WebFreer\webproxy.exe

If any of the last two files will be removed, service will restore from a copy in %commonappdata%\_iocache_.dat.

Let’s return to the main function. After the above operations with files, the following function is executed, that is intended for launching webproxy.exe.

Finally launching webproxy.exe with needed parameters

Finally launching webproxy.exe with needed parameters

The service checks the presence of %system%\webproxy.exe or %programfiles%\WebFreer\webproxy.exe file (it’s enough at least one of them), and then generates the startup parameters (the ones we saw above). After that it creates the process, saving its ProcessID. The constant bCreateProtectedProcess, hidden into the application code, attracts attention. If its value is 76 (0x4C), then the process is started as a protected one. In the sample analyzed by us this value was equal to 76.

The further behavior of the service depends on the success of launching the webproxy.exe process. If the process couldn’t be started, the service is shut down.

Further behavior depends on process start’s result

Further behavior depends on process start’s result

If the webproxy.exe process is successfully launched, the service is marked as started and it creates an endless stream, in which the integrity of the files (CheckWebProxyFiles) is checked and the process of webproxy.exe is restarted, if necessary.

Every 5 seconds service keeps an eye on webproxy process

Every 5 seconds service keeps an eye on webproxy process

So, it’s time to sum up.

Service WebClientService:

  1. refers to a file %system%\WebClientService.exe;
  2. starts automatically when the system starts up;
  3. executes a request to the URL hXXps://sites.google.com/site/hedgecoin;
  4. has built-in parameters for mining (but does not do mining itself);
  5. It starts a protected process at startup %system%\webproxy.exe or %programfiles%\WebFreer\webproxy.exe;
  6. performs file copying operations %commonappdata%\_iocache_.dat, %system%\webproxy.exe and %programfiles%\WebFreer\webproxy.exe;
  7. after startup it monitors every 5 seconds the status of the webproxy.exe process and, if necessary, starts it again;
  8. after startup it monitors every 5 seconds the presence of %commonappdata%\_iocache_.dat, %system%\webproxy.exe and %programfiles%\WebFreer\webproxy.exe. If necessary, restores them from copies.

webproxy.exe

When parsing the WebClientService service, we repeatedly encountered the mention of another malicious file – webproxy.exe. Due to information already received, we can safely assume that this file is a crypto-currency miner. Let’s check this hypothesis.

PE Header tells us it is a 64-bit EXE

PE Header tells us it is a 64-bit EXE

Information from the PE header tells us that this file is executed on 64-bit systems. It is very strange for a malware, because this can potentially reduce the number of infected systems, although most computers in the world work on modern OS with 64-bit width. At least Windows x86 users can sleep peacefully, this miner won’t even launch on their systems.

Packed with UPX. Boring

Packed with UPX. Boring

Data about the sections in the PE header tells us that we face a packed UPX file in front of us.

After the routine unpacking procedure, we get the usual executable console file written in C.

We got non-packed 64-bit executable

We got non-packed 64-bit executable

Let’s check the string constants in the file and, perhaps, we will find something interesting.

Yep. CPUMiner-Multi is used

Yep. CPUMiner-Multi is used

Indeed, we have found an interesting fact. Let’s allow the proposition that we are dealing with the original cpuminer-multu. The authors of the malware did not remove the string constants from the file, so we even got the github of the miner’s author (not a malicious program, but the legitimate utility for mining – cpuminer-multi). We found cpuminer-multi version 1.3.1 on github without problems. The only thing left to do is just to compare our file with those found.

So, webproxy.exe is actually cpuminer-gw64-core2.exe

So, webproxy.exe is actually cpuminer-gw64-core2.exe

Now it is clear why webproxy.exe is a 64-bit application, regardless of the OS bitness on which WebFreer is installed: cpuminer-multi version 1.3.1 exists only in 64-bit version.

Mining process is in progress…

Mining process is in progress…

In total, webproxy.exe is not of much interest for analysis, since it is a copy of the common utility for mining cpuminer-gw64-core2.exe.

3.2Was WebFreer always be so?

We decided to check whether users of the previous version of the WebFreer browser are at risk. To do this, we downloaded the previous version of the browser – 1.3.1.0, and compared the contents of the installers.

Not webproxy.exe neither webclientserver.exe are present

Not webproxy.exe neither webclientserver.exe are present

As it turned out, the previous version of the browser WebFreer did not contain any malicious elements, namely – hidden cryptocurrency miners.

4.Conclusion

Together with you, we have found and analyzed the WebFreer browser, which is installed in a system along with malicious elements. They carry out crypto-currency mining causing harm to your system and computer. Your computer is busy solving the mining tasks, as a result its performance, speed are reducing, there may be a problem of high noise level of cooling systems, overheating and even breakdown of the computer.

Whether the malicious minor was included in the WebFreer browser purposefully by its authors, or whether a cyber attack was performed on their server, it is impossible to say for sure, because there is no digital signature.

In the end of our analysis we would like to give you some tips on how to protect yourself and your loved ones.

  • Use only the latest versions of the software.
  • Install operating system updates in a timely manner. Most infections can be avoided simply by installing OS updates.
  • Use only trusted browsers.
  • Do not install unknown software from suspicious sources.
  • Check the presence of a digital signature in the programs that you use. This will not be the 100% solution against infection, but it will significantly reduce it.
  • If you notice a slowdown or worsening of your PC performance, scan your system.
Coin miners gain its popularity, so dozens of new viruses appear every hour and usual antiviruses can’t be effective to fight with it. GridinSoft Anti-Malware updates virus database hourly, so you can be sure that you have the strongest protection.
Download the latest version of GridinSoft Anti-Malware and scan the system to find any virus in the system.

How to remove coinminer from the system


On the main window of GridinSoft Anti-Malware choose prefered type of scan. I recommend to do a full scan to check the whole system.

Additional step to clean the system


To clean your device completely from any kind of threats I suggest you to do a reset browser settings with GridinSoft Anti-Malware to remove all nasty ads and browser redirects in one click.

Stay secure!

Related Post

Why Free Browser Extensions Can Be Dangerous On a daily basis we make use of different browsers to surf the internet using our PCs and these browsers develop adds up new features especially exten...
Is your computer mining cryptocurrency behind your... Do you know your computer could be mining Cryptocurrencies - Bitcoin/Ethereum/Litecoin/Dogecoin etc. to be precise without you knowing? This process m...
Coin Miners – What is it? How to know that ... Cryptocurrencies are fast becoming popular after the launch of the first of its kind in 2009. The new era mode of payment that is organized by a block...
What is Trojan.CoinMiner csrss.exe Trojan.CoinMiner uses the computing resources of the infected computer to receive crypto currency, most often in BitCoin.The owner of such infecte...

has been working as a Chief Virus Analyst for 4 years. He is passioned about learning new virus schemes.

Vlad loves cooking all kinds of meat and his banana cupcakes with fruit filling made a splash in our office!

4 comments on “COIN-MINER INVESTIGATION: WHEN, WHY, WHAT FOR”

  1. Riley says:

    Thanks, it’s very informative

  2. Jennifer Goolkasian says:

    I’ve made some amout with BTCPeek but I found on google that bitcoin inside info

  3. robert says:

    Great article, very useful !!

  4. Wendy says:

    It works very well for me

Leave a Reply

Your email address will not be published. Required fields are marked *

Gridinsoft Products mini-guide

Categories

Recent Posts

Top Tips

Be mindful and keep your PC healthy -- GridinSoft.com

Follow Us

GridinSoft Official Offers, Coupons and FREE proposals

Related Post