Insights and Research

Multicomponent Malware Targeting Cryptocurrency

Examining a downloader variant that launches a stealer and coinminer

Cryptocurrency continues to soar in popularity among investors and traders, which also makes it a frequent target for cybercriminals. According to a CNBC report, hackers stole $1.7 billion worth of cryptocurrency in 2018 alone. The same report noted that the number of crypto-coins stolen each year is rising—the volume of coins stolen in 2018 was 3.6 times higher than it was in 2017 and seven times higher than in 2016.

Recently, the Zscaler ThreatLabZ team came across a malware variant known as a downloader. Typically, downloaders are the first stage of infection from an exploit kit or a malicious email attachment. Downloaders are usually small and pre-programmed to download and launch other malicious files.

The variation we saw uses a different infection chain to download a stealer and a coin-miner. It is attempting to mine cryptocurrencies on a victim's system while stealing the user’s credentials. 

Let’s take a look at how it works.
 

Installation

The malware creates an “Adobe” directory under the “Appdata/Roaming” folder. 

It checks to see if the current process is running from the dropped location or not, then it writes the file on the dropped location. If the file is already there, it overwrites it.

It then creates a registry key of “Adobe” under the run key, executes the malware from the dropped location, and terminates the process from the current location.

After installation, it checks for a connection to the internet by pinging “google[.]com.” If the internet connection is working, it starts downloading other malware.

The downloader takes the integer value from the date format ddMMyyyy” or “dd”,“MM” then generates a random number by performing the operation as shown in Figure 1. It then converts the number with the domain (https://crackpoint[.]xyz/22112995).

Figure 1: Downloader operation

Next, the downloader fetches another domain (https://leletorrents[.]info) by visiting the above URL. It also checks to see if the operating system is 64-bit or 32-bit, then downloads the malware (stealer and coin-miner) and executes them: (https://leletorrents[.]info/22112995/x64/ or https://leletorrents[.]info/22112995/x86/).
 

Password Stealer

Installation 

The malware appends the physical address of the system along with the \\AppData\\Roaming\\ folder as the filename and checks if it exists in the \\AppData\\Roaming\\ folder. It checks to see if a directory called \\AppData\\Roaming\\bR3Adobe exists and if a directory called \\AppData\\Local\\Google\\Chrome\\User Data exists. Only then will it perform its functionality.

The password stealer also checks the directory of \\AppData\\Local\\Temp\\<username>\\ and deletes all its files and subdirectories. It creates a “Logins” directory under the \\temp\\<Username>\\ directory path. After that, it copies all files and subdirectories from the “ApplicationData” and “LocalApplicationData” directory to the \\temp\\Username\\Logins\\ directory. Finally, it creates a new list of files under the “Logins” directory.

Stealing Module 

It reads data from each file by query and stores it into a file named “ch.txt” and copies data from the “ch.txt” file to “ch <username> - <filename>.txt.” It sends this stolen data through an email attachment, with the stolen data written in the following format:

  • Link - Login URL
  • Login - Email/Username
  • Password - Password

Figure 2: Stealing credentials from Chrome

Figure 3: Sending stolen information via email


Coinminer

The coinminer payload is embedded in the resource section. After performing certain checks, it drops the malware payload using these steps:

Installation

  • Checks whether a process “explorer.exe” with the argument “--donate-level=” is running. If running, the process is terminated.  
  • It also checks if an NVIDIA toolkit is installed. 

It reads data from the resource section, decrypts it, and injects it into the “explorer.exe.” After that, it performs its mining functionality.

Figure 4: Injecting coin-miner into the Explorer process

It mines for Monero and Aeon cryptocurrencies. We have found the following information related to the mining process.

  • "url": "159.89.88[.]49:14254"
  • "user": "41vbULeqYmY4pMHtSQiQhncdKzSV5aAnHCQ17qSic8gyikuC8GR5xXFWFKTcCK4"
  • cryptonightv7.nicehash[.]com
  • cryptonightheavy.nicehash[.]com
  • Xmr.pool.minergate[.]com
  • Aeon.pool.minergate[.]com
  • donate.v2.xmrig[.]com


Conclusion

Cryptocurrency values continue to rise, as does its popularity amongst consumers and investors around the world. As such, it is going to remain a popular target for cybercriminals, and those who use, trade, and invest in cryptocurrency will continue to find themselves under the threat of attack. The Zscaler ThreatLabZ team continuously monitors and blocks coinminers and other types of malware to ensure the protection of our customers.


IOCs:

URLs

  • https://leletorrents[.]info/22112995/x86/
  • https://leletorrents[.]info/22112995/x64/
  • https://crackpoint[.]xyz/22112995

Stay up to date with the latest digital transformation tips and news.

By clicking the submit button, you are agreeing to our privacy policy.