Fake Flash Updates Mine Monero Under the Hood
The recent surge in cryptomining is providing cyber criminals with more vectors to attack, at the expense of legitimate users. This year has seen a huge increase in the deployment of numerous malwares, with cryptominers as primary or secondary payloads. Cryptominers are becoming easy targets, that allow attackers to go a step further to disguise themselves as the miner in the form of a flash update. Palo Alto Networks reported a list of collected samples, some dating back to August 2018. The author further adds that installers from the Adobe website were legitimate, and the malicious ones were mostly Windows binaries. There were many previous attempts to pass off malware as Flash updates, but in this current scenario, some of the samples perform a legitimate flash update, along with dropping the Monero miner executable, executing it without user knowledge.
On running the flash update executable a22b50d4f18b2fc92bdcffc01281c40cd4ed1d2bd9364fce91ea484a37bf3725, it shows a typical warning, “Do you want to allow the following program from an unknown publisher to make changes to this computer?”, which is dismissed by most. When we accept to continue, it executes and drops two files in the path %appdata%\Roaming\xbooster\Manager.exe and %appdata%\Roaming\xbooster\xmrig.exe, and also runs the xmrig.exe. The task manager shows the process xmrig.exe running with CPU utilization at above 90%
Fig 1: CPU usage and executable dropped
Looking at the processes created at the execution xmrig.exe, the process is created from the execution of the command “C:\Users\<USER>\AppData\Roaming\xbooster\xmrig.exe -o stratum+tcp://xmr-eu1.nanopool.org:14444 -u 4JUdGzvrMFDWrUUwY3toJATSeNwjn54LkCnKBPRzDuhzi5vSepHfUckJNxRL2gjkNrSqtCoRUrEDAgRwsQvVCjZbRzL9pCSYqvM4EaC4kh/2 -p x –donate-level=1 -B –max-cpu-usage=90 -t 1”.
The executable extracts resources into the temp folder and writes that to xmrig.exe and Manager.exe. Then xmrig.exe establishes a connection with the mining pool and executes in the background.
On analysis of the packet capture showing execution, the executable does a DNS query for “ztracker.xyz”, as well as “xmr-eu1.nanopool.org”. The domain name is resolved to a number of IP addresses of which the system establishes a TCP connection with 18.104.22.168 over port 14444. All further communication recorded by the xmrig.exe is only to port 14444.
Fig 2: DNS query and response
Following the TCP stream of the connection shows it trying to connect with the XMRig with the login parameters “4JUdGzvrMFDWrUUwY3toJATSeNwjn54LkCnKBPRzDuhzi5vSepHfUckJNxRL2gjkNrSqtCoRUrEDAgRwsQvVCjZbRzL9pCSYqvM4EaC4kh”, that indicates the cryptowallet in which the mined coins will be collected. As per the definitions of the json format for xmrig executable, we understand the first exchange is a login request to a mining pool, the second json exchange represents the success reply to the login process. The last exchange contains ”method : job”, which indicate the new jobs to send the miner. The executable also contains placeholder strings for the submit request, as well as the reply to the keepalive requests. The submit request will probably be sent once the miner solves the challenge to get the hash to be communicated for verification, and for collecting the mined coins.
Fig 3: Communication of xmrig.exe with mining pool
Fig 4: Placeholder strings for keepalive and submit
Cryptominers, if installed without the knowledge of user in a system, might usually be detected by slow systems performance. Many end users might not be able to immediately pinpoint the issue. Campaigns such as this, that inject miners alongside legitimate updates, need to be monitored and prevented. Though it might not be openly malicious, it will still degrade the system performance. Versa VOS™ (formerly FlexVNF) antivirus module detects malicious executables and prevents them from being downloaded onto the system.