CoinMiner Distribution Process within Infiltrated Systems (Detected by EDR)

AhnLab Security Emergency Response Center (ASEC) has identified the process through which threat actors install CoinMiners, which utilize a compromised system’s resources for cryptocurrency mining. This post will cover how the AhnLab EDR product detects the installation process of CoinMiners that use system resources for cryptocurrency mining.

Figure 1. Execution of command from threat actor

Figure 1 shows that the threat actor repeatedly used the same command on the infiltrated system: a PowerShell script was detected being executed by a PowerShell command launched through the CMD process. Instead of downloading a file directly, only a script is received as a string and executed.

Figure 2. Malicious PowerShell behavior

The executed PowerShell script decodes data encoded in Base64 and creates a file named “nodejssetup-js.exe” in the TEMP directory, which it then executes.

Figure 3. Key behavior of the malware

The executed malware can be observed in Figures 3 and 4. Its main features are receiving DES-encrypted data files from a distribution site, decrypting them, and injecting the result into the legitimate process MSBuild.exe via Process Hollowing.

Figure 4. Malware feature

Figure 5. Memory of msbuild after being injected

The injected (Process Hollowed) MSBuild.exe then performs the malicious behaviors shown in Figures 5, 6, 7, and 8. Figure 5 shows the memory contents of MSBuild.exe after injection; the same values appear in the AhnLab EDR detection screens in Figures 6, 7, and 8. MSBuild.exe receives additional malware (Figure 6), injects it into the legitimate process AddInProcess.exe, and executes it (Figure 7). Examining the command line used at execution time (Figure 8) confirms that this is the method used to run the CoinMiner.

Figure 6. Malicious behavior from MSBuild 1

Figure 7. Malicious behavior from MSBuild 2

Figure 8. Malicious behavior from MSBuild 3

Figure 9. Miner behavior from AddInProcess.exe

Finally, CPU usage that exceeds a certain threshold can be observed from the injected (Process Hollowed) AddInProcess.exe.
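The process chain described above (cmd.exe launching an inline Base64-decoding PowerShell script that drops to %TEMP%, MSBuild.exe started from a Temp path, and a hollowed MSBuild.exe spawning AddInProcess.exe with a miner command line), written up as an added Python triage example over constructed process-creation events. This is not ASEC's or the EDR product's own detection logic; the file paths, the sample telemetry and the XMRig-style command-line indicators are assumptions, since the post does not quote the miner's command line.

```python
import re
from dataclasses import dataclass

@dataclass
class ProcEvent:
    parent: str   # full path of the parent process image
    image: str    # file name of the created process
    cmdline: str  # command line of the created process

def _name(path: str) -> str:
    return path.replace("/", "\\").rsplit("\\", 1)[-1].lower()

# Stage 1: cmd.exe -> powershell.exe with an inline script that Base64-decodes
# a payload and drops it into %TEMP% (the "nodejssetup-js.exe" stage).
INLINE_DECODE = re.compile(r"frombase64string|-e(nc(odedcommand)?)?\b", re.I)
TEMP_DROP = re.compile(r"\$env:temp|%temp%", re.I)
# Stage 3: miner-style options on the AddInProcess.exe command line
# (assumed XMRig-like indicators, not values taken from the post).
MINER_HINT = re.compile(r"stratum\+tcp://|--donate-level|--coin=", re.I)

def classify(ev: ProcEvent) -> list[str]:
    """Return the names of the suspicious patterns a single event matches."""
    parent, image = _name(ev.parent), _name(ev.image)
    findings = []
    if parent == "cmd.exe" and image == "powershell.exe" \
            and INLINE_DECODE.search(ev.cmdline) and TEMP_DROP.search(ev.cmdline):
        findings.append("ps-base64-drop-to-temp")
    # Stage 2: MSBuild.exe launched by an executable living in a Temp directory.
    if image == "msbuild.exe" and "\\temp\\" in ev.parent.lower():
        findings.append("msbuild-from-temp-parent")
    if parent == "msbuild.exe" and image == "addinprocess.exe":
        findings.append("msbuild-spawns-addinprocess")
        if MINER_HINT.search(ev.cmdline):
            findings.append("miner-cmdline")
    return findings

def chain_detected(events: list[ProcEvent]) -> bool:
    """True when every stage of the described chain appears in the event set."""
    seen = {f for ev in events for f in classify(ev)}
    return {"ps-base64-drop-to-temp", "msbuild-from-temp-parent",
            "msbuild-spawns-addinprocess"} <= seen

# Constructed sample telemetry (not from the post): three malicious events and
# one benign MSBuild launch from Visual Studio, which must not be flagged.
SAMPLE_EVENTS = [
    ProcEvent(r"C:\Windows\System32\cmd.exe", "powershell.exe",
              r'powershell -c "[IO.File]::WriteAllBytes(\"$env:TEMP\nodejssetup-js.exe\",'
              r'[Convert]::FromBase64String($b64))"'),
    ProcEvent(r"C:\Users\u\AppData\Local\Temp\nodejssetup-js.exe", "MSBuild.exe", "MSBuild.exe"),
    ProcEvent(r"C:\Windows\Microsoft.NET\Framework64\v4.0.30319\MSBuild.exe", "AddInProcess.exe",
              "AddInProcess.exe -o stratum+tcp://pool.invalid:3333 --donate-level=0"),
    ProcEvent(r"C:\Program Files\Microsoft Visual Studio\devenv.exe", "MSBuild.exe", "MSBuild.exe app.csproj"),
]
```

Because every stage after the dropper runs only in memory, the chain is visible in process-creation and parent/child telemetry rather than in file scans, which is why each rule keys on the parent image and the command line.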

Installing a CoinMiner that uses system resources on an infiltrated system involves multiple processes, but only one malware file is used: “nodejssetup-js.exe”. All other scripts and malicious PE files used in the injection (Process Hollowing) stages exist only in memory. To detect this distribution method, behavior detection must be enabled in V3, AhnLab's endpoint anti-malware solution. In case of infection, further response can be taken through detailed analysis with EDR.

[Behavior Detection]
Execution/MDP.Powershell.M2514
Connection/EDR.Behavior.M2650
Execution/EDR.Malware.M10459
Execution/MDP.Powershell.M1185
Injection/MDP.Hollowing.M10428
Execution/EDR.Powershell.M11170

[IOC]
1c5d05def6e3baabe8da94a3d275c5e5 Dropper/PowerShell.Generic
6efe15382531ae994f2f220046421b1d CoinMiner/Win.XMRig(2023.04.16.01)
hxxp://79.137.196[.]27/bypass.ps1
hxxps://files.catbox[.]moe/kwfxr7.dll
hxxps://files.catbox[.]moe/k541xr.dll
hxxp://185.174.136[.]91/name.dll

AhnLab EDR protects the endpoint environment by delivering behavioral detection, advanced analysis, holistic visibility, and proactive threat hunting. For more information about the product, please visit our official website.

The post CoinMiner Distribution Process within Infiltrated Systems (Detected by EDR) appeared first on ASEC BLOG.

Article Link: https://asec.ahnlab.com/en/57222/