CoinMiner’s Attempt to Bypass AMSI by V3 Memory Scan

Malware Analysis
1

The ASEC analysis team confirmed the distribution of CoinMiner that can disable the AMSI detection feature. Added in Windows 10, AMSI is a feature supported by Microsoft that allows applications and services to be linked with anti-malware software to detect malware. Currently, V3 Lite 4.0 and V3 365 Clinic 4.0 are utilizing the AMSI feature to respond to various types of malware including BlueCrab ransomware.

The CoinMiner that can disable AMSI is being distributed in the fileless form utilizing the powershell script. Before the malware attempts to run the CoinMiner process, it first edits AmsiScanBuffer’s function start byte in amsi.dll and attempts to disable AMSI.

1024×671
Figure 1. Stages of powershell CoinMiner script operation

[Powershell Script Operation Stage 1]

  • Obtain LoadLibrary, VirtualProtect, and GetProcAddress API information
1024×835
Figure 2. Obtaining relevant API to disable AMSI detection
  • Edit AmsiScanBuffer’s initial 6 bytes in amsi.dll (0xB8, 0x57, 0x00, 0x07, 0x80, and 0xC3)
1024×367
Figure 3. AmsiScanBuffer function disabled by powershell script

[Powershell Script Operation Stage 2]

998×447
Figure 4. A part of powershell script code related to Miner
  • Perform CoinMiner injection to normal msiexec.exe process
  • Terminate Miner process (msiexec.exe) when user runs task manager program (taskmgr.exe)
  • Restart Miner process (msiexec.exe) when task manager process is terminated

Powershell-type CoinMiner is not the only malware that utilizes this method of disabling AMSI. It was found that .NET -type malware such as AgentTesla and MassLogger also uses this method.

V3 products can detect and block the AMSI disabling technique through the real-time memory scan. Therefore, users need to update the V3 product engine to its latest version to prevent malware infection in advance.

[File Detection]

  • CoinMiner/PS.Agent (2021.05.18.00)

[Memory Detection]

  • Trojan/Win.AmsiBypass.XM108 (2021.05.18.00)

[IOC]

  • hxxp://beautyiconltd.cn/rigged.txt
  • hxxp://beautyiconltd.cn/cnf.txt
  • hxxp://beautyiconltd.cn/hsh.txt
  • hxxp://beautyiconltd.cn/ethged.txt
  • hxxp://beautyiconltd.cn/ethcnf.txt
  • hxxp://beautyiconltd.cn/ethhsh.txt

The post CoinMiner’s Attempt to Bypass AMSI by V3 Memory Scan appeared first on ASEC BLOG.

Article Link: CoinMiner's Attempt to Bypass AMSI by V3 Memory Scan - ASEC BLOG