Distribution of Zephyr CoinMiner Using Autoit

AhnLab SEcurity intelligence Center (ASEC) recently discovered that a CoinMiner targeting Zephyr is being distributed. The miner is built with Autoit and is being spread inside a compressed archive that contains the CoinMiner.

The compressed file is being distributed as “WINDOWS_PY_M3U_EXPLOIT_2024.7z,” and decompressing it produces several scripts and executables. Among them, “ComboIptvExploit.exe” is a Nullsoft Scriptable Install System (NSIS) installer that contains two Javascript files.

Figure 1. WINDOWS_PY_M3U_EXPLOIT_2024.7z, decompressed

When the installer is run, it creates the “Explorer.js” and “internet.js” files in the %temp% directory, and both Javascript files are then executed via wscript.exe.

Figure 2. Scripts created in Temp directory

Figure 3. wscript.exe executed


Of the two Javascript files, “internet.js” decodes the BASE64-encoded strings it contains and writes the result out as an executable. That executable is created as “x.exe” in the %temp% directory, and it is a program written in Autoit.

The compiled Autoit script file contains “asacpiex.dll,” which is a compressed file, and “CL_Debug_Log.txt,” which is a legitimate “7za.exe” file. Once “JDQJndnqwdnqw2139dn21n3b312idDQDB” is supplied as the password, the archive is decompressed, and the following two compiled Autoit script files are created in the %temp% directory: “64.exe” and “32.exe.” If the CPU architecture is x86, “32.exe” is copied, and if the architecture is x64, “64.exe” is copied, to the following path: “%USER%\AppData\Roaming\Microsoft\Windows\Helper.exe.”

CL_Debug_Log.txt e -p"JDQJndnqwdnqw2139dn21n3b312idDQDB" &"&@TEMPDIR&\CR_Debug_Log.txt&"& -o&"&@TEMPDIR&\

The copied Helper.exe is a CoinMiner that mines the Zephyr cryptocurrency, and the extracted script shows the mining pool and wallet address it uses. The recent payout records can be found by connecting to the mining pool and looking up the wallet.

 GLOBAL $CRYPT= -a rx/0
 GLOBAL $STRAT_=ssl
 GLOBAL $POOL=zeph.kryptex.network:8888
 GLOBAL $WALLET=ZEPHsAgR4UTMCufABEmp7CDehfzontt85VKaQogms5zVc9iwV896o9ZR2XcbuCzwaSGYDmMUTjPJUVoLUE9a5feJKRgjtsvAndw/IPTV

Figure 4. Payouts in mining pool’s wallet URL

The overall execution flow of the malware is shown in the diagram below:

Figure 5. Malware execution flow
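As an added example (not code from the ASEC post or from the malware samples), the following Python sketch turns the behaviours described above into four detection checks and runs them over constructed process-creation records; the record fields, the `C:\Users\u` prefix and the exact command lines are assumptions made for illustration.

```python
import re

# Constructed sample process-creation events (not taken from the original post).
# Each dict mimics a minimal Sysmon/EDR record: image path, command line, parent image.
SAMPLE_EVENTS = [
    {"image": r"C:\Windows\System32\wscript.exe",
     "cmd": r'wscript.exe "C:\Users\u\AppData\Local\Temp\internet.js"',
     "parent": r"C:\Users\u\AppData\Local\Temp\ComboIptvExploit.exe"},
    {"image": r"C:\Users\u\AppData\Local\Temp\CL_Debug_Log.txt",
     "cmd": r'CL_Debug_Log.txt e -p"JDQJndnqwdnqw2139dn21n3b312idDQDB" asacpiex.dll',
     "parent": r"C:\Users\u\AppData\Local\Temp\x.exe"},
    {"image": r"C:\Users\u\AppData\Roaming\Microsoft\Windows\Helper.exe",
     "cmd": r"Helper.exe -a rx/0 -o ssl://zeph.kryptex.network:8888",
     "parent": r"C:\Users\u\AppData\Local\Temp\x.exe"},
    # Benign control: wscript running a script outside Temp should not fire.
    {"image": r"C:\Windows\System32\wscript.exe",
     "cmd": r'wscript.exe "C:\Scripts\backup.js"',
     "parent": r"C:\Windows\explorer.exe"},
]

RULES = {
    # Stage 1: wscript.exe launching a .js file dropped into the user's Temp directory
    "wscript_js_from_temp": lambda e: e["image"].lower().endswith(r"\wscript.exe")
        and re.search(r"\\AppData\\Local\\Temp\\[^\"\s]+\.js", e["cmd"], re.I),
    # Stage 2: 7-Zip extraction syntax ("e -p<password>") run from a binary named *.txt
    # (the post notes that 7za.exe is carried as "CL_Debug_Log.txt")
    "7za_renamed_txt_extract": lambda e: e["image"].lower().endswith(".txt")
        and re.search(r"\be\s+-p\S+", e["cmd"]),
    # Stage 3: miner persisted as Helper.exe under AppData\Roaming\Microsoft\Windows
    "helper_exe_roaming": lambda e: re.search(
        r"\\AppData\\Roaming\\Microsoft\\Windows\\Helper\.exe$", e["image"], re.I),
    # Stage 3: RandomX algorithm flag or the Zephyr pool host in the command line
    "zephyr_pool_args": lambda e: "zeph.kryptex.network" in e["cmd"].lower()
        or re.search(r"-a\s+rx/0", e["cmd"]),
}

def match_events(events):
    """Return a list of (event_index, rule_name) hits, in event then rule order."""
    hits = []
    for i, ev in enumerate(events):
        for name, check in RULES.items():
            if check(ev):
                hits.append((i, name))
    return hits

if __name__ == "__main__":
    for idx, rule in match_events(SAMPLE_EVENTS):
        print(f"event {idx}: {rule}")
```

Any single rule alone is noisy on real telemetry; correlating two or more of these stages under one parent process tree is what makes the hit actionable.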

Users must be cautious when downloading and running files from unknown sources and should keep their anti-malware solution updated to the latest version.

V3 detects the malware using the alias below, and the IOC is as follows:

Figure 6. V3 detection information

[File Detection]

  • CoinMiner/Win.Agent.R631683 (2024.01.18.00)
  • Trojan/Win.Wacatac.C5571541 (2024.01.08.00)
  • CoinMiner/Win.Zephyr.C5575600 (2024.01.17.03)

[Behavior Detection]

  • Malware/MDP.Inject.M2907

[IOC Info]

MD5

  • 1ea56f7d135c6d9394138b91b3b7bed2
  • 2b7931a70748c38c8046dea9dc708379
  • 6647cd9d0ab63506c230fbce8019d0b8

Subscribe to AhnLab’s next-generation threat intelligence platform ‘AhnLab TIP’ to check related IOC and detailed analysis information.

The post Distribution of Zephyr CoinMiner Using Autoit appeared first on ASEC BLOG.
