AhnLab SEcurity intelligence Center (ASEC) recently found that XMRig CoinMiner is being distributed through game hacks. The process is similar to previously covered cases where file-sharing platforms were used to distribute XMRig CoinMiner [1] [2].
1. Distribution Channel
The CoinMiner’s distribution channel was found to be a website that distributed game hacks for famous games, where multiple compressed files were uploaded disguised as hacks for famous games. In order to prevent the download from being blocked by browsers and anti-malware software, it prompts users to install the malware by detailing how to disable the browser from blocking downloads and how to shut down anti-malware software.
Figure 1. Main page of the game hack distribution site
Figure 2. Download page of the game hack distribution siteIf you search for the programs in an actual gaming community, there are multiple comments from users who are aware that these programs contain malware.
Figure 3. Game community2. Bypassing Detection
The uploaded compressed file has a downloader that installs the CoinMiner and malware that shuts down anti-malware software. The threat actor guides the users to shut down the anti-malware software with the manual that is included in the compressed file, making it much harder for users to be aware of the damage caused by malicious activities.
Figure 4. Inside the uploaded compressed file
Figure 5. ManualThe program used to shut down the anti-malware software is the Windows Defender management program dControl.exe, which disabled Windows Defender.
Figure 6. Executed dControl.exe3. CoinMiner Installed via Downloader
When the preparation to execute the CoinMiner is complete, the CoinMiner is downloaded through loader.exe. The initial downloader is a program made with AutoHotkey, and it installs and executes the CoinMiner in the ‘%t’emp%\’ folder path.
Figure 7. Downloader scriptThe executed CoinMiner uses PowerShell to disable Windows Defender from scanning .exe extensions in the ‘ProgramData’ path and removes Windows Malicious Software Removal Tool (MSRT) update, Windows Update, and other similar services. It also attempts to bypass detection by editing the hosts file.
At the same time, it replicates itself in the %ProgramData%\Google\Chrome path with the file name updater.exe and maintains persistence by registering with the service name GoogleUpdateFile.
- Add-MpPreference -ExclusionPath @($env:UserProfile, $env:ProgramData) -ExclusionExtension ‘.exe’ -Force
- cmd.exe /c wusa /uninstall /kb:890830 /quiet /norestart
- sc.exe stop UsoSvc
- sc.exe stop WaaSMedicSvc
- sc.exe stop wuauserv
- sc.exe stop bits
- sc.exe stop dosvc
- sc.exe create “GoogleUpdateFile” binpath=”C:\ProgramData\Google\Chrome\Updater.exe” start=”auto”
Figure 8. Modified hosts file- id : zajpavgygytczlbw
- wallet : 4824qBU4jPi1LKMjUrkC6qLyWJmnrFRqXU42yZ3tUT67iYgrFTsXbMmiupfC2EXTqDCjHrjtUR8oHVEsdSF2DErrCipV55Z
- Mining pool : xmr.2miners[.]com:12222
- cinit-stealth-targets : Taskmgr.exe,ProcessHacker.exe,perfmon.exe,procexp.exe,procexp64.exe
4. Conclusion
As malware is being distributed actively via games or game hacks, users need to take caution. For game hacks, there is a potential risk of getting infected by other malware strains apart from the CoinMiner introduced in this blog post, as the user needs to periodically execute a downloader like loader.exe. As such, caution is advised when running executables downloaded from unreliable file-sharing websites. It is recommended that users download programs from the official websites of developers. This type of malware is diagnosed by AhnLab as follows.
[File Detection]
Downloader/Win.Agent.C5574989 (2024.01.16.03)
CoinMiner/Win.Agent.C5574932 (2024.01.16.02)
HackTool/Win.DefenderControl.R443408 (2021.10.07.03)
[Behavior Detection]
Execution/MDP.Cmd.M4789
[IOC]
MD5
7698fe6bd502a5824ca65b6b40cf6d65 (Loader.exe)
db98d8d6c08965e586103b307f4392fb (Update.exe)
58008524A6473BDF86C1040A9A9E39C3 (dControl.exe)
C&C
hxxps://cdn.discordapp[.]com/attachments/1195976176963948674/1195992986664829008/dupdate.exe?ex=65b60244&is=65a38d44&hm=66ae5a48329d7c237b8bd6d0506d4feb9c1e14281e918d8f2057bd0694a06ad2&
Subscribe to AhnLab’s next-generation threat intelligence platform ‘AhnLab TIP’ to check related IOC and detailed analysis information.
The post XMRig CoinMiner Installed via Game Hacks appeared first on ASEC BLOG.
Article Link: https://asec.ahnlab.com/en/60845/