Seqrite Blog
03 September 2018

I am invisible – Monero (XMR) Miner

Written by Ghanshyam More
Malware, Security

Over the last year, Quick Heal Security Labs has observed a sharp rise in the number of mining malware samples. Malware authors are now using cryptocurrency mining as a replacement for ransomware to make money.

Recently, Quick Heal Security Labs came across a malware sample that mines Monero (XMR). The miner is made up of several components. Its infection vector is still unconfirmed, but based on attribution it appears to arrive on the system via spear phishing, malvertising and similar means.

Technical Analysis:

The analyzed miner is a self-extracting executable (SFX). It extracts its components to “C:\Program Files\Windriverhost”, as listed below:

  1. jsnel.vbs (VBScript)
  2. rar.exe (extraction utility)
  3. db.rar (password-protected archive)
  4. chax.bat (batch file)
Fig 1 : Extracted components of the malware

After extracting the components, it starts the VBScript jsnel.vbs, as shown in Fig 2.

Fig 2 : Starting jsnel.vbs

jsnel.vbs contains a simple piece of code to launch chax.bat.

Fig 3 : Content of jsnel.vbs

rar.exe is a command-line utility for unpacking archives. Here it is used to unpack the password-protected db.rar.

chax.bat first deletes the components left behind by older versions of the malware and of the password-protected archive, as shown in Fig 4.

Fig 4 : Content of chax.bat

The main task of chax.bat is to extract the following components of db.rar into the same directory and then launch ouyk.vbs:

  1. ouyk.vbs (VBScript)
  2. xvvq.bat (batch file)
  3. config.json (configuration file)
  4. driverhost.exe (mining tool)
Fig 5 : Extracted components of db.rar

Like jsnel.vbs, this script (ouyk.vbs) does nothing more than launch a batch file, xvvq.bat.

Fig 6 : Content of ouyk.vbs
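The drop chain described so far (SFX, then jsnel.vbs, chax.bat, rar.exe unpacking db.rar, then ouyk.vbs and xvvq.bat) is easier to catch from process-creation telemetry than from any single file. The following is an added example, not code from the page or from Quick Heal: it walks constructed Sysmon-style events (field names follow Sysmon Event ID 1) modelled on that chain and flags the relationships that matter, namely a script host sitting above a password-protected archive extraction, a script host launched by another script host, and a script-driven chain zeroing the standby timeout. The SFX file name, the process ids, the archive password and the benign WinRAR control events are all assumptions.

```python
"""Reconstruct the drop chain from process-creation telemetry and flag it.

Added example, not code from the page or from Quick Heal. EVENTS is constructed to
mirror the chain described above; the SFX name, pids, paths and the archive password
are invented, and the last two events are a benign control (a user extracting an
archive by hand from Explorer).
"""
import re

SCRIPT_HOSTS = {"wscript.exe", "cscript.exe", "mshta.exe"}
ARCHIVERS = {"rar.exe", "unrar.exe", "winrar.exe", "7z.exe", "7za.exe"}

EVENTS = [
    {"ProcessId": 100, "ParentProcessId": 1, "Image": r"C:\Users\user\Downloads\sfx_dropper.exe",
     "CommandLine": "sfx_dropper.exe"},
    {"ProcessId": 101, "ParentProcessId": 100, "Image": r"C:\Windows\System32\wscript.exe",
     "CommandLine": r'wscript.exe "C:\Program Files\Windriverhost\jsnel.vbs"'},
    {"ProcessId": 102, "ParentProcessId": 101, "Image": r"C:\Windows\System32\cmd.exe",
     "CommandLine": r'cmd.exe /c "C:\Program Files\Windriverhost\chax.bat"'},
    {"ProcessId": 103, "ParentProcessId": 102, "Image": r"C:\Program Files\Windriverhost\rar.exe",
     "CommandLine": "rar.exe x -y -pNotTheRealPassword db.rar"},
    {"ProcessId": 104, "ParentProcessId": 102, "Image": r"C:\Windows\System32\wscript.exe",
     "CommandLine": r'wscript.exe "C:\Program Files\Windriverhost\ouyk.vbs"'},
    {"ProcessId": 105, "ParentProcessId": 104, "Image": r"C:\Windows\System32\cmd.exe",
     "CommandLine": r'cmd.exe /c "C:\Program Files\Windriverhost\xvvq.bat"'},
    {"ProcessId": 106, "ParentProcessId": 105, "Image": r"C:\Windows\System32\powercfg.exe",
     "CommandLine": "powercfg -change -standby-timeout-ac 0"},
    {"ProcessId": 107, "ParentProcessId": 105, "Image": r"C:\Program Files\Windriverhost\driverhost.exe",
     "CommandLine": "driverhost.exe"},
    # Control: a person extracting a password-protected archive from Explorer.
    {"ProcessId": 200, "ParentProcessId": 1, "Image": r"C:\Windows\explorer.exe", "CommandLine": "explorer.exe"},
    {"ProcessId": 201, "ParentProcessId": 200, "Image": r"C:\Program Files\WinRAR\WinRAR.exe",
     "CommandLine": r'"C:\Program Files\WinRAR\WinRAR.exe" x -pNotTheRealPassword files.rar'},
]


def basename(path: str) -> str:
    return path.replace("/", "\\").rsplit("\\", 1)[-1].lower()


def ancestry(by_pid: dict, pid: int) -> list:
    """Image base names from the oldest known ancestor down to pid itself."""
    chain, seen = [], set()
    while pid in by_pid and pid not in seen:
        seen.add(pid)                       # guard: pid reuse can make the parent graph cyclic
        chain.append(basename(by_pid[pid]["Image"]))
        pid = by_pid[pid]["ParentProcessId"]
    return chain[::-1]


def find_drop_chains(events: list) -> list:
    """Return (reason, 'root > ... > leaf') tuples for processes that fit the chain."""
    by_pid = {e["ProcessId"]: e for e in events}
    findings = []
    for e in events:
        chain = ancestry(by_pid, e["ProcessId"])
        leaf, cmd, parents = chain[-1], e["CommandLine"], chain[:-1]
        script_driven = any(p in SCRIPT_HOSTS for p in parents)
        path = " > ".join(chain)
        # 1. an archiver given a password switch (-p<pw>) with a script host above it
        if leaf in ARCHIVERS and script_driven and re.search(r"(^|\s)-p\S", cmd):
            findings.append(("password-protected extraction under a script host", path))
        # 2. a script host launched by a chain that already contains a script host
        if leaf in SCRIPT_HOSTS and script_driven:
            findings.append(("script host launched by another script host", path))
        # 3. idle standby disabled from a script-driven chain
        if leaf == "powercfg.exe" and script_driven and re.search(r"standby-timeout-(ac|dc)\s+0\b", cmd, re.I):
            findings.append(("standby timeout zeroed under a script host", path))
    return findings


if __name__ == "__main__":
    for reason, path in find_drop_chains(EVENTS):
        print(f"{reason}: {path}")
```

The control events show why the rules key on ancestry rather than on the command line alone: WinRAR run by a person with a `-p` password switch is ordinary, the same switch three levels below wscript.exe is not.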

xvvq.bat has two main purposes:

  1. To keep the system always on, so that mining is never interrupted. It does this with the PowerCFG command, setting the idle standby timeout on AC power to zero (never):

          “powercfg -change -standby-timeout-ac 0” 

  2. To hide driverhost.exe from analysis tools. It enumerates running processes with the tasklist command and checks for any of the processes listed below; if one of them is running, it kills driverhost.exe:

     “taskmgr.exe”
     “perfmon.exe”
     “ProcessHacker.exe”
     “procexp.exe”
     “procexp64.exe”
     “dumpcap.exe”
     “Wireshark.exe”
     “anvir.exe”

However, there is a bug in xvvq.bat: it only checks for taskmgr.exe, and kills driverhost.exe only when Task Manager is running, as shown in Fig 7. If any of the other listed processes, such as procexp.exe, is running, driverhost.exe is not killed.

Fig 7 : Content of xvvq.bat

If none of the listed processes is running, it starts driverhost.exe, the core mining tool. xvvq.bat keeps checking for these processes in an infinite loop and acts accordingly.
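When triaging a dropped batch file like xvvq.bat, the useful questions are which analysis tools it really tests for (as opposed to merely names), what it kills and restarts, whether it loops, and whether it tampers with power settings. The following is an added example, not the malware's own script: SAMPLE_BAT is constructed from the description above (standby timeout zeroed, an infinite loop, a tasklist check that only acts on taskmgr.exe although eight tool names appear), and triage_batch() reports those answers and scores the file. The extra tool names in ANALYSIS_TOOLS beyond the page's list are an assumption.

```python
"""Static triage of a dropped batch file for the behaviours described for xvvq.bat.

Added example, not code from the page. SAMPLE_BAT is a constructed approximation of
xvvq.bat built from the description; the real file's text is not reproduced here.
"""
import re

SAMPLE_BAT = r"""@echo off
powercfg -change -standby-timeout-ac 0
set tools=taskmgr.exe perfmon.exe ProcessHacker.exe procexp.exe procexp64.exe dumpcap.exe Wireshark.exe anvir.exe
:loop
tasklist | find /i "taskmgr.exe" >nul
if %errorlevel%==0 (taskkill /f /im driverhost.exe) else (start "" driverhost.exe)
timeout /t 5 >nul
goto loop
"""

ANALYSIS_TOOLS = {
    "taskmgr.exe", "perfmon.exe", "processhacker.exe", "procexp.exe", "procexp64.exe",
    "dumpcap.exe", "wireshark.exe", "anvir.exe",                                # from the page
    "procmon.exe", "x64dbg.exe", "ollydbg.exe", "fiddler.exe", "tcpview.exe",  # added (assumption)
}
EXE = r"[\w.-]+\.exe"


def triage_batch(text: str) -> dict:
    lines = [ln.strip() for ln in text.splitlines()]
    lines = [ln for ln in lines if ln and not ln.lower().startswith(("rem ", "::"))]
    mentioned = {m.lower() for ln in lines for m in re.findall(EXE, ln, re.I)}
    # Names the script actually tests for: quoted in a find/findstr filter, or in a
    # tasklist /fi "imagename eq X" filter, on a line that runs tasklist.
    checked = {m.lower() for ln in lines if re.search(r"\btasklist\b", ln, re.I)
               for m in re.findall(r'"(?:imagename eq )?(' + EXE + r')"', ln, re.I)}
    killed = {m.lower() for ln in lines
              for m in re.findall(r"\btaskkill\b.*?/im\s+(" + EXE + ")", ln, re.I)}
    started = {m.lower() for ln in lines
               for m in re.findall(r'\bstart\b\s+(?:"[^"]*"\s+)?"?(' + EXE + ")", ln, re.I)}
    labels = {ln[1:].strip().lower() for ln in lines if ln.startswith(":")}
    gotos = {g.lower() for ln in lines for g in re.findall(r"\bgoto\s+:?(\w+)", ln, re.I)}
    loops = bool(labels & gotos)                       # a goto back to a label in the same file
    standby_off = bool(re.search(r"\bpowercfg\b.*?standby-timeout-(ac|dc)\s+0\b", text, re.I))

    tools_named = mentioned & ANALYSIS_TOOLS
    tools_checked = checked & ANALYSIS_TOOLS
    # Crude additive score: strongest weight on a real anti-analysis check, then on the
    # kill/restart toggle of the same binary, then on power tampering and looping.
    score = 2 * standby_off + 3 * bool(tools_checked) + 2 * bool(killed & started) + 1 * loops
    return {
        "tools_named": tools_named,
        "tools_checked": tools_checked,
        "ineffective_checks": tools_named - tools_checked,   # listed but never acted on
        "killed": killed,
        "started": started,
        "loops": loops,
        "disables_standby": standby_off,
        "score": score,
    }


if __name__ == "__main__":
    for key, value in triage_batch(SAMPLE_BAT).items():
        print(f"{key}: {sorted(value) if isinstance(value, set) else value}")
```

On the constructed sample the report shows the same asymmetry the analysis found: eight tool names are present, but only taskmgr.exe is ever passed to a tasklist/find check, so the other seven land in ineffective_checks.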

config.json is the miner's configuration file; it stores data such as the username, password and maximum CPU usage, as shown in Fig 8.

Fig 8 : Content of config.json

On execution, driverhost.exe reads the miner configuration from config.json, connects to “xmr[.]pool[.]minergate[.]com” on port 45560 (the port used for mining), sends the username and password from config.json to the server, and starts mining, as shown in Fig 9 and Fig 10.

Fig 9 : Network Analysis
Fig 10 : Sends username and password to the server

It limits CPU usage to 35% for mining as shown in Fig 11.

Fig 11 : CPU Usage by driverhost.exe
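Both the configuration file and the first message on the wire carry indicators worth pulling out automatically: the pool host and port, the account the mining is credited to, and the CPU throttle that keeps the miner quiet. The following is an added example, not code from the page; it serves the config.json passage and the network passage above. The page does not reproduce config.json's key names or the bytes sent to the pool, so an XMRig-style layout ("pools": [{"url", "user", "pass"}] plus "max-cpu-usage") and the Monero stratum-style JSON-RPC "login" message are assumed, and both inputs below are constructed. Wallet-address detection goes beyond the page, which describes a username/password login rather than a wallet.

```python
"""Extract pool, credential and throttle IOCs from a miner config and its pool login.

Added example, not code from the page. The config layout and the login message format
are assumptions (XMRig-style config, Monero stratum-style JSON-RPC login); the sample
config and payload are constructed.
"""
import json
import re
from urllib.parse import urlsplit

KNOWN_POOL_HOSTS = {"xmr.pool.minergate.com"}          # from the page's IOC
POOL_PORTS = {45560, 3333, 4444, 5555, 7777, 14444}    # 45560 from the page; the rest are common pool ports (assumption)
XMR_ADDR = re.compile(r"\b4[0-9AB][1-9A-HJ-NP-Za-km-z]{93}\b")   # standard 95-character Monero address

CONSTRUCTED_CONFIG = json.dumps({
    "algo": "cryptonight",
    "max-cpu-usage": 35,
    "pools": [{"url": "xmr.pool.minergate.com:45560", "user": "worker@example.invalid", "pass": "x"}],
})
# First client message after the TCP connect, as a stratum-style miner would send it (constructed).
CONSTRUCTED_LOGIN = (b'{"method":"login","params":{"login":"worker@example.invalid","pass":"x",'
                     b'"agent":"driverhost/1.0"},"id":1}\n')


def pool_target(url: str) -> tuple:
    """Split 'host:port' or 'stratum+tcp://host:port' into (host, port)."""
    if "://" not in url:
        url = "stratum+tcp://" + url
    parts = urlsplit(url)
    return (parts.hostname or "").lower(), parts.port


def find_xmr_addresses(text: str) -> list:
    return XMR_ADDR.findall(text)


def config_iocs(text: str) -> dict:
    cfg = json.loads(text)
    pools = []
    for p in cfg.get("pools") or [cfg]:            # XMRig-style list, else a flat url/user/pass config
        if not isinstance(p, dict) or "url" not in p:
            continue
        host, port = pool_target(str(p["url"]))
        pools.append({
            "host": host,
            "port": port,
            "user": p.get("user", p.get("username")),
            "pass": p.get("pass", p.get("password")),
            "known_pool": host in KNOWN_POOL_HOSTS or port in POOL_PORTS,
        })
    cpu_limit = None
    for key in ("max-cpu-usage", "max_cpu_usage", "cpu-max-threads-hint"):
        if key in cfg:
            cpu_limit = int(cfg[key])
            break
    return {"pools": pools, "cpu_limit_percent": cpu_limit, "wallets": find_xmr_addresses(text)}


def parse_stratum_login(payload: bytes):
    """Credential fields from a JSON-RPC 'login' message, or None if it is not one."""
    try:
        msg = json.loads(payload.decode("utf-8", "replace").strip())
    except ValueError:
        return None
    if not isinstance(msg, dict) or msg.get("method") != "login" or not isinstance(msg.get("params"), dict):
        return None
    p = msg["params"]
    return {"login": p.get("login"), "pass": p.get("pass"), "agent": p.get("agent")}


if __name__ == "__main__":
    print(json.dumps(config_iocs(CONSTRUCTED_CONFIG), indent=2))
    print(parse_stratum_login(CONSTRUCTED_LOGIN))
```

The login in a MinerGate-style setup is an account name rather than a wallet, which is why the page's sample stores a username and password; for pools that credit a wallet directly, the 95-character address in the "user" field is the better pivot, and find_xmr_addresses() picks it up from the raw config text whatever the key is called.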

For persistence, the malware adds a shortcut to ouyk.vbs, named driverhost.lnk, in the Startup folder.

Fig 12 : Creating a shortcut for ouyk.vbs
Fig 13 : Shortcut to ouyk.vbs in the startup folder
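A shortcut in the Startup folder whose target is a script file is a persistence pattern worth checking for across a fleet, and it needs nothing more than reading the .lnk files. The following is an added example, not code from the page: a minimal parser for the Shell Link format (MS-SHLLINK: fixed header, optional LinkTargetIDList, LinkInfo LocalBasePath and the StringData fields), a check that flags script targets, and build_lnk(), a constructed fixture generator so the check runs offline. The real driverhost.lnk is not reproduced; the page only says it points at ouyk.vbs. The second case the check covers, a script host such as wscript.exe given a script as its argument, goes beyond the page.

```python
"""Flag Startup-folder shortcuts whose target is a script, or a script host handed a script.

Added example, not code from the page. parse_lnk() reads only the parts of MS-SHLLINK
needed to recover the target path; build_lnk() produces constructed fixtures for it.
"""
import struct

SHLLINK_CLSID = bytes.fromhex("0114020000000000c000000000000046")
HAS_LINK_TARGET_ID_LIST, HAS_LINK_INFO, IS_UNICODE = 0x01, 0x02, 0x80
STRING_DATA = ((0x04, "name"), (0x08, "relative_path"), (0x10, "working_dir"),
               (0x20, "arguments"), (0x40, "icon_location"))   # on-disk order
SCRIPT_EXT = (".vbs", ".vbe", ".js", ".jse", ".wsf", ".bat", ".cmd", ".ps1", ".hta")
SCRIPT_HOSTS = {"wscript.exe", "cscript.exe", "cmd.exe", "powershell.exe", "mshta.exe"}


def parse_lnk(data: bytes) -> dict:
    size, clsid, flags = struct.unpack_from("<I16sI", data, 0)
    if size != 0x4C or clsid != SHLLINK_CLSID:
        raise ValueError("not a Shell Link file")
    pos, info = 0x4C, {"local_base_path": None}
    if flags & HAS_LINK_TARGET_ID_LIST:             # skip the PIDL; only paths are needed
        (idlist_size,) = struct.unpack_from("<H", data, pos)
        pos += 2 + idlist_size
    if flags & HAS_LINK_INFO:
        li_size, _hdr, li_flags, _vol_off, lbp_off = struct.unpack_from("<IIIII", data, pos)
        if li_flags & 0x1:                          # VolumeIDAndLocalBasePath: NUL-terminated ANSI path
            end = data.index(b"\x00", pos + lbp_off)
            info["local_base_path"] = data[pos + lbp_off:end].decode("cp1252")
        pos += li_size
    for bit, key in STRING_DATA:                    # CountCharacters + chars, no terminator
        if flags & bit:
            (n,) = struct.unpack_from("<H", data, pos)
            pos += 2
            if flags & IS_UNICODE:
                info[key], pos = data[pos:pos + 2 * n].decode("utf-16-le"), pos + 2 * n
            else:
                info[key], pos = data[pos:pos + n].decode("cp1252"), pos + n
    return info


def assess_startup_shortcut(data: bytes) -> dict:
    info = parse_lnk(data)
    target = info.get("local_base_path") or info.get("relative_path") or ""
    args = info.get("arguments") or ""
    base = target.replace("/", "\\").rsplit("\\", 1)[-1].lower()
    reasons = []
    if base.endswith(SCRIPT_EXT):
        reasons.append(f"target is a script: {base}")
    if base in SCRIPT_HOSTS and any(ext in args.lower() for ext in SCRIPT_EXT):
        reasons.append(f"{base} is handed a script: {args}")
    return {"target": target, "arguments": args, "suspicious": bool(reasons), "reasons": reasons}


def build_lnk(target: str, relative: str, args: str = "") -> bytes:
    """Constructed fixture: header + LinkInfo(VolumeID, LocalBasePath) + StringData."""
    flags = HAS_LINK_INFO | 0x08 | IS_UNICODE | (0x20 if args else 0)   # 0x08 relative path, 0x20 arguments
    header = struct.pack("<I16sIIQQQIIIHHII", 0x4C, SHLLINK_CLSID, flags, 0x20,
                         0, 0, 0, 0, 0, 1, 0, 0, 0, 0)
    volume = struct.pack("<IIII", 0x11, 3, 0, 0x10) + b"\x00"          # DRIVE_FIXED, empty label
    lbp = target.encode("cp1252") + b"\x00"
    li_size = 28 + len(volume) + len(lbp) + 1                            # +1: empty CommonPathSuffix
    link_info = struct.pack("<IIIIIII", li_size, 28, 1, 28, 28 + len(volume), 0,
                            28 + len(volume) + len(lbp)) + volume + lbp + b"\x00"

    def string_data(s: str) -> bytes:
        return struct.pack("<H", len(s)) + s.encode("utf-16-le")

    return header + link_info + string_data(relative) + (string_data(args) if args else b"")


if __name__ == "__main__":
    sample = build_lnk(r"C:\Program Files\Windriverhost\ouyk.vbs", r"..\Windriverhost\ouyk.vbs")
    print(assess_startup_shortcut(sample))
```

To run this against a real machine, glob the per-user and all-users Startup folders for *.lnk and feed each file's bytes to assess_startup_shortcut(); the parser ignores the ID list and any extra data blocks, so shortcuts created by Explorer parse the same way as the minimal fixture.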

Execution Flow of miner:

IOC:

SHA256: b4ea81958403f717c1a20f18731ef05b648465c7e20cbc6f45bd2f5166c7c940

URL: hxxp://xmr[.]pool[.]minergate[.]com:45560

Quick Heal detects this Miner as “Trojan.Occamy”.

Conclusion:

As the price of, and interest in, digital currencies has grown rapidly, mining malware has increased over the last year as well. Miners are now so common that thousands of computers are already infected. Mining malware has grown not only in number but also in complexity, as the analysis above shows.

Subject Matter Expert

Ravi Gidwani,  Pratik Pachpor | Quick Heal Security Labs

About Ghanshyam More

Ghanshyam is a security researcher at Quick Heal Security Labs. He is interested in reverse engineering and analyzing security vulnerabilities and...

