Increase in Bitcoin mining malware as price soars (Nov 11, 2013)

With the price of a Bitcoin surging past $300 USD over the last week, the Dell SonicWALL Threats Research team has observed a significant increase in Bitcoin mining malware. Given the ever-increasing mining difficulty (the computation required to generate a bitcoin), mining botnets are a way of gathering enough computing power to generate bitcoins with zero hardware and energy expense to the operators, since the victims pay for both. The Trojan we analysed will even use GPUs for mining if they are present.

Infection cycle:

The Trojan adds the following files to the filesystem:

  • %APPDATA%\MozillaUpdater\jupdate.exe [Detected as GAV: BitCoinMiner.A_5 (Trojan)]
  • %APPDATA%\MozillaUpdater\mozillaupdater.exe [Detected as GAV: Ircbrute_39 (Trojan)]
  • %APPDATA%\BHEcsE.exe [Detected as GAV: Ircbrute_39 (Trojan)]
  • %APPDATA%\hnoeylZB.exe [Detected as GAV: Ircbrute_39 (Trojan)]
  • %APPDATA%\KLVlgeHa.exe [Detected as GAV: Ircbrute_39 (Trojan)]
  • %APPDATA%\MQBtxMHH.exe [Detected as GAV: Ircbrute_39 (Trojan)]
  • %APPDATA%\vGpUGvWU.exe [Detected as GAV: Ircbrute_39 (Trojan)]
  • %APPDATA%\YlGjKrFF.exe [Detected as GAV: Ircbrute_39 (Trojan)]
  • %APPDATA%\IRzNdm.exe [Detected as GAV: Ircbrute_39 (Trojan)]

The Trojan adds the following key to the Windows registry to enable startup after reboot:

  • HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run  MozillaUpdater = "%APPDATA%\MozillaUpdater\mozillaupdater.exe"
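The file drops and the Run-key persistence above are the host-side indicators a responder would check first. The script below is an added example written for this page, not SonicWall's code or a tool from the original analysis. It works on text so it runs offline: the output of `reg query HKCU\Software\Microsoft\Windows\CurrentVersion\Run` and a listing of the %APPDATA% root. The two generic heuristics it adds on top of the listed file names (any autorun that launches from the roaming %APPDATA% tree, any .exe sitting directly in the %APPDATA% root) are assumptions of this example, not findings stated in the analysis, and the sample registry output and directory listing are constructed.

```python
"""Host triage for the persistence and file-drop indicators listed above.

Added example, not SonicWall's code. It works on text so it runs offline:
the output of `reg query HKCU\\Software\\Microsoft\\Windows\\CurrentVersion\\Run`
and a listing of the %APPDATA% root directory. The two heuristics (a Run value
that launches from the roaming %APPDATA% tree, an .exe sitting directly in the
%APPDATA% root) are this example's own, not statements from the analysis.
"""
import ntpath
import os
import re
import subprocess
from typing import List, Tuple

# Dropped-file names from the analysis above, matched case-insensitively on
# the basename so the directory part does not matter.
KNOWN_DROPS = {
    "jupdate.exe", "mozillaupdater.exe", "bhecse.exe", "hnoeylzb.exe",
    "klvlgeha.exe", "mqbtxmhh.exe", "vgpugvwu.exe", "ylgjkrff.exe", "irzndm.exe",
}
KNOWN_REASON = "known Ircbrute/BitCoinMiner file name"

# Either spelling of the roaming profile directory that a Run value may use.
_APPDATA_MARKERS = ("%appdata%", "\\appdata\\roaming\\")


def _program_from_run_value(data: str) -> str:
    """Extract the program path from Run-value data, which may be a quoted
    path followed by arguments ('"C:\\x\\y.exe" /bg') or an unquoted one."""
    data = data.strip()
    if data.startswith('"'):
        end = data.find('"', 1)
        return data[1:end] if end > 0 else data[1:]
    return data.split(" ", 1)[0]


def suspicious_run_entries(reg_query_output: str) -> List[Tuple[str, str, str]]:
    """Parse `reg query ...\\Run` text output and return (value name, program,
    reason) for autoruns that use a known dropped-file name or that launch
    anything from the roaming %APPDATA% tree."""
    findings = []
    for line in reg_query_output.splitlines():
        if not line.startswith("    "):   # value lines are indented, the key line is not
            continue
        parts = re.split(r"\s{2,}", line.strip(), maxsplit=2)  # name, type, data
        if len(parts) != 3:
            continue
        name, _reg_type, data = parts
        program = _program_from_run_value(data)
        if ntpath.basename(program).lower() in KNOWN_DROPS:
            findings.append((name, program, KNOWN_REASON))
        elif any(marker in program.lower() for marker in _APPDATA_MARKERS):
            findings.append((name, program, "autorun from roaming %APPDATA%"))
    return findings


def suspicious_appdata_drops(root_listing: List[str]) -> List[Tuple[str, str]]:
    """Flag executables sitting directly in the %APPDATA% root (basenames
    only). Legitimate software installs into a subdirectory, so any .exe at
    the root deserves a look even when its name is not a known indicator."""
    findings = []
    for name in root_listing:
        if not name.lower().endswith(".exe"):
            continue
        reason = KNOWN_REASON if name.lower() in KNOWN_DROPS else "executable at %APPDATA% root"
        findings.append((name, reason))
    return findings


# Constructed sample input (not captured from a real host): one benign autorun
# under AppData\Local and the MozillaUpdater value described above.
SAMPLE_REG_QUERY = r"""
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run
    OneDrive    REG_SZ    "C:\Users\alice\AppData\Local\Microsoft\OneDrive\OneDrive.exe" /background
    MozillaUpdater    REG_SZ    "%APPDATA%\MozillaUpdater\mozillaupdater.exe"
"""
SAMPLE_APPDATA_ROOT = ["Microsoft", "Mozilla", "BHEcsE.exe", "zQwErTyU.exe", "desktop.ini"]

if __name__ == "__main__":
    if os.name == "nt":   # on Windows, read the live Run key and %APPDATA%
        reg_out = subprocess.run(
            ["reg", "query", r"HKCU\Software\Microsoft\Windows\CurrentVersion\Run"],
            capture_output=True, text=True, check=False).stdout
        listing = os.listdir(os.environ["APPDATA"])
    else:                 # elsewhere, run against the constructed sample
        reg_out, listing = SAMPLE_REG_QUERY, SAMPLE_APPDATA_ROOT
    for finding in suspicious_run_entries(reg_out):
        print("RUN ", *finding)
    for finding in suspicious_appdata_drops(listing):
        print("FILE", *finding)
```

On a Windows host the script queries the live Run key and lists %APPDATA% itself; anywhere else it runs against the constructed sample. Matching on basenames deliberately ignores the directory, so a re-dropped copy under a different folder name is still caught, while the %APPDATA% heuristic catches the same persistence trick with renamed files.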

The Trojan makes the following DNS queries:

The Trojan joins the channel #ship on a remote IRC server and awaits further instructions (other bots connected to the channel are hidden in the capture):

In the background, the Trojan updates itself by downloading and running mozillaupdater.exe [Detected as GAV: Ircbrute_39 (Trojan)]:

The Trojan runs a Bitcoin miner in the background and instructs it to join the EMC Bitcoin Mining Pool (eclipsemc.com). While mining it consumes all available CPU on the system, which is usually the first symptom a victim notices. It also attempts to locate GPU libraries so that it can mine on graphics cards as well:
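The IRC command channel and the pool connection above give defenders two network indicators for this bot, complementing the DNS lookups it makes for those hosts. The script below is an added example written for this page, not SonicWall's code or a detection from the original analysis. It scans constructed connection-log lines (the format, addresses and payloads are all made up for the example) for the #ship channel and the eclipsemc.com domain named in the analysis. One assumption is the example's own: pool clients of the period spoke JSON-RPC "getwork" or Stratum "mining.*" methods, and matching on those method names is a generic miner heuristic, not something the analysis states about this sample.

```python
"""Network-side triage for the C2 and mining indicators described above.

Added example, not SonicWall's code. It scans constructed connection-log
lines for the IRC channel (#ship) and the pool domain (eclipsemc.com) named
in the analysis. The JSON-RPC check is an assumption of this example: pool
clients of the period used "getwork" or Stratum "mining.*" methods, and
matching on those names is a generic miner heuristic, not something the
analysis states about this sample.
"""
import re
from collections import defaultdict
from typing import Dict, List, Optional, Set, Tuple

IRC_CHANNEL = "#ship"          # from the analysis
POOL_DOMAIN = "eclipsemc.com"  # from the analysis

# Constructed log format: ... src=<ip> dst=<host>:<port> payload="<bytes, quotes escaped>"
_LINE = re.compile(r'src=(\S+) dst=([^:\s]+):(\d+) payload="((?:[^"\\]|\\.)*)"')
_IRC_CMD = re.compile(r"^(NICK|USER|JOIN|PRIVMSG|PONG) ", re.IGNORECASE)
_JOIN_C2 = re.compile(r"^JOIN\s+" + re.escape(IRC_CHANNEL) + r"\b", re.IGNORECASE)
_MINING_RPC = re.compile(r'"method"\s*:\s*"(getwork|mining\.[a-z_]+)"')   # assumption, see above


def _parse(line: str) -> Optional[Tuple[str, str, str]]:
    """Return (src, host, payload) with the log's quote escaping undone."""
    m = _LINE.search(line)
    if not m:
        return None
    src, host, _port, payload = m.groups()
    return src, host.lower(), payload.replace('\\"', '"')


def tag_line(line: str) -> Set[str]:
    """Return the indicator tags a single log line triggers (empty if none)."""
    parsed = _parse(line)
    if parsed is None:
        return set()
    _src, host, payload = parsed
    tags = set()
    if _IRC_CMD.match(payload):
        tags.add("irc")
        if _JOIN_C2.match(payload):          # exact channel, so "#shipping" does not match
            tags.add("irc-c2-channel")
    if host == POOL_DOMAIN or host.endswith("." + POOL_DOMAIN):
        tags.add("mining-pool")
    if _MINING_RPC.search(payload):
        tags.add("mining-rpc")
    return tags


def triage(lines: List[str]) -> Dict[str, Set[str]]:
    """Accumulate tags per source host; hosts with no hits are omitted."""
    hosts: Dict[str, Set[str]] = defaultdict(set)
    for line in lines:
        tags = tag_line(line)
        if tags:
            hosts[_parse(line)[0]] |= tags
    return dict(hosts)


def verdict(tags: Set[str]) -> str:
    """Combine per-host tags: the bot in the analysis both sits in the IRC
    channel and talks to a pool, so that pairing is the high-confidence call."""
    mining = bool(tags & {"mining-pool", "mining-rpc"})
    if "irc-c2-channel" in tags and mining:
        return "ircbrute-miner-bot"
    if mining:
        return "mining-only"
    if "irc" in tags:
        return "irc-only"
    return "clean"


# Constructed sample log (private source addresses, RFC 5737 documentation
# addresses and example.com hosts; not real traffic).
SAMPLE_LOG = [
    r'2013-11-11T10:02:13Z src=10.0.0.7 dst=198.51.100.23:6667 payload="NICK [XP]abc1234"',
    r'2013-11-11T10:02:14Z src=10.0.0.7 dst=198.51.100.23:6667 payload="JOIN #ship"',
    r'2013-11-11T10:02:30Z src=10.0.0.7 dst=us.eclipsemc.com:8337 payload="POST / HTTP/1.1 {\"method\": \"getwork\", \"params\": [], \"id\": 1}"',
    r'2013-11-11T10:03:02Z src=10.0.0.9 dst=irc.example.net:6667 payload="JOIN #shipping"',
    r'2013-11-11T10:03:10Z src=10.0.0.12 dst=www.example.com:80 payload="GET / HTTP/1.1"',
]

if __name__ == "__main__":
    for host, tags in triage(SAMPLE_LOG).items():
        print(f"{host:<12} {verdict(tags):<20} {sorted(tags)}")
```

The per-host combination matters more than any single rule: an IRC client alone or a user running a miner alone is not this infection, but a host that joins the bot's channel and then starts talking to a pool matches the behaviour described above and is worth the host-side checks.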

SonicWALL Gateway AntiVirus provides protection against this threat via the following signatures:

  • GAV: Ircbrute_39 (Trojan)
  • GAV: BitCoinMiner.A_5 (Trojan)