Coinminer employing LOLBins and distributed with multiple unstained components

SonicWall Capture Labs Threat Research team has observed a Coin Miner using multi-component approach.

Infection Cycle

Malware is delivered to victims as a self-extracting archive file which drops following two files:

• • nur.bat
  • wmine.exe (GNU wget tool)

nur.bat starts initially and makes provision for additional malware download and execution besides removing infection footprints. It uses wmine.exe to download OS specific additional malware file from remote location:

• noloadXP.exe (Windows XP)
• noloadnof.cab (OSes above XP)

noloadnof.cab contains a Base64 encoded executable file named “noloadn.crt” which is decrypted onto local storage as noloadn.exe, then executed.

Following command used to decrypt noloadn.exe :

• certutil.exe -decode noloadn.crt noloadn.exe

Here noloadn.exe is an archive file packed using UPX 3.95. This noloadn.exe contains files such as, grim20.ime, grim40.ime, inst.bat, intl.bat, intlu.exe, mnzk12.dat, msletni.ime, nirco.exe, Resmin.exe, restr.exe, Ring, vget.exe.

Additional file information:

• Resmin.exe and restr.exe are archive files, while grim20.ime, grim40.ime , msletni.ime are encoded cab files which later will be decoded by certutil tool and spawns executable out of it.
• Vget.exe is a non-interactive network retriever Wget tool same as wmine.exe , malware author simply renamed Wget tool as wmine.exe and Vget.exe.
• Nirco.exe is nothing but nircmd tool.
  By running NirCmd with simple command-line option, you can write and delete values and keys in the Registry, write values into INI file, dial to your internet account or connect to a VPN network, restart windows or shut down the computer, create shortcut to a file, change the created/modified date of a file, change your display settings, turn off your monitor, open the door of your CD-ROM drive, and more.
• Ring is a .sys file which is later moved to system32 folder by renaming it as “WinRing0x64.sys”

                                            Fig1: commands present in nur.bat

                Fig2: Relationship between coin miner’s multiple components

System modifications

Following modifications are observed on the system after execution:

Files added:
<br /> • C:\Windows\inf\mstoble.inf <br /> • C:\Windows\SoftwareDistribution\grim.ime <br /> • C:\Windows\SoftwareDistribution\intl.bat <br /> • C:\Windows\SoftwareDistribution\intl.exe <br /> • C:\Windows\SoftwareDistribution\msletni.ime <br /> • C:\Windows\SoftwareDistribution\mstoble.cab <br /> • C:\Windows\SoftwareDistribution\mstoble.cop <br /> • C:\Windows\System32\dskdgnostbat.key <br /> • C:\Windows\System32\dwdiag.cat <br /> • C:\Windows\System32\nirc.exe <br /> • C:\Windows\System32\renim.exe <br /> • C:\Windows\System32\vget.exe <br /> • C:\Windows\System32\WinRing0x64.sys <br /> • C:\Windows\Temp\gentee00\pauto.dll <br /> • C:\Windows\Temp\gentee00\russian.lng <br /> • C:\Windows\Temp\gentee00.tmp <br /> • C:\Windows\instsrv.exe <br /> • C:\Windows\nirc.exe <br /> • C:\Windows\raid\intelrp.exe <br /> • C:\Windows\raid\mnzk12.dat <br /> • C:\Windows\shdd\hddsmart.bat <br /> • C:\Windows\shdd\hddsvc.exe <br /> • C:\Windows\smarthdd.exe <br /> • C:\Windows\subinacl.exe <br /> • C:\ProgramData\majorsv.pol <br /> • C:\Users\All Users\majorsv.pol <br />
 

Registries added:
<br /> • HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\Defender.exe\debugger: “fixmapi.exe” <br /> • HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\hostdl.exe\debugger: “fixmapi.exe” <br /> • HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\winmgmnt\debugger: “fixmapi.exe” <br /> • HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\winmgmnt.exe\debugger: “fixmapi.exe” <br /> • HKLM\SYSTEM\ControlSet001\services\HddSmart\Type: 0x00000010 <br /> • HKLM\SYSTEM\ControlSet001\services\HddSmart\Start: 0x00000002 <br /> • HKLM\SYSTEM\ControlSet001\services\HddSmart\ErrorControl: 0x00000001 <br /> • HKLM\SYSTEM\ControlSet001\services\HddSmart\ImagePath: “C:\Windows\shdd\hddsvc.exe” <br /> • HKLM\SYSTEM\ControlSet001\services\HddSmart\DisplayName: “Smart HDD” <br /> • HKLM\SYSTEM\ControlSet001\services\HddSmart\ObjectName: “LocalSystem” <br /> • HKLM\SYSTEM\ControlSet001\services\HddSmart\Description: “Service for determining the performance of hard disks and defragmenting the file system. SMARTHDD allows you to change the characteristics of hard and solid-state drives, changing the speed of the positioning of magnetic heads (AAM) and fine-tuning the level of energy-saving drives (APM). The system of dynamic read-write load allows to increase by 50-60.” <br /> • HKLM\SYSTEM\ControlSet001\services\HddSmart\Parameters\Application: “C:\Windows\shdd\hddsmart.bat” <br /> • HKLM\SYSTEM\ControlSet001\services\intelrp\Type: 0x00000010 <br /> • HKLM\SYSTEM\ControlSet001\services\intelrp\Start: 0x00000002 <br /> • HKLM\SYSTEM\ControlSet001\services\intelrp\ErrorControl: 0x00000001 <br /> • HKLM\SYSTEM\ControlSet001\services\intelrp\ImagePath: “C:\Windows\SoftwareDistribution\intl.exe” <br /> • HKLM\SYSTEM\ControlSet001\services\intelrp\DisplayName: “Intel Turbo Boost Technology” <br /> • HKLM\SYSTEM\ControlSet001\services\intelrp\ObjectName: “LocalSystem” <br /> • HKLM\SYSTEM\ControlSet001\services\intelrp\Description: “Intel Turbo Boost Technology 2.01 accelerates processor and graphics performance for peak loads, automatically allowing processor cores to run faster than the rated operating frequency if theyÆre operating below power, current, and temperature specification limits. Whether the processor enters into Intel« Turbo Boost Technology 2.0 and the amount of time the processor spends in that state depends on the workload and operating environment.” <br /> • HKLM\SYSTEM\ControlSet001\services\intelrp\Parameters\Application: “C:\Windows\SoftwareDistribution\intl.bat” <br /> • HKLM\SYSTEM\CurrentControlSet\services\HddSmart\Type: 0x00000010 <br /> • HKLM\SYSTEM\CurrentControlSet\services\HddSmart\Start: 0x00000002 <br /> • HKLM\SYSTEM\CurrentControlSet\services\HddSmart\ErrorControl: 0x00000001 <br /> • HKLM\SYSTEM\CurrentControlSet\services\HddSmart\ImagePath: “C:\Windows\shdd\hddsvc.exe” <br /> • HKLM\SYSTEM\CurrentControlSet\services\HddSmart\DisplayName: “Smart HDD” <br /> • HKLM\SYSTEM\CurrentControlSet\services\HddSmart\ObjectName: “LocalSystem” <br /> • HKLM\SYSTEM\CurrentControlSet\services\HddSmart\Description: “Service for determining the performance of hard disks and defragmenting the file system. SMARTHDD allows you to change the characteristics of hard and solid-state drives, changing the speed of the positioning of magnetic heads (AAM) and fine-tuning the level of energy-saving drives (APM). The system of dynamic read-write load allows to increase by 50-60.” <br /> • HKLM\SYSTEM\CurrentControlSet\services\HddSmart\Parameters\Application: “C:\Windows\shdd\hddsmart.bat” <br /> • HKLM\SYSTEM\CurrentControlSet\services\intelrp\Type: 0x00000010 <br /> • HKLM\SYSTEM\CurrentControlSet\services\intelrp\Start: 0x00000002 <br /> • HKLM\SYSTEM\CurrentControlSet\services\intelrp\ErrorControl: 0x00000001 <br /> • HKLM\SYSTEM\CurrentControlSet\services\intelrp\ImagePath: “C:\Windows\SoftwareDistribution\intl.exe” <br /> • HKLM\SYSTEM\CurrentControlSet\services\intelrp\DisplayName: “Intel Turbo Boost Technology” <br /> • HKLM\SYSTEM\CurrentControlSet\services\intelrp\ObjectName: “LocalSystem” <br /> • HKLM\SYSTEM\CurrentControlSet\services\intelrp\Description: “Intel Turbo Boost Technology 2.01 accelerates processor and graphics performance for peak loads, automatically allowing processor cores to run faster than the rated operating frequency if theyÆre operating below power, current, and temperature specification limits. Whether the processor enters into Intel« Turbo Boost Technology 2.0 and the amount of time the processor spends in that state depends on the workload and operating environment.” <br /> • HKLM\SYSTEM\CurrentControlSet\services\intelrp\Parameters\Application: “C:\Windows\SoftwareDistribution\intl.bat” <br /> <br />
 

SonicWall Capture Labs provides protection against this threat with the following signature:

• GAV: Cheetah.MNR

Indicators of Compromise (IOC):  

• MD5: 12154f30058cbdf167ed9d7eb1438ebe
• SHA256: 4845254ed0e2d162d0e3bb95323ef106bd75bf24dc6d7b2371bab6704ae1c13c

Following are multiple components dropped by malware:

Security News

The SonicWall Capture Labs Threat Research Team gathers, analyzes and vets cross-vector threat information from the SonicWall Capture Threat network, consisting of global devices and resources, including more than 1 million security sensors in nearly 200 countries and territories. The research team identifies, analyzes, and mitigates critical vulnerabilities and malware daily through in-depth research, which drives protection for all SonicWall customers. In addition to safeguarding networks globally, the research team supports the larger threat intelligence community by releasing weekly deep technical analyses of the most critical threats to small businesses, providing critical knowledge that defenders need to protect their networks.