Fake Windows Explorer Installs a Crypto Miner



This week the SonicWall Capture Labs threat research team came across a sample purporting to be Windows Explorer. At a glance, everything checks out – it uses the legitimate Windows Explorer icon and the file properties say Microsoft – but, once executed, it installs and runs a crypto miner.

Infection Cycle

The sample arrives as a Windows executable file using the following icon and bearing these file properties:

Figure 1: Malware installer’s file properties showing Windows Explorer from Microsoft

Upon execution, it drops malicious files in the /Windows/Fonts/ directory, including the main crypto miner file, a batch file containing malicious commands to start the mining process, and two registry files whose registry subkeys and values will later be inserted into the system registry using regedit.exe.

  • svchost.exe
  • 1.bat
  • server.reg
  • restart.reg

It then spawns the Windows command interpreter to execute the batch file.

Figure 2: Cmd is used to run 1.bat

Simultaneoulsy, it also runs the attrib command to set attributes of the entire %fonts% directory as a read-only (+r) and archive (+a).

Figure 3: The malicious Explorer.exe will run the attrib command to change attributes of the Fonts directory

Meanwhile, the 1.bat file contains the following commands:

Figure 3A: Commands

The command installs and runs a crypto miner using the specified mining pool address, port and xmr wallet. It then installs the contents of the two .reg files using regedit.exe. Next, it deletes these registry files and proceeds to change the attributes of several component files.

Figures 4 and 5 show the contents of the reg files which were imported into the system registry.

Figure 4: Contents of server.reg

Figure 5: Contents of restart.reg

Our static analysis revealed another mining configuration that uses a different mining pool address, port and xmr wallet which we did not observe being used during runtime.

Figure 6: Alternate mining pool address and xmr wallet that may be used by this malware

SonicWall Protections

SonicWall Capture Labs provides protection against this threat via the following signature:

  • GAV: Miner.XMR_1 (Trojan)

This threat is also detected by SonicWall Capture ATP w/RTDMI and Capture Client endpoint solutions.

Security News
The SonicWall Capture Labs Threat Research Team gathers, analyzes and vets cross-vector threat information from the SonicWall Capture Threat network, consisting of global devices and resources, including more than 1 million security sensors in nearly 200 countries and territories. The research team identifies, analyzes, and mitigates critical vulnerabilities and malware daily through in-depth research, which drives protection for all SonicWall customers. In addition to safeguarding networks globally, the research team supports the larger threat intelligence community by releasing weekly deep technical analyses of the most critical threats to small businesses, providing critical knowledge that defenders need to protect their networks.