Fake Windows Explorer Installs a Crypto Miner
Overview
This week the SonicWall Capture Labs threat research team came across a sample purporting to be Windows Explorer. At a glance, everything checks out – it uses the legitimate Windows Explorer icon and the file properties say Microsoft – but, once executed, it installs and runs a crypto miner.
Infection Cycle
The sample arrives as a Windows executable file using the following icon and bearing these file properties:
Figure 1: Malware installer’s file properties showing Windows Explorer from Microsoft
Upon execution, it drops malicious files in the /Windows/Fonts/ directory, including the main crypto miner file, a batch file containing malicious commands to start the mining process, and two registry files whose registry subkeys and values will later be inserted into the system registry using regedit.exe.
- svchost.exe
- 1.bat
- server.reg
- restart.reg
It then spawns the Windows command interpreter to execute the batch file.
Figure 2: Cmd is used to run 1.bat
Simultaneously, it also runs the attrib command to set the attributes of the entire %fonts% directory to read-only (+r) and archive (+a).
Figure 3: The malicious Explorer.exe will run the attrib command to change attributes of the Fonts directory
Meanwhile, the 1.bat file contains the following commands:
Figure 3A: Commands
These commands install and run a crypto miner using the specified mining pool address, port and XMR wallet. They then import the contents of the two .reg files using regedit.exe. Next, they delete these registry files and proceed to change the attributes of several component files.
Figures 4 and 5 show the contents of the reg files which were imported into the system registry.
Figure 4: Contents of server.reg
Figure 5: Contents of restart.reg
Our static analysis revealed another mining configuration that uses a different mining pool address, port and xmr wallet which we did not observe being used during runtime.
Figure 6: Alternate mining pool address and xmr wallet that may be used by this malware
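As an added example (not part of the SonicWall report), the following Python hunt runs over constructed Sysmon-style process-creation records and flags the behaviours described in the Infection Cycle: .exe/.bat/.reg payloads under Windows\Fonts, attrib setting +r +a on that directory, and explorer.exe or svchost.exe running from anywhere other than the directory Windows keeps them in. The event records, paths and rule names are constructed for illustration.

```python
import re
from typing import Dict, List, Tuple

# Constructed Sysmon-style process-creation records (not taken from the report);
# the first four mirror the behaviours described above, the last two are benign.
SAMPLE_EVENTS: List[Dict[str, str]] = [
    {"parent": r"C:\Users\user\Downloads\Explorer.exe", "image": r"C:\Windows\System32\cmd.exe",
     "cmdline": r"cmd.exe /c C:\Windows\Fonts\1.bat"},
    {"parent": r"C:\Users\user\Downloads\Explorer.exe", "image": r"C:\Windows\System32\attrib.exe",
     "cmdline": r"attrib +r +a C:\Windows\Fonts"},
    {"parent": r"C:\Windows\System32\cmd.exe", "image": r"C:\Windows\Fonts\svchost.exe",
     "cmdline": r"C:\Windows\Fonts\svchost.exe"},
    {"parent": r"C:\Windows\System32\cmd.exe", "image": r"C:\Windows\regedit.exe",
     "cmdline": r"regedit.exe /s C:\Windows\Fonts\server.reg"},
    {"parent": r"C:\Windows\explorer.exe", "image": r"C:\Windows\System32\notepad.exe",
     "cmdline": r"notepad.exe"},
    {"parent": r"C:\Windows\System32\services.exe", "image": r"C:\Windows\System32\svchost.exe",
     "cmdline": r"svchost.exe -k netsvcs"},
]

# An .exe, .bat or .reg file under Windows\Fonts, as image path or command-line argument.
FONTS_PAYLOAD = re.compile(r'\\windows\\fonts\\[^\s"]+\.(?:exe|bat|reg)\b', re.I)
# attrib setting both +r and +a (either order) on a Fonts directory (literal path or %fonts%).
ATTRIB_FONTS = re.compile(r"(?=.*\+r)(?=.*\+a).*fonts\b", re.I)
# Where the genuine binaries of these names live; anything else is masquerading.
EXPECTED_DIR = {"explorer.exe": r"c:\windows", "svchost.exe": r"c:\windows\system32"}


def _split(path: str) -> Tuple[str, str]:
    """Return (lower-cased directory, lower-cased file name) of a Windows path."""
    head, _, tail = path.lower().rpartition("\\")
    return head, tail


def detect(events: List[Dict[str, str]]) -> List[Tuple[int, str]]:
    """Return (event index, rule name) pairs for every rule an event matches."""
    findings: List[Tuple[int, str]] = []
    for i, ev in enumerate(events):
        image, cmdline, parent = ev["image"], ev["cmdline"], ev["parent"]
        if FONTS_PAYLOAD.search(image) or FONTS_PAYLOAD.search(cmdline):
            findings.append((i, "payload_in_fonts_dir"))
        if _split(image)[1] == "attrib.exe" and ATTRIB_FONTS.search(cmdline):
            findings.append((i, "attrib_on_fonts_dir"))
        for path in (image, parent):  # system binary names running from the wrong place
            directory, name = _split(path)
            if name in EXPECTED_DIR and directory != EXPECTED_DIR[name]:
                findings.append((i, name.replace(".exe", "") + "_wrong_path"))
    return findings
```

Running `detect(SAMPLE_EVENTS)` flags the first four records and none of the benign ones; in production the same rules would be fed from Sysmon Event ID 1 or Windows Security 4688 logs.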
SonicWall Protections
SonicWall Capture Labs provides protection against this threat via the following signature:
- GAV: Miner.XMR_1 (Trojan)
This threat is also detected by SonicWall Capture ATP w/RTDMI and Capture Client endpoint solutions.