We have seen a substantial growth in crypto-currency
miners this year
Crypto-currency mining is not illegal. However, there are
groups of people who trick unwitting people into installing mining software on
their computers, or exploit software vulnerabilities to do so. The criminals
obtain crypto-currency, while the computers of their victims slow down. We have
recently detected several large botnets designed to profit from concealed crypto
mining. We have also seen growing numbers of attempts to install miners on
servers owned by organizations. When these attempts succeed, the
business processes of the target organizations suffer because data processing
speeds fall substantially.
The main method used to install miners is adware
installers spread using social engineering. There are also more sophisticated
propagation methods – one uses the EternalBlue exploit published in April
2017 by the Shadow Brokers group. In this case, the cybercriminals tend to
target servers – these provide them with a more powerful asset.
We recently detected a network made up of an estimated
5,000-plus computers on which Minergate, a legal console miner, had been
installed without the knowledge or consent of the victims. The victims had
downloaded the installer from a file-hosting service, under the guise of a
freeware program or keys to activate licensed products. This installer
downloaded the miner’s dropper file to their computer. The dropper installed the Minergate
software on the computer, ensuring that it is loaded each time the computer
boots and re-installing it if it is deleted.
Often, crypto-miners come with extra services to maintain
their presence in the system, launch automatically every time the computer
boots and conceal their operation. Such services could, for example, try to turn
off security software, monitor system activities or ensure that the mining
software is always present by restoring it if the files are deleted.
Concealed miners are very difficult to detect because of
their specific nature and operating principles. Anyone can choose to install
this kind of software and legally use it to mine a crypto-currency.
Monero (XMR) and Zcash are the two currencies most often
used in concealed mining. They both ensure the anonymity of transactions – this
is clearly very useful for cybercriminals. Even according to conservative
estimates, a mining network can generate up to $30,000 per month for its
owners.
The above image shows a wallet coded into the miner’s
configuration data. At the time of writing, 2,289 XMR had been transferred from
this wallet, which at the current exchange rate is equivalent to $208,299.
The authors of malware use various techniques to
circumvent defensive mechanisms and conceal harmful activity. One of them is
the practice of hiding malicious code in the context of a trusted process.
Typically, malware that uses concealment techniques injects its code into a
system process, e.g. explorer.exe. But some samples employ other interesting
methods. We’re going to discuss one such type of malware.
 
Our attention was drawn to several .NET samples that use
the trusted application InstallUtil.exe from the Microsoft .NET Framework
(information from Microsoft’s website: “The Installer tool is a command-line
utility that allows you to install and uninstall server resources by executing
the installer components in specified assemblies. This tool works in conjunction
with classes in the System.Configuration.Install namespace”).
Briefly, the console utility InstallUtil.exe runs a
malicious .NET assembly, bypassing the entry point of the assembly; all
malicious activity is then hidden in the context of the trusted process.
 
The spreading of malicious samples follows a standard
pattern: they typically reach the user in a password-protected archive, and in
most cases the executable file icons are chosen so that the victim
perceives the file as an ordinary document or photo. We also encountered
executable files masquerading as a key generator for common software. To begin
with, the malicious payload of the generator was placed in the %TEMP% folder,
from where it was later run in the manner described.
InstallUtil.exe allows execution to start somewhere other than
the .NET assembly’s entry point: execution begins in a class that inherits from
System.Configuration.Install.Installer. To facilitate manual analysis, this
class was renamed InstallUtilEntryClass in the sample under investigation. The
code in a static class constructor is known to execute first, when the assembly
is loaded into memory, a feature exploited by the authors of this piece of
malware.
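The following is an added example, not code from the original article or from the malware it describes: a heuristic detector for suspicious InstallUtil.exe launches, run over constructed process-creation log lines. The "key=value|key=value" line layout and the field names Image, CommandLine, ParentImage and User are assumptions made for this example, as is the scoring. The signals follow what the article describes: InstallUtil.exe being handed an assembly that sits in a user-writable folder such as %TEMP%, a file name with a document-or-photo double extension, and a parent process that itself lives in a user-writable folder. The /U (uninstall) and /LogToConsole switches are real InstallUtil.exe options; treating them as additional signals is this example's choice, not the article's.

```python
"""Added example (not from the article): flag suspicious InstallUtil.exe runs
in constructed process-creation telemetry. Field names and the log layout are
assumptions made for this example."""
import re
from dataclasses import dataclass, field

# Constructed sample telemetry (not real data). Lines 1 and 4 are the
# suspicious ones; lines 2 and 3 are ordinary activity.
SAMPLE_LOG = r"""
Image=C:\Windows\Microsoft.NET\Framework64\v4.0.30319\InstallUtil.exe|CommandLine="InstallUtil.exe" /logfile= /LogToConsole=false /U C:\Users\alice\AppData\Local\Temp\keygen.exe|ParentImage=C:\Users\alice\Downloads\keygen.exe|User=CORP\alice
Image=C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe|CommandLine="InstallUtil.exe" "C:\Program Files\Vendor\Service.exe"|ParentImage=C:\Windows\System32\msiexec.exe|User=NT AUTHORITY\SYSTEM
Image=C:\Windows\explorer.exe|CommandLine=explorer.exe|ParentImage=C:\Windows\System32\userinit.exe|User=CORP\alice
Image=C:\Windows\Microsoft.NET\Framework64\v4.0.30319\InstallUtil.exe|CommandLine=InstallUtil.exe C:\Users\bob\Downloads\photo.jpg.exe|ParentImage=C:\Windows\explorer.exe|User=CORP\bob
"""

# Folders an unprivileged user can write to; a legitimate installer rarely
# hands InstallUtil an assembly from one of these.
USER_WRITABLE = re.compile(r"\\temp\\|\\appdata\\|\\downloads\\|\\users\\public\\|%temp%", re.I)
# "photo.jpg.exe"-style names that hide the executable extension.
DOUBLE_EXT = re.compile(r"\.(jpg|jpeg|png|gif|doc|docx|pdf|xls|xlsx)\.exe$", re.I)


@dataclass
class Finding:
    line_no: int
    user: str
    assembly: str
    signals: list = field(default_factory=list)


def parse_line(line):
    """Split one constructed 'key=value|key=value' line into a dict. Only the
    first '=' of each field separates key from value, so '/LogToConsole=false'
    inside CommandLine survives. Real telemetry needs a proper parser."""
    fields = {}
    for part in line.split("|"):
        key, _, value = part.partition("=")
        fields[key.strip()] = value.strip()
    return fields


def tokenize(cmd):
    """Split a command line into tokens, keeping quoted paths whole."""
    return [t.strip('"') for t in re.findall(r'"[^"]*"|\S+', cmd)]


def analyse(fields, line_no):
    """Return a Finding for an InstallUtil.exe launch that carries at least one
    suspicious signal, otherwise None."""
    if not fields.get("Image", "").lower().endswith("\\installutil.exe"):
        return None
    tokens = tokenize(fields.get("CommandLine", ""))
    switches = [t.lower() for t in tokens[1:] if t.startswith(("/", "-"))]
    positional = [t for t in tokens[1:] if not t.startswith(("/", "-"))]
    # InstallUtil takes the assembly path as its positional argument.
    assembly = positional[-1] if positional else ""
    finding = Finding(line_no, fields.get("User", ""), assembly)
    if USER_WRITABLE.search(assembly):
        finding.signals.append("assembly in user-writable folder")
    if DOUBLE_EXT.search(assembly):
        finding.signals.append("document/photo double extension")
    if USER_WRITABLE.search(fields.get("ParentImage", "")):
        finding.signals.append("parent process in user-writable folder")
    if any(s in ("/u", "/uninstall") for s in switches):
        finding.signals.append("/U switch")
    if "/logtoconsole=false" in switches:
        finding.signals.append("console logging suppressed")
    return finding if finding.signals else None


def scan(log_text):
    """Run the heuristics over every non-empty line; line numbers are 1-based."""
    findings = []
    for n, line in enumerate(log_text.strip().splitlines(), 1):
        if line.strip():
            result = analyse(parse_line(line), n)
            if result:
                findings.append(result)
    return findings


if __name__ == "__main__":
    for f in scan(SAMPLE_LOG):
        print(f"line {f.line_no}: {f.user} ran InstallUtil on {f.assembly}")
        for s in f.signals:
            print("   -", s)
```

Each signal on its own is weak (administrators do run InstallUtil from odd paths), so the detector reports the full list of signals per launch and leaves the severity decision to the analyst; in practice a rule like this would sit alongside the parent/child process relationship and the hash of the assembly InstallUtil was handed.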
 
