Cyble-Coin Miner

Dual Malware Infection Targets Cryptocurrency Users

Coinminer Pushes Clipper For Rapid Monetary Gain

Threat Actors (TAs) constantly look for different approaches to generate income to further their goals. The growth of cryptocurrency as an acceptable medium of exchange creates an opportunity for TAs to compromise an organization/individual and discreetly carry out cryptocurrency mining activities through malware such as Coinminer.

Cryptocurrency is a form of digital money (an alternative to traditional money) that exists only online, has no physical form, and is based on blockchain technology. Unlike conventional currency, cryptocurrency is encrypted and decentralized, which means it cannot be modified and no central authority manages it.

Mining is the process of running complex mathematical calculations necessary to maintain the blockchain ledger. This process generates coins, and earning cryptocurrency through mining typically involves a huge amount of processing power and requires significant computing resources and energy.

Coinminer is a cryptocurrency-mining malware that steals CPU cycles and RAM resources to perform mining calculations for various cryptocurrencies. It is designed to be very stealthy because it does not cause any obvious harm and runs in the background for as long as possible to carry out mining on the victim’s device.

Cyble Research and Intelligence Labs (CRIL) found an interesting malware that performs coin-mining and also downloads a clipper. The Threat Actor, in this case, intends to utilize a victim’s machine for coin mining and hijacking cryptocurrency transactions using a customized clipper.

The initial infection usually starts via spam email that contains a malicious attachment or when a victim downloads any mining software application from untrusted websites.

Technical Details

We analysed the sample “WindowsFormsApp3.exe” (SHA256: ca43548571c559a85f937635951c1ebd2a26d2ad84a8cc96f669d6b48fd2b9b7), which is a 64-bit GUI-based .NET executable.

Figure 1 –  Static file details of the Coinminer file

Upon execution of “WindowsFormsApp3.exe”, it drops a copy of itself named “MIDNAUHE.exe” into the “C:\ProgramData\Microsoft\” location. It launches the following PowerShell command to add the “ProgramData” path into Windows Defender’s exclusion list. By adding itself to the exclusion list, the malware can easily evade detection by Windows Defender.

  • "powershell" -Command Add-MpPreference -ExclusionPath 'C:\ProgramData'

After that, the malware drops the “tmp6082.tmp.bat” batch file into the %temp% directory and runs it. The batch file starts the “MIDNAUHE.exe” process and deletes itself.

Then, “MIDNAUHE.exe” creates a mutex named “MIDNAUHE” to ensure that only one instance of the malware is running on the victim’s system and adds a Task Scheduler entry for itself using the following command line:

  • "C:\Windows\System32\cmd.exe" /c schtasks /create /f /sc MINUTE /mo 5 /RL HIGHEST /tn "MIDNAUHE" /tr "C:\ProgramData\Microsoft\MIDNAUHE.exe"

Figure 2 – Task scheduler entry of Coinminer

Using this persistence, the malware executes every 5 minutes indefinitely. Next, the “WindowsFormsApp3.exe” file downloads a clipper malware named “Build.exe” from the following URL into the %AppData% directory and executes it.

  • hxxp[:]//s457516.ha003.t.justns[.]ru/clipper/Build[.]exe

Additionally, the malware takes a screenshot of the victim machine using the BitBlt() API function, base64-encodes it and then URL-encodes the result. It also collects system information using the following WMI queries.

  • SELECT Name FROM Win32_Processor -> CPU information
  • SELECT * FROM Win32_VideoController -> GPU information
  • SELECT TotalPhysicalMemory FROM Win32_ComputerSystem -> RAM size
  • SELECT * FROM AntivirusProduct -> Installed Antivirus software information

After collecting the required information, the miner sends these stolen details to the C&C (Command and Control) server, as shown below.

Figure 3 – Exfiltration to C&C server

Finally, it injects code into “vbc.exe” (the Visual Basic command-line compiler) and connects to the mining pool URL using the following command line:

  • C:\Windows\Microsoft.NET\Framework64\v4.0.30319\vbc.exe -a verus -o stratum+tcp[:]//na.luckpool[.]net:3956 -u RXXAfc[Redacted]HLkp[.]work -p x -t 5

The TA uses Luckpool, a multi-cryptocurrency mining pool, for mining. It is a reliable and well-organised pool for cryptocurrencies such as Zcash, Zclassic, BitcoinZ, Hush, Zen, VoteCoin, and Komodo, which use the Equihash algorithm. The table below lists the command-line arguments used by the malware.

| Argument | Meaning |
|---|---|
| -a | Sets the mining algorithm (verus) |
| -o | Sets the pool URL and port (stratum+tcp[:]//na.luckpool[.]net:3956; “na” is the North America server) |
| -u | User wallet ID |
| -p | Sets the password for pool authorization (“x” is used as the password) |
| -t | Time rolling offset (5 seconds) |
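The three Coinminer behaviours described above (the Defender exclusion, the five-minute scheduled task from ProgramData, and the stratum pool connection made from vbc.exe) can all be hunted in process command-line telemetry. The following is an added example written for this post, not Cyble's tooling; it runs over constructed sample command lines in which the pool host and wallet are placeholders rather than the real indicators.

```python
import re
from typing import Dict, List, Optional
from urllib.parse import urlsplit

# Miner switches as listed in the table above: -a algorithm, -o pool URL, -u wallet.
ALGO_RE = re.compile(r"-a\s+(\S+)")
POOL_RE = re.compile(r"-o\s+(stratum\+tcp://\S+)")
WALLET_RE = re.compile(r"-u\s+(\S+)")

def parse_miner_args(cmdline: str) -> Dict[str, Optional[object]]:
    """Extract algorithm, pool host/port and wallet from a miner command line."""
    algo, pool, wallet = (r.search(cmdline) for r in (ALGO_RE, POOL_RE, WALLET_RE))
    host = port = None
    if pool:
        url = urlsplit(pool.group(1))       # "stratum+tcp" is a valid scheme for urlsplit
        host, port = url.hostname, url.port
    return {"algo": algo.group(1) if algo else None, "pool_host": host,
            "pool_port": port, "wallet": wallet.group(1) if wallet else None}

def hunt(cmdlines: List[str]) -> List[str]:
    """Flag the three behaviours the post attributes to the Coinminer."""
    findings = []
    for c in cmdlines:
        low = c.lower()
        exe = c.split()[0].strip('"').lower()
        if "add-mppreference" in low and "-exclusionpath" in low:
            findings.append("Defender exclusion added: " + c)
        if "schtasks" in low and "/sc minute" in low and "programdata" in low:
            findings.append("minute-level scheduled task running from ProgramData: " + c)
        if "stratum+tcp://" in low:
            m = parse_miner_args(c)
            note = f"pool connection to {m['pool_host']}:{m['pool_port']} (algo {m['algo']})"
            if exe.endswith("vbc.exe"):     # the injection host seen here; a compiler never mines
                note += " from vbc.exe, consistent with process injection"
            findings.append(note)
    return findings

# Constructed telemetry modelled on the command lines shown above; the pool host
# and wallet are placeholders, not the real indicators.
SAMPLE_CMDLINES = [
    '"powershell" -Command Add-MpPreference -ExclusionPath \'C:\\ProgramData\'',
    '"C:\\Windows\\System32\\cmd.exe" /c schtasks /create /f /sc MINUTE /mo 5 /RL HIGHEST '
    '/tn "MIDNAUHE" /tr "C:\\ProgramData\\Microsoft\\MIDNAUHE.exe"',
    'C:\\Windows\\Microsoft.NET\\Framework64\\v4.0.30319\\vbc.exe -a verus '
    '-o stratum+tcp://pool.example.net:3956 -u WALLET_PLACEHOLDER.work -p x -t 5',
    '"C:\\Program Files\\Example\\editor.exe" C:\\Users\\alice\\notes.txt',
]

if __name__ == "__main__":
    for finding in hunt(SAMPLE_CMDLINES):
        print(finding)
```

On a live host the same checks can be fed from Sysmon event ID 1 or EDR process-creation records, and the Defender exclusion can additionally be confirmed from the Add-MpPreference audit trail.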

Now, the malware starts mining using the TA’s wallet address on the victim’s machine, generating revenue for the TA. The below figure shows the TA’s Luckpool dashboard, which displays the stats such as total money paid, balance, etc., indicating the possibility of financial gain using this Coinminer.

Figure 4 – TA’s wallet information

The below image shows the process tree of the Coinminer malware.

Figure 5 – Process tree of Coinminer

Clipper Malware

Clipper malware is a family of malicious programs that targets cryptocurrency users. It hijacks the clipboard of an infected system; the clipboard is the buffer where copied data is stored for copy-paste operations in Windows.

When the victim copies the cryptocurrency wallet address, the clipper malware replaces the address in the clipboard with the wallet address provided by the TA, resulting in financial loss to the victim.

The clipper (“Build.exe”) runs at the same time as the Coinminer is mining. Upon execution, the clipper creates a mutex to ensure that only one instance of the malware is running on the victim’s system at any given time. The figure below shows the created mutex name.

Figure 6 – Mutex creation

Then, the clipper copies itself into the %AppData% directory under the name “zxcfcf.exe” using the CopyFileA() API, as shown below.

Figure 7 – Copies itself into Appdata

After that, the clipper adds the path of the dropped copy into the Run entry for persistence, which automatically executes the malware when the user logs in.

Figure 8 – Run entry for persistence

Next, the malware reads the clipboard contents using the GetClipboardData() API, as shown in the figure below.

Figure 9 – GetClipboardData() function

The malware then checks whether the clipboard data contains a cryptocurrency wallet address by validating it against conditions such as the length of the string and its starting characters, as shown below.

Figure 10 – Validating Clipboard Data

If the clipper identifies a wallet address in the clipboard, it replaces the original address with the TA’s address using the OpenClipboard(), EmptyClipboard(), and SetClipboardData() APIs, as shown below.

Figure 11 – Replacing Clipboard value with TA’s wallet address

The table below lists the cryptocurrencies targeted by the clipper, the conditions it uses to identify each kind of wallet address, and the TA’s wallet address that the clipper substitutes in each case.

| Cryptocurrency | Condition to identify wallet address | TA’s wallet address |
|---|---|---|
| BTC | StrLen >= 0x1a and <= 0x26, and first char is “1” or “3” | bc1qqx3mt05z6zh7ucn5egejcxckl7fk6edaq6uzp0 |
| BTC | StrLen equal to 0x2A or 0x3E, and string starts with “bc1” | bc1qqx3mt05z6zh7ucn5egejcxckl7fk6edaq6uzp0 |
| ETH | StrLen equal to 0x2A, and string starts with “0x” | 0x5B28638188D7D9be3cAfE4EB72D978a909a70466 |
| XMR | StrLen equal to 0x5E or 0x5F, and first char is “4” or “8” | 43M2qEUHMmoZdyUhxzHZLGNpLzF9KFzEXdR388EaGFgUKwRpQnfT8ueaaCnJF27KqC7qYkPWZyFPX2GAqygBZkmpUboULAZ |
| Zcash | StrLen equal to 0x23, and first char is “t” | t1LhqVruXCwo4jdo8kdUTR3hDwGUikxsCxr |
| Dash | StrLen equal to 0x22, and first char is “X” or “7” | Xovkn8Hvb5xguW9jHd7ieJHTU3g5Ju3xYt |
| Doge | StrLen equal to 0x22, and first char is “D”, “9” or “A” | D8d2QVCXTT2XkkuYJQECsZLniMVNGHzZ1K |
| XRP | StrLen equal to 0x22, and first char is “r” | rHLevkBMjVgfywHVi93jgCbj24zik86oLy |
| TRON (TRX) | StrLen equal to 0x22, and first char is “T” | TXSqW63v89RdoenCYYsfEuZH3KM6aCmExp |
| BNB | StrLen equal to 0x2A, and string starts with “bnb” | bnb15nqs5gfrp3e5sr54hcpvw3w0r3z6dlu5tcr5f0 |
| Cosmos | StrLen equal to 0x2D, and string starts with “cosm” | cosmos1k6qjwh2d8jhf0kcxwkyz77avegqx76wvgzgh72 |
| Ronin | StrLen equal to 0x2E, and string starts with “ronin:” | ronin:5B28638188D7D9be3cAfE4EB72D978a909a70466 |
| LTC | StrLen equal to 0x2B, and string starts with “ltc” | ltc1q4u0c7q473yzw03vkrtcl0465sn73utf6sg4qu2 |
| LTC | StrLen equal to 0x22, and first char is “L” or “M” | ltc1q4u0c7q473yzw03vkrtcl0465sn73utf6sg4qu2 |
| Polkadot (DOT) | StrLen equal to 0x30, and first char is “1” | 1656LHoL297jW1PTYqGgPXKaBetF6TaLED3KyjejSo2iKPM8 |
| BCH | StrLen equal to 0x2A, and first char is “q” | qpwxpc4asvawn32dx5q6ua4uewvf2hvymsykm58t8r |
| Tezos | StrLen equal to 0x24, and string starts with “tz” | tz1f8twz44yA73xLubJEf1udcPDxnqYzRCSp |
| Cardano (ADA) | StrLen equal to 0x67, and string starts with “addr” | addr1qyte8n6y3sry5a3wt86qv5fp0l74elxt2kfpahh2h6xj4lj5efljv0paqyq4ccfdrvavzlz2jwperxfm04yeseq7fhpqge4q4g |
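The length-and-prefix rules in the table can be turned around for defence: when the clipboard holds a wallet-shaped string that differs from the one the user just copied, a clipper has most likely intervened. The following is an added example, not code from this post or from the malware; the rule list is transcribed from the table above (hex lengths converted to decimal) and the sample addresses are constructed, not real wallets.

```python
from typing import List, Optional

# Address rules transcribed from the table above as (coin, accepted lengths, prefixes).
# Lengths are the table's hex values in decimal, e.g. 0x1a..0x26 = 26..38, 0x2A = 42.
RULES = [
    ("BTC", set(range(26, 39)), ("1", "3")), ("BTC", {42, 62}, ("bc1",)),
    ("ETH", {42}, ("0x",)),                 ("XMR", {94, 95}, ("4", "8")),
    ("Zcash", {35}, ("t",)),                ("Dash", {34}, ("X", "7")),
    ("Doge", {34}, ("D", "9", "A")),        ("XRP", {34}, ("r",)),
    ("TRX", {34}, ("T",)),                  ("BNB", {42}, ("bnb",)),
    ("Cosmos", {45}, ("cosm",)),            ("Ronin", {46}, ("ronin:",)),
    ("LTC", {43}, ("ltc",)),                ("LTC", {34}, ("L", "M")),
    ("DOT", {48}, ("1",)),                  ("BCH", {42}, ("q",)),
    ("Tezos", {36}, ("tz",)),               ("ADA", {103}, ("addr",)),
]

def matching_coins(text: str) -> List[str]:
    """Coins whose clipper rule (length and prefix only, as in the table) the string satisfies."""
    hits: List[str] = []
    for coin, lengths, prefixes in RULES:
        if len(text) in lengths and text.startswith(prefixes) and coin not in hits:
            hits.append(coin)
    return hits

def clipboard_swapped(copied: str, clipboard_now: str) -> Optional[str]:
    """Describe a swap when the clipboard no longer holds the wallet-like string the
    user copied but a different wallet-like string, which is the clipper's visible effect."""
    if copied == clipboard_now:
        return None
    before, after = matching_coins(copied), matching_coins(clipboard_now)
    if before and after:
        return f"copied a {before[0]} address, clipboard now holds a different {after[0]} address"
    return None

# Constructed sample values (not real wallets): a 34-char "1..." legacy-BTC-shaped string
# the user copied, and a different string of the same shape found in the clipboard later.
COPIED = "1" + "A" * 33
PLANTED = "1" + "B" * 33

if __name__ == "__main__":
    print(matching_coins(COPIED))              # ['BTC']
    print(clipboard_swapped(COPIED, PLANTED))
```

A wallet application or endpoint agent can run this comparison on every paste, and any mismatch is a strong signal to hunt for the Run-key persistence and the %AppData% copy described above.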

The clipper continuously monitors the victim’s clipboard and replaces any wallet address it recognises when the victim copies one to make a cryptocurrency transaction, redirecting the transaction to the TA’s wallet. The figure below shows the transaction details of one of the TA’s wallet addresses.

Figure 12 – Transaction Details of the Wallet Address provided by the TA

Conclusion 

In this case, the TAs appear to be using two different malware families for financial gain. The Coinminer silently misuses the system resources (CPU and RAM mostly) to generate revenue without users’ consent, considerably reducing the victim’s overall system performance.

Using the victim’s computing power to mine cryptocurrency exhausts its resources and drastically impacts the productivity of the user/organization. The TA also delivers clipper malware which redirects the cryptocurrency transactions to the TA’s wallet address.

Coinminer and Clipper malware families are mostly spread and dropped onto a victim’s system via phishing campaigns. Organizations and individuals should thus continue to follow industry best cybersecurity practices to secure themselves and their firms.

Our Recommendations

  • Enterprises should prevent users from downloading pirated software from Warez/Torrent websites. The “hack tools” advertised on sites such as YouTube and torrent sites often carry such malware.
  • Organizational information security policies/acceptable usage policies should be updated to explicitly prohibit downloading and installing crypto mining software on end-user systems.
  • Users should turn on the automatic software update feature on their computer, mobile, and other connected devices.
  • Using a reputed antivirus and internet security software package is recommended on connected devices, including PC, laptops, and mobile.
  • As part of ongoing security awareness and training, users should be educated to refrain from opening untrusted links and Email attachments without first verifying their authenticity.
  • Educate employees on protecting themselves from threats like phishing attacks and untrusted URLs.
  • Block URLs that could be used to spread the malware, e.g., Torrent/Warez.
  • Endpoints and servers should be monitored for unexpected spikes in CPU and RAM utilization that could point to a potential malware infection.

MITRE ATT&CK® Techniques

| Tactic | Technique ID | Technique Name |
|---|---|---|
| Execution | T1204 | User Execution |
| Execution | T1064 | Scripting |
| Execution | T1059 | PowerShell |
| Execution | T1047 | Windows Management Instrumentation |
| Persistence | T1053 | Scheduled Task/Job |
| Persistence | T1547 | Registry Run Keys / Startup Folder |
| Privilege Escalation | T1055 | Process Injection |
| Defense Evasion | T1562 | Disable or Modify Tools |
| Defense Evasion | T1497 | Virtualization/Sandbox Evasion |
| Defense Evasion | T1036 | Masquerading |
| Discovery | T1057 | Process Discovery |
| Discovery | T1082 | System Information Discovery |
| Discovery | T1518 | Security Software Discovery |
| Command and Control | T1071 | Application Layer Protocol |
| Command and Control | T1105 | Ingress Tool Transfer |

Indicators of Compromise (IOCs)

| Indicator | Indicator Type | Description |
|---|---|---|
| c96d5487277ca5bf6f24520f8e391822 | MD5 | Coinminer |
| 4280f1ada0111c007639df85803374f83467c3ff | SHA1 | Coinminer |
| ca43548571c559a85f937635951c1ebd2a26d2ad84a8cc96f669d6b48fd2b9b7 | SHA256 | Coinminer |
| 5da8e6eb7cb52158a74984fd7654c358 | MD5 | Clipper |
| 8d018493bbd7fea91f593449f18451c21f60074d | SHA1 | Clipper |
| 7aed09594ae9c7a3d71b30ef800ca6c81cdf5619f39cbcf8b7f9ca8b7e0eb1ef | SHA256 | Clipper |
| hxxp://s457516.ha003.t.justns[.]ru/clipper/Build[.]exe | URL | Malware distribution URL |