Coinminer Pushes Clipper For Rapid Monetary Gain
Threat Actors (TAs) constantly look for new ways to generate income to further their goals. The growth of cryptocurrency as an accepted medium of exchange gives TAs an incentive to compromise organizations and individuals and discreetly mine cryptocurrency on the compromised machines through malware such as Coinminer.
Cryptocurrency is a form of digital money (an alternative to traditional money) that exists only online, with no physical form, and is built on blockchain technology. Unlike conventional currency it is decentralized: the ledger is secured by cryptography (hash chains and digital signatures) rather than by a central authority, so confirmed transactions cannot practically be altered.
Mining is the process of running the proof-of-work computations (repeated hashing) that add new blocks to the blockchain ledger. The process rewards the miner with newly issued coins, and earning cryptocurrency this way normally requires a huge amount of processing power, hardware and electricity, which is exactly what an attacker obtains for free from infected machines.
Coinminer is cryptocurrency-mining malware that steals CPU cycles and RAM to perform mining calculations for various cryptocurrencies. It is designed to be stealthy: it causes no obvious damage and runs in the background for as long as possible to keep mining on the victim’s device.
Cyble Research and Intelligence Labs (CRIL) found an interesting malware that performs coin-mining and also downloads a clipper. The Threat Actor, in this case, intends to utilize a victim’s machine for coin mining and hijacking cryptocurrency transactions using a customized clipper.
The initial infection usually starts with a spam email carrying a malicious attachment, or with the victim downloading mining software from an untrusted website.
We took the following sample for analysis: “WindowsFormsApp3.exe”, SHA256 ca43548571c559a85f937635951c1ebd2a26d2ad84a8cc96f669d6b48fd2b9b7, a 64-bit GUI-based .NET executable.
Upon execution, “WindowsFormsApp3.exe” drops a copy of itself named “MIDNAUHE.exe” into “C:\ProgramData\Microsoft\” and launches the following PowerShell command to add the “ProgramData” path to Windows Defender’s exclusion list. Because the dropped copy lives inside the excluded directory, Defender will no longer scan it. Add-MpPreference only succeeds from an elevated context, so the dropper must already hold administrative rights; the resulting exclusions can be reviewed with Get-MpPreference (the ExclusionPath property), and an entry for a user-writable location such as ProgramData is a strong indicator on its own.
- "powershell" -Command Add-MpPreference -ExclusionPath 'C:\ProgramData'
After that, the malware drops a batch file, “tmp6082.tmp.bat”, into the %temp% directory and runs it. The batch file starts the “MIDNAUHE.exe” process and then deletes itself.
Then “MIDNAUHE.exe” creates a mutex named “MIDNAUHE” to ensure that only one instance of the malware runs on the victim’s system, and registers a scheduled task for itself using the following command line:
- "C:\Windows\System32\cmd.exe" /c schtasks /create /f /sc MINUTE /mo 5 /RL HIGHEST /tn "MIDNAUHE" /tr "C:\ProgramData\Microsoft\MIDNAUHE.exe"
With this persistence the task relaunches the malware every 5 minutes indefinitely (/sc MINUTE /mo 5) at the highest privilege level available to the creating account (/RL HIGHEST); /f silently overwrites any existing task of the same name. Next, “WindowsFormsApp3.exe” downloads a clipper named “Build.exe” from the download URL shown in the figure below into the %AppData% directory and executes it.
The malware also takes a screenshot of the victim’s desktop using the BitBlt() API, base64-encodes it and then URL-encodes the result for transmission. In addition, it collects system information using the following WMI queries:
- SELECT Name FROM Win32_Processor -> CPU information
- SELECT * FROM Win32_VideoController -> GPU information
- SELECT TotalPhysicalMemory FROM Win32_ComputerSystem -> RAM size
- SELECT * FROM AntivirusProduct -> installed antivirus products
The first three classes live in the default root\cimv2 namespace, whereas AntivirusProduct is only available under root\SecurityCenter2, so the miner has to open that namespace explicitly; a freshly started process querying root\SecurityCenter2 is a reliable sign of security-software discovery. The CPU and GPU details tell the TA how much hash rate the victim can deliver.
After collecting the required information, the miner sends these stolen details to the C&C (Command and Control) server, as shown below.
Finally, it injects the mining payload into “vbc.exe” (the Visual Basic command-line compiler, a signed Microsoft binary that has no legitimate reason to open a Stratum connection) and connects to the mining pool using the following command line:
- C:\Windows\Microsoft.NET\Framework64\v4.0.30319\vbc.exe -a verus -o stratum+tcp[:]//na.luckpool[.]net:3956 -u RXXAfc[Redacted]HLkp.work -p x -t 5
The TA mines through Luckpool, a multi-cryptocurrency mining pool that is well established for Equihash coins such as Zcash, Zclassic, BitcoinZ, Hush, Zen, VoteCoin and Komodo. In this case, however, the -a verus argument and the R-prefixed wallet address (the Verus address format) show that the coin being mined is Verus (VRSC), which uses the VerusHash algorithm, designed to be mined on CPUs, rather than Equihash; that fits a campaign running on commodity victim hardware. The table below explains the command-line arguments used by the malware.

| Argument | Meaning |
|---|---|
| -a | Mining algorithm (verus, i.e. VerusHash) |
| -o | Pool URL and port: stratum+tcp[:]//na.luckpool[.]net:3956 (na = North America server) |
| -u | Pool username, i.e. the TA’s wallet address; the “.work” suffix is the worker name in the usual address.worker convention |
| -p | Pool password (x, the conventional placeholder that most pools ignore) |
| -t | Number of mining threads (5). In ccminer/cpuminer-style miners -t is the thread count, not a time offset; a fixed, modest thread count keeps CPU usage below the level a user would notice |
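The install chain described above (Defender exclusion, elevated five-minute scheduled task from ProgramData, and a .NET compiler talking Stratum) is easy to hunt for in process-creation telemetry. The script below is an added example, not Cyble’s or the malware’s code: it runs a few behavioural checks over constructed Sysmon-style records modelled on the command lines quoted in this write-up, tags each hit with the ATT&CK technique it corresponds to, and pulls the pool endpoint out as an IOC. The watchlist of hollowing hosts, the list of user-writable paths and the sample records are assumptions made for the example.

```python
"""Hunt for the Coinminer install chain in process-creation telemetry.

Added example, not Cyble's or the malware's code. It scans constructed
Sysmon-style process-creation records (image, parent, command line) for
the behaviours described above: the Defender exclusion, the high-frequency
elevated scheduled task launched from ProgramData, and a .NET compiler that
suddenly carries Stratum mining arguments. Watchlists and sample records
are assumptions made for this example.
"""
import re
from urllib.parse import urlsplit

# Assumed watchlist: signed .NET tooling commonly hollowed to host a miner.
HOLLOWING_HOSTS = {"vbc.exe", "csc.exe", "msbuild.exe", "regasm.exe",
                   "regsvcs.exe", "installutil.exe", "aspnet_compiler.exe"}
# Assumed list of user-writable locations a scheduled task should rarely run from.
USER_WRITABLE = ("c:\\programdata", "\\appdata\\", "\\temp\\", "\\users\\public")

DEFENDER_EXCL = re.compile(
    r'''add-mppreference\b.*?-exclusion(path|process|extension)\s+['"]?([^'"\s]+)''', re.I)
SCHTASKS_CREATE = re.compile(r"\bschtasks(?:\.exe)?\b.*?/create\b", re.I)
STRATUM = re.compile(r"(?:^|\s)-o\s+(stratum\+(?:tcp|ssl)://\S+)", re.I)
WALLET = re.compile(r"(?:^|\s)-u\s+(\S+)")
ALGO = re.compile(r"(?:^|\s)-a\s+(\S+)")

# Constructed sample records modelled on the command lines quoted above
# (paths and parent processes are illustrative, not taken from the sample).
SAMPLE_EVENTS = [
    {"image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "parent": r"C:\Users\victim\Downloads\WindowsFormsApp3.exe",
     "cmdline": r"powershell -Command Add-MpPreference -ExclusionPath 'C:\ProgramData'"},
    {"image": r"C:\Windows\System32\cmd.exe",
     "parent": r"C:\ProgramData\Microsoft\MIDNAUHE.exe",
     "cmdline": r'"C:\Windows\System32\cmd.exe" /c schtasks /create /f /sc MINUTE /mo 5 '
                r'/RL HIGHEST /tn "MIDNAUHE" /tr "C:\ProgramData\Microsoft\MIDNAUHE.exe"'},
    {"image": r"C:\Windows\Microsoft.NET\Framework64\v4.0.30319\vbc.exe",
     "parent": r"C:\Users\victim\Downloads\WindowsFormsApp3.exe",
     "cmdline": "vbc.exe -a verus -o stratum+tcp://na.luckpool.net:3956 "
                "-u RXXAfc[Redacted]HLkp.work -p x -t 5"},
    {"image": r"C:\Windows\System32\cmd.exe",  # benign: only queries a task
     "parent": r"C:\Windows\explorer.exe",
     "cmdline": r'cmd.exe /c schtasks /query /tn "\Microsoft\Windows\Defrag\ScheduledDefrag"'},
]


def _switch(cmd, name):
    """Value of a schtasks switch, quoted or bare (e.g. /mo 5, /tr "C:\\x.exe")."""
    m = re.search(r'/%s\s+(?:"([^"]*)"|(\S+))' % re.escape(name), cmd, re.I)
    return (m.group(1) or m.group(2)) if m else None


def analyze(event):
    """Return [(ATT&CK technique ID, detail), ...] for one process-creation event."""
    cmd = event["cmdline"]
    image = event["image"].rsplit("\\", 1)[-1].lower()
    findings = []

    m = DEFENDER_EXCL.search(cmd)
    if m:  # T1562.001 Impair Defenses: Disable or Modify Tools
        findings.append(("T1562.001",
                         f"Defender {m.group(1).lower()} exclusion added for {m.group(2)}"))

    if SCHTASKS_CREATE.search(cmd):  # T1053.005 Scheduled Task
        sc, mo, rl, tr, tn = (_switch(cmd, s) for s in ("sc", "mo", "rl", "tr", "tn"))
        tight_loop = (sc or "").lower() == "minute" and (mo or "").isdigit() and int(mo) <= 10
        elevated = (rl or "").lower() == "highest"
        from_writable = any(p in (tr or "").lower() for p in USER_WRITABLE)
        if from_writable or (tight_loop and elevated):
            findings.append(("T1053.005",
                             f"task {tn!r} runs {tr!r} every {mo} {sc} with /RL {rl}"))

    m = STRATUM.search(cmd)
    if m:  # T1496 Resource Hijacking: any Stratum client on an endpoint is worth a look
        url = urlsplit(m.group(1))
        wallet, algo = WALLET.search(cmd), ALGO.search(cmd)
        findings.append(("T1496", f"Stratum pool {url.hostname}:{url.port}, algo "
                                  f"{algo.group(1) if algo else '?'}, wallet "
                                  f"{wallet.group(1) if wallet else '?'}"))
        if image in HOLLOWING_HOSTS:  # T1055: a compiler does not mine by itself
            findings.append(("T1055", f"{image} hosting a miner: injected payload"))
    return findings


def hunt(events):
    """Events that produced at least one finding, with the findings attached."""
    hits = []
    for event in events:
        findings = analyze(event)
        if findings:
            hits.append(dict(event, findings=findings))
    return hits


def pool_iocs(events):
    """Distinct Stratum pool endpoints (host:port) seen across the events."""
    pools = set()
    for event in events:
        m = STRATUM.search(event["cmdline"])
        if m:
            u = urlsplit(m.group(1))
            pools.add(f"{u.hostname}:{u.port}")
    return pools


if __name__ == "__main__":
    for hit in hunt(SAMPLE_EVENTS):
        print(hit["image"], hit["findings"])
    print("pools:", pool_iocs(SAMPLE_EVENTS))
```

The scheduled-task rule deliberately does not fire on the schedule alone: plenty of legitimate tasks run every few minutes, but very few run from ProgramData or AppData, and fewer still combine a tight loop with /RL HIGHEST. The Stratum rule fires on any image; the T1055 tag is added only when the image is one that cannot plausibly be a miner itself.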
Now the malware mines on the victim’s machine with the TA’s wallet address, generating revenue for the TA. The figure below shows the TA’s Luckpool dashboard, with statistics such as total paid and current balance, demonstrating the financial gain obtained through this Coinminer.
The below image shows the process tree of the Coinminer malware.
Clipper malware is a family of malicious programs targeting cryptocurrency users. It hijacks the clipboard of an infected system, the buffer in which Windows stores copied data for copy-paste operations.
When the victim copies a cryptocurrency wallet address, the clipper replaces it in the clipboard with a wallet address controlled by the TA, so the funds go to the TA when the victim pastes the address into a transaction, resulting in financial loss to the victim.
The Clipper (“Build.exe”) malware executes simultaneously while Coinminer is performing the mining process. Upon execution, the clipper creates a mutex to ensure that only one instance of malware is running on the victim’s system at any given time. The below figure shows the created mutex name.
Then, the clipper copies itself into the %Appdata% directory with the name “zxcfcf.exe” using CopyFileA() API function, as shown below.
After that, the clipper adds the path of the dropped copy to the Run registry key for persistence, so the malware is executed automatically each time the user logs in.
Next, the malware reads the clipboard contents using the GetClipboardData() API function, as shown in the figure below.
It then checks whether the clipboard text contains a cryptocurrency wallet address, validating it only by the string’s length and its starting characters, as shown below.
If the clipper identifies a wallet address in the clipboard, it replaces the victim’s address with the TA’s address using the OpenClipboard(), EmptyClipboard() and SetClipboardData() APIs, as shown below.
The table below lists the cryptocurrencies targeted by the clipper, the condition used to recognise each wallet-address format (lengths are given in decimal, with the hexadecimal constant from the binary in parentheses), and the TA’s wallet address that is substituted in each case.

| Cryptocurrency | Condition to identify wallet address | TA’s wallet address |
|---|---|---|
| BTC (legacy) | length 26 to 38 (0x1A to 0x26) and first char “1” or “3” | bc1qqx3mt05z6zh7ucn5egejcxckl7fk6edaq6uzp0 |
| BTC (bech32) | length 42 or 62 (0x2A or 0x3E) and starts with “bc1” | bc1qqx3mt05z6zh7ucn5egejcxckl7fk6edaq6uzp0 |
| ETH | length 42 (0x2A) and starts with “0x” | 0x5B28638188D7D9be3cAfE4EB72D978a909a70466 |
| XMR | length 94 or 95 (0x5E or 0x5F) and first char “4” or “8” | 43M2qEUHMmoZdyUhxzHZLGNpLzF9KFzEXdR388EaGFgUKwRpQnfT8ueaaCnJF27KqC7qYkPWZyFPX2GAqygBZkmpUboULAZ |
| Zcash | length 35 (0x23) and first char “t” | t1LhqVruXCwo4jdo8kdUTR3hDwGUikxsCxr |
| Dash | length 34 (0x22) and first char “X” or “7” | Xovkn8Hvb5xguW9jHd7ieJHTU3g5Ju3xYt |
| Doge | length 34 (0x22) and first char “D”, “9” or “A” | D8d2QVCXTT2XkkuYJQECsZLniMVNGHzZ1K |
| XRP | length 34 (0x22) and first char “r” | rHLevkBMjVgfywHVi93jgCbj24zik86oLy |
| TRON (TRX) | length 34 (0x22) and first char “T” | TXSqW63v89RdoenCYYsfEuZH3KM6aCmExp |
| BNB | length 42 (0x2A) and starts with “bnb” | bnb15nqs5gfrp3e5sr54hcpvw3w0r3z6dlu5tcr5f0 |
| Cosmos | length 45 (0x2D) and starts with “cosm” | cosmos1k6qjwh2d8jhf0kcxwkyz77avegqx76wvgzgh72 |
| Ronin | length 46 (0x2E) and starts with “ronin:” | ronin:5B28638188D7D9be3cAfE4EB72D978a909a70466 |
| LTC (bech32) | length 43 (0x2B) and starts with “ltc” | ltc1q4u0c7q473yzw03vkrtcl0465sn73utf6sg4qu2 |
| LTC (legacy) | length 34 (0x22) and first char “L” or “M” | ltc1q4u0c7q473yzw03vkrtcl0465sn73utf6sg4qu2 |
| Polkadot (DOT) | length 48 (0x30) and first char “1” | 1656LHoL297jW1PTYqGgPXKaBetF6TaLED3KyjejSo2iKPM8 |
| BCH | length 42 (0x2A) and first char “q” | qpwxpc4asvawn32dx5q6ua4uewvf2hvymsykm58t8r |
| Tezos | length 36 (0x24) and starts with “tz” | tz1f8twz44yA73xLubJEf1udcPDxnqYzRCSp |
| Cardano (ADA) | length 103 (0x67) and starts with “addr” | addr1qyte8n6y3sry5a3wt86qv5fp0l74elxt2kfpahh2h6xj4lj5efljv0paqyq4ccfdrvavzlz2jwperxfm04yeseq7fhpqge4q4g |

Two details in the table are worth noting. The Ronin address is the TA’s ETH address with a “ronin:” prefix, consistent with Ronin being an EVM-compatible chain. And the legacy BTC and legacy LTC rules are answered with bech32 addresses (bc1…/ltc1…) that would not satisfy the rule that triggered the swap, so a victim who copied a “1…”, “3…”, “L…” or “M…” address will see a visibly different format pasted back, which is the one chance the victim has of noticing the substitution.
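The matching logic in the table above is simple enough to reimplement in a few lines, which is the quickest way to see its blind spots. The script below is an added example, not the clipper’s own code: RULES transcribes the table (length window, accepted prefixes, replacement address), and the clipboard samples are constructed for the demonstration. No two rules accept the same string (every 34-character rule keys on a different first character, and the 42-character rules on disjoint prefixes), so the evaluation order does not affect the result. The run shows that the check is purely length-plus-prefix (any 34-character string beginning with “T” is swapped for the TRON address), that a one-character length mismatch escapes it entirely, and that two rules hand back an address that would not pass their own filter.

```python
"""The clipper's wallet-matching heuristic, reimplemented for analysis.

Added example, not the malware's own code. RULES transcribes the table
above (accepted lengths, accepted prefixes, attacker's replacement
address); the sample clipboard strings below are constructed.
"""

RULES = [
    # label, accepted lengths, accepted prefixes, TA's address written back
    ("BTC (legacy)", range(26, 39), ("1", "3"), "bc1qqx3mt05z6zh7ucn5egejcxckl7fk6edaq6uzp0"),
    ("BTC (bech32)", (42, 62), ("bc1",), "bc1qqx3mt05z6zh7ucn5egejcxckl7fk6edaq6uzp0"),
    ("ETH", (42,), ("0x",), "0x5B28638188D7D9be3cAfE4EB72D978a909a70466"),
    ("XMR", (94, 95), ("4", "8"),
     "43M2qEUHMmoZdyUhxzHZLGNpLzF9KFzEXdR388EaGFgUKwRpQnfT8ueaaCnJF27KqC7qYkPWZyFPX2GAqygBZkmpUboULAZ"),
    ("Zcash", (35,), ("t",), "t1LhqVruXCwo4jdo8kdUTR3hDwGUikxsCxr"),
    ("Dash", (34,), ("X", "7"), "Xovkn8Hvb5xguW9jHd7ieJHTU3g5Ju3xYt"),
    ("Doge", (34,), ("D", "9", "A"), "D8d2QVCXTT2XkkuYJQECsZLniMVNGHzZ1K"),
    ("XRP", (34,), ("r",), "rHLevkBMjVgfywHVi93jgCbj24zik86oLy"),
    ("TRON (TRX)", (34,), ("T",), "TXSqW63v89RdoenCYYsfEuZH3KM6aCmExp"),
    ("BNB", (42,), ("bnb",), "bnb15nqs5gfrp3e5sr54hcpvw3w0r3z6dlu5tcr5f0"),
    ("Cosmos", (45,), ("cosm",), "cosmos1k6qjwh2d8jhf0kcxwkyz77avegqx76wvgzgh72"),
    ("Ronin", (46,), ("ronin:",), "ronin:5B28638188D7D9be3cAfE4EB72D978a909a70466"),
    ("LTC (bech32)", (43,), ("ltc",), "ltc1q4u0c7q473yzw03vkrtcl0465sn73utf6sg4qu2"),
    ("LTC (legacy)", (34,), ("L", "M"), "ltc1q4u0c7q473yzw03vkrtcl0465sn73utf6sg4qu2"),
    ("Polkadot (DOT)", (48,), ("1",), "1656LHoL297jW1PTYqGgPXKaBetF6TaLED3KyjejSo2iKPM8"),
    ("BCH", (42,), ("q",), "qpwxpc4asvawn32dx5q6ua4uewvf2hvymsykm58t8r"),
    ("Tezos", (36,), ("tz",), "tz1f8twz44yA73xLubJEf1udcPDxnqYzRCSp"),
    ("Cardano (ADA)", (103,), ("addr",),
     "addr1qyte8n6y3sry5a3wt86qv5fp0l74elxt2kfpahh2h6xj4lj5efljv0paqyq4ccfdrvavzlz2jwperxfm04yeseq7fhpqge4q4g"),
]


def match_rule(text):
    """First rule whose length window and prefix set accept `text`, else None."""
    for rule in RULES:
        _, lengths, prefixes, _ = rule
        if len(text) in lengths and text.startswith(prefixes):
            return rule
    return None


def classify(text):
    """Label of the coin the clipper would take `text` for, or None."""
    rule = match_rule(text)
    return rule[0] if rule else None


def substitute(text):
    """What the clipper writes back to the clipboard for `text`."""
    rule = match_rule(text)
    return rule[3] if rule else text


def inconsistent_rules():
    """Rules whose own replacement address would not pass that rule's check."""
    return [label for label, lengths, prefixes, addr in RULES
            if not (len(addr) in lengths and addr.startswith(prefixes))]


# Constructed clipboard contents: two address look-alikes, a 41-character
# near-miss, a 34-character sentence starting with "T", and a plain URL.
SAMPLES = [
    "0x" + "ab" * 20,
    "D" + "x" * 33,
    "0x" + "ab" * 19 + "a",
    "ThisIsNotAWalletAddressAtAllReally",
    "https://example.com",
]


def simulate(samples=SAMPLES):
    """(clipboard text, rule hit, text written back) for each sample."""
    return [(s, classify(s), substitute(s)) for s in samples]


if __name__ == "__main__":
    for text, label, written in simulate():
        print(f"{label!s:>16}: {text} -> {written}")
    print("rules that contradict their own replacement:", inconsistent_rules())
```

The same matcher, run against the other direction (a copied string that changes between the copy and the paste), is the core of a user-space clipboard-substitution detector; the heuristic is crude precisely because the clipper needs no false-positive budget, while a defender does.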
The clipper continuously monitors the victim’s clipboard and replaces the wallet address whenever the victim copies one to make a cryptocurrency transaction, redirecting the payment to the TA’s wallet. Because the swap happens before the paste, the victim usually notices only after the funds have left; comparing the first and last few characters of the pasted address with the source is the simplest user-side check. The figure below shows the transaction details of one of the TA’s wallet addresses.
In this case, the TAs appear to be using two different malware families for financial gain. The Coinminer silently misuses the system resources (CPU and RAM mostly) to generate revenue without users’ consent, considerably reducing the victim’s overall system performance.
Using the victim’s computing power to mine cryptocurrency exhausts its resources and drastically impacts the productivity of the user/organization. The TA also delivers clipper malware which redirects the cryptocurrency transactions to the TA’s wallet address.
Coinminer and Clipper malware families are mostly spread and dropped onto a victim’s system via phishing campaigns. Organizations and individuals should thus continue to follow industry best cybersecurity practices to secure themselves and their firms.
- Enterprises should prevent users from downloading pirated software from warez/torrent websites. “Hack tools” advertised on YouTube, torrent sites, etc., frequently carry such malware.
- Organizational information security policies/acceptable usage policies should be updated to explicitly prohibit downloading and installing crypto mining software on end-user systems.
- Users should turn on the automatic software update feature on their computer, mobile, and other connected devices.
- Use a reputable antivirus and internet security software package on all connected devices, including PCs, laptops and mobile devices.
- As part of ongoing security awareness and training, users should be educated to refrain from opening untrusted links and Email attachments without first verifying their authenticity.
- Educate employees on protecting themselves from threats like phishing attacks and untrusted URLs.
- Block URLs that could be used to spread the malware, e.g., Torrent/Warez.
- Endpoints and servers should be monitored for unexpected, sustained spikes in CPU and RAM utilization, which could indicate a mining infection. More specific indicators from this chain are a new Defender exclusion for a user-writable directory, a scheduled task or Run key pointing at ProgramData or AppData, and a compiler such as vbc.exe holding an outbound connection.
MITRE ATT&CK® Techniques
| Tactic | Technique ID | Technique Name |
|---|---|---|
| Execution | T1204 | User Execution |
| Execution | T1047 | Windows Management Instrumentation |
| Persistence | T1053 | Scheduled Task/Job |
| Persistence | T1547.001 | Registry Run Keys / Startup Folder |
| Privilege Escalation | T1055 | Process Injection |
| Defense Evasion | T1562.001 | Impair Defenses: Disable or Modify Tools |
| Discovery | T1057 | Process Discovery |
| Discovery | T1082 | System Information Discovery |
| Discovery | T1518.001 | Security Software Discovery |
| Command and Control | T1071 | Application Layer Protocol |
| Command and Control | T1105 | Ingress Tool Transfer |
Indicators of Compromise (IOCs)
| Indicator | Indicator Type | Description |
|---|---|---|
| ca43548571c559a85f937635951c1ebd2a26d2ad84a8cc96f669d6b48fd2b9b7 | SHA256 | WindowsFormsApp3.exe (Coinminer) |
| na.luckpool[.]net:3956 | Domain:port | Mining pool endpoint (stratum+tcp) |
| | URL | Malware distribution URL |