Cyble-Blogs-CoinMiner

Fake MSI Afterburner Sites Delivering Coin-Miner

Stealthy Miner Bypasses Detection Using Shellcode and Process Injection

Gamers and other high-performance computing users use various utility software tools such as MSI Afterburner, which monitors system performance and allows users to modify the hardware settings to enhance the system’s performance. Threat Actors (TAs) generally target these software tools to deliver malware to the user’s machine.

Recently, Cyble Research & Intelligence Labs (CRIL) identified several phishing campaigns targeting MSI Afterburner software to deliver coin-miner malware. The TAs behind these campaigns used sophisticated phishing pages that mimic the legitimate MSI Afterburner site to lure the users into downloading coin-miner malware that performs the crypto-mining process. The TA hosted a phishing site to deliver the payload of coin-miner malware bundled with legitimate MSI Afterburner installers.

Crypto mining is a power and resource-intensive activity that requires dedicated hardware like GPUs. By bundling a coin-miner into the tools such as Afterburner and installing it in the user’s machine, the TAs can hijack the processing power of the victim’s machine to mine the cryptocurrencies without their consent. The figure below shows the phishing website created by TAs.

Figure 1 – Phishing page downloading malicious MSI Afterburner installer

In the last three months, we Identified approximately 50 phishing websites targeting MSI Afterburner to deliver malware on the user’s machine. The figure below shows the timeline of the phishing sites created to target MSI Afterburner.

Figure 2 – Timeline of Phishing websites

Technical Analysis

In this technical analysis, we analyzed a sample named “MSIAfterburnerSetup.msi” with SHA265 as 2279b8cf7a2b1fa13f1832b4dc0331bd9f971240f38b0fbd694ed6aec093bb8d, downloaded from a phishing site hxxps://git[.]git[.]skblxin[.]matrizauto[.]net.

The “MSIAfterburnerSetup.msi” installer file contains four executable files such as “MSIAfterburnerSetup465Beta2.exe”, “install.exe”, “comp.cab”, a cabinet file containing redline stealer, and “browser_assistant.exe” which loads XMR Miner.

The figure below shows the contents of the MSIAfterburnerSetup.msi.

Figure 3 – Contents of the downloaded installer file

When a user runs the MSIAfterburnerSetup.msi file, it further executes “install.exe”, which shows the installation wizard to install the program. The figure below shows the Installation Wizard.

Figure 4 – Afterburner setup window

In the background, the installer drops a file named “browser_assistent.exe” in the %Program files% location and executes it. Upon execution, “the browser_assistent.exe” Injects itself and loads a shellcode which gets the encoded XMR Miner binary from the GitHub repository and further injects it into explore.exe. The below image shows the process tree of the XMR miner.

Figure 5 – Process tree of XMR Miner

The malware installs XMR Miner silently in the background by injecting malicious code into a running process without saving the actual payload in the disk. The below image shows the infection chain of the XMR miner.

Figure 6 – XMR miner infection chain

XMR Miner Analysis

The loader “browser_assistant.exe” is a 64-bit PyInstaller executable with SHA256: 0e154eed00b71c0d11bd2caeb64fa2efcbb10524b797c076895752affa0f46c. Additional information is shown in the figure below.

Figure 7 – Loader File Details

Upon execution of “browser_assistant.exe”, it drops multiple Python-supporting files into the %temp% directory. The below figure shows the “.pyc”, “.pyd”, and “.dll” files extracted from the PyInstaller executable.

Figure 8 – Extracted files of PyInstaller executable

The “Binary_Stub_Replacer.pyc”, Python compiled file is responsible for XMR miner activity. During execution, it retrieves and injects the XMR Miner into “explorer.exe” using the following steps:

  • Initially, the “Binary_Stub_Replacer.pyc” decodes the actual data using replace function, converts the stub into binary format first, and then changes it into ASCII format, as shown in Figure 9. 

Figure 9 – Decoded python content (Stage 1)

  • The decoded stub forms a new python code containing an embedded base64 encoded content shown in Figure 10. This python code decodes the base64encoded stub, which creates a shellcode.
  • The Shellcode is further injected into “browser_assistant.exe” using the CreateThread() API function, as shown in Figure 10.

Figure 10 – Decoded python content (Stage 2)

  • After that, the loaded Shellcode retrieves encoded raw data (XMR Miner) from the GitHub repository (hxxps[:]//raw.githubusercontent[.]com:443/CyberSECx/Dimitri_Quaser_LASTSM_B64/main/RawData), decodes it, injects it into explorer.exe and invokes the explorer.exe with the mining parameters shown in the below Figure 11.

Figure 11 – Shellcode retrieves encoded XMR Miner content from GitHub

The injected XMR Miner further launches commands to connect the mining pool for crypto mining operations, as shown in the figure below.

Figure 12 – Injected XMR mining pool details in the memory explorer.exe

The table below shows the arguments used by the XMR miner malware.

–algomining algorithm
–urlURL of mining server
–userusername for the mining server
–passpassword for the mining server
–cpu-max-threads-hintMaximum CPU usage
–cinit-stealth-targetsWhen any programs listed under “Stealth Targets” are running, this option pauses the miner and clears the GPU memory.
–cinit-apiC&C API URL
–cinit-versionVersion
–tlsenable SSL/TLS support
–cinit-idle-waitIdle wait time
–cinit-idle-cpuCan be set to mine when the computer is in use or not, at varying rates, or not at all.
–cinit-idUser ID

The malware simultaneously collects sensitive information such as computer name, username, GPU, CPU, and other details from the victim’s system and sends them to the below C&C (Command and Control) server URL API:

  • hxxp[:]//45[.]87[.]0[.]89/api/endpoint[.]php

The below figure shows exfiltrated sensitive details from the victim’s machine.

Figure 13 – Exfiltrated data

Finally, the malware starts mining using the TA’s wallet address on the victim’s machine to generate revenue. The below figure shows the TA’s XMR mining pool dashboard, which displays the stats such as total money paid, balance, etc., indicating the possibility of financial gain using this XMRminer.

Figure 14 – Transaction Details of TAs Wallet Address

Conclusion

This coin-miner malware campaign uses MSI Afterburner phishing sites targeting gamers and other individuals who require high-performance computing. TAs use phishing emails, online ads, and various other means to propagate links over the internet. TAs could also target other specialized software to spread malware.  

In this case, Afterburner drops the XMR miner for mining which silently abuses the victim’s system resources (CPU and RAM mostly) and produces revenues for attackers. This significantly decreases the victim’s overall system performance and drains their system resources, severely affecting the productivity of the victim user or organization.

Cyble Research and Intelligence Labs will continue monitoring the latest malware strains in the wild and update blogs with actionable intelligence to protect users from such attacks.

Our Recommendations

  • Users are advised to check their system performance and CPU usage periodically.
  • Enterprises should prevent users from downloading pirated software from Warez/Torrent websites. The “Hack Tool” present on sites such as YouTube, Torrent sites, etc., contains such malware.
  • Organizational information security policies/acceptable usage policies should be updated to explicitly prohibit downloading and installing crypto mining software on end-user systems.
  • Users should turn on the automatic software update feature on their computer, mobile, and other connected devices.
  • Using a reputed antivirus and internet security software package is recommended on connected devices, including PCs, laptops, and mobile devices.
  • As part of ongoing security awareness and training, users should be educated to refrain from opening untrusted links and Email attachments without first verifying their authenticity.
  • Educate employees on protecting themselves from threats like phishing attacks and untrusted URLs.
  • Block URLs that could be used to spread the malware, e.g., Torrent/Warez.
  • Endpoints and Servers should be monitored for unexpected spikes in CPU and RAM utilization that could point to a potential malware infection.

MITRE ATT&CK® Techniques

TacticTechnique IDTechnique Name
ExecutionT1204
T1064
User Execution Scripting
PersistenceT1547Registry Run Keys / Startup Folder
Privilege EscalationT1055Process Injection
Defense EvasionT1497
T1036
Virtualization/Sandbox Evasion Masquerading
DiscoveryT1057
T1082
T1518
T1120
Process Discovery System Information Discovery Security Software Discovery Peripheral Device Discovery
Command and ControlT1071
T1105
Application Layer Protocol Ingress Tool Transfer

Indicators of Compromise

IndicatorsIndicator
Type
Description
96a3469891a23e0aa49fd009979b668b
a9205e91e5694bb60efe73892bf14652e065bf67
2279b8cf7a2b1fa13f1832b4dc0331bd9f971240f38b0fbd
694ed6aec093bb8d
MD5
SHA1
SHA256
MSIAfterburnerSetup.msi
a9e09703d13de2fd20ca8aab4e02e7c8
a785b651aa699ba651e9fccd94f86fefff88cc6a
00e154eed00b71c0d11bd2caeb64fa2efcbb10524b797c0
76895752affa0f46c
MD5
SHA1
SHA256
browser_assistant.exe
git[.]git[.]skblxin[.]matrizauto[.]net
git[.]git[.]git[.]skblxin[.]matrizauto[.]net
git[.]git[.]git[.]git[.]skblxin[.]matrizauto[.]net
www[.]matrizauto[.]net
DomainDownload Link
hxxp://45[.]87[.]0[.]89/api/endpoint[.]phpURLContacted URL
104[.]20[.]67[.]143IPContacted IP
Scroll to Top