Stealthy Miner Bypasses Detection Using Shellcode and Process Injection
Gamers and other high-performance computing users use various utility software tools such as MSI Afterburner, which monitors system performance and allows users to modify the hardware settings to enhance the system’s performance. Threat Actors (TAs) generally target these software tools to deliver malware to the user’s machine.
Recently, Cyble Research & Intelligence Labs (CRIL) identified several phishing campaigns targeting MSI Afterburner software to deliver coin-miner malware. The TAs behind these campaigns used sophisticated phishing pages that mimic the legitimate MSI Afterburner site to lure the users into downloading coin-miner malware that performs the crypto-mining process. The TA hosted a phishing site to deliver the payload of coin-miner malware bundled with legitimate MSI Afterburner installers.
Crypto mining is a power and resource-intensive activity that requires dedicated hardware like GPUs. By bundling a coin-miner into the tools such as Afterburner and installing it in the user’s machine, the TAs can hijack the processing power of the victim’s machine to mine the cryptocurrencies without their consent. The figure below shows the phishing website created by TAs.
In the last three months, we Identified approximately 50 phishing websites targeting MSI Afterburner to deliver malware on the user’s machine. The figure below shows the timeline of the phishing sites created to target MSI Afterburner.
In this technical analysis, we analyzed a sample named “MSIAfterburnerSetup.msi” with SHA265 as 2279b8cf7a2b1fa13f1832b4dc0331bd9f971240f38b0fbd694ed6aec093bb8d, downloaded from a phishing site hxxps://git[.]git[.]skblxin[.]matrizauto[.]net.
The “MSIAfterburnerSetup.msi” installer file contains four executable files such as “MSIAfterburnerSetup465Beta2.exe”, “install.exe”, “comp.cab”, a cabinet file containing redline stealer, and “browser_assistant.exe” which loads XMR Miner.
The figure below shows the contents of the MSIAfterburnerSetup.msi.
When a user runs the MSIAfterburnerSetup.msi file, it further executes “install.exe”, which shows the installation wizard to install the program. The figure below shows the Installation Wizard.
In the background, the installer drops a file named “browser_assistent.exe” in the %Program files% location and executes it. Upon execution, “the browser_assistent.exe” Injects itself and loads a shellcode which gets the encoded XMR Miner binary from the GitHub repository and further injects it into explore.exe. The below image shows the process tree of the XMR miner.
The malware installs XMR Miner silently in the background by injecting malicious code into a running process without saving the actual payload in the disk. The below image shows the infection chain of the XMR miner.
XMR Miner Analysis
The loader “browser_assistant.exe” is a 64-bit PyInstaller executable with SHA256: 0e154eed00b71c0d11bd2caeb64fa2efcbb10524b797c076895752affa0f46c. Additional information is shown in the figure below.
Upon execution of “browser_assistant.exe”, it drops multiple Python-supporting files into the %temp% directory. The below figure shows the “.pyc”, “.pyd”, and “.dll” files extracted from the PyInstaller executable.
The “Binary_Stub_Replacer.pyc”, Python compiled file is responsible for XMR miner activity. During execution, it retrieves and injects the XMR Miner into “explorer.exe” using the following steps:
- Initially, the “Binary_Stub_Replacer.pyc” decodes the actual data using replace function, converts the stub into binary format first, and then changes it into ASCII format, as shown in Figure 9.
- The decoded stub forms a new python code containing an embedded base64 encoded content shown in Figure 10. This python code decodes the base64encoded stub, which creates a shellcode.
- The Shellcode is further injected into “browser_assistant.exe” using the CreateThread() API function, as shown in Figure 10.
- After that, the loaded Shellcode retrieves encoded raw data (XMR Miner) from the GitHub repository (hxxps[:]//raw.githubusercontent[.]com:443/CyberSECx/Dimitri_Quaser_LASTSM_B64/main/RawData), decodes it, injects it into explorer.exe and invokes the explorer.exe with the mining parameters shown in the below Figure 11.
The injected XMR Miner further launches commands to connect the mining pool for crypto mining operations, as shown in the figure below.
The table below shows the arguments used by the XMR miner malware.
|–url||URL of mining server|
|–user||username for the mining server|
|–pass||password for the mining server|
|–cpu-max-threads-hint||Maximum CPU usage|
|–cinit-stealth-targets||When any programs listed under “Stealth Targets” are running, this option pauses the miner and clears the GPU memory.|
|–cinit-api||C&C API URL|
|–tls||enable SSL/TLS support|
|–cinit-idle-wait||Idle wait time|
|–cinit-idle-cpu||Can be set to mine when the computer is in use or not, at varying rates, or not at all.|
The malware simultaneously collects sensitive information such as computer name, username, GPU, CPU, and other details from the victim’s system and sends them to the below C&C (Command and Control) server URL API:
The below figure shows exfiltrated sensitive details from the victim’s machine.
Finally, the malware starts mining using the TA’s wallet address on the victim’s machine to generate revenue. The below figure shows the TA’s XMR mining pool dashboard, which displays the stats such as total money paid, balance, etc., indicating the possibility of financial gain using this XMRminer.
This coin-miner malware campaign uses MSI Afterburner phishing sites targeting gamers and other individuals who require high-performance computing. TAs use phishing emails, online ads, and various other means to propagate links over the internet. TAs could also target other specialized software to spread malware.
In this case, Afterburner drops the XMR miner for mining which silently abuses the victim’s system resources (CPU and RAM mostly) and produces revenues for attackers. This significantly decreases the victim’s overall system performance and drains their system resources, severely affecting the productivity of the victim user or organization.
Cyble Research and Intelligence Labs will continue monitoring the latest malware strains in the wild and update blogs with actionable intelligence to protect users from such attacks.
- Users are advised to check their system performance and CPU usage periodically.
- Enterprises should prevent users from downloading pirated software from Warez/Torrent websites. The “Hack Tool” present on sites such as YouTube, Torrent sites, etc., contains such malware.
- Organizational information security policies/acceptable usage policies should be updated to explicitly prohibit downloading and installing crypto mining software on end-user systems.
- Users should turn on the automatic software update feature on their computer, mobile, and other connected devices.
- Using a reputed antivirus and internet security software package is recommended on connected devices, including PCs, laptops, and mobile devices.
- As part of ongoing security awareness and training, users should be educated to refrain from opening untrusted links and Email attachments without first verifying their authenticity.
- Educate employees on protecting themselves from threats like phishing attacks and untrusted URLs.
- Block URLs that could be used to spread the malware, e.g., Torrent/Warez.
- Endpoints and Servers should be monitored for unexpected spikes in CPU and RAM utilization that could point to a potential malware infection.
MITRE ATT&CK® Techniques
|Tactic||Technique ID||Technique Name|
|User Execution Scripting|
|Persistence||T1547||Registry Run Keys / Startup Folder|
|Privilege Escalation||T1055||Process Injection|
|Virtualization/Sandbox Evasion Masquerading|
|Process Discovery System Information Discovery Security Software Discovery Peripheral Device Discovery|
|Command and Control||T1071|
|Application Layer Protocol Ingress Tool Transfer|
Indicators of Compromise