CoinMiner Infecting MBR is Distributed in Korea (DarkCloud Bootkit)

In February 2019, AhnLab ASEC discovered the spread of CoinMiner malware that disables both domestic & foreign security products and manipulates MBR(Master Boot Record) of the infected system. This type of malware is known as “DarkCloud Bootkit” overseas. Unlike existing CoinMiner malware, it is equipped with features infecting MBR and prevents normal users from checking the infected MBR code by patching the “ZwCreateSection” API. AhnLab ASEC has been performing behavior detection to defend systems against attempts to infect MBR.

According to the company’s data, there has been an exponential growth in the number of detections for MBR infection since March 20, 2019.

Figure 1. AhnLab’s behavior-based detection report

Perhaps, not all attempts to infect MBR are by “DarkCloud Bootkit” malware. However, the fact that it was heavily distributed in Korea during this time makes it reasonable to warn users to take caution. (Approximately 80 cases were found on March 22)

Table 1 enumerates the information of OS targeted for infection, and we can see that it covers most of the existing OS.

OS VersionOperating System
5.1Windows XP
5.2Windows XP Professional x64 Edition  Windows Server 2003 Windows Home Server
6.1Windows Server 2008 R2 Windows 7
6.2Windows Server 2012 Windows 8
6.3Windows 8.1
10.0Windows 10
Table 1. Information on target OS

When malware infects a system, what happens first is a malicious ShellCode being overwritten in the MBR area. As seen in Figure 2 below, the malware copies the normal boot code of sector 0 to sector 1 and overwrites sector 0 and sector 2 – 54 area with ShellCode. The red box indicates the sector overwritten after infection, and the green box is the normal MBR code before it was compromised.

Figure 2. Infected MBR area
Figure 3. Infected MBR code

The overwritten malicious boot code patches the “ZwCreateSection” API of the infected PC upon reboot. Users can only see regular MBR boot code when they check the MBR area due to the code hiding feature.  

Figure 4. Patching of ZwCreateSection

Executed ShellCode downloads and runs a miner file with Monero(XMR) coin mining feature from an external website. Also, it conducts force quit on various AV related processes saved in PC. Since most AV programs become active after MBR boot code is run, we can witness them being shut down by these attacks.

Figure 5. List of force quit processes(1)

avp.exe zhudongfangyu.exe superkiller.exe 360sd.exe 360safe.exe 360rps.exe 360rp.exe sragent.exe QQPCRTP.exe systemaidbox.exe avgnt.exe avengine.exe msmpeng.exe nissrv.exe msseces.exe ccSvcHst.exe ekrn.exe egui.exe nod32krn.exe avgrsa.exe avgui.exe avscan.exe v3svc.exe v3medic.exe Rtvscan.exe avastsvc.exe bdagent.exe mcshield.exe mcsvhost.exe mfefire.exe mfemms.exe dwengine.exe dwarkdaemon.exe vssery.exe avguard.exe K7CrvSvc.exe asdsvc.exe 360tray.exe mbamservice.exe mbamtray.exe mbam.exe qhpisvr.exe quhlpsvc.exe savservice.exe hipsmain.exe hipsdaemon.exe sapissvc.exe scsecsvc.exe avgsvc.exe liveupdate360.exe 360rp qqpctray.exe Mcshield.exe shstat.exe naprdmgr.exe avgui.exe gziface.exe uiSeAgnt.exe dwengine.exe spideragent.exe bdagent.exe smsvchost.exe avastui.exe ksafe.exe
Figure 6. List of force quit processes(2)

The malware attempts to access the address below for updates and persistence. ASEC analysis team identified the address below from the analysis utilizing RAPIT, our own automatic analysis system. Malware “DarkCloud Bootkit” downloads “xpdown.dat” file alongside the following type of files: ver.txt, ok/down.html, ok/64.html, ok/vers.html, downs.txt, kill.txt.

Figure 7. Network access behavior identified by RAPIT

If a user runs AhnLab products in the infected system, it cannot correctly perform as below. Furthermore, it is challenging to recognize infection as a standard MBR appears when checking MBR.  

V3 products perform behavior detection ahead of an infection attempt by the malware against the MBR area. Users must prevent the infection by clicking the “do not run” button when a block pop-up appears due to the file with an unknown source.

AhnLab is continuously monitoring malware of this type and updating detection method to better respond to this threat.

[File detection]

Trojan/Win32.Agent

Malware/Win32.Generic

Trojan/Win32.PowerLocker

[Behavior detection]

Malware/MDP.Manipulate.M196

Malware/MDP.Manipulate.M2200

Categories:Malware Information

0 0 vote
Article Rating
guest
0 Comments
Inline Feedbacks
View all comments