The ASEC analysis team confirmed the distribution of CoinMiner that can disable the AMSI detection feature. Added in Windows 10, AMSI is a feature supported by Microsoft that allows applications and services to be linked with anti-malware software to detect malware. Currently, V3 Lite 4.0 and V3 365 Clinic 4.0 are utilizing the AMSI feature to respond to various types of malware including BlueCrab ransomware.
The CoinMiner that can disable AMSI is being distributed in the fileless form utilizing the powershell script. Before the malware attempts to run the CoinMiner process, it first edits AmsiScanBuffer’s function start byte in amsi.dll and attempts to disable AMSI.
[Powershell Script Operation Stage 1]
- Obtain LoadLibrary, VirtualProtect, and GetProcAddress API information
- Edit AmsiScanBuffer’s initial 6 bytes in amsi.dll (0xB8, 0x57, 0x00, 0x07, 0x80, and 0xC3)
[Powershell Script Operation Stage 2]
- Perform CoinMiner injection to normal msiexec.exe process
- Terminate Miner process (msiexec.exe) when user runs task manager program (taskmgr.exe)
- Restart Miner process (msiexec.exe) when task manager process is terminated
Powershell-type CoinMiner is not the only malware that utilizes this method of disabling AMSI. It was found that .NET -type malware such as AgentTesla and MassLogger also uses this method.
V3 products can detect and block the AMSI disabling technique through the real-time memory scan. Therefore, users need to update the V3 product engine to its latest version to prevent malware infection in advance.
- CoinMiner/PS.Agent (2021.05.18.00)
- Trojan/Win.AmsiBypass.XM108 (2021.05.18.00)