Coinminer Malware Distributed via Discord

While monitoring malware that is being distributed in Korea, the ASEC analysis team confirmed that coinminer malware was being distributed via Discord messenger. The attacker introduces a program that generates Robux, a currency used in a game called Roblox, for free in the following Discord chat room named “Free Robux Generator” and prompts the user to download it.

Upon clicking the “Robux Generator – Download,” the compressed file shown below is downloaded.

Upon decompressing the file, an executable named “robux free tool.exe” is shown to exist inside. When initially running the robux free tool.exe, the error message pops up, which is a result that the attacker intended. Users who see this message will think that the file is not working because they are not connected to the server.

Clicking OK, or closing the message box by clicking X executes the malicious actions. This is an Anti Sandbox technique used to bypass the sandbox environment, and its purpose is to hide behavior in an automatic analysis environment such as a sandbox because malicious behavior cannot be performed unless a message box is clicked.

Closing the message box executes robux free tool.exe, and it developed with AutoHotKey and has the feature of registering %AppData% and %Temp% directory as Windows Defender exception directories to avoid detection and installs additional malware from the following URL.

– hxxps://bitbucket[.]org/wdawfg2sa/1/downloads/roTokenGrabber.exe

roTokenGrabber.exe malware that is installed is packed with VMProtect. This malware was also developed with AutoHotkey and is a downloader as well. A difference, however, is that instead of downloading directly, it connects to the following Tumblr webpage and uses the download URL on the webpage to install install.exe.

– hxxps://chiqao1y18eg1a.tumblr[.]com/post/661746225405722624

– hxxps://cdn.discordapp[.]com/attachments/885082747083837474/885084266185228358/install.exe
– hxxps://cdn.discordapp[.]com/attachments/885082747083837474/885086081349988362/svchost.exe
– hxxps://cdn.discordapp[.]com/attachments/885082747083837474/885085259597754378/lol.exe
– hxxps://cdn.discordapp[.]com/attachments/885082747083837474/885084898862456882/dc.exe

After installing install.exe, it uses Apps Script provided by Google to send basic information about the infected system.

– hxxps://script.google[.]com/macros/s/AKfycbyEFoVoRATQK6Q3sjm9PAV23lpfpn_a4d6hvh7424nwv7jLIfu-MsZ71tUYTwq-74rm/exec?
cp=[CPU name]&
gp=[Graphic card name]&
ip=[IP address]&
time=[Time]&
anti=[Name of installed anti-malware]&
what=overwatch&
at=&
url=[install.exe URL]

Install.exe is the last downloader, and it downloads 3 actual malware (svchost.exe, lol.exe, dc.exe) from the Tumblr URL above.

Among the malware that is installed, dc.exe is a utility that is also known as Defender Control, and it can disable the Windows Defender anti-malware. One thing to note is that it can operate via the command line, which disables Windows Defender without the user realizing it.

Lol.exe is a coinminer malware called lolMiner, and it supports the mining of Ethereum coins and is installed under the name of “runtime broker.exe.” Svchost.exe is a malware that gives the argument to the installed lolMiner and executes it to perform the actual mining. The following is the routine for svchost.exe to give the mining pool URL and the account information of the attacker and to execute lolMiner.

The attacker is distributing coinminers disguised as a game hack in a Discord server sharing game hacks. The distributed malware also installs coinminers in the user’s system. Users should refrain from installing illegal programs from unknown sources. Also, V3 should be updated to the latest version so that malware infection can be prevented.

[File Detection]
– Malware/Win.AGEN.C4630810 (2021.09.12.03)
– Trojan/Win.Agent.R443575 (2021.10.01.03)
– Trojan/Win.Agent.C4668442 (2021.10.02.00)
– HackTool/Win.Disabler.R442117 (2021.09.20.03)
– Win-Trojan/Miner3.Exp (2020.01.23.00)

[IOC]
Files

– robux free tool.exe : e11cab90346e0917cb1d8e270565836b
– TokenGrabber.exe : a03103c3a609b55c2b8e50a3e85f0e60
– install.exe : 3ce561ff43324e120f554a04926948e2
– dc.exe : 0a50081a6cd37aea0945c91de91c5d97
– lol.exe : 57d14b0c79cc490a7c5511b6600976dc
– svchost.exe : 340d0f2a160733b307bbe9434dd8b701

URL Where Stolen Info is Sent to
– hxxps://script.google[.]com/macros/s/AKfycbyEFoVoRATQK6Q3sjm9PAV23lpfpn_a4d6hvh7424nwv7jLIfu-MsZ71tUYTwq-74rm/exec

Malware Download URLs
– hxxps://bitbucket[.]org/wdawfg2sa/1/downloads/roTokenGrabber.exe
– hxxps://chiqao1y18eg1a.tumblr[.]com/post/661746225405722624
– hxxps://cdn.discordapp[.]com/attachments/885082747083837474/885084266185228358/install.exe
– hxxps://cdn.discordapp[.]com/attachments/885082747083837474/885086081349988362/svchost.exe
– hxxps://cdn.discordapp[.]com/attachments/885082747083837474/885085259597754378/lol.exe
– hxxps://cdn.discordapp[.]com/attachments/885082747083837474/885084898862456882/dc.exe

Subscribe to AhnLab’s next-generation threat intelligence platform ‘AhnLab TIP’ to check related IOC and detailed analysis information.

1 1 vote
Article Rating
guest
0 Comments
Inline Feedbacks
View all comments