Attack Cases of CoinMiners Mining Ethereum Classic Coins

The ASEC analysis team is monitoring CoinMiners that are targeting Korean and overseas users. We have covered cases of various types of CoinMiner attacks over multiple blog posts in the past. This post aims to introduce the recently discovered malware that mine Ethereum Classic coins.


0. Overview

CoinMiners are installed without user awareness and use the system’s resources to mine cryptocurrency, leading to low system performance. Threat actors that distribute CoinMiners tend to mine coins that guarantee anonymity, such as Monero, to hinder tracking because these activities are illegal in themselves. As such, most CoinMiners in actual attacks are found to be XMRig, a Monero CoinMiner tool.

But of course, other miners that mine a variety of coins can be used in attacks, though not as prevalent as Monero miners. This includes Ethereum, the cryptocurrency with the second highest market capitalization behind Bitcoin. Because it is a major cryptocurrency, there are several mining tools for it: lolMiner, Gminer, NbMiner, Trex, and PhoenixMiner.

For reference, Ethereum was upgraded in September 2022, having its consensus mechanism changed from PoW (Proof of Work) to PoS (Proof of Stake). In the past, mining tools were used to reap coins as rewards for the Proof of Work process that solved complex operations at the expense of system resources including the CPU and GPU. But now, after being changed to the PoS method, the mining process is not needed.

After the DAO hacking incident in the past, Ethereum hard forked into two versions in July 2016: the new version (current Ethereum) and the old version (Ethereum Classic). Ethereum is the coin that changed to using the PoS method, and Ethereum Classic still uses the PoW method.

Albeit comparatively fewer than Monero CoinMiners, malware that mine Ethereum and Ethereum Classic coins have been steadily distributed in the past and these days as well. Ethereum mining is no longer possible, so Ethereum miners have disappeared, however, as Ethereum Classic coins are still available for mining, miners for these are still being distributed even today. It should also be noted that the various mining tools mentioned above support Ethereum Classic alongside Ethereum, and they are still used by threat actors in mining operations.


1. Ethereum CoinMiner Attack Cases

1.1. Distribution Using Discord

An ASEC blog post in 2021 covered an attack case involving the mining of Ethereum coins.[1] The threat actor disguised the miner as a hack for a game called Roblox and distributed them to Korean users over Discord. Along with a variety of other malware, lolMiner was installed on user systems to mine Ethereum.

Figure 1. CoinMiner execution flow
Figure 2. Malware that mines Ethereum using lolMiner
  • Threat actor’s Ethereum wallet address: 0x5421D5E7028a5B7DF436FEE75C59d9977ddbfd0D


1.2. Attack Abusing dnSpy Tool

In January 2022, a malware was distributed in disguise as dnSpy, an open-source .NET binary analysis tool, which also included a CoinMiner for Ethereum. According to Bleeping Computer, the threat actor used not only GitHub but also websites disguised as the official website to induce users to install dnSpy with the added malware.[2]

The actual malware is inside the dnspy.dll file among the modules within the compressed file. When the user runs dnSpy, dnSpy.dll is loaded, which in turn loads an obfuscated .NET downloader named dnSpyPlus.exe onto the memory area before running it. As shown below, dnSpyPlus follows multiple commands, registering a variety of commands on the task scheduler to have them run periodically.

Figure 3. dnSpy malware which installs multiple malware

The registered commands install various malware such as Defender Control (a Windows Defender deactivation tool), Quasar RAT, ClipBanker, and Ethereum miner. Characteristics of this attack method include the fact that VBS commands are registered to the task scheduler and run with mshta and that curl is used for malware installation.

Out of the many malware installed, m.exe is a CoinMiner that creates NbMiner in the same directory and runs it with an argument that contains configuration information to mine Ethereum in the infected system.

Figure 4. NbMiner malware which mines Ethereum coins

> nbminer.exe -a ethash -o stratum+tcp://asia2.ethermine.org:4444 -u 0x4dd10a91e43bc7761e56da692471cd38c4aaa426.[…]

  • Threat actor’s Ethereum wallet address: 0x4dd10a91e43bc7761e56da692471cd38c4aaa426


2. Ethereum Classic CoinMiner Attack Cases

2.1. Change to Ethereum Classic

While monitoring recent CoinMiners, the ASEC analysis team found a malware in circulation that mines Ethereum Classic. While the initial distribution method is yet to be determined, we found similarities between this case and the one where the malware was disguised as dnSpy; we could confirm that the miner was downloaded and installed with Curl and related files had included Defender Control and Clipbanker.

Figure 5. Ethereum Classic miner installed using Curl

While checking relevant information, we were able to find an actual case of infection of this malware from elektroda.pl, a Polish IT forum. The commands registered to the task scheduler have the same file path and download addresses as those detected and listed in ASD (AhnLab Smart Defense) infra logs. Moreover, these commands are almost similar to the actual fake dnSpy malware mentioned above.[3]

Figure 6. Infected system information posted on the forum

To elaborate, it registers and runs mshta, responsible for executing VBS commands, on the task scheduler and registers multiple commands that disable Windows Defender. The fact that Curl is used to download the malware, and the types of malware installed are what makes this case similar to the case above. The difference is that Ethereum miners were used in the past, while the recent version mines Ethereum Classic.

Though the files downloaded from each address differ, the types installed from verified addresses include Ethereum Classic CoinMiners, ClipBanker types and Defender Control, which is a Windows Defender disabling tool. Aside from these, RATs and Infostealers are also installed. The following is a brief summary of each malware.


A. Ethereum Classic CoinMiner

The CoinMiners are installed in the “%APPDATA%\DnsCache\dnsCleaner.exe” path. dnsCleaner.exe is a dropper malware, which creates a CoinMiner with the name ‘dnscache.exe’ in the same path before passing on an argument and executing the miner. There are types that install lolMiner and those that install PhoenixMiner.

The following are types of CoinMiners created for each case and the argument information, which is the threat actor’s wallet address.

lolMiner

Figure 7. lolMiner execution argument

PhoenixMiner #1

“%APPDATA%\DnsCache\dnscache.exe” -log 0 -pool ssl://asia1-etc.ethermine.org:5555 -log 0 -pool2 ssl://us1-etc.ethermine.org:5555 -wal 0x66B43Cc9B4f86E2B057a733816297a24BFa547D6. […]

PhoenixMiner #2

“%APPDATA%\DnsCache\dnscache.exe” -log 0 -pool ssl://asia1-etc.ethermine.org:5555 -log 0 -pool2 ssl://eu1-etc.ethermine.org:5555 -wal 0x4dd10a91e43bc7761e56da692471cd38c4aaa426.[…]

  • Threat actor’s Ethereum Classic wallet address 1 : 0x66B43Cc9B4f86E2B057a733816297a24BFa547D6
  • Threat actor’s Ethereum Classic wallet address 2 : 0x4dd10a91e43bc7761e56da692471cd38c4aaa426

B. CLIPBANKER

ClipBanker is a malware that checks data in the clipboard and changes it to the threat actor’s wallet address when it is determined to be a cryptocurrency wallet address, ClipBanker operates in the infected system, and when the user copies a string to the clipboard, it checks if it matches the following regular expressions.

Figure 8. Regular expressions used in the comparison of strings in the clipboard

Each expression is used to verify the wallet addresses for different coins including Bitcoin, Ethereum, and Litecoin. If the string on the clipboard matches the regular expression, it is changed to the threat actor’s wallet address. The following is the list of wallet addresses for each coin type.

– Bitcoin P2PKH (btc1) : 16ks5o3U2Vdo9ZVM22whdhaEB7PqitbFyR
– Bitcoin P2SH (btc3) : 3JzzbKbSpKcgxa95xym1JBJRRgv1Ps5azu
– Bitcoin Bech32 (btcbc2) : bc1qnswqxhwlq32vcfy8j8s227amt74j7vhxfnhwx6
– Ethereum (eth) : 0x66B43Cc9B4f86E2B057a733816297a24BFa547D6
– TRON (trx) : TDvZcjZ6tDVL3Hsc8dPK99bSr3QL2MmhAb
– Stellar (xlm) : GBMNM7KM7CKNK4BNOPWCXRDZ4HI572RW4V7TEJSCHPUFTS5I4BFIW7IY
– Ripple (xrp) : rw4bq6adT8gPQfNLxrv7Cq83CxQPANw4BR
– Litecoin (ltc) : LWwWkjczWKohkxVvqj5W22G3j2PSRmnUT6
– NEO Coin (nec) : 0x66B43Cc9B4f86E2B057a733816297a24BFa547D6
– Bitcoin Cash (bch) : qrjrvnw4y7mztw9pm2p3j2yennt9g27n3u9pksahg7

One thing to note is that the NEO wallet and the Ethereum wallet addresses are the same.


C. QUASAR RAT

Like the fake dnSpy distribution case from before, Quasar RAT is still being used until now. The threat actor Quasar RAT with the name (tag), “OldBot” in their attacks.

Figure 9. Quasar RAT with the OldBot tag

The C&C address of Quasar RAT is found from the external address seen in the routine above, And when accessed, the C&C address can be seen.

Figure 10. Quasar RAT C&C address uploaded to a website

D. VIDAR INFOSTEALER

The threat actor also used Vidar in their attacks. Vidar is an Infostealer that not only steals account credentials but also various other user information including web histories, cookies, and cryptocurrency wallet addresses. Aside from information extortion, it also supports a downloader feature that installs additional malware.

The recently distributed version of Vidar uses a variety of platforms such as Steam, Telegram, and Mastodon to find the C&C address.[4] The following are Steam and Mastodon profile web pages that Vidar connects to, and we can see that the C&C addresses are still visible on these pages.

Figure 11. Vidar C&C URL


3. Conclusion

The threat actor who mined Ethereum by distributing malware disguised as dnSpy in the past seems to have changed their tactics to mining Ethereum Classic following the disabling of Ethereum mining. While the current method of distribution is yet to be identified, the threat actor has a history of using a website disguised as an official website as the platform of distribution in the past.

Users must be particularly cautious about executables downloaded from unknown sources, and it is advised that users download programs such as utilities and games from their official websites. Users should also apply the latest patch for OS and programs such as internet browsers and update V3 to the latest version to prevent malware infection in advance.

File Detection
– Malware/Win32.RL_Generic.C4124695 (2020.06.14.01)
– Infostealer/Win.Vidar.R540446 (2022.12.13.01)
– Trojan/Win.Hpgen.R534371 (2022.11.14.01)
– Trojan/Win.ClipBanker.C4446208 (2021.04.30.02)
– Trojan/Win.Generic.R533377 (2022.11.07.02)
– Trojan/Win.Hpgen.R532433 (2022.11.01.02)
– Backdoor/Win32.QuasarRAT.R341693 (2020.06.27.06)
– HackTool/Win.Disabler.R442117 (2021.09.20.03)
– CoinMiner/Win.Generic.R551967 (2023.01.17.02)
– Win-Trojan/Miner3.Exp (2020.01.23.00)
– CoinMiner/Win.PhoenixMiner.R263897 (2021.04.13.00)

Behavior Detection
– Malware/MDP.Behavior.M2318
– SystemManipulation/MDP.DisableWindowsDefender.M2769

IOC
MD5

– 5503eec7cb0ca25f1ecb0702acd14fba : Ethereum Classic Miner (m.jpg)
– 436efede151a6b24171e4f7e7deb07bc : Ethereum Classic Miner (m.jpg, u.exe, obs.exe)
– aa2294040015cedbf94a56845f80e144 : Ethereum Classic Miner (m.jpg)
– 51ff42d909a879d42eb5f0e643aab806 : PhoenixMiner (dnscache.exe)
– 1b2878db748ddb13a90444ab36bae825 : lolMiner (dnscache.exe)
– 76b091bf16f1c11a72c4df12974215f0 : ClipBanker (b.exe)
– 54539d31c30670f1f9c0104ed1b6e661 : Quasar RAT (m.jpg)
– 8a49833ca67c783481869f99fba5566e : Vidar InfoStealer (obs.exe)
– f7bf1fd41df3159c5d6142c2b696bef3 : Vidar InfoStealer (obs.exe)
– 1575b49ffd9402c9b9186d803d491732 : Vidar InfoStealer (obs.exe)
– ad7858b9bbe0bdccae61cff787024ef9 : Vidar InfoStealer (obs.exe)
– 0a50081a6cd37aea0945c91de91c5d97 : Defender Control (d.exe)

C&C
– hxxps://priv8note[.]net/r/ipcontent : Quasar RAT
– 149.102.129[.]194:22 : Quasar RAT
– hxxps://steamcommunity[.]com/profiles/76561199436777531 : Vidar C&C
– hxxp://95.217.29[.]31/1758
– hxxp://116.202.3[.]192/1758
– hxxp://49.12.113[.]223/1758
– hxxps://mas[.]to/@ofadex : Vidar C&C
– hxxp://95.217.31[.]129/1758
– hxxp://88.99.120[.]225/1758
– hxxp://195.201.252[.]143/1758
– hxxps://mas[.]to/@jogifoy492 : Vidar C&C
– hxxp://95.216.182[.]219/1758
– hxxp://95.217.246[.]41/1758
– hxxp://95.217.27[.]155/1758
– hxxps://c[.]im/@xinibin420 : Vidar C&C
– hxxp://95.216.181[.]10/1758
– hxxp://95.216.182[.]38/1758

Download URL
– hxxp://176.57.150[.]117/m.jpg
– hxxp://176.57.150[.]117/b.exe
– hxxp://176.57.150[.]117/d.exe
– hxxp://176.57.150[.]117/u.exe
– hxxp://176.57.150[.]117/obs.exe

Subscribe to AhnLab’s next-generation threat intelligence platform ‘AhnLab TIP’ to check related IOC and detailed analysis information.

0 0 votes
Article Rating
guest

1 Comment
Inline Feedbacks
View all comments
trackback

[…] Distribution of Kimsuky Group’s xRAT (Quasar RAT) Confirmed Attack Cases of CoinMiners Mining Ethereum Classic Coins […]