AhnLab Security Emergency Response Center (ASEC) has identified the process by which threat actors install CoinMiners, malware that uses a compromised system’s resources for cryptocurrency mining. This post covers how the AhnLab EDR product detects that installation process.
Figure 1 shows that the threat actor ran the same command repeatedly on the infiltrated system: a PowerShell script executed by a PowerShell command launched through the CMD process. Instead of downloading a file directly, the script is received as a string and executed in memory, so no script file is written to disk at this stage.
The PowerShell script decodes Base64-encoded data, writes the result to a file named “nodejssetup-js.exe” in the TEMP directory, and then executes it.
The executed malware can be observed in Figures 3 and 4. Its main routine downloads a data file encrypted with DES from a distribution site, decrypts it, and injects the resulting payload into the legitimate process MSBuild.exe by process hollowing.
The hollowed MSBuild.exe then carries out the malicious behaviors shown in Figures 5 through 8. Figure 5 shows the memory of MSBuild.exe after injection; the same values can be found in the AhnLab EDR detection screens in Figures 6, 7, and 8. The hollowed MSBuild.exe downloads additional malware (Figure 6), injects it into the legitimate process AddInProcess.exe, and executes it (Figure 7). The command line captured at execution in Figure 8 confirms that this is how the CoinMiner is run. Both MSBuild.exe and AddInProcess.exe ship with the .NET Framework, which is why the miner is executed inside them rather than as an image of its own.
Finally, the hollowed AddInProcess.exe can be observed consuming CPU above a set threshold, the tell-tale sign of the miner doing its work.
Installing a CoinMiner that consumes system resources on an infiltrated system involves multiple processes, but only one malicious file is written to disk: “nodejssetup-js.exe”. Every other script and malicious PE used in the process-hollowing chain exists only in memory, so file-based scanning alone cannot see those stages. Detecting this distribution method therefore requires enabling behavior detection in V3, AhnLab’s endpoint anti-malware solution. In case of infection, follow-up actions can be taken after detailed analysis with EDR.
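The chain above (cmd.exe to inline PowerShell, a dropped executable in TEMP, MSBuild.exe and AddInProcess.exe hollowed as hosts, and a CPU spike at the end) maps directly onto process-creation telemetry. The following Python is an added example, not ASEC’s or AhnLab’s code, showing how a detection engineer might flag each stage from Sysmon-style events and walk the parent chain back from the miner host. The record fields, the CPU threshold, the allowlist of legitimate build parents, the miner-style command-line hints, and every sample event (pids, paths, the pool URL) are assumptions constructed for the example, not values taken from the post.

```python
"""Stage-by-stage detection of the fileless CoinMiner chain described above.

Added example (not ASEC's or AhnLab's code). Walks Sysmon-style process-creation
records and flags each stage:
  1. cmd.exe launching powershell.exe with the script passed inline
     (-Command / -EncodedCommand) instead of as a file
  2. powershell.exe starting an executable dropped under %TEMP%
  3. MSBuild.exe / AddInProcess.exe started by a non-build parent (hollowing hosts),
     or carrying miner-style arguments
  4. one of those hosts burning CPU (the miner running inside it)
Field names, thresholds, allowlists and all sample records are assumptions.
"""
import base64
import re
from dataclasses import dataclass


@dataclass
class ProcEvent:
    pid: int
    ppid: int
    image: str          # full path of the created process
    parent_image: str   # full path of the creating process
    cmdline: str
    cpu_pct: float = 0.0  # CPU share sampled later in the process lifetime (assumed field)


def basename(path: str) -> str:
    return path.replace("/", "\\").rsplit("\\", 1)[-1].lower()


# -e, -ec, -en, -enc, -encodedcommand. "-ExecutionPolicy"/"-ep" do not match because
# the switch must be followed by whitespace and then the base64 blob.
ENC_RE = re.compile(r"(?i)(?:^|\s)-(?:e|ec|en|enc|encodedcommand)\s+([A-Za-z0-9+/=]+)")


def encode_command(script: str) -> str:
    """Build an -EncodedCommand argument (PowerShell expects UTF-16LE, base64)."""
    return base64.b64encode(script.encode("utf-16-le")).decode("ascii")


def decode_encoded_command(cmdline: str):
    """Return the decoded script if the command line carries -EncodedCommand, else None."""
    m = ENC_RE.search(cmdline)
    if not m:
        return None
    try:
        return base64.b64decode(m.group(1), validate=True).decode("utf-16-le")
    except (ValueError, UnicodeDecodeError):
        return None


# Strings a dropper script like the one in the post would contain: in-memory Base64
# decode of a PE, a path under %TEMP%, execution. Assumed indicators, not quoted text.
DROPPER_MARKERS = ("frombase64string", "$env:temp", "start-process", "invoke-expression", "iex")
# Parents that legitimately start each hollowing host (assumed allowlist; tune per estate).
EXPECTED_PARENTS = {"msbuild.exe": {"devenv.exe", "msbuild.exe", "dotnet.exe"},
                    "addinprocess.exe": set()}
MINER_HINTS = ("stratum+tcp://", "stratum+ssl://", "--donate-level")  # assumed indicators
CPU_THRESHOLD = 80.0  # assumed; the post only says "a certain threshold"


def script_text(ev: ProcEvent) -> str:
    return (decode_encoded_command(ev.cmdline) or ev.cmdline).lower()


def classify(ev: ProcEvent) -> list:
    """Return the stage labels a single event matches (empty list if benign)."""
    img, parent = basename(ev.image), basename(ev.parent_image)
    findings = []
    if img == "powershell.exe" and parent == "cmd.exe":
        hits = [m for m in DROPPER_MARKERS if m in script_text(ev)]
        if hits:
            findings.append(f"stage1: inline PowerShell dropper from cmd.exe ({', '.join(hits)})")
    if parent == "powershell.exe" and "\\temp\\" in ev.image.lower():
        findings.append(f"stage2: powershell.exe executed dropped file {img}")
    if img in EXPECTED_PARENTS and parent not in EXPECTED_PARENTS[img]:
        findings.append(f"stage3: {img} started by non-build parent {parent} (hollowing host)")
    if img in EXPECTED_PARENTS and any(h in ev.cmdline.lower() for h in MINER_HINTS):
        findings.append(f"stage3: miner-style command line on {img}")
    if img in EXPECTED_PARENTS and ev.cpu_pct >= CPU_THRESHOLD:
        findings.append(f"stage4: {img} at {ev.cpu_pct:.0f}% CPU")
    return findings


def analyze(events: list) -> dict:
    """Map pid -> findings for every event that matched at least one stage."""
    return {ev.pid: f for ev in events if (f := classify(ev))}


def ancestry(events: list, pid: int) -> list:
    """Walk ppid links from a process back to the root so the whole chain can be reported."""
    by_pid = {ev.pid: ev for ev in events}
    chain, last = [], None
    while pid in by_pid and len(chain) < 32:
        last = by_pid[pid]
        chain.append(basename(last.image))
        pid = last.ppid
    if last is not None:
        chain.append(basename(last.parent_image))  # root parent seen only as a name
    return chain


# Constructed sample telemetry mirroring the chain in the post (all values made up).
DROPPER = ('$p="$env:TEMP\\nodejssetup-js.exe";'
           '[IO.File]::WriteAllBytes($p,[Convert]::FromBase64String("TVpBQUFB"));'
           'Start-Process $p')
PS_CMDLINE = "powershell.exe -nop -w hidden -enc " + encode_command(DROPPER)
NET = r"C:\Windows\Microsoft.NET\Framework64\v4.0.30319"
PS = r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"
SAMPLE_EVENTS = [
    ProcEvent(100, 10, r"C:\Windows\System32\cmd.exe", r"C:\Windows\explorer.exe", "cmd.exe /c " + PS_CMDLINE),
    ProcEvent(101, 100, PS, r"C:\Windows\System32\cmd.exe", PS_CMDLINE),
    ProcEvent(102, 101, r"C:\Users\victim\AppData\Local\Temp\nodejssetup-js.exe", PS, "nodejssetup-js.exe"),
    ProcEvent(103, 102, NET + r"\MSBuild.exe", r"C:\Users\victim\AppData\Local\Temp\nodejssetup-js.exe", "MSBuild.exe"),
    ProcEvent(104, 103, NET + r"\AddInProcess.exe", NET + r"\MSBuild.exe",
              "AddInProcess.exe -o stratum+tcp://pool.example:3333 -u WALLET", cpu_pct=97.0),
    # Benign control: a developer build started by Visual Studio must not alert.
    ProcEvent(105, 20, NET + r"\MSBuild.exe", r"C:\Program Files\Microsoft Visual Studio\Common7\IDE\devenv.exe",
              "MSBuild.exe project.csproj /t:Build"),
]

if __name__ == "__main__":
    for pid, findings in analyze(SAMPLE_EVENTS).items():
        for f in findings:
            print(pid, f)
    print(" <- ".join(ancestry(SAMPLE_EVENTS, 104)))
```

Running the block prints one line per matched stage (pids 101 through 104) and the reconstructed chain addinprocess.exe <- msbuild.exe <- nodejssetup-js.exe <- powershell.exe <- cmd.exe <- explorer.exe, while the benign devenv.exe-launched MSBuild.exe produces nothing. Decoding the -EncodedCommand argument is the important step: without it the stage 1 rule would only ever see an opaque Base64 blob, which is exactly what the "script as a string" technique relies on.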
AhnLab EDR protects the endpoint environment by delivering behavioral detection, advanced analysis, holistic visibility, and proactive threat hunting. For more information about the product, please visit our official website.