CoinMiner Distribution Process within Infiltrated Systems (Detected by EDR)

CoinMiner Distribution Process within Infiltrated Systems (Detected by EDR)

AhnLab Security Emergency Response Center (ASEC) has identified the process through which threat actors install CoinMiners, which utilize a compromised system’s resources for cryptocurrency mining. This post will cover how the AhnLab EDR product detects the installation process of CoinMiners that use system resources for cryptocurrency mining.

Figure 1. Execution of command from threat actor

  Figure 1 shows that the threat actor used the same command consistently on the infiltrated system. It shows a PowerShell script was detected being executed by a PowerShell command through the CMD process. Instead of downloading files directly, only a script is received as a string and executed.

Figure 2. Malicious PowerShell behavior

  The executed PowerShell script decodes data encoded in Base64 and creates a file named “nodejssetup-js.exe” in the TEMP directory, which it then executes.

Figure 3. Key behavior of the malware

  The executed malware can be observed in Figures 3 and 4. Its main features include receiving data files encrypted in DES from a distribution site, decrypting them, and injecting (Process Hollowing) them into the normal process MSBuild.exe.

Figure 4. Malware feature

 

Figure 5. Memory of msbuild after being injected

  The injected (Process Hollowed) MSBuild.exe performs malicious behaviors. These malicious behaviors can be seen in Figures 5, 6, 7, and 8. Figure 5 shows the memory value of MSBuild.exe after it has been injected. These values can be found in the AhnLab EDR detection screens shown in Figures 6, 7, and 8. It receives additional malware (Figure 6), injects it into the normal process AddInProcess.exe, and executes it (Figure 7). By examining the command line during the execution in Figure 8, it can be confirmed that this is the method used for executing the CoinMiner.

Figure 6. Malicious behavior from MSBuild 1

 

Figure 7. Malicious behavior from MSBuild 2

 

Figure 8. Malicious behavior from MSBuild 3

   

Figure 9. Miner behavior from AddInProcess.exe

  Finally, CPU usage that exceeds a certain threshold can be observed from the injected (Process Hollowed) AddInProcess.exe. The process of installing a cryptocurrency CoinMiner that utilizes system resources on an infiltrated system involves multiple processes. However, the malware used is only one: “nodejssetup-js.exe”. All other scripts and malicious PE files used in the injection (Process Hollowing) process exist only in the memory. To detect this distribution method, enabling behavior detection in V3, an endpoint anti-malware solution, is necessary. In case of infection, further actions can be taken through detailed analysis using EDR.   [Behavior Detection] Execution/MDP.Powershell.M2514 Connection/EDR.Behavior.M2650 Execution/EDR.Malware.M10459 Execution/MDP.Powershell.M1185 Injection/MDP.Hollowing.M10428 Execution/EDR.Powershell.M11170 

MD5

1c5d05def6e3baabe8da94a3d275c5e5
6efe15382531ae994f2f220046421b1d
URL

http[:]//185[.]174[.]136[.]91/name[.]dll
http[:]//79[.]137[.]196[.]27/bypass[.]ps1
https[:]//files[.]catbox[.]moe/k541xr[.]dll
https[:]//files[.]catbox[.]moe/kwfxr7[.]dll

To learn more about AhnLab EDR's advanced behavior-based detection and reponse, please click the banner below