Binary Managed Object File (BMOF) Distributing XMRig CoinMiner (Detected by MDS)
This blog post introduces Binary Managed Object Files (BMOFs) and cases where XMRig CoinMiner is distributed through them.
Binary Managed Object File (BMOF)
Binary Managed Object File (BMOF) is the compiled form of a Managed Object File (MOF), which is used to define and manage Windows Management Instrumentation (WMI) information. The file format itself is not malicious: hundreds of such files exist by default under the “C:\Windows\System32\wbem” path. However, it can be abused because it allows JScript and VBScript to be executed. Thus, threat actors use BMOF together with a “Permanent Event Subscription” to maintain persistence for their malware.
A Permanent Event Subscription is a structure for receiving notifications about changes to certain events or data. It is the rule that sends a notification when the defined event occurs.
An example configuration of MOF is shown below.

Figure 1. MOF configuration example
The directive “#pragma namespace("\\\\.\\root\\subscription")” in the 1st line indicates the intent to register a Permanent Event Subscription. Because a rule registered this way is retained even after a system reboot or WMI repository reconfiguration, it can be used permanently.
The rest of the configuration consists of an Event Filter, a Consumer, and a Binding. The Event Filter in the 3rd line specifies the “event filtering conditions”; for example, threat actors can make it so that only the events that start a certain process are monitored.
The Consumer in the 11th line defines the “actions to perform when the event occurs”; this part makes a certain program run when the event occurs.
Lastly, the Binding in the 18th line creates a subscription by “connecting the event filter and the consumer”, so that the consumer runs whenever an event that satisfies the event filter occurs. Taken together, the example above is a MOF that runs Notepad when Calculator is run.
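Since the filter, consumer and binding are the three objects that make up a subscription, the practical defender's check is to enumerate the bindings in root\subscription and join each one back to its filter query and consumer payload. The PowerShell below is an added example, not code from the ASEC post; the function names are our own, and it assumes a Windows host where the CIM cmdlets are available.

```powershell
# Added example (not from the ASEC post): list every permanent WMI event
# subscription in root\subscription, joining each __FilterToConsumerBinding
# to its __EventFilter and __EventConsumer, and flag the consumer classes
# that can execute code. Function and output property names are our own.

function Get-ReferenceName {
    param([object]$Reference)
    # Get-CimInstance returns reference properties as CimInstance objects
    # with the key (Name) populated; legacy WMI object paths arrive as strings.
    if ($Reference -is [string]) {
        if ($Reference -match 'Name="([^"]*)"') { return $Matches[1] }
        return $Reference
    }
    return $Reference.Name
}

function Get-PermanentWmiSubscription {
    param([string]$Namespace = 'root\subscription')

    $filters   = @(Get-CimInstance -Namespace $Namespace -ClassName __EventFilter)
    $consumers = @(Get-CimInstance -Namespace $Namespace -ClassName __EventConsumer)
    $bindings  = @(Get-CimInstance -Namespace $Namespace -ClassName __FilterToConsumerBinding)

    foreach ($binding in $bindings) {
        $filterName   = Get-ReferenceName $binding.Filter
        $consumerName = Get-ReferenceName $binding.Consumer

        $filter   = $filters   | Where-Object { $_.Name -eq $filterName }   | Select-Object -First 1
        $consumer = $consumers | Where-Object { $_.Name -eq $consumerName } | Select-Object -First 1

        # Querying the base class __EventConsumer returns the derived
        # instances, so the real class name tells us what the consumer does.
        $consumerType = if ($consumer) { $consumer.CimClass.CimClassName } else { 'missing' }
        $filterQuery  = if ($filter)   { $filter.Query } else { '' }

        # The payload is what a reviewer needs to read: the script body for
        # ActiveScriptEventConsumer, the command line for CommandLineEventConsumer.
        $payload = switch ($consumerType) {
            'ActiveScriptEventConsumer' {
                if ($consumer.ScriptText) { $consumer.ScriptText } else { $consumer.ScriptFileName }
            }
            'CommandLineEventConsumer' {
                if ($consumer.CommandLineTemplate) { $consumer.CommandLineTemplate } else { $consumer.ExecutablePath }
            }
            default { '' }
        }

        [PSCustomObject]@{
            FilterName   = $filterName
            FilterQuery  = $filterQuery
            ConsumerName = $consumerName
            ConsumerType = $consumerType
            ExecutesCode = $consumerType -in @('ActiveScriptEventConsumer', 'CommandLineEventConsumer')
            Payload      = $payload
        }
    }
}

# Show code-executing subscriptions first. A stock Windows install carries
# only the "SCM Event Log" filter/consumer pair (NTEventLogEventConsumer),
# which does not execute code and is expected to appear here.
Get-PermanentWmiSubscription |
    Sort-Object ExecutesCode -Descending |
    Format-List FilterName, FilterQuery, ConsumerType, ExecutesCode, Payload
```

Run it from an elevated prompt so that every instance in the namespace is readable. Any entry whose ConsumerType is ActiveScriptEventConsumer or CommandLineEventConsumer should be accounted for by a known product; a filter query that watches for a specific process start paired with a script or command-line consumer is exactly the pattern the MOF example above describes.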

Figure 2. The process tree upon executing the MOF example
As shown in Figure 2, running Calculator causes Notepad to be executed as a child process of the Windows program “scrcons.exe”. Since that program runs with admin privileges, serious issues can arise if the executed program is a malware strain.
Attack Cases
The first case of this attack is presumed to be the self-propagation method used by Stuxnet in the attack on Iranian nuclear facilities in 2010. Currently, BMOF is used by BondNet, a malware strain that first appeared in 2017, to distribute XMRig CoinMiner. Initial access is known to be gained through an exploit or a brute-force attack on the SQL Server SA account.
When the intrusion is successful, a malicious BMOF is created and executed. Because a BMOF cannot be executed by itself, it is run through the Windows default program “mofcomp.exe”.
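The two execution artifacts described above, a child process under scrcons.exe (Figure 2) and a BMOF fed to mofcomp.exe, leave traces a responder can look for. The following PowerShell is an added example rather than code from the ASEC post; the function names are our own, and it assumes a Windows host with the CIM cmdlets and the Microsoft-Windows-WMI-Activity/Operational log available.

```powershell
# Added example (not from the ASEC post): defender-side checks for the
# execution chain described in the post. Function names are our own.

function Get-ScrconsChildProcess {
    # scrcons.exe hosts ActiveScriptEventConsumer scripts, so any child it
    # has spawned was launched by a WMI subscription rather than by a user.
    $procs = @(Get-CimInstance -ClassName Win32_Process)
    $byPid = @{}
    foreach ($p in $procs) { $byPid[[uint32]$p.ProcessId] = $p }

    foreach ($p in $procs) {
        $parent = $byPid[[uint32]$p.ParentProcessId]
        if ($parent -and $parent.Name -ieq 'scrcons.exe') {
            [PSCustomObject]@{
                ProcessId   = $p.ProcessId
                Name        = $p.Name
                CommandLine = $p.CommandLine
                ParentName  = $parent.Name
                ParentId    = $parent.ProcessId
            }
        }
    }
}

function Get-SuspiciousMofcomp {
    # mofcomp.exe legitimately compiles the MOF/BMOF files shipped under
    # System32\wbem; an input file from any other directory deserves review.
    Get-CimInstance -ClassName Win32_Process -Filter "Name = 'mofcomp.exe'" |
        Where-Object { $_.CommandLine -and $_.CommandLine -notmatch '(?i)\\system32\\wbem\\' } |
        Select-Object ProcessId, ParentProcessId, CommandLine
}

function Get-WmiBindingEvent {
    param([int]$Days = 30)
    # Event 5861 in Microsoft-Windows-WMI-Activity/Operational is written when
    # a permanent filter-to-consumer binding is created. Its message embeds the
    # consumer definition, so the script text or command line stays visible
    # even after the subscription itself has been removed.
    Get-WinEvent -FilterHashtable @{
        LogName   = 'Microsoft-Windows-WMI-Activity/Operational'
        Id        = 5861
        StartTime = (Get-Date).AddDays(-$Days)
    } -ErrorAction SilentlyContinue |
        ForEach-Object {
            [PSCustomObject]@{
                TimeCreated  = $_.TimeCreated
                ExecutesCode = $_.Message -match 'ActiveScriptEventConsumer|CommandLineEventConsumer'
                Message      = $_.Message
            }
        }
}

Get-ScrconsChildProcess | Format-Table -AutoSize
Get-SuspiciousMofcomp   | Format-Table -AutoSize
Get-WmiBindingEvent     | Where-Object ExecutesCode | Format-List TimeCreated, Message
```

The two process checks only see what is running at the moment they are executed, and mofcomp.exe exits as soon as compilation finishes, so for historical coverage rely on the 5861 events (or, where Sysmon is deployed, its WmiEvent IDs 19, 20 and 21 for filter, consumer and binding activity). A 5861 event whose message names an ActiveScriptEventConsumer is the registration step that precedes the scrcons.exe child process shown in the post's process tree.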

Figure 3. Execution example
When the BMOF is executed, it deletes the “hosts” file, creates guest accounts, downloads additional VBE files, and configures an RDP connection if the system has high performance. It then creates XMRig CoinMiner under the “C:\Windows\Temp” path and executes it. The resulting process tree is as follows.

Figure 4. The final process tree
Detection by MDS
AhnLab MDS detects this malware type under the name “DefenseEvasion/MDP.Delete.M11648” in sandbox environments.

Figure 5. MDS detection screen
[File Detection]
CoinMiner/Win.XMRig.R649143 (2024.05.23.01)
CoinMiner/Win.XMRig.R636370 (2024.02.25.00)
Downloader/FOMB.Agent (2024.02.27.00)
Trojan/BAT.RUNNER.SC203192 (2024.08.20.03)
Trojan/VBS.Agent.SC199715 (2024.06.08.02)
Trojan/Win.Proxy.R661576 (2024.08.20.02)
[Behavior Detection]
DefenseEvasion/MDP.Delete.M11648
Execution/MDP.Event.M12052
Execution/MDP.Event.M12053