AhnLab EDR Detects CoinMiner Propagated via USB in South Korea

1. Overview

CoinMiners secretly use the CPU and GPU resources of users’ computers to mine cryptocurrency, which degrades the performance of the affected machines. They are usually distributed through phishing emails, malicious websites, system vulnerabilities, and other means. For an analysis of this malware, please refer to the AhnLab SEcurity intelligence Center (ASEC) Blog post.[1] This post revisits the CoinMiner behavior analyzed in that previous post through AhnLab EDR’s event diagrams and explains the detection details.

2. Privilege Escalation

The infected USB contains a shortcut called USB Drive.lnk instead of the files previously stored by the user. USB Drive.lnk executes the x<random 6 digits>.vbs file inside the rootdir, a hidden folder created during propagation. The executed x<random 6 digits>.vbs file executes the x<random 6 digits>.bat file, which creates a folder named “C:\Windows(space)\System32”. The diagram below shows the behavior of the x<random 6 digits>.bat file when it creates and accesses the folder named “C:\Windows(space)\System32”.

Figure 1. Behavior detected when creating and accessing the folder “C:\Windows(space)\System32”

If x<random 6 digits>.bat runs successfully, it drops a legitimate printui.exe together with a malicious printui.dll inside the folder named “C:\Windows(space)\System32”.

Creating a folder whose name imitates “C:\Windows\System32” but contains a trailing space after “Windows” is a technique often used by malware to impersonate the location of important system files and have its executable elevated. When the operating system decides whether to auto-elevate a program, it checks the following conditions:

  • Checks for the presence of “<autoElevate>true</autoElevate>” in the executable’s manifest
  • Checks if the digital signature is valid
  • Checks if the file is executed from a trusted folder (e.g., “C:\Windows\System32”) or a system folder

If these conditions are not met, privilege escalation does not occur automatically. However, as shown in Figure 1, the files inside the folder named “C:\Windows(space)\System32” are treated as residing in a trusted folder, allowing privilege escalation to occur.

3. Bypassing Windows Defender

The malicious DLL, loaded through the DLL side-loading technique, adds the “C:\Windows(space)\System32” and “C:\Windows\System32” folders to the Windows Defender scan exclusion paths using a PowerShell command. This prevents the malware files subsequently created in these folders from being detected.

AhnLab EDR detects the behavior of registering folders to the Windows Defender scan exclusion path settings as shown below.

Figure 2. AhnLab EDR detects the behavior of bypassing Windows Defender
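As an added illustration of how the two behaviors described above (a binary running from a mock “C:\Windows(space)\System32” folder, and a Windows Defender exclusion being registered via PowerShell) can be flagged in process telemetry, the following Python example is not AhnLab’s code or part of the original post. The event format, field names, and sample events are constructed for the example; only the “Windows” + trailing-space path pattern and the Add-MpPreference -ExclusionPath command are taken from the behavior the post describes.

```python
import re
from typing import Dict, List

# Constructed sample process events (not from the page), modelled on the behaviours the post describes:
# a binary run from a mock "C:\Windows \System32" folder, and a Defender exclusion being added.
SAMPLE_EVENTS = [
    r'''pid="1201" image="C:\Windows \System32\printui.exe" parent="wscript.exe" cmdline="printui.exe"''',
    r'''pid="1202" image="C:\Windows\System32\printui.exe" parent="explorer.exe" cmdline="printui.exe"''',
    r'''pid="1203" image="C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" parent="printui.exe" '''
    r'''cmdline="powershell -Command Add-MpPreference -ExclusionPath 'C:\Windows \System32'"''',
    r'''pid="1204" image="C:\Program Files\App\app.exe" parent="explorer.exe" cmdline="app.exe"''',
]

# The real trusted folder has no whitespace inside "Windows"; a folder such as "C:\Windows \System32"
# (trailing space after "Windows") only looks like one. Match one or more spaces before the separator.
MOCK_TRUSTED_DIR = re.compile(r'^[A-Za-z]:\\Windows\s+\\System32\\', re.IGNORECASE)
# Add-MpPreference -ExclusionPath is the PowerShell cmdlet/parameter that registers a Defender scan exclusion.
DEFENDER_EXCLUSION = re.compile(r'\bAdd-MpPreference\b.*-ExclusionPath\b', re.IGNORECASE)


def parse_event(line: str) -> Dict[str, str]:
    """Turn key="value" pairs into a dict (values contain no double quotes in this constructed format)."""
    return dict(re.findall(r'(\w+)="([^"]*)"', line))


def detect(events: List[str]) -> List[Dict[str, str]]:
    """Return one alert per matching rule, in input order."""
    alerts = []
    for line in events:
        ev = parse_event(line)
        image, cmdline = ev.get("image", ""), ev.get("cmdline", "")
        if MOCK_TRUSTED_DIR.match(image):
            alerts.append({"pid": ev["pid"], "rule": "mock_trusted_directory", "detail": image})
        if DEFENDER_EXCLUSION.search(cmdline):
            alerts.append({"pid": ev["pid"], "rule": "defender_exclusion_added", "detail": cmdline})
    return alerts


if __name__ == "__main__":
    for alert in detect(SAMPLE_EVENTS):
        print(alert)
```

Process 1202, the genuine printui.exe in the real System32 folder, produces no alert, which is the distinction the mock-directory rule must make.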

4. Maintaining Persistence

To maintain persistence, the malware registers a service and a scheduled task. The file registered as a service is the CoinMiner malware itself, and the file registered as a scheduled task is the CoinMiner updater, which downloads a new version of CoinMiner. Both are detected by AhnLab EDR.

Figure 3. Detection of service registration behavior

Figure 4. Detection of scheduled tasks

5. USB Propagation

Once running, the CoinMiner checks for USB devices connected to the user’s computer and generates the propagation files. It hides the victim’s files on the infected USB inside a hidden folder, then creates the x<random 6 digits>.vbs, x<random 6 digits>.bat, and x<random 6 digits>.dat files in the rootdir hidden folder, and finally creates USB Drive.lnk.

AhnLab EDR records the behavior of creating these files, setting their hidden attribute, and modifying the registry, as shown in the image below.

Figure 5. Detection of USB spreading behavior

6. Conclusion

Through AhnLab EDR, the distribution of CoinMiner via USB, as well as the malware’s privilege escalation, Windows Defender bypass, and other malicious behaviors, can be identified. With this information, security administrators can understand the chain of events leading up to the malware’s execution and can also collect the data that serves as evidence of the threat actor’s activity for breach incident investigations.

EDR Detection Name

– Persistence/EDR.Event.M12408
– DefenseEvasion/EDR.WindowDefender.M11093
– Suspicious/DETECT.T1053.M2676

MD5

