PyBitmessage Backdoor Malware Installed with CoinMiner
The AhnLab Security Intelligence Center (ASEC) has recently detected a new type of backdoor malware being distributed alongside a Monero coin miner. This blog post covers malware that uses the PyBitmessage library to communicate over a P2P (Peer to Peer) network and encrypt the message content between endpoints, instead of using traditional HTTP communications and direct IP connections. This lets the malware avoid leaving traces of a central server and attempt to evade detection by antivirus products and network security solutions.
The Bitmessage protocol is a messaging system designed with anonymity and decentralization in mind, and it features the prevention of interception by intermediaries and the anonymization of message senders and receivers. Threat actors exploited the PyBitmessage module, which implements this protocol in the Python environment, to exchange encrypted packets in a format similar to regular web traffic. In particular, C2 commands and control messages are hidden within messages from real users in the Bitmessage network, making it very difficult for detection products to classify this communication as malicious behavior.
This report analyzes the structure of the backdoor malware and the PyBitmessage-based C2 implementation. It covers topics such as how the malware generates Monero coinminers, and how a malicious PowerShell script executed in a fileless manner performs backdoor functions.
Analysis

Figure 1. Attack flow
Decrypt & Drop
The Monero CoinMiner and BackDoor are both stored, encrypted, in the resource section of the top-level file. When the malware is executed, it reads the data from the resource and decrypts it with XOR operations.
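As an added example (not code from the ASEC report), the following Python script shows how an analyst can decode an XOR-encrypted resource blob of the kind described above without knowing the key in advance: it tries every single-byte key and keeps the one that yields a valid PE header ("MZ" at offset 0 and "PE\0\0" at e_lfanew). The sample blob, its key (0x5A) and its contents are constructed for this example; the real key and payloads are not published on the page.

```python
import struct

# Added example (not code from the ASEC report): recover and apply a single-byte
# XOR key to an encrypted resource blob by checking for a valid PE header.
# The sample blob and key below are constructed for this example.


def xor_bytes(data: bytes, key: bytes) -> bytes:
    """XOR data against a repeating key (a 1-byte key is the common dropper case)."""
    klen = len(key)
    return bytes(b ^ key[i % klen] for i, b in enumerate(data))


def looks_like_pe(blob: bytes) -> bool:
    """Cheap structural check: 'MZ' at offset 0 and 'PE\\0\\0' at e_lfanew."""
    if len(blob) < 0x40 or blob[:2] != b"MZ":
        return False
    e_lfanew = struct.unpack_from("<I", blob, 0x3C)[0]
    return 0x40 <= e_lfanew <= len(blob) - 4 and blob[e_lfanew:e_lfanew + 4] == b"PE\x00\x00"


def recover_single_byte_key(cipher: bytes):
    """Try all 256 single-byte keys; return the one that yields a PE header, else None.
    A return value of 0 means the blob was not encrypted at all."""
    for k in range(256):
        if looks_like_pe(xor_bytes(cipher, bytes([k]))):
            return k
    return None


def decrypt_resource(cipher: bytes):
    """Return (key, plaintext) if a single-byte XOR key recovers a PE, else (None, None)."""
    k = recover_single_byte_key(cipher)
    if k is None:
        return None, None
    return k, xor_bytes(cipher, bytes([k]))


def _build_fake_pe() -> bytes:
    """Constructed stand-in for a dropped PE: MZ stub, e_lfanew=0x80, PE signature, filler."""
    hdr = bytearray(0x80)
    hdr[:2] = b"MZ"
    struct.pack_into("<I", hdr, 0x3C, 0x80)
    return bytes(hdr) + b"PE\x00\x00" + b"\x00" * 60 + b"CONSTRUCTED PAYLOAD"


PLAIN_SAMPLE = _build_fake_pe()
SAMPLE_KEY = 0x5A                                                 # constructed key
ENCRYPTED_SAMPLE = xor_bytes(PLAIN_SAMPLE, bytes([SAMPLE_KEY]))   # what a dropper would store as RCDATA

if __name__ == "__main__":
    key, plain = decrypt_resource(ENCRYPTED_SAMPLE)
    if key is None:
        print("no single-byte XOR key found")
    else:
        print(f"recovered key: {key:#x}, PE header valid: {looks_like_pe(plain)}")
```

To use it on a real sample, extract the RCDATA resource with any resource tool and pass the bytes to `decrypt_resource`; if it returns `(None, None)` the dropper is using a longer key or a different scheme, and the known-plaintext check needs to be extended (for example, testing the first N bytes against the expected DOS stub for an N-byte repeating key).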

Figure 2. XOR Decrypt – RCDATA
Monero CoinMiner Malware
Monero coinminers exploit the strong anonymity of the Monero cryptocurrency to secretly use infected system resources for mining, thereby profiting the threat actor. For analysis information on the distribution of Monero malware, refer to the ASEC Blog [1][2].
The three files needed for the mining function (config.json, WinRing0x64.sys, idle_maintenance.exe) are created in the “%Temp%\3048491484896530841649” path.

Figure 3. Folder where Monero CoinMiner malware is created
PyBitmessage BackDoor Malware
As mentioned earlier, PyBitmessage is a P2P (Peer to Peer) messaging client implemented in Python. It can send and receive messages on the network without a central server by encrypting communications between the endpoints, and it can also conceal information such as the sender and receiver. When this technique is used for C2 communication, it is difficult to distinguish normal use of PyBitmessage from malicious use. PyBitmessage is open source and can be found on GitHub [3]. Its functions are also described on the official website shown below.

Figure 4. PyBitmessage official website
The BackDoor malware, written in PowerShell, installs the PyBitmessage file upon initial execution so that it can handle POST requests arriving on the local 8442 port. It first attempts to download the file from the Release page on GitHub. If that URL is inaccessible, it falls back to a URL suspected to be a personal drive and attempts to download the file from there. The personal drive page set up by the threat actor is a file hosting and sharing site. Given that the site is in Russian, the threat actor is likely from Russia or a Russian-speaking country.

Figure 5. PyBitmessage file uploaded by the threat actor to the drive (spcs.bio)
The downloaded PyBitmessage file is created with PyInstaller. When executed, it creates .pyc and .pyd files and various modules in the “%TEMP%\_MEI~~” path before executing them. Among these files, QtGui4.dll is present. It is suspected that the threat actor is attempting to conceal the malware by patching a specific offset of this QtGui4.dll file to 0x00, thus removing its normal functionality.
Afterward, it creates several files and paths necessary for the function to operate, then waits for the threat actor’s command. It can be seen that the message received from the threat actor is saved and executed as a PowerShell script, as shown in the image below. The script is also saved in the .\s path.

Figure 6. Code that saves and executes the threat actor’s message as a PowerShell script
In cases like this, where a backdoor uses the network function of a legitimate program (PyBitmessage), it is difficult to detect and analyze the malware and to trace the threat actor. It is therefore crucial to carefully monitor behaviors involving P2P-based communications. While it has not been identified how the malware is being distributed, the fact that it is capable of disguising itself as a legitimate file suggests that it may be distributed disguised as a legitimate file or a cracked version of software. Users should refrain from using files from unknown sources, torrents, or cracked software, and instead use official websites and legitimate distribution channels. Keeping security products up to date can also help prevent similar malware strains.
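As an added example (not code from the ASEC report or the PyBitmessage project), the following Python script turns the host-side behaviors described in this post into a small detection rule set and runs it over constructed telemetry: PyInstaller extraction of .pyc/.pyd/.dll files into %TEMP%\_MEI*, a listener on local port 8442, PowerShell spawned by that process, and files dropped into the %Temp%\3048491484896530841649 folder. Only the folder name, the file names and the port come from the report; the event schema, paths, PIDs, process names and the .ps1 file name are constructed. The `correlate` step is the practical point: a PyInstaller app extracting to _MEI is benign on its own, so it is the combination of rules on one process that is worth an alert.

```python
import re
from dataclasses import dataclass

# Added example (not code from the ASEC report): rule set over constructed host
# telemetry. Only MINER_DIR, MINER_FILES and the 8442 port come from the page.

MINER_DIR = "3048491484896530841649"          # drop folder name from the report
MINER_FILES = {"config.json", "winring0x64.sys", "idle_maintenance.exe"}
BITMESSAGE_API_PORT = 8442


@dataclass
class Finding:
    rule: str
    severity: str
    pid: int        # process the finding is attributed to
    detail: str


def _norm(path: str) -> str:
    return path.replace("/", "\\").lower()


def _basename(path: str) -> str:
    return _norm(path).rsplit("\\", 1)[-1]


def in_pyinstaller_temp(path: str) -> bool:
    """True for files under a PyInstaller one-file extraction directory (%TEMP%\\_MEI<digits>\\)."""
    return re.search(r"\\temp\\_mei\d+\\", _norm(path)) is not None


def in_temp(path: str) -> bool:
    return "\\temp\\" in _norm(path)


def evaluate(events):
    """Apply per-event rules; return a list of Findings (benign events produce none)."""
    findings = []
    for ev in events:
        t = ev["type"]
        if t == "listen" and ev["lport"] == BITMESSAGE_API_PORT:
            sev = "high" if in_temp(ev["image"]) else "medium"   # listener living in %TEMP% is worse
            findings.append(Finding("listener_on_bitmessage_api_port", sev, ev["pid"],
                                    f'{ev["laddr"]}:{ev["lport"]} by {ev["image"]}'))
        elif t == "file_create":
            p = _norm(ev["path"])
            if in_pyinstaller_temp(p) and p.endswith((".pyc", ".pyd", ".dll")):
                findings.append(Finding("pyinstaller_temp_extraction", "info", ev["pid"], p))
            if f"\\{MINER_DIR}\\" in p or (in_temp(p) and _basename(p) in MINER_FILES):
                findings.append(Finding("coinminer_component_dropped", "high", ev["pid"], p))
        elif t == "process_create" and _basename(ev["image"]) == "powershell.exe":
            parent = ev["parent_image"]
            if in_temp(parent) or "bitmessage" in _basename(parent):
                # attribute to the parent: it is the process feeding scripts to PowerShell
                findings.append(Finding("powershell_spawned_by_temp_process", "high",
                                        ev["parent_pid"], ev["cmdline"]))
    return findings


def correlate(findings, min_rules: int = 2):
    """PIDs that trip at least `min_rules` distinct rules; one rule alone is often benign."""
    by_pid = {}
    for f in findings:
        by_pid.setdefault(f.pid, set()).add(f.rule)
    return {pid for pid, rules in by_pid.items() if len(rules) >= min_rules}


# Constructed sample telemetry (not from the report): one infected chain plus benign noise.
TEMP = r"C:\Users\u\AppData\Local\Temp"
PS = r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"
BM = TEMP + r"\pybitmessage.exe"                        # constructed image name
SAMPLE_EVENTS = [
    {"type": "file_create", "pid": 4100, "image": BM, "path": TEMP + r"\_MEI41002\QtGui4.dll"},
    {"type": "file_create", "pid": 4100, "image": BM, "path": TEMP + r"\_MEI41002\bitmessageqt.pyc"},
    {"type": "listen", "pid": 4100, "image": BM, "laddr": "127.0.0.1", "lport": BITMESSAGE_API_PORT},
    {"type": "process_create", "pid": 4212, "image": PS, "parent_pid": 4100, "parent_image": BM,
     "cmdline": r"powershell.exe -File .\s\msg.ps1"},   # msg.ps1 is a constructed name
    {"type": "file_create", "pid": 4300, "image": r"C:\Users\u\Downloads\setup.exe",
     "path": TEMP + "\\" + MINER_DIR + r"\WinRing0x64.sys"},
    # benign noise: a web server on another port and PowerShell started from Explorer
    {"type": "listen", "pid": 900, "image": r"C:\nginx\nginx.exe", "laddr": "0.0.0.0", "lport": 8080},
    {"type": "process_create", "pid": 5000, "image": PS, "parent_pid": 1,
     "parent_image": r"C:\Windows\explorer.exe", "cmdline": "powershell.exe"},
]

if __name__ == "__main__":
    found = evaluate(SAMPLE_EVENTS)
    for f in found:
        print(f"[{f.severity}] pid={f.pid} {f.rule}: {f.detail}")
    print("correlated PIDs:", correlate(found))
```

Feeding real EDR or Sysmon events into `evaluate` only requires mapping them onto the four fields each rule reads; the thresholds and the list of miner file names are the parts to tune per environment.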