Analysis of T-Rex CoinMiner Attacks Targeting Internet Cafés in Korea
AhnLab SEcurity intelligence Center (ASEC) has recently identified attacks that install CoinMiners in Korean Internet cafés. The threat actor is believed to have been active since 2022, and the attacks against Internet cafés have been occurring since the second half of 2024. The initial access method is unknown; most attacks targeted systems with Internet café management programs installed. The attacker used Gh0st RAT to gain control over infected systems, and most of the identified malware is either Gh0st RAT or a dropper that installs it. The threat actor also used a Patcher that modifies the memory of the management software, and downloaders that fetch these payloads.
1. Attack Scenario
Internet cafés rely on management programs to track each customer's usage time and bill for it. These programs automatically start measuring time when a customer logs in at a seat, calculate the usage fee, and apply promotions, simplifying the operators' work. The recently identified attacks mostly targeted systems on which a Korean Internet café management program is installed, that is, systems operated by Internet cafés. The initial access vector is under investigation and has not been confirmed. The threat actor installed Gh0st RAT to control the infected system and ultimately installed a CoinMiner called T-Rex to mine cryptocurrency.

Figure 1. Flowchart
These attacks have been ongoing since the second half of last year, and the management software manufacturer appears to have detected and responded to them: the company's website carries a notice listing the process names involved in the attacks.
The threat actor also appears to have analyzed the software well enough to understand how it works. Among the malware used in the attacks is a strain that patches the memory of the program installed on counter PCs. Although exactly how the patched program behaves is unknown, logs showing Gh0st RAT droppers installed in paths associated with the program suggest that the patch serves to maintain persistence.
In a rare case, a log was also found in which the management program's client process, installed on a guest PC by a small number of users, installed the Gh0st RAT dropper.

Figure 2. Gh0st RAT dropper being installed by the Internet café management program’s client

Figure 3. Gh0st RAT dropper executed by the Internet café management program’s client
- Installation Path: “%ProgramFiles(x86)%\********\**\*****\cmd.exe”
2. Malware
2.1. Gh0st RAT
Gh0st RAT is remote control malware developed by the Chinese C. Rufus Security Team. Because its source code is publicly available, malware developers have used it as a base for numerous variants that continue to appear in attacks. It is used mainly by Chinese-speaking threat actors.
The majority of the malware used in these attacks is Gh0st RAT and its dropper. The dropper is usually distributed packed with Themida or MPRESS. It carries Gh0st RAT in its resource section, writes it to a path such as “C:\map1800000.dll”, and loads it.

Figure 4. Gh0st RAT in the resource
Once loaded into memory, Gh0st RAT registers itself as a service and controls the infected system according to commands received from the C&C server. Because it is open source, many variants exist. The one used in this attack supports not only basic remote control features such as file and process control, but also information-stealing features such as keylogging and screen capture.
In addition, the signature string used in communication with the C&C server is “Level” instead of the default “Gh0st”. Using the RAT, the threat actor can control infected systems; a notable detail in the attack logs is that the RAT was used to download the Patcher malware.
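The “Level” signature is a usable network-level indicator. The following is an added example, not part of the ASEC report and not the RAT's own code, of a parser that recognizes Gh0st-style C&C frames under either magic string. It relies on the framing from the public Gh0st RAT source (a 5-byte magic, a little-endian total length, a little-endian uncompressed length, then a zlib stream); the report does not state that the “Level” variant keeps this framing, so that is an assumption, as is the constructed sample traffic.

```python
import struct
import zlib

# Framing from the public Gh0st RAT source:
#   magic[5] | total_len (uint32 LE) | uncompressed_len (uint32 LE) | zlib stream
# The variant in this report uses the magic "Level" instead of "Gh0st".
# Assumption (not stated in the report): the "Level" variant keeps the rest of the framing.
KNOWN_MAGICS = {b"Gh0st": "gh0st-classic", b"Level": "gh0st-level-variant"}
HEADER_LEN = 13
MAX_PAYLOAD = 16 * 1024 * 1024  # cap decompression so a hostile length field cannot exhaust memory


def build_packet(magic: bytes, payload: bytes) -> bytes:
    """Frame a payload the way Gh0st does; used here only to construct sample traffic."""
    body = zlib.compress(payload)
    return magic + struct.pack("<II", HEADER_LEN + len(body), len(payload)) + body


def parse_packet(data: bytes):
    """Return (variant, payload) for a well-formed Gh0st-style frame, otherwise None."""
    if len(data) < HEADER_LEN:
        return None
    variant = KNOWN_MAGICS.get(data[:5])
    if variant is None:
        return None
    total_len, orig_len = struct.unpack("<II", data[5:HEADER_LEN])
    # Both length fields must be consistent with the bytes actually captured.
    if total_len != len(data) or orig_len > MAX_PAYLOAD:
        return None
    inflater = zlib.decompressobj()
    try:
        payload = inflater.decompress(data[HEADER_LEN:], MAX_PAYLOAD)
    except zlib.error:
        return None
    if not inflater.eof or len(payload) != orig_len:
        return None
    return variant, payload


def scan_payloads(chunks):
    """Classify captured TCP payloads; returns [(index, variant), ...] for every hit."""
    hits = []
    for i, chunk in enumerate(chunks):
        result = parse_packet(chunk)
        if result is not None:
            hits.append((i, result[0]))
    return hits


# Constructed sample traffic (not captured from the incident): two Gh0st-style frames,
# one HTTP request, and one frame with a valid magic but a length field that does not match.
SAMPLES = [
    build_packet(b"Gh0st", b"constructed-login-payload"),
    build_packet(b"Level", b"constructed-login-payload"),
    b"GET / HTTP/1.1\r\nHost: example.invalid\r\n\r\n",
    b"Level" + struct.pack("<II", HEADER_LEN, 5) + b"junk",
]

if __name__ == "__main__":
    for idx, variant in scan_payloads(SAMPLES):
        print(f"sample {idx}: {variant}")
```

Matching on the magic alone would produce false positives on any stream that happens to start with the word “Level”; requiring the length fields to agree with the captured frame and the zlib body to inflate to exactly the declared size keeps the check tight enough for an IDS rule or a PCAP triage script.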

Figure 5. Behavior of installing Patcher malware
2.2. Patcher
Patcher searches the running processes for a specific process of the Internet café management program. It then reads that process's memory and compares it against a stored pattern, as shown in the upper part of the image below. If a match is found, the memory is overwritten with the patch shown in the lower part of the image.

Figure 6. Memory scan and patch pattern
Note that the file name referenced in the patched region was previously that of a WAV file, but it has been changed to “cmd.exe”. While the specific behavior of the Internet café management program is unknown, the presence of the Gh0st RAT dropper in the following path suggests that the patch makes the program launch the dropper, placed where the sound file would be, when the corresponding action is triggered.
- Installation Log: “%ProgramFiles(x86)%\********\**\sound\cmd.exe”
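The scan-and-patch logic described above, as an added example rather than code from the report or from the actual Patcher. Reading and writing another process's memory (ReadProcessMemory/WriteProcessMemory on Windows) is replaced by an in-memory buffer so the logic runs anywhere, and the byte patterns, the sound file name “alarm.wav”, and the `find_pattern`/`patch_memory`/`string_replacement` helpers are hypothetical placeholders; the report does not publish the real patterns.

```python
WILDCARD = None  # marks a byte position the scan ignores


def parse_pattern(text: str):
    """Turn a pattern such as '85 C0 75 ??' into a list of ints, with None for '??' wildcards."""
    return [WILDCARD if tok == "??" else int(tok, 16) for tok in text.split()]


def find_pattern(memory: bytes, pattern):
    """Return every offset in `memory` where `pattern` matches, honoring wildcards."""
    hits = []
    n = len(pattern)
    for off in range(len(memory) - n + 1):
        if all(p is WILDCARD or memory[off + i] == p for i, p in enumerate(pattern)):
            hits.append(off)
    return hits


def patch_memory(memory: bytes, pattern, replacement):
    """Scan for `pattern` and overwrite each match with `replacement`.

    Returns (patched_copy, offsets). A None in `replacement` leaves that byte untouched,
    which is how a patch can rewrite an opcode while keeping its operand bytes.
    """
    if len(replacement) != len(pattern):
        raise ValueError("replacement must cover exactly the scanned bytes")
    out = bytearray(memory)
    offsets = find_pattern(memory, pattern)
    for off in offsets:
        for i, b in enumerate(replacement):
            if b is not WILDCARD:
                out[off + i] = b
    return bytes(out), offsets


def string_replacement(old: bytes, new: bytes):
    """Build a same-length replacement for a NUL-terminated string slot.

    The new name must be shorter than the slot so that it still ends in a NUL; the
    remaining bytes are zero-filled rather than left as the tail of the old name.
    """
    if len(new) >= len(old):
        raise ValueError("replacement string must be shorter than the original slot")
    return list(new.ljust(len(old), b"\x00"))


# Constructed "process memory" (hypothetical, not from the incident): a few x64 instructions
# containing a conditional jump, padding, and a NUL-terminated sound file name.
MEMORY = (
    b"\x48\x8b\x45\x10\x85\xc0\x75\x1a\x48\x8d\x0d\x00\x00\x00\x00"
    + b"\x00" * 16
    + b"sound\\alarm.wav\x00"
    + b"\x00" * 16
)

# Hypothetical patch 1: turn "test eax,eax; jne rel8" into "test eax,eax; nop; nop".
JUMP_PATTERN = parse_pattern("85 C0 75 ??")
JUMP_PATCH = [WILDCARD, WILDCARD, 0x90, 0x90]

# Hypothetical patch 2: swap the sound file name for "cmd.exe", mirroring the WAV -> cmd.exe
# change the report describes.
OLD_NAME = b"alarm.wav\x00"
NEW_NAME = b"cmd.exe"

if __name__ == "__main__":
    patched, offs = patch_memory(MEMORY, JUMP_PATTERN, JUMP_PATCH)
    patched, offs2 = patch_memory(patched, list(OLD_NAME), string_replacement(OLD_NAME, NEW_NAME))
    print("jump patched at", offs, "name patched at", offs2)
    # Defender view: the post-patch bytes are themselves a scannable signature.
    print("cmd.exe present at", find_pattern(patched, list(b"cmd.exe\x00")))
```

The same `find_pattern` call, run over a memory dump of the management program with the post-patch bytes as the pattern, is the defender's check: if the original WAV name is gone and a NUL-terminated `cmd.exe` sits in its slot, the process has been patched.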
2.3. Downloader
The downloaders are simple in form and are responsible for installing the CoinMiner, Gh0st RAT, droppers, KillProc, or further downloaders.
2.4. T-Rex CoinMiner
Unlike most threat actors, who generally use XMRig to mine Monero, this threat actor uses the T-Rex CoinMiner. This is probably because PCs in Internet cafés are generally equipped with GPUs to support high-performance games. T-Rex is a GPU miner used for coins such as Ravencoin and, before its switch to proof-of-stake, Ethereum.
The T-Rex CoinMiner was installed in the following paths. The file names mentioned in the notice on the company's website mostly match these files. The threat actor appears to change the installation path each time the Internet café management program is updated.
- %ProgramFiles(x86)%\Windows NT\mmc.exe
- %ProgramFiles(x86)%\Windows NT\mtn.exe
- %ProgramFiles(x86)%\Windows NT\syc.exe
- %ProgramFiles(x86)%\Windows NT\syn.exe
- %ProgramFiles(x86)%\Windows NT\tnt.exe
Although details of the mining operation, such as the pool and wallet, are unknown because no command-line arguments or configuration files were recovered, the fact that the threat actor distributed PhoenixMiner as well as T-Rex suggests that cryptocurrency mining was their primary goal.
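A triage check for the paths above and for the `cmd.exe` dropper paths in sections 1 and 2.2, as an added example that is not part of the report. It flags the T-Rex file names listed here in their `Windows NT` folder, Windows system binary names (`mmc.exe`, `cmd.exe`, `conhost.exe`, `svchost.exe`) running outside System32/SysWOW64, and `svchost.exe` look-alike names such as the `svohost.exe`/`scvhost.exe` entries in the KillProc list below. It assumes a default `C:\Windows` installation; the process listing is constructed, with `redacted-vendor` standing in for the management program's folder, which the report masks.

```python
import ntpath

# File names and folder the report lists for T-Rex (the redacted management-program path is
# not reconstructed here). Matching is done case-insensitively on the literal path.
TREX_NAMES = {"mmc.exe", "mtn.exe", "syc.exe", "syn.exe", "tnt.exe"}
TREX_DIR = r"c:\program files (x86)\windows nt"

# Windows binaries whose legitimate copies live under %SystemRoot%\System32 or SysWOW64.
# Assumption: a default C:\Windows installation; adjust SYSTEM_DIRS for other system drives.
SYSTEM_BINARIES = {"mmc.exe", "cmd.exe", "conhost.exe", "svchost.exe"}
SYSTEM_DIRS = {r"c:\windows\system32", r"c:\windows\syswow64"}


def osa_distance(a: str, b: str) -> int:
    """Optimal string alignment distance: insert/delete/substitute plus adjacent transposition,
    so 'scvhost.exe' is 1 away from 'svchost.exe' rather than 2."""
    d = [[0] * (len(b) + 1) for _ in range(len(a) + 1)]
    for i in range(len(a) + 1):
        d[i][0] = i
    for j in range(len(b) + 1):
        d[0][j] = j
    for i in range(1, len(a) + 1):
        for j in range(1, len(b) + 1):
            cost = 0 if a[i - 1] == b[j - 1] else 1
            d[i][j] = min(d[i - 1][j] + 1, d[i][j - 1] + 1, d[i - 1][j - 1] + cost)
            if i > 1 and j > 1 and a[i - 1] == b[j - 2] and a[i - 2] == b[j - 1]:
                d[i][j] = min(d[i][j], d[i - 2][j - 2] + 1)
    return d[len(a)][len(b)]


def classify(image_path: str):
    """Return the reasons a running image is suspicious; an empty list means nothing was flagged."""
    path = image_path.lower()
    name = ntpath.basename(path)
    folder = ntpath.dirname(path)
    reasons = []
    if folder == TREX_DIR and name in TREX_NAMES:
        reasons.append("T-Rex CoinMiner install path from this report")
    if name in SYSTEM_BINARIES and folder not in SYSTEM_DIRS:
        reasons.append(f"system binary name {name} running outside System32/SysWOW64")
    if name != "svchost.exe" and name.endswith(".exe") and osa_distance(name, "svchost.exe") == 1:
        reasons.append("svchost.exe look-alike name")
    return reasons


def triage(process_paths):
    """Map each flagged image path to its reasons; clean processes are omitted."""
    flagged = {}
    for path in process_paths:
        reasons = classify(path)
        if reasons:
            flagged[path] = reasons
    return flagged


# Constructed process listing (not from the incident). "redacted-vendor" stands in for the
# management program's folder, which the report masks.
SAMPLE_PROCESSES = [
    r"C:\Windows\System32\svchost.exe",
    r"C:\Windows\System32\cmd.exe",
    r"C:\Program Files (x86)\Windows NT\mmc.exe",
    r"C:\Program Files (x86)\redacted-vendor\sound\cmd.exe",
    r"C:\Users\guest\AppData\Local\Temp\svohost.exe",
    r"C:\Users\guest\AppData\Local\Temp\scvhost.exe",
    r"C:\Program Files (x86)\Windows NT\Accessories\wordpad.exe",
]

if __name__ == "__main__":
    for path, reasons in triage(SAMPLE_PROCESSES).items():
        print(path, "->", "; ".join(reasons))
```

On a live counter PC the input would be the image paths of running processes, for example the output of `Get-Process | Select-Object -ExpandProperty Path`. The legitimate `Windows NT\Accessories\wordpad.exe` is deliberately included to show that the `Windows NT` folder itself is not the indicator; the specific file names directly inside it, and a system binary name outside the system directories, are.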
2.5. KillProc
Lastly, KillProc terminates competing CoinMiners among the currently running processes. Its target list also includes processes of the company's own software for blocking pornography and gambling sites, as well as several unidentified processes.
- ***Invoker.exe
- *****guard_c.exe
- *****guard_s.exe
- phoenixminer.exe
- miner.exe
- ethdcrminer64.exe
- mine.exe
- kminerclient.exe
- pms.exe
- chrome.exe
- scse.exe
- notice.exe
- mirc.exe
- svohost.exe
- scvhost.exe
- svvhost.exe
- geekminer.exe
- po4.exe
- cmd.exe
- conhost.exe
- U0f4d43d.bin.exe
3. Conclusion
A recent surge in malware attacks has been observed targeting Internet cafés in South Korea. These attacks are specifically aimed at environments where a certain Korean Internet café management software is installed. The malware used in the attacks mostly consist of Gh0st RAT and its associated droppers, with the ultimate payload being the T-Rex CoinMiner.
Administrators should keep the operating system and the Internet café management program up to date to close known vulnerabilities, and keep security products updated to prevent malware infection. They should also check the main file names listed in the IoC section to determine whether systems are infected and respond promptly.