The high return rate offered by cryptocurrency mining operations is encouraging cybercriminals to put extra thought into how to hide their mining malware so it can function for as long as possible before discovery.
One such effort, researched by Trend Micro, focuses on Coinminer.Win32.MALXMR.TIAOODAM, which uses Windows Installer as its cloak of invisibility. Trend Micro researchers Janus Agcaoili and Gilbert Sison found the malware being placed on a computer as a Windows Installer MSI file.
This is notable, they said, “because Windows Installer is a legitimate application used to install software. Using a real Windows component makes it look less suspicious and potentially allows it to bypass certain security filters.”
Additionally, the malware uses the custom Windows Installer builder WiX as a packer. Agcaoili and Sison believe this was done to further obfuscate the malware.
When installed, the miner either downloads itself, or creates and then downloads itself, into the directory %AppData%\Roaming\Microsoft\Windows\Template\FileZilla Server. This directory holds all the files needed to conduct the operation, including a:
- bat – A script file used to terminate a list of antimalware processes that are currently running.
- exe – An unzipping tool used for another file dropped in the directory, icon.ico.
- ico – A password protected zip file posing as an icon file.
The researchers said the next step, which is possibly taken to prevent detection of the malware’s APIs, is to create copies of the kernel file ntdll.dll and the Windows USER component user32.dll in %AppData%\Roaming\Microsoft\Windows\Template\FileZilla Server\{Random Numbers}.
The miner is then dropped into %UserTemp%\[Random Number].
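To turn the file-system artifacts described above into something a responder can actually check, here is an added Python triage script. It is not Trend Micro's code and is not from the original article: it constructs a throwaway directory tree that mimics the described layout (the "FileZilla Server" folder under the Windows Templates path, a password-protected ZIP named icon.ico, and copies of ntdll.dll and user32.dll in a numbered sub-folder) and then scans it for those three indicators. The directory and file names come from the article; the sub-folder number 12345, the batch file name kill.bat, and the benign app.ico used as a control are constructed placeholders.

```python
"""Triage a user-profile tree for the MALXMR drop artifacts described above.
Added example (not Trend Micro's code). The sample tree built by
build_sample_profile() is constructed test data, not real malware."""
from __future__ import annotations

import os
import tempfile
from pathlib import Path

ZIP_MAGIC = b"PK\x03\x04"                # local-file-header magic of a ZIP archive
SYSTEM_DLLS = {"ntdll.dll", "user32.dll"}  # copies of these belong only under the Windows directory
# Path suffix of the drop directory from the article, compared case-insensitively.
DROP_DIR_PARTS = ("microsoft", "windows", "template", "filezilla server")


def looks_like_zip(path: Path) -> bool:
    """True if the file begins with a ZIP local-file header, whatever its extension says."""
    try:
        with path.open("rb") as fh:
            return fh.read(4) == ZIP_MAGIC
    except OSError:
        return False


def is_drop_dir(path: Path) -> bool:
    """True if the directory ends with ...\\Microsoft\\Windows\\Template\\FileZilla Server."""
    parts = tuple(p.lower() for p in path.parts)
    return parts[-len(DROP_DIR_PARTS):] == DROP_DIR_PARTS


def scan_profile(root: Path) -> list[tuple[str, str]]:
    """Walk a user-profile tree and return (indicator, path) findings.

    Indicators: the drop directory itself, .ico files that are really ZIP
    archives, and ntdll.dll / user32.dll anywhere under the profile (a user
    profile should never contain its own copies of those system DLLs)."""
    findings: list[tuple[str, str]] = []
    for dirpath, _dirnames, filenames in os.walk(root):
        d = Path(dirpath)
        if is_drop_dir(d):
            findings.append(("drop_dir", str(d)))
        for name in filenames:
            f = d / name
            lname = name.lower()
            if lname.endswith(".ico") and looks_like_zip(f):
                findings.append(("zip_as_icon", str(f)))
            if lname in SYSTEM_DLLS:
                findings.append(("dll_copy_in_profile", str(f)))
    return findings


def build_sample_profile(base: Path) -> Path:
    """Construct a fake AppData tree mimicking the described drop (sample data only)."""
    drop = base / "AppData" / "Roaming" / "Microsoft" / "Windows" / "Template" / "FileZilla Server"
    sub = drop / "12345"                     # placeholder for the {Random Numbers} sub-folder
    sub.mkdir(parents=True)
    (drop / "icon.ico").write_bytes(ZIP_MAGIC + b"\x00" * 26)   # a ZIP posing as an icon
    (drop / "kill.bat").write_text("rem constructed placeholder batch file\n")
    (sub / "ntdll.dll").write_bytes(b"MZ" + b"\x00" * 62)      # dummy PE header bytes
    (sub / "user32.dll").write_bytes(b"MZ" + b"\x00" * 62)
    # A genuine icon elsewhere in the profile, to show that it is not flagged.
    benign = base / "AppData" / "Roaming" / "SomeApp"
    benign.mkdir(parents=True)
    (benign / "app.ico").write_bytes(b"\x00\x00\x01\x00" + b"\x00" * 12)  # ICO header
    return base


def demo() -> dict[str, int]:
    """Build the sample tree, scan it, and return a count of findings per indicator."""
    with tempfile.TemporaryDirectory() as tmp:
        findings = scan_profile(build_sample_profile(Path(tmp)))
        counts: dict[str, int] = {}
        for kind, _path in findings:
            counts[kind] = counts.get(kind, 0) + 1
        return counts


if __name__ == "__main__":
    for kind, n in sorted(demo().items()):
        print(f"{kind}: {n}")
```

On a live host you would point scan_profile() at the real %AppData% root instead of the temporary tree; the three checks are deliberately independent, so a hit on the ZIP-as-icon or stray-DLL check still fires if the drop directory name changes in a later variant.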
Trend Micro did not directly attribute this miner to any one group, but it pointed out that the language on the installer is written in Cyrillic which possibly points to a Russian origin.
Code injection is handled through three Service Host processes, the first two of which are there for redundancy and persistence to redownload the malware via Windows Installer if any of the injected processes are terminated.
The final defensive measure in place is a self-destruct sequence that, if triggered, deletes every file in the directory along with every trace of the code in the system.