We recently published an article about the Xbooster parasitic malware campaign that uses Amazon Web Services (AWS) to deliver the payloads and exfiltrate victims' host details. This blog post details the technical analysis of Xbooster, the different Xbooster strains, and the Monero earnings of the associated accounts.
The Xbooster Monero miner that we initially observed was delivered by a drive-by download from http://54[.]214[.]196[.]101/afplayer/aivengo_down[.]php?clickid=820d1j6slqdhqf9f. The URL path suggests that the malware distribution involved a “pay-per-install” (PPI) / “pay-per-click” (PPC) model, which generates revenue for the threat actor for each install or click.
The URL delivered a file disguised as Adobe Flash Player, named AdobeFlashPlayer__820d1j6slqdhqf9f.exe, following the format AdobeFlashPlayer__<clickid number>.exe. The sample also contained the PDB path C:\Work\Xmrig_console_explorer4\Release\aivengo.pdb.
The sample contained a zip file encapsulated in the resource section as shown in Figure 1.
Figure 1: Xbooster resource section
The password-protected zip file is unzipped at runtime with the password ‘1’. This routine is shown in Figure 2.
Figure 2: Password of the zip file in the resource section
The zip file contains two binaries, xmrig.exe and manager.exe, which are placed in the %Appdata%\Xbooster folder. On Windows XP, for persistence, the same files are also launched via job files named explorer.job and manager.job. The explorer.job file launches the xmrig miner with the associated Monero receipt wallet, which is hard-coded in the Xbooster binary, as shown in Figure 3.
Figure 3: Explorer.job file created by Xbooster
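As an added example (not code from the original analysis), the following Python script carves an embedded zip archive out of a binary blob, lists its members with the password ‘1’ supplied for any encrypted entries, and flags the xmrig.exe/manager.exe pair described above. The carrier bytes are constructed for the demonstration, and because Python's zipfile can read but not write password-protected archives, the sample archive is unencrypted.

```python
import io
import zipfile

LOCAL_HDR = b"PK\x03\x04"  # zip local file header signature
EOCD = b"PK\x05\x06"       # end-of-central-directory signature
# Member names the analysis above reports inside the archive Xbooster carries.
XBOOSTER_MEMBERS = {"xmrig.exe", "manager.exe"}


def carve_zips(data: bytes) -> list:
    """Carve every zip archive embedded in a blob such as a PE file: each runs from
    a local file header to the end of the next EOCD record (22 bytes + comment)."""
    archives, pos = [], 0
    while (start := data.find(LOCAL_HDR, pos)) != -1:
        end = data.find(EOCD, start)
        if end == -1:
            break
        comment_len = int.from_bytes(data[end + 20:end + 22], "little")
        pos = end + 22 + comment_len   # resume after this archive, not inside it
        archives.append(data[start:pos])
    return archives


def list_members(archive: bytes, password: bytes = b"1") -> dict:
    """Map member name -> (size, encrypted flag). zipfile only consults the
    password for entries whose encryption bit is set, so '1' is harmless otherwise."""
    members = {}
    with zipfile.ZipFile(io.BytesIO(archive)) as zf:
        for info in zf.infolist():
            with zf.open(info, pwd=password) as fh:
                members[info.filename] = (len(fh.read()), bool(info.flag_bits & 1))
    return members


def is_xbooster_payload(members: dict) -> bool:
    """True when the archive carries exactly the miner/manager pair."""
    return set(members) == XBOOSTER_MEMBERS


def build_sample() -> bytes:
    """Constructed carrier: fake PE-like bytes wrapped around an unencrypted zip
    (Python's zipfile cannot write password-protected archives)."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr("xmrig.exe", b"MZ" + b"\x90" * 40)    # placeholder bodies
        zf.writestr("manager.exe", b"MZ" + b"\xcc" * 24)
    return b"MZ" + b"\x00" * 64 + buf.getvalue() + b".reloc" + b"\x00" * 32
```

Run `carve_zips` over a suspect binary and pass each result to `list_members` and `is_xbooster_payload` to triage it.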
Apart from creating the entries mentioned above, Xbooster tries to notify the host ztracker[.]xyz, using the associated click ID “820d1j6slqdhqf9f”, that the machine has been infected. Though the click IDs are easily configurable, it becomes clear that the Xbooster malware distribution follows a PPI / PPC model. As an example, the packet capture of a GET request using the click ID 12345 is shown in Figure 4.
Figure 4: Xbooster installation notification to ztracker[.]xyz
The passive DNS records gave us further intelligence about the host ztracker[.]xyz. At the time of analysis, the host resolved to two IP addresses, 54[.]71[.]60[.]18 and 35[.]161[.]204[.]189, as shown in Figure 5.
Figure 5: VirusTotal passive DNS records of ztracker[.]xyz
In the VirusTotal passive DNS records, the binaries communicating with these IPs were dominated by Xbooster binaries.
The execution flow of the binary in the Windows 7 environment of the Netskope Cloud Sandbox is shown in Figure 6.
Figure 6: Execution flow of Xbooster in Netskope Cloud Sandbox
Analysis of Xmrig.exe
Xmrig.exe is a Monero CPU miner that supports the Stratum protocol. Stratum is an open-source client-server “overlay” protocol that enables thin clients and is most commonly used by coin miners. The miner supports a wide range of options, as shown in Figure 7.
Figure 7: Xmrig CPU miner options
The Xmrig miner has an interesting option named “donation” that donates mining power to the XMRig developers. It is generally 5% (5 minutes in every 100 minutes), but it can be reduced to 1% via the command-line option --donate-level. This provision may also be one reason threat actors choose the xmrig miner.
The packet capture of the mining operation is shown in Figure 8.
Figure 8: Xmrig packet capture
The mining operation is carried out by worker 39 for the associated Monero account, using the routine shown in Figure 9.