Netskope Threat Research Labs has detected several samples related to a coin miner malware named Zminer. The kill chain begins with the delivery of a drive-by download Zminer executable that downloads payloads from Amazon S3 cloud storage to a victim’s machine and then uses the machine’s computing resources to perform coin mining. Netskope Threat Research Labs detects the parent file as Gen:trojan.her.jp.iuw@acephpni and the downloaded payloads as Backdoor.generckd.12153334, Backdoor.generckd.5229808 and Application.BitCoinMiner.RH
Overview
“Coin mining” is a term that became popular after the introduction of Bitcoin. Bitcoin is the first decentralized digital currency invented by a programmer named Satoshi Nakamoto. It does not make use of financial institutions as it is solely tied to the Bitcoin addresses, so no central authority is necessary to control the currency. Transactions are made by digitally exchanging encrypted hash codes across a peer-to-peer (P2P) network between users. Each user’s bitcoins are stored in a program called a digital wallet, which also holds the user’s address for sending and receiving bitcoins and a private key only known to the user as an additional layer of protection. There are several coins similar to Bitcoin that we will explain in the cryptocurrencies section
Coin Mining
Coin mining is a procedure for earning coins by mining hardware based on a fixed amount of computing power. This is performed using a coin miner. Anyone with access to the internet and suitable hardware can participate in mining. Depending on the hardware and resources available, several mining methods like CPU mining, GPU mining, FPGA mining, ASC mining and cloud mining are used for coin mining. Upon verification of these mining transactions, a coin is generated using a public ledger, known as the blockchain.
Mining coins using standard computer hardware has become unprofitable. Pooled mining approach has been introduced to compensate this problem. Pooled mining is a mining approach where groups of individual miners contribute to the generation of a block, and then split the block reward according to the contributed processing power. A comprehensive list of some of the pools and their payout methods are documented in this Wikipedia article.
Cryptocurrency
A cryptocurrency works as a digital asset exchange medium using cryptography. Bitcoin is the first decentralized cryptocurrency, which has led to the creation of several cryptocurrencies. There are more than 900 cryptocurrencies as of 11 July 2017 documented in Wikipedia.
Cryptocurrency Valuation
Cryptocurrencies have a market cap of nearly $150 billion with Bitcoin taking the top spot. Currently valued around $4,000 per bitcoin and on a fast pace towards the $5,000 per bitcoin valuation, the chart of Bitcoin’s value is shown in Figure 1.
Figure 1: Bitcoin Price Chart
Cybercriminals and Cryptocurrency
The massive growth of the internet as a money model for cryptocurrencies has attracted the interest of cybercriminals. Malware is implanted in a victim’s machine to perform the following:
- Mine bitcoins using the machine’s computing resources or even a company’s server power
- Steal the victim’s Bitcoin wallet
- Pay ransom using Bitcoin to recover the ransomware-encrypted files
Analysis of Zminer
On execution, Zminer downloads two payloads from Amazon S3 Cloud storage named Claymore+CryptoNote+CPU+Miner+v3.5+Beta+-+POOL.zip and Manager.exe as shown in Figure 2 and Figure 3.
Figure 2: Claymore CryptoNote CPU Miner payload from Amazon S3 Cloud Storage
Figure 3: Manager.exe payload from Amazon S3 Cloud Storage
Analysis of the payloads
NsCpuCNMiner32.exe
NsCpuCNMiner32.exe is a Monero (XMR) CPU miner executable dropped in the %Application Data%\Claymore CryptoNote CPU Miner v3.5 Beta – POOL\ directory. Monero (XMR) is an open-source cryptocurrency that uses the CryptoNote technology. This makes anyone with a computer able to mine it with a simple processor. The hashing power can be distributed throughout an entire network as long as the mining is within a small/medium pool. The Monero (XMR) CPU miner executable is a command line application that has several functions as shown in Figure 4.
Figure 4: Monero (XMR) CPU miner executable options
Manager.exe
Manager.exe ensures that Zminer will be able to carry out the mining operation. This is dropped in %windir% on installation. The binary contains an encrypted string that is decrypted during runtime as shown in Figure 5.
Figure 5: Decrypted Amazon S3 URL with the payload
The decrypted string is a URL that downloads another binary named DBupdater.exe using Amazon S3 cloud storage. The packet capture of the download activity is shown in Figure 6.
Figure 6: DBupdater.exe payload from Amazon S3 cloud storage
DBUpdater.exe
DBupdater.exe creates a log file named log.txt, that contains several details of the victim’s machine. The file is then uploaded to the C&C server with IP 54.214.246[.]97. The IP is registered to Amazon S3 whose resolve host is ec2-54-214-246-97.us-west-2.compute[.]amazonaws.com. The packet capture of the download activity is shown in Figure 7.
Figure 7: Data uploaded to the C&C 54.214.246[.]97
The log.txt file is deleted once the data is uploaded to the C&C
Driver.job, Manager.job
Driver.job and Manager.job job files contain instructions for the Windows Task Scheduler to execute. These are dropped in %windir%\Tasks\ folder and is only created in Windows XP. An example of the job file created by driver.job is shown in Figure 8.