The rise of crypto-mining malware, and its gradual displacement of other types of threats such as ransomware, is not that surprising after all. By using various obfuscation techniques, these cryptocurrency-mining programs manage to stay undetected by security software, which makes them very appealing to attackers: they do not have to worry about their malware being quickly removed from the compromised system, and it slowly generates revenue that can be much greater than the income made from ransomware or adware.
However, in order to remain unnoticed on infected computers, crypto miner authors constantly have to improve their obfuscation techniques, because security researchers improve detection almost as quickly as the malware is developed. On November 8th, 2018, a newly found cryptocurrency miner, detected as COINMINER.WIN32.MALXMR.TIAOODAM, demonstrated obfuscation methods not seen before, including the use of Windows Installer to remain invisible on the infected machine.
Trend Micro researchers Janus Agcaoili and Gilbert Sison disclosed further details about the coin miner and its working principles in their analysis, stating that Windows Installer lets the miner slip past even sophisticated anti-spyware programs because the installer is treated as a legitimate program, so the subsequent execution is not interrupted.
The malware arrives on the victim’s machine as a Windows Installer MSI file, which is notable because Windows Installer is a legitimate application used to install software. Using a real Windows component makes the payload look less suspicious and potentially allows it to bypass certain security filters.
The installation process starts with the coin miner installing itself into the %AppData%\Roaming\Microsoft\Windows\Template\FileZilla Server directory, which holds the components needed for the later stages:
- .bat – A script file used to terminate a list of antimalware processes that are currently running
- .exe – An unzipping tool used to extract another file dropped in the directory, icon.ico
- .ico (icon.ico) – A password-protected ZIP file posing as an icon file
Unpacking icon.ico reveals two additional files contained within it:
- .ocx – The loader module responsible for decrypting and installing the cryptocurrency mining module
- .bin – The encrypted, UPX-packed and Delphi-compiled cryptocurrency mining module
But that is not the only interesting improvement found during the analysis of COINMINER.WIN32.MALXMR.TIAOODAM. During the malware setup, the installer strangely used Cyrillic script instead of the usual English, which may indicate that this cryptocurrency-mining malware originates from Russia or another Slavic-speaking region. Additionally, the Trend Micro researchers suspect that the miner later applies another evasion method, intended to prevent detection of its API calls, by creating copies of the Windows system libraries ntdll.dll and user32.dll (the Windows USER component) in %AppData%\Roaming\Microsoft\Windows\Template\FileZilla Server\{Random Numbers}, and also placing the miner’s files in the %UserTemp%\ folder.
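Two of the on-disk artefacts described above are easy to check for without any signature: an .ico file that is really a ZIP archive, and copies of ntdll.dll or user32.dll sitting outside the Windows system directories. The triage script below is an added example written for this article; it is not Trend Micro's code, and the directory tree it scans is constructed in a temporary folder (the FileZilla Server path, the random-numbered subfolder and the file contents are all mock-ups) so it runs offline without touching the host.

```python
"""Triage helper (added example, not Trend Micro's code): flag two of the
on-disk artefacts described for COINMINER.WIN32.MALXMR.TIAOODAM.

1. A file with an .ico extension whose bytes are actually a ZIP archive
   (the password-protected "icon.ico" dropper component).
2. Copies of ntdll.dll / user32.dll found outside the Windows system
   directories (the API-detection evasion the researchers suspected).

Every sample file below is constructed in a temporary directory; nothing
else on the host is read or written.
"""
import os
import tempfile
import zipfile
from pathlib import Path

ZIP_MAGIC = b"PK\x03\x04"          # local file header of a ZIP archive
ICO_MAGIC = b"\x00\x00\x01\x00"    # reserved(0) + type(1 = icon resource)
# Directories where the two DLLs legitimately live; anywhere else is suspect.
LEGIT_DLL_DIRS = ("windows\\system32", "windows\\syswow64", "windows\\winsxs")
DLL_NAMES = {"ntdll.dll", "user32.dll"}


def classify_icon(path: Path) -> str:
    """Return 'zip', 'ico' or 'other' based on the first four bytes only."""
    with open(path, "rb") as fh:
        head = fh.read(4)
    if head == ZIP_MAGIC:
        return "zip"
    if head == ICO_MAGIC:
        return "ico"
    return "other"


def is_misplaced_system_dll(path: Path) -> bool:
    """True when ntdll.dll / user32.dll sits outside the Windows system dirs."""
    if path.name.lower() not in DLL_NAMES:
        return False
    # Normalise separators so the check behaves the same on POSIX test hosts.
    parent = str(path.parent).lower().replace("/", "\\")
    return not any(d in parent for d in LEGIT_DLL_DIRS)


def scan(root: Path) -> list[tuple[str, str]]:
    """Walk `root` and return (reason, path) pairs for every suspicious file."""
    findings = []
    for dirpath, _, filenames in os.walk(root):
        for name in filenames:
            p = Path(dirpath) / name
            if name.lower().endswith(".ico") and classify_icon(p) == "zip":
                findings.append(("zip-disguised-as-ico", str(p)))
            elif is_misplaced_system_dll(p):
                findings.append(("system-dll-outside-system-dir", str(p)))
    return findings


def build_sample_tree() -> Path:
    """Construct a mock of the dropped directory layout (test data only)."""
    root = Path(tempfile.mkdtemp(prefix="miner-triage-"))
    drop = root / "AppData" / "Roaming" / "Microsoft" / "Windows" / "Template" / "FileZilla Server"
    drop.mkdir(parents=True)
    # A real ZIP (placeholder contents) renamed to icon.ico, as in the article.
    with zipfile.ZipFile(drop / "icon.ico", "w") as z:
        z.writestr("placeholder.ocx", b"not a real loader")
    # A genuine minimal icon header, which must not be flagged.
    (drop / "real.ico").write_bytes(ICO_MAGIC + b"\x00" * 12)
    # Copies of the system DLLs in a random-numbered subfolder (number is made up).
    fake_sys = drop / "4815162342"
    fake_sys.mkdir()
    (fake_sys / "ntdll.dll").write_bytes(b"MZ" + b"\x00" * 62)
    (fake_sys / "user32.dll").write_bytes(b"MZ" + b"\x00" * 62)
    # The same DLL name under a System32-like path, which must not be flagged.
    sys32 = root / "Windows" / "System32"
    sys32.mkdir(parents=True)
    (sys32 / "ntdll.dll").write_bytes(b"MZ" + b"\x00" * 62)
    return root


if __name__ == "__main__":
    for reason, path in scan(build_sample_tree()):
        print(f"{reason}: {path}")
```

On a real host you would point `scan()` at the user profile directory instead of the constructed tree; the magic-byte check catches the disguised archive regardless of what the file is named, and the DLL check only fires for the two library names the researchers called out, so it stays quiet on ordinary application folders.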
Overall, cryptocurrency-mining malware has changed a great deal in recent years, challenging the cybersecurity world and continuing to surprise it with new obfuscation methods. Crypto miners such as XMRig, CoinHive and Rakhni are already extremely widespread, silently mining a fortune from unsuspecting users. Given the new features presented by COINMINER.WIN32.MALXMR.TIAOODAM, we can expect it to soon become another major headache for malware professionals.