sha1:
- 6d8716cddc3ca6c8558eb4f842d81638f00f01f8
Description
Malicious PowerShell script that installs stealthy cryptocurrency mining software. The script is obfuscated as delivered. It reaches the compromised system via a compiled Visual Basic application masquerading as video conferencing software.
Operating routine
The script downloads one of five sets of malicious modules from hxxps://asobimo[.]link:
- ZX-uninstaller2.rdp, ZX-uninstaller.rdp, ZE-uninstaller.rdp, ZX.rdp, ZE.rdp
- S32-uninstaller.rdp, S64-uninstaller.rdp, S32.rdp, S64.rdp
- mc-uninstaller.rdp, ec-uninstaller.rdp, mc.rdp, ec.rdp
- updater-uninstaller.rdp, updatere-uninstaller.rdp, updaterx-uninstaller.rdp, updaterx-uninstaller2.rdp, updater.rdp, updaterx.rdp
- updater.rdp, updaterx.rdp
Each module set performs the following actions:
- Deletes old miner tasks
- Installs the %APPDATA%\usernetwork\ipv4\updater.exe executable and adds a task to run it.
- Installs the %APPDATA%\usernetwork\ipv4\updaterx.exe executable file, which is Trojan.BtcMine.2742, and adds new tasks. The miner fetches its settings from: hxxp://myownservice.duckdns[.]org:8000/mclient[.]txt, hxxps://asobimo[.]link/marosa[.]txt, hxxps://pastebin[.]com/raw/9UHQkGec.
After downloading and executing the modules, the PowerShell script hxxps://asobimo[.]link/checkubr[.]txt is loaded, which saves and runs the following files:
- $env:PUBLIC\Pictures\un.exe, downloaded from hxxps://asobimo[.]link/asom-uninstaller.rdp. The file is Trojan.Hosts.51840, sha1:99111907b50911f9b2853cd73b373d231ab92f79. It deletes a mining task with the commonly used name GoogleUpdateTaskMachineQC.
- $env:PUBLIC\Pictures\u.exe, downloaded from hxxps://asobimo[.]link/xz-uninstaller.rdp. The file is Trojan.Hosts.51839, sha1:385a72bede84c9c44b84b2f044ca77e440be0802. It alters the registry keys that control automatic Windows updates.
- $env:PUBLIC\Pictures\m.exe, downloaded from hxxps://asobimo[.]link/xz.rdp. The file is Trojan.Siggen23.24088, sha1:0f05fbb257fc71ba649175b92fcd963ff23a2540. It installs the miner, which downloads its settings from getcert[.]net/m.txt:
--algo=rx/0 --url=xmr-asia1.nanopool.org:10343 --user="44SC1Wk3tmZeVr6LvcaVcsZbnYCT5hUVWe4ptAPE445NWhcYUvkShPuJiYkxi5yofgdTWqPUCCNdcBar18Kecbgs15gRzhk" --pass="" --cpu-max-threads-hint=50 --cinit-winring="terzfardvkrs.sys" --cinit-remote-config="https://getcert.net/m.txt" --cinit-stealth-targets="Taskmgr.exe,ProcessHacker.exe,perfmon.exe,procexp.exe,procexp64.exe" --cinit-version="3.4.0" --tls --cinit-idle-wait=5 --cinit-idle-cpu=80 --cinit-id="smyzfwfwcmmyixji"
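The argument string above is the most compact statement of this sample's infrastructure: pool, wallet, remote-config URL, the driver name it loads and the process names it hides from. The Python below is an added example for this page (not code from the write-up or from the miner) that parses such a string into fields a detection engineer can pivot on. `--algo`, `--url`, `--user`, `--pass`, `--tls` and `--cpu-max-threads-hint` are xmrig's option names; the `--cinit-*` options are not xmrig's own and are parsed the same way. `MINER_CMDLINE` is a constructed copy of the string quoted above; the field names in the returned dictionary are my own.

```python
import shlex
from urllib.parse import urlparse

# Constructed copy of the argument string quoted in the write-up above.
MINER_CMDLINE = (
    '--algo=rx/0 --url=xmr-asia1.nanopool.org:10343 '
    '--user="44SC1Wk3tmZeVr6LvcaVcsZbnYCT5hUVWe4ptAPE445NWhcYUvkShPuJiYkxi5yofgdTWqPUCCNdcBar18Kecbgs15gRzhk" '
    '--pass="" --cpu-max-threads-hint=50 --cinit-winring="terzfardvkrs.sys" '
    '--cinit-remote-config="https://getcert.net/m.txt" '
    '--cinit-stealth-targets="Taskmgr.exe,ProcessHacker.exe,perfmon.exe,procexp.exe,procexp64.exe" '
    '--cinit-version="3.4.0" --tls --cinit-idle-wait=5 --cinit-idle-cpu=80 --cinit-id="smyzfwfwcmmyixji"'
)


def parse_miner_args(cmdline):
    """Split an xmrig-style argument string into {option: value}.

    '--key=value' becomes value (shlex strips the quotes, so --pass="" yields
    an empty string); a bare '--flag' such as --tls becomes True.
    """
    opts = {}
    for tok in shlex.split(cmdline):
        if not tok.startswith("--"):
            continue
        key, sep, val = tok[2:].partition("=")
        opts[key] = val if sep else True
    return opts


def _int_or_none(v):
    return int(v) if isinstance(v, str) and v.isdigit() else None


def extract_iocs(opts):
    """Pull the fields worth pivoting on (pool, wallet, config host, driver, stealth list)."""
    url = opts.get("url", "").split("://", 1)[-1]   # tolerate a stratum+tcp:// style prefix
    host, _, port = url.rpartition(":")
    remote = opts.get("cinit-remote-config", "")
    targets = opts.get("cinit-stealth-targets", "")
    return {
        "pool_host": host or url,
        "pool_port": _int_or_none(port),
        "wallet": opts.get("user", ""),
        "remote_config_url": remote,
        "remote_config_host": urlparse(remote).hostname or "",
        "winring_driver": opts.get("cinit-winring", ""),
        "stealth_targets": [t for t in targets.split(",") if t],
        "tls": opts.get("tls") is True,
        "idle_cpu_pct": _int_or_none(opts.get("cinit-idle-cpu")),
        "idle_wait": _int_or_none(opts.get("cinit-idle-wait")),
        "cpu_threads_hint": _int_or_none(opts.get("cpu-max-threads-hint")),
    }


def hides_from(iocs, process_name):
    """True if the tool is on the miner's stealth list, i.e. the option name indicates
    that inspecting the host with it would not reveal the mining load."""
    return process_name.lower() in {t.lower() for t in iocs["stealth_targets"]}


if __name__ == "__main__":
    iocs = extract_iocs(parse_miner_args(MINER_CMDLINE))
    for key, value in iocs.items():
        print(f"{key:20} {value}")
    print("hidden from Task Manager:", hides_from(iocs, "taskmgr.exe"))
```

Two practical consequences fall out of the parsed fields. Task Manager, Process Explorer and perfmon are all on the stealth list, so a CPU check with those tools on an infected host is not trustworthy; the pool host and port, the remote-config host and the driver file name are better confirmation points because they do not depend on what the miner chooses to show. And since the pool connection uses --tls, a network detection has to key on the destination rather than on stratum protocol content.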
Mitre matrix
Tactic | Techniques
---|---
Execution | Command and Scripting Interpreter (T1059); PowerShell (T1059.001); Native API (T1106); Shared Modules (T1129)
Privilege Escalation | Process Injection (T1055); DLL Side-Loading (T1574.002)
Defense Evasion | Obfuscated Files or Information (T1027); Masquerading (T1036); Process Injection (T1055); Modify Registry (T1112); Impair Defenses (T1562); Disable or Modify Tools (T1562.001); Hide Artifacts (T1564); Hidden Files and Directories (T1564.001); Hidden Window (T1564.003)
Discovery | Application Window Discovery (T1010); Remote System Discovery (T1018); Process Discovery (T1057); System Information Discovery (T1082); File and Directory Discovery (T1083); Software Discovery (T1518)
Command and Control | Application Layer Protocol (T1071); Non-Application Layer Protocol (T1095); Encrypted Channel (T1573)