At FireEye Labs, we recently detected the resurgence of a coin mining
campaign with a novel and unconventional infection vector in the form
of an iFRAME (inline frame) – an HTML document embedded inside another
HTML document on a web page that allows users to get content from
another separate source and display it within the main web page
– embedded in a PE binary (Portable Executable Binary, or .exe).
We observed an anomaly when approximately 60 domains (all [.]top
TLDs registered on April 7, 2016) started serving a coin mining
malware – to mine BitMonero, a form of digital currency – on their
main page under the mime-type of html/text. All of these domains were
registered by the same entity and they were resolving to the same IP.
Only the PE binary file was directly hosted on the index page
without any browser exploit (in general, browser exploits are
delivered via third party software exploits such as JavaScript or
Flash). However, an HTML IFRAME tag that was embedded inside the
malware binary was being used to force the web browser to download its
copy as a file named “Photo.scr”. This filename is perhaps designed to
entice the human victim to click on the file and check the “Photo”
that was downloaded.
In the absence of a browser exploit mechanism, this appears to be a
social engineering attack, where the attacker would trick a user into
downloading and executing the binary hosted on this site. The page
contents were downloaded and analyzed by FireEye team members. The SCR
file had a md5sum: aba2d86ed17f587eb6d57e6c75f64f05. Our system
classified this as a coinminer malware, which uses its victim’s
computing resources to mine bitcoins.
What is a Bitcoin and BitMonero and how is it created?
Bitcoin and BitMonero are digital currencies that leverage a
peer-to-peer (P2P) decentralized model for validating and
transactions. Since no financial institutions are used, no central
authority is necessary to control this currency. Bitcoins are accepted
as currency by many merchants, can be used to pay for various online
services, products and goods, and can be traded for traditional
currency via Bitcoin/currency exchanges. Bitcoins are generated or
“mined” after processing a “block” of data. A Bitcoin or BitMonero
block is a cryptographic challenge that is solved by intensive
computing power.
Domains list serving the content
These 55 domains (tabulated in Table 1) associated with BitMonero
mining operations were registered on the same day and serving the same
content. These domains belonged to the [.]top TLD.
mlwhv[.]top
uogwq[.]top
ggkuu[.]top
yccwf[.]top
psilh[.]top
eadlr[.]top
ngdhi[.]top
yhens[.]top
eyxvm[.]top
jdjkc[.]top
uprhr[.]top
zylhq[.]top
voxzn[.]top
yuaek[.]top
ncasy[.]top
wikxu[.]top
mfxaw[.]top
lwwlg[.]top
fkfrl[.]top
lbnvy[.]top
ejqpw[.]top
xvrqo[.]top
ofmio[.]top
pealp[.]top
spvok[.]top
xrjsa[.]top
buacs[.]top
apbqd[.]top
zknhb[.]top
mdbfj[.]top
vkrov[.]top
wafpp[.]top
trwrx[.]top
bnxom[.]top
mdqlo[.]top
qilwl[.]top
yuhoa[.]top
fbldk[.]top
quiwq[.]top
wvrwv[.]top
osjjo[.]top
wisit[.]top
ejaiy[.]top
ewnoh[.]top
hitaz[.]top
bveat[.]top
vjrye[.]top
vjeyu[.]top
szbia[.]top
wniyz[.]top
dduni[.]top
iffis[.]top
wejyr[.]top
ppymk[.]top
ndyqr[.]top
Table 1: List of 55 registered domains for
Bitcoin mining
IP and Whois Information
IP and whois registration information for all these domains contains
the same registrant and these domains resolved to the same IP address
as of April 20, 2016. The addresses were determined to belong to a
single service provider located in North Kansas City, USA. The
registrant whois information shown in the following table specifies an
address in NanJing, China. This information is consistent for the
domains registered for this campaign:
domain
date created
registrant email
Registrant address
registrar name
IP address
ggkuu[.]top
4/7/2016
yaomaiyumingzhaowo@126.com
QingShuiTingDongLu163HaoHengDaLvZhouHuaYuan,
NanJing
Jiangsu
bangning science technology Co
198.204.254[.]82
Web Content Analysis
These domains were pointing to the IP: 198.204.254[.]82. The server
was configured to respond with the same content to any GET request for
these domains. An analysis of one of the domains is presented in this
post as a case study.
For this case study we chose a representative domain, “ggkuu[.]top”,
from the list. Browsing to the site http://www.ggkuu[.]top with a user
web browser results in the malware being loaded as an html/text
MIME-type object.
Figure 1 shows a screenshot of the web browser after visiting the
site. Because the Mime-type is set to html/text, the binary appears as
html/text in the browser. Note the MZ header at the beginning
of the page. MZ headers are associated with executable binaries. This
appears to be a benign looking file to the end-user; however, it is
treated by the end-user system as an executable.
Figure 1. www.Ggkuu[.]top content view in browser
The following is a session generated using the WGET utility, a
command line tool that can be used to generate web requests, which
verifies that the site serves the malware as mime-type of text/html.
Malware Delivery/Exploit method
The malware is delivered by way of a standard 1x1 iFRAME that will
attempt to load the binary file, “Photo.SCR” upon visiting the
website. The following is the iframe:
The binary object was obtained and is identical to “Photo.scr” based
on the file MD5 hashsum, also shown in Figure 2.
Figure 2. www.Ggkuu[.]top the iframe embedded in
the content triggering Photo.scr download in the web browser
A Historical Footprint
We observed that the original binary file (Photo.scr) is primarily a
container (with some additional features discussed later) for known
malware binary
NSCpuCNMiner32.exe with the MD5 hash
3afeb8e9af02a33ff71bf2f6751cae3a, a binary we first saw in the
wild in July 2014. The binary is packed with PolyEnE 0.01+.
Traditionally, the malware
has been propagated using social engineering through Skype,
email, removable media and by using phishing campaigns; where it
has masqueraded as a legitimate application. During this campaign we
have observed that NSCpuCNMiner32.exe is deployed after a victim
visits one of the 55 malicious websites described previously, as a
result of loading “photo.scr”.
Execution & Dynamic Analysis
The binary file “photo.scr” requires no special arguments, executing
on Windows and WINE-enabled systems through traditional user
interaction such as double-clicking.
Configurational Settings
As soon as the executable is launched, the following changes to the
host operating system are performed.
The following mutex is created:
BaseNamedObjectsgcc-shmem-tdm2-use_fc_key
BaseNamedObjectsgcc-shmem-tdm2-sjlj_once
BaseNamedObjectsgcc-shmem-tdm2-once_global_shmem
BaseNamedObjectsgcc-shmem-tdm2-once_obj_shmem
BaseNamedObjectsgcc-shmem-tdm2-mutex_global_shmem
BaseNamedObjectsgcc-shmem-tdm2-_pthread_tls_once_shmem
BaseNamedObjectsgcc-shmem-tdm2-_pthread_tls_shmem
BaseNamedObjectsgcc-shmem-tdm2-mtx_pthr_locked_shmem
BaseNamedObjectsgcc-shmem-tdm2-mutex_global_static_shmem
BaseNamedObjectsgcc-shmem-tdm2-mxattr_recursive_shmem
BaseNamedObjectsgcc-shmem-tdm2-pthr_root_shmem
BaseNamedObjectsgcc-shmem-tdm2-idListCnt_shmem
BaseNamedObjectsgcc-shmem-tdm2-idListMax_shmem
BaseNamedObjectsgcc-shmem-tdm2-idList_shmem
BaseNamedObjectsgcc-shmem-tdm2-idListNextId_shmem
BaseNamedObjectsgcc-shmem-tdm2-fc_key
BaseNamedObjectsgcc-shmem-tdm2-_pthread_key_lock_shmem
BaseNamedObjectsgcc-shmem-tdm2-_pthread_cancelling_shmem
BaseNamedObjectsgcc-shmem-tdm2-cond_locked_shmem_rwlock
BaseNamedObjectsgcc-shmem-tdm2-rwl_global_shmem
The following registry key is modified:
Within the registry path for Internet Settings, the following web
proxy settings are modified or deleted:
The malware reconfigures caching of web content:
The malware then disables the security settings of Internet Explorer
by modifying the following registry keys:
Next, the malware modifies global file extension settings for the
infected system to prevent showing the user file extensions via the
Windows Explorer.
Then it attempts to access potentially sensitive information from
local browsers:
It also adds itself to the autorun registry keypath for persistence.
Upon installation, the following DNS request is made:
Encoded instructions for mining
The malware makes a GET request to http://hrtests[.]ru/test.html?0;
this is the same domain against which a DNS request was first
performed. In response to the GET request, the malware expects the
following encoded data, as shown in Figure 3. The binary also contains
a list of domains (given in the appendix, registered in 2016), from
where it fetches the mining pool information.
Figure 3: Encoded response
We analyzed the encoded data and found that it is employing a simple
decoding algorithm (ROT47 on custom characterset). Pseudocode is shown here:
A decoded response is depicted in Figure 4.
Figure 4: The decoded response containing coin
mining hashes
The decoded text contains the mining parameters and credentials for mining.
Dropped Binary
The mining malware – NsCpuCNMiner32.exe – is typically run from
within a user temp directory. When executed in a standalone Windows
virtual machine (VM), it detects the virtual environment and exits
with a dialog box that “the application can’t run under virtual
machine”. However, when we execute it through FireEye multi-vector
virtual execution engine (MVX), it successfully executes and allowed
us to analyze the malware behavior.
C:Documents and
SettingsadminLocal SettingsTempNsCpuCNMiner32.exe
MD5: 3afeb8e9af02a33ff71bf2f6751cae3a
SHA1: fd358cfe41c7aa3aa9e4cf62f832d8ae6baa8107
It is a general-purpose miner that has been used for mining
cryptocurrencies in the past and is invoked by several families of
malware using several parameters. These settings define which mining
pool it will use.
NsCpuCNMiner32.exe is invoked by Photo.scr using the ShellExecuteA
method with the following parameters:
API Name: ShellExecuteA
Address: 0x00402404
Params: [0x0, open, cmd, /c start
/b %TEMP%NsCpuCNMiner32.exe -dbg -1 -o s
tratum+tcp://mine.moneropool.com:3333 -t 1 -u 4
4puJ9e27jyKc1et48J7SZLQ4pDcos96c6u84vcwHgCCce1T
YqXxzpyR3gY793D9mKGEY7WjtC6TKA7eDbtvfrgGHoDNBGx
-p
x, NULL, 0]
Note that these parameters are the same as those which are decoded
from the response from hrtests[.]ru (above). Photo.scr obtains the
settings regarding mining pool from hrtests[.]ru and passes them as
input to the miner, which uses this information to start mining activity.
The miner also checks for a Process Debug Port to detect
execution within a virtual machine or for the presence of a debugger.
It was successfully evading VMware and Qemu based virtualized
sandboxes, and terminated after execution in those virtualization
environments. If it executes successfully, it initiates mining
activity by contacting the mining pool defined in the parameters
passed from photo.scr.
Protocol Type: udp Qtype:
Host Address Hostname: mine.moneropool.com
Imagepath: c:Documents and SettingsadminLocal
SettingsTempNsCpuCNMiner32.exe
Coin Mining traffic
The following network traffic is generated by the miner executable
while mining activity is being performed, as shown in Figure 5.
Figure 5: Coin mining traffic
Mining pools contacted
The mining process contacts the mining pools, i.e.
mine.moneropool.com:3333, monero.crypto-pool.fr:3333,
pool.minexmr.com:5555, xmr.prohash.net:7777.
Propagation
The malware propagates from a victim system by copying photo.scr to
the root of all lettered drives connected to the victim machine. This
way, the malware propagates through both removable and network drives
mounted to a victim system. The malware invokes a native command-line
copying utility, “xcopy”, to propagate itself:
for %%i in (A B C D E F G H J K L
M N O P R S T Q U Y I X V X W Z) do xcopy /y "%s"
%%i:
FTP Traffic Analysis
Once the malware has been successfully copied to all the drives
connected to the system, it calls out to various public FTP servers
including servers belonging to Government, Industry, Education and SME
organizations. The binary was observed attempting to connect to almost
54,000 IPs via FTP; however, only 203 IPs were running active FTP
services. The malware attempted to authenticate using six different
usernames and 17 different passwords. The username and password
combinations attempted suggest that the attacker is attempting to
leverage weak or default credentials for authentication.
A geolocation map of the 203 active IPs is shown in Figure 6. (The
list of IPs is removed for privacy, please note that geolocation
metadata may not be reliable in all cases).
Figure 6: Geolocation of active FTP servers to
which the binary attempts to connect
The binary attempted the following username and password combinations:
Usernames: anonymous, www-data, administrator, ftp, user, user123
Passwords: password, pass1234, 123456, 1234567, 12345678,
123456789, 1234567890, qwerty, 000000, 111111, 123123, abc123,
admin123, derok010101, windows, 123qwe, 000000
The malware successfully authenticated to three of the 203 FTP
servers. In all three cases, the malware attempted to upload the file
“Photo.scr” from the local machine to the remote server. In two cases
the file upload wasn't allowed, leading to a “Permission denied”
error. The file transfer was successful in one case, as seen in Figure
7. The malware was observed attempting to FTP a copy of itself to a HP
printer with an Internet-routable IP address, but used the STOR
command instead of the commonly used PUT command.
Figure 7: Successful FTP transfer for Photo.scr
Pervasiveness of Photo.scr
We attempted to locate files named “Photo.scr” available on the
Internet using open sources. We identified both HTTP and FTP servers
residing in eight countries, indicating that the malware has been
present in many countries worldwide. A geolocation map of these
domains is shown in Figure 8.
Figure 8: Geolocation map of the public Web and
FTP servers containing the Photo.scr sample
URL Fuzzing on Domain List
Since there are no links on the site main page, we resolved to fuzz
commonly used names of HTML pages and directories in an attempt to
generate responses from the malicious web server. We found several
malicious active pages such as Photos.html and Photo.html serving the
same malicious content. As an example, browsing to the Photos.html
page results in the malware being loaded into the browser as text/html
and triggering the download via the iFRAME. However, there were other
pages on this site that were serving different, rather benign looking
content. Details of other pages found via fuzzing are mentioned in
Appendix B.
Conclusion
Cryptocurrencies have been gaining popularity in recent years,
particularly since Bitcoin emerged in 2009 as the first decentralized
cryptocurrency. The decentralized nature of the internet and the
widespread availability of vulnerable hosts has motivated
cybercriminals to covertly target connected machines and abuse them to
harvest cryptocurrencies.
Recently we observed a coin-mining campaign invovling around 60
unique domains being launched in April 2016, all pointing to a single
IP host. Using social engineering techniques, users were tricked to
browse to these domains, where they were presented with an HTML page
containing an iframe that forced the browser to download a file named
Photo.scr. This file was carefully named to entice curious users to
click on it, thus executing the malware binary, infecting the user’s
computer and enslaving its resources to mine BitMonero coins.
For persistence, the malware implemented a common Registry autorun
mechanism, attempted to infect removable and network drives, and
attempted to propagate to globally distributed FTP servers using weak
or default credentials. This hack-for-profit campaign is another
example of how the underground economy flourishes with the innovation
and ingenuity of cybercriminals. Analyzing this campaign provided
insights into the threat this campaign poses to online users globally.
FireEye’s multi-flow detection mechanism identifies this malware at
every level, from the point of entry to the callback. Additionally,
the malware was unable to detect or bypass the FireEye sandbox.
Credits and Acknowledgements
We would like to thank and acknowledge Dan Caselden, Devon Kerr,
Imad Khurram and Ali Hussain for their contribution.
Appendix A
Domain/URLs in the malware executable
An in-depth analysis into the binary revealed the following domains
(available as plain text strings) hosting the pool information for the miner.
Stafftest.ru (First seen in 2014,
resolving to IP: 88.214.200.145 back then )
Hrtests.ru
(First seen in 2013, resolving to IP: 88.214.200.145 )
Profetest.ru (First seen in 2016, resolving to IP:
5.196.241.192 )
Testpsy.ru (First seen in 2015,
resolving to IP: 178.32.238.223 )
Pstests.ru (First
seen in 2016, resolving to IP: 151.80.9.92 )
Qptest.ru
(First seen in 2015, resolving to IP: 88.214.200.145 )
Prtests.ru (First seen in 2016, resolving to IP:
178.33.188.146 )
Jobtests.ru (First seen in 2016,
resolving to IP: 178.33.188.146 )
Iqtesti.ru (First
seen in 2016, resolving to IP: No DNS answer)
Figure 9: Map showing the location of the
servers where these domains are hosted
Appendix B
Figure 10 shows browsing to Photo.html.
Figure 10: Browsing view of page Photo.html
Translating the title to Chinese results in this: “Magic Dragon
spider pool ---- purchase please contact: dragon magic spider pool”.
While the content on the page results in this: “Long sentences dynamic
magic _”
All the links on the page point to:
http://www.ggkuu[.]top/%3C%E9%BE%99%E9%AD%94_%E5%8A%A8%E6%80%81%E5%8F%A5%E5%AD%90%3E.
Clicking on any of these links, results in redirection to a page
serving the malware.
Looking for other HTML pages on this domain, we resorted to crawling
and fuzzing and found more than 1,200 HTML pages. A few of them are
illustrated in the following table. The majority of these pages seem
to be serving the same malware binary as the main page.
/awk.html
/l.html
/printer.html
/pdfs.html
/names.html
/author.html
/ls.html
/tf.html
/mirrors.html
/private.html
/viewonline.html
/firewall.html
/bv.html
/backups.html
/premier.html
/ppts.html
/cf.html
/compose.html
/kernel.html
/cgi.html
/disclaimer.html
/blogs.html
The Sitemap page of this domain was particularly interesting, as it
seems to be pointing to various news articles on ybnews[.]cn and
96hq[.]com. Each time we browse to this page, new content is
generated. Figure 10 and Figure 11 show manifesting links to
ybnews[.]cn and 96hq[.]com.
Figure 11: Sitemap containing URLs of ybnews[.]cn
Figure 12: Sitemap containing URLs from 96hq[.]com
Fuzzing and crawling for directories, we found more than 1,200
directory folders, which mostly point to pages that are serving
malware. A few of these folders are illustrated as follows:
‘/desktop/’, ‘/category/’, ‘/nz/’,’/8/’, ‘/fr/’, ‘/d/’, ‘/cz/’,
‘/fk/’, ‘/dk/’, ‘/cu/’, ‘/gr/’, ‘/cc/’, ‘/o/’, ‘/be/’, ‘/ar/’, ‘/bj/’.