Electronic money (e-money) is being used more and more often by people to make online purchases. And sure as night follows day, this means electronic money is also gaining the attention of malware authors who are trying to benefit from it by any means possible. We encountered a malicious sample, whose role is not to steal but to generate (to ‘mine’) digital currency using a Bitcoin ‘mining pool’ (a distributed computational network to generate ‘Bitcoins’). The attack is executed by installing a trojan horse program on a network of victim computers and then use their processing power to generate Bitcoin blocks.
So what is Bitcoin and how does it work? Well, unlike traditional currency, which is generated through a central authority like an issuing bank, Bitcoins are dynamically generated as and when required through a decentralized peer-to-peer network of nodes – or ‘miners’. Each ‘miner’ is a set of computer resources (sometimes just a regular computer like the one on your desktop) that has been devoted to dealing with Bitcoin transactions. Once there have been enough of these transactions, they are grouped into a ‘block’ – and this additional block of transactions is then added to the master ‘block chain’ that is maintained across the greater Bitcoin network. The key thing to note here is that the process of producing a ‘block’ is very hardware intensive and requires a great deal of computing power. So, in return for volunteering their hardware, miners that manage to generate a block are rewarded with a bounty of Bitcoins and given any transaction fees from that block. This system of granting rewards to miners is actually also the mechanism by which the Bitcoin money supply is increased.
As mentioned, the computational demands of producing a block are very high so the more processing power an entity can use, the more transactions they can handle and the more Bitcoins they are liable to receive. And what better source of computational power to a hacker than his own network of zombie PCs relentlessly crunching out Bitcoin transactions?
The trojan that installs the mining components is 80KB in size and, upon execution, it decrypts in memory a PE file located in the .code section, at 0x9400, size 0xAA00. Decryption is a simple byte XOR, with 20 successive byte keys located in .idata section. The installation steps are taken by the new decrypted in-memory process which downloads the necessary components and also contains the mining parameters (like user and password credentials for the mining pool, all encrypted in resources).
The encrypted file is packed with UPX. Important resources present in file:
It contains running parameters and credentials for mining pool (“-t 2 -o http://user:firstname.lastname@example.org:port“. The -t parameter stands for the number of threads used for calculations. The -o parameter specifies the server to connect to.
OTR2 – [7C 6E 6C 63 60 76 25 66 7F 68] – name of the dropped mining file (socket.exe)
OTR8 – [7C 6E 6C 63 60 76 78 2D 62 75 60] – name under which the file self-copies (sockets.exe)
OTR9 – [6F 41 6F 58 45 42 6B 43 47 6D 75 52 46 65 76 51 43] – decrypting key for encrypted resource strings (this will be used to decode the string parameters stored as resources)
The file copies itself to My Documents\Windows\sockets.exe and executes the copy.
After execution, it downloads the following files:
– 220.127.116.11/u/main.txt – A mining binary saved as “socket.exe”, which seems to be a modification of a known open-source mining application.
– 18.104.22.168/u/m.txt – A plain text file containing hex values of a binary PE will be transformed into “miner.dll”, a dependency of the previous.
– 22.214.171.124/u/usft_ext.txt – A binary file, dependency saved as “usft_ext.dll”.
– 126.96.36.199/u/phatk.txt – Saved as “phatk.ptx” – assembler instructions for GPUs, which can be used for advanced calculations.
– 188.8.131.52/u/phatk.cl – Saved as “phatk.cl” – source file designed for GPU calculations.
When all downloads are complete and dependencies are in place, the mining binary is launched with decoded parameters and starts making calculations to generate virtual coins. As predicted, the CPU usage rises, keeping the computer in high load.
The malicious binary repeatedly communicates with the pool server upon finishing computational cycles and sends the results of its calculations – the “virtual coins”.
Dropper trojan: Filename: sockets.exe SHA1: 52647f52912e81e0351b68e30a3b13fe4501bdda MD5: ba9c16fa419d24c3eadb74e016ad544f CIS detection name: TrojWare.Win32.Trojan.CoinMiner.k Mining binary: Filename: socket.exe SHA1: 1da22ddd904dfa0664a50aa6971ad1ff451651ce MD5: e82cd32fefb2f009c84c14cec1f13624 CIS detection name: Application.Win32.CoinMiner.b