Learn about Zero Trust Architecture
Impenetrable cybersecurity without sacrificing usability
Gain detailed visibility into all your endpoints activities
Harden applications and hardware environments
Immediate and continuous response to incidents
Close the window of time your data could be exposed
Get your Comodo solutions setup, deployed or optimized
Control access to malicious websites
Defend from any internet based threats
Stop email threats before it enters your inbox
Preserve and protect your sensitive data
Keep your website running fast and malware free
Add encryption to your websites
Automated certificate mgmt. platform
Secure private intranet environments
Digital signature solutions for cloud apps
Encrypt emails for senders and recipients
Stay compliant with PCI DSS
Trusted authentication for IoT devices
Francisco Partners a leading technology-focused private equity fund, has acquired a majority stake in Comodo’s certificate authority business. Newly renamed from Comodo CA Limited to Sectigo Limited. Privacy Policies, Trademarks, Patents and Terms & Conditions are available on Sectigo Limited’s web site.
Meet the people behind the direction for Comodo
Get the latest news about Comodo
People are the key to achievement and prosperity
Stay up to date with our on-demand webinars
Worldwide: Sales, Support and General Inquiries
Schedule a live demonstration of our solutions
Need immediate help? Call 1-888-551-1531
Instantly removes viruses to keep your PC virus free
Experience true mobile security on your mobile apple devices
Secure Internet Browser based on Chrome
Chrome browser internet security extension
Submit a ticket to our support team
Share any product bugs or security flaws
Collaborate with research experts on data sets
Valkyrie Threat Intelligence Plugins
Valkyrie Threat Intelligence APIs
Electronic money (e-money) is being used more and more often by people to make online purchases. And sure as night follows day, this means electronic money is also gaining the attention of malware authors who are trying to benefit from it by any means possible. We encountered a malicious sample, whose role is not to steal but to generate (to ‘mine’) digital currency using a Bitcoin ‘mining pool’ (a distributed computational network to generate ‘Bitcoins’). The attack is executed by installing a trojan horse program on a network of victim computers and then use their processing power to generate Bitcoin blocks.
So what is Bitcoin and how does it work? Well, unlike traditional currency, which is generated through a central authority like an issuing bank, Bitcoins are dynamically generated as and when required through a decentralized peer-to-peer network of nodes – or ‘miners’. Each ‘miner’ is a set of computer resources (sometimes just a regular computer like the one on your desktop) that has been devoted to dealing with Bitcoin transactions. Once there have been enough of these transactions, they are grouped into a ‘block’ – and this additional block of transactions is then added to the master ‘block chain’ that is maintained across the greater Bitcoin network. The key thing to note here is that the process of producing a ‘block’ is very hardware intensive and requires a great deal of computing power. So, in return for volunteering their hardware, miners that manage to generate a block are rewarded with a bounty of Bitcoins and given any transaction fees from that block. This system of granting rewards to miners is actually also the mechanism by which the Bitcoin money supply is increased.
As mentioned, the computational demands of producing a block are very high so the more processing power an entity can use, the more transactions they can handle and the more Bitcoins they are liable to receive. And what better source of computational power to a hacker than his own network of zombie PCs relentlessly crunching out Bitcoin transactions?
The trojan that installs the mining components is 80KB in size and, upon execution, it decrypts in memory a PE file located in the .code section, at 0x9400, size 0xAA00. Decryption is a simple byte XOR, with 20 successive byte keys located in .idata section. The installation steps are taken by the new decrypted in-memory process which downloads the necessary components and also contains the mining parameters (like user and password credentials for the mining pool, all encrypted in resources).
The encrypted file is packed with UPX. Important resources present in file:
It contains running parameters and credentials for mining pool (“-t 2 -o http://user:email@example.com:port“. The -t parameter stands for the number of threads used for calculations. The -o parameter specifies the server to connect to.
OTR2 – [7C 6E 6C 63 60 76 25 66 7F 68] – name of the dropped mining file (socket.exe)
OTR8 – [7C 6E 6C 63 60 76 78 2D 62 75 60] – name under which the file self-copies (sockets.exe)
OTR9 – [6F 41 6F 58 45 42 6B 43 47 6D 75 52 46 65 76 51 43] – decrypting key for encrypted resource strings (this will be used to decode the string parameters stored as resources)
The file copies itself to My Documents\Windows\sockets.exe and executes the copy.
After execution, it downloads the following files:
– 188.8.131.52/u/main.txt – A mining binary saved as “socket.exe”, which seems to be a modification of a known open-source mining application.
– 184.108.40.206/u/m.txt – A plain text file containing hex values of a binary PE will be transformed into “miner.dll”, a dependency of the previous.
– 220.127.116.11/u/usft_ext.txt – A binary file, dependency saved as “usft_ext.dll”.
– 18.104.22.168/u/phatk.txt – Saved as “phatk.ptx” – assembler instructions for GPUs, which can be used for advanced calculations.
– 22.214.171.124/u/phatk.cl – Saved as “phatk.cl” – source file designed for GPU calculations.
When all downloads are complete and dependencies are in place, the mining binary is launched with decoded parameters and starts making calculations to generate virtual coins. As predicted, the CPU usage rises, keeping the computer in high load.
The malicious binary repeatedly communicates with the pool server upon finishing computational cycles and sends the results of its calculations – the “virtual coins”.
CIS detection name: TrojWare.Win32.Trojan.CoinMiner.k
CIS detection name: Application.Win32.CoinMiner.b
Sign up to our cyber security newsletter
Comodo Cybersecurity would like to keep in touch with you about cybersecurity issues, as well as products and services available. Please sign up to receive occasional communications. As a cybersecurity company, we take your privacy and security very seriously and have strong safeguards in place to protect your information.
See how your organization scores against cybersecurity threats