Cryptomining has become today's gold rush, and cybercriminals have caught the fever too. They invent ever more cunning tricks to infect users' machines and make them mine cryptocurrency for the attackers' profit. The attack recently detected by Comodo specialists is a striking illustration of this trend. To infect users all over the world, the attackers used a legitimate application installer, a replicated server and… well, let's not jump ahead but walk through the whole attack chain from beginning to end.
Here is the PDFescape software. Many people use it to edit, annotate or fill in forms in PDF files. It's highly likely you have also used this or similar software.
Of course, it's legitimate and secure… at least it was until recently, when a cybercriminal hit on the idea of using it to spread malware.
What is especially interesting is that the attackers didn't simply try to mimic PDFescape. They went further and created an evil clone of it.
Just think of the attack's scope: the perpetrators recreated the software partner's infrastructure on a server under their control. Then they copied all the MSI files (Windows installer packages) and placed them on that server. The cloned software was an exact replica of the original… except for one small detail: the attackers decompiled and modified one of the MSI files, an Asian font pack, and added a malicious payload containing coinmining code.
This sleight of hand turns the original PDFescape installer into a malicious one.
The modified installer redirects users to the malicious website and downloads the payload with the hidden file.
As you can see, the hacked installer does not carry the original digital signature:
But how exactly does this malware do harm? Let's see.
Dynamic Analysis
When a victim downloads this pdfescape-desktop-Asian-and-extended-font-pack, the malicious binary xbox-service.exe is dropped into the Windows System32 folder and executes the malicious DLL via rundll32. The DLL, disguised as setup.log, hides in the Windows folder.
Here is the process flow.
The pdfescape-desktop-Asian-and-extended-font-pack.msi is installed by the command line "C:\Windows\System32\msiexec.exe" /i
Then the installer drops xbox-service.exe in the system32 folder.
The dropped xbox-service.exe starts running as a service:
Then it runs the malicious DLL under rundll32, under the name setup.log, using the command line:
rundll32 C:\Windows\System32\setup.log.dll
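The process chain above (a service binary dropped into System32 that then launches rundll32 on a DLL named setup.log.dll) is the kind of pattern a defender can hunt for in process-creation telemetry. The following is an added Python example, not code from the original post or from Comodo; the event records and their field names are constructed for illustration, and the masquerade heuristic (a rundll32 module with a double extension or a non-.dll name) is an assumption of this example rather than something the post states.

```python
import re
from pathlib import PureWindowsPath

# Constructed process-creation events (not taken from the original post);
# the field layout mimics a Sysmon/EDR export: parent image, image, command line.
SAMPLE_EVENTS = [
    {"parent": r"C:\Windows\System32\services.exe",
     "image": r"C:\Windows\System32\xbox-service.exe",
     "cmdline": r"C:\Windows\System32\xbox-service.exe"},
    {"parent": r"C:\Windows\System32\xbox-service.exe",
     "image": r"C:\Windows\System32\rundll32.exe",
     "cmdline": r"rundll32 C:\Windows\System32\setup.log.dll"},
    {"parent": r"C:\Windows\explorer.exe",
     "image": r"C:\Windows\System32\rundll32.exe",
     "cmdline": r'"C:\Windows\System32\rundll32.exe" shell32.dll,Control_RunDLL'},
    {"parent": r"C:\Windows\explorer.exe",
     "image": r"C:\Windows\System32\rundll32.exe",
     "cmdline": r"rundll32.exe C:\Users\u\AppData\Local\Temp\update.log"},
]

# rundll32 is invoked as: rundll32[.exe] <module>[,<entrypoint>] [args]
_RUNDLL_RE = re.compile(r'^"?(?:.*\\)?rundll32(?:\.exe)?"?\s+"?([^",\s]+)', re.I)

def rundll32_module(cmdline):
    """Return the module path rundll32 was asked to load, or None."""
    m = _RUNDLL_RE.match(cmdline.strip())
    return m.group(1) if m else None

def module_looks_masqueraded(module):
    """Heuristic (assumption of this example): a DLL hiding behind another
    extension. 'setup.log.dll' carries a second extension before .dll and
    'update.log' is not a .dll at all; plain 'shell32.dll' is not flagged."""
    name = PureWindowsPath(module).name.lower()
    if not name.endswith(".dll"):
        return True
    return len(PureWindowsPath(name).suffixes) > 1

def find_suspicious_rundll32(events):
    """Return (parent image, module) pairs for rundll32 launches to triage."""
    hits = []
    for ev in events:
        if PureWindowsPath(ev["image"]).name.lower() != "rundll32.exe":
            continue
        module = rundll32_module(ev["cmdline"])
        if module and module_looks_masqueraded(module):
            hits.append((ev["parent"], module))
    return hits
```

Running find_suspicious_rundll32(SAMPLE_EVENTS) flags the setup.log.dll launch from xbox-service.exe and the non-DLL module under Temp, while the legitimate shell32.dll invocation passes.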
Static Analysis
The modified MSI has an embedded malicious DLL file. This DLL, in turn, contains two executable files in its Resources.
Thus, the DLL file runs the malicious process xbox-service.exe.
Another interesting aspect of the DLL payload is that during the installation stage it tries to modify the Windows HOSTS file to prevent the infected machine from communicating with the update servers of various PDF-related apps and security software. In this way the malware tries to avoid remote cleaning and remediation of affected machines.
The HOSTS file modified with malicious DLL
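The HOSTS tampering described above can be checked for on an endpoint by parsing the file and looking for vendor update hostnames pinned to sinkhole or foreign addresses. This is an added Python example, not code from the original post or from Comodo; the HOSTS content, the .test domain names and the PROTECTED_SUFFIXES list are constructed placeholders, and a real deployment would load the protected list from policy.

```python
import ipaddress

# Constructed HOSTS content (not the sample from the original post); the
# .test domains are placeholders standing in for vendor update servers.
SAMPLE_HOSTS = """\
# Copyright (c) 1993-2009 Microsoft Corp.
127.0.0.1       localhost
::1             localhost
# the entries below are the kind a blocking payload would append
127.0.0.1   updates.example-pdf-vendor.test
0.0.0.0     download.example-av-vendor.test www.example-av-vendor.test
198.51.100.7 api.example-pdf-vendor.test   # redirected, not sinkholed
10.0.0.5    intranet.corp.test
"""

# Hostname suffixes that a managed endpoint should never pin in HOSTS
# (assumed list for this example; load it from policy in practice).
PROTECTED_SUFFIXES = ("example-pdf-vendor.test", "example-av-vendor.test")

def parse_hosts(text):
    """Yield (ip, hostname) for each mapping, skipping comments and blanks."""
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        ip, *names = line.split()
        for name in names:
            yield ip, name.lower()

def is_sinkhole(ip):
    """True for addresses that swallow traffic: loopback or 0.0.0.0/::."""
    try:
        addr = ipaddress.ip_address(ip)
    except ValueError:
        return False               # malformed address; report as redirect
    return addr.is_loopback or addr.is_unspecified

def find_pinned_protected_hosts(text, protected=PROTECTED_SUFFIXES):
    """Return (hostname, ip, verdict) for protected names pinned in HOSTS.

    'blocked' means the name resolves to a sinkhole address, which is how
    the DLL described above cuts off update and remediation traffic;
    'redirected' means it was pointed at some other address.
    """
    findings = []
    for ip, name in parse_hosts(text):
        if name.endswith(protected):
            verdict = "blocked" if is_sinkhole(ip) else "redirected"
            findings.append((name, ip, verdict))
    return findings
```

On a Windows host the text would be read from %SystemRoot%\System32\drivers\etc\hosts; any 'blocked' finding for an update or security-vendor domain is a strong signal of the remediation-evasion behaviour the post describes.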
And finally, inside the DLL we found the main evil: a malicious browser script. The script has an embedded link to http://carma666.byethost12.com/32.html
Let’s follow the link and see where it goes:
As is now clear, it downloads the JavaScript of a coinminer named CoinHive, which malicious hackers covertly use to infect hosts around the world. You can find more details about it in the Comodo Q1 2018 and Q2 2018 Global Threat Reports.
So all that fuss was just to infect users with a cryptominer?! Yes, that's right. And it should remind us not to take this kind of malware lightly.
“As we mentioned in the Comodo Q1 2018 and Q2 2018 Global Threat Reports, cryptominers remain one of the most dangerous threats in the cybersecurity space,” comments Fatih Orhan, the Head of Comodo Threat Research Labs. “Some people consider cryptominers a not-so-serious threat because they do not steal information or encrypt users’ files, but this mistake can be very costly for them in reality. Cryptominers are turning into sophisticated malware that can crash users’ systems or capture all the IT resources of an infected enterprise and make them work only for mining cryptocurrency for cybercriminals. Thus, financial losses from a cryptominer attack can be as devastating as those from other malware types. Cryptominers will continue to become more and more devious, with their dangerous abilities growing. And the story of the modified installer detected by our analysts is clear evidence of it.”
According to Comodo's statistics, this malicious file hit 12,810 users in 100 countries around the world. Below are the top ten affected countries.
Overall, from April to August 2018, Comodo specialists detected 146,309 JavaScript-based coinminers with unique SHAs.