At FireEye Labs, we recently detected the resurgence of a coin mining campaign with a novel and unconventional infection vector in the form of an iFRAME (inline frame) – an HTML document embedded inside another HTML document on a web page that allows users to get content from another separate source and display it within the main web page – embedded in a PE binary (Portable Executable Binary, or .exe).
We observed an anomaly when approximately 60 domains (all [.]top TLDs registered on April 7, 2016) started serving a coin mining malware – to mine BitMonero, a form of digital currency – on their main page under the mime-type of html/text. All of these domains were registered by the same entity and they were resolving to the same IP.
In the absence of a browser exploit mechanism, this appears to be a social engineering attack, where the attacker would trick a user into downloading and executing the binary hosted on this site. The page contents were downloaded and analyzed by FireEye team members. The SCR file had a md5sum: aba2d86ed17f587eb6d57e6c75f64f05. Our system classified this as a coinminer malware, which uses its victim’s computing resources to mine bitcoins.
What is a Bitcoin and BitMonero and how is it created?
Bitcoin and BitMonero are digital currencies that leverage a peer-to-peer (P2P) decentralized model for validating and transactions. Since no financial institutions are used, no central authority is necessary to control this currency. Bitcoins are accepted as currency by many merchants, can be used to pay for various online services, products and goods, and can be traded for traditional currency via Bitcoin/currency exchanges. Bitcoins are generated or “mined” after processing a “block” of data. A Bitcoin or BitMonero block is a cryptographic challenge that is solved by intensive computing power.
Domains list serving the content
These 55 domains (tabulated in Table 1) associated with BitMonero mining operations were registered on the same day and serving the same content. These domains belonged to the [.]top TLD.
Table 1: List of 55 registered domains for Bitcoin mining
IP and Whois Information
IP and whois registration information for all these domains contains the same registrant and these domains resolved to the same IP address as of April 20, 2016. The addresses were determined to belong to a single service provider located in North Kansas City, USA. The registrant whois information shown in the following table specifies an address in NanJing, China. This information is consistent for the domains registered for this campaign:
Jiangsu bangning science technology Co
Web Content Analysis
These domains were pointing to the IP: 198.204.254[.]82. The server was configured to respond with the same content to any GET request for these domains. An analysis of one of the domains is presented in this post as a case study.
For this case study we chose a representative domain, “ggkuu[.]top”, from the list. Browsing to the site http://www.ggkuu[.]top with a user web browser results in the malware being loaded as an html/text MIME-type object.
Figure 1 shows a screenshot of the web browser after visiting the site. Because the Mime-type is set to html/text, the binary appears as html/text in the browser. Note the MZ header at the beginning of the page. MZ headers are associated with executable binaries. This appears to be a benign looking file to the end-user; however, it is treated by the end-user system as an executable.
Figure 1. www.Ggkuu[.]top content view in browser
The following is a session generated using the WGET utility, a command line tool that can be used to generate web requests, which verifies that the site serves the malware as mime-type of text/html.
Malware Delivery/Exploit method
The malware is delivered by way of a standard 1x1 iFRAME that will attempt to load the binary file, “Photo.SCR” upon visiting the website. The following is the iframe:
The binary object was obtained and is identical to “Photo.scr” based on the file MD5 hashsum, also shown in Figure 2.
Figure 2. www.Ggkuu[.]top the iframe embedded in the content triggering Photo.scr download in the web browser
A Historical Footprint
We observed that the original binary file (Photo.scr) is primarily a container (with some additional features discussed later) for known malware binary NSCpuCNMiner32.exe with the MD5 hash 3afeb8e9af02a33ff71bf2f6751cae3a, a binary we first saw in the wild in July 2014. The binary is packed with PolyEnE 0.01+.
Traditionally, the malware has been propagated using social engineering through Skype, email, removable media and by using phishing campaigns; where it has masqueraded as a legitimate application. During this campaign we have observed that NSCpuCNMiner32.exe is deployed after a victim visits one of the 55 malicious websites described previously, as a result of loading “photo.scr”.
Execution & Dynamic Analysis
The binary file “photo.scr” requires no special arguments, executing on Windows and WINE-enabled systems through traditional user interaction such as double-clicking.
As soon as the executable is launched, the following changes to the host operating system are performed.
The following mutex is created:
The following registry key is modified:
Within the registry path for Internet Settings, the following web proxy settings are modified or deleted:
The malware reconfigures caching of web content:
The malware then disables the security settings of Internet Explorer by modifying the following registry keys:
Next, the malware modifies global file extension settings for the infected system to prevent showing the user file extensions via the Windows Explorer.
Then it attempts to access potentially sensitive information from local browsers:
It also adds itself to the autorun registry keypath for persistence.
Upon installation, the following DNS request is made:
Encoded instructions for mining
The malware makes a GET request to http://hrtests[.]ru/test.html?0; this is the same domain against which a DNS request was first performed. In response to the GET request, the malware expects the following encoded data, as shown in Figure 3. The binary also contains a list of domains (given in the appendix, registered in 2016), from where it fetches the mining pool information.
Figure 3: Encoded response
We analyzed the encoded data and found that it is employing a simple decoding algorithm (ROT47 on custom characterset). Pseudocode is shown here:
A decoded response is depicted in Figure 4.
Figure 4: The decoded response containing coin mining hashes
The decoded text contains the mining parameters and credentials for mining.
The mining malware – NsCpuCNMiner32.exe – is typically run from within a user temp directory. When executed in a standalone Windows virtual machine (VM), it detects the virtual environment and exits with a dialog box that “the application can’t run under virtual machine”. However, when we execute it through FireEye multi-vector virtual execution engine (MVX), it successfully executes and allowed us to analyze the malware behavior.
It is a general-purpose miner that has been used for mining cryptocurrencies in the past and is invoked by several families of malware using several parameters. These settings define which mining pool it will use.
NsCpuCNMiner32.exe is invoked by Photo.scr using the ShellExecuteA
method with the following parameters:
API Name: ShellExecuteA
Note that these parameters are the same as those which are decoded from the response from hrtests[.]ru (above). Photo.scr obtains the settings regarding mining pool from hrtests[.]ru and passes them as input to the miner, which uses this information to start mining activity.
The miner also checks for a Process Debug Port to detect
execution within a virtual machine or for the presence of a debugger.
It was successfully evading VMware and Qemu based virtualized
sandboxes, and terminated after execution in those virtualization
environments. If it executes successfully, it initiates mining
activity by contacting the mining pool defined in the parameters
passed from photo.scr.
Protocol Type: udp Qtype:
Host Address Hostname: mine.moneropool.com
Coin Mining traffic
The following network traffic is generated by the miner executable while mining activity is being performed, as shown in Figure 5.
Figure 5: Coin mining traffic
Mining pools contacted
The mining process contacts the mining pools, i.e. mine.moneropool.com:3333, monero.crypto-pool.fr:3333, pool.minexmr.com:5555, xmr.prohash.net:7777.
The malware propagates from a victim system by copying photo.scr to the root of all lettered drives connected to the victim machine. This way, the malware propagates through both removable and network drives mounted to a victim system. The malware invokes a native command-line copying utility, “xcopy”, to propagate itself:
for %%i in (A B C D E F G H J K L M N O P R S T Q U Y I X V X W Z) do xcopy /y "%s" %%i:\
FTP Traffic Analysis
Once the malware has been successfully copied to all the drives connected to the system, it calls out to various public FTP servers including servers belonging to Government, Industry, Education and SME organizations. The binary was observed attempting to connect to almost 54,000 IPs via FTP; however, only 203 IPs were running active FTP services. The malware attempted to authenticate using six different usernames and 17 different passwords. The username and password combinations attempted suggest that the attacker is attempting to leverage weak or default credentials for authentication.
A geolocation map of the 203 active IPs is shown in Figure 6. (The list of IPs is removed for privacy, please note that geolocation metadata may not be reliable in all cases).
Figure 6: Geolocation of active FTP servers to which the binary attempts to connect
The binary attempted the following username and password combinations:
Usernames: anonymous, www-data, administrator, ftp, user, user123
Passwords: password, pass1234, 123456, 1234567, 12345678, 123456789, 1234567890, qwerty, 000000, 111111, 123123, abc123, admin123, derok010101, windows, 123qwe, 000000
The malware successfully authenticated to three of the 203 FTP servers. In all three cases, the malware attempted to upload the file “Photo.scr” from the local machine to the remote server. In two cases the file upload wasn't allowed, leading to a “Permission denied” error. The file transfer was successful in one case, as seen in Figure 7. The malware was observed attempting to FTP a copy of itself to a HP printer with an Internet-routable IP address, but used the STOR command instead of the commonly used PUT command.
Figure 7: Successful FTP transfer for Photo.scr
Pervasiveness of Photo.scr
We attempted to locate files named “Photo.scr” available on the Internet using open sources. We identified both HTTP and FTP servers residing in eight countries, indicating that the malware has been present in many countries worldwide. A geolocation map of these domains is shown in Figure 8.
Figure 8: Geolocation map of the public Web and FTP servers containing the Photo.scr sample
URL Fuzzing on Domain List
Since there are no links on the site main page, we resolved to fuzz commonly used names of HTML pages and directories in an attempt to generate responses from the malicious web server. We found several malicious active pages such as Photos.html and Photo.html serving the same malicious content. As an example, browsing to the Photos.html page results in the malware being loaded into the browser as text/html and triggering the download via the iFRAME. However, there were other pages on this site that were serving different, rather benign looking content. Details of other pages found via fuzzing are mentioned in Appendix B.
Cryptocurrencies have been gaining popularity in recent years, particularly since Bitcoin emerged in 2009 as the first decentralized cryptocurrency. The decentralized nature of the internet and the widespread availability of vulnerable hosts has motivated cybercriminals to covertly target connected machines and abuse them to harvest cryptocurrencies.
Recently we observed a coin-mining campaign invovling around 60 unique domains being launched in April 2016, all pointing to a single IP host. Using social engineering techniques, users were tricked to browse to these domains, where they were presented with an HTML page containing an iframe that forced the browser to download a file named Photo.scr. This file was carefully named to entice curious users to click on it, thus executing the malware binary, infecting the user’s computer and enslaving its resources to mine BitMonero coins.
For persistence, the malware implemented a common Registry autorun mechanism, attempted to infect removable and network drives, and attempted to propagate to globally distributed FTP servers using weak or default credentials. This hack-for-profit campaign is another example of how the underground economy flourishes with the innovation and ingenuity of cybercriminals. Analyzing this campaign provided insights into the threat this campaign poses to online users globally.
FireEye’s multi-flow detection mechanism identifies this malware at every level, from the point of entry to the callback. Additionally, the malware was unable to detect or bypass the FireEye sandbox.
Credits and Acknowledgements
We would like to thank and acknowledge Dan Caselden, Devon Kerr, Imad Khurram and Ali Hussain for their contribution.
Domain/URLs in the malware executable
An in-depth analysis into the binary revealed the following domains (available as plain text strings) hosting the pool information for the miner.
Stafftest.ru (First seen in 2014, resolving to IP: 184.108.40.206 back then )
Hrtests.ru (First seen in 2013, resolving to IP: 220.127.116.11 )
Profetest.ru (First seen in 2016, resolving to IP: 18.104.22.168 )
Testpsy.ru (First seen in 2015, resolving to IP: 22.214.171.124 )
Pstests.ru (First seen in 2016, resolving to IP: 126.96.36.199 )
Qptest.ru (First seen in 2015, resolving to IP: 188.8.131.52 )
Prtests.ru (First seen in 2016, resolving to IP: 184.108.40.206 )
Jobtests.ru (First seen in 2016, resolving to IP: 220.127.116.11 )
Iqtesti.ru (First seen in 2016, resolving to IP: No DNS answer)
Figure 9: Map showing the location of the servers where these domains are hosted
Figure 10 shows browsing to Photo.html.
Figure 10: Browsing view of page Photo.html
Translating the title to Chinese results in this: “Magic Dragon spider pool ---- purchase please contact: dragon magic spider pool”. While the content on the page results in this: “Long sentences dynamic magic _”
All the links on the page point to: http://www.ggkuu[.]top/%3C%E9%BE%99%E9%AD%94_%E5%8A%A8%E6%80%81%E5%8F%A5%E5%AD%90%3E. Clicking on any of these links, results in redirection to a page serving the malware.
Looking for other HTML pages on this domain, we resorted to crawling and fuzzing and found more than 1,200 HTML pages. A few of them are illustrated in the following table. The majority of these pages seem to be serving the same malware binary as the main page.
The Sitemap page of this domain was particularly interesting, as it seems to be pointing to various news articles on ybnews[.]cn and 96hq[.]com. Each time we browse to this page, new content is generated. Figure 10 and Figure 11 show manifesting links to ybnews[.]cn and 96hq[.]com.
Figure 11: Sitemap containing URLs of ybnews[.]cn
Figure 12: Sitemap containing URLs from 96hq[.]com
Fuzzing and crawling for directories, we found more than 1,200 directory folders, which mostly point to pages that are serving malware. A few of these folders are illustrated as follows: ‘/desktop/’, ‘/category/’, ‘/nz/’,’/8/’, ‘/fr/’, ‘/d/’, ‘/cz/’, ‘/fk/’, ‘/dk/’, ‘/cu/’, ‘/gr/’, ‘/cc/’, ‘/o/’, ‘/be/’, ‘/ar/’, ‘/bj/’.