At FireEye Labs, we recently detected the resurgence of a coin mining campaign with a novel and unconventional infection vector in the form of an iFRAME (inline frame) – an HTML document embedded inside another HTML document on a web page that allows users to get content from another separate source and display it within the main web page – embedded in a PE binary (Portable Executable Binary, or .exe).

We observed an anomaly when approximately 60 domains (all [.]top TLDs  registered on April 7, 2016) started serving a coin mining malware – to mine BitMonero, a form of digital currency – on their main page under the mime-type of html/text. All of these domains were registered by the same entity and they were resolving to the same IP.  

Only the PE binary file was directly hosted on the index page without any browser exploit (in general, browser exploits are delivered via third party software exploits such as JavaScript or Flash). However, an HTML IFRAME tag that was embedded inside the malware binary was being used to force the web browser to download its copy as a file named “Photo.scr”. This filename is perhaps designed to entice the human victim to click on the file and check the “Photo” that was downloaded.   

In the absence of a browser exploit mechanism, this appears to be a social engineering attack, where the attacker would trick a user into downloading and executing the binary hosted on this site. The page contents were downloaded and analyzed by FireEye team members. The SCR file had a md5sum: aba2d86ed17f587eb6d57e6c75f64f05. Our system classified this as a coinminer malware, which uses its victim’s computing resources to mine bitcoins.

What is a Bitcoin and BitMonero and how is it created?

Bitcoin and BitMonero are digital currencies that leverage a peer-to-peer (P2P) decentralized model for validating and transactions. Since no financial institutions are used, no central authority is necessary to control this currency. Bitcoins are accepted as currency by many merchants, can be used to pay for various online services, products and goods, and can be traded for traditional currency via Bitcoin/currency exchanges. Bitcoins are generated or “mined” after processing a “block” of data. A Bitcoin or BitMonero block is a cryptographic challenge that is solved by intensive computing power.

Domains list serving the content

These 55 domains (tabulated in Table 1) associated with BitMonero mining operations were registered on the same day and serving the same content. These domains belonged to the [.]top TLD.

mlwhv[.]top

uogwq[.]top

ggkuu[.]top

yccwf[.]top

psilh[.]top

eadlr[.]top

ngdhi[.]top

yhens[.]top

eyxvm[.]top

jdjkc[.]top

uprhr[.]top

zylhq[.]top

voxzn[.]top

yuaek[.]top

ncasy[.]top

wikxu[.]top

mfxaw[.]top

lwwlg[.]top

fkfrl[.]top

lbnvy[.]top

ejqpw[.]top

xvrqo[.]top

ofmio[.]top

pealp[.]top

spvok[.]top

xrjsa[.]top

buacs[.]top

apbqd[.]top

zknhb[.]top

mdbfj[.]top

vkrov[.]top

wafpp[.]top

trwrx[.]top

bnxom[.]top

mdqlo[.]top

qilwl[.]top

yuhoa[.]top

fbldk[.]top

quiwq[.]top

wvrwv[.]top

osjjo[.]top

wisit[.]top

ejaiy[.]top

ewnoh[.]top

hitaz[.]top

bveat[.]top

vjrye[.]top

vjeyu[.]top

szbia[.]top

wniyz[.]top

dduni[.]top

iffis[.]top

wejyr[.]top

ppymk[.]top

ndyqr[.]top

 

 

 

 

 

Table 1: List of 55 registered domains for Bitcoin mining

IP and Whois Information

IP and whois registration information for all these domains contains the same registrant and these domains resolved to the same IP address as of April 20, 2016. The addresses were determined to belong to a single service provider located in North Kansas City, USA. The registrant whois information shown in the following table specifies an address in NanJing, China. This information is consistent for the domains registered for this campaign:

domain

date created

registrant email

Registrant address

registrar name

IP address

ggkuu[.]top

4/7/2016

yaomaiyumingzhaowo@126.com

QingShuiTingDongLu163HaoHengDaLvZhouHuaYuan, NanJing

Jiangsu bangning science technology Co

198.204.254[.]82

Web Content Analysis

These domains were pointing to the IP: 198.204.254[.]82. The server was configured to respond with the same content to any GET request for these domains. An analysis of one of the domains is presented in this post as a case study.

For this case study we chose a representative domain, “ggkuu[.]top”, from the list. Browsing to the site http://www.ggkuu[.]top with a user web browser results in the malware being loaded as an html/text MIME-type object.

Figure 1 shows a screenshot of the web browser after visiting the site. Because the Mime-type is set to html/text, the binary appears as html/text in the browser. Note the MZ header at the beginning of the page. MZ headers are associated with executable binaries. This appears to be a benign looking file to the end-user; however, it is treated by the end-user system as an executable.

Figure 1. www.Ggkuu[.]top content view in browser

The following is a session generated using the WGET utility, a command line tool that can be used to generate web requests, which verifies that the site serves the malware as mime-type of text/html.

Malware Delivery/Exploit method

The malware is delivered by way of a standard 1x1 iFRAME that will attempt to load the binary file, “Photo.SCR” upon visiting the website. The following is the iframe:

The binary object was obtained and is identical to “Photo.scr” based on the file MD5 hashsum, also shown in Figure 2.

Figure 2. www.Ggkuu[.]top the iframe embedded in the content triggering Photo.scr download in the web browser

A Historical Footprint

We observed that the original binary file (Photo.scr) is primarily a container (with some additional features discussed later) for known malware binary NSCpuCNMiner32.exe with the MD5 hash 3afeb8e9af02a33ff71bf2f6751cae3a, a binary we first saw in the wild in July 2014. The binary is packed with PolyEnE 0.01+.

Traditionally, the malware has been propagated using social engineering through Skype, email, removable media and by using phishing campaigns; where it has masqueraded as a legitimate application. During this campaign we have observed that NSCpuCNMiner32.exe is deployed after a victim visits one of the 55 malicious websites described previously, as a result of loading “photo.scr”.    

Execution & Dynamic Analysis

The binary file “photo.scr” requires no special arguments, executing on Windows and WINE-enabled systems through traditional user interaction such as double-clicking.

Configurational Settings

As soon as the executable is launched, the following changes to the host operating system are performed. 

The following mutex is created:

\BaseNamedObjects\gcc-shmem-tdm2-use_fc_key
\BaseNamedObjects\gcc-shmem-tdm2-sjlj_once
\BaseNamedObjects\gcc-shmem-tdm2-once_global_shmem
\BaseNamedObjects\gcc-shmem-tdm2-once_obj_shmem
\BaseNamedObjects\gcc-shmem-tdm2-mutex_global_shmem
\BaseNamedObjects\gcc-shmem-tdm2-_pthread_tls_once_shmem
\BaseNamedObjects\gcc-shmem-tdm2-_pthread_tls_shmem
\BaseNamedObjects\gcc-shmem-tdm2-mtx_pthr_locked_shmem
\BaseNamedObjects\gcc-shmem-tdm2-mutex_global_static_shmem
\BaseNamedObjects\gcc-shmem-tdm2-mxattr_recursive_shmem
\BaseNamedObjects\gcc-shmem-tdm2-pthr_root_shmem
\BaseNamedObjects\gcc-shmem-tdm2-idListCnt_shmem
\BaseNamedObjects\gcc-shmem-tdm2-idListMax_shmem
\BaseNamedObjects\gcc-shmem-tdm2-idList_shmem
\BaseNamedObjects\gcc-shmem-tdm2-idListNextId_shmem
\BaseNamedObjects\gcc-shmem-tdm2-fc_key
\BaseNamedObjects\gcc-shmem-tdm2-_pthread_key_lock_shmem
\BaseNamedObjects\gcc-shmem-tdm2-_pthread_cancelling_shmem
\BaseNamedObjects\gcc-shmem-tdm2-cond_locked_shmem_rwlock
\BaseNamedObjects\gcc-shmem-tdm2-rwl_global_shmem

The following registry key is modified:

Within the registry path for Internet Settings, the following web proxy settings are modified or deleted:

The malware reconfigures caching of web content:

The malware then disables the security settings of Internet Explorer by modifying the following registry keys:

Next, the malware modifies global file extension settings for the infected system to prevent showing the user file extensions via the Windows Explorer.

Then it attempts to access potentially sensitive information from local browsers:

It also adds itself to the autorun registry keypath for persistence.

Upon installation, the following DNS request is made:

Encoded instructions for mining

The malware makes a GET request to http://hrtests[.]ru/test.html?0; this is the same domain against which a DNS request was first performed. In response to the GET request, the malware expects the following encoded data, as shown in Figure 3. The binary also contains a list of domains (given in the appendix, registered in 2016), from where it fetches the mining pool information.

Figure 3: Encoded response

We analyzed the encoded data and found that it is employing a simple decoding algorithm (ROT47 on custom characterset). Pseudocode is shown here:

A decoded response is depicted in Figure 4.

Figure 4: The decoded response containing coin mining hashes

The decoded text contains the mining parameters and credentials for mining.

Dropped Binary

The mining malware  – NsCpuCNMiner32.exe – is typically run from within a user temp directory. When executed in a standalone Windows virtual machine (VM), it detects the virtual environment and exits with a dialog box that “the application can’t run under virtual machine”. However, when we execute it through FireEye multi-vector virtual execution engine (MVX), it successfully executes and allowed us to analyze the malware behavior.

C:\Documents and Settings\admin\Local Settings\Temp\NsCpuCNMiner32.exe
  MD5:  3afeb8e9af02a33ff71bf2f6751cae3a
  SHA1: fd358cfe41c7aa3aa9e4cf62f832d8ae6baa8107

It is a general-purpose miner that has been used for mining cryptocurrencies in the past and is invoked by several families of malware using several parameters. These settings define which mining pool it will use.

NsCpuCNMiner32.exe is invoked by Photo.scr using the ShellExecuteA method with the following parameters:

API Name:  ShellExecuteA   Address:  0x00402404
Params:  [0x0, open, cmd, /c start /b %TEMP%\NsCpuCNMiner32.exe -dbg -1 -o s
   tratum+tcp://mine.moneropool.com:3333 -t 1 -u 4
   4puJ9e27jyKc1et48J7SZLQ4pDcos96c6u84vcwHgCCce1T
   YqXxzpyR3gY793D9mKGEY7WjtC6TKA7eDbtvfrgGHoDNBGx
    -p x, NULL, 0]

Note that these parameters are the same as those which are decoded from the response from hrtests[.]ru (above). Photo.scr obtains the settings regarding mining pool from hrtests[.]ru and passes them as input to the miner, which uses this information to start mining activity.

The miner also checks for a Process Debug Port to detect execution within a virtual machine or for the presence of a debugger. It was successfully evading VMware and Qemu based virtualized sandboxes, and terminated after execution in those virtualization environments. If it executes successfully, it initiates mining activity by contacting the mining pool defined in the parameters passed from photo.scr.

  Protocol  Type:  udp   Qtype:  Host Address   Hostname:  mine.moneropool.com
  Imagepath:  c:\Documents and Settings\admin\Local Settings\Temp\NsCpuCNMiner32.exe

Coin Mining traffic

The following network traffic is generated by the miner executable while mining activity is being performed, as shown in Figure 5.

Figure 5: Coin mining traffic

Mining pools contacted

The mining process contacts the mining pools, i.e. mine.moneropool.com:3333, monero.crypto-pool.fr:3333, pool.minexmr.com:5555, xmr.prohash.net:7777.

Propagation

The malware propagates from a victim system by copying photo.scr to the root of all lettered drives connected to the victim machine. This way, the malware propagates through both removable and network drives mounted to a victim system. The malware invokes a native command-line copying utility, “xcopy”, to propagate itself:

for %%i in (A B C D E F G H J K L M N O P R S T Q U Y I X V X W Z) do xcopy /y "%s" %%i:\

FTP Traffic Analysis

Once the malware has been successfully copied to all the drives connected to the system, it calls out to various public FTP servers including servers belonging to Government, Industry, Education and SME organizations. The binary was observed attempting to connect to almost 54,000 IPs via FTP; however, only 203 IPs were running active FTP services. The malware attempted to authenticate using six different usernames and 17 different passwords. The username and password combinations attempted suggest that the attacker is attempting to leverage weak or default credentials for authentication.

A geolocation map of the 203 active IPs is shown in Figure 6. (The list of IPs is removed for privacy, please note that geolocation metadata may not be reliable in all cases).

Figure 6: Geolocation of active FTP servers to which the binary attempts to connect

The binary attempted the following username and password combinations:

Usernames: anonymous, www-data, administrator, ftp, user, user123

Passwords: password, pass1234, 123456, 1234567, 12345678, 123456789, 1234567890, qwerty, 000000, 111111, 123123, abc123, admin123, derok010101, windows, 123qwe, 000000

The malware successfully authenticated to  three of the 203 FTP servers. In all three cases, the malware attempted to upload the file “Photo.scr” from the local machine to the remote server. In two cases the file upload wasn't allowed, leading to a “Permission denied” error. The file transfer was successful in one case, as seen in Figure 7. The malware was observed attempting to FTP a copy of itself to a HP printer with an Internet-routable IP address, but used the STOR command instead of the commonly used PUT command.

Figure 7: Successful FTP transfer for Photo.scr

Pervasiveness of Photo.scr

We attempted to locate files named “Photo.scr” available on the Internet using open sources. We identified both HTTP and FTP servers residing in eight countries, indicating that the malware has been present in many countries worldwide. A geolocation map of these domains is shown in Figure 8.

Figure 8: Geolocation map of the public Web and FTP servers containing the Photo.scr sample

URL Fuzzing on Domain List

Since there are no links on the site main page, we resolved to fuzz commonly used names of HTML pages and directories in an attempt to generate responses from the malicious web server. We found several malicious active pages such as Photos.html and Photo.html serving the same malicious content. As an example, browsing to the Photos.html page results in the malware being loaded into the browser as text/html and triggering the download via the iFRAME. However, there were other pages on this site that were serving different, rather benign looking content. Details of other pages found via fuzzing are mentioned in Appendix B.

Conclusion

Cryptocurrencies have been gaining popularity in recent years, particularly since Bitcoin emerged in 2009 as the first decentralized cryptocurrency. The decentralized nature of the internet and the widespread availability of vulnerable hosts has motivated cybercriminals to covertly target connected machines and abuse them to harvest cryptocurrencies.

Recently we observed a coin-mining campaign invovling around 60 unique domains being launched in April 2016, all pointing to a single IP host. Using social engineering techniques, users were tricked to browse to these domains, where they were presented with an HTML page containing an iframe that forced the browser to download a file named Photo.scr. This file was carefully named to entice curious users to click on it, thus executing the malware binary, infecting the user’s computer and enslaving its resources to mine BitMonero coins. 

For persistence, the malware implemented a common Registry autorun mechanism, attempted to infect removable and network drives, and attempted to propagate to globally distributed FTP servers using weak or default credentials. This hack-for-profit campaign is another example of how the underground economy flourishes with the innovation and ingenuity of cybercriminals. Analyzing this campaign provided insights into the threat this campaign poses to online users globally.

FireEye’s multi-flow detection mechanism identifies this malware at every level, from the point of entry to the callback. Additionally, the malware was unable to detect or bypass the FireEye sandbox.

Credits and Acknowledgements

We would like to thank and acknowledge Dan Caselden, Devon Kerr, Imad Khurram and Ali Hussain for their contribution.

Appendix A

Domain/URLs in the malware executable

An in-depth analysis into the binary revealed the following domains (available as plain text strings) hosting the pool information for the miner.

Stafftest.ru (First seen in 2014, resolving to IP: 88.214.200.145 back then )

Hrtests.ru (First seen in 2013, resolving to IP: 88.214.200.145 )

Profetest.ru (First seen in 2016, resolving to IP: 5.196.241.192 )

Testpsy.ru (First seen in 2015, resolving to IP: 178.32.238.223 )

Pstests.ru (First seen in 2016, resolving to IP: 151.80.9.92 )

Qptest.ru (First seen in 2015, resolving to IP: 88.214.200.145 )

Prtests.ru  (First seen in 2016, resolving to IP: 178.33.188.146 )

Jobtests.ru  (First seen in 2016, resolving to IP: 178.33.188.146 )

Iqtesti.ru  (First seen in 2016, resolving to IP: No DNS answer)

Figure 9: Map showing the location of the servers where these domains are hosted

Appendix B

Figure 10 shows browsing to Photo.html.

Figure 10: Browsing view of page Photo.html

Translating the title to Chinese results in this: “Magic Dragon spider pool ---- purchase please contact: dragon magic spider pool”. While the content on the page results in this: “Long sentences dynamic magic _”

All the links on the page point to: http://www.ggkuu[.]top/%3C%E9%BE%99%E9%AD%94_%E5%8A%A8%E6%80%81%E5%8F%A5%E5%AD%90%3E. Clicking on any of these links, results in redirection to a page serving the malware.

Looking for other HTML pages on this domain, we resorted to crawling and fuzzing and found more than 1,200 HTML pages. A few of them are illustrated in the following table. The majority of these pages seem to be serving the same malware binary as the main page.

/awk.html

/l.html

/printer.html

/pdfs.html

/names.html

/author.html

/ls.html

/tf.html

/mirrors.html

/private.html

/viewonline.html

/firewall.html

/bv.html

/backups.html

/premier.html

/ppts.html

/cf.html

 

/compose.html

/kernel.html

/cgi.html

/disclaimer.html

/blogs.html

The Sitemap page of this domain was particularly interesting, as it seems to be pointing to various news articles on ybnews[.]cn and 96hq[.]com. Each time we browse to this page, new content is generated. Figure 10 and Figure 11 show manifesting links to ybnews[.]cn and 96hq[.]com.

Figure 11: Sitemap containing URLs of ybnews[.]cn

Figure 12: Sitemap containing URLs from 96hq[.]com

Fuzzing and crawling for directories, we found more than 1,200 directory folders, which mostly point to pages that are serving malware. A few of these folders are illustrated as follows: ‘/desktop/’, ‘/category/’, ‘/nz/’,’/8/’, ‘/fr/’, ‘/d/’, ‘/cz/’, ‘/fk/’, ‘/dk/’, ‘/cu/’, ‘/gr/’, ‘/cc/’, ‘/o/’, ‘/be/’, ‘/ar/’, ‘/bj/’.