Trojan.VBS.MALXMR.THEBIBO

This Trojan arrives as an attachment to email messages spammed by other malware/grayware or malicious users. It arrives on a system as a file dropped by other malware or as a file downloaded unknowingly by users when visiting malicious sites.

Arrival Details

This Trojan arrives as an attachment to email messages spammed by other malware/grayware or malicious users.

It arrives on a system as a file dropped by other malware or as a file downloaded unknowingly by users when visiting malicious sites.

Installation

This Trojan drops the following files:

• %Public%\Libraries\Content → Coinminer.PS1.MALXMR.MPN
• %Public%\Libraries\reg.bat
• For Windows 10:
  
  • %User Temp%\CMSTP.inf

It adds the following processes:

• uac {%User Temp%\CMSTP.inf} {Command to execute} (For Windows 10 only)

(Note: %User Temp% is the current user's Temp folder, which is usually C:\Documents and Settings\{user name}\Local Settings\Temp on Windows 2000(32-bit), XP, and Server 2003(32-bit), or C:\Users\{user name}\AppData\Local\Temp on Windows Vista, 7, 8, 8.1, 2008(64-bit), 2012(64-bit) and 10(64-bit).)

Autostart Technique

This Trojan adds the following registry entries to enable its automatic execution at every system startup:

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\
Windows\CurrentVersion\Run
CheckIN = powershell -exec bypass -windowStyle hidden -enc {Content of %Public%\Libraries\Content}

Propagation

The said .INF file contains the following strings:

[version]
Signature=`$chicago`$
AdvancedINF=2.5

[DefaultInstall]
CustomDestination=CustInstDestSectionAllUsers
RunPreSetupCommands=RunPreSetupCommandsSection

[RunPreSetupCommandsSection]
; Commands Here will be run Before Setup Begins to install
{Command to execute}
taskkill /IM cmstp.exe /F

[CustInstDestSectionAllUsers]
49000,49001=AllUSer_LDIDSection, 7

[AllUSer_LDIDSection]
"HKLM", "SOFTWARE\Microsoft\Windows\CurrentVersion\App Paths\CMMGR32.EXE", "ProfileInstallPath", "%UnexpectedError%", ""

[Strings]
ServiceName="CorpVPN"
ShortSvcName="CorpVPN"

Download Routine

This Trojan connects to the following URL(s) to download its component file(s):

• https://{BLOCKED}d.ly/Firts
  
  • redirects to: http://{BLOCKED}xrkbiepyylgdcwrcjimxnfsrbgravivgbannnpnubawpdvekzbdbuqrd.{BLOCKED}.com.ua/uac.txt

Other Details

This Trojan does the following:

• For Windows 7, it will bypass UAC (User Access Control) by using the Invoke-PsUACme method by using the following parameters:
  
  • -Payload {Command to execute}
  • -CustomDLL32 {DLL to be used for "method" parameter}
  • -CustomDLL64 {DLL to be used for "method" parameter}
  • If CustomDLL32 and/or CustomDLL64 parameters are not used, it will used the hard-coded DLLs on the script instead.
  • -method
  • method types:
  • Sysrep
  • OOBE
  • ActionQueue
  • migwiz
  • cliconfg
  • winsat
  • mmc
• For every "method" type used, the contents of the DLL stated on "CustomDLL32/64" parameters or the hard-coded DLL will be written on a created DLL file under %User Temp% in which the name will depend on the "method" type and Windows Build Version.
• The contents of the created DLL file will then be copied to a created file %User Temp%\uac.cab
• It will then extract the contents of %User Temp%\uac.cab on a directory using wusa then executes a program that will load the created DLL with elevated privileges.
• The directory where the contents of %User Temp%\uac.cab will be extracted and executed program are also dependent on the method type used.
• Below are the following DLL Name, Directory and Executed pragram for each method type and Windows OS Build Version:
  
  • For Windows 7 and Windows Server 2008 only:
  • Method type: Sysprep
  • DLL Name: %User Temp%\CRYPTBASE.dll
  • Directory: %System%\Sysprep\
  • Executed Program: %System%\Sysprep\sysprep.exe
  • Method type: ActionQueue
  • DLL Name: %User Temp%\ActionQueue.dll
  • Directory: %System%\Sysprep\
  • Executed Program: %System%\Sysprep\sysprep.exe
  • Method type: winsat
  • DLL Name: %User Temp%\ntwdblib.dll
  • Directory: %System%\Sysprep\
  • Executed Program: %System%\Sysprep\winsat.exe
  • Method type: mmc
  • DLL Name: %User Temp%\ntwdblib.dll
  • Directory: %System%\
  • Executed Program: %System%\mmc.exe
  • For Windows 8.1 and Windows Server 2012 only:
  • Method type: Sysprep
  • DLL Name: %User Temp%\shcore.dll
  • Directory: %System%\Sysprep\
  • Executed Program: %System%\Sysprep\sysprep.exe
  • Method type: winsat
  • DLL Name: %User Temp%\devobj.dll
  • Directory: %System%\Sysprep\
  • Executed Program: %System%\Sysprep\winsat.exe
  • Method type: mmc
  • DLL Name: %User Temp%\elsext.dll
  • Directory: %System%\
  • Executed Program: %System%\mmc.exe
  • For both Windows OS Build Versions:
  • Method type: OOBE
  • DLL Name: %User Temp%\wdscore.dll
  • Directory: %System%\oobe\
  • Executed Program: %System%\oobe\setupsqm.exe
  • Method type: migwiz
  • DLL Name: %User Temp%\wdscore.dll
  • Directory: %System%\migwiz\
  • Executed Program: %System%\Sysprep\migwiz.exe
  • Method type: cliconfg
  • DLL Name: %User Temp%\ntwdblib.dll
  • Directory: %System%\
  • Executed Program: %System%\cliconfg.exe

(Note: %User Temp% is the current user's Temp folder, which is usually C:\Documents and Settings\{user name}\Local Settings\Temp on Windows 2000(32-bit), XP, and Server 2003(32-bit), or C:\Users\{user name}\AppData\Local\Temp on Windows Vista, 7, 8, 8.1, 2008(64-bit), 2012(64-bit) and 10(64-bit).. %System% is the Windows system folder, where it usually is C:\Windows\System32 on all Windows operating system versions.)