SHA1:
- 916f82f365bf5f8bc3e2f87422ddb10303b7a4d6
A Trojan designed to mine cryptocurrency. It is installed on Microsoft Windows Server hosts by exploiting a vulnerability in Cleverence Mobile SMARTS Server.
It runs as a critical process (one that Windows will not let terminate without halting the system) under the display name "Plug-and-Play Service": if anyone tries to terminate it, Windows crashes with a "blue screen of death" (BSOD). The Trojan attempts to delete the following services:
WinDefend
MsMpSvc
SepMasterService
DrWebEngine
DrWebAVService
AVP
AVP18.0.0
AVP17.0.0
AVP15.0.2
KAVFS
ekrn
a2AntiMalware
ZAMSvc
AntiVirService
QHActiveDefense
It then looks for the following running processes and tries to terminate them:
anvir
msmpeng
dwengine
dwservice
ekrn
avp
kavfs
ccsvchst
cmdagent
a2service
ZAM
avguard
QHActiveDefense
If at least one of the listed processes is found, the Trojan decrypts its resource Service.x64.dat, which contains the Process Hacker kernel driver (a legitimately signed driver that is abused here to kill protected processes from kernel mode), writes it to disk as x64.sys and loads it. It uses this driver to terminate the detected processes.
It reads the following list of ports from its configuration:
8100
9100
10100
11100
12100
The Trojan then starts the SSDPSRV service (the Windows SSDP Discovery service) and tries to discover a router on the local network. For each port in the list, it uses UPnP to map that TCP port on the router to the infected server, which makes the listener reachable from outside the local network through the router's external address. It then listens on the listed ports and waits for incoming HTTP connections.
To determine which of the command-and-control servers listed in its configuration are alive, it sends each of them the following string (a JSON-RPC "login" request in the format used by Monero Stratum mining pools):
"{\"id\":1,\"jsonrpc\":\"2.0\",\"method\":\"login\",\"params\":{\"login\":\"0\",\"pass\":\"x\",\"agent\":\"Test/1.0\"}}\r\n"
The Trojan stores the settings it needs in the Windows registry under the following key:
HKEY_CLASSES_ROOT\datfile
The Trojan then sets up proxy servers on the infected machine that are used for mining; they listen on the following ports:
8080
8081
8082
9080
9081
9082
8083
8084
8085
9083
9084
9085
The Trojan also listens on port 51515. When a remote client connects, it waits for the command "deadbeef"; on receiving it, the Trojan launches PowerShell and redirects the shell's standard input and output to the connected client's socket, giving the operator a bind shell on the infected server.
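As an added example (not code from the description, from Doctor Web, or from the Trojan itself), the following Python classifies captured TCP payloads against the three network behaviours described above: the UPnP AddPortMapping calls for the listed ports, the JSON-RPC login probe sent to the C2 list, and the "deadbeef" trigger on port 51515. The SOAP request, its URL, the router and client addresses and the destination ports are constructed samples; the AddPortMapping argument names are those of the UPnP IGD WANIPConnection service.

```python
import json
import xml.etree.ElementTree as ET
from typing import Dict, Optional

# Ports the Trojan maps on the router via UPnP (from its configuration).
FORWARDED_PORTS = {8100, 9100, 10100, 11100, 12100}
# Port of the PowerShell bind shell and the trigger word it waits for.
BIND_SHELL_PORT = 51515
BIND_SHELL_TRIGGER = b"deadbeef"


def http_body(payload: bytes) -> bytes:
    """Return the body of an HTTP message, or the whole payload if there is no header block."""
    return payload.split(b"\r\n\r\n", 1)[-1]


def parse_port_mapping(payload: bytes) -> Optional[Dict[str, object]]:
    """Extract the arguments of a UPnP IGD AddPortMapping SOAP call, if the payload is one."""
    try:
        root = ET.fromstring(http_body(payload))
    except ET.ParseError:
        return None
    for elem in root.iter():
        if elem.tag.split("}")[-1] != "AddPortMapping":
            continue
        # The argument elements are unprefixed, so their tags carry no namespace.
        args = {c.tag.split("}")[-1]: (c.text or "").strip() for c in elem}
        try:
            return {
                "external_port": int(args["NewExternalPort"]),
                "internal_port": int(args["NewInternalPort"]),
                "internal_client": args["NewInternalClient"],
                "protocol": args["NewProtocol"].upper(),
            }
        except (KeyError, ValueError):
            return None
    return None


def is_c2_probe(payload: bytes) -> bool:
    """Match the JSON-RPC 'login' probe the Trojan sends to each address in its C2 list."""
    try:
        msg = json.loads(payload.decode("utf-8", "replace").strip())
    except ValueError:
        return False
    if not isinstance(msg, dict):
        return False
    params = msg.get("params")
    # A real miner logs in with a wallet address and its own agent string;
    # login "0", pass "x" and agent "Test/1.0" are the distinctive values here.
    return (msg.get("method") == "login" and isinstance(params, dict)
            and params.get("agent") == "Test/1.0"
            and params.get("login") == "0" and params.get("pass") == "x")


def classify_payload(dst_port: int, payload: bytes) -> Optional[str]:
    """Tag one captured TCP payload sent to dst_port, or return None if it matches nothing."""
    if dst_port == BIND_SHELL_PORT and payload.strip() == BIND_SHELL_TRIGGER:
        return "bind-shell-trigger"
    if is_c2_probe(payload):
        return "stratum-login-probe"
    mapping = parse_port_mapping(payload)
    if (mapping and mapping["protocol"] == "TCP"
            and mapping["external_port"] in FORWARDED_PORTS):
        return "upnp-port-mapping"
    return None


# Constructed samples: the probe string from the description, and a SOAP
# AddPortMapping request as a UPnP client would send it (URL and hosts made up).
SAMPLE_PROBE = (b'{"id":1,"jsonrpc":"2.0","method":"login","params":'
                b'{"login":"0","pass":"x","agent":"Test/1.0"}}\r\n')

SAMPLE_UPNP = (
    b"POST /ctl/IPConn HTTP/1.1\r\n"
    b"Host: 192.0.2.1:49152\r\n"
    b'SOAPACTION: "urn:schemas-upnp-org:service:WANIPConnection:1#AddPortMapping"\r\n'
    b'Content-Type: text/xml; charset="utf-8"\r\n\r\n'
    b'<?xml version="1.0"?>'
    b'<s:Envelope xmlns:s="http://schemas.xmlsoap.org/soap/envelope/">'
    b"<s:Body>"
    b'<u:AddPortMapping xmlns:u="urn:schemas-upnp-org:service:WANIPConnection:1">'
    b"<NewRemoteHost></NewRemoteHost><NewExternalPort>8100</NewExternalPort>"
    b"<NewProtocol>TCP</NewProtocol><NewInternalPort>8100</NewInternalPort>"
    b"<NewInternalClient>192.0.2.10</NewInternalClient><NewEnabled>1</NewEnabled>"
    b"<NewPortMappingDescription>sample</NewPortMappingDescription>"
    b"<NewLeaseDuration>0</NewLeaseDuration>"
    b"</u:AddPortMapping></s:Body></s:Envelope>"
)

if __name__ == "__main__":
    for port, data in ((49152, SAMPLE_UPNP), (3333, SAMPLE_PROBE), (51515, b"deadbeef\r\n")):
        print(port, classify_payload(port, data))
```

The UPnP check is the one worth keeping on a perimeter sensor: a host on a server VLAN issuing AddPortMapping for an external port in the 8100 to 12100 range has no legitimate reason to, whatever the malware family.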
After these steps, the Trojan injects a cryptocurrency-mining module into every running process. For each process it:
- extracts its resource "Service.rmxi.dat", decrypts it with XOR and saves it to disk under an arbitrary name and extension;
- injects this module into the process using the functions VirtualAllocEx, WriteProcessMemory, RtlCreateUserThread and LoadLibrary (the classic DLL-injection sequence: allocate memory in the target process, write the module's path into it, and start a remote thread whose entry point is LoadLibrary, so the target loads the module itself).
The decrypted "Service.rmxi.dat" is a miner, but instead of fetching jobs from and submitting results to a pool itself, it exchanges them through named pipes created by the Trojan service.
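The description says only that Service.rmxi.dat is XOR-encrypted, not what the key is. As an added example (not the Trojan's code and not from the description), the Python below shows the usual analyst approach when the decrypted payload is expected to be a PE module: brute-force the 256 single-byte keys and accept the one that yields a valid "MZ" header whose e_lfanew points at a "PE\0\0" signature. The single-byte key length, the sample key 0x5A and the header-only PE image are constructed assumptions for the demonstration.

```python
import struct
from typing import Optional


def xor_bytes(data: bytes, key: int) -> bytes:
    """XOR every byte with a single-byte key; the same call encrypts and decrypts."""
    return bytes(b ^ key for b in data)


def looks_like_pe(data: bytes) -> bool:
    """Check the DOS 'MZ' signature and the 'PE\\0\\0' signature at the e_lfanew offset."""
    if len(data) < 0x40 or data[:2] != b"MZ":
        return False
    e_lfanew = struct.unpack_from("<I", data, 0x3C)[0]
    return e_lfanew + 4 <= len(data) and data[e_lfanew:e_lfanew + 4] == b"PE\x00\x00"


def recover_single_byte_key(blob: bytes) -> Optional[int]:
    """Return the single-byte XOR key that turns blob into a PE image, or None."""
    if len(blob) < 0x40:
        return None
    for key in range(256):
        # Only one key can map the first two bytes to 'M','Z'; skip the rest cheaply.
        if blob[0] ^ key != 0x4D or blob[1] ^ key != 0x5A:
            continue
        if looks_like_pe(xor_bytes(blob, key)):
            return key
    return None


def build_sample_pe_image() -> bytes:
    """Constructed stand-in for a DLL resource: headers only, enough for the checks above."""
    img = bytearray(b"\xCC" * 0x100)          # filler bytes, constructed
    img[0:2] = b"MZ"
    struct.pack_into("<I", img, 0x3C, 0x80)   # e_lfanew -> 0x80
    img[0x80:0x84] = b"PE\x00\x00"
    return bytes(img)


SAMPLE_KEY = 0x5A  # constructed; the real key is not given in the description
ENCRYPTED_SAMPLE = xor_bytes(build_sample_pe_image(), SAMPLE_KEY)

if __name__ == "__main__":
    key = recover_single_byte_key(ENCRYPTED_SAMPLE)
    print("recovered key:", None if key is None else hex(key))
```

If no single-byte key produces a PE header, the resource is using a longer key or a different scheme; the same known-plaintext idea then applies to the DOS stub text at the start of most PE files, but that is beyond what the description states.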
For the miner's operation, the Trojan:
- creates the event "Global\{F2B06D4B-01B0-4F5C-B0FF-DC9F73696E63}" for the XMR (Monero) cryptocurrency;
- creates the event "Global\{9D91E9F3-F27B-44F7-8A9D-4D67BEFB5D08}" for the Aeon cryptocurrency;
- creates the file mapping "Global\{CCE2F35E-0F38-413A-B118-EDF75722B8E4}" to store the configuration.
The Trojan creates two named pipes:
- "{29F248DD-592B-48AF-B9F3-1596AA1BB280}" for XMR
- "{111A00F9-3BF6-49D2-9A19-5FB4A50D68AF}" for Aeon
This IPC is used to pass mining jobs to the injected miner and to collect its results.
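The named objects above, the registry key HKEY_CLASSES_ROOT\datfile and the "Plug-and-Play Service" display name are the host-side indicators a responder would check first. As an added example (not part of the description and not the Trojan's code), the Python below matches a snapshot of observed artifacts against them; the snapshot is constructed, the service name "pnpsrv" in it is hypothetical, and treating the display name as a service display name is an assumption (the description calls it a process display name). The only live collection included is the pipe listing, which runs only on Windows.

```python
import os
import sys
from typing import Any, Dict, List

# Named objects from the description above (as Windows sees them, unescaped).
PIPE_NAMES = {
    "{29F248DD-592B-48AF-B9F3-1596AA1BB280}",   # XMR job/result pipe
    "{111A00F9-3BF6-49D2-9A19-5FB4A50D68AF}",   # Aeon job/result pipe
}
EVENT_NAMES = {
    "Global\\{F2B06D4B-01B0-4F5C-B0FF-DC9F73696E63}",   # XMR
    "Global\\{9D91E9F3-F27B-44F7-8A9D-4D67BEFB5D08}",   # Aeon
}
SECTION_NAME = "Global\\{CCE2F35E-0F38-413A-B118-EDF75722B8E4}"   # config file mapping
REGISTRY_KEY = "HKEY_CLASSES_ROOT\\datfile"
SUSPECT_DISPLAY_NAME = "Plug-and-Play Service"
# The genuine Plug and Play service is PlugPlay with display name "Plug and Play".
GENUINE_PNP_SERVICE = "PlugPlay"


def list_named_pipes() -> List[str]:
    """Live collection of pipe names from \\\\.\\pipe\\; empty on non-Windows hosts."""
    if sys.platform != "win32":
        return []
    return os.listdir(r"\\.\pipe\\")


def match_iocs(observed: Dict[str, Any]) -> List[str]:
    """Compare an artifact snapshot against the indicators; return one tag per hit."""
    hits: List[str] = []
    for name in observed.get("pipes", []):
        if name in PIPE_NAMES:
            hits.append("pipe:" + name)
    for name in observed.get("events", []):
        if name in EVENT_NAMES:
            hits.append("event:" + name)
    for name in observed.get("sections", []):
        if name == SECTION_NAME:
            hits.append("section:" + name)
    for key in observed.get("registry_keys", []):
        if key.lower() == REGISTRY_KEY.lower():   # registry key names are case-insensitive
            hits.append("registry:" + key)
    for svc, display in observed.get("service_display_names", {}).items():
        if display == SUSPECT_DISPLAY_NAME and svc != GENUINE_PNP_SERVICE:
            hits.append("service-display-name:" + svc)
    return hits


# Constructed snapshot of what a collector might report on an infected host.
SAMPLE_OBSERVATION: Dict[str, Any] = {
    "pipes": ["lsass", "{29F248DD-592B-48AF-B9F3-1596AA1BB280}", "InitShutdown"],
    "events": ["Global\\{F2B06D4B-01B0-4F5C-B0FF-DC9F73696E63}"],
    "sections": ["Global\\{CCE2F35E-0F38-413A-B118-EDF75722B8E4}"],
    "registry_keys": ["HKEY_CLASSES_ROOT\\datfile", "HKEY_CLASSES_ROOT\\txtfile"],
    # "pnpsrv" is a hypothetical service name; the genuine PlugPlay entry is benign.
    "service_display_names": {"PlugPlay": "Plug and Play", "pnpsrv": "Plug-and-Play Service"},
}

if __name__ == "__main__":
    live = {"pipes": list_named_pipes()}
    for hit in match_iocs(live) + match_iocs(SAMPLE_OBSERVATION):
        print(hit)
```

Events and file mappings live in the object manager namespace, not the file system, so a full collector needs a tool that walks \BaseNamedObjects (WinObj, or NtOpenDirectoryObject from code); the snapshot shape above is where that output would go.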
The Trojan can also scan the network for other servers with Cleverence software installed.
To handle incoming HTTP connections, the Trojan takes the full request path and parameters, splits the string on '/' and walks the resulting substrings. If a substring equals "result", the Trojan base64-decodes the accompanying data, extracts it and parses it as XML; the XML must contain two fields, Address and Port. If a substring equals "proxy", the Trojan sends the list of IP addresses from its configuration, joined into one string with '|' as the separator. It then adds the received addresses of other infected hosts (also separated by '|') to its configuration.
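The exchange above is how infected hosts learn about each other. As an added example (not the Trojan's code and not from the description), the Python below re-implements that handler logic for a request path and runs it on constructed input. Three details the description leaves open are assumptions here: the base64 blob is taken to be the path segment right after "result", the requester's own peer list is taken to be the segment right after "proxy", and the XML root element is called Result. URL-safe base64 decoding is used because a blob in the standard alphabet could contain '/', which the described split would break.

```python
import base64
import binascii
import xml.etree.ElementTree as ET
from typing import Any, Dict, List, Optional, Tuple


def parse_result_blob(blob: str) -> Optional[Tuple[str, int]]:
    """Decode the base64 segment after 'result' and pull Address and Port out of the XML."""
    try:
        padded = blob + "=" * (-len(blob) % 4)          # tolerate stripped padding
        xml_bytes = base64.urlsafe_b64decode(padded)    # also accepts the standard alphabet
        root = ET.fromstring(xml_bytes)
    except (binascii.Error, ValueError, ET.ParseError):
        return None
    address = (root.findtext(".//Address") or "").strip()
    port = (root.findtext(".//Port") or "").strip()
    if not address or not port.isdigit() or not 0 < int(port) < 65536:
        return None
    return address, int(port)


def merge_peers(current: List[str], received: str) -> List[str]:
    """Add '|'-separated peer addresses to the list, keeping order and dropping duplicates."""
    merged = list(current)
    for addr in (a.strip() for a in received.split("|")):
        if addr and addr not in merged:
            merged.append(addr)
    return merged


def handle_request(path: str, peers: List[str]) -> Dict[str, Any]:
    """Walk the '/'-separated request string the way the description says the handler does."""
    out: Dict[str, Any] = {"result": None, "proxy_reply": None, "peers": list(peers)}
    segments = [s for s in path.split("/") if s]
    for i, seg in enumerate(segments):
        following = segments[i + 1] if i + 1 < len(segments) else ""
        if seg == "result":
            out["result"] = parse_result_blob(following)    # assumption: blob follows 'result'
        elif seg == "proxy":
            out["proxy_reply"] = "|".join(out["peers"])      # what the host would send back
            out["peers"] = merge_peers(out["peers"], following)   # assumption: list follows 'proxy'
    return out


# Constructed sample: an Address/Port document as the 'result' path would carry it.
SAMPLE_RESULT_XML = b"<Result><Address>203.0.113.5</Address><Port>8100</Port></Result>"
SAMPLE_RESULT_B64 = base64.urlsafe_b64encode(SAMPLE_RESULT_XML).decode().rstrip("=")

if __name__ == "__main__":
    print(handle_request("/result/" + SAMPLE_RESULT_B64, ["198.51.100.7"]))
    print(handle_request("/proxy/198.51.100.9|198.51.100.7", ["198.51.100.7"]))
```

The same two functions run in the other direction make a useful triage tool: feed them the paths from the web server logs of a Cleverence host and every "proxy" hit yields the peer addresses that host was told about.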