Source |
AlienVault Blog |
Identifier |
822528 |
Publication date |
2018-09-24 18:10:00 (seen: 2018-09-24 21:02:10) |
Title |
MadoMiner Part 1 - Install |
Text |
2018 seems to be a time for highly profitable cryptominers that spread over SMB file shares. Following my analysis of ZombieBoy in July, I found a new malware sample that I’m calling MadoMiner. With the help of Chris Doman, I was able to analyze it and discover that it uses techniques similar to ZombieBoy, because it hijacks ZombieBoy’s CPUINFO.exe.
However, MadoMiner is much, much larger, in terms of:
The size of the malware;
The number of systems infected; and
The total profit gained by the attackers.
The previously analysed ZombieBoy was earning around $750 a month while mining at its maximum power. MadoMiner, on the other hand, is earning around $6015 a month while only mining at 50% power.
Malware Analysis
An overview of the Install module is below. Depending on the victim’s architecture, obtained from CPUInfo.exe, either x86.dll or x64.dll is installed.
x86.dll and x64.dll are virtually identical; one is specifically for 64-bit (x86-64) Windows and the other for 32-bit (x86) Windows.
Domains
MadoMiner appears to use two different servers to distribute payloads for each module.
http://da[dot]alibuf.com:3/
http://bmw[dot]hobuff.info:3/
In addition, the second module, Mask.exe, contains the following identified mining servers used by MadoMiner:
http://gle[dot]freebuf.info
http://etc[dot]freebuf.info
http://xmr[dot]freebuf.info
http://xt[dot]freebuf.info
http://boy[dot]freebuf.info
http://liang[dot]alibuf.com
http://dns[dot]alibuf.com
http://x[dot]alibuf.com
Exploits
During the execution of the Install module, MadoMiner makes use of several exploits:
CVE-2017-9073, RDP vulnerability on Windows XP and Windows Server 2003
CVE-2017-0143, SMB exploit
CVE-2017-0146, SMB exploit
Installation
MadoMiner begins on a victim’s computer as a DLL installed by the EternalBlue/DoublePulsar exploits. Depending on OS architecture, you’ll find either x86.dll or x64.dll installed on the computer. Both are essentially the same, adjusted for the operating system architecture.
Just like ZombieBoy, MadoMiner makes use of a heavily modified version of ZombieBoyTools in order to install its DLL. The apparent reason for this is that the CPUInfo.exe dropped by MadoMiner’s Install module appears to be the same CPUInfo.exe dropped by an earlier version of 64.exe, a module from ZombieBoy (similar to the current CPUInfo in ZombieBoy, minus the embedded miner and anti-VM guards).
In fact, if MadoMiner’s CPUInfo.exe is run without the surrounding Install module, it will attempt to communicate with ZombieBoy’s servers and ultimately install ZombieBoy.
Packet showing malware communicating to ca[dot]posthash.org:443
Setup
Once either x86.dll or x64.dll is successfully installed and executed on a victim’s computer, several actions are performed. First, 2 UPX packed modul |
Sent |
Yes |
Digest |
“c: “hklm 1kb 2/td> 2df2d6d9db08558e88f1636ed2acc146 2nd 3322 360safe 4a14e7fb274462e844b5595210350400 4ae31911c1ef2ca4eded1fdbaa2c7a49 741 bat bmw ce606d80b44ea2aae81056b9088ba1e4 com conhost cpuinfo currentcontrolset d8470f5c12f5a5fee89de4d4c425d614 demc demo dot dst eventlog” exe exe” file fonts frebuf freebuf gle hobuff iis info:3 info:3/ info:80 install installer ip138 mado madominer mask module net part rundllhost servicemaims” servicemais” services sogou svchost system windows www x64 x86 |