There isn't a day that goes by without a headline about yet another massive spike in [Bitcoin valuation](), or a story about someone [mortgaging their house]() to purchase the hardware required to become a serious cryptocurrency miner. If many folks are thinking about joining the 'crypto craze' movement, they may be surprised to learn that they already have. We've documented in-browser miners before on this blog, or what we call [drive-by cryptomining](), but drive-by download attacks such as those via the RIG exploit kit want a piece of the action, too. While the latter is [not a new trend](), we have noticed an increase in malware payloads from EKs that are coin miners, and we think this is going to be something to follow for 2018. ### Overview Today, we take a look at a prolific campaign that is focused on the distribution of coin miners via drive-by download attacks. We started to notice larger-than-usual payloads from the RIG exploit kit around November 2017, a trend that has continued more recently via a campaign dubbed [Ngay](). What happened is that the initial dropper contained additional binaries that contributed to its oversized nature as depicted below. Droppers from this campaign have contained one or more coin miners consistently, for at least Monero and lesser known but still popular other currencies such as [Bytecoin](). [![](https://blog.malwarebytes.com/wp-content/uploads/2018/01/Ngay_payloads.png)]( "" ) _One payload leads to two different coin miners._ For the same attack, these two processes will mine for the well-known Monero and Electroneum cryptocurrencies. When both executables are running, the CPU usage on the victim's computer is maxed at 100 percent. ### Distribution The [Ngay campaign](), identified as such by [Nao_Sec](), is one of several malvertising chains that relies on the RIG exploit kit to distribute its payloads. Recently, we observed a more complex redirection chain involving _bestadbid_ and various XML feeds upstream, eventually trickling down to the more familiar redirect to RIG. [![](https://blog.malwarebytes.com/wp-content/uploads/2018/01/traffic_view.png)]( "" ) _Infection flow showing redirection to RIG EK, followed by coin miner payloads_ [![](https://blog.malwarebytes.com/wp-content/uploads/2018/01/iframe_RIG.png)]( "" ) _iframe to RIG EK is inserted in Ngay's template page_ The dropped binary from RIG EK contains two other artifacts that each lead to a different coin miner and are launched in a rather unusual procedure. In the following sections, we will study their deployment mechanism. ### Monero miner Monero is one of the most well-known digital currencies that, contrary to Bitcoin, does not require special hardware and provides additional privacy benefits. Threat actors have jumped on it in via large-scale drive-by mining attacks, with the help of coin miner-purposed malware. Here the Monero miner is downloaded after a convoluted process that also aims at registering it permanently as a running service. The extracted binary from the RIG EK payload (_3yanvarya.exe_) is an installer that drops several .NET modules: [![](https://blog.malwarebytes.com/wp-content/uploads/2018/01/dotnetmodules.png)]( "" ) _.NET modules extracted from one of the two artifacts contained in RIG EK's payload_ _starter.exe_ uses an exploit (Invoke-MS16-032) copied from this [GitHub repository]() (It even re-uses the original license!) to elevate privileges: ![](https://blog.malwarebytes.com/wp-content/uploads/2018/01/in_starter.png) _Code snippet showing PowerShell code designed to elevate privileges_ _foxcon.exe_ contains two sub-modules inside: Hydra and Hand, which purport to protect and manage services: [![](https://blog.malwarebytes.com/wp-content/uploads/2018/01/foxcon.png)]( "" ) _Hydra and Hand: two modules in charge of miner services_ _services.exe_ is a service to download and manage the miner: [![](https://blog.malwarebytes.com/wp-content/uploads/2018/01/services_exe.png)]( "" ) _Miner is downloaded from a remote IP address_ Finally, the Monero miner (_series64.exe_) is retrieved and can start the mining activity. The overall process can be summarized in the diagram below. _"C:\Windows\TEMP\series64.exe" -o 5.23.48.207:5555 -u x -p x -k -B -max-cpu-usage=30 -safe_ [![](https://blog.malwarebytes.com/wp-content/uploads/2018/01/Monero_overall_flow.png)]( "" ) _Overview of the Monero miner deployment_ ### Electroneum miner [Electroneum,]() the "mobile friendly" digital currency, has only been recently introduced but became [popular]() almost immediately. The Android app allows anyone to mine and manage their wallet, but miners running desktop platforms can also participate. Malware authors are abusing it via a malicious coin miner binary that is dropped from _dp.exe_ in yet another unusual redirection chain. Indeed, it involves the _Bit.ly_ URL shortener to retrieve a fake PNG image containing instructions for the download and eventual launch of the miner itself. _"C:\Users\\[username]\AppData\Roaming\bvhost\bvhost.exe" -o etn-eu2.nanopool.org:13333 -u etnkKc…_ [![](https://blog.malwarebytes.com/wp-content/uploads/2018/01/Electroneum_overall_flow_.png)]( "" ) _Overview of the Electroneum miner deployment_ ### Conclusion As cryptocurrencies become more and more popular, we can only expect to see an increase in malicious coin miners, driven by the prospect of financial gains and increased anonymity. As the mining process has become cross-platform and achievable using regular computers, this has opened new possibilities for threat actors. Indeed, they can put hundreds of thousands of compromised machines to work mining for the latest and hottest digital currency around. For end users, the threat of a coin miner infection may seem less impactful than, say, a banking Trojan, but perhaps that is only true in the short term. Not only can existing malware download additional payloads over the course of time, but the illicit gains from cryptomining contribute to financing the criminal ecosystem, costing billions of dollars in losses. This particular RIG EK campaign is noteworthy for its focus on cryptominers and the way it unconventionally and at times inefficiently loads them. We will keep monitoring the drive-by download landscape to report on any change in payloads from other threat actors. _Many thanks to [@hasherezade]() for help studying the binaries._ ### Indicators of compromise RIG EK dropper FD4A117EDFEA1075132CF7D0A2AD5376B174AFD1C924D91E9B0D124320E3177D Redirections to downloader script 5.101.179.249 *.lolkekss[.]us bit[.]ly/2lXCGUy Downloader script for Electroneum miner (fake PNG) lolkekss.usite[.]pro/DF.png 195.216.243.130 Electroneum miner (_bvhost.exe_) 74.115.50.111 115776615-884492032168661957.preview.editmysite[.]com/uploads/1/1/5/7/115776615/be 13CE8C6C8E9E4A06880A5F445A391E9E26BB23FCD0C6F4CC495AA5B80E626C0B Monero miner (_series64.exe_) 188.225.46.219:3000/files/mh/series64.exe F651B1C5AE7B55B765994EB6630C45A0A7F1E43EBABD801CB8B3B26BDDB09D17 Additional miner loaders via RIG EK (SHA256, size in bytes, date found): 24ff04ef166cbc94d88afd0c7a3cba78dfe2f2d9e02a273a60fcc45ced5cb484,1732969,2017-12-29 d68c5095bd7b82e28acd4df5514a54db6d6d340ada860b64b932cb014fe1ecb3,1513983,2018-01-02 5c32e0d2a69fd77e85f2eecaabeb677b6f816de0d82bf7c29c9d124a818f424f,1732965,2018-01-02 2876ceb760c5b37e03ebb3cabbfb25a175e8c3556de89af9dd9941fda183bc79,1840725,2018-01-03 bba35503156eee0aa6ecef7aa76bbe3e6d26791585aac328f895278cd1c09cb2,2819600,2018-01-04 The post [RIG exploit kit campaign gets deep into crypto craze]() appeared first on [Malwarebytes Labs]().

Query Builder