Recently we at K7 Labs came across a new strain of malware which abuses PowerShell and publicly available source code with an intent to drop a payload of a Monero Miner on the victim’s system/network. Digging further, we found the PowerShell scripts used in the attack were hosted on GitHub, which the threat actor had downloaded and strung together to carry out the attack.

In this blog we describe how this crypto-miner ends up on a user system, and also give details about how users/enterprises can protect themselves from these kinds of threats.

Without further ado, let’s check this malware out.

Upon investigating the system under attack, we noticed a scheduled task as depicted in Figure 1. The task points to a base64-encoded PowerShell script that is supposed to download and execute the malware.

Figure 1: Scheduled task

On execution, the process downloads another base64-encoded PowerShell script which intends to download additional modules, details of which are discussed later in this blog. Figure 2 is an excerpt from the script file:

Figure 2: PowerShell script downloaded by command in scheduled task

Digging into the modules

The PowerShell script downloads four modules onto the infected system with an intent to execute the following tasks:

Module 1:  Propagation, evasion and persistence
Module 2: Reconnaissance (Trojan responsible for retrieving system information from the host)
Module 3: Credential dumping (Python-compiled binary which drops PowerShell implementation of Mimikatz)
Module 4: Payload dropper (PowerShell script which uses reflective injection to inject Miner)

Read on for more technical details on all modules involved in the campaign.

Module 1: Propagation, evasion and persistence

This module intends to propagate by using a dictionary-based attack (trying out a list of weak password combinations) to logon to other systems on the network as depicted in Figure 3. If it succeeds in infiltrating the targeted systems, it sets up a similar scheduled task for persistence as shown earlier in Figure 1. It also changes the firewall and port-forwarding settings.

Figure 3: Remote access to machine and creation of scheduled task

If it fails to sneak onto the systems, the module dumps the password hashes stored in the current host system and authenticates itself to the server by pass-the-hash method (authenticating using the hash of the password rather than the password itself).

It then utilizes the hashes to execute a file sharing operation via SMB using a publicly-downloadable script from Invoke-TheHash on GitHub. The code snippet is depicted in Figure 4 where the function “geth” hints that it is the “gethash” function.

Figure 4: Function to get the password hashes

The file-sharing operations include downloading a file from or uploading a file to a share/sub-directory, deleting a file from the share and listing the share/sub-directory contents. Below is the code snippet responsible for these actions.

Figure 5: File sharing instruction

It also has the ability to use the EternalBlue exploit so that the propagation phase is less failure prone. On successfully gaining access, it drops the following files:

AppData\Roaming\flashplayer.tmp – a PowerShell command (depicted in Figure 6)
AppData\Roaming\sign.txt – used to indicate whether the machine is already infected or not
AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\flashplayer.lnk – persistence for flashplayer.tmp file.
It also deletes the file
AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\run.bat, if it exists, and drops a new file with the same name.

Figure 6: Content of flashplayer.tmp
Figure 7: List of files dropped

The malware checks and updates all dropped components with newer versions, and adds a scheduled task for the same. The newer version of the PowerShell script is nothing but an implementation of a basic obfuscation technique like string reversal, and addition of junk strings and/or symbols to bypass signature-based detections.

This script also checks for AV product(s) installed on the system, gathers information about its MAC address (as depicted in Figure 8) and downloads additional modules.

Figure 8: Gathers information on any AV product installed

The above actions portray the first module’s primary goal: infiltrate as many systems on the network as possible.

Module 2: Reconnaissance

The second module is a binary file and is responsible for retrieving system information. It copies itself to the %AppData% and Startup folders with added junk data in the overlay to increase its size, thereby changing the hash of the file, to evade detection.

The collected information includes computer name, GUID, MAC address, OS version, system architecture (32-bit or 64-bit), graphics memory information, system time and these are sent to a C&C as depicted in Figure 9.

Figure 9: System information being sent to C&C

Module 3: Credential dumping

The third module is a python-compiled executable which drops a PowerShell implementation of Mimikatz. It drops a PowerShell script named m2.ps1 which reflectively injects the Mimikatz binary into either its PowerShell process or any remote process. This is achieved once again by using publicly available source code Invoke-ReflectivePEInjection on Github where the threat actor has added the base64-encoded Mimikatz binary to the code.

Before the code injection, it bypasses AMSI (Microsoft’s Anti-Malware Scan Interface) as depicted in Figure 10 to ensure products subscribing to AMSI callbacks won’t scan the input console.

Figure 10: AMSI bypass
Figure 11: base64 encoded Mimikatz binary for logging passwords

In addition this module also consists of Impacket. For those who are unaware, Impacket is a collection of python classes used for working with network protocols, remote access, lateral movements, etc.

The malware tries to use the same weak password for SQL to access vulnerable server databases, and also scan for vulnerable devices on the network which can be exploited using publicly available code in the exploit database.

Figure 12: Scanning for vulnerability

Module 4: Payload dropper

The final module is a PowerShell script which downloads the actual payload of the Miner as depicted in Figure 13, but it never gets stored as a file on disk. Instead, it gets injected into the PowerShell process and gets executed. It also creates a scheduled task for persistence.

Figure 13: PowerShell script to download CoinMiner
Figure 14: Miner payload execution

This sophisticated attack highlights the necessity of securing not only individual systems but the entire network, and keeping it free of known vulnerabilities or security issues. Unlike other cyber attacks, this attack was executed using publicly available source code, research documentation and tools. The simplicity of this might well encourage other cybercriminals to launch similar insidious attacks in future.

Security best practices to mitigate such attacks: 

  • Download and update necessary software patches.
  • Use complex passwords (not to mention changing passwords regularly).
  • Disable PowerShell feature when not needed.
  • Do not open any email attachment that looks suspicious or that you weren’t expecting.
  • Install robust and fast-acting security software which provide multi-layered detection, such as K7 Security products.

Indicators of Compromise

Malware ComponentHashK7 Detection Name
cert.ps1 (Module 1)
Trojan ( 0001140e1 )
64-bit Mimikatz
Trojan ( 004dd3fa1 )
32-bit Mimikatz
Riskware ( 004dc6a21 )
Trojan ( 0054c9911 )
Collect system information
Riskware ( 0040eff71 )
Trojan ( 0001140e1 )
Python-compiled binary for Mimikatz
Trojan ( 00548cd51 )
PowerShell script to download Miner
Trojan ( 0001140e1 )

• hxxp://lp[.]abbny[.]com
• hxxp://lp[.]beahh[.]com
• hxxp://lp[.]haqo[.]net
• hxxp://v[.]beahh[.]com/wm?hp
• hxxp://d[.]beahh[.]com/update.png?p=11
• hxxp://v[.]y6h[.]net/g?h
• hxxp://down[.]beahh[.]com/newol.dat

The above URLs are actively blocked by K7 Safe Surf.

Like what you're reading? Subscribe to our top stories.

If you want to subscribe to our monthly newsletter, please submit the form below.

    0 replies on “A Major Miner Menace – Story of a Miner Delivered by Weaponizing Publicly Available Code”