{"id":2038,"date":"2018-02-26T16:06:06","date_gmt":"2018-02-26T16:06:06","guid":{"rendered":"https:\/\/blog.gridinsoft.com\/?p=2038"},"modified":"2022-07-03T20:18:27","modified_gmt":"2022-07-03T20:18:27","slug":"coin-miner-investigation","status":"publish","type":"post","link":"https:\/\/gridinsoft.com\/blogs\/coin-miner-investigation\/","title":{"rendered":"Coin Miner Investigation: When, Why, For What"},"content":{"rendered":"

1. Coin Miner malware gains its popularity<\/h2>\n

Due to rising cost of cryptocurrency recently, Bitcoin particularly (BTC) to 20000 USD, our Analysts Team noticed an increased amount of malicious programs, especially those who focused on the secret mining of cryptocurrency. GridinSoft Anti-malware<\/a> detect them as Trojan.CoinMiner\/Risk.CoinMiner<\/a>.<\/p>\n

For few recent months CoinMiner is one of the top 20 the most popular threats among with Adware, that were super popular once.<\/p>\n

\"Most
Most popular malware families for the last 30 days<\/figcaption><\/figure>\n

Analyzing the dynamics of detection such type of threats, we predict that coinminers will at least keep its positions in the near future, and even get more distribution.<\/p>\n

\"CoinMiner
CoinMiner malware family distribution<\/figcaption><\/figure>\n

2. Coin Miner wanna be WannaCry<\/h2>\n

Cyber-criminals create many complicated ways to infect users\u2019 systems. The most popular method of infection is called Bundled Software.<\/p>\n

While unsuspecting user installs legitimate software, one or several (usually malicious) programs are silently installed alongside. The same method is now actively used by the authors of CoinMiner.<\/p>\n

Often, installed mining programs are copies of utilities for mining xmrig, gplyra, or slightly modified versions. This distribution method is straightforward, but you can only infect one computer per installation. The authors of Trojan.CoinMiner began to look for other ways of infection.<\/p>\n

The unprecedented success of the WannaCry (WannaCrypt) ransomware family showed the authors of malicious software an easy way to infect computers over the network. Moreover, they discovered that most a computer users don\u2019t work on the latest version of Windows OS, which makes them easy money in the hands of skillful cybercriminals.<\/p>\n

Of course, the authors of CoinMiner took advantage of this opportunity. After all, it is enough to infect somehow one computer in the network to distribute the miner to all the others. And this is a noticeable increase in the mining bot-net.<\/p>\n

And that is exactly what happened. Some time ago, all the major antivirus vendors reported using the exploit EnernalBlue in conjunction with the miners. We also noticed the presence of exploits from the hacker group ShadowBrokers in conjunction with CoinMiner on users\u2019 systems. GridinSoft detects such utilities as Virtool.ShadowBrokers.<\/p>\n

\"System
System infected with Trojan.CoinMiner (SecUpdateHost.exe) along with EternalBlue exploit (spoolsv.exe)<\/figcaption><\/figure>\n
\"SecUpdateHost.exe
SecUpdateHost.exe detections on virustotal.com<\/figcaption><\/figure>\n

Link for the full report<\/a><\/p>\n

\"spoolsv.exe
spoolsv.exe detections on virustotal.com<\/figcaption><\/figure>\n

Let’s remind you that the exploit EnernalBlue allows you to remotely execute code in kernel mode on a networked computer using vulnerabilities in the SMB v1 protocol. Together with the latest Windows updates, Microsoft forcibly turns off this protocol.<\/p>\n

\"Microsoft
Microsoft disables SMBv1<\/figcaption><\/figure>\n

3. Coin Miner software bundled with your browser. Really?<\/h2>\n

Our analysts analyze the state of users’ systems daily to identify new threats. This time, during the research, a suspicious file was found in the browser WebFreer. We made further analysis that you can find below.<\/p>\n

\"Suspicious
Suspicious file found along with WebFreer browser<\/figcaption><\/figure>\n

The browser has its official website (hXXps:\/\/www.webfreer.com), where WebFreer is advertised as a safe, convenient and fast browser.<\/p>\n

\"Official
Official WebFreer web site<\/figcaption><\/figure>\n

Let\u2019s look on the site in details. Specifically – at the home page code.<\/p>\n

\"Oops!
Oops! We got Monero miner<\/figcaption><\/figure>\n

Indeed, the page’s code is worth a look. On the main page of the WebFreer website, a 3malicious script is built-in that executes the cryptocurrency mining when your browser is just open. The latest versions of popular browsers block content that is sent from unsafe HTTP protocol, so in our case, the script was blocked by the Chrome browser. If you are using an older browser version, you may be at risk.<\/p>\n

By clicking on the download button, the WebFreer installer starts downloading. The file named WebFreer_Setup_1.3.2.0 is an NSIS installer of 53.7 MB size. Interestingly, the file is not signed by any digital signature, making it impossible to verify its authenticity. So, anyone who has access to WebFreer servers can modify the browser without users’ notice.<\/p>\n

\"Setup
Setup file is not digitally signed<\/figcaption><\/figure>\n

Downloaded version 1.3.2.0 is the latest one at the moment. The installation process is standard.<\/p>\n