{"id":26391,"date":"2024-09-20T12:35:07","date_gmt":"2024-09-20T12:35:07","guid":{"rendered":"https:\/\/gridinsoft.com\/blogs\/?p=26391"},"modified":"2024-09-20T20:08:35","modified_gmt":"2024-09-20T20:08:35","slug":"altisik-service-virus","status":"publish","type":"post","link":"https:\/\/gridinsoft.com\/blogs\/altisik-service-virus\/","title":{"rendered":"Altisik Service Virus Analysis & Removal"},"content":{"rendered":"

Altisik Service<\/strong> is a malicious coin miner that usually installs and runs on the target system without the explicit consent of the PC owner. It disguises itself as a Windows service, which makes it difficult to stop or remove. Let\u2019s have a closer look at how this malware operates and how to delete it from the system.<\/p>\n

Altisik Service Overview<\/h2>\n

Altisik Service is a malicious coin miner<\/a> masquerading as a legitimate Windows process. It is used for hidden illegal cryptocurrency mining, thereby creating a significant load on the processor (up to 80% or 100%). However, this miner differs in one key aspect – it registers itself in the system as a service<\/strong>. As a result, hackers ensure their malware’s increased sustainability. Attempts to manually stop or delete the service can lead to critical system failures, potentially causing a \u201cblue screen of death\u201d.<\/p>\n

\"Altisik
Altisik Service in the Task Manager<\/figcaption><\/figure>\n

Attackers choose the form of a service for their malware not only for the sake of sustainability. Unlike executable files, services are suspected of malicious activity much less often, simply because users trust them more. Also, Windows services can get higher privileges much more easily<\/strong>, and with less suspicion from security software.<\/p>\n

As for the distribution method, users on Reddit report<\/a> receiving Altisik as an unwanted “bonus” with other software. Miners generally enter systems disguised as bundled software within installers of cracked programs<\/a>. Another method is through additional malware already present on the computer: vast loader malware botnets<\/strong> can offer huge gains for the operators of malicious coin miners.<\/p>\n

Altisik Analysis<\/h2>\n

Upon execution, Altisik checks for virtual environments and security mechanisms by accessing specific system files and registry keys related to .NET configurations and GPU settings. It pays special attention to Windows Defender settings, especially those concerning real-time protection, by examining related directories and registry entries to potentially disable or bypass these security features. To evade detection, the malware employs stalling tactics with long periods of inactivity, aiming to hinder dynamic analysis and circumvent antivirus sandboxes that might report the file as safe due to lack of immediate activity. These strategies enable Altisik to stealthily operate on infected systems, mining cryptocurrency without user awareness.<\/p>\n

Let\u2019s have a closer look at the behavior of the Altisik miner. At the beginning, it is rather typical for a coin miner: upon launching itself, Altisik initially checks for a virtual environment and security mechanisms. Specifically, it checks the following locations:<\/p>\n

C:\\Windows\\Microsoft.NET\\Framework64\\v4.0.30319\\Config\\machine.config
\nHKEY_CURRENT_USER\\Software\\Microsoft\\Direct3D\\Drivers
\nHKEY_CURRENT_USER\\Software\\Microsoft\\DirectX\\UserGpuPreferences<\/code><\/p>\n

Further, it pays special attention to Windows Defender settings<\/strong>, specifically ones that touch real-time protection. The malware checks the following system sections.<\/p>\n

C:\\Program Files\\Windows Defender
\nHKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows Defender\\PassiveMode
\nHKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows Defender\\Real-Time Protection
\nHKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows Defender\\Real-Time Protection\\DisableRealtimeMonitoring
\nHKEY_LOCAL_MACHINE\\SOFTWARE\\Policies\\Microsoft\\Windows Defender\\Real-Time Protection<\/code><\/p>\n

The sample employs stalling tactics, including long periods of inactivity, to hinder dynamic analysis. This also helps with circumventing some of the antivirus sandboxes: seeing no activity, one will report that the file is safe.<\/p>\n

Persistence and Privilege Escalation<\/h3>\n

Altisik miner achieves persistence and elevates its privileges by installing itself as a system service. It executes specific shell commands to run helper processes like AltisikHelper.exe<\/strong> and AltisikHelper.dll<\/strong>, which are designed to prevent users from manually terminating the mining activity. Furthermore, the Altisik creates a DirectInput object<\/strong> to read keystrokes, indicating it captures user input. While it is unlikely that Altisik functions as a keylogger, this input capturing could be used for other purposes, such as monitoring user activity to avoid detection or interference.<\/p>\n

Let’s look closer: The miner maintains persistence in the system as a service, which grants it elevated privileges. It executes the following shell commands:<\/p>\n

\"C:\\Windows\\system32\\rundll32.exe\" \"C:\\Users\\\\AppData\\Local\\Temp\\AltisikDevPL\/AltisikHelper.dll\",#1
\nC:\\Windows\\system32\\SecurityHealthService.exe
\nC:\\Windows\\system32\\WerFault.exe -u -p 4328 -s 548
\nC:\\Windows\\system32\\wbem\\wmiprvse.exe -secured -Embedding<\/code><\/p>\n

The AltisikHelper.exe and AltisikHelper.dll processes needed to prevent the user from manually stopping the mining process. Further analysis revealed that the miner creates a DirectInput object, which allows it to read keystrokes. It is unlikely that the Altisik miner can act as a keylogger, but there are quite a few other applications for input capturing.<\/p>\n

Network Communication <\/h3>\n

Altisik uses network communication to send and receive data necessary for its mining operations. The miner communicates with the api.altruistics.org<\/strong> server, likely used for monitoring, control, or data transmission. This may include the miner’s status, statistics, or other mining-related parameters. The response is in text\/html format, indicating that the server is returning a web page or text-based data. It also uses Cloudflare DNS 104.18.7.80<\/strong> and 104.18.6.80<\/strong>, potentially complicating traffic analysis.<\/p>\n

How To Remove Altisik?<\/h2>\n

To get rid of Altisik service, I recommend using GridinSoft Anti-Malware<\/strong> \u2013 an effective and easy-to-use antivirus, that will quickly repel any threats present in the system. Though first, I would recommend entering Safe Mode with Networking: go to the Start<\/strong> menu \u2192 click Reboot while holding down the Shift button<\/strong> on the keyboard.<\/p>\n

\"Press<\/p>\n

When your PC reboots, in the menu that appears after restarting, select \u201cTroubleshoot\u201d \u2192 \u201cAdvanced options\u201d \u2192 \u201cStartup Settings\u201d \u2192 \u201cRestart\u201d.<\/p>\n

\"Advanced<\/p>\n

Next, select the Safe Mode with Networking and press the corresponding key (usually F5, though it may vary depending on your Windows version).<\/p>\n

\"Startup<\/p>\n

Hint: If you have any problems with switching to Safe Mode, please read our guide: How to Remove a Virus From a Computer in Safe Mode<\/a>.<\/p>\n

After switching to the Safe Mode with Networking, follow the steps below:<\/p>\n\"GridinSoft\n

Download and install Anti-Malware by clicking the button below. After the installation, run a Full scan: this will check all the volumes present in the system, including hidden folders and system files. Scanning will take around 15 minutes.<\/p>\n

Download Anti-Malware<\/a><\/div>\n

After the scan, you will see the list of detected malicious and unwanted elements. It is possible to adjust the actions that the antimalware program does to each element: click \"Advanced mode\" and see the options in the drop-down menus. You can also see extended information about each detection - malware type, effects and potential source of infection.<\/p>\n\"Scan\n

Click \"Clean Now\" to start the removal process. Important: removal process may take several minutes when there are a lot of detections. Do not interrupt this process, and you will get your system as clean as new.<\/p>\n\"Removal\n","protected":false},"excerpt":{"rendered":"

Altisik Service is a malicious coin miner that usually installs and runs on the target system without the explicit consent of the PC owner. It disguises itself as a Windows service, which makes it difficult to stop or remove. Let\u2019s have a closer look at how this malware operates and how to delete it from […]<\/p>\n","protected":false},"author":7,"featured_media":26407,"comment_status":"open","ping_status":"open","sticky":false,"template":"","format":"standard","meta":{"content-type":"","_sitemap_exclude":false,"_sitemap_priority":"","_sitemap_frequency":"","footnotes":""},"categories":[17],"tags":[23,28],"class_list":{"0":"post-26391","1":"post","2":"type-post","3":"status-publish","4":"format-standard","5":"has-post-thumbnail","7":"category-labs","8":"tag-coin-miner","9":"tag-malware"},"featured_image_src":"https:\/\/gridinsoft.com\/blogs\/wp-content\/uploads\/2024\/08\/What-is-Altisik-Service.webp","author_info":{"display_name":"Stephanie Adlam","author_link":"https:\/\/gridinsoft.com\/blogs\/author\/adlam\/"},"_links":{"self":[{"href":"https:\/\/gridinsoft.com\/blogs\/wp-json\/wp\/v2\/posts\/26391","targetHints":{"allow":["GET"]}}],"collection":[{"href":"https:\/\/gridinsoft.com\/blogs\/wp-json\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/gridinsoft.com\/blogs\/wp-json\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"https:\/\/gridinsoft.com\/blogs\/wp-json\/wp\/v2\/users\/7"}],"replies":[{"embeddable":true,"href":"https:\/\/gridinsoft.com\/blogs\/wp-json\/wp\/v2\/comments?post=26391"}],"version-history":[{"count":23,"href":"https:\/\/gridinsoft.com\/blogs\/wp-json\/wp\/v2\/posts\/26391\/revisions"}],"predecessor-version":[{"id":27160,"href":"https:\/\/gridinsoft.com\/blogs\/wp-json\/wp\/v2\/posts\/26391\/revisions\/27160"}],"wp:featuredmedia":[{"embeddable":true,"href":"https:\/\/gridinsoft.com\/blogs\/wp-json\/wp\/v2\/media\/26407"}],"wp:attachment":[{"href":"https:\/\/gridinsoft.com\/blogs\/wp-json\/wp\/v2\/media?parent=26391"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/gridinsoft.com\/blogs\/wp-json\/wp\/v2\/categories?post=26391"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/gridinsoft.com\/blogs\/wp-json\/wp\/v2\/tags?post=26391"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}