Evil clone to attack users: how cybercrooks use legitimate software to spread cryptominers


Cryptomining has become today's gold rush, and cybercriminals have joined it. They keep inventing more cunning tricks to infect users' machines and make them mine cryptocurrency for the attackers' profit. The campaign recently detected by Comodo specialists is a striking illustration. To infect users all over the world, the attackers used a legitimate application's installer, a replicated server and… well, let's not jump ahead but walk through the whole attack chain from beginning to end.

Here is PDFescape. Many people use it to edit, annotate or fill in forms in PDF files; it is quite likely that you have used it or a similar program yourself.

Of course, it is legitimate and safe … or at least it was, until a cybercriminal had the idea of using it to spread malware.

What is especially interesting is that the attackers did not merely try to mimic PDFescape. They went further and created an evil clone of it.

Just consider the attack's scope: the perpetrators recreated the software partner's infrastructure on a server under their control. Then they copied all the MSI files (Windows installer packages) and placed them on that server. The cloned software was an exact replica of the original … except for one small detail: the attackers unpacked and modified one of the MSI files, the Asian font pack, and added a malicious payload containing coinmining code.

This sleight of hand turns the original PDFescape installer into a malicious one.

The modified installer redirects users to the malicious website and downloads the payload, which carries the hidden file.

Notably, the hacked installer no longer carries the original digital signature, something any user can verify from the file's Properties dialog (Digital Signatures tab) or with PowerShell's Get-AuthenticodeSignature cmdlet before running a downloaded installer.

But how exactly does this malware do harm? Let's see.

Dynamic Analysis

When a victim installs this pdfescape-desktop-Asian-and-extended-font-pack, the malicious binary xbox-service.exe is dropped into the Windows System32 folder and executes the malicious DLL through rundll32. The DLL hides in the Windows folder disguised as setup.log, a name that looks like an innocuous installer log rather than a library.

Here is the process flow.

The pdfescape-desktop-Asian-and-extended-font-pack.msi is installed by the command line "C:\Windows\System32\msiexec.exe" /i:


Then the installer drops xbox-service.exe into the System32 folder.

The dropped xbox-service.exe then runs as a service:


Then it runs the malicious DLL, named setup.log, under rundll32 with the command line:

rundll32 C:\Windows\System32\setup.log.dll
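The chain above (msiexec installs the package, a freshly dropped xbox-service.exe runs as a service, and rundll32 loads a "DLL" whose name says setup.log) leaves footprints in process-creation telemetry that are easy to hunt for. The script below is an added example and not code from the Comodo write-up: the EVENTS rows are constructed to mirror the chain the article describes using Sysmon Event ID 1 field names, the benign shell32.dll row is invented for contrast, and EXPECTED_RUNDLL32_PARENTS is an assumed allowlist to tune for your own estate.

```python
"""Hunt for the cloned-installer process chain in process-creation telemetry.

Added example, not code from the Comodo write-up. EVENTS is constructed to mirror
the chain the article describes (field names follow Sysmon Event ID 1); the
shell32.dll row is a benign control. The parent allowlist is an assumption.
"""
import ntpath
import re

# Constructed telemetry; ids 1-3 reproduce the article's chain, id 4 is benign.
EVENTS = [
    {"id": 1, "Image": r"C:\Windows\System32\msiexec.exe",
     "CommandLine": r'"C:\Windows\System32\msiexec.exe" /i pdfescape-desktop-Asian-and-extended-font-pack.msi',
     "ParentImage": r"C:\Users\victim\Downloads\pdfescape-desktop-installer.exe"},
    {"id": 2, "Image": r"C:\Windows\System32\xbox-service.exe",
     "CommandLine": r"C:\Windows\System32\xbox-service.exe",
     "ParentImage": r"C:\Windows\System32\services.exe"},
    {"id": 3, "Image": r"C:\Windows\System32\rundll32.exe",
     "CommandLine": r"rundll32 C:\Windows\System32\setup.log.dll",
     "ParentImage": r"C:\Windows\System32\xbox-service.exe"},
    {"id": 4, "Image": r"C:\Windows\System32\rundll32.exe",
     "CommandLine": r'"C:\Windows\System32\rundll32.exe" C:\Windows\System32\shell32.dll,Control_RunDLL',
     "ParentImage": r"C:\Windows\explorer.exe"},
]

# Assumed allowlist of processes that ordinarily spawn rundll32; tune per estate.
EXPECTED_RUNDLL32_PARENTS = {"explorer.exe", "svchost.exe", "cmd.exe",
                             "powershell.exe", "msiexec.exe", "services.exe"}


def split_cmdline(cmdline):
    """Split a Windows command line on whitespace, keeping quoted paths whole."""
    return [tok.strip('"') for tok in re.findall(r'"[^"]*"|\S+', cmdline)]


def rundll32_module(cmdline):
    """The module rundll32 was asked to load, with any ',EntryPoint' suffix dropped."""
    tokens = split_cmdline(cmdline)
    return tokens[1].split(",", 1)[0] if len(tokens) > 1 else ""


def hunt(events):
    """Flag rundll32 launches whose module is not a plain *.dll (setup.log or
    setup.log.dll both trip this) or whose parent is not an expected launcher.
    Returns (event id, rule name, detail) tuples."""
    findings = []
    for ev in events:
        if ntpath.basename(ev["Image"]).lower() != "rundll32.exe":
            continue
        module = ntpath.basename(rundll32_module(ev["CommandLine"]))
        stem, ext = ntpath.splitext(module)
        # A double extension (setup.log.dll) or a non-.dll extension (setup.log)
        # is the masquerade the article describes.
        if ext.lower() != ".dll" or ntpath.splitext(stem)[1]:
            findings.append((ev["id"], "rundll32_module_masquerade", module))
        parent = ntpath.basename(ev["ParentImage"]).lower()
        if parent not in EXPECTED_RUNDLL32_PARENTS:
            findings.append((ev["id"], "rundll32_unexpected_parent", parent))
    return findings


if __name__ == "__main__":
    for event_id, rule, detail in hunt(EVENTS):
        print(f"event {event_id}: {rule} ({detail})")
```

Both rules fire only on event 3, the rundll32 launched by xbox-service.exe against setup.log.dll; the allowlist rule is the noisier of the two and is the one to baseline before deploying.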

Static Analysis

The modified MSI embeds a malicious DLL. This DLL, in turn, carries two executable files in its resource section.

From these, the DLL drops and runs the malicious process xbox-service.exe.

Another interesting aspect of the DLL payload is that, during the installation stage, it tries to modify the Windows HOSTS file to stop the infected machine from reaching the update servers of various PDF-related applications and security products. In this way the malware tries to prevent remote cleanup and remediation of affected machines. Because HOSTS entries override DNS and survive reboots and network changes, a sudden burst of failed updates across several products is a good reason to inspect C:\Windows\System32\drivers\etc\hosts.

The HOSTS file as modified by the malicious DLL
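A HOSTS file tampered with in this way is easy to audit mechanically. The script below is an added example, not part of the Comodo write-up: the article does not list which domains the DLL blocked, so CONSTRUCTED_HOSTS, the .example domains on the watchlist and the TEST-NET address 203.0.113.7 are all placeholders. It flags two things: any non-default name pointed at a sink address (loopback or 0.0.0.0), and any watched updater domain pointed anywhere else, which would indicate a hijack to an attacker-controlled host rather than a simple block.

```python
"""Audit a Windows HOSTS file for blackholed or hijacked update/security domains.

Added example, not code from the Comodo write-up. The hosts content and the
watchlist domains are constructed placeholders (.example TLD, TEST-NET address).
"""
import ipaddress

# Addresses that silently swallow traffic when a name is pointed at them.
SINK_ADDRESSES = {"127.0.0.1", "0.0.0.0", "::1"}

# Names that legitimately map to loopback in a stock hosts file.
DEFAULT_LOOPBACK_NAMES = {"localhost", "localhost.localdomain", "broadcasthost",
                          "ip6-localhost", "ip6-loopback"}

# Assumed watchlist of updater domains an admin cares about (hypothetical).
WATCHLIST = ("pdfvendor.example", "avvendor.example")

# Constructed hosts file: stock header plus three lines mimicking the tampering.
CONSTRUCTED_HOSTS = """\
# Copyright (c) 1993-2009 Microsoft Corp.
# This is a sample HOSTS file used by Microsoft TCP/IP for Windows.
127.0.0.1       localhost
::1             localhost
# --- lines below are constructed to mimic the DLL's tampering ---
127.0.0.1       update.pdfvendor.example
0.0.0.0         liveupdate.avvendor.example   # blackholed
203.0.113.7     download.pdfvendor.example    # hijacked to attacker host
"""


def parse_hosts(text):
    """Yield (line_number, address, hostname) for every mapping, ignoring comments."""
    for lineno, raw in enumerate(text.splitlines(), 1):
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        fields = line.split()
        try:
            addr = str(ipaddress.ip_address(fields[0]))
        except ValueError:
            continue  # malformed line, not a mapping
        for name in fields[1:]:
            yield lineno, addr, name.lower()


def audit_hosts(text, watchlist=WATCHLIST):
    """Return findings for names sinkholed to loopback/0.0.0.0 and for watched
    names redirected to any other address (a hijack rather than a block)."""
    findings = []
    for lineno, addr, name in parse_hosts(text):
        watched = any(name == d or name.endswith("." + d) for d in watchlist)
        if addr in SINK_ADDRESSES and name not in DEFAULT_LOOPBACK_NAMES:
            findings.append({"line": lineno, "host": name, "addr": addr, "issue": "sinkholed"})
        elif watched:
            findings.append({"line": lineno, "host": name, "addr": addr, "issue": "hijacked"})
    return findings


if __name__ == "__main__":
    # On a live system: audit_hosts(open(r"C:\Windows\System32\drivers\etc\hosts").read())
    for f in audit_hosts(CONSTRUCTED_HOSTS):
        print(f"line {f['line']}: {f['host']} -> {f['addr']} ({f['issue']})")
```

The sinkhole rule needs no prior knowledge of the victim's software, which makes it the more portable check; the hijack rule is only as good as the watchlist you maintain.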

And finally, inside the DLL we found the main evil: a malicious browser script. The script contains an embedded link to http://carma666.byethost12.com/32.html

Let’s follow the link and see where it goes:

As is now clear, it loads the JavaScript of the CoinHive coinminer, which criminals covertly plant on hosts around the world. You can find more details in the Comodo Q1 2018 and Q2 2018 Global Threat Reports.
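Two of the static findings above, the executables carried in the DLL's resources and the browser script with its embedded link, are exactly what a first-pass triage of the DLL should surface. The script below is an added example, not code from the Comodo write-up: SAMPLE_DLL is a constructed blob (a minimal MZ/PE stub wrapping an ASCII script tag that carries the URL the article names, a UTF-16LE string with an assumed CoinHive API call, and two nested PE stubs standing in for the two resource executables), and MINER_MARKERS is an assumed indicator list. It pulls out ASCII and UTF-16LE strings, the URLs inside them, miner indicators, and every nested MZ header whose e_lfanew lands on a valid PE signature.

```python
"""Triage a DLL blob: embedded URLs, miner indicators and nested PE files.

Added example, not code from the Comodo write-up. SAMPLE_DLL and MINER_MARKERS
are constructed/assumed; only the carma666 URL comes from the article.
"""
import re
import struct

ASCII_RE = re.compile(rb"[\x20-\x7e]{6,}")           # 6+ printable ASCII bytes
UTF16_RE = re.compile(rb"(?:[\x20-\x7e]\x00){6,}")   # UTF-16LE printable runs
URL_RE = re.compile(r"https?://[\w.-]+(?::\d+)?(?:/[\w./%?=&-]*)?", re.I)
MINER_MARKERS = ("coinhive", "CoinHive.Anonymous", "cryptonight")  # assumed


def fake_pe(body):
    """Constructed minimal PE: e_lfanew at 0x3c points to 'PE\\0\\0' at 0x40."""
    return b"MZ" + b"\x00" * 58 + struct.pack("<I", 0x40) + b"PE\x00\x00" + body


# Constructed sample: container PE holding the script tag, a UTF-16 API call,
# and two nested PE stubs standing in for the resource executables.
SAMPLE_DLL = fake_pe(
    b"\x00" * 16
    + b'<script src="http://carma666.byethost12.com/32.html"></script>\x00\x00'
    + "new CoinHive.Anonymous('SITEKEY')".encode("utf-16-le") + b"\x00\x00"
    + fake_pe(b"first resource: xbox-service.exe stand-in (constructed)\x00")
    + fake_pe(b"second resource stand-in (constructed)\x00")
)


def extract_strings(blob):
    """ASCII and UTF-16LE printable runs, as `strings` with both encodings would list."""
    found = [m.group().decode("ascii") for m in ASCII_RE.finditer(blob)]
    found += [m.group().decode("utf-16-le") for m in UTF16_RE.finditer(blob)]
    return found


def find_embedded_pe(blob):
    """Offsets of every 'MZ' whose e_lfanew field lands on a 'PE\\0\\0' signature."""
    hits, pos = [], blob.find(b"MZ")
    while pos != -1:
        if pos + 0x40 <= len(blob):
            e_lfanew = struct.unpack_from("<I", blob, pos + 0x3c)[0]
            if blob[pos + e_lfanew:pos + e_lfanew + 4] == b"PE\x00\x00":
                hits.append(pos)
        pos = blob.find(b"MZ", pos + 1)
    return hits


def triage(blob):
    """URLs, miner markers and nested PE offsets (offset 0 is the container itself)."""
    strings = extract_strings(blob)
    urls = sorted({u for s in strings for u in URL_RE.findall(s)})
    markers = sorted({m for s in strings for m in MINER_MARKERS if m.lower() in s.lower()})
    nested = [off for off in find_embedded_pe(blob) if off > 0]
    return {"urls": urls, "miner_markers": markers, "embedded_pe": nested}


if __name__ == "__main__":
    for key, value in triage(SAMPLE_DLL).items():
        print(f"{key}: {value}")
```

Scanning UTF-16LE as well as ASCII matters on Windows binaries, where resource strings and script fragments are often stored wide; an ASCII-only pass would have missed the CoinHive call in this sample. For a real DLL, the nested-PE offsets are the starting point for carving the resource executables out for their own analysis.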

So all that fuss was just to infect users with a cryptominer?! Yes, that's right. And it reminds us that we should not take this kind of malware lightly.

“As we mentioned in the Comodo Q1 2018 and Q2 2018 Global Threat Reports, cryptominers remain one of the most dangerous threats in the cybersecurity space,” comments Fatih Orhan, Head of Comodo Threat Research Labs. “Some people consider cryptominers a not-so-serious threat because they do not steal information or encrypt users’ files, but this mistake can be very costly for them in reality. Cryptominers are turning into sophisticated malware that can crash users’ systems or capture all the IT resources of an infected enterprise and make them work only for mining cryptocurrency for cybercriminals. Thus, financial losses from a cryptominer attack can be as devastating as those from other malware types. Cryptominers will continue to become more and more devious, with their dangerous abilities growing. And the story of the modified installer detected by our analysts is clear evidence of it.”

According to Comodo's statistics, this malicious file hit 12,810 users in 100 countries around the world. Below are the ten most affected countries:

[Chart: top ten affected countries]

Overall, from April to August 2018, Comodo specialists detected 146,309 JavaScript-based coinminers with unique SHA hashes.

Live secure with Comodo!

The post Evil clone to attack users: how cybercrooks use legitimate software to spread cryptominers appeared first on Comodo News and Internet Security Information.
