SonicWALL Inc.
04/30/2024 | Press release | Distributed by Public on 05/01/2024 09:56
Fake Windows Explorer Installs a Crypto Miner
Overview
This week the SonicWall Capture Labs threat research team came across a sample purporting to be Windows Explorer. At a glance, everything checks out - it uses the legitimate Windows Explorer icon and the file properties say Microsoft - but, once executed, it installs and runs a crypto miner.
Infection Cycle
The sample arrives as a Windows executable file using the following icon and bearing these file properties:
Figure 1: Malware installer's file properties showing Windows Explorer from Microsoft
Upon execution, it drops malicious files in the /Windows/Fonts/ directory, including the main crypto miner file, a batch file containing malicious commands to start the mining process, and two registry files whose registry subkeys and values will later be inserted into the system registry using regedit.exe.
- svchost.exe
- 1.bat
- server.reg
- restart.reg
It then spawns the Windows command interpreter to execute the batch file.
Figure 2: Cmd is used to run 1.bat
Simultaneoulsy, it also runs the attrib command to set attributes of the entire %fonts% directory as a read-only (+r) and archive (+a).
Figure 3: The malicious Explorer.exe will run the attrib command to change attributes of the Fonts directory
Meanwhile, the 1.bat file contains the following commands:
Figure 3A: Commands
The command installs and runs a crypto miner using the specified mining pool address, port and xmr wallet. It then installs the contents of the two .reg files using regedit.exe. Next, it deletes these registry files and proceeds to change the attributes of several component files.
Figures 4 and 5 show the contents of the reg files which were imported into the system registry.
Figure 4: Contents of server.reg
Figure 5: Contents of restart.reg
Our static analysis revealed another mining configuration that uses a different mining pool address, port and xmr wallet which we did not observe being used during runtime.
Figure 6: Alternate mining pool address and xmr wallet that may be used by this malware
SonicWall Protections
SonicWall Capture Labs provides protection against this threat via the following signature:
- GAV: Miner.XMR_1 (Trojan)
This threat is also detected by SonicWall Capture ATP w/RTDMI and Capture Client endpoint solutions.
The SonicWall Capture Labs Threat Research Team gathers, analyzes and vets cross-vector threat information from the SonicWall Capture Threat network, consisting of global devices and resources, including more than 1 million security sensors in nearly 200 countries and territories. The research team identifies, analyzes, and mitigates critical vulnerabilities and malware daily through in-depth research, which drives protection for all SonicWall customers. In addition to safeguarding networks globally, the research team supports the larger threat intelligence community by releasing weekly deep technical analyses of the most critical threats to small businesses, providing critical knowledge that defenders need to protect their networks.