Attackers sometimes resort to quite unusual techniques to deliver malware to victims’ devices and stay on them for as long as they can. In a recent campaign starting in 2022, unknown malicious actors have been trying to mine cryptocurrency on victims’ devices without user consent; they have spent large amounts of resources on distribution, but, more importantly, have used multiple unusual vectors for defense evasion and persistence. The most interesting aspect of this attack was the use of unusual techniques such as a SIEM agent as a backdoor, a malicious payload embedded in a legitimate digital signature, and hidden directories containing the malicious files. Even though the attackers’ main goal is to profit by stealthily mining cryptocurrency, some variants of the malware can perform additional malicious activity, such as replacing cryptocurrency wallets in the clipboard and taking screenshots.

The attackers distributed the malicious files through websites offering popular software (uTorrent, Microsoft Office, Minecraft, etc.) for free. Users would see these malicious sites in the top results when searching for resources freely distributing popular software like uTorrent, MS Excel, MS Word, Minecraft, Discord and so on. The attackers also run multiple Telegram channels distributing the malware in question; these channels target crypto investors, and further links were placed in descriptions and comments on YouTube videos about cryptocurrency, cheats and gambling. Some of these links redirected users immediately to malicious websites, while others led to the aforementioned Telegram channels. It is important to mention that the websites, videos, and Telegram channels created by the attackers primarily target users seeking free versions of popular software or videogame cheats.

After visiting the attackers’ website or channel, users might download a ZIP file falsely advertised as popular software. In many cases, the instructions and the archive password are also provided on the websites and channels from which the user downloaded the malicious archive. The archive holds two files: a legitimate AutoIt interpreter and a legitimate dynamic library with a valid digital signature. What makes this attack stand out is the bypass of signature verification, which lets the payload-bearing file appear legitimate. First, the A3X script is added to the signature in such a way that its validity remains intact and the whole file is still considered signed, even with the payload inside. Second, when the interpreter loads a file, it scans it for a specific AutoIt signature that is present only in compiled scripts, and all other contents of the file are ignored. This behavior allows the attackers to hide their malicious payload anywhere in the file where it won’t be harmful to the container itself. Such a malicious addition is almost impossible to detect without file content analysis.

The malicious payload is an A3X script compiled into an EXE file and injected directly into the second DLL file’s signature. Before compilation, the call that installs the bundled files simply copies a file from its source path to its destination, but during compilation the interpreter stores the files to be installed right inside the compiled script. The resulting file therefore contains not only the executable code itself, but also additional malicious files that are installed directly from the implant. This script launches a BAT file that extracts the next element of the attack chain from an encrypted archive. The BAT file, run from autorun, extracts the encrypted RAR archive and runs the “start” command with the two DLL files previously extracted from the archive as arguments. If the “start” command fails, the BAT file removes the entire directory with the installed files, including itself. The next stage of the infection chain consists of two DLL files that use the same technique as the first stage: a legitimate AutoIt interpreter and another A3X implant located in the signature of the legitimate dynamic library.

After installing all the necessary files, the implant establishes persistence using WMI by creating filters that are activated by common events, common enough to guarantee filter activation. Persistence is established not only through WMI; the implant also directly starts netcat, the “nun.bat” files, and the “start” command. After that, it also abuses the registry keys “Image File Execution Options”, “Debugger” and “MonitorProcess” with the same goals. In addition, using the icacls utility, the implant forbids all users across all domains to remove its folders, change their permissions, take ownership of them, add any files or subdirectories, write any attributes (including extended ones) to them, or remove files from them. All these methods are applied again, for better persistence, by launching the “insta.bat” file right before the end of the A3X implant’s execution. To ensure that the attackers can execute any arbitrary command on the victim’s device, the “remote_commands” option is set during the agent installation. As a result of this multistage infection chain, the attackers can establish persistence on users’ systems in multiple ways, gaining full access.

Aside from its main purpose of generating cryptocurrency, SilentCryptoMiner can also hide its own activity from the processes specified in the “stealth-targets” argument and stop processes listed in the “kill-targets” process name list. We have also seen some of the malware variants sending a screenshot of the user’s desktop or installing a malicious browser extension that may replace cryptocurrency wallets in the clipboard.

Most of the attacks with this infection chain targeted Russian users (87.63%). The other countries in the top ten by number of affected users were Belarus, India, Uzbekistan, Kazakhstan, Germany, Algeria, Czech Republic, Mozambique, and Turkey.
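The signature-hiding technique described above works because Authenticode hashes every part of a PE file except its certificate table, so bytes appended after the real PKCS#7 blob never break verification; the file-content check a defender needs is the same kind of scan the AutoIt interpreter performs. The following Python is an added example written for this page (not code from the original report or from the malware): it locates a PE file's certificate table, measures how many bytes sit outside the DER-encoded signature, and looks for the compiled-AutoIt marker there. The `AU3!EA06` marker constant and the toy PE builder used as sample input are assumptions constructed for the demo.

```python
import struct

AU3_MAGIC = b"AU3!EA06"  # marker carried by compiled AutoIt3 scripts (assumed constant)

def security_directory(pe: bytes):
    """Return (offset, size) of the Authenticode certificate table, or None if unsigned."""
    if pe[:2] != b"MZ":
        raise ValueError("not a PE file")
    e_lfanew = struct.unpack_from("<I", pe, 0x3C)[0]
    if pe[e_lfanew:e_lfanew + 4] != b"PE\0\0":
        raise ValueError("missing NT header")
    opt = e_lfanew + 24                                   # optional header after the 20-byte file header
    magic = struct.unpack_from("<H", pe, opt)[0]
    dirs = opt + (96 if magic == 0x10B else 112)          # data directory table: PE32 vs PE32+
    off, size = struct.unpack_from("<II", pe, dirs + 4 * 8)  # entry 4 = IMAGE_DIRECTORY_ENTRY_SECURITY
    return (off, size) if off and size else None

def der_length(blob: bytes) -> int:
    """Length of the outer DER SEQUENCE (the PKCS#7 SignedData) starting at blob[0]."""
    if not blob or blob[0] != 0x30:
        raise ValueError("certificate entry is not a DER SEQUENCE")
    first = blob[1]
    if first < 0x80:
        return 2 + first
    n = first & 0x7F                                      # long form: n length bytes follow
    return 2 + n + int.from_bytes(blob[2:2 + n], "big")

def inspect_signature_overlay(pe: bytes) -> dict:
    """Report bytes in the certificate table that lie outside the PKCS#7 blob.
    Authenticode does not hash the certificate table, so they never break the signature."""
    sec = security_directory(pe)
    if sec is None:
        return {"signed": False, "slack_bytes": 0, "au3_marker": False}
    off, size = sec
    table = pe[off:off + size]
    length, _rev, _ctype = struct.unpack_from("<IHH", table, 0)   # WIN_CERTIFICATE header
    pkcs7 = table[8:length]
    slack = len(pkcs7) - der_length(pkcs7)
    return {"signed": True, "slack_bytes": slack, "au3_marker": AU3_MAGIC in table}

def build_sample(appended: bytes) -> bytes:
    """Constructed toy PE32 (not a real signed binary) with a dummy DER blob plus `appended`."""
    dos = b"MZ" + b"\0" * 58 + struct.pack("<I", 64)                     # e_lfanew = 64
    file_hdr = struct.pack("<HHIIIHH", 0x14C, 0, 0, 0, 0, 224, 0x2102)   # optional header is 224 bytes
    cert_off = 64 + 4 + 20 + 224
    body = b"\x30\x06\x02\x01\x01\x02\x01\x02" + appended                # 8-byte toy SEQUENCE
    cert = struct.pack("<IHH", 8 + len(body), 0x200, 2) + body           # WIN_CERTIFICATE, PKCS#7 type
    dirs = [(0, 0)] * 4 + [(cert_off, len(cert))] + [(0, 0)] * 11        # 16 data directories
    opt = struct.pack("<H", 0x10B) + b"\0" * 94 + b"".join(struct.pack("<II", *d) for d in dirs)
    return dos + b"PE\0\0" + file_hdr + opt + cert
```

On a real sample, a non-zero `slack_bytes` value is worth a closer look on its own; combined with the AutoIt marker it matches the pattern this campaign uses.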
This Cyber News was published on securelist.com. Publication date: Fri, 04 Oct 2024 09:13:06 +0000