Fake MSI Afterburner Sites Delivering Coin-Miner
Published 01/06/2023
Originally published by Cyble on November 23, 2022.
Stealthy Miner Bypasses Detection Using Shellcode And Process Injection
Gamers and other high-performance computing users use various utility software tools such as MSI Afterburner, which monitors system performance and allows users to modify the hardware settings to enhance the system’s performance. Threat Actors (TAs) generally target these software tools to deliver malware to the user’s machine.
Recently, Cyble Research & Intelligence Labs (CRIL) identified several phishing campaigns targeting MSI Afterburner software to deliver coin-miner malware. The TAs behind these campaigns used sophisticated phishing pages that mimic the legitimate MSI Afterburner site to lure the users into downloading coin-miner malware that performs the crypto-mining process. The TA hosted a phishing site to deliver the payload of coin-miner malware bundled with legitimate MSI Afterburner installers.
Crypto mining is a power and resource-intensive activity that requires dedicated hardware like GPUs. By bundling a coin-miner into the tools such as Afterburner and installing it in the user’s machine, the TAs can hijack the processing power of the victim’s machine to mine the cryptocurrencies without their consent. The figure below shows the phishing website created by TAs.
Figure 1 – Phishing page downloading malicious MSI Afterburner installer
In the last three months, we Identified approximately 50 phishing websites targeting MSI Afterburner to deliver malware on the user’s machine. The figure below shows the timeline of the phishing sites created to target MSI Afterburner.
Figure 2 – Timeline of Phishing websites
Technical Analysis
In this technical analysis, we analyzed a sample named “MSIAfterburnerSetup.msi” with SHA265 as 2279b8cf7a2b1fa13f1832b4dc0331bd9f971240f38b0fbd694ed6aec093bb8d, downloaded from a phishing site hxxps://git[.]git[.]skblxin[.]matrizauto[.]net.
The “MSIAfterburnerSetup.msi” installer file contains four executable files such as “MSIAfterburnerSetup465Beta2.exe”, “install.exe”, “comp.cab”, a cabinet file containing redline stealer, and “browser_assistant.exe” which loads XMR Miner.
The figure below shows the contents of the MSIAfterburnerSetup.msi.
Figure 3 – Contents of the downloaded installer file
When a user runs the MSIAfterburnerSetup.msi file, it further executes “install.exe”, which shows the installation wizard to install the program. The figure below shows the Installation Wizard.
Figure 4 – Afterburner setup window
In the background, the installer drops a file named “browser_assistent.exe” in the %Program files% location and executes it. Upon execution, “the browser_assistent.exe” Injects itself and loads a shellcode which gets the encoded XMR Miner binary from the GitHub repository and further injects it into explore.exe. The below image shows the process tree of the XMR miner.
Figure 5 – Process tree of XMR Miner
The malware installs XMR Miner silently in the background by injecting malicious code into a running process without saving the actual payload in the disk. The below image shows the infection chain of the XMR miner.
Figure 6 – XMR miner infection chain
XMR Miner Analysis
The loader “browser_assistant.exe” is a 64-bit PyInstaller executable with SHA256: 0e154eed00b71c0d11bd2caeb64fa2efcbb10524b797c076895752affa0f46c. Additional information is shown in the figure below.
Figure 7 – Loader File Details
Upon execution of “browser_assistant.exe”, it drops multiple Python-supporting files into the %temp% directory. The below figure shows the “.pyc”, “.pyd”, and “.dll” files extracted from the PyInstaller executable.
Figure 8 – Extracted files of PyInstaller executable
The “Binary_Stub_Replacer.pyc”, Python compiled file is responsible for XMR miner activity. During execution, it retrieves and injects the XMR Miner into “explorer.exe” using the following steps:
- Initially, the “Binary_Stub_Replacer.pyc” decodes the actual data using replace function, converts the stub into binary format first, and then changes it into ASCII format, as shown in Figure 9.
Figure 9 – Decoded python content (Stage 1)
- The decoded stub forms a new python code containing an embedded base64 encoded content shown in Figure 10. This python code decodes the base64encoded stub, which creates a shellcode.
- The Shellcode is further injected into “browser_assistant.exe” using the CreateThread() API function, as shown in Figure 10.
Figure 10 – Decoded python content (Stage 2)
- After that, the loaded Shellcode retrieves encoded raw data (XMR Miner) from the GitHub repository (hxxps[:]//raw.githubusercontent[.]com:443/CyberSECx/Dimitri_Quaser_LASTSM_B64/main/RawData), decodes it, injects it into explorer.exe and invokes the explorer.exe with the mining parameters shown in the below Figure 11.
Figure 11 – Shellcode retrieves encoded XMR Miner content from GitHub
The injected XMR Miner further launches commands to connect the mining pool for crypto mining operations, as shown in the figure below.
Figure 12 – Injected XMR mining pool details in the memory explorer.exe
The table below shows the arguments used by the XMR miner malware.
–algo | mining algorithm |
–url | URL of mining server |
–user | username for the mining server |
–pass | password for the mining server |
–cpu-max-threads-hint | Maximum CPU usage |
–cinit-stealth-targets | When any programs listed under “Stealth Targets” are running, this option pauses the miner and clears the GPU memory. |
–cinit-api | C&C API URL |
–cinit-version | Version |
–tls | enable SSL/TLS support |
–cinit-idle-wait | Idle wait time |
–cinit-idle-cpu | Can be set to mine when the computer is in use or not, at varying rates, or not at all. |
–cinit-id | User ID |
The malware simultaneously collects sensitive information such as computer name, username, GPU, CPU, and other details from the victim’s system and sends them to the below C&C (Command and Control) server URL API:
- hxxp[:]//45[.]87[.]0[.]89/api/endpoint[.]php
The below figure shows exfiltrated sensitive details from the victim’s machine.
Figure 13 – Exfiltrated data
Finally, the malware starts mining using the TA’s wallet address on the victim’s machine to generate revenue. The below figure shows the TA’s XMR mining pool dashboard, which displays the stats such as total money paid, balance, etc., indicating the possibility of financial gain using this XMRminer.
Figure 14 – Transaction Details of TAs Wallet Address
Conclusion
This coin-miner malware campaign uses MSI Afterburner phishing sites targeting gamers and other individuals who require high-performance computing. TAs use phishing emails, online ads, and various other means to propagate links over the internet. TAs could also target other specialized software to spread malware.
In this case, Afterburner drops the XMR miner for mining which silently abuses the victim’s system resources (CPU and RAM mostly) and produces revenues for attackers. This significantly decreases the victim’s overall system performance and drains their system resources, severely affecting the productivity of the victim user or organization.
Our Recommendations
- Users are advised to check their system performance and CPU usage periodically.
- Enterprises should prevent users from downloading pirated software from Warez/Torrent websites. The “Hack Tool” present on sites such as YouTube, Torrent sites, etc., contains such malware.
- Organizational information security policies/acceptable usage policies should be updated to explicitly prohibit downloading and installing crypto mining software on end-user systems.
- Users should turn on the automatic software update feature on their computer, mobile, and other connected devices.
- Using a reputed antivirus and internet security software package is recommended on connected devices, including PCs, laptops, and mobile devices.
- As part of ongoing security awareness and training, users should be educated to refrain from opening untrusted links and Email attachments without first verifying their authenticity.
- Educate employees on protecting themselves from threats like phishing attacks and untrusted URLs.
- Block URLs that could be used to spread the malware, e.g., Torrent/Warez.
- Endpoints and Servers should be monitored for unexpected spikes in CPU and RAM utilization that could point to a potential malware infection.
MITRE ATT&CK® Techniques
Tactic | Technique ID | Technique Name |
Execution | T1204 T1064 | User Execution Scripting |
Persistence | T1547 | Registry Run Keys / Startup Folder |
Privilege Escalation | T1055 | Process Injection |
Defense Evasion | T1497 T1036 | Virtualization/Sandbox Evasion Masquerading |
Discovery | T1057 T1082 T1518 T1120 | Process Discovery System Information Discovery Security Software Discovery Peripheral Device Discovery |
Command and Control | T1071 T1105 | Application Layer Protocol Ingress Tool Transfer |
Indicators Of Compromise
Indicators | Indicator Type | Description |
96a3469891a23e0aa49fd009979b668b a9205e91e5694bb60efe73892bf14652e065bf67 2279b8cf7a2b1fa13f1832b4dc0331bd9f971240f38b0fbd 694ed6aec093bb8d | MD5 SHA1 SHA256 | MSIAfterburnerSetup.msi |
a9e09703d13de2fd20ca8aab4e02e7c8 a785b651aa699ba651e9fccd94f86fefff88cc6a 00e154eed00b71c0d11bd2caeb64fa2efcbb10524b797c0 76895752affa0f46c | MD5 SHA1 SHA256 | browser_assistant.exe |
git[.]git[.]skblxin[.]matrizauto[.]net git[.]git[.]git[.]skblxin[.]matrizauto[.]net git[.]git[.]git[.]git[.]skblxin[.]matrizauto[.]net www[.]matrizauto[.]net | Domain | Download Link |
hxxp://45[.]87[.]0[.]89/api/endpoint[.]php | URL | Contacted URL |
104[.]20[.]67[.]143 | IP | Contacted IP |
Related Articles:
The Evolution of DevSecOps with AI
Published: 11/22/2024
Establishing an Always-Ready State with Continuous Controls Monitoring
Published: 11/21/2024
AI-Powered Cybersecurity: Safeguarding the Media Industry
Published: 11/20/2024