Cyber Security researchers have just discovered a new Russian malware, dubbed WebCobra, which harnesses victims’ computing power to mine for cryptocurrencies.
Coin mining malware is difficult to detect. Once a machine is compromised, a malicious app runs silently in the background with just one sign: performance degradation. As the malware increases power consumption, the machine slows down, leaving the owner with a headache and an unwelcome bill, as the energy it takes to mine a single bitcoin can cost from $531 to $26,170, according to a recent report.
The increase in the value of cryptocurrencies has inspired cybercriminals to employ malware that steals machine resources to mine crypto coins without the victims’ consent.
The researchers have previously analyzed the cryptocurrency file infector CoinMiner; and the Cyber Threat Alliance, with major assistance from a renowned security vendor, has published a report, “The Illicit Cryptocurrency Mining Threat.” Recently we examined the Russian application WebCobra, which silently drops and installs the Cryptonight miner or Claymore’s Zcash miner, depending on the architecture WebCobra finds. McAfee products detect and protect against this threat.
We believe this threat arrives via rogue PUP installers. We have observed it across the globe, with the highest number of infections in Brazil, South Africa, and the United States.
This cryptocurrency mining malware is uncommon in that it drops a different miner depending on the configuration of the machine it infects. We will discuss that detail later in this post.
The main dropper is a Microsoft installer that checks the running environment. On x86 systems, it injects Cryptonight miner code into a running process and launches a process monitor. On x64 systems, it checks the GPU configuration and downloads and executes Claymore’s Zcash miner from a remote server. Once data.bin is decrypted and executed, it tries a few anti-debugging, anti-emulation, and anti-sandbox techniques as well as checks of other security products running on the system. These steps allow the malware to remain undetected for a long time.
Most security products hook some APIs to monitor the behavior of malware. To avoid being found by this technique, WebCobra loads ntdll.dll and user32.dll as data files in memory and overwrites the first 8 bytes of those functions, which unhooks the APIs.
MITRE Attack Techniques:
- Exfiltration over command and control channel
- Command-line interface
- Hooking
- Data from local system
- File and directory discovery
- Query registry
- System information discovery
- Process discovery
- System time discovery
- Process injection
- Data encrypted
- Data obfuscation
- Multilayer encryption
- File deletion
- Indicators of compromise
- IP addresses
- 249.13:2224
- 254.170:2223
- 92.212
- Domains
- xmrig.com
- xmrig.com
- ru
- slushpool.com
Coin mining malware will continue to evolve as cybercriminals take advantage of this relatively easy path to stealing value. Mining coins on other people’s systems requires less investment and risk than ransomware, and does not depend on a percentage of victims agreeing to send money. Until users learn they are supporting criminal miners, the latter have much to gain.
