According to our data, cryptocurrency miners are rapidly gaining in popularity. In an earlier publication we noted that cybercriminals were making use of social engineering to install this sort of software on users’ computers. This time, we’d like to dwell more on how exactly the computers of gullible users start working for cybercriminals.

Beware freebies

We detected a number of similar websites with offers to download various types of free software. Some of them really were free applications (such as OpenOffice), while others attempted to entice users with “free” software packages of Adobe Premiere Pro, CorelDraw, PowerPoint, etc. From the victim’s point of view, the software was indeed free – it didn’t ask for activation keys and could be used immediately. Moreover, the cybercriminals used domain names resembling those of recognized legitimate products, such as thefinereader.ru, theopenoffice.ru, etc. There was one thing all these apps had in common – they were installed on the victim computer along with a custom-configured version of cryptocurrency mining software from the NiceHash project.

All sites followed the same design template, differing only in their product descriptions and download links

Mining coins at any price

Kaspersky Lab’s products detect the NiceHash miner with the verdict not-a-virus:RiskTool.Win64.BitCoinMiner.cgi; it is not malicious according to Kaspersky Lab’s classification. According to KSN data, around 200 files are detected with this verdict. We chose the file FineReader-12.0.101.382.exe for analysis. It was obtained from the website thefinereader.ru which is no longer available; at this website, it was presented as a “free full version” of ABBYY FineReader. It should be noted that this hacked version, minus the miner component, has long been available on the internet via Torrent file distribution systems:

The executable file contains the installation package Inno Setup; unpacking it will produce a number of folders containing the actual software and its resources, as well as an installation guide script. The installer’s root folder looks like this:

The {app} folder is of interest to us; it contains the software that is installed. This folder contains a ‘portable’ version of FineReader:

The lib folder contains some suspicious-looking files:

Among these files is the NiceHash miner that we mentioned above. There are also text files in this folder that contain the information required to initialize the miner – namely the wallet details and the mining pool’s address. This folder will be installed stealthily to the victim computer while FineReader is installing.

A shortcut will also be created in the autorun folder:

The shortcut reveals the path to the miner’s work directory on the C drive:

That leaves the tskmgr.exe and system.exe files of interest for analysis. Both files are BAT scripts compiled into PE files. Let’s look at the contents of system.exe after extracting the BAT script:

It ensures the wallet’s address is up to date and initializes the miner’s operation. It contacts the following addresses:

http://176.9.42.149/tmp1.txt

http://176.9.42.149/tmp3.txt?user=default&idurl=3

http://176.9.42.149/tmp2.txt?user=3id170927143302

After the third query, the following response is received:

This is a PowerShell script that assigns a unique ID to the infected computer and launches mining with the correct wallet details (in this specific case, the zcash cryptocurrency is mined). IDs are generated following a specific algorithm based on the mining start time. For example, the ID 4v09v2017v03v24v26 is made up of the date (14.09.2017) and time (03:24:26).

We have also identified other types of covert miners with a slightly different logic. Below is the same Inno Setup installation package, but if we take a look at its contents, we can see lots of shortcuts:

Let’s take a look inside:

This is a classic case – the shortcuts are scattered across the system; when opened by the user, they launch the miner. The package includes the TrayIt! utility that hides the miner’s window from the user by minimizing it to the system tray. This miner doesn’t receive any data from the server, but instead operates using the wallet and pool details that were hardwired into it.

Finances

Among the mining pools used by cybercriminals, we detected some that provided statistics about the wallets and the number of miners. At the time of our analysis, total revenue from all wallets was nearly US$3400.

Conclusion

This small piece of research once again demonstrates that no one should ignore protection measures and get lulled into a false sense of security, believing cybercriminals are only interested in financial organizations; practice shows that regular users are also targeted. The mining software that we analyzed, albeit incapable of inflicting any damage, can seriously impair your workstation’s performance by hijacking its resources and making it work for somebody else.

Indicators of Compromise

C&C

176.9.42.149

MD5

a9510e8f59a34a17ca47df9f78173291

19cdaf36a4bafd84c9f7b2cfff09ca50

613bd514f42e7cc78d6e0e267fc706d0

ab31d1cbed96114f2ea9797030fb608f

0a571873a125c846861127729fcf41bb

fd8f89a437bcb5490a92dc1609f190d1

dd639dc20f62393827c2067021b7fd50

6b567d817b94f714c0005e183ffb6d47

11e66ac4c9e7e3d0b341bdb51f5f8740

58c7db74c6ce306037f22984dd758362

f38b5a31eee2fd8c97249cefbc5fa19f

f378951994051bf90dc561457c88c69f

fb9c1f949f95caeada09c0fd70fb5416

b017f2836988f93b80f4322dbd488e00

211c6c52527b8c1029d64bb75a9a39d8

57cda2f33fce912f4f5eecbc66a27fa6

URLs

thefinereader[.]ru

abby-finereader[.]ru

thexpadder[.]ru

theteamspeak[.]ru

thecoreldraw[.]ru

the-powerpoint[.]ru

theoutlook[.]ru

picturemanager[.]ru

furmark[.]ru

thedxtory[.]ru

thevisio[.]ru

kmp-pleer[.]ru

theadobepremiere[.]ru

cdburner-xp[.]ru

theopenoffice[.]ru

iobit-uninstaller[.]ru