Executive Summary
The Fortra Intelligence and Research (FIRE) team has discovered, and aided in the mitigation of, a malware campaign delivering the open-source cryptocurrency miner XMRig. The campaign stands out because cryptojacking, that is, malicious cryptocurrency mining, rarely targets enterprise environments with these methods; operators more often go after individuals, who offer a larger pool of targets, weaker security practices, and a lower risk of detection.
The actors behind these attacks used uncommon staging methods and a rarely seen persistence technique, prompting a deeper technical analysis to determine the real purpose and potential impact to enterprise environments. The targets were mainly larger financial groups, banking institutions, and wealth management firms.
Delivery is by the usual phishing email, here containing a link to a Czech-based online file-sharing and storage service and urging the recipient to download a backup of their cryptocurrency wallet. Once the recipient downloads, unzips and runs the payload, the malware contacts the threat actor's infrastructure for further instructions. Aided by a number of evasion and anti-analysis techniques, its goal is to persist on the infected system as long as possible, consume system resources without consent, and return as much mined cryptocurrency as possible to the wallet specified by the attacker.
Cryptocurrency Miners and XMRig
Cryptocurrency miners are programs that use system resources, chiefly the processor, to generate virtual currency. Mining runs continuously, so the software keeps those resources busy and draws power the whole time it is running. An attacker deploying a miner wants to infect as many systems as possible and stay on them as long as possible, maximizing the cryptocurrency mined.
Once a miner is running on a compromised system, the attacker can send it further instructions and perform reconnaissance, or use the same foothold to deploy other malware capable of stealing information, granting remote access, or more.
XMRig is an open-source cryptocurrency miner developed primarily for mining Monero, although it supports other coins. It is written in C and C++ and its source code is publicly available. It is legitimate software that threat actors unfortunately abuse.
The project's own documentation highlights its ability to mine on both CPU and GPU, and builds are available for Windows, Linux, and macOS.
Breakdown
Staging
Two main staging methods were observed throughout this campaign. The first is a zip archive containing an executable. The second and more interesting infection chain begins with the delivery of a .reg file, which is an uncommon choice. That may be because Windows warns the user that this file type can damage the system, or because larger organizations with stronger security practices block these files from running or from ever reaching the user.
When a .reg file is opened, its contents are imported into the Windows registry, creating or modifying registry keys and the values beneath them. Registry keys are not files; they are containers in the registry, a hierarchical database that the operating system and installed software read to determine their own configuration and behaviour. Everything from the user's account picture to the programs launched at startup lives there, and it is the startup entries that this sample abuses.
Where the file does reach the Downloads folder, the threat actor(s) in this campaign relied on a common trick to make it pass for a harmless .txt file: the file name carries a fake .txt extension followed by a long run of spaces before the real .reg extension, so that the true extension is pushed out of the visible part of the name in most file listings.
Once imported, the .reg file registers the payload to run at logon. This is the first evasion step: nothing executes at the moment of import, and the actual malware does not run until the user next logs in.
Here is the command once we manually decoded the content:
Another useful property of the registry, from the attacker's point of view, is that values are not limited to short strings: binary and string values can hold data far larger than a typical configuration setting, so an entire executable can be stored in the registry. That keeps the payload off disk until the moment it runs, out of reach of file-based antivirus scanning. We observed exactly this behaviour here. The command shown in the previous image will:
Extract payload from registry
↳ Write it to disk
↳ Execute it silently
The extracted payload in turn runs a third stage from the current user's temp directory. At this point Windows Defender can catch the chain, since its behaviour monitoring flags execution out of the temp directory and can quarantine the file. That is not hard for the actors to change in a future build. The detection names Defender assigns only tell us "generic coin miner", so further analysis is needed to confirm the malware family.
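To make the staging pattern concrete, here is an added example written for this article (not Fortra's code and not the campaign's) that parses a .reg export, decodes its hex and hex(2) values, and flags the two features described above: a Run-key command that reads a payload out of another registry value and drops it into %TEMP%, and a binary value that begins with an MZ header. It also checks file names for the padded decoy extension used in the Downloads-folder trick. The .reg content, key paths, value names and the PowerShell one-liner are constructed for illustration.

```python
"""Parse a Windows .reg export and flag the registry-staging pattern described above.

Added example for this article (not Fortra's code, not the campaign's). The .reg
content, key paths, value names and the PowerShell one-liner are constructed."""
import re
from typing import Dict, List, Optional, Tuple

# Constructed sample: a Run-key stager that reads a payload blob out of another
# registry value, writes it to %TEMP% and launches it (the three steps listed above).
SAMPLE_REG = r"""Windows Registry Editor Version 5.00

[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run]
"WinTemp"="powershell -w hidden -c $b=(Get-ItemProperty HKCU:\\Software\\Example).Blob;[IO.File]::WriteAllBytes($env:TEMP+'\\a.exe',$b);Start-Process ($env:TEMP+'\\a.exe')"

[HKEY_CURRENT_USER\Software\Example]
"Blob"=hex:4d,5a,90,00,03,00,00,00,04,00,00,00,ff,ff,00,00,b8,00,00,00,\
  00,00,00,00,40,00,00,00
"Note"=hex(2):63,00,6d,00,64,00,00,00
"""

HEX_RE = re.compile(r"^hex(?:\(([0-9a-fA-F]+)\))?:(.*)$")
RUN_KEY_RE = re.compile(r"\\CurrentVersion\\Run(Once)?$", re.I)
STAGER_RE = re.compile(
    r"Get-ItemProperty|reg(\.exe)?\s+query|FromBase64String|\$env:TEMP|%TEMP%|-w(indowstyle)?\s+hidden", re.I)
# Decoy extension, a run of spaces, then the real one (the Downloads-folder trick).
PADDED_EXT_RE = re.compile(r"\.(txt|pdf|docx?|jpe?g|png)\s{2,}\.(reg|exe|scr|bat|cmd|js|vbs|lnk)$", re.I)


def _join_continuations(text: str) -> List[str]:
    """Registry exports wrap long hex values with a trailing backslash."""
    out, buf = [], ""
    for raw in text.splitlines():
        line = raw.strip()
        if line.endswith("\\"):            # hex continuation; quoted strings always end in "
            buf += line[:-1]
            continue
        out.append(buf + line)
        buf = ""
    return out


def _decode_value(rhs: str) -> Tuple[str, object]:
    """Decode the right-hand side of a .reg value into (type name, data)."""
    if rhs.startswith('"') and rhs.endswith('"'):
        return "REG_SZ", re.sub(r"\\(.)", r"\1", rhs[1:-1])   # \\ -> \  and \" -> "
    if rhs.startswith("dword:"):
        return "REG_DWORD", int(rhs[6:], 16)
    m = HEX_RE.match(rhs)
    if not m:
        return "UNKNOWN", rhs
    type_id = int(m.group(1), 16) if m.group(1) else 3         # bare "hex:" is REG_BINARY (3)
    data = bytes(int(b, 16) for b in m.group(2).replace(" ", "").split(",") if b)
    if type_id in (1, 2):                                       # string types are stored as UTF-16LE
        return ("REG_SZ" if type_id == 1 else "REG_EXPAND_SZ"), data.decode("utf-16-le").rstrip("\x00")
    if type_id == 7:                                            # REG_MULTI_SZ: NUL-separated list
        return "REG_MULTI_SZ", [s for s in data.decode("utf-16-le").split("\x00") if s]
    return "REG_BINARY", data


def parse_reg(text: str) -> Dict[str, Dict[str, Tuple[str, object]]]:
    """Return {key path: {value name: (type, data)}} for a .reg file body."""
    keys: Dict[str, Dict[str, Tuple[str, object]]] = {}
    current: Optional[str] = None
    for line in _join_continuations(text):
        if not line or line[0] == ";" or line.startswith("Windows Registry Editor"):
            continue
        if line[0] == "[" and line[-1] == "]":
            current = line[1:-1].lstrip("-")    # "[-HKEY...]" is a key deletion; recorded as-is
            keys.setdefault(current, {})
            continue
        name, sep, rhs = line.partition("=")
        if current is None or not sep:
            continue
        keys[current][name.strip('"')] = _decode_value(rhs)
    return keys


def find_staging(keys: Dict[str, Dict[str, Tuple[str, object]]]) -> List[str]:
    """Flag Run-key commands that pull from the registry or drop into %TEMP%, and values holding a PE."""
    findings = []
    for path, values in keys.items():
        for name, (vtype, data) in values.items():
            if RUN_KEY_RE.search(path) and isinstance(data, str) and STAGER_RE.search(data):
                findings.append(f"run-key stager: {path}\\{name}")
            if vtype == "REG_BINARY" and data[:2] == b"MZ":
                findings.append(f"embedded PE ({len(data)} bytes): {path}\\{name}")
    return findings


def padded_extension(filename: str) -> Optional[str]:
    """Return the real extension when a decoy one is separated from it by a run of spaces."""
    m = PADDED_EXT_RE.search(filename)
    return m.group(2).lower() if m else None


if __name__ == "__main__":
    for finding in find_staging(parse_reg(SAMPLE_REG)):
        print(finding)
    print(padded_extension("wallet_backup.txt" + " " * 40 + ".reg"))
```

The same parser runs over a real .reg attachment pulled from mail quarantine; in practice the stager regex should be tuned to the scripting hosts allowed in the environment, and any REG_BINARY value over a few kilobytes under a user hive is worth a look even without an MZ header.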
XMRig Analysis
Persistence
The detected executable runs as a process named WinTemp-v4.exe on the infected system. We observed an unusual command that we suspect serves persistence: this variant of XMRig appears to call REAgentC.exe to disable the Windows Recovery Environment. We could not find any documented instances of cryptominers using this method, although disabling recovery and system-restore capabilities is common in more destructive malware such as ransomware.
REAgentC.exe is the built-in Windows utility for configuring the Windows Recovery Environment (WinRE), the recovery environment an administrator boots into to repair, reset or roll back a Windows installation, including to a point before a malware infection. With WinRE disabled, that recovery path is gone.
As noted above, registry keys hold all kinds of system settings, including startup entries. The malware writes a startup entry pointing to a copy of itself under the slightly different name "Win-v43.exe", close enough to the first stage's name to blend into the environment. This ensures it runs again at each logon. Monitoring writes to these commonly abused Run keys, particularly where the value points to a path in a user-writable directory, is a good way to detect this kind of behaviour.
Detection Opportunities
There are several other opportunities for defenders to write detection rules for this strain. The creation of two mutexes stood out to us, since mutex names are an easy way to identify XMRig. The names are assembled at runtime rather than stored as plain strings in the binary, so a debugger was required to recover them.
A mutex is a synchronization object that a process can claim so that other processes wait on, or stay away from, the same resource. Malware commonly uses a named mutex as an infection marker: if the name already exists, a second copy exits rather than running twice, which would add load, draw attention and raise the chance of detection. EDR products that hook or log calls to CreateMutexA/CreateMutexW can alert on the two names observed here: v4Invoker and v4Admin.
Another point of interest was the User-Agent string XMRig sets for its C2 (command-and-control) communication. The chosen value is meant to blend in with ordinary HTTP traffic and look legitimate. Defenders can look for that User-Agent in HTTP requests to suspicious destinations, in particular bare IP addresses on non-standard ports such as the C2 address listed in the indicators below.
The samples also employ a range of evasion techniques: anti-debugging checks, looks for signs of a virtual machine to frustrate analysis, and a ping to Google to confirm internet connectivity before doing anything else. Only once the malware is convinced it is running on a real victim machine does it contact the command-and-control server operated by the threat actor(s).
During our analysis we were unable to obtain any response from the C2 server. We would expect it to include configuration, perhaps the target wallet, but the greater concern is that the compromised system now has a backdoor through which further intrusion, data theft or more damaging malware could follow.
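The detection opportunities from this section and the persistence section, run over constructed endpoint telemetry, as an added example written for this article (not Fortra's code and not the malware's). The event schema is a simplified Sysmon/EDR-style shape assumed for illustration. The mutex names and the C2 addresses come from this article; the file paths, the Run-key value name, the `/disable` switch (REAgentC's documented switch for turning WinRE off; the article does not quote the exact command line observed), the User-Agent value and the extra 203.0.113.9 destination are constructed. The HTTP rule deliberately goes beyond the listed IOCs and flags any bare-IP destination on a non-web port, so the User-Agent can be reviewed even when the address is new.

```python
"""Detection rules for the behaviours described above, run over constructed telemetry.

Added example for this article (not Fortra's or the malware's code). Event schema is a
simplified Sysmon/EDR-style shape assumed for illustration; mutex names and C2 addresses
come from the article, everything else (paths, command lines, User-Agent) is constructed."""
import ipaddress
import re
from typing import Dict, List, Tuple
from urllib.parse import urlsplit

XMRIG_MUTEXES = {"v4Invoker", "v4Admin"}                      # from the analysis above
C2_IOCS = {"45.141.233.253", "45.144.212.77", "xai830k.com", "singularity-drop.com"}

# "/disable" is REAgentC's documented switch for turning WinRE off (assumption: the exact
# observed command line is not quoted in the article).
REAGENTC_RE = re.compile(r"(^|\\)reagentc(\.exe)?\s+/disable\b", re.I)
RUN_KEY_RE = re.compile(r"\\CurrentVersion\\Run(Once)?\\", re.I)
USER_WRITABLE_RE = re.compile(r"\\(Temp|AppData|Downloads|Users\\Public)\\", re.I)

EVENTS: List[Dict[str, str]] = [   # constructed sample telemetry
    {"type": "process", "image": r"C:\Users\a\AppData\Local\Temp\WinTemp-v4.exe",
     "cmdline": r"C:\Windows\System32\ReAgentc.exe /disable"},
    {"type": "mutex", "image": r"C:\Users\a\AppData\Local\Temp\WinTemp-v4.exe", "name": "v4Invoker"},
    {"type": "mutex", "image": r"C:\Program Files\Mozilla Firefox\firefox.exe", "name": "FirefoxProfileLock"},
    {"type": "registry_set", "image": r"C:\Users\a\AppData\Local\Temp\WinTemp-v4.exe",
     "key": r"HKCU\Software\Microsoft\Windows\CurrentVersion\Run\WinTemp",
     "data": r"C:\Users\a\AppData\Roaming\Win-v43.exe"},
    {"type": "registry_set", "image": r"C:\Windows\System32\msiexec.exe",
     "key": r"HKLM\Software\Microsoft\Windows\CurrentVersion\Run\SecurityHealth",
     "data": r"C:\Windows\System32\SecurityHealthSystray.exe"},
    {"type": "http", "image": r"C:\Users\a\AppData\Local\Temp\WinTemp-v4.exe",
     "url": "http://45.144.212.77:7777/", "user_agent": "Mozilla/5.0 (Windows NT 10.0; Win64; x64)"},
    {"type": "http", "image": r"C:\Users\a\AppData\Local\Temp\WinTemp-v4.exe",
     "url": "http://203.0.113.9:8080/cfg", "user_agent": "Mozilla/5.0 (Windows NT 10.0; Win64; x64)"},
    {"type": "http", "image": r"C:\Program Files\Mozilla Firefox\firefox.exe",
     "url": "https://www.google.com/", "user_agent": "Mozilla/5.0 (Windows NT 10.0; rv:120.0) Gecko/20100101 Firefox/120.0"},
]


def _is_bare_ip(host: str) -> bool:
    """True when the HTTP host is a literal IPv4/IPv6 address rather than a name."""
    try:
        ipaddress.ip_address(host)
        return True
    except ValueError:
        return False


def detect(events: List[Dict[str, str]]) -> List[Tuple[str, str]]:
    """Return (rule, detail) pairs; each rule corresponds to one opportunity discussed above."""
    findings: List[Tuple[str, str]] = []
    for ev in events:
        kind = ev["type"]
        if kind == "process" and REAGENTC_RE.search(ev["cmdline"]):
            findings.append(("winre_disabled", ev["cmdline"]))
        elif kind == "mutex" and ev["name"] in XMRIG_MUTEXES:
            findings.append(("xmrig_mutex", ev["name"]))
        elif kind == "registry_set" and RUN_KEY_RE.search(ev["key"]) and USER_WRITABLE_RE.search(ev["data"]):
            findings.append(("run_key_user_writable", ev["data"]))
        elif kind == "http":
            parts = urlsplit(ev["url"])
            host, port = parts.hostname or "", parts.port
            # Known C2, or any bare-IP destination on a non-web port: surface the User-Agent for review.
            if host in C2_IOCS or (_is_bare_ip(host) and port not in (None, 80, 443)):
                findings.append(("suspicious_http", f"{host}:{port} UA={ev['user_agent']}"))
    return findings


if __name__ == "__main__":
    for rule, detail in detect(EVENTS):
        print(f"{rule:24} {detail}")
```

The reagentc rule should run on every host regardless of parent process, since a legitimate administrator rarely disables WinRE outside imaging; the mutex rule depends on the EDR exposing CreateMutex telemetry, which not all products do by default.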
Takeaways
This campaign is a noticeable departure from the threats we typically see targeting our clients. Most email-based attacks we observe aim at credential theft or establishing remote access; this one appears to prioritize long-term resource abuse for profit through the stealthy deployment of the XMRig cryptocurrency miner. The deliberate targeting of the financial sector, combined with uncommon staging, a rarely seen persistence mechanism, and a set of evasion and anti-analysis techniques, suggests a calculated approach. While the only behaviour we observed was the deployment of the miner, the implant's full capabilities and intent could pose a greater threat. It reinforces the need to remain vigilant against even low-profile malware, whose true impact can be far-reaching once embedded in an enterprise environment.
Indicators of Compromise
File Extension | SHA256 |
.reg | b3a78c629ace70d85f0e19434fd3dbcace41e11b3805b383af4168de87cd5024 |
.exe | e879ff2975fcdb979c486017f8cae511181bdff575422f4e777a8f5f6ca36ea8 |
.exe | 529ebeb094c141edf2bbcce2bb399f8816c841deb3cc4bd3a39e9384797b53f3 |
.zip | 27eac780448c48d4ad730d1ba3195ba0b27c1de04530508e4c201e277038f5cf |
.exe | fa57fbed23f78334b9f43dd95e1dbf2de8195abae27f6bc5c8f63a482375964d |
.txt | 5d2f6ccf609cdccdbe56dcf2ddcaf48bfaf7cfd943bfe6addbfe2f47c9619cc2 |
.exe | 5b22214977d9888c9a4a4621e8f54fdea8e0a0cf39d94d9b5c3c628d963abdec |
IOC Type | Address |
url | hxxps[://]www[.]uschovna[.]cz/en/zasilka/TFE62T7CEM9MW4TY-TF4 |
url | hxxps[://]www[.]uschovna[.]cz/en/zasilka/TFRKZWL8I9Z2C9KE-SSD |
url (C2) | hxxps[://]xai830k[.]com/sapphire[.]exe |
url (C2) | hxxps[://]singularity-drop[.]com |
IP (C2) | 45[.]141[.]233[.]253 |
IP (C2) | 45[.]144[.]212[.]77:7777 |