Some time ago, we detected a number of fake apps delivering a Monero cryptocurrency miner to user computers. They are distributed through malicious websites that may turn up in the victim’s search results. By the look of it, this appears to be a continuation of the summer campaign covered by our colleagues from Avast. Back then, cybercriminals distributed malware under the guise of the Malwarebytes antivirus installer.
In the latest campaign, we have seen several apps impersonated by the malware: the ad blockers AdShield and Netshield, as well as the OpenDNS service. This article analyzes only the fake AdShield app, but all the other cases follow the same scenario.
Distributed under the name adshield[.]pro, the malware impersonates the Windows version of the AdShield mobile ad blocker. After the user starts the program, it modifies the DNS settings on the device so that all domains are resolved through the attackers’ servers, which, in turn, prevent users from reaching certain antivirus websites, such as Malwarebytes.com.
After substituting the DNS servers, the malware starts updating itself by running updater.exe with the argument self-upgrade (“C:\Program Files (x86)\AdShield\updater.exe” -self-upgrade). Updater.exe contacts the C&C and sends data about the infected machine and information about the start of the installation. Some of the strings in the executable file, including the one with the C&C server address, are encrypted to make static detection more difficult.
Updater.exe code snippet containing the encrypted address
Updater.exe downloads a modified version of the Transmission torrent client from the site transmissionbt[.]org and runs it (the original distribution can be found at transmissionbt.com). The modified program sends installation information together with the ID of the infected machine to the C&C, and downloads a mining module from it.
Notifying C& C about the successful installation
The mining module consists of legitimate auxiliary libraries, an encrypted miner file named data.pak, the executable file flock.exe and the “license” file lic.data. The latter contains a SHA-256 hexadecimal hash of some parameters of the machine for which the module is intended and of the data from the data.pak file. The modified Transmission client runs flock.exe, which first of all calculates the hash of the parameters of the infected computer and the data from the data.pak file, and then compares it with the hash from the lic.data file. This is necessary because the C&C generates a unique set of files for each machine so as to hinder static detection and prevent the miner from running and being analyzed in various virtual environments.
If the hashes do not match, execution stops. Otherwise, flock.exe decrypts the data from the data.pak file using the AES-128-CTR algorithm, whereby the decryption key and initialization vector are assembled from several parts stored in the sample code. The decryption yields a Qt binary resource file that contains two executable files: the open-source XMRig miner (the same one used in the summer attack) and the bxsdk64.dll library.
Decrypted data.pak file
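The machine-binding check and the data.pak decryption described above, reimplemented in Go as an added analyst-side example (not the sample’s code, nor Kaspersky’s): the key/IV fragments, the machine parameters that get hashed and the NUL separator are constructed assumptions, since the article does not disclose them. It shows why a lic.data generated for one machine makes the module stop before decrypting anything in a sandbox.

```go
package main

import (
	"crypto/aes"
	"crypto/cipher"
	"crypto/sha256"
	"encoding/hex"
	"fmt"
	"strings"
)

// Constructed stand-ins: the real key/IV fragments and the exact machine parameters are not disclosed.
var keyFragments = []string{"frag-A-0123", "frag-B-4567", "frag-C-89abcdef"}
var victimParams = []string{"VICTIM-BIOS-SERIAL-1", "00:1A:2B:3C:4D:5E"}
// licHash: SHA-256 over the machine parameters, then the raw data.pak bytes, hex-encoded like lic.data.
func licHash(params []string, dataPak []byte) string {
	h := sha256.New()
	for _, p := range params {
		h.Write([]byte(p + "\x00")) // NUL separator is an assumption of this example
	}
	h.Write(dataPak)
	return hex.EncodeToString(h.Sum(nil))
}
// assembleKeyIV joins the fragments: the first 16 bytes are the AES-128 key, the next 16 the CTR IV.
func assembleKeyIV() (key, iv []byte) {
	joined := []byte(strings.Join(keyFragments, ""))
	return joined[:16], joined[16:32]
}
// ctrXOR applies AES-128-CTR; CTR is symmetric, so the same call encrypts and decrypts.
func ctrXOR(data, key, iv []byte) []byte {
	block, _ := aes.NewCipher(key) // key is always 16 bytes here
	out := make([]byte, len(data))
	cipher.NewCTR(block, iv).XORKeyStream(out, data)
	return out
}
// unpackDataPak replicates flock.exe's gate: a lic.data bound to another machine stops it before decrypting.
func unpackDataPak(params []string, dataPak []byte, licHex string) ([]byte, error) {
	if licHash(params, dataPak) != licHex {
		return nil, fmt.Errorf("lic.data mismatch: module was generated for another machine")
	}
	key, iv := assembleKeyIV()
	return ctrXOR(dataPak, key, iv), nil
}

func main() {
	key, iv := assembleKeyIV()
	dataPak := ctrXOR([]byte("qres\x00constructed stand-in for the Qt resource"), key, iv)
	licHex := licHash(victimParams, dataPak) // what the C&C would ship alongside this data.pak
	_, err := unpackDataPak([]string{"VMWARE-564D-0011", victimParams[1]}, dataPak, licHex) // sandbox: refused
	pt, _ := unpackDataPak(victimParams, dataPak, licHex)
	fmt.Printf("sandbox: %v\nvictim: %q\n", err, pt)
}
```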
The bxsdk64.dll file is part of the BoxedApp SDK for creating a virtual environment, but in this case it is used to run the miner under the guise of the legitimate app find.exe. The point is that, to implement its functionality, bxsdk intercepts calls to system functions and can manipulate their execution. In this case, the BoxedAppSDK_CreateVirtualFileA function creates the find.exe file (which is a copy of the C:\Windows\System32\find.exe file) in the C:\ProgramData\Flock directory. All further manipulations with find.exe occur in RAM and do not affect the file on the disk. When the find.exe process starts, bxsdk intercepts the event and runs the file from the C:\ProgramData\Flock directory; then, using the WriteProcessMemory and CreateRemoteThread functions, it injects the decrypted miner body into the process memory.
According to data from Kaspersky Security Network, at the time of preparing this article, since the beginning of February 2021, there have been attempts to install fake apps on the machines of more than 7 thousand users. At the peak of the current campaign, more than 2,500 unique users per day came under attack, with most of the victims located in Russia and CIS countries.
Number of users attacked, August 2020 – February 2021
Kaspersky’s security solutions detect the above-described threats with the following verdicts:
If flock.exe is detected on your device:
1. Uninstall NetshieldKit, AdShield, uninstall or reinstall OpenDNS (whichever is installed on your machine).
2. Reinstall the Transmission torrent client or uninstall it if you don’t need it.
3. Delete the folders (if present on the disk):
   C:\ProgramData\Flock
   %allusersprofile%\start menu\programs\startup\flock
   %allusersprofile%\start menu\programs\startup\flock2
4. Delete the servicecheck_XX task (where XX are random numbers) in Windows Task Scheduler.
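The folder and scheduled-task checks from the clean-up steps, as an added Go example that is not part of the article: it expands the %VAR% paths, reports which Flock folders exist on the host, and filters the CSV output of `schtasks /query /fo csv` for servicecheck_XX tasks; the schtasks sample in main is constructed.

```go
package main

import (
	"encoding/csv"
	"fmt"
	"os"
	"regexp"
	"strings"
)

// Folders named in the clean-up steps; %VAR% references are expanded against the environment at run time.
var flockDirs = []string{
	`%ProgramData%\Flock`,
	`%allusersprofile%\start menu\programs\startup\flock`,
	`%allusersprofile%\start menu\programs\startup\flock2`,
}
var envRef = regexp.MustCompile(`%([^%]+)%`)
var taskRE = regexp.MustCompile(`(?i)^\\servicecheck_\d+$`) // servicecheck_XX, where XX are random digits
// expandWin expands Windows-style %VAR% references from the process environment.
func expandWin(p string) string {
	return envRef.ReplaceAllStringFunc(p, func(m string) string { return os.Getenv(strings.Trim(m, "%")) })
}
// presentDirs returns the expanded folders that exist on this machine (an empty result means nothing to delete).
func presentDirs(dirs []string) (found []string) {
	for _, d := range dirs {
		if st, err := os.Stat(expandWin(d)); err == nil && st.IsDir() {
			found = append(found, expandWin(d))
		}
	}
	return found
}
// servicecheckTasks scans `schtasks /query /fo csv` output (TaskName is the first column) for servicecheck_XX tasks.
func servicecheckTasks(csvText string) (found []string, err error) {
	rows, err := csv.NewReader(strings.NewReader(csvText)).ReadAll()
	if err != nil {
		return nil, err
	}
	for _, row := range rows {
		if len(row) > 0 && taskRE.MatchString(row[0]) {
			found = append(found, row[0])
		}
	}
	return found, nil
}

func main() {
	// Constructed stand-in for schtasks output; on a live host, feed the real command's output instead.
	sample := "\"TaskName\",\"Next Run Time\",\"Status\"\n" +
		"\"\\Microsoft\\Windows\\Defrag\\ScheduledDefrag\",\"N/A\",\"Ready\"\n" +
		"\"\\servicecheck_4821\",\"N/A\",\"Ready\"\n"
	tasks, _ := servicecheckTasks(sample)
	fmt.Println("folders to delete:", presentDirs(flockDirs), "\ntasks to delete:", tasks)
}
```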
MD5 hashes of the samples:
5aa0cda743e5fbd1d0315b686e5e6024 (AdShield installer)
81BC965E07A0D6C9E3EB0124CDF97AA2 (updater.exe)
ac9e74ef5ccab1d5c2bdd9c74bb798cc (modified Transmission installer)
9E989EF2A8D4BC5BA1421143AAD59A47 (NetShield installer)
2156F6E4DF941600FE3F44D07109354E (OpenDNS installer)