This is a guest post by independent security researcher James Quinn.
If you have not yet read the first part of the MadoMiner analysis, please do so now. This analysis picks up where Part 1 left off and also includes a brief correction: Part 1 listed the x64 version of the Install module as identical to the x86 Install module. That is not correct. The x64 Install module is identical in its run-through to the 360Safe.exe module, which is discussed later in this analysis.
In addition, take care with this portion of the malware. The batch script for Mask.exe, DemC.bat, appears to run if Mask.exe detects another copy of itself during runtime, or if the x64 version of Install is run on a 32-bit machine.
Where Install.exe was in charge of infecting new victims with MadoMiner, Mask.exe seems to be where the real payoff lies. Mask.exe uses XMRig miners to mine XMR (Monero), which the operators then sell for profit. MadoMiner was earning about $6,000 a month as of the last analysis; around 10/14, MineXMR closed the old wallet address due to botnet reports. A new address has since been identified, 47QrUBQ4ejMW5wrWXiKUyRcQCZszauGWg9c3SLkzFoBJi45M5yN6gVPjVxSUfjMq4u8vepEejdnxyRQcv4RuFGy25x67433, again mining through minexmr.com. At the time of writing its hashrate is 109 KH/s and steadily rising.
Also around the time that the address changed, MadoMiner itself became drastically different.
Malware Analysis
Where Install.exe downloaded only one file from a remote host, Mask.exe downloads two. The servers used for these downloads are also different from the ones Install.exe used, which increases the proposed size of the botnet's infrastructure.
Domains
In addition to the two domains identified in Part 1, a new domain has also been identified for a distribution server:
However, that domain is currently dead. The mining server currently in use is pool.minexmr[dot]com
C2 server (newly updated version):
- http://qq.honker[dot]info
Previously identified distribution domains:
- http://da[dot]alibuf.com:3/
- http://bmw[dot]hobuff.info:3/
Previously identified IPs:
Previously identified mining servers:
- http://gle[dot]freebuf.info
- http://etc[dot]freebuf.info
- http://xmr[dot]freebuf.info
- http://xt[dot]freebuf.info
- http://boy[dot]freebuf.info
- http://liang[dot]alibuf.com
- http://dns[dot]alibuf.com
- http://x[dot]alibuf.com
In addition, http://da[dot]alibuf.com:3, the main distribution server, seems to have been registered by bodfeo[at]hotmail.com in early October 2017. According to an analysis by Steve Butt of DomainTools, this email was linked to APT19/c0d0s0; however, that link was most likely due to domain reselling.
Exploits
During the execution of Sogou.exe, the following exploits are used to install MadoMiner on new victims' PCs:
- CVE-2017-9073, RDP vulnerability in Windows XP and Windows Server 2003 (EsteemAudit)
- CVE-2017-0143, SMBv1 remote code execution (MS17-010)
- CVE-2017-0146, SMBv1 remote code execution (MS17-010)
Installation
Mask.exe ends up on a victim's computer after either x86.dll or x64.dll downloads mado.exe or dst.exe, respectively. Unlike with Install.exe, it does not matter which file is downloaded, because they are the same file (they have the same file hash).
Setup
Once Mask.exe is on a victim's computer, it attempts to connect to one of the distribution servers identified above (bmw[dot]hobuff.info). Once a connection is established, it attempts to download two files, sogou.exe and 360safe.exe. Sogou.exe is the payload that contains the CPUInfo scanner, but here it has been set to scan for IPv6 addresses. Sogou is saved as conhost.exe in C:\Windows\Installer. 360Safe.exe is the payload that contains the XMRig miners as well as the service manager (NSSM). 360Safe is saved as Makes.exe.
Mask.exe
Mask.exe seems to be the profitable part of MadoMiner, and accordingly it uses many more anti-debug tricks during its run-through. Mask.exe is in charge of downloading and executing Sogou.exe and 360Safe.exe. Each of these modules also carries batch scripts, run at different stages of execution, which are discussed below.
MadoMiner generates money by mining XMR using Mask.exe, 360Safe.exe and XMRig: Mask.exe installs 360Safe.exe, which in turn installs XMRig. MadoMiner uses the service manager NSSM to install the services it needs for runtime and persistence. In addition, Sogou.exe scans for IPv6 addresses that are vulnerable to EternalBlue and installs some scheduled tasks.
If Mask.exe detects another copy of itself, DemC.bat is run (see the removal section for details). DemC.bat is just like the DemC in Part 1: it attempts to delete the malware from the system as an anti-analysis measure. It also appears to close any open ports so that the host cannot be reinfected.
Sogou.exe runtime analysis
Sogou.exe appears to be another propagation module for MadoMiner, which answers the question raised in Part 1: since x64.dll installed a miner during Install.exe, how did the x64 version of the malware propagate?
Once downloaded by Mask.exe, Sogou.exe saves itself to C:\%Windows%\Installer\conhost.exe and executes. However, Sogou.exe is more of a dropper than the full malware itself: it drops FileFtp.exe into C:\Program Files\Windowsd. FileFtp.exe appears to be a partially encrypted propagation module that uses the same exploits as ZombieBoyTools, which it also drops into Windowsd. This propagation module goes a bit further in hiding itself. Like every other MadoMiner module, FileFtp includes a script to delete itself from the filesystem; but as any forensic investigator can tell you, a deleted file is not really gone, at least not immediately. FileFtp.exe, after installing the propagation exploits and the executable used to spread, and before deleting itself, runs cmd /c cipher /w:C, which overwrites the volume's free (unallocated) space, where the contents of deleted files would otherwise remain recoverable. So FileFtp.exe does not merely delete itself; it wipes itself from the disk. For responders this means file carving is unlikely to recover the dropper, and that an execution of cipher.exe with /w from an unusual parent (here cmd.exe spawned by a binary under Program Files\Windowsd) is itself a strong detection signal in process-creation logs.
Tasks and batch scripts used by Sogou.exe
AutoKMSK is used by Sogou.exe to execute a copy of itself, saved as C:\Windows\Installer\conhost.exe, every 15 minutes. It does this with the command
schtasks /create /sc minute /mo 15 /tn "AutoKMSK" /tr "C:\windows\Installer\conhost.exe" /ru "system" /f
AutoKMSKK is used by Sogou.exe to execute a script known as "free.bat", which is very similar to Install.exe's free.bat. This script deletes all files installed by conhost.exe every 26 minutes; the malware uses this to evade detection. The command is as follows
schtasks /create /sc minute /mo 26 /tn "AutoKMSKK" /tr "C:\Windows\Installer\free.bat" /ru "system" /f
Mask.exe’s Free.bat
360Safe.exe Brief Overview
Where Sogou.exe appears to be a propagation module, 360Safe.exe is a pure mining module. 360Safe.exe arrives on a computer after being downloaded from bmw.hobuff[dot]info and executed by Mask.exe. As the main mining payload for MadoMiner, 360Safe is in charge of installing the service manager MadoMiner uses and then dropping and installing the miner. It does this in a fairly modular and interesting way: 360Safe carries both the x86 and x64 builds of the service manager and of the miner, identifies the architecture of the host and then dynamically assembles a payload for that architecture. In addition, 360Safe uses a number of anti-analysis and masquerading techniques, such as changing the base language of the strings in the service manager and filling in complete, official-looking information when setting up the service registry keys (descriptions, and error messages that appear when the malware is tampered with).
360Safe Service Manager
360Safe uses NSSM (the Non-Sucking Service Manager) as its service manager. NSSM lets it quickly install services with simple commands such as nssm install <service name> <path-to-service>. However, 360Safe uses some techniques to hide the fact that it is NSSM. First, it changes the base language of NSSM's installation messages: the strings are switched to the host's language at runtime via the MessageBoxEx Windows API, with the result that they are semi-unreadable when basic string analysis is performed.
NSSM strings information
In addition, once the architecture has been identified and the matching NSSM build selected, a non-standard installation location is used. 360Safe installs the service manager to C:\%Windows%\Fonts as "svchost.exe" and registers it as an event-log message source under the registry keys
- HKLM\SYSTEM\CurrentControlSet\Services\EventLog
- HKLM\SYSTEM\CurrentControlSet\Services\EventLog\Application
- HKLM\SYSTEM\CurrentControlSet\Services\EventLog\Application\NSSM
NSSM values
- EventMessageFile = C:\Windows\Fonts\svchost.exe
- TypesSupported = 0x00000007
The NSSM subkey and its two values can be used as IOCs. Note that the parent EventLog and EventLog\Application keys are standard Windows keys present on every host; what identifies the infection is the source name NSSM and an EventMessageFile pointing into the Fonts directory.
In addition, any windows opened by NSSM are hidden so that the user does not suspect anything. Whenever 360Safe needs to install a service, it calls C:\windows\Fonts\svchost.exe to do so.
NSSM Registry Installation
360Safe Miner Installation
Just like the rest of 360Safe, the mining portion installs all of its executables to C:\%Windows%\Fonts. However, it does not use just one executable to install the miners. First, 360Safe.exe drops conhost.exe into C:\%Windows%\Fonts and creates a new service called ServiceMaims, which provides persistence for conhost.exe.
The display name (the name shown in Task Manager and the Services console) for ServiceMaims is "Network Location Service", and the description is "Provides performance library information from Windows Management". Both strings are adapted from genuine Windows services (Network Location Awareness and the WMI Performance Adapter), so match on the service name, ImagePath and Parameters values rather than on the display text.
ServiceMaims is then started, which in turn starts conhost.exe.
Registry Keys:
- HKLM\SYSTEM\CurrentControlSet\Services\ServiceMaims
- HKLM\SYSTEM\CurrentControlSet\Services\ServiceMaims\Parameters
- HKLM\SYSTEM\CurrentControlSet\Services\ServiceMaims\Parameters\AppExit
Values in ServiceMaims:
- DisplayName = ServiceMaims
- ErrorControl = 0x00000001
- ImagePath = C:\windows\Fonts\svchost.exe
- ObjectName = LocalSystem
- PreshutdownTimeout = 0x0002bf20
- Start = 0x00000002
- Type = 0x00000010
Values in ServiceMaims\Parameters:
- AppDirectory = C:\windows\Fonts
- Application = C:\windows\Fonts\conhost.exe
- AppParameters = (blank)
Values in ServiceMaims\Parameters\AppExit:
360Safe Conhost
Conhost.exe in C:\%Windows%\Fonts is used as a backup and dropper for the miner that will be installed. Conhost consists of the x86 build of XMRig, the x64 build of XMRig and a dropper. The dropper has some installation scripts that are used for persistence, and it drops only one build of the miner, x86 or x64, depending on the host OS.
On first run, conhost enumerates the victim's OS architecture and creates a file in C:\%Windows%\Fonts called "rundllhost.exe", into which it writes either the x86 or the x64 miner. It then runs a script that registers the miner as a service and saves the mining parameters in the registry so they can be passed to the miner on execution.
The DisplayName is "WMI Performance Services"
The Description is "Identify Computers that are connected to the network, collect and store the properties of these networks, and notify the application when they are changed"
As with ServiceMaims, the description is a near-copy of a real Windows service's text (Network Location Awareness), so a display name alone is a weak indicator.
The script then starts ServiceMais so that the miner is executed.
Note: this miner is capped at 50% CPU usage (--max-cpu-usage=50), but was still earning the authors over $6,000 a month before MineXMR shut down the address. The new address is earning around $2,000 a month and has only been active for a few days; more on that below.
Registry Keys:
- HKLM\SYSTEM\CurrentControlSet\Services\ServiceMais
- HKLM\SYSTEM\CurrentControlSet\Services\ServiceMais\Parameters
- HKLM\SYSTEM\CurrentControlSet\Services\ServiceMais\Parameters\AppExit
Values in ServiceMais:
- DisplayName = ServiceMais
- ErrorControl = 0x00000001
- ImagePath = C:\windows\Fonts\svchost.exe
- ObjectName = LocalSystem
- PreshutdownTimeout = 0x0002bf20
- Start = 0x00000002
- Type = 0x00000010
Values in ServiceMais\Parameters:
- AppDirectory = (blank)
- Application = rundllhost.exe
- AppParameters = -o pool.minexmr.com:443 -u 45WVNRZkKoR55thZWviZ3diXBLAcNRp4yFCtDCnCLRL7bq9E7XqQ7GX5auuc8thCvgUv1av6MpgC5gFVECYGHmx1VKkfEnp -p x -k --donate-level=1 --max-cpu-usage=50
(In XMRig's syntax -o is the pool, -u the wallet address used as the pool login, -p the pool password and -k keepalive; the AppParameters value is the most reliable place to recover the wallet and pool from an infected host.)
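The following PowerShell script is an added example and is not code from the original post or from the malware. It hunts for the persistence described in the Sogou.exe task section above (AutoKMSK/AutoKMSKK) and in the 360Safe sections (the renamed NSSM registered as an event source, and the NSSM-wrapped ServiceMaims/ServiceMais services). Task and service names, paths and registry values are taken from the analysis; the two generic checks (any service whose binary lives under the Fonts directory, and XMRig-style arguments in an NSSM AppParameters value) are generalisations added here so the script also catches renamed variants. It must be run from an elevated prompt.

```powershell
# Added example (not code from the original post). Hunts for the persistence
# described above: Sogou.exe's scheduled tasks, the renamed NSSM registered as
# an event source, and the NSSM-wrapped miner services. Run elevated.
$findings = New-Object System.Collections.Generic.List[string]

# 1. Scheduled tasks. AutoKMSK runs Installer\conhost.exe every 15 min and
#    AutoKMSKK runs free.bat every 26 min; AutoKKMSK covers the alternate
#    spelling in the IOC table. Get-ScheduledTask needs Windows 8/2012 or
#    later; on older hosts use: schtasks /query /tn <name> /v /fo list
foreach ($name in 'AutoKMSK', 'AutoKMSKK', 'AutoKKMSK') {
    $task = Get-ScheduledTask -TaskName $name -ErrorAction SilentlyContinue
    if ($task) {
        $exec = ($task.Actions | ForEach-Object { $_.Execute }) -join '; '
        $findings.Add("task '$name' present, runs: $exec")
    }
}

# 2. NSSM event source: 360Safe registers Fonts\svchost.exe (renamed NSSM)
#    as the Application log message file for the source "NSSM".
$nssmKey = 'HKLM:\SYSTEM\CurrentControlSet\Services\EventLog\Application\NSSM'
if (Test-Path -Path $nssmKey) {
    $msgFile = (Get-ItemProperty -Path $nssmKey).EventMessageFile
    $findings.Add("event source NSSM registered, EventMessageFile=$msgFile")
}

# 3. Services. For an NSSM-wrapped service, ImagePath is the wrapper; the
#    real payload is Parameters\Application and its command line is
#    Parameters\AppParameters, so both are read and reported.
$svcRoot = 'HKLM:\SYSTEM\CurrentControlSet\Services'
$known   = 'ServiceMaims', 'ServiceMais', 'RpcEptManger', 'Samserver'   # names from the analysis
foreach ($svc in Get-ChildItem -Path $svcRoot -ErrorAction SilentlyContinue) {
    $props   = Get-ItemProperty -Path $svc.PSPath -ErrorAction SilentlyContinue
    $image   = [string]$props.ImagePath
    $params  = Get-ItemProperty -Path (Join-Path $svc.PSPath 'Parameters') -ErrorAction SilentlyContinue
    $app     = [string]$params.Application
    $appArgs = [string]$params.AppParameters

    $reasons = @()
    if ($known -contains $svc.PSChildName) { $reasons += 'known MadoMiner service name' }
    # Generic check (added here): no legitimate service runs out of Fonts.
    if ($image -like '*\Fonts\*' -or $app -like '*\Fonts\*') { $reasons += 'binary under Fonts' }
    # Generic check (added here): XMRig-style command line, -o pool:port or --donate-level.
    if ($appArgs -match '(^|\s)-o\s+\S+:\d+' -or $appArgs -match '--donate-level') {
        $reasons += 'miner arguments in AppParameters'
    }
    if ($reasons.Count -gt 0) {
        $findings.Add("service '$($svc.PSChildName)': $($reasons -join ', ') | ImagePath=$image | Application=$app | AppParameters=$appArgs")
    }
}

if ($findings.Count -eq 0) { 'No MadoMiner indicators found.' } else { $findings }
```

The service loop walks every key under Services rather than only the four known names, because the x64 Install variant already showed that the operators rename services between builds while keeping the Fonts location and the XMRig command line.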
Mask.exe Removal
Disclaimer regarding updated malware: while MadoMiner did update itself around 10/14-10/16/2018, it does not look like it can update bots that are already deployed, only new ones. For this reason, while IOCs for the new malware are listed at the bottom, a removal section for the old malware is still included. Keep in mind that if your infection occurred after 10/16/2018, the file names listed in this guide may not be entirely accurate.
Warning Regarding Batch Scripts
Before attempting to remove this malware, read the batch files and treat them with care. Make sure that all of your files are backed up: this malware deletes files and then wipes unallocated space, so file recovery is incredibly difficult.
DemC is mainly used by the malware to frustrate analysis. If another copy of the malware is detected, or if the 64-bit version of Install.exe is run on a 32-bit system, it scans the system for several files and folders used in other malware campaigns and makes them inaccessible. It also closes any open ports that are vulnerable to its campaigns, and it changes the Image File Execution Options so that the malware cannot be run again.
Removal Steps – Sogou.exe
Sogou.exe installs two scheduled tasks during installation, which need to be stopped, ideally before the free.bat task is allowed to run. The tasks, "AutoKMSK" and "AutoKMSKK", can be found in the Windows Task Scheduler. Stop and delete them, but first note which files the tasks execute (the "Actions" tab of the task). In this case they are C:\%Windows%\Installer\conhost.exe and C:\%Windows%\Installer\free.bat.
In C:\%Windows%, locate the folder "Installer". For Sogou.exe this is the main installation folder. Inside Installer, locate both "conhost.exe" and "free.bat" and delete them.
In C:\Program Files, locate the folder "Windowsd". This is where Sogou.exe installs FileFtp.exe and all subsequent files dropped by FileFtp.exe. If the file-deletion script has not already removed them, remove this entire folder. Note: Windowsd may contain over 70 different files used for propagation to other systems.
Removal Steps – 360Safe.exe
360Safe.exe creates more registry entries than Sogou.exe. Because it installs several services, these first need to be stopped in the Services console and then deleted (sc delete <name> removes the service together with its registry key).
Event source: NSSM
Regkey: HKLM\SYSTEM\CurrentControlSet\Services\EventLog\Application\NSSM
Image Location: C:\%windows%\Fonts\svchost.exe
Caution: delete only the NSSM subkey. EventLog itself is the Windows Event Log service; removing its service key breaks event logging on the host.
Service Name: ServiceMaims
Regkey: HKLM\SYSTEM\CurrentControlSet\Services\ServiceMaims
Image Location: C:\%windows%\Fonts\conhost.exe (set in Parameters\Application; the service's ImagePath is the NSSM wrapper C:\%windows%\Fonts\svchost.exe)
Service Name: ServiceMais
Regkey: HKLM\SYSTEM\CurrentControlSet\Services\ServiceMais
Image Location: C:\%windows%\Fonts\rundllhost.exe (set in Parameters\Application; ImagePath is again the NSSM wrapper)
360Safe saves itself to C:\%Windows% as makes.exe, which will need to be deleted as well.
Removal Steps – Install.exe (x64)
The x64 version of Install.exe is a near-identical miner to the x86 and x64 versions of Mask.exe; only the service names and one file name differ (RpcEptManger corresponds to ServiceMaims and Samserver to ServiceMais; note the misspelling of the legitimate RpcEptMapper service). The removal steps are otherwise the same:
Event source: NSSM
Regkey: HKLM\SYSTEM\CurrentControlSet\Services\EventLog\Application\NSSM
Image Location: C:\%windows%\Fonts\svchost.exe
(As above, delete only the NSSM subkey, not the EventLog service.)
Service Name: RpcEptManger
RegKey: HKLM\SYSTEM\CurrentControlSet\Services\RpcEptManger
Image Location: C:\%WindowsDirectory%\Fonts\wininit.exe
Service Name: Samserver
RegKey: HKLM\SYSTEM\CurrentControlSet\Services\Samserver
Image Location: C:\%WindowsDirectory%\Fonts\rundllhost.exe
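The removal steps for Sogou.exe, 360Safe.exe and Install.exe (x64) above, carried out as one script. This is an added example, not code from the original post; the task names, service names and file paths are the ones listed in the steps, and the order (free.bat task first, then the NSSM-wrapped services, then the NSSM event source, then files) is chosen so that nothing can re-create or wipe files while the cleanup is running. It assumes an elevated prompt and that the files have been backed up for forensics beforehand.

```powershell
# Added example (not code from the original post): removes the persistence
# described in the removal steps above. Run elevated, after backing up.
$win = $env:SystemRoot

# 1. Sogou.exe scheduled tasks. The free.bat task (AutoKMSKK / AutoKKMSK)
#    goes first so it cannot fire and delete evidence mid-cleanup.
foreach ($task in 'AutoKMSKK', 'AutoKKMSK', 'AutoKMSK') {
    schtasks.exe /end /tn $task 2>$null | Out-Null
    schtasks.exe /delete /tn $task /f 2>$null | Out-Null
}

# 2. NSSM-wrapped services from 360Safe.exe and Install.exe (x64). Stopping
#    the wrapper stops the child it supervises; sc delete then removes the
#    service and its registry key, including Parameters\Application and
#    Parameters\AppParameters.
foreach ($svc in 'ServiceMais', 'ServiceMaims', 'Samserver', 'RpcEptManger') {
    if (Get-Service -Name $svc -ErrorAction SilentlyContinue) {
        Stop-Service -Name $svc -Force -ErrorAction SilentlyContinue
        sc.exe delete $svc | Out-Null
        "deleted service $svc"
    }
}

# 3. Event source registered by the renamed NSSM. Only this subkey is removed;
#    the EventLog service key itself belongs to Windows and must stay.
$nssmKey = 'HKLM:\SYSTEM\CurrentControlSet\Services\EventLog\Application\NSSM'
if (Test-Path -Path $nssmKey) { Remove-Item -Path $nssmKey -Recurse -Force; "deleted $nssmKey" }

# 4. Files and folders. Kill any process still running from these paths
#    (the services are gone, but conhost.exe may have been launched by the
#    scheduled task), then delete.
$paths = @(
    "$win\Installer\conhost.exe", "$win\Installer\free.bat",
    "$win\Fonts\svchost.exe", "$win\Fonts\conhost.exe",
    "$win\Fonts\rundllhost.exe", "$win\Fonts\wininit.exe",
    "$win\makes.exe", "$win\tem.vbs", "$win\demc.bat",
    "$env:ProgramFiles\Windowsd"
)
Get-Process -ErrorAction SilentlyContinue |
    Where-Object { $_.Path -and ($paths -contains $_.Path) } |
    Stop-Process -Force -ErrorAction SilentlyContinue
foreach ($p in $paths) {
    if (Test-Path -LiteralPath $p) {
        Remove-Item -LiteralPath $p -Recurse -Force -ErrorAction SilentlyContinue
        "removed $p"
    }
}
```

If the Fonts directory entries refuse to delete, DemC has probably run and locked them; see the next section for regaining access.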
Removal – DemC Has Been Run
In the case that DemC has run, removal becomes more complex. DemC's purpose is to hide MadoMiner from analysis, so it creates directories and takes ownership of existing directories and files in order to do so.
Specifically, it:
- Removes the %Windows%\SpeechsTracing directory (if it exists)
- Removes the %Windows%\SecureBootThemes directory (if it exists)
- Removes the %Windows%\sysprepthemes directory (if it exists)
- Creates a new directory at %Windows%\SpeechsTracingMicrosoft and makes it inaccessible to everyone
- Creates a new directory at %Windows%\SecureBootThemes and makes it inaccessible to everyone
- Creates a new directory at %Windows%\sysprepthemes and makes it inaccessible to everyone
- Makes the file C:\ProgramData\Natihialsvshostr.exe inaccessible to everyone
- Makes the file C:\ProgramData\newcsrss inaccessible to everyone
- Makes the file C:\ProgramData\MicrosoftNatihialcmd.exe inaccessible to everyone
- Makes the file C:\ProgramData\expl0rer.exe inaccessible to everyone
- Makes the file C:\windows\svchost.exe inaccessible to everyone
- Creates a directory named C:\%windows%\svchost.exe and makes it inaccessible to everyone
- Creates a directory named C:\%windows%\tasksche.exe and makes it inaccessible to everyone
- Creates a directory named C:\program files (x86)\stormiiserver.exe and makes it inaccessible to everyone
Creating a directory that carries the file name of a competing malware's executable prevents that file from being written to the location; the locked ProgramData entries are artifacts of other campaigns. Some of the names above are shown without their inner directory separators, so confirm the exact paths on the host before acting on them.
For the items made inaccessible, you will need to take ownership first, either with the Security tab of the item's Properties dialog (Advanced, then Owner) or with the built-in takeown.exe and icacls.exe command-line tools (takeown ships with Windows; it is not part of the Sysinternals suite).
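Regaining access to the paths DemC locks, as an added example that is not code from the original post. It uses the built-in takeown.exe and icacls.exe (Windows Vista / Server 2008 and later) and is run elevated. The target list contains only the entries from the list above whose full path is unambiguous; the remaining entries should be appended once their exact paths have been confirmed on the host.

```powershell
# Added example (not code from the original post): take ownership of, reset
# the ACL on, and then remove the items DemC made inaccessible. Run elevated.
function Unlock-Path {
    param([Parameter(Mandatory)][string]$Path)
    if (-not (Test-Path -LiteralPath $Path)) { return "absent: $Path" }
    if (Test-Path -LiteralPath $Path -PathType Container) {
        # /A: hand ownership to the Administrators group; /R: recurse;
        # /D Y: answer the "take ownership of the directory too?" prompt.
        takeown.exe /F $Path /A /R /D Y | Out-Null
        # /reset: replace the explicit deny ACEs DemC added with inherited
        # defaults; /T: recurse; /C: continue past errors on single items.
        icacls.exe $Path /reset /T /C | Out-Null
    } else {
        takeown.exe /F $Path /A | Out-Null
        icacls.exe $Path /reset | Out-Null
    }
    return "unlocked: $Path"
}

function Remove-LockedItem {
    param([Parameter(Mandatory)][string]$Path)
    $state = Unlock-Path -Path $Path
    if ($state -like 'unlocked:*') {
        Remove-Item -LiteralPath $Path -Recurse -Force
        return "removed: $Path"
    }
    return $state
}

# Entries from the DemC list whose location is unambiguous. DemC creates the
# first two as directories (to block files of that name), so -Recurse applies.
$win = $env:SystemRoot
$targets = @(
    "$win\svchost.exe",
    "$win\tasksche.exe",
    "$env:ProgramData\expl0rer.exe",
    "$env:ProgramData\newcsrss"
)
foreach ($t in $targets) { Remove-LockedItem -Path $t }
```

Unlock-Path is separated from Remove-LockedItem so that a responder who wants to image or hash the locked items before deleting them can call the first function alone.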
Indicators of Compromise
Each entry lists the sample name, its hash (MD5, except where a 40-character value is given, which is SHA-1 length as listed in the source), size, the server it contacts and the host-based IOCs it leaves.

Sample: Mask.exe
MD5: 4ae31911c1ef2ca4eded1fdbaa2c7a49
Size: 741.4 KB
Server: bmw.hobuff[dot]info:3/
IOCs:
- C:\%Windows%\tem.vbs
- C:\%Windows%\demc.bat

Sample: 360Safe.exe
MD5: ce606d80b44ea2aae81056b9088ba1e4
Size: 3.6 MB
Server: pool.minexmr[dot]com:443
IOCs:
- Services: EventLog (NSSM event source), ServiceMaims, ServiceMais
- Regkeys: HKLM\SYSTEM\CurrentControlSet\Services\EventLog\Application\NSSM, HKLM\SYSTEM\CurrentControlSet\Services\ServiceMaims, HKLM\SYSTEM\CurrentControlSet\Services\ServiceMais
- Executables: C:\%windows%\Fonts\svchost.exe, C:\%windows%\Fonts\conhost.exe, C:\%windows%\Fonts\rundllhost.exe
- Connection to pool.minexmr.com:443
- Scripts: C:\%Windows%\tem.vbs

Sample: 360Safe_svchost_x86.exe
MD5: 0a7d7ed55c4202f5106824f11ecb22fa
Size: 299 KB
Server: none
IOCs:
- Regkeys: HKLM\SYSTEM\CurrentControlSet\Services\EventLog\Application\NSSM
- Executables: C:\%windows%\Fonts\svchost.exe

Sample: 360Safe_svchost_x64.exe
MD5: 081f10718d76c9b3b19901f0ee630960
Size: 292 KB
Server: none
IOCs:
- Services: EventLog (NSSM event source)
- Regkeys: HKLM\SYSTEM\CurrentControlSet\Services\EventLog\Application\NSSM
- Executables: C:\%windows%\Fonts\svchost.exe

Sample: 360Safe_conhost.exe
MD5: 9c59ea0f58c5143b0860ec434d646780
Size: 2.3 MB
Server: none
IOCs:
- Services: ServiceMaims
- Regkeys: HKLM\SYSTEM\CurrentControlSet\Services\ServiceMaims
- Executables: C:\%windows%\Fonts\conhost.exe

Sample: 360Safe_rundllhost_x86.exe
MD5: 467d7dfe3a1fe82d12b38d997df5cfbe
Size: 1.6 MB
Server: pool.minexmr[dot]com:443
IOCs:
- Services: ServiceMais
- Regkeys: HKLM\SYSTEM\CurrentControlSet\Services\ServiceMais
- Executables: C:\%windows%\Fonts\rundllhost.exe
- Connection to pool.minexmr.com:443

Sample: 360Safe_rundllhost_x64.exe
Hash: e41f5e79400c985e8d8a25f0711095f15302e8dd
Size: 481 KB
Server: pool.minexmr[dot]com:443/
IOCs:
- Regkeys: HKLM\SYSTEM\CurrentControlSet\Services\ServiceMais
- Executables: C:\%windows%\Fonts\rundllhost.exe
- Connection to pool.minexmr.com:443

Sample: Sogou.exe
MD5: edfa66accd958eb87a6e8ef1eb708d2f
Size: 3.9 MB
Server: none
IOCs:
- Folder: C:\%Program Files%\Windowsd
- Tasks: AutoKMSK, AutoKKMSK
- Executables: C:\%Windows%\Installer\conhost.exe, C:\%Windows%\Windowsd\FileFtp.exe, assorted executables needed for spreading found in Windowsd
- Scripts: C:\%Windows%\free.bat

Sample: FileFtp.exe
MD5: 1188f935979806545cbf118e22416be5
Size: 8.9 MB
Server: none
IOCs:
- C:\%Windows%\Windowsd\FileFtp.exe
- Assorted executables needed for spreading found in Windowsd

Sample: Installx64.exe
MD5: d8470f5c12f5a5fee89de4d4c425d614
Size: 1.3 MB
Server: x.alibuff[dot]com
IOCs:
- Services: EventLog (NSSM event source), RpcEptManger, Samserver
- Regkeys: HKLM\SYSTEM\CurrentControlSet\Services\EventLog\Application\NSSM, HKLM\SYSTEM\CurrentControlSet\Services\RpcEptManger, HKLM\SYSTEM\CurrentControlSet\Services\Samserver
- Executables: C:\%windows%\Fonts\svchost.exe, C:\%WindowsDirectory%\Fonts\wininit.exe, C:\%WindowsDirectory%\Fonts\rundllhost.exe

Sample: Installx64_svchost.exe
MD5: 081f10718d76c9b3b19901f0ee630960
Size: 299 KB
Server: none
IOCs:
- Services: EventLog (NSSM event source)
- Regkeys: HKLM\SYSTEM\CurrentControlSet\Services\EventLog\Application\NSSM
- Executables: C:\%windows%\Fonts\svchost.exe

Sample: Installx64_wininit.exe
MD5: 081f10718d76c9b3b19901f0ee630960
Size: 490 KB
Server: none
IOCs:
- Services: RpcEptManger
- Regkeys: HKLM\SYSTEM\CurrentControlSet\Services\RpcEptManger
- Executables: C:\%WindowsDirectory%\Fonts\wininit.exe

Sample: Installx64_rundllhost.exe
Hash: e41f5e79400c985e8d8a25f0711095f15302e8dd
Size: 481 KB
Server: x.alibuff[dot]com
IOCs:
- Services: Samserver
- Regkeys: HKLM\SYSTEM\CurrentControlSet\Services\Samserver
- Executables: C:\%WindowsDirectory%\Fonts\rundllhost.exe

Sample: MadoMiner_New_445.exe
MD5: d4d8f87c61051c28ca3cee7e38bf839d
Size: 2.1 MB
Server: a.f2pool[dot]info:13531
IOCs:
- Task named "GooglePingInCongifs" executing C:\windows\lsass.exe
- C:\%WindowsDirectory%\Install.exe
- C:\%WindowsDirectory%\lsass.bat
- Mining at a.f2pool[dot]info

Sample: MadoMiner_New_445_Lsass.exe
MD5: 1dd1550f2586411766cba953badf76f7
Size: 4.5 MB
Server: a.f2pool[dot]info:13531
IOCs:
- C:\%WindowsDirectory%\lsass.exe

Sample: MadoMiner_New_Dst.exe
MD5: 4ace52693bdeace5b285d35e47be6cfc
Size: 102.4 KB
Server: qq.honker[dot]info
IOCs:
- Service: Jklmno
- Regkey: HKLM\SYSTEM\CurrentControlSet\Services\Jklmno
- Executable: C:\%Windows%\svchost.exe

Sample: MadoMiner_New_Dst_DecryptedRAT.exe
MD5: 01374ea3c48b69876d9375a2baba76ce
Size: 51.6 KB
Server: qq.honker[dot]info
IOCs:
- Service: Jklmno
- Regkey: HKLM\SYSTEM\CurrentControlSet\Services\Jklmno
- Executable: C:\%Windows%\svchost.exeds

Sample: MadoMiner_New_Mask.exe
MD5: 345239f58ddfd522ff04ad67009d15e9
Size: 4.5 MB
Server: l.f2pool[dot]info:443/
IOCs:
- C:\%WindowsDirectory%\Fonts\lsass.exe
- C:\%WindowsDirectory%\Fonts\svchost.exe
- C:\%WindowsDirectory%\Fonts\runhost.exe

Sample: MadoMiner_New_Mask_lsass.exe
MD5: 0ef0a7198444a43be51948e10cc15c53
Size: 3.5 MB
Server: l.f2pool[dot]info:443/
IOCs:
- C:\%WindowsDirectory%\Fonts\lsass.exe

Sample: MadoMiner_New_Mask_svchost.exe
MD5: 8a44626c2ca26a84764e7ad771143d44
Size: 89.1 KB
Server: none
IOCs:
- C:\%WindowsDirectory%\Fonts\svchost.exe
The post MadoMiner Part 2 – Mask appeared first on Cybersecurity Insiders.
October 30, 2018 at 09:09AM