A Malware Strain Uses the Windows Installer and Self Destructs to Elude Detection

cageymaru

A new strain of malware, detected as Coinminer.Win32.MALXMR.TIAOODAM, will install a cryptocurrency miner on a victim's system and uses a Windows Installer MSI file to avoid detection and security filters. It will then hide in the AppData folder, which is normally hidden. It password-protects some of the folders it uses to further obfuscate its purpose. It then copies some Windows files to the miner's installation folder to make the folder structure look official. It can redownload itself if deleted, and it comes with a self-destruct mechanism to limit analysis of the malware files. It even uses the Windows Installer builder WiX as an additional anti-detection layer.

To make detection and analysis even more difficult, the malware also comes with a self-destruct mechanism. First, it creates and executes the following file: {Random Characters}.cmD <- self-delete command-line script. It then deletes every file under its installation directory and removes any trace of installation in the system.
 
Yup, the quote lists the wrong malware; see below or follow the link in the article.
"The prodigious ascent of cryptocurrency-mining malware was not only brought about by its high profit potential, but also due to its ability to remain undetected within a system, especially when combined with various obfuscation routines. The concept of a stealthy, difficult-to-detect malware operating behind the scenes has proven to be an irresistible proposition for many threat actors, and they're evidently adding even more techniques, as seen in a cryptocurrency miner (detected as Coinminer.Win32.MALXMR.TIAOODAM) we discovered that includes multiple obfuscation and packing as part of its routine."
 
Just wait till the NSA gets a hold on this software, they'll improve on it and when it gets leaked back into the wild it's gonna be a doozie. o_O
 
 
All crypto mining involves some form of AVX instruction sequence. Maybe looking for this key signature would help. Or look for a sequence that modifies the dsx and csx:ip pointers during the obfuscate stage.
 
So when are we going to have the death penalty for malware writers?
Hehe. I would rather keep the malware developers around to keep the rest of the developers on their toes and in check.

An ecosystem needs wolves and fires.
 
A new strain of malware, detected as Trojan.BAT.TASKILL.AA, will install a cryptocurrency miner on a victim's system and uses a Windows Installer MSI file to avoid detection and security filters. It will then hide in the AppData folder, which is normally hidden. It password-protects some of the folders it uses to further obfuscate its purpose. It then copies some Windows files to the miner's installation folder to make the folder structure look official. It can redownload itself if deleted, and it comes with a self-destruct mechanism to limit analysis of the malware files. It even uses the Windows Installer builder WiX as an additional anti-detection layer.

To make detection and analysis even more difficult, the malware also comes with a self-destruct mechanism. First, it creates and executes the following file: {Random Characters}.cmD <- self-delete command-line script. It then deletes every file under its installation directory and removes any trace of installation in the system.
Hey, just a friendly nudge, but that virus name in the description is still wrong...
 
Hey, just a friendly nudge, but that virus name in the description is still wrong...

It said this at the end of the article. Are they the same or different?

Indicators of Compromise (IoCs)

Detected as Trojan.BAT.TASKILL.AA

File: f.bat_
  • 90ae20b30866bc6dbffd41869ccb642b3802f03d18df19e6c1dcab260bbeba7d
Detected as Coinminer.Win32.MALXMR.TIAOODAM

File: sup.msi_
  • 8de725e349bb8d373763470ca6bcfd45e0b86839519f216ff436d3b8452d2248
File: [68E256]
  • 95bdcfb385acd09029e93f2d0024a4c8e9b3c0be8e5091b63d98e9d88b9cc33b
File: _01700000.mem_
  • ccd609dc059a7bed7bf33c6d7dbd155fb40cdfd7d0091a9809f7f158ecd181bc
File: [61580]
  • a3f34851af892bc0d257f911dd325ebbb959c26533a3c68f15773a633f6c4d38
File: ex.exe_
  • 8d9b5190aace52a1db1ac73a65ee9999c329157c8e88f61a772433323d6b7a4a
File: icon.ico
  • 34d1ba59bc22c0b1c1ce46327efdf3286dec4c54e2482986a0478b27bb3cf48b
File: default.ocx_
  • 8be47acf7e9ce316d0b39b65363fc154a83f6946233eebf494216f01e52c44f5
File: unpacked_data.bin_
  • 9a2eaaba3357f4addbc56bc7eaa2288e813fdcd1cb086efb3ad20d912968a251
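A defender-side check for the IoC list quoted above, added here as an example and not part of the thread or the Trend Micro write-up: it parses the "Detected as / File: / • hash" layout exactly as posted into a SHA-256 lookup table, hashes every file under a directory, and reports which files match which detection name. The temporary directory, the empty file placed in it and the Test.Constructed entry are constructed for the demo; nothing on the page matches an empty file, which is the point of the positive-control entry.

```python
"""Parse the thread's IoC list and hash local files against it (added example)."""
import hashlib
import os
import re
import tempfile

# IoC block copied verbatim from the post above.
IOC_TEXT = """
Detected as Trojan.BAT.TASKILL.AA

File: f.bat_
  • 90ae20b30866bc6dbffd41869ccb642b3802f03d18df19e6c1dcab260bbeba7d
Detected as Coinminer.Win32.MALXMR.TIAOODAM

File: sup.msi_
  • 8de725e349bb8d373763470ca6bcfd45e0b86839519f216ff436d3b8452d2248
File: [68E256]
  • 95bdcfb385acd09029e93f2d0024a4c8e9b3c0be8e5091b63d98e9d88b9cc33b
File: _01700000.mem_
  • ccd609dc059a7bed7bf33c6d7dbd155fb40cdfd7d0091a9809f7f158ecd181bc
File: [61580]
  • a3f34851af892bc0d257f911dd325ebbb959c26533a3c68f15773a633f6c4d38
File: ex.exe_
  • 8d9b5190aace52a1db1ac73a65ee9999c329157c8e88f61a772433323d6b7a4a
File: icon.ico
  • 34d1ba59bc22c0b1c1ce46327efdf3286dec4c54e2482986a0478b27bb3cf48b
File: default.ocx_
  • 8be47acf7e9ce316d0b39b65363fc154a83f6946233eebf494216f01e52c44f5
File: unpacked_data.bin_
  • 9a2eaaba3357f4addbc56bc7eaa2288e813fdcd1cb086efb3ad20d912968a251
"""

SHA256_RE = re.compile(r"^[0-9a-f]{64}$")
# SHA-256 of the empty byte string; used only for the constructed demo file.
EMPTY_SHA256 = "e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855"


def parse_iocs(text):
    """Return {sha256: (detection name, file label)} from the posted layout."""
    iocs = {}
    detection = None
    label = None
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            continue
        if line.startswith("Detected as "):
            detection = line[len("Detected as "):].strip()
        elif line.startswith("File: "):
            label = line[len("File: "):].strip()
        elif line.startswith("•"):
            digest = line.lstrip("•").strip().lower()
            if not SHA256_RE.match(digest):
                raise ValueError(f"malformed SHA-256 in IoC list: {digest!r}")
            iocs[digest] = (detection, label)
    return iocs


def sha256_of_file(path, chunk=1 << 16):
    """Stream a file through SHA-256 so large files do not need to fit in memory."""
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for block in iter(lambda: f.read(chunk), b""):
            h.update(block)
    return h.hexdigest()


def scan_directory(root, iocs):
    """Hash every regular file under root; return [(path, detection, label)] hits."""
    hits = []
    for dirpath, _, filenames in os.walk(root):
        for name in filenames:
            path = os.path.join(dirpath, name)
            digest = sha256_of_file(path)
            if digest in iocs:
                detection, label = iocs[digest]
                hits.append((path, detection, label))
    return hits


def demo():
    """Constructed demo: one empty file, scanned against the page IoCs and an augmented set."""
    iocs = parse_iocs(IOC_TEXT)
    with tempfile.TemporaryDirectory() as root:
        open(os.path.join(root, "empty.bin"), "wb").close()
        page_hits = scan_directory(root, iocs)  # expected: no match on the page's hashes
        augmented = dict(iocs)
        augmented[EMPTY_SHA256] = ("Test.Constructed", "empty.bin")  # positive control
        demo_hits = scan_directory(root, augmented)
    return len(iocs), page_hits, demo_hits


if __name__ == "__main__":
    count, page_hits, demo_hits = demo()
    print(f"{count} IoC hashes parsed; page hits: {page_hits}; control hits: {demo_hits}")
```

Hashing is done on file contents only, so the filenames in the IoC list (which carry a trailing underscore from the sandbox) do not have to match what is on disk; a renamed dropper with identical bytes still hits.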
 
It said this at the end of the article. Are they the same or different?

Indicators of Compromise (IoCs)

Detected as Trojan.BAT.TASKILL.AA

File: f.bat_
  • 90ae20b30866bc6dbffd41869ccb642b3802f03d18df19e6c1dcab260bbeba7d
Detected as Coinminer.Win32.MALXMR.TIAOODAM

File: sup.msi_
  • 8de725e349bb8d373763470ca6bcfd45e0b86839519f216ff436d3b8452d2248
File: [68E256]
  • 95bdcfb385acd09029e93f2d0024a4c8e9b3c0be8e5091b63d98e9d88b9cc33b
File: _01700000.mem_
  • ccd609dc059a7bed7bf33c6d7dbd155fb40cdfd7d0091a9809f7f158ecd181bc
File: [61580]
  • a3f34851af892bc0d257f911dd325ebbb959c26533a3c68f15773a633f6c4d38
File: ex.exe_
  • 8d9b5190aace52a1db1ac73a65ee9999c329157c8e88f61a772433323d6b7a4a
File: icon.ico
  • 34d1ba59bc22c0b1c1ce46327efdf3286dec4c54e2482986a0478b27bb3cf48b
File: default.ocx_
  • 8be47acf7e9ce316d0b39b65363fc154a83f6946233eebf494216f01e52c44f5
File: unpacked_data.bin_
  • 9a2eaaba3357f4addbc56bc7eaa2288e813fdcd1cb086efb3ad20d912968a251
Huh. The BAT.TASKILL one is old, from '08, but the Coinminer.Win32.MALXMR.TIAOODAM is new, so I don't know what's up with the page.
 
Just wait till the NSA gets a hold on this software, they'll improve on it and when it gets leaked back into the wild it's gonna be a doozie. o_O
You mean the CIA. The CIA lost the tools; the NSA ratted them out that they did it. CIA-enthralled media sources confound the two events and blame the NSA.
 
All we need to do is find out what triggers the self-destruct, and then publicize that info so that everybody can easily make it remove itself. It may even be possible to automate it with a PowerShell script.
 