A Malware Strain Uses the Windows Installer and Self Destructs to Elude Detection

Discussion in '[H]ard|OCP Front Page News' started by cageymaru, Nov 8, 2018.

  1. cageymaru [H]ard|News
    A new strain of malware, detected as Coinminer.Win32.MALXMR.TIAOODAM, that installs a cryptocurrency miner on a victim's system uses a Windows Installer MSI file to avoid detection and security filters. It then hides in the AppData folder, which is normally hidden. It password-protects some of the folders it uses to further obfuscate its purpose. It then copies some Windows files to the miner's installation folder to make the folder structure look official. It can redownload itself if deleted, and it comes with a self-destruct mechanism to limit analysis of the malware files. It even uses the Windows Installer builder WiX as an additional anti-detection layer.

    To make detection and analysis even more difficult, the malware also comes with a self-destruct mechanism. First, it creates and executes the following file: {Random Characters}.cmD (a self-delete command-line script). It then deletes every file under its installation directory and removes any trace of installation in the system.
     
    Last edited: Nov 9, 2018
  2. mhd [H]Lite
  3. raz-0 [H]ardness Supreme
  4. viivo Gawd
  5. pendragon1 [H]ardForum Junkie
    Yup, the quote lists the wrong malware; see below or follow the link in the article.
    "The prodigious ascent of cryptocurrency-mining malware was not only brought about by its high profit potential, but also due to its ability to remain undetected within a system, especially when combined with various obfuscation routines. The concept of a stealthy, difficult-to-detect malware operating behind the scenes has proven to be an irresistible proposition for many threat actors, and they're evidently adding even more techniques, as seen in a cryptocurrency miner (detected as Coinminer.Win32.MALXMR.TIAOODAM) we discovered that uses multiple obfuscation and packing methods as part of its routine."
     
  6. Jim Kim 2[H]4U
    Just wait till the NSA gets hold of this software; they'll improve on it, and when it gets leaked back into the wild it's gonna be a doozie. o_O
     
  7. viper1152012 Gawd
  8. nutzo [H]ardness Supreme
    So when are we going to have the death penalty for malware writers?
     
  9. Twisted Kidney 2[H]4U
    Just like your Windows 10 install...
     
    Last edited: Nov 8, 2018
  10. cyclone3d [H]ardForum Junkie
    You have no idea how true this is.
     
  11. Dead Parrot 2[H]4U
    How do you know that this isn't NSA fund-raising system V0.46b? Since the CIA has drug-running fund-raising locked up, the NSA has to diversify.
     
  12. All crypto mining involves some form of AVX instruction sequence. Maybe looking for this key signature would help. Or look for a sequence that modifies the dsx and csx:ip pointers during the obfuscate stage.
     
  13. velusip [H]ard|Gawd
    Hehe. I would rather keep the malware developers around to keep the rest of the developers on their toes and in check.

    An ecosystem needs wolves and fires.
     
  14. BloodyIron 2[H]4U

    Seriously, that's some #2600 shit right there.
     
  15. pendragon1 [H]ardForum Junkie
    Hey, just a friendly nudge nudge, but that virus name in the description is still wrong...
     
  16. cageymaru [H]ard|News
    It said this at the end of the article. Are they the same or different?

    Indicators of Compromise (IoCs)

    Detected as Trojan.BAT.TASKILL.AA

    File: f.bat_
    • 90ae20b30866bc6dbffd41869ccb642b3802f03d18df19e6c1dcab260bbeba7d
    Detected as Coinminer.Win32.MALXMR.TIAOODAM

    File: sup.msi_
    • 8de725e349bb8d373763470ca6bcfd45e0b86839519f216ff436d3b8452d2248
    File: [68E256]
    • 95bdcfb385acd09029e93f2d0024a4c8e9b3c0be8e5091b63d98e9d88b9cc33b
    File: _01700000.mem_
    • ccd609dc059a7bed7bf33c6d7dbd155fb40cdfd7d0091a9809f7f158ecd181bc
    File: [61580]
    • a3f34851af892bc0d257f911dd325ebbb959c26533a3c68f15773a633f6c4d38
    File: ex.exe_
    • 8d9b5190aace52a1db1ac73a65ee9999c329157c8e88f61a772433323d6b7a4a
    File: icon.ico
    • 34d1ba59bc22c0b1c1ce46327efdf3286dec4c54e2482986a0478b27bb3cf48b
    File: default.ocx_
    • 8be47acf7e9ce316d0b39b65363fc154a83f6946233eebf494216f01e52c44f5
    File: unpacked_data.bin_
    • 9a2eaaba3357f4addbc56bc7eaa2288e813fdcd1cb086efb3ad20d912968a251
     
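    The hash list above is only useful once something checks files against it. The following Python sweep is an added example for this thread, not code from the post or from Trend Micro's write-up: it walks a directory tree (by default the per-user AppData folders the article says the installer hides in), streams each file through SHA-256 and reports any hit on the hashes quoted above. Files it cannot open are returned as errors rather than skipped, because a locked or permission-denied file is exactly where a "clean" result would mislead. The scratch directory and its contents are constructed for the demo; `KNOWN_SHA256` is the list quoted in the post.

```python
"""Sweep a directory tree for files whose SHA-256 matches a known-bad list.

Added example for the forum thread; not code from the post or from the
Trend Micro write-up. KNOWN_SHA256 is copied from the IoC list quoted in
the thread. The demo directory built by make_demo_tree() is constructed
scratch data and contains nothing malicious.
"""
import hashlib
import os
import tempfile
from pathlib import Path

# SHA-256 hashes quoted in the thread's IoC section (file names from the same list).
KNOWN_SHA256 = {
    "90ae20b30866bc6dbffd41869ccb642b3802f03d18df19e6c1dcab260bbeba7d",  # f.bat_ (Trojan.BAT.TASKILL.AA)
    "8de725e349bb8d373763470ca6bcfd45e0b86839519f216ff436d3b8452d2248",  # sup.msi_
    "95bdcfb385acd09029e93f2d0024a4c8e9b3c0be8e5091b63d98e9d88b9cc33b",  # [68E256]
    "ccd609dc059a7bed7bf33c6d7dbd155fb40cdfd7d0091a9809f7f158ecd181bc",  # _01700000.mem_
    "a3f34851af892bc0d257f911dd325ebbb959c26533a3c68f15773a633f6c4d38",  # [61580]
    "8d9b5190aace52a1db1ac73a65ee9999c329157c8e88f61a772433323d6b7a4a",  # ex.exe_
    "34d1ba59bc22c0b1c1ce46327efdf3286dec4c54e2482986a0478b27bb3cf48b",  # icon.ico
    "8be47acf7e9ce316d0b39b65363fc154a83f6946233eebf494216f01e52c44f5",  # default.ocx_
    "9a2eaaba3357f4addbc56bc7eaa2288e813fdcd1cb086efb3ad20d912968a251",  # unpacked_data.bin_
}


def sha256_file(path: Path, chunk: int = 1 << 20) -> str:
    """Hash a file in chunks so large .msi or memory dumps are not read whole."""
    h = hashlib.sha256()
    with path.open("rb") as f:
        for block in iter(lambda: f.read(chunk), b""):
            h.update(block)
    return h.hexdigest()


def sweep(root: Path, iocs=KNOWN_SHA256):
    """Walk root and return (matches, errors).

    matches: {path: sha256} for every file whose digest is in iocs.
    errors:  [(path, reason)] for files that could not be read, so the
             caller can tell "no matches" from "could not look".
    """
    matches, errors = {}, []
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            p = Path(dirpath) / name
            try:
                digest = sha256_file(p)
            except OSError as exc:
                errors.append((p, str(exc)))
                continue
            if digest in iocs:
                matches[p] = digest
    return matches, errors


def default_roots():
    """The per-user AppData trees the article names as the hiding place.
    The variables exist only on Windows, so this is empty elsewhere."""
    return [Path(os.environ[v]) for v in ("LOCALAPPDATA", "APPDATA") if v in os.environ]


def make_demo_tree():
    """Constructed demo input: a scratch directory with two harmless files.
    Returns (root, marker_path, marker_sha256). The marker is named like the
    installer from the IoC list but holds only a constructed string."""
    root = Path(tempfile.mkdtemp(prefix="ioc_demo_"))
    (root / "nested").mkdir()
    payload = b"constructed demo bytes, not the real sup.msi"
    marker = root / "nested" / "sup.msi"
    marker.write_bytes(payload)
    (root / "empty.bin").write_bytes(b"")
    return root, marker, hashlib.sha256(payload).hexdigest()


if __name__ == "__main__":
    # On Windows this sweeps AppData; elsewhere it sweeps the constructed demo tree.
    roots = default_roots()
    if not roots:
        demo_root, _marker, _digest = make_demo_tree()
        roots = [demo_root]
    for root in roots:
        found, errs = sweep(root)
        for p, d in found.items():
            print(f"MATCH {d}  {p}")
        print(f"{root}: {len(found)} matches, {len(errs)} unreadable files")
```

    A miss on these nine hashes says nothing about other builds of the same miner: the post notes it can redownload itself, and any repacked copy has a different digest, so treat a hash sweep as a quick triage step rather than a verdict.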
  17. pendragon1 [H]ardForum Junkie
    Huh. The BAT.TASKILL one is old, from '08, but the Coinminer.Win32.MALXMR.TIAOODAM is new, so idk what's up with the page.
     
  18. cageymaru [H]ard|News
    I'll change it in a few. I saw that at the end and just chose the first name because it was first. :)
     
  19. Thanks cagey
     
  20. Jagger100 [H]ardness Supreme
    You mean the CIA. The CIA lost the tools; the NSA ratted them out for doing it. CIA-enthralled media sources confound the two events and blame the NSA.
     
  21. PaulP Gawd
    All we need to do is find out what triggers the self-destruct, and then publicize that info so that everybody can easily make it remove itself. It may even be possible to automate it with a PowerShell script.