Short Summary:
This article discusses Binary Managed Object Files (BMOFs) and their use in distributing the XMRig CoinMiner malware. BMOFs, while not inherently malicious, can be exploited for persistence in malware attacks through Permanent Event Subscriptions in Windows Management Instrumentation (WMI).
Key Points:
- BMOFs are compiled versions of Managed Object Files (MOFs) used in Windows Management Instrumentation (WMI).
- They can execute JScript and VBScript, making them a potential vector for malware.
- Permanent Event Subscription allows BMOFs to maintain persistence even after reboots.
- XMRig CoinMiner is distributed through malicious BMOFs, which are executed via “mofcomp.exe”.
- Attackers can create guest accounts, delete the hosts file, and configure RDP connections using BMOFs.
- AhnLab MDS detects this malware under several file detection and behavior detection names (listed at the end of the post).
MITRE ATT&CK TTPs – created by AI
- Execution (T1203)
  - Malicious BMOFs are executed through “mofcomp.exe”.
- Defense Evasion (T1070)
  - Deleting the hosts file to evade detection.
- Persistence (T1547)
  - Using Permanent Event Subscription to maintain persistence.
- Credential Access (T1078)
  - Creating guest accounts to gain unauthorized access.
This blog post introduces Binary Managed Object Files (BMOFs) and cases where XMRig CoinMiner is distributed through them.
Binary Managed Object File (BMOF) is a compiled version of Managed Object File (MOF), which is used for defining and managing information related to Windows Management Instrumentation (WMI). The file itself is not malicious: hundreds of such files exist in the “C:\Windows\System32\wbem” path by default. However, it can be used for malicious purposes because it can carry JScript and VBScript that WMI will execute. Thus, threat actors use BMOF together with “Permanent Event Subscription” to maintain persistence for the malware.
Permanent Event Subscription is a structure used for receiving notifications on changes to certain events or data. It refers to the rule that sends a notification when the defined event occurs.
An example configuration of MOF is shown below.
Figure 1. MOF configuration example
“#pragma namespace(“\\.\root\subscription”)” in the 1st line indicates the intent to register a Permanent Event Subscription. Because the MOF is re-applied even after a system reboot or a WMI Repository reconfiguration, the rule can be used permanently.
The rest of the configuration consists of Event Filter, Consumer, and Binding. Event Filter in the 3rd line designates the “event filtering conditions”. For example, threat actors can make it so that only the events that start up a certain process are monitored.
Consumer in the 11th line defines the “actions to perform when the event occurs”. This part enables a certain program to run when the event occurs.
Lastly, Binding in the 18th line creates a subscription by “connecting the event filter and the consumer.” This line sets the consumer to run when an event that satisfies the event filter occurs. Based on the analysis, the example above can be described as the MOF that runs the Notepad app when Calculator is run.
Figure 2. The process tree upon executing the MOF example
As you can see in Figure 2, running Calculator executes Notepad as a subprocess of the Windows program “scrcons.exe”. Since the program is executed with admin privileges, serious issues might arise if the executed program is a malware strain.
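Because a Permanent Event Subscription is nothing more than an Event Filter, a Consumer and a Binding stored in the “root\subscription” namespace, a defender can audit a host for the structure described above by reading those three classes back and joining them through the bindings. The following script is an added example for this post, not code from ASEC or from the malware; it uses Windows PowerShell 5.1 cmdlets (Get-WmiObject) and only reads the WMI repository. It flags the two consumer classes that execute attacker-supplied content: ActiveScriptEventConsumer (the JScript/VBScript path hosted by “scrcons.exe”) and CommandLineEventConsumer.

```powershell
# Added example (not from the ASEC post): enumerate WMI permanent event
# subscriptions and flag consumers that can run scripts or command lines.
# Run from an elevated Windows PowerShell 5.1 session; read-only.
$ns = 'root\subscription'

$filters   = Get-WmiObject -Namespace $ns -Class __EventFilter
$consumers = Get-WmiObject -Namespace $ns -Class __EventConsumer   # returns all derived consumer classes
$bindings  = Get-WmiObject -Namespace $ns -Class __FilterToConsumerBinding

# Consumer classes that execute content chosen by whoever registered the subscription.
$riskyClasses = @('ActiveScriptEventConsumer', 'CommandLineEventConsumer')

foreach ($b in $bindings) {
    # Binding references are object paths such as:
    #   \\HOST\ROOT\subscription:__EventFilter.Name="MyFilter"
    # so the instance name is pulled out of the Name="..." key.
    $filterName   = ([regex]::Match($b.Filter,   'Name="([^"]*)"')).Groups[1].Value
    $consumerName = ([regex]::Match($b.Consumer, 'Name="([^"]*)"')).Groups[1].Value

    $f = $filters   | Where-Object { $_.Name -eq $filterName }   | Select-Object -First 1
    $c = $consumers | Where-Object { $_.Name -eq $consumerName } | Select-Object -First 1

    # Summarise what the consumer would actually run when the filter fires.
    $payload = switch ($c.__CLASS) {
        'ActiveScriptEventConsumer' {
            $text = if ($c.ScriptText) { $c.ScriptText } else { $c.ScriptFileName }
            "$($c.ScriptingEngine): $text"
        }
        'CommandLineEventConsumer' {
            "$($c.ExecutablePath) $($c.CommandLineTemplate)".Trim()
        }
        default { '(non-executing consumer)' }
    }

    [pscustomobject]@{
        Filter        = $filterName
        Query         = $f.Query                      # the WQL event condition
        Consumer      = $consumerName
        ConsumerClass = $c.__CLASS
        Payload       = $payload
        Suspicious    = $riskyClasses -contains $c.__CLASS
    }
}
```

On a clean workstation the output is usually empty or contains only vendor-registered consumers (for example the “SCM Event Log Consumer” shipped with Windows); any ActiveScriptEventConsumer whose ScriptText you do not recognise, or any filter whose Query watches process creation (Win32_ProcessStartTrace or __InstanceCreationEvent on Win32_Process) paired with a script or command-line consumer, matches the pattern this post describes and warrants a closer look.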
The first case of attack is presumed to be the self-propagation method used by Stuxnet in the attack on Iranian nuclear facilities in 2010. Currently, BMOF is being used for the distribution of XMRig CoinMiner by BondNet, which is a malware strain that first appeared in 2017. The initial access method is known to be using an exploit or a brute force attack on the SQL server SA account.
When the intrusion is successful, a malicious BMOF is created and executed. As the BMOF cannot be executed as a single file, it is executed through the Windows default program “mofcomp.exe”.
Figure 3. Execution example
When the BMOF is executed, it deletes the “hosts” file, creates guest accounts, downloads additional VBE files, and configures the RDP connection if the system has high performance. It then creates XMRig CoinMiner in the “C:\Windows\Temp” subpath before executing it. The process tree is as follows.
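The host-level effects listed above (missing hosts file, newly created accounts, RDP switched on, a miner dropped under “C:\Windows\Temp”, and “mofcomp.exe” being invoked) are all observable from the machine itself. The following triage script is an added example for this post, not code from ASEC; the registry value, the built-in account list, the file extensions and the use of Security event 4688 are assumptions about a typical Windows host, and every check is read-only.

```powershell
# Added example (not from the ASEC post): read-only triage for the
# indicators the post attributes to this BMOF campaign.
# Assumptions: Windows 10 / Server 2016 or later, process-creation auditing
# with command-line logging enabled for check 5.
$findings = @()

# 1. The BMOF deletes the hosts file; report if it is gone.
$hostsPath = Join-Path $env:SystemRoot 'System32\drivers\etc\hosts'
if (-not (Test-Path $hostsPath)) {
    $findings += 'hosts file is missing'
}

# 2. Enabled local accounts other than the well-known built-ins.
#    A freshly created "guest" style account shows up here for review.
$builtin = @('Administrator', 'Guest', 'DefaultAccount', 'WDAGUtilityAccount')
Get-LocalUser | Where-Object { $_.Enabled -and ($builtin -notcontains $_.Name) } |
    ForEach-Object { $findings += "enabled local account: $($_.Name)" }

# 3. RDP enabled: fDenyTSConnections = 0 means inbound connections are allowed.
$tsKey = 'HKLM:\SYSTEM\CurrentControlSet\Control\Terminal Server'
$ts = Get-ItemProperty -Path $tsKey -ErrorAction SilentlyContinue
if ($ts -and $ts.fDenyTSConnections -eq 0) {
    $findings += 'RDP connections are enabled (fDenyTSConnections = 0)'
}

# 4. Executable or script content under C:\Windows\Temp, where the post says
#    the miner is written. Extension list is an assumption.
$tempDir = Join-Path $env:SystemRoot 'Temp'
Get-ChildItem -Path $tempDir -Recurse -File -Include *.exe, *.dll, *.vbe, *.vbs, *.bat -ErrorAction SilentlyContinue |
    ForEach-Object { $findings += "executable content in Windows\Temp: $($_.FullName) ($($_.Length) bytes)" }

# 5. Recent mofcomp.exe launches in the Security log (event 4688, new process created).
Get-WinEvent -FilterHashtable @{ LogName = 'Security'; Id = 4688 } -MaxEvents 5000 -ErrorAction SilentlyContinue |
    Where-Object { $_.Message -match 'mofcomp\.exe' } |
    ForEach-Object { $findings += "mofcomp.exe launched at $($_.TimeCreated)" }

if ($findings.Count -gt 0) {
    $findings | ForEach-Object { Write-Output "[!] $_" }
} else {
    Write-Output 'no indicators found'
}
```

None of these checks is conclusive on its own: administrators legitimately enable RDP and create accounts, and “mofcomp.exe” runs during some software installs. What distinguishes the case in this post is the combination, so treat several hits together (especially alongside an unexpected script consumer in “root\subscription”) as the signal, and preserve “C:\Windows\Temp” and the WMI repository before remediating.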
Figure 4. The final process tree
AhnLab MDS detects this malware type under the name “DefenseEvasion/MDP.Delete.M11648” in sandbox environments.
Figure 5. MDS detection screen
[File Detection]
CoinMiner/Win.XMRig.R649143 (2024.05.23.01)
CoinMiner/Win.XMRig.R636370 (2024.02.25.00)
Downloader/FOMB.Agent (2024.02.27.00)
Trojan/BAT.RUNNER.SC203192 (2024.08.20.03)
Trojan/VBS.Agent.SC199715 (2024.06.08.02)
Trojan/Win.Proxy.R661576 (2024.08.20.02)
[Behavior Detection]
DefenseEvasion/MDP.Delete.M11648
Execution/MDP.Event.M12052
Execution/MDP.Event.M12053
Source : https://asec.ahnlab.com/en/83081/