XMRig CoinMiner Installed through Game Emulator

AhnLab SEcurity intelligence Center (ASEC) recently found that XMRig CoinMiner is being distributed through a game emulator. Similar cases were introduced in previous ASEC Blog posts multiple times as shown below.

1. Distribution Channel

The CoinMiner was found to be distributed on a website that provides a game emulator for a well-known gaming console. When a user clicks the download button on the right side of the webpage, a compressed file containing the game emulator is downloaded.

Figure 1. The homepage of the website that provides the game emulator
Figure 2. The download page for the game emulator

Searching for the game emulator on search engines shows that many blog posts introduce this emulator without realizing that it contains malware.

Figure 3. A blog post introducing the game emulator – 1
Figure 4. A blog post introducing the game emulator – 2

2. CoinMiner Installed via Game Emulator

The game emulator is downloaded as a compressed file as shown in Figure 5. Inside it is Readme.txt, which contains the password to emulator_installer.zip and a troubleshooting guide.

Figure 5. The compressed game emulator file
Figure 6. Readme.txt

Decompressing emulator_installer.zip reveals an installation guide and the program that supposedly installs the emulator. When the installation file is run, a progress bar for the installation of the game emulator appears, as shown in Figure 8. However, no emulator is actually installed. Instead, a CoinMiner embedded in the resources of the installation file is written to disk.

Figure 7. Decompressed emulator_installer.zip
Figure 8. The installation progress bar for the game emulator
Figure 9. The code that creates CoinMiner
Figure 10. The created CoinMiner

After the CoinMiner is created, it is executed through PowerShell commands. It then copies itself, registers the copy in both the registry Run key and the Task Scheduler, and finally executes the copy, which performs the actual mining.

Self-duplicated File Name
– “pckcache.exe”

Registry Run Key
– Path: HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Run
– Value Name: Package Cache Cleaner
– Value Data: C:\Users\[user name]\AppData\Roaming\PackageCache\pckcache.exe

Task Scheduler Entry
– Name: Package Cache Cleaner
– Trigger: When the user logs on
– Task: %AppData%\PackageCache\pckcache.exe

Figure 11. PowerShell execution commands
Figure 12. Self-duplication
Figure 13. Adding to the registry
Figure 14. Registering to the Task Scheduler
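A host check for the persistence artifacts described above, written here as an added example (it is not AhnLab’s tooling or code from this post): it looks for the Run value, the scheduled task, the dropped file and a running process, using only the names and paths the post gives. It assumes the current user’s hive is the one to check and that the task name matches exactly.

```powershell
# Added hunting script, not from the ASEC post. Names and paths below are
# taken from the post; everything else is an assumed defender-side check.
$valueName = 'Package Cache Cleaner'
$runKey    = 'HKCU:\SOFTWARE\Microsoft\Windows\CurrentVersion\Run'
$dropPath  = Join-Path $env:APPDATA 'PackageCache\pckcache.exe'
# MD5 hashes listed in the post's IOC section (installer and plugin_t4).
$knownMd5  = @('ccbd43912387346590f48944278c9d5a', 'd029e44eb41900e78818f9666528a3c9')
$findings  = @()

# 1. Registry Run value for the current user (the post reports HKCU only,
#    so run this as each interactive user, or walk HKU:\ for all profiles).
$run = Get-ItemProperty -Path $runKey -ErrorAction SilentlyContinue
if ($run -and ($run.PSObject.Properties.Name -contains $valueName)) {
    $findings += [pscustomobject]@{ Artifact = 'Run value'; Detail = $run.$valueName }
}

# 2. Scheduled task with the same name; the post describes a logon trigger.
$task = Get-ScheduledTask -TaskName $valueName -ErrorAction SilentlyContinue
if ($task) {
    $exe = ($task.Actions | ForEach-Object { $_.Execute }) -join ';'
    $findings += [pscustomobject]@{ Artifact = 'Scheduled task'; Detail = $exe }
}

# 3. Dropped copy on disk. The post does not say which IOC hash belongs to the
#    copied file, so a non-matching hash is reported, not treated as clean.
if (Test-Path -Path $dropPath) {
    $md5   = (Get-FileHash -Path $dropPath -Algorithm MD5).Hash.ToLower()
    $state = if ($knownMd5 -contains $md5) { 'matches listed IOC' } else { 'hash not in IOC list' }
    $findings += [pscustomobject]@{ Artifact = 'File'; Detail = "$dropPath ($md5, $state)" }
}

# 4. Running instance of the copy (process name without extension).
Get-Process -Name 'pckcache' -ErrorAction SilentlyContinue | ForEach-Object {
    $findings += [pscustomobject]@{ Artifact = 'Process'; Detail = "PID $($_.Id) $($_.Path)" }
}

if ($findings.Count -gt 0) {
    $findings | Format-Table -AutoSize
} else {
    'No pckcache persistence artifacts found for the current user.'
}
```

Any hit on the Run value or task should be paired with removal of both entries and the file, since the post shows each one re-launching the same copy.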

Because malware is actively being distributed via games and game emulators, users should be cautious when running executables downloaded from unreliable file-sharing websites, and should download programs from the developers’ official websites. AhnLab detects this type of malware as follows.

[File Detection]
Trojan/Win.Agent.C5623899 (2024.05.21.02)
Trojan/Win.Generic.R603077 (2023.09.03.03)

[IOCs]
– Installer_x64_v531: ccbd43912387346590f48944278c9d5a
– plugin_t4: d029e44eb41900e78818f9666528a3c9

