AhnLab SEcurity intelligence Center (ASEC) recently found that XMRig CoinMiner is being distributed through a game emulator. Similar cases were introduced in previous ASEC Blog posts multiple times as shown below.
- Orcus RAT Being Distributed Disguised as a Hangul Word Processor Crack
- Monero CoinMiner Being Distributed via Webhards
- XMRig CoinMiner Installed via Game Hacks
1. Distribution Channel
The CoinMiner was found to be distributed on a website that provides a game emulator for a well-known gaming console. When a user clicks the download button on the right side of the webpage, a compressed file containing the game emulator is downloaded.
![](https://i0.wp.com/asec.ahnlab.com/wp-content/uploads/2024/05/%EC%82%AC%EC%9D%B4%ED%8A%B8-%EB%A9%94%EC%9D%B8.png?resize=1024%2C494&ssl=1)
![](https://i0.wp.com/asec.ahnlab.com/wp-content/uploads/2024/05/%EB%8B%A4%EC%9A%B4%EB%A1%9C%EB%93%9C-%ED%8E%98%EC%9D%B4%EC%A7%803.png?resize=1024%2C494&ssl=1)
Searching the game emulator on search engines shows that many blog posts introduce this emulator without realizing that it contains malware.
![](https://i0.wp.com/asec.ahnlab.com/wp-content/uploads/2024/05/%EB%B8%94%EB%A1%9C%EA%B7%B8-%ED%8F%AC%ED%8C%85.png?resize=1024%2C498&ssl=1)
![](https://i0.wp.com/asec.ahnlab.com/wp-content/uploads/2024/05/%EB%B8%94%EB%A1%9C%EA%B7%B8-%ED%8F%AC%ED%8C%852.png?resize=1024%2C495&ssl=1)
2. CoinMiner Installed via Game Emulator
The game emulator is downloaded as a compressed file as shown in Figure 5. Inside it is Readme.txt, which contains the password to emulator_installer.zip and a troubleshooting guide.
![](https://i0.wp.com/asec.ahnlab.com/wp-content/uploads/2024/05/%EB%8B%A4%EC%9A%B4%EB%A1%9C%EB%93%9C-%EB%90%98%EB%8A%94-zip-%ED%8C%8C%EC%9D%BC-1.png?resize=1024%2C777&ssl=1)
![](https://i0.wp.com/asec.ahnlab.com/wp-content/uploads/2024/05/readme.png?resize=1024%2C482&ssl=1)
Decompressing emulator_installer.zip reveals an installation guide and the program to install the emulator. When the installation file is run, a progress bar for the installation of the game emulator appears, as shown in Figure 8. However, the emulator is not actually being installed. In reality, a CoinMiner that exists in the resources of the installation file gets created.
![](https://i0.wp.com/asec.ahnlab.com/wp-content/uploads/2024/05/20240522_092613.png?resize=1024%2C575&ssl=1)
![](https://i0.wp.com/asec.ahnlab.com/wp-content/uploads/2024/05/20240520_145022.png?w=864&ssl=1)
![](https://i0.wp.com/asec.ahnlab.com/wp-content/uploads/2024/05/plugin_t4-%EC%83%9D%EC%84%B1.png?resize=1024%2C344&ssl=1)
![](https://i0.wp.com/asec.ahnlab.com/wp-content/uploads/2024/05/20240520_161502.png?resize=1024%2C576&ssl=1)
After the CoinMiner is created, it is executed through PowerShell commands. Afterward, it self-duplicates and adds itself to the registry and the Task Scheduler, ultimately executing the self-duplicated file to perform as a CoinMiner.
Self-duplicated File Name
– “pckcache.exe”
Path to Registry
– Path: HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Run
– Value Name: Package Cache Cleaner
– Value Data: C:\Users\[user name]\AppData\Roaming\PackageCache\pckcache.exe
Registering to Task Scheduler:
– Name: Package Cache Cleaner
– Trigger: When the user logs on
– Task: %AppData%\PackageCache\pckcache.exe
![](https://i0.wp.com/asec.ahnlab.com/wp-content/uploads/2024/05/%ED%8C%8C%EC%9B%8C%EC%89%98-%EC%8B%A4%ED%96%89.png?resize=1024%2C177&ssl=1)
![](https://i0.wp.com/asec.ahnlab.com/wp-content/uploads/2024/05/20240522_092733.png?resize=1024%2C576&ssl=1)
![](https://i0.wp.com/asec.ahnlab.com/wp-content/uploads/2024/05/run%ED%82%A4-%EB%93%B1%EB%A1%9D-1.png?w=625&ssl=1)
![](https://i0.wp.com/asec.ahnlab.com/wp-content/uploads/2024/05/image-33.png?w=1024&ssl=1)
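As an added defender-side example (not code from the ASEC post), the following PowerShell script checks a host for the persistence artifacts listed above: the Run key value, the scheduled task, the dropped file under %AppData%\PackageCache and a running pckcache process. Only the names, paths and MD5 values come from the post; the query approach is an assumption about how a responder would verify them.

```powershell
# Added example: hunt for the persistence artifacts described in the ASEC post.
# Names, paths and hashes are taken from the post; the checks themselves are assumed.
$runKey    = 'HKCU:\SOFTWARE\Microsoft\Windows\CurrentVersion\Run'
$valueName = 'Package Cache Cleaner'
$taskName  = 'Package Cache Cleaner'
$filePath  = Join-Path $env:APPDATA 'PackageCache\pckcache.exe'
# MD5 IOCs from the post (Installer_x64_v531 and plugin_t4). pckcache.exe is a self-copy of the
# miner, so it matches plugin_t4 only if the copy is byte-identical; treat a miss as inconclusive.
$knownMd5  = @('ccbd43912387346590f48944278c9d5a', 'd029e44eb41900e78818f9666528a3c9')

$findings = @()

# 1. Run key value named "Package Cache Cleaner"
$runVal = Get-ItemProperty -Path $runKey -Name $valueName -ErrorAction SilentlyContinue
if ($runVal) {
    $findings += "Run key value '$valueName' = $($runVal.$valueName)"
}

# 2. Scheduled task named "Package Cache Cleaner" (logon trigger in the post)
$task = Get-ScheduledTask -TaskName $taskName -ErrorAction SilentlyContinue
if ($task) {
    $actions = ($task.Actions | ForEach-Object { "$($_.Execute) $($_.Arguments)".Trim() }) -join '; '
    $findings += "Scheduled task '$taskName' -> $actions"
}

# 3. Dropped file, with its MD5 compared against the post's IOCs
if (Test-Path -Path $filePath) {
    $md5 = (Get-FileHash -Path $filePath -Algorithm MD5).Hash.ToLower()
    $match = if ($knownMd5 -contains $md5) { 'matches a published IOC' } else { 'hash not in IOC list' }
    $findings += "File present: $filePath (MD5 $md5, $match)"
}

# 4. Miner process currently running under the self-duplicated name
Get-Process -Name 'pckcache' -ErrorAction SilentlyContinue | ForEach-Object {
    $findings += "Running process: PID $($_.Id) $($_.Path)"
}

if ($findings.Count -eq 0) {
    Write-Output 'No artifacts from the ASEC post were found on this host.'
} else {
    $findings | ForEach-Object { Write-Output "[!] $_" }
}
```

Run it in the context of the affected user account, since the Run key and %AppData% path are per-user (HKCU).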
Malware is actively being distributed via games and game emulators, so caution is advised when running executables downloaded from unreliable file-sharing websites. Users are recommended to download programs from the official websites of their developers. AhnLab detects this type of malware as follows.
[File Detection]
Trojan/Win.Agent.C5623899 (2024.05.21.02)
Trojan/Win.Generic.R603077 (2023.09.03.03)
[IOCs]
– Installer_x64_v531: ccbd43912387346590f48944278c9d5a
– plugin_t4: d029e44eb41900e78818f9666528a3c9