AhnLab SEcurity intelligence Center (ASEC) recently found that XMRig CoinMiner is being distributed through a game emulator. Similar cases have been covered in previous ASEC Blog posts several times, as listed below.
- Orcus RAT Being Distributed Disguised as a Hangul Word Processor Crack
- Monero CoinMiner Being Distributed via Webhards
- XMRig CoinMiner Installed via Game Hacks
1. Distribution Channel
The CoinMiner was found to be distributed on a website that provides a game emulator for a well-known gaming console. When a user clicks the download button on the right side of the webpage, a compressed file containing the game emulator is downloaded.
Searching the game emulator on search engines shows that many blog posts introduce this emulator without realizing that it contains malware.
2. CoinMiner Installed via Game Emulator
The game emulator is downloaded as a compressed file as shown in Figure 5. Inside it is Readme.txt, which contains the password to emulator_installer.zip and a troubleshooting guide.
Decompressing emulator_installer.zip reveals an installation guide and the program that supposedly installs the emulator. When the installation file is run, a progress bar for the installation of the game emulator appears, as shown in Figure 8. However, no emulator is actually installed. Instead, a CoinMiner embedded in the resources of the installation file is dropped to disk.
After the CoinMiner is dropped, it is executed through PowerShell commands. It then copies itself, registers the copy in the registry Run key and in the Task Scheduler, and finally executes the copy, which performs the coin mining.
Self-duplicated File Name
– “pckcache.exe”
Path to Registry
– Path: HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Run
– Value Name: Package Cache Cleaner
– Value Data: C:\Users\[user name]\AppData\Roaming\PackageCache\pckcache.exe
Task Scheduler Registration
– Name: Package Cache Cleaner
– Trigger: When the user logs on
– Task: %AppData%\PackageCache\pckcache.exe
As malware strains are actively being distributed via games and game emulators, users need to be cautious when running executables downloaded from unreliable file-sharing websites. It is recommended that users download programs only from the official websites of their developers. This type of malware is diagnosed by AhnLab as follows.
[File Detection]
Trojan/Win.Agent.C5623899 (2024.05.21.02)
Trojan/Win.Generic.R603077 (2023.09.03.03)
[IOCs]
– Installer_x64_v531: ccbd43912387346590f48944278c9d5a
– plugin_t4: d029e44eb41900e78818f9666528a3c9
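The following PowerShell script is an added hunting example, not code from the ASEC post. It checks a Windows host for the persistence artifacts described above (the Run-key value, the scheduled task, and the self-duplicated pckcache.exe) and compares the MD5 of any file it finds against the two IOC hashes listed in the post. The artifact names and paths are the ones stated in the post; the function name Test-Ioc and the output format are assumptions made for this example.

```powershell
# Added hunting script (not from the ASEC post). Checks for the persistence
# artifacts described in the post and hashes any located file against its IOCs.

$RunKeyPath  = 'HKCU:\SOFTWARE\Microsoft\Windows\CurrentVersion\Run'
$ValueName   = 'Package Cache Cleaner'
$TaskName    = 'Package Cache Cleaner'
$DroppedFile = Join-Path $env:APPDATA 'PackageCache\pckcache.exe'

# MD5 IOCs listed in the post (Installer_x64_v531 and plugin_t4). The dropped
# pckcache.exe is not guaranteed to match either; the persistence hit alone matters.
$KnownMd5 = @(
    'ccbd43912387346590f48944278c9d5a',
    'd029e44eb41900e78818f9666528a3c9'
)

# Returns $true when the file at $Path exists and its MD5 is in the IOC list.
function Test-Ioc {
    param([Parameter(Mandatory)][string]$Path)
    if (-not (Test-Path -LiteralPath $Path)) { return $false }
    $hash = (Get-FileHash -LiteralPath $Path -Algorithm MD5).Hash.ToLower()
    return $KnownMd5 -contains $hash
}

$findings = @()

# 1. Autostart entry in the current user's Run key
$runValue = Get-ItemProperty -Path $RunKeyPath -Name $ValueName -ErrorAction SilentlyContinue
if ($runValue) {
    $findings += [pscustomobject]@{
        Artifact = 'Run key'
        Detail   = "$ValueName = $($runValue.$ValueName)"
    }
}

# 2. Scheduled task with the same display name; report its action and trigger type
$task = Get-ScheduledTask -TaskName $TaskName -ErrorAction SilentlyContinue
if ($task) {
    $actions  = ($task.Actions  | ForEach-Object { "$($_.Execute) $($_.Arguments)".Trim() }) -join '; '
    $triggers = ($task.Triggers | ForEach-Object { $_.CimClass.CimClassName }) -join '; '
    $findings += [pscustomobject]@{
        Artifact = 'Scheduled task'
        Detail   = "$TaskName -> $actions (triggers: $triggers)"
    }
}

# 3. Self-duplicated file on disk, plus an MD5 comparison against the post's IOCs
if (Test-Path -LiteralPath $DroppedFile) {
    $md5 = (Get-FileHash -LiteralPath $DroppedFile -Algorithm MD5).Hash.ToLower()
    $findings += [pscustomobject]@{
        Artifact = 'Dropped file'
        Detail   = "$DroppedFile (MD5 $md5; matches listed IOC: $(Test-Ioc -Path $DroppedFile))"
    }
}

if ($findings.Count -eq 0) {
    Write-Output 'No persistence artifacts from this CoinMiner campaign were found.'
} else {
    $findings | Format-Table -AutoSize
}
```

Run it in the context of the user whose profile is being examined, since both the Run key (HKCU) and the %AppData% path are per-user. Test-Ioc can also be pointed at a downloaded emulator archive or installer to check it against the listed hashes before it is ever opened.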
Subscribe to AhnLab’s next-generation threat intelligence platform ‘AhnLab TIP’ to check related IOC and detailed analysis information.
The post XMRig CoinMiner Installed via Game Emulator appeared first on ASEC BLOG.