Threat researchers from SonicWall Capture Labs found a sample masquerading as Windows Explorer that, when run, installs and runs a crypto miner by dropping files in the Windows Fonts directory and modifying registry entries. It uses legitimate Windows components (cmd, regedit) to start mining and persist configuration, with SonicWall offering protections against the threat. #MinerXMR1 #SonicWallCaptureLabs
Keypoints
- The sample purports to be Windows Explorer, using the legitimate Explorer icon and Microsoft file properties to avoid initial suspicion.
- On execution, malicious files are dropped into the Windows Fonts directory (%windir%\Fonts): the miner binary, a batch file, and two registry scripts.
- The malware spawns the Windows command shell to run the batch file (1.bat), which starts the mining process.
- The batch file runs attrib to set the read-only (+r) and archive (+a) attributes on the entire Fonts directory; this is an attribute change rather than an ACL change, and the report classes it as persistence/defense evasion.
- Two registry files (server.reg and restart.reg) are imported via regedit.exe to modify the system registry, and both files are deleted afterwards.
- Static analysis found a second mining configuration, with a different pool address and wallet, present in the binary but not used at runtime.
MITRE Techniques
- [T1036] Masquerading – The attacker uses the Windows Explorer icon and Microsoft file properties to appear legitimate. Quote: “…purporting to be Windows Explorer. At a glance, everything checks out – it uses the legitimate Windows Explorer icon and the file properties say Microsoft…”
- [T1059.003] Windows Command Shell – The batch file is executed by spawning the Windows command interpreter. Quote: “spawns the Windows command interpreter to execute the batch file.”
- [T1112] Modify Registry – The batch flow imports registry keys/values via regedit.exe using server.reg and restart.reg. Quote: “…inserted into the system registry using regedit.exe.”
- [T1222.001] File and Directory Permissions Modification – The attrib command sets the Fonts directory to read-only and archive. Quote: “runs the attrib command to set attributes of the entire %fonts% directory as a read-only (+r) and archive (+a).”
- [T1070.004] File Deletion – The malware deletes the registry files after importing them to hinder analysis. Quote: “Next, it deletes these registry files…”
Indicators of Compromise
- [File name] Dropped into the Windows Fonts directory – svchost.exe, 1.bat, server.reg, restart.reg (svchost.exe is a legitimate Windows file name; the indicator is its presence and execution under %windir%\Fonts rather than System32/SysWOW64)
- [Directory] %windir%\Fonts – directory where the malicious artifacts are placed and whose attributes are changed
- [Process] regedit.exe – Used to import the registry scripts server.reg and restart.reg
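The behaviours in the keypoints, the MITRE mapping and the IOC list above can be turned into detection logic over process-creation and file-deletion telemetry (Sysmon EID 1/23 or Security 4688 style records). The following is an added example written for this summary, not code from SonicWall or from the report; the drive letter C:, the exact command-line switches (for example `regedit /s`) and the sample events are constructed assumptions, since the report names the files and tools but not the full command lines.

```python
"""Detection rules for the fake-Explorer miner chain, run over constructed telemetry.

Added example for this summary; the paths, switches and events are assumed, not
taken from the SonicWall report, which names only the tools and file names.
"""
import re
from dataclasses import dataclass

# Assumed install location; the report says "%fonts%", not the drive letter.
FONTS_DIR = r"c:\windows\fonts"
# File names the report says are dropped into the Fonts directory.
DROPPED_NAMES = {"svchost.exe", "1.bat", "server.reg", "restart.reg"}
# Pattern for a file under Fonts with the given extension (no spaces/quotes in name).
_FONTS_FILE = re.escape(FONTS_DIR) + r"\\[^\s\"]+\.%s"


@dataclass
class ProcEvent:
    """Minimal process-creation record (fields that Sysmon EID 1 and 4688 both carry)."""
    image: str
    command_line: str
    parent_image: str = ""


def _basename(path: str) -> str:
    return path.rsplit("\\", 1)[-1]


def detect(ev: ProcEvent) -> list[str]:
    """Return ATT&CK-tagged findings for one process-creation event (empty = clean)."""
    image = ev.image.lower().replace("/", "\\")
    cmd = ev.command_line.lower().replace("/", "\\")
    exe = _basename(image)
    hits = []

    # Fonts holds fonts, not executables: anything running from there is suspect.
    if image.startswith(FONTS_DIR + "\\"):
        hits.append("T1036 Masquerading: executable running from %windir%\\Fonts")
        if exe == "svchost.exe":
            hits.append("T1036 Masquerading: svchost.exe outside System32/SysWOW64")

    # cmd.exe launching a batch file from Fonts (the report's 1.bat).
    if exe == "cmd.exe" and re.search(_FONTS_FILE % "bat", cmd):
        hits.append("T1059.003 Windows Command Shell: batch file launched from Fonts")

    # attrib adding +r / +a on the Fonts directory.
    if exe == "attrib.exe" and FONTS_DIR in cmd and re.search(r"\+[ra]\b", cmd):
        hits.append("T1222.001 Permissions Modification: attrib on Fonts directory")

    # regedit importing a .reg file from Fonts, whatever switch is used.
    if exe == "regedit.exe" and re.search(_FONTS_FILE % "reg", cmd):
        hits.append("T1112 Modify Registry: regedit import of .reg file from Fonts")

    return hits


def detect_file_delete(target_path: str) -> list[str]:
    """Deletion of a .reg file under Fonts (batch-internal 'del' never spawns a process,
    so this needs file-delete telemetry such as Sysmon EID 23, not process events)."""
    path = target_path.lower().replace("/", "\\")
    if path.startswith(FONTS_DIR + "\\") and path.endswith(".reg"):
        return ["T1070.004 File Deletion: .reg file removed from Fonts"]
    return []


def techniques_observed(proc_events, deleted_files) -> list[str]:
    """Collapse all findings on a host into the sorted set of ATT&CK IDs seen."""
    ids = set()
    for ev in proc_events:
        ids.update(h.split()[0] for h in detect(ev))
    for path in deleted_files:
        ids.update(h.split()[0] for h in detect_file_delete(path))
    return sorted(ids)


# Constructed sample telemetry modelling the chain the report describes.
SAMPLE_PROCS = [
    ProcEvent(r"C:\Windows\System32\svchost.exe", "svchost.exe -k netsvcs"),          # benign
    ProcEvent(r"C:\Windows\System32\cmd.exe", r'cmd /c "C:\Windows\Fonts\1.bat"', r"C:\Users\bob\explorer.exe"),
    ProcEvent(r"C:\Windows\System32\attrib.exe", r"attrib +r +a C:\Windows\Fonts", r"C:\Windows\System32\cmd.exe"),
    ProcEvent(r"C:\Windows\regedit.exe", r"regedit /s C:\Windows\Fonts\server.reg", r"C:\Windows\System32\cmd.exe"),
    ProcEvent(r"C:\Windows\regedit.exe", r"regedit /s C:\Windows\Fonts\restart.reg", r"C:\Windows\System32\cmd.exe"),
    ProcEvent(r"C:\Windows\Fonts\svchost.exe", "svchost.exe", r"C:\Windows\System32\cmd.exe"),
]
SAMPLE_DELETES = [r"C:\Windows\Fonts\server.reg", r"C:\Windows\Fonts\restart.reg"]

if __name__ == "__main__":
    for ev in SAMPLE_PROCS:
        for hit in detect(ev):
            print(f"{ev.image}: {hit}")
    print("techniques:", techniques_observed(SAMPLE_PROCS, SAMPLE_DELETES))
```

The rules key on the Fonts directory rather than on the file names, because the names (svchost.exe in particular) are chosen to look normal; the location is the durable indicator. The deletion of the .reg files happens inside the batch file, so it is only visible in file-delete telemetry, which is why that check is a separate function rather than a process-event rule.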
Read more: https://blog.sonicwall.com/en-us/2024/04/fake-windows-explorer-installs-a-crypto-miner/