ASEC Intelligence Center reports XMRig CoinMiner being distributed through a game emulator website, where a downloadable compressed package hides the miner within a bogus emulator installer. The malware persists via registry Run keys and Task Scheduler after being executed through PowerShell, with explicit anti-analysis and self-duplication steps.
#XMRig #CoinMiner #GameEmulator #ASEC #ASECBlog
Keypoints
- The CoinMiner is distributed on a site offering a game emulator for a popular gaming console; clicking the download button initiates a compressed file delivery.
- The downloaded archive contains emulator_installer.zip and a Readme.txt that provides a password to the archive.
- Decompressing emulator_installer.zip reveals an installation guide and the program that installs the emulator, but the emulator itself isn’t installed—a CoinMiner is created instead.
- After creation, the CoinMiner is executed via PowerShell commands and then self-duplicates to persist.
- Persistence is achieved by adding a startup entry in the Registry Run key and by registering a Scheduled Task to run on user logon.
- The self-duplicated file is named pckcache.exe, masquerading as a legitimate component and ensuring re-execution.
- Users are advised to download software only from official sources, with AhnLab’s detections noted for Trojan/Win.Agent and Trojan/Win.Generic families.
MITRE Techniques
- [T1204] User Execution – Malicious file downloaded after user action; the site prompts a download when the user clicks the button on the emulator page. Bracketed content: “…When a user clicks the download button on the right side of the webpage, a compressed file containing the game emulator is downloaded.”
- [T1560.001] Decompress/Unarchive Files – The game emulator is delivered as a compressed file and decompressed to reveal components. Bracketed content: “Decompressing emulator_installer.zip reveals an installation guide and the program to install the emulator.”
- [T1059.001] PowerShell – The CoinMiner is executed through PowerShell commands. Bracketed content: “Afterward, it self-duplicates and adds itself to the registry and the Task Scheduler” (implied PowerShell execution pathway).
- [T1547.001] Registry Run Keys/Startup Folder – Persistence via the Run key: “Path: HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Run – Value Data: C:\Users\[user name]\AppData\Roaming\PackageCache\pckcache.exe”. Bracketed content: “Path: HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Run – Value Data: …”
- [T1053.005] Scheduled Task – Persistence via Task Scheduler: “Trigger: When the user logs on” and “Task: %AppData%\PackageCache\pckcache.exe”. Bracketed content: “Registering to Task Scheduler… Name: Package Cache Cleaner… Trigger: When the user logs on.”
- [T1036] Masquerading – Self-duplicated file named pckcache.exe and use of a seemingly legitimate registry value name. Bracketed content: “Self-duplicated File Name – ‘pckcache.exe’”
Indicators of Compromise
- [File Hash] ccbd43912387346590f48944278c9d5a, d029e44eb41900e78818f9666528a3c9 – Hashes associated with installer components inside emulator_installer.zip (Installer_x64_v531) and plugin_t4.
- [File Name] emulator_installer.zip, pckcache.exe – Files involved in the download/installation chain and the self-duplicating coinminer.
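The persistence artefacts listed under T1547.001 and T1053.005, together with the file indicators above, can be triaged on a Windows host with a short PowerShell check. The script below is an added example written for this summary; it is not code from the ASEC post or from AhnLab. It takes the Run key path, the %AppData%\PackageCache\pckcache.exe location, the task name “Package Cache Cleaner” and the two MD5 hashes from the post, and assumes the host has the ScheduledTasks module (Get-ScheduledTask, Windows 8 / Server 2012 and later). The post attributes the two hashes to installer components rather than to pckcache.exe itself, so a pckcache.exe at the dropped path is reported as a finding whether or not its hash matches.

```powershell
# Added example (not from the ASEC post): defender-side triage for the pckcache.exe
# persistence described above. Returns findings as objects so they can be piped to
# Export-Csv or a SIEM forwarder.

# Indicator values quoted from the post.
$IndicatorFile = 'pckcache.exe'
$IndicatorDir  = 'PackageCache'
$IndicatorTask = 'Package Cache Cleaner'
$IndicatorMd5  = @('ccbd43912387346590f48944278c9d5a', 'd029e44eb41900e78818f9666528a3c9')

function Find-PckcachePersistence {
    $findings = @()
    # Regex for "PackageCache\pckcache.exe" with the backslash and dot escaped.
    $pattern = [regex]::Escape("$IndicatorDir\$IndicatorFile")

    # 1. Registry Run key (T1547.001): any value whose data points at the dropped file.
    $runKey = 'HKCU:\SOFTWARE\Microsoft\Windows\CurrentVersion\Run'
    if (Test-Path $runKey) {
        $props = Get-ItemProperty -Path $runKey
        foreach ($p in $props.PSObject.Properties) {
            if ($p.Name -like 'PS*') { continue }   # skip provider metadata (PSPath, PSParentPath, ...)
            if ("$($p.Value)" -match $pattern) {
                $findings += [pscustomobject]@{ Source = 'RunKey'; Name = $p.Name; Detail = "$($p.Value)" }
            }
        }
    }

    # 2. Scheduled tasks (T1053.005): match on the quoted task name or on any action
    #    that executes pckcache.exe, whatever the task is called.
    foreach ($task in Get-ScheduledTask -ErrorAction SilentlyContinue) {
        $actions = @($task.Actions | ForEach-Object { "$($_.Execute) $($_.Arguments)" })
        $byName   = ($task.TaskName -eq $IndicatorTask)
        $byAction = (@($actions -match [regex]::Escape($IndicatorFile)).Count -gt 0)
        if ($byName -or $byAction) {
            $findings += [pscustomobject]@{
                Source = 'ScheduledTask'
                Name   = "$($task.TaskPath)$($task.TaskName)"
                Detail = ($actions -join '; ')
            }
        }
    }

    # 3. Dropped file: presence at the documented path plus its MD5 for comparison.
    $path = Join-Path $env:APPDATA "$IndicatorDir\$IndicatorFile"
    if (Test-Path $path) {
        $md5 = (Get-FileHash -Path $path -Algorithm MD5).Hash.ToLower()
        if ($IndicatorMd5 -contains $md5) { $detail = "MD5 $md5 matches a listed IoC" }
        else { $detail = "MD5 $md5 (not among the listed hashes; file presence alone is suspicious)" }
        $findings += [pscustomobject]@{ Source = 'File'; Name = $path; Detail = $detail }
    }

    return $findings
}

$results = @(Find-PckcachePersistence)
if ($results.Count -eq 0) { Write-Output 'No pckcache.exe persistence artefacts found.' }
else { $results | Format-Table -AutoSize }
```

The Run-key check runs as the current user because the post places the value under HKCU; to sweep every profile, enumerate the loaded hives under HKU:\ and repeat the same property scan, and pair the scheduled-task check with an export of Task Scheduler event ID 106 (task registered) from the Microsoft-Windows-TaskScheduler/Operational log to catch tasks that were created and later removed.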
Read more: https://asec.ahnlab.com/en