AhnLab Security Intelligence Center has identified ongoing attacks targeting Korean Internet cafés, where threat actors use Gh0st RAT and T-Rex CoinMiner to compromise systems running Internet café management software. The attackers employ memory patching and downloaders to maintain persistence and mine cryptocurrency on infected machines. #Gh0stRAT #TRexCoinMiner #KoreanInternetCafes
Keypoints
- The attacks have been ongoing since the second half of 2024, targeting Korean Internet cafés using management programs.
- The threat actor uses Gh0st RAT and its droppers to gain remote control over infected systems.
- Patcher malware is used to modify the memory of the Internet café management software for persistence.
- T-Rex CoinMiner is deployed to mine cryptocurrency using the GPU capabilities of café PCs.
- Downloaders install additional malware, including Gh0st RAT, CoinMiners, and KillProc, which terminates competing mining processes.
- The threat actor’s initial access method remains unknown, but the attack involves installing malware in the management program’s installation paths.
- Administrators are advised to keep management software and OS updated and use file name indicators of compromise to detect infections.
MITRE Techniques
- [T1071] Application Layer Protocol – Gh0st RAT uses network communication with the signature string “Level” to control infected systems through C&C servers (‘…signature string used in communication with the C&C server is “Level” instead of “Gh0st”…’)
- [T1059] Command and Scripting Interpreter – Patcher malware manipulates the memory of the Internet café management program, possibly via memory reading and patching (‘…reads the memory pattern and compares it with the available pattern…memory is patched…’)
- [T1105] Ingress Tool Transfer – Downloaders are used to install Gh0st RAT, CoinMiners, and other malware onto infected systems (‘Downloaders are simple in form and responsible for installing CoinMiner, Gh0st RAT, droppers…’)
- [T1027] Obfuscated Files or Information – Gh0st RAT droppers are packed using Themida or MPRESS to evade detection (‘The dropper is usually packed with packers like Themida or MPRESS…’)
- [T1543] Create or Modify System Process – Gh0st RAT registers as a service to operate and maintain control over the system (‘…Gh0st RAT loaded in the memory registers itself as a service to operate…’)
Indicators of Compromise
- [MD5 Hashes] Malware file hashes detected – 04840bb2f22c28e996e049515215a744, 0b05b01097eec1c2d7cb02f70b546fff, and others
- [URLs] Download sources for malware – http://112.217.151.10/config.txt, http://112.217.151.10/mm.exe, and others
- [IP Addresses] Command and control or hosting IPs – 103.25.19.32, 113.21.17.102, 115.23.126.178, and others
- [File Names] Malware and related executables – cmd.exe (name used by the patcher and the Gh0st RAT dropper), mmc.exe, mtn.exe, syc.exe, and tnt.exe (T-Rex CoinMiner installation paths)
Read more: https://asec.ahnlab.com/en/88245/