ASEC’s analysis shows BitRAT and XMRig CoinMiner being distributed as a Windows license verification tool, with the payloads deployed via a MediaFire-hosted 7z SFX bundle and downloader chains that depend on the victim’s environment. The campaign uses Defender exclusions, Run registry persistence, anti-VM checks, and Telegram-based exfiltration, delivering BitRAT or XMRig based on whether V3 is present. #BitRAT #XMRig #KMSTools #MediaFire #TelegramAPI
Keypoints
- The malware distribution targets Windows users by disguising the payload as a KMS Windows license verification tool and hosting it on MediaFire, later shared on Korean community sites.
- A compressed 7z SFX wrapper (KMS Tools Unpack.exe) is used to install the payload, enabling installer-like execution with potential to run embedded commands during installation.
- PowerShell is used to download MSI payloads and to configure Defender exclusions, while a RUN key is used for persistence across reboots.
- Antivirus/anti-malware evasion includes anti-VM/anti-sandbox checks and environment-dependent payload selection (ASDSvc check for V3 presence).
- The environment determines whether BitRAT or XMRig CoinMiner is installed; V3 presence leads to XMRig mining, while absence leads to BitRAT deployment.
- BitRAT provides remote control features and can host extra modules like coin mining, proxies, and info-stealing; XMRig miner runs under svchost.exe to blend in with system processes.
- Telegram’s API is used to exfiltrate basic system information before the malware cleans up, and C2 communications point to a BitRAT server at a specific IP.
MITRE Techniques
- [T1105] Ingress Tool Transfer – Initial distribution occurs via a MediaFire-hosted compressed file disguised as a KMS Windows license verification tool. ‘The malware has currently been uploaded as a compressed file disguised as a KMS Windows license verification tool on a file hosting website called MediaFire.’
- [T1027] Obfuscated/Compressed Files and Information – A 7z SFX bundle is used to deliver the executable; the malware is disguised as ‘KMS Tools Unpack.exe’. ‘“KMS Tools Unpack.exe” is a 7z SFX, in other words, a compressed executable file.’
- [T1059.001] PowerShell – Downloader uses PowerShell to fetch payloads and to configure exclusions; ‘The powershell command makes it appear as if the MSI format malware… but the downloaded malware is actually an executable.’
- [T1562.001] Impair Defenses – The malware excludes its download path and processes from Windows Defender scans; ‘Add-MpPreference -ExclusionPath…’ and ‘Add-MpPreference -ExclusionProcess…’
- [T1547.001] Boot or Logon Autostart Execution: Registry Run Keys/Startup Folder – Persistence is achieved by registering a Run key to launch at startup; ‘…registered under a RUN key to run even after rebooting.’
- [T1055] Process Injection – BitRAT injects into legitimate processes to conceal execution; ‘BitRAT will disguise itself as a normal process by operating within the InstallUtil process memory.’
- [T1497] Virtualization/Sandbox Evasion – Anti-VM/Anti-Sandbox checks determine whether to download subsequent payloads; ‘Anti VM and Anti Sandbox feature that scans to see if the process “vmtoolsd” and “asdmon” are active.’
- [T1496] Resource Hijacking – XMRig CoinMiner is installed in environments with V3 present; ‘XMRig CoinMiner is installed instead of a BitRAT in environments where V3 is present.’
- [T1071.001] Application Layer Protocol – Telegram-based C2/exfiltration channel; ‘Telegram API used to send infected system information: hxxps://api.telegram[.]org/bot5538205016:AAH7S9IGtFpb6RbC8W2TfNkjD7Cj_3qxCnI/sendMessage’
Indicators of Compromise
- [IP] C2 – 147.189.161[.]248:80 (BitRAT)
- [MD5] 74120cfeca3b003c6dbf81707216c22c (Installer – KMS Tools Unpack.exe), ce985a31420169f002706fb46d5e8cd0 (Downloader – KMS.msi), d6cb1c1dd51917214ff41b76e904769e (BitRAT – obieznne.msi), 4e5cb75c3c99f30c7a22b940fd107505 (XMRig CoinMiner – wniavctm.msi)
- [URL] hxxp://purposedesigns[.]net:443/KMS.msi, hxxp://purposedesigns[.]net:443/obieznne.msi, hxxp://purposedesigns[.]net:443/wniavctm.msi
- [Domain] MediaFire – used as the hosting platform for the initial compressed payload
- [Domain] purposedesigns.net – the download domain for KMS/obieznne/wniavctm MSI payloads
- [Domain] api.telegram.org – Telegram API used to send infected system information
- [FileName] KMS Tools Unpack.exe, KMS.msi, obieznne.msi, wniavctm.msi – payload components
- [FileName] software_reporter_tool.exe (dropped under the Google folder in the user’s AppData\Local) – download target path for the miner/loader
- [Credential] coinzz88.test – mining pool username; Pass: “” (empty)
- [FilePath] C:\Users\[User Name]\AppData\Local\Google\software_reporter_tool.exe – path where the downloader saves the malware
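The following host-triage script is an added example for defenders and is not part of the ASEC report; it checks a single Windows host for the artifacts described in the technique and IoC lists above (Defender exclusions, Run-key persistence, the AppData drop path, the listed MD5 hashes, the BitRAT C2 address and the InstallUtil host process). It assumes an elevated PowerShell prompt on a host with the Defender and NetTCPIP modules available; the regular expressions used to flag exclusions and Run values are the author's own heuristics, and every hash, address and path is copied from the lists on this page.

```powershell
# Added host-triage script (not from the ASEC report). Checks for the artifacts the
# report describes: Defender exclusions (T1562.001), Run-key persistence (T1547.001),
# the dropped software_reporter_tool.exe, the IoC hashes, the BitRAT C2 (T1071) and
# the InstallUtil injection host (T1055). Run from an elevated PowerShell prompt.

# IoCs copied from the report summary above.
$KnownMd5 = @(
    '74120cfeca3b003c6dbf81707216c22c',  # Installer  - KMS Tools Unpack.exe
    'ce985a31420169f002706fb46d5e8cd0',  # Downloader - KMS.msi
    'd6cb1c1dd51917214ff41b76e904769e',  # BitRAT     - obieznne.msi
    '4e5cb75c3c99f30c7a22b940fd107505'   # XMRig      - wniavctm.msi
)
$C2Address = '147.189.161.248'

$findings = New-Object System.Collections.Generic.List[string]

# 1. Defender exclusions: the downloader excludes its own drop path and process, so any
#    exclusion under a per-user AppData\Local path or naming the drop file is suspicious.
#    (Heuristic pattern chosen for this example.)
$pref = Get-MpPreference
foreach ($entry in @($pref.ExclusionPath) + @($pref.ExclusionProcess)) {
    if ($entry -and $entry -match 'AppData\\Local|software_reporter_tool') {
        $findings.Add("Defender exclusion: $entry")
    }
}

# 2. Run-key persistence in both the per-user and machine hives.
$runKeys = @(
    'HKCU:\Software\Microsoft\Windows\CurrentVersion\Run',
    'HKLM:\Software\Microsoft\Windows\CurrentVersion\Run'
)
foreach ($key in $runKeys) {
    if (-not (Test-Path $key)) { continue }
    $props = Get-ItemProperty -Path $key
    foreach ($prop in ($props.PSObject.Properties | Where-Object { $_.Name -notmatch '^PS' })) {
        $value = [string]$prop.Value
        if ($value -match 'software_reporter_tool|KMS Tools|InstallUtil') {
            $findings.Add("Run key ${key}\$($prop.Name) -> $value")
        }
    }
}

# 3. Dropped file and hash check for every user profile on the host.
foreach ($userDir in Get-ChildItem 'C:\Users' -Directory -ErrorAction SilentlyContinue) {
    $candidate = Join-Path $userDir.FullName 'AppData\Local\Google\software_reporter_tool.exe'
    if (Test-Path $candidate) {
        $md5 = (Get-FileHash -Path $candidate -Algorithm MD5).Hash.ToLower()
        $tag = if ($KnownMd5 -contains $md5) { 'matches an IoC hash' } else { 'unknown hash, review manually' }
        $findings.Add("Dropped file $candidate ($md5, $tag)")
    }
}

# 4. Live connection to the BitRAT C2 and the InstallUtil process BitRAT injects into.
$conns = Get-NetTCPConnection -ErrorAction SilentlyContinue | Where-Object { $_.RemoteAddress -eq $C2Address }
foreach ($conn in $conns) {
    $findings.Add("TCP connection to C2 $C2Address from PID $($conn.OwningProcess)")
}
foreach ($proc in Get-Process -Name InstallUtil -ErrorAction SilentlyContinue) {
    $findings.Add("InstallUtil.exe running (PID $($proc.Id)); BitRAT hides inside this process")
}

if ($findings.Count -eq 0) {
    'No indicators from the ASEC report found on this host.'
} else {
    $findings | ForEach-Object { "[!] $_" }
}
```

An InstallUtil.exe process or an AppData exclusion is not proof of infection on its own (developers legitimately use both), so treat the script's output as triage leads to confirm with the hash match, the Run value and the network connection taken together.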
Read more: https://asec.ahnlab.com/en/37939/