Catching CoinLoader: Decrypting the Malware Hijacking Networks for Cryptomining Operations | Darktrace Blog

Darktrace observed widespread CoinLoader loader infections in late 2023 that established encrypted C2 channels, used DNS tunnelling and DLL search-order hijacking, and in many cases led to cryptocurrency mining activity. Darktrace DETECT identified anomalous C2 and mining behavior while RESPOND autonomously blocked connections to MivoCloud-hosted infrastructure, preventing further payload delivery and cryptomining. #CoinLoader #MivoCloud

Key points

  • CoinLoader acted as a first-stage loader across multiple regions in late 2023, infecting endpoints primarily via trojanized software archives (RAR/ZIP) and likely phishing or drive-by downloads.
  • The malware employs DLL search-order hijacking, junk code, variable obfuscation, and encrypted shellcode/URL schemes to evade detection and disable endpoint protections.
  • Command-and-control used encrypted HTTPS (port 443) to rare external endpoints with self-signed certificates and hosting tied to MivoCloud (AS39798), largely within 185.225.0.0/19 IP ranges.
  • CoinLoader leveraged DNS tunnelling and MinerGate protocol connections (credential “x”) to carry out cryptomining on infected devices; ~15% of observed connections related to mining activity.
  • Darktrace DETECT models flagged anomalous SSL, rare endpoints, beaconing, and high-priority crypto-mining behaviors; RESPOND autonomously blocked suspicious connections to contain compromises.
  • Associated infrastructure included domain patterns like ams-update*.info and ucmetrix*.info, numerous IPs in 185.225.x.x and 194.180.x.x ranges, and TLS certs with OU=IT,O=MyCompany LLC issuer fields.
  • Additional observed post-compromise activity included connections to other malware families (e.g., Andromeda, ViperSoftX), though attribution of secondary drops was not always confirmed.

MITRE Techniques

  • [T1190] Exploit Public-Facing Application – Used as a potential initial access vector in observed compromises (‘Exploit Public-Facing Application – T1190’).
  • [T1566.002] Spearphishing Link – Phishing links are cited as a likely delivery method alongside trojanized downloads (‘Spearphishing Link – T1566.002’).
  • [T1189] Drive-by Compromise – Drive-by downloads from trojanized software repositories are noted as an infection route (‘Drive-by Compromise – T1189’).
  • [T1574.001] DLL Search Order Hijacking – CoinLoader “relies on dynamic-link library (DLL) search order hijacking to load malicious DLLs”.
  • [T1095] Non-Application Layer Protocol – Use of non-standard or covert channels (e.g., DNS tunnelling) for C2 communication (‘DNS tunnelling in order to covertly exchange information with attacker-controlled infrastructure’).
  • [T1571] Non-Standard Port – C2 observed over uncommon/rare external ports and repeated unusual SSL ports (‘Repeated Rare External SSL Self-Signed’ / ‘Unusual SSL Port’).
  • [T1090.002] External Proxy – Use of third-party hosting (MivoCloud) to proxy or host C2 infrastructure (‘All observed CoinLoader C2 servers were associated with the ASN of MivoCloud’).
  • [T1573] Encrypted Channel – C2 used encrypted HTTPS with self-signed certificates to hide traffic (‘encrypted C2 connections over port 433 to rare external endpoints using self-signed certificates’).
  • [T1071.001] Web Protocols – C2 and data exchange conducted over web protocols (HTTPS) (‘encrypted C2 connections … over port 433’).
  • [T1071.004] DNS – DNS tunnelling used to covertly exchange information with attacker-controlled infrastructure (‘uses DNS tunnelling in order to covertly exchange information with attacker-controlled infrastructure’).
  • [T1008] Fallback Channels – Use of multiple channels and domain patterns to maintain connectivity (‘Multi-Stage Channels’ and repeated domain naming patterns across C2 servers).
  • [T1104] Multi-Stage Channels – Loader behavior enables staged payload delivery and multiple communication phases (‘multi-phase nature of such compromises poses a significant threat … before delivering subsequent malicious payloads’).
  • [T1176] Browser Extensions – Listed under persistence techniques observed in mapping (‘Browser Extensions T1176’).
  • [T1583.006] Web Services – Use of web hosting and VPS services (MivoCloud) to develop and host attacker infrastructure (‘All observed CoinLoader C2 servers were associated with the ASN of MivoCloud’).
  • [T1588.001] Malware Resource Development – Creation/maintenance of malware infrastructure and trojanized installers used to distribute loader (‘CoinLoader is generally propagated through trojanized popular software or game installation archive files’).
  • [T1185] Man in the Browser – Collection technique mapping indicates web-based interception/stealing potential (‘Man in the Browser – T1185’).
  • [T1496] Resource Hijacking – Impact observed as cryptomining that consumes device resources (‘Compromise/High Priority Crypto Currency Mining’ and descriptions of cryptomining effects).

Indicators of Compromise

  • [Domain] C2 / DNS tunnelling domains – ams-updatea[.]info, ams-updateb[.]info, and other domain patterns like ucmetrix*.info (and ~20 more domains)
  • [IP Address] C2 servers (MivoCloud-associated) – 185.225[.]16.192, 185.225[.]17.108, and other IPs in 185.225.0.0/19 (and other listed addresses)
  • [IP Address] Cryptocurrency mining endpoints – 185.225[.]17.114, 185.225[.]17.118 (mining-related endpoints identified by MinerGate protocol)
  • [Certificate] SSL/TLS issuer fields used by C2 – emailAddress=admin@example[.]ltd,CN=example[.]ltd,OU=IT,O=MyCompany LLC,L=San Francisco,ST=California,C=US; CN=ucmetrixd[.]info,OU=IT,O=MyCompany LLC (examples)
  • [ASN / Hosting] Hosting provider – AS39798 MivoCloud SRL (all observed C2 servers associated with this ASN)
  • [Credential] Mining credential – MinerGate credential “x” observed in cryptomining connections (seen in prior cryptojacking compromises)

CoinLoader was delivered primarily via trojanized RAR/ZIP installers and likely phishing or drive-by downloads, then executed multi-stage behaviors to establish persistence and evade analysis. The loader employs DLL search-order hijacking to load malicious DLLs into legitimate processes, applies junk code and obfuscation, encrypts shellcode and URL schemes, and includes sandbox-evasion checks dependent on DNS cache records. These techniques reduce forensic visibility and complicate automated analysis.

After gaining a foothold, infected hosts established encrypted HTTPS C2 channels (notably over port 443) to VPS infrastructure hosted by MivoCloud (AS39798), often using self-signed certificates with OU=IT,O=MyCompany LLC issuer fields and domain patterns like ams-update*.info and ucmetrix*.info; CoinLoader also used DNS tunnelling for covert data exchange. Following C2 establishment, devices connected to MinerGate endpoints using the credential “x” and engaged in cryptomining (resource hijacking), and in some environments were observed contacting infrastructure related to other malware families.

Network detection focused on anomalous SSL/self-signed certificates, rare external endpoints, beaconing and repeated connections, DNS tunnelling, and high-volume/mining-specific traffic. Darktrace DETECT models flagged these behaviors and, where RESPOND was enabled, autonomously blocked device connections to the MivoCloud-hosted C2 servers, shutting down mining activity and preventing further payload retrievals—buying time for remediation.
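As an added example (not Darktrace's code or anything from the blog), the following Python triage script applies the indicators listed on this page to constructed SSL and DNS log records: a destination inside 185.225.0.0/19, the O=MyCompany LLC issuer field, the ams-update*.info / ucmetrix*.info domain pattern, and a DNS-tunnelling heuristic based on how much subdomain data a host sends to one registered domain. The record layout, the 200-character tunnelling threshold and the sample records are assumptions.

```python
import ipaddress
import re
from collections import Counter
# Indicators from the page (defanging brackets removed so they match log fields).
C2_CIDR = ipaddress.ip_network("185.225.0.0/19")
ISSUER_MARKER = "O=MyCompany LLC"   # shared by the self-signed C2 certificates
C2_DOMAIN = re.compile(r"^(ams-update|ucmetrix)[a-z]*\.info$", re.IGNORECASE)
TUNNEL_CHARS = 200  # assumed per-host threshold for encoded subdomain data

def in_c2_range(ip: str) -> bool:
    return ipaddress.ip_address(ip) in C2_CIDR

def c2_domain(name: str) -> bool:
    return bool(C2_DOMAIN.match(name.rstrip(".")))

def subdomain_chars(query: str) -> int:
    # DNS-tunnelling heuristic: characters carried in labels left of the
    # registered domain (assumes a two-label registered domain such as x.info).
    return sum(len(label) for label in query.rstrip(".").split(".")[:-2])

def triage(records):
    """Return (source host, reason) pairs for SSL/DNS records that match."""
    hits, tunnel = [], Counter()
    for r in records:
        if r["type"] == "ssl":
            reasons = []
            if in_c2_range(r["dst"]):
                reasons.append("dst in 185.225.0.0/19")
            if ISSUER_MARKER in r.get("issuer", ""):
                reasons.append("issuer O=MyCompany LLC")
            if c2_domain(r.get("sni", "")):
                reasons.append("SNI matches C2 domain pattern")
            if reasons:
                hits.append((r["src"], "; ".join(reasons)))
        elif r["type"] == "dns":
            registered = ".".join(r["query"].rstrip(".").split(".")[-2:])
            tunnel[(r["src"], registered)] += subdomain_chars(r["query"])
    for (src, registered), n in tunnel.items():
        if c2_domain(registered) or n > TUNNEL_CHARS:
            hits.append((src, f"possible DNS tunnelling to {registered} ({n} chars)"))
    return hits

SAMPLE = [  # constructed records, not taken from the page
    {"type": "ssl", "src": "10.0.0.5", "dst": "185.225.17.108", "sni": "ucmetrixd.info",
     "issuer": "CN=ucmetrixd.info,OU=IT,O=MyCompany LLC"},
    {"type": "ssl", "src": "10.0.0.6", "dst": "93.184.216.34", "sni": "www.example.com",
     "issuer": "CN=Example CA,O=Example Inc"},
    {"type": "dns", "src": "10.0.0.5", "query": "a9f3c2e1b8d4f6a7b1c2d3e4f5a6b7c8.ams-updatea.info"},
    {"type": "dns", "src": "10.0.0.6", "query": "www.example.com"},
]
```

Running `triage(SAMPLE)` flags only 10.0.0.5, once for the SSL session and once for the DNS traffic to ams-updatea.info; the benign host produces no hits.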

Read more: https://darktrace.com/blog/catching-coinloader-decrypting-the-malware-hijacking-networks-for-cryptomining-operations