Keypoints
- Attackers distribute a malicious MSI named JavaAccessBridge-64.msi that pretends to be the Java Access Bridge installer but installs XMRig.
- The installer drops multiple files into the public user profile folders, including ContentStore.bat, certificate .tmp files (DMIDD*.tmp), the miner executable JavaAccessBridge-64.exe, config.json, and the WinRing0x64.sys driver.
- Execution is performed by spawning cmd.exe to run ContentStore.bat, which then launches the XMRig executable using the dropped config.json settings.
- The .tmp files are certificate files included by the installer, likely used to support execution or evade detection.
- SonicWall provides detection signatures (GAV: Malagent.JAV and GAV: XMRig.XMR_4) and notes the threat is detected by Capture ATP w/RTDMI and Capture Client.
- Operators should obtain software only from official sources and audit unexpected installers and scheduled tasks to detect persistence mechanisms.
MITRE Techniques
- [T1566.001] Phishing: Spearphishing Attachment – Delivery via a malicious MSI masquerading as a legitimate installer (‘The sample arrives as a Windows installer package (msi) file, pretending to be a legitimate Java Access Bridge installer.’).
- [T1204.002] User Execution: Malicious File – The infection requires the user to run the fake installer which executes the miner (‘user initiates the infection process by executing the fake Java Access Bridge installer, leading to the installation and execution of the XMRig cryptominer.’).
- [T1053.005] Scheduled Task/Job: Scheduled Task – A batch file (ContentStore.bat) is created and used to run commands for persistence via scheduled execution (‘The malware creates a batch file, ContentStore.bat, and uses scheduled tasks to ensure the persistence of the cryptominer on the infected system.’).
- [T1548.002] Abuse Elevation Control Mechanism: Bypass User Account Control – The malware spawns the Windows command prompt to execute elevated commands possibly bypassing UAC (‘spawning the Windows command prompt utility and executing commands through a batch file…’).
- [T1140] Deobfuscate/Decode Files or Information – The installer drops .tmp certificate files which may be used to obfuscate or validate components (‘The .tmp files created are all certificate files’).
- [T1027] Obfuscated Files or Information – The campaign hides the miner behind a legitimate-sounding Java utility installer to evade detection (‘uses a seemingly legitimate Java utility installer as a cover for the cryptominer installation.’).
- [T1555.003] Credentials from Password Stores: Credentials from Web Browsers – While not directly observed, analysis notes cryptominers can be paired with components to harvest stored credentials (‘cryptominers like XMRig can be configured or paired with additional components to steal credentials…’).
- [T1496] Resource Hijacking – The installed XMRig mines cryptocurrency using host CPU/GPU resources without consent (‘By installing XMRig, the malware hijacks the system’s resources…’).
Indicators of Compromise
- [File name] Installer and executable – JavaAccessBridge-64.msi, JavaAccessBridge-64.exe
- [Batch file] Persistence script – ContentStore.bat
- [Config file] Miner configuration – config.json (used to run XMRig)
- [Certificate files] Dropped .tmp certs – DMIDD11.tmp through DMIDD14.tmp (four files in total)
- [Driver] Kernel driver used by miner – WinRing0x64.sys
The attacker delivers a malicious MSI named JavaAccessBridge-64.msi that masquerades as Java Access Bridge. When executed by the user, the installer drops a set of artifacts into public user directories: a batch script (ContentStore.bat), several .tmp certificate files (DMIDD11.tmp–DMIDD14.tmp), the main miner binary (JavaAccessBridge-64.exe) under /User/Public/Videos, a miner configuration file (config.json), and a WinRing0x64.sys driver required by XMRig.
Execution is automated by spawning cmd.exe to run ContentStore.bat, which issues the command-line invocations that install and start the XMRig binary using settings from the dropped config.json. The dropped .tmp files are certificate files; the miner itself runs in the background, consuming CPU/GPU resources to mine cryptocurrency.
Detection is available via SonicWall signatures (GAV: Malagent.JAV and GAV: XMRig.XMR_4) and by Capture ATP w/RTDMI and Capture Client; defenders should validate installer sources, audit scheduled tasks and unexpected binaries, and inspect the listed IOC filenames and locations to identify compromised hosts.
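The following host-triage script is an added example, not code from the SonicWall write-up. It turns the IOC list and the "audit scheduled tasks and unexpected binaries" guidance above into something a responder can run: it walks the public profile directories for the listed file names (the DMIDD11–DMIDD14 .tmp range, ContentStore.bat, JavaAccessBridge-64.exe/.msi, WinRing0x64.sys), flags any config.json that has the shape of an XMRig miner configuration, and checks exported scheduled-task command lines for references to the batch file or miner binary. The default root `C:\Users\Public`, the XMRig config heuristic (a top-level `pools` list whose entries carry a `url`), and the sample tree built by `build_sample_tree()` are all assumptions or constructed data; the post does not reproduce the dropped config.json.

```python
"""Added host-triage example for the fake Java Access Bridge / XMRig campaign.
Hunts for the file-name IOCs from the post and for XMRig-style config.json
files, and flags scheduled-task commands that reference them.
Assumptions: standard Windows public-profile layout; XMRig config format."""
import json
import os
import re
import tempfile

# File-name IOCs taken from the write-up (matched case-insensitively).
IOC_FILENAMES = {
    "javaaccessbridge-64.msi",
    "javaaccessbridge-64.exe",
    "contentstore.bat",
    "winring0x64.sys",
}
# The post lists DMIDD11.tmp through DMIDD14.tmp; match exactly that range.
TMP_CERT_PATTERN = re.compile(r"^dmidd1[1-4]\.tmp$", re.IGNORECASE)

# Default hunt root (assumption: standard Windows layout; the post names the
# public profile, e.g. the Videos folder, as the drop location).
DEFAULT_ROOTS = [r"C:\Users\Public"]


def is_ioc_name(name: str) -> bool:
    """True if a bare file name matches one of the page's file IOCs."""
    lower = name.lower()
    return lower in IOC_FILENAMES or bool(TMP_CERT_PATTERN.match(lower))


def looks_like_xmrig_config(path: str) -> bool:
    """Heuristic (assumption based on XMRig's documented config layout): the
    miner's config.json has a top-level "pools" list of objects with a "url".
    Unparseable or differently shaped JSON is not flagged."""
    try:
        with open(path, "r", encoding="utf-8") as fh:
            data = json.load(fh)
    except (OSError, ValueError):
        return False
    pools = data.get("pools") if isinstance(data, dict) else None
    return isinstance(pools, list) and any(
        isinstance(p, dict) and "url" in p for p in pools
    )


def scan_for_iocs(roots=None):
    """Walk each root and return a sorted list of (path, reason) hits."""
    hits = []
    for root in roots or DEFAULT_ROOTS:
        for dirpath, _dirs, files in os.walk(root):
            for name in files:
                full = os.path.join(dirpath, name)
                if is_ioc_name(name):
                    hits.append((full, "ioc filename"))
                elif name.lower() == "config.json" and looks_like_xmrig_config(full):
                    hits.append((full, "xmrig-style config.json"))
    return sorted(hits)


def flag_scheduled_tasks(tasks):
    """tasks: iterable of (task_name, command_line) pairs, e.g. parsed from
    `schtasks /query /v /fo csv`. Returns names of tasks whose command
    references the batch file or miner binary named in the post."""
    needles = ("contentstore.bat", "javaaccessbridge-64.exe")
    return [name for name, cmd in tasks if any(n in cmd.lower() for n in needles)]


def build_sample_tree() -> str:
    """Constructed test fixture (not real malware): a temp dir mimicking the
    drop layout, with one benign file and one benign config.json as controls."""
    root = tempfile.mkdtemp(prefix="xmrig-hunt-")
    videos = os.path.join(root, "Videos")
    os.makedirs(videos)
    for empty in ("JavaAccessBridge-64.exe", "DMIDD12.tmp", "notes.txt"):
        open(os.path.join(videos if empty.endswith(".exe") else root, empty), "wb").close()
    with open(os.path.join(videos, "config.json"), "w", encoding="utf-8") as fh:
        json.dump({"pools": [{"url": "pool.invalid:3333", "user": "WALLET_PLACEHOLDER"}]}, fh)
    os.makedirs(os.path.join(root, "app"))
    with open(os.path.join(root, "app", "config.json"), "w", encoding="utf-8") as fh:
        json.dump({"theme": "dark"}, fh)  # benign config, must not be flagged
    return root


if __name__ == "__main__":
    for path, reason in scan_for_iocs():
        print(f"[!] {reason}: {path}")
```

Run it on a suspect host as-is to sweep `C:\Users\Public`, or pass explicit roots to `scan_for_iocs()`; feed `flag_scheduled_tasks()` the name/command pairs from a `schtasks` CSV export. The file-name and path checks are only as good as the IOCs in the post, so treat a clean result as "these specific artifacts are absent", not as proof the host is uninfected.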
Read more: https://blog.sonicwall.com/en-us/2024/04/cryptominer-poses-as-fake-java-utility/