Monero CoinMiner Being Distributed via Webhards – ASEC BLOG

Attackers distribute XMRig Monero CoinMiner via Korean webhards by disguising the miner as a game installer and bundling it with cracked software. The payload downloads xmrig.exe, config.json, and MsDtsServer.exe, installs a startup shortcut for persistence, and runs the actual game from Resources to mask mining activity. #XMRig #Monero #Webhards #AhnLab

Keypoints

  • Webhards are used as the primary distribution vector for malware targeting Korean users.
  • The malware is packaged with illegal programs and game installers, then installed as a RAT-type or miner payload.
  • The XMRig CoinMiner is dropped as xmrig.exe along with config.json and MsDtsServer.exe to a local path.
  • A startup shortcut NewStartUp.lnk is created to ensure mining runs after reboot.
  • The actual game is executed from the Resources folder to appear legitimate.
  • The XMRig config contains the mining pool address gulf.moneroocean.stream:10128 and a Monero wallet address, tying activity to the attacker.
  • AhnLab provides file detections and MD5 IOCs and lists download URLs for the involved components.

MITRE Techniques

  • [T1105] Ingress Tool Transfer – The malware downloads the Monero mining component (xmrig.exe), the XMRig config file (config.json), and the XMRig launcher malware (MsDtsServer.exe) to the path “c:\Xcrcure”. ‘…downloads the Monero mining malware (xmrig.exe), XMRig config file (config.json), and XMRig launcher malware (MsDtsServer.exe) in the path “c:\Xcrcure”.’
  • [T1547.001] Boot or Logon Autostart Execution – A startup shortcut called “NewStartUp.lnk” is created in the startup folder to execute the XMRig launcher. ‘…creates a shortcut called “NewStartUp.lnk” in the startup folder that executes the XMRig launcher.’
  • [T1036] Masquerading – The file is disguised as the game icon (raksasi.exe) and presented as a legitimate game installer while actually installing XMRig CoinMiner. ‘the file is actually a malware strain that installs XMRig CoinMiner’ and ‘raksasi.exe program that is disguised as the game icon.’
  • [T1496] Resource Hijacking – After installation the launcher mines Monero with the host’s resources, reading config.json on every reboot to obtain the pool and wallet settings. ‘reads the config.json file in the same path whenever the computer is rebooted to perform the mining process.’

Indicators of Compromise

  • [Domain] gulf.moneroocean.stream – Monero mining pool host referenced in config.json
  • [Domain] scmm.netlify.app – download host for miner components (xmrig.exe, config.json, MsDtsServer.exe)
  • [FileName] raksasi.exe – disguised game launcher that installs the miner
  • [FileName] xmrig.exe – Monero miner binary
  • [FileName] MsDtsServer.exe – XMRig launcher component
  • [FileName] config.json – XMRig configuration with pool and wallet details
  • [MD5] 35370cd5222ade95f77c8db5e39bcd64, d5d51ebb4ab6dc97d7e5557476526547 – sample hashes for malware components
  • [Wallet Address] 438wFRXdmiEQfgfhK4XhSMSNaFNd8EdJzPhj5PcXtomEaKcNJuBoZaC32TSdGpnFUxRANRiQdsWxGdvM7bDgLJHZR9FKFSF
  • [Mining Pool] gulf.moneroocean.stream:10128 – embedded in config.json
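A small triage script that turns the indicators above into checks a responder can run over a suspect directory: it matches the dropped file names, the two MD5 hashes, and the pool host and wallet inside an XMRig-style config.json. This is an added example, not code from AhnLab or the ASEC post; the config.json sample and the directory layout it scans are constructed here for illustration, and it assumes the standard XMRig config layout (a top-level "pools" list with "url" and "user" keys).

```python
import hashlib
import json
import os
import tempfile

# Indicators taken from the ASEC write-up summarized above
IOC_POOL_HOSTS = {"gulf.moneroocean.stream"}
IOC_WALLETS = {
    "438wFRXdmiEQfgfhK4XhSMSNaFNd8EdJzPhj5PcXtomEaKcNJuBoZaC32TSdGpnFUxRANRiQdsWxGdvM7bDgLJHZR9FKFSF"
}
IOC_MD5 = {"35370cd5222ade95f77c8db5e39bcd64", "d5d51ebb4ab6dc97d7e5557476526547"}
# config.json is deliberately left out of the name list: it is far too generic on its own
IOC_FILENAMES = {"xmrig.exe", "msdtsserver.exe", "raksasi.exe", "newstartup.lnk"}

# Constructed sample config, modelled on the XMRig "pools" layout (assumption, not the real dropped file)
SAMPLE_CONFIG = json.dumps({
    "pools": [{
        "url": "gulf.moneroocean.stream:10128",
        "user": "438wFRXdmiEQfgfhK4XhSMSNaFNd8EdJzPhj5PcXtomEaKcNJuBoZaC32TSdGpnFUxRANRiQdsWxGdvM7bDgLJHZR9FKFSF",
        "pass": "x",
        "keepalive": True,
    }]
})


def pool_host(url):
    """Return the bare host of a pool url such as 'stratum+tcp://host:port' or 'host:port'."""
    host = url.split("://", 1)[-1]
    return host.rsplit(":", 1)[0].lower()


def check_xmrig_config(text):
    """Parse an XMRig-style config and return (kind, value) pairs for matched pool hosts and wallets."""
    findings = []
    try:
        cfg = json.loads(text)
    except json.JSONDecodeError:
        return findings          # not JSON at all: nothing to match, but do not crash the scan
    for pool in cfg.get("pools", []):
        url = pool.get("url", "")
        if pool_host(url) in IOC_POOL_HOSTS:
            findings.append(("pool", url))
        if pool.get("user", "") in IOC_WALLETS:
            findings.append(("wallet", pool["user"]))
    return findings


def md5_of(path):
    """Stream a file through MD5 (IoC matching only, hence usedforsecurity=False)."""
    h = hashlib.md5(usedforsecurity=False)
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(65536), b""):
            h.update(chunk)
    return h.hexdigest()


def scan_dir(root):
    """Walk a directory and report every file name, hash or config value that matches an IoC."""
    findings = []
    for dirpath, _, names in os.walk(root):
        for name in names:
            path = os.path.join(dirpath, name)
            if name.lower() in IOC_FILENAMES:
                findings.append(("filename", path))
            if md5_of(path) in IOC_MD5:
                findings.append(("md5", path))
            if name.lower() == "config.json":
                with open(path, encoding="utf-8", errors="replace") as f:
                    findings.extend(check_xmrig_config(f.read()))
    return findings


def demo():
    """Build a constructed layout (drop folder plus a Startup folder) and scan it."""
    root = tempfile.mkdtemp()
    drop = os.path.join(root, "Xcrcure")
    startup = os.path.join(root, "Startup")
    os.makedirs(drop)
    os.makedirs(startup)
    with open(os.path.join(drop, "config.json"), "w", encoding="utf-8") as f:
        f.write(SAMPLE_CONFIG)
    with open(os.path.join(startup, "NewStartUp.lnk"), "wb") as f:
        f.write(b"constructed placeholder, not a real shortcut")
    return scan_dir(root)


if __name__ == "__main__":
    for kind, value in demo():
        print(f"{kind:8s} {value}")
```

On a real host the Startup folder to scan is the user's `shell:startup` directory and the drop path is the one named in the write-up; the hash check is only as good as the two published MD5s, so the config and file-name matches are the more durable signals here.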

Read more: https://asec.ahnlab.com/en/37526/