Organizations under attack from cryptominer-keylogger-backdoor combo

The campaign uses chained scripts to disable Windows Defender, add exclusions, and deploy multiple payloads — a Monero miner, a keylogger, and a backdoor — to hijack enterprise resources. The backdoor (IntelSvc.exe) polls a C2 server while the keylogger (Systemfont.exe) archives keystrokes for later retrieval. #Monero #IntelSvc

Keypoints

  • Initial access is attributed to exploitation of vulnerabilities on servers and workstations, leading to script execution (start.cmd, runxm1.cmd).
  • start.cmd modifies the registry to disable Windows Defender and runxm1.cmd adds multiple files to Defender exceptions.
  • Scripts escalate privileges and rename folders of security products to prevent them from running.
  • Payloads are downloaded from a remote domain (now offline) and include RtkAudio.exe (miner), View.exe (dropper), IntelSvc.exe (backdoor), and Systemfont.exe (keylogger).
  • RtkAudio.exe is launched with config.txt, which contains Monero mining configuration; View.exe drops copies including IntelSvc and Systemfont into C:\Users\Public.
  • Systemfont.exe records keystrokes and writes them into tempfont.rar; IntelSvc.exe contacts C2 roughly once per minute, writes log.json, and accepts remote commands.

MITRE Techniques

  • [T1190] Exploit Public-Facing Application – The report states the scripts “penetrate the target infrastructure mainly as a result of exploiting vulnerabilities on servers and workstations.”
  • [T1059.003] Command and Scripting Interpreter: Windows Command Shell – Actors use batch scripts (start.cmd, runxm1.cmd) to perform the attack chain; e.g., “start.cmd tries to run RtkAudio.exe”.
  • [T1562.001] Impair Defenses: Disable or Modify Security Tools – Scripts attempt to disable Defender via registry changes and add exceptions; “attempts to disable protection through the registry” and “tries to add several files to exceptions.”
  • [T1105] Ingress Tool Transfer – Scripts download multiple executable and configuration files from a remote domain: “attempt to download various executable and configuration files”.
  • [T1056.001] Input Capture: Keylogging – Analysis shows Systemfont.exe “tracks keystrokes and has a typical keylogger structure” and saves captured input to an archive.
  • [T1071.001] Application Layer Protocol: Web Protocols – IntelSvc.exe “sends a request to C2 approximately once a minute” to receive commands and configuration (log.json).

Indicators of Compromise

  • [MD5 hashes] hashes of observed payloads – 0BEFB96279DA248F6D49169E047EE7AB, 769BC25454799805E83612F0F896E03F, and 40+ more hashes listed in the report.
  • [File names] dropped/executed files – start.cmd, runxm1.cmd, RtkAudio.exe (miner), View.exe (dropper), Systemfont.exe (keylogger), IntelSvc.exe (backdoor), config.txt, log.json, tempfont.rar, web.ttf.
  • [Domain] hosting payloads (now offline) – a domain serving a real-time cryptocurrency exchange rates platform was used to host and deliver executables and configs.
  • [IP address] C2 indicator embedded in file – the C2 IP is stored in web.ttf (shown in the article’s artifact images) and used by IntelSvc.exe to contact the server.

The attack chain begins with exploitation of vulnerable servers/workstations to drop and execute two batch scripts (start.cmd and runxm1.cmd). start.cmd modifies Windows Defender settings via the registry and launches payloads, while runxm1.cmd adds several files to Defender exceptions; both scripts attempt to gain administrative rights and rename folders of known security solutions to prevent them from running. The scripts reach out to a remote domain (now offline) to download multiple executables and configuration files, then verify and execute those payloads silently.

One downloaded component, RtkAudio.exe, is run with config.txt as an argument; that configuration contains mining settings that connect the binary to a Monero mining pool. Another dropper, View.exe, writes multiple executables into C:\Users\Public, including IntelSvc and Systemfont. Systemfont.exe exhibits classic keylogger behavior: it records keystrokes and mouse activity, immediately packaging captured input into tempfont.rar for later retrieval. IntelSvc.exe acts as a backdoor, creating a folder for configs/logs, polling a C2 roughly once per minute, writing/reading log.json for operational parameters, and exposing commands extractable from its binary.

For detection and response, look for the batch scripts and their registry modifications that disable Defender, unexpected Defender exclusion entries, presence of the listed executables in public profiles, creation of tempfont.rar archives after user input, regular outbound connections to the C2 IP embedded in web.ttf, and the MD5 hashes reported. Triage should include isolating infected hosts, collecting the noted artifacts (config.txt, log.json, web.ttf, tempfont.rar), and blocking the delivering domain and C2 IP at network perimeter controls.
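A host triage pass over the detection points above, as an added example (not code from the Securelist report): it runs a small rule set over constructed endpoint events and flags the Defender registry tampering, exclusion additions, the named files in C:\Users\Public, the two reported MD5s and the once-a-minute C2 beacon. The registry value names (DisableAntiSpyware, Exclusions\Paths) and the 203.0.113.10 C2 address are assumptions, since the report only says the scripts modify the registry and the IP is not printed here.

```python
"""Host triage over constructed endpoint events for the chain described above.
Added example, not from the Securelist report. DisableAntiSpyware and the
Exclusions\\Paths key are assumptions (the report only says "modifies the registry")."""
from collections import defaultdict

# File names taken from the report; C:\Users\Public is where View.exe drops copies.
SUSPECT_FILES = {"start.cmd", "runxm1.cmd", "rtkaudio.exe", "view.exe", "intelsvc.exe",
                 "systemfont.exe", "config.txt", "log.json", "web.ttf", "tempfont.rar"}
KNOWN_MD5 = {"0befb96279da248f6d49169e047ee7ab", "769bc25454799805e83612f0f896e03f"}

def triage(events, beacon_period=60, tolerance=10, min_beacons=3):
    """Return (rule, detail) tuples for events matching the campaign's behaviours."""
    hits, flows = [], defaultdict(list)
    for e in events:
        kind = e["type"]
        if kind == "registry" and e["key"].lower().endswith("\\windows defender\\exclusions\\paths"):
            hits.append(("defender_exclusion_added", e["value"]))
        elif kind == "registry" and e["value"].lower() == "disableantispyware" and e["data"] == "1":
            hits.append(("defender_disabled_via_registry", e["key"]))
        elif kind == "process":
            image = e["image"].lower()
            if image.rsplit("\\", 1)[-1] in SUSPECT_FILES or image.startswith("c:\\users\\public\\"):
                hits.append(("suspect_process", e["image"]))
            if e.get("md5", "").lower() in KNOWN_MD5:
                hits.append(("known_hash", e["md5"]))
        elif kind == "file" and e["path"].lower().rsplit("\\", 1)[-1] in SUSPECT_FILES:
            hits.append(("suspect_file_written", e["path"]))
        elif kind == "network":
            flows[(e["image"], e["dst"])].append(e["ts"])
    # IntelSvc.exe polls C2 about once a minute: flag image/destination pairs with >= min_beacons connections spaced beacon_period +/- tolerance seconds apart.
    for (image, dst), stamps in flows.items():
        stamps.sort()
        gaps = [b - a for a, b in zip(stamps, stamps[1:])]
        if len(stamps) >= min_beacons and all(abs(g - beacon_period) <= tolerance for g in gaps):
            hits.append(("periodic_beacon", f"{image} -> {dst}"))
    return hits

# Constructed sample events (not from the report); 203.0.113.10 is a placeholder C2 address.
SAMPLE_EVENTS = [
    {"type": "process", "image": "C:\\Windows\\Temp\\start.cmd", "md5": "0BEFB96279DA248F6D49169E047EE7AB"},
    {"type": "registry", "key": "HKLM\\SOFTWARE\\Policies\\Microsoft\\Windows Defender",
     "value": "DisableAntiSpyware", "data": "1"},
    {"type": "registry", "key": "HKLM\\SOFTWARE\\Microsoft\\Windows Defender\\Exclusions\\Paths",
     "value": "C:\\Users\\Public\\RtkAudio.exe", "data": "0"},
    {"type": "file", "path": "C:\\Users\\Public\\tempfont.rar"},
    {"type": "network", "image": "C:\\Users\\Public\\IntelSvc.exe", "dst": "203.0.113.10", "ts": 0},
    {"type": "network", "image": "C:\\Users\\Public\\IntelSvc.exe", "dst": "203.0.113.10", "ts": 61},
    {"type": "network", "image": "C:\\Users\\Public\\IntelSvc.exe", "dst": "203.0.113.10", "ts": 119},
    {"type": "network", "image": "C:\\Program Files\\Browser\\browser.exe", "dst": "198.51.100.7", "ts": 5},
]
```

Feed it real Sysmon or EDR events mapped to the same four event shapes; the beacon rule tolerates jitter but will miss a backdoor whose poll interval has been reconfigured via log.json, so treat it as one signal among the others.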

Read more: https://securelist.com/miner-keylogger-backdoor-attack-b2b/110761/