Coin Miner and Mozi Botnet

Published on Mar 28, 2024

Open directories, web servers that list their contents to anyone who browses to them, regularly turn out to be staging points for malware. Our recent look at one such directory turned up a modified Android IPTV app, a set of Windows ".scr" droppers and a Monero miner whose network traffic overlaps with the Mozi botnet's peer-discovery configuration.

Observation:

In this open directory we found 53 potentially malicious files hosted on a web server in China. Let's look at what it holds.


At the time of writing, two hosts expose open directories with the same set of files.

Figure 2: Our two open directories of interest for this post

Reviewing the listing in Hunt, we found ".m3u" IPTV playlists and a modified ".apk", content aimed at Android users, alongside several files flagged as coin miners.

Figure 3: Filenames and sizes within the directory
Figure 4: Continued screenshot of files

The APK "TiviMate-2.8.0_CMist_Premium.apk", a third-party "Premium" modification of the TiviMate IPTV player, deserves a closer look.

Figure 5: Results of the APK file in VirusTotal

Here's a detailed analysis of the suspicious permissions and actions associated with this APK:

Suspicious Permissions:

  • android.permission.INTERNET: This permission allows the app to access the internet, a common requirement for many apps. However, in a potentially malicious context, it could be used to communicate with command and control servers or exfiltrate data.
  • android.permission.ACCESS_NETWORK_STATE: This permission enables the app to access information about the network state. While often used for legitimate purposes, such as optimizing network usage, malware can also exploit it to monitor network connectivity and adjust its behavior accordingly.
  • android.permission.ACCESS_WIFI_STATE: Similar to the previous permission, the app can access information about Wi-Fi networks. In a malicious context, it could gather information about the user's Wi-Fi connections to conduct surveillance or target them.
  • android.permission.WAKE_LOCK: This permission allows the app to prevent the device from sleeping. While it can be used legitimately, for example, to keep the screen on during video playback, it can also be abused by malware to keep a device awake for continuous operation.
  • android.permission.RECEIVE_BOOT_COMPLETED: This permission allows the app to start automatically after the device boots. Malware commonly uses it to maintain persistence on the device.

None of these five permissions carries Android's "dangerous" protection level, and a legitimate IPTV player declares the same set, so on their own they do not make the APK malicious. What they establish is capability: the app can start at boot, keep the device awake and talk to the network without the user in the loop. The reason to distrust this particular build is that it is a third-party "Premium" modification of a paid app; the manifest only tells us what such a build could do.

VirusTotal also reports Linux (ELF) executables inside the APK. By itself this is weak evidence of anything cross-platform: Android native libraries under lib/<abi>/ are ELF shared objects, so most non-trivial apps contain them. What it does mean is that the APK carries native code that a permission review does not cover, so those .so files deserve their own look (what they import, whether they spawn processes or open sockets) before any conclusion is drawn.

The modified version of the TiviMate APK file, "TiviMate-2.8.0_CMist_Premium.apk," has been traced to a GitHub repository. Caution is advised when exploring or downloading files from this repository, as the modifications may include malicious code or unauthorized features.

GitHub Repository: https://github.com/skysolf/iptv/blob/main/README.md

Suspicious Actions:

  • Autostart: The app's use of the RECEIVE_BOOT_COMPLETED permission suggests that it can autostart, which could maintain persistence and ensure continuous operation without the user's consent.
  • Background Operations: The combination of internet access and wake lock permissions indicates that the app might perform operations in the background, potentially without the user's knowledge. This could include activities like data exfiltration or communication with remote servers.
  • Network Monitoring: The network- and Wi-Fi-state permissions let the app learn which network the device is on and when connectivity changes, which malware uses to time its activity (for example, waiting for Wi-Fi before pulling a payload). They do not let the app read other apps' traffic.
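The permission and action review above is mechanical enough to script. The following is an added example, not tooling from the post or from the TiviMate project: it takes a decoded AndroidManifest.xml (the binary manifest inside an APK must first be decoded, for instance with apktool), collects the declared permissions, checks whether a receiver actually hooks the BOOT_COMPLETED broadcast (RECEIVE_BOOT_COMPLETED is inert without one), and raises the same three flags the text describes. The manifest it runs on is constructed for the example and is not the manifest of the real APK.

```python
"""Triage a decoded AndroidManifest.xml for the permission/persistence pattern
discussed above.  Added example, not the authors' tooling; the manifest below
is constructed and is not the manifest of TiviMate-2.8.0_CMist_Premium.apk."""
import xml.etree.ElementTree as ET

# ElementTree keys namespaced attributes as "{uri}name".
A = "{http://schemas.android.com/apk/res/android}"

# Permissions the post singles out.  None is "dangerous"-level; the signal is
# the combination, and whether a receiver actually hooks the boot broadcast.
NETWORK = {"android.permission.INTERNET",
           "android.permission.ACCESS_NETWORK_STATE",
           "android.permission.ACCESS_WIFI_STATE"}
WAKE = "android.permission.WAKE_LOCK"
BOOT_PERM = "android.permission.RECEIVE_BOOT_COMPLETED"
BOOT_ACTION = "android.intent.action.BOOT_COMPLETED"


def triage_manifest(xml_text: str) -> dict:
    """Return declared permissions, boot receivers and the flags they raise."""
    root = ET.fromstring(xml_text)
    perms = {e.get(A + "name") for e in root.iter("uses-permission")} - {None}
    # RECEIVE_BOOT_COMPLETED only matters if some receiver listens for the
    # BOOT_COMPLETED broadcast; record those receivers and whether they are exported.
    boot_receivers = [
        (r.get(A + "name"), r.get(A + "exported", "unset"))
        for r in root.iter("receiver")
        if BOOT_ACTION in {a.get(A + "name") for a in r.iter("action")}
    ]
    flags = []
    if BOOT_PERM in perms and boot_receivers:
        flags.append("autostart: BOOT_COMPLETED receiver backed by RECEIVE_BOOT_COMPLETED")
    elif BOOT_PERM in perms:
        flags.append("RECEIVE_BOOT_COMPLETED declared but no BOOT_COMPLETED receiver")
    if "android.permission.INTERNET" in perms and WAKE in perms:
        flags.append("background network: INTERNET + WAKE_LOCK")
    if NETWORK <= perms:
        flags.append("connectivity awareness: INTERNET + NETWORK_STATE + WIFI_STATE")
    return {"permissions": sorted(perms), "boot_receivers": boot_receivers, "flags": flags}


# Constructed manifest (not from the real APK) showing the full pattern.
SAMPLE_MANIFEST = """<manifest xmlns:android="http://schemas.android.com/apk/res/android"
          package="com.example.iptvmod">
  <uses-permission android:name="android.permission.INTERNET"/>
  <uses-permission android:name="android.permission.ACCESS_NETWORK_STATE"/>
  <uses-permission android:name="android.permission.ACCESS_WIFI_STATE"/>
  <uses-permission android:name="android.permission.WAKE_LOCK"/>
  <uses-permission android:name="android.permission.RECEIVE_BOOT_COMPLETED"/>
  <application android:label="IPTV">
    <receiver android:name=".BootReceiver" android:exported="true">
      <intent-filter>
        <action android:name="android.intent.action.BOOT_COMPLETED"/>
      </intent-filter>
    </receiver>
  </application>
</manifest>"""

if __name__ == "__main__":
    result = triage_manifest(SAMPLE_MANIFEST)
    print("\n".join(result["flags"]))
```

Run it on the output of `apktool d <file>.apk` (the decoded AndroidManifest.xml) rather than on the raw APK; a boot receiver with android:exported="true" is the combination worth a second look, since it is both persistent and reachable from other apps.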

Next are the three files with the ".scr" extension: "AV.scr", "Photo.scr" and "Video.scr". Between them there are only two distinct SHA256 hashes, so two of the three are byte-identical copies; the two variants nevertheless behave the same way, as the analysis below shows.

We first looked up one of them, AV.scr, in VirusTotal: 55 antivirus engines flag it as malicious.

Figure 6: VirusTotal results for AV.scr

Dynamic Analysis:

Upon execution, each ".scr" file writes a copy of itself to the user's profile as "HelpPane.exe" and launches that copy with various arguments; for AV.scr the dropped HelpPane.exe carries the same SHA256 as the original (see the indicators below), so this is a self-copy rather than an embedded second binary. The name borrows from the legitimate Windows Help Pane (C:\Windows\HelpPane.exe); a HelpPane.exe sitting in a user directory is itself a good hunting signal. The copy exhibits the following suspicious behaviours:

Dropping Multiple Files: It unpacks a large set of executables, C-runtime libraries and other components into C:\Windows\TEMP\_MEI18602. A "_MEI<number>" directory is the extraction folder created by PyInstaller's one-file bootloader, and the dropped Crypto.Cipher._AES.pyd in the indicators below is an extension module from the PyCrypto/PyCryptodome package, so HelpPane.exe is a PyInstaller-packed Python program carrying its own runtime rather than a hand-written native payload. PyInstaller unpacks into %TEMP%, which is C:\Windows\TEMP for SYSTEM and service accounts and AppData\Local\Temp for an interactive user; that accounts for the two path forms that appear in this post.

Figure 7: Screenshot of dropped executable files
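The "_MEI" extraction directory and the .pyd file in the indicators are the fingerprints of a PyInstaller one-file executable, and that can be confirmed statically before detonating anything. The script below is an added example, not tooling from the post: it looks for PyInstaller's archive cookie (the trailer the bootloader reads to locate the embedded archive) and reports the Python version the sample was built with. Because the real samples are not embedded here, it parses a blob constructed in memory as a stand-in; point `find_pyinstaller_cookie` at the bytes of a real file for actual use. Knowing a sample is PyInstaller changes the next step: extract the archive (for example with pyinstxtractor) and decompile the entry script instead of reversing the bootloader.

```python
"""Spot a PyInstaller-packed executable and read its archive cookie.  Added
example, not the authors' tooling.  The blob it parses is constructed in memory
as a stand-in for AV.scr / HelpPane.exe, which are not embedded here."""
import struct

MAGIC = b"MEI\x0c\x0b\x0a\x0b\x0e"              # PyInstaller CArchive cookie magic
COOKIE_FMT = "!8sIIii64s"                       # PyInstaller >= 2.1 cookie layout
COOKIE_SIZE = struct.calcsize(COOKIE_FMT)       # 88 bytes


def find_pyinstaller_cookie(data: bytes):
    """Return the parsed cookie, or None if the data is not PyInstaller-packed."""
    pos = data.rfind(MAGIC)                     # the cookie sits at the very end
    if pos < 0 or len(data) - pos < COOKIE_SIZE:
        return None
    magic, pkg_len, toc_off, toc_len, pyver, pylib = struct.unpack(
        COOKIE_FMT, data[pos:pos + COOKIE_SIZE])
    # pyver is packed as e.g. 27, 36 or 311 -> (2, 7), (3, 6), (3, 11)
    major, minor = (pyver // 100, pyver % 100) if pyver >= 100 else (pyver // 10, pyver % 10)
    return {
        "cookie_offset": pos,
        "package_length": pkg_len,              # archive size, cookie included
        "toc_offset": toc_off,
        "toc_length": toc_len,
        "python_version": f"{major}.{minor}",
        "python_lib": pylib.split(b"\x00", 1)[0].decode("ascii", "replace"),
    }


def build_fake_packed_pe(pyver: int = 311, pylib: bytes = b"python311.dll") -> bytes:
    """Constructed stand-in: a stub 'PE' header, a fake archive body, then a cookie."""
    overlay = b"\x00" * 128                     # pretend CArchive body
    cookie = struct.pack(COOKIE_FMT, MAGIC, len(overlay) + COOKIE_SIZE,
                         0, 0, pyver, pylib)    # "64s" null-pads pylib
    return b"MZ" + b"\x90" * 62 + overlay + cookie


if __name__ == "__main__":
    import sys
    blob = open(sys.argv[1], "rb").read() if len(sys.argv) > 1 else build_fake_packed_pe()
    print(find_pyinstaller_cookie(blob) or "not a PyInstaller executable")
```

On a real sample the python_lib field (for example python311.dll) tells you which interpreter the extracted .pyc files need for decompilation; older PyInstaller 2.0 builds use a shorter cookie without that field, which this reader does not handle.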

Network Activity:

HelpPane.exe opens FTP connections to 172.240.108[.]178 on ports 21 and 2121, resolves xmr.crypto-pool[.]fr, a public Monero mining pool, and connects to 141.95.206[.]77 on port 3333, a port conventionally used for Stratum mining-pool traffic. Together these point to unauthorised mining. The FTP traffic is the odd one out: its role is not established here, but a miner has no need for FTP, and an unexpected process speaking FTP is an easy thing to alert on.

Figure 8: List of processes and network connections

Command Execution:

HelpPane.exe spawns cmd.exe to copy files and kill processes, i.e. it orchestrates the installation rather than just mining.

Firewall Manipulation:

netsh.exe is used to add HelpPane.exe as an allowed program in Windows Defender Firewall. Windows allows outbound connections by default, so the rule mainly lets the binary accept inbound connections (which a DHT node, for instance, needs). It is also a loud action: it shows up as a netsh.exe process creation with "firewall" and "allow" in the command line and, with firewall rule-change auditing enabled, as Security event 4946.

Figure 9: Executable using netsh to modify Windows Firewall rules

Cryptocurrency Mining:

The malware copies and executes xmrig.exe, the widely used open-source Monero miner, to hijack the system's CPU. Combined with the lookup of xmr.crypto-pool[.]fr and the connection to 141.95.206[.]77 on port 3333, this leaves little doubt that the machine is being used to mine Monero (XMR) for the operators. The same xmrig.exe build (SHA256 4bf737b29ff521bc263eb1f2c1c5ea04b47470cccd1beae245d98def389929bd) is dropped by both .scr variants.

Figure 10: Executable using netsh to modify Windows Firewall rules

DNS Requests and Mozi Botnet Connection:

The malware's DNS requests include dht.transmissionbt.com, router.bittorrent.com, router.utorrent.com and bttracker.debian.org alongside xmr.crypto-pool.fr. The first four are the public bootstrap nodes that a BitTorrent Distributed Hash Table (DHT) client contacts to find its first peers; any DHT-capable program resolves them, and the Mozi botnet hard-codes this same bootstrap list in its configuration, which is what sandbox signatures key on.

Figure 11: Network results in ANY.RUN

Mozi is a peer-to-peer IoT botnet that spreads through weak Telnet credentials and router exploits and uses its DHT-based network for DDoS, payload delivery and data collection. The DHT bootstrap lookups and the Mozi DHT-configuration tag in the sandbox's threat alerts suggest HelpPane.exe is either tied to Mozi or borrowing its peer-discovery technique. Two caveats apply before calling this a Mozi sample: Mozi's own implants are ELF binaries for embedded Linux (MIPS, ARM and similar), not Windows PE files, and the four bootstrap hosts are shared by every legitimate DHT client. The safer reading is "Windows miner with Mozi-style DHT peer discovery" until the DHT traffic itself (the node IDs and payloads it exchanges) has been examined.
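The behaviours in the Network Activity, Firewall Manipulation, Cryptocurrency Mining and DNS sections above are all visible in ordinary endpoint telemetry, and they are far more convincing together than apart. The following is an added example, not the authors' tooling: a detection pass over Sysmon-style JSON events (process creation, network connection, DNS query) that flags the netsh allow rule, any xmrig reference, connections to the mining IP or common Stratum ports, FTP from an unexpected process, and lookups of the DHT bootstrap hosts, then rolls the findings up to the root of the process tree so the dropper, not just its children, is graded. The events are constructed to mirror the sandbox run; the Stratum port list beyond 3333 is a common-port heuristic, not something the post reports.

```python
"""Detection pass over Sysmon-style JSON events for the HelpPane.exe behaviours
described above: a netsh firewall allow rule, xmrig execution, mining-pool and
FTP connections, and DNS lookups of BitTorrent DHT bootstrap nodes.
Added example with constructed events; it is not the authors' tooling."""
import json
import re
from collections import defaultdict

# Network indicators are the ones named in the post; the extra Stratum ports
# are a common-port heuristic and will need tuning in a real environment.
DHT_BOOTSTRAP = {"router.bittorrent.com", "router.utorrent.com",
                 "dht.transmissionbt.com", "bttracker.debian.org"}
MINING_POOLS = {"xmr.crypto-pool.fr"}
MINING_IPS = {"141.95.206.77"}
STRATUM_PORTS = {3333, 4444, 5555, 7777, 14444}
FTP_PORTS = {21, 2121}

# Both the legacy "netsh firewall" and the current "netsh advfirewall" syntax.
NETSH_ALLOW = re.compile(
    r"netsh(?:\.exe)?\s+(?:advfirewall\s+firewall\s+add\s+rule\b.*\baction=allow\b"
    r"|firewall\s+add\s+allowedprogram\b)", re.IGNORECASE)
XMRIG = re.compile(r"(?:^|[\\/\s\"])xmrig(?:\.exe)?\b", re.IGNORECASE)


def parse_log(text):
    """One JSON object per line (Sysmon EventID 1 / 3 / 22 fields are used)."""
    return [json.loads(line) for line in text.splitlines() if line.strip()]


def evaluate(events):
    """Return ({pid: [(category, detail)]}, {pid: parent_pid})."""
    parent, findings = {}, defaultdict(list)
    for ev in events:
        pid, eid = ev.get("ProcessId"), ev.get("EventID")
        if eid == 1:                                   # process creation
            if "ParentProcessId" in ev:
                parent[pid] = ev["ParentProcessId"]
            cmd = ev.get("CommandLine", "")
            if NETSH_ALLOW.search(cmd):
                findings[pid].append(("firewall", "netsh allow rule: " + cmd))
            if XMRIG.search(ev.get("Image", "")) or XMRIG.search(cmd):
                findings[pid].append(("xmrig", "xmrig in image/command line: " + cmd))
        elif eid == 3:                                 # network connection
            ip, port = ev.get("DestinationIp"), int(ev.get("DestinationPort", 0))
            if ip in MINING_IPS or port in STRATUM_PORTS:
                findings[pid].append(("stratum", f"mining-pool connection {ip}:{port}"))
            if port in FTP_PORTS:
                findings[pid].append(("ftp", f"FTP connection {ip}:{port}"))
        elif eid == 22:                                # DNS query
            q = ev.get("QueryName", "").lower().rstrip(".")
            if q in DHT_BOOTSTRAP:
                findings[pid].append(("dht", f"DHT bootstrap lookup {q}"))
            if q in MINING_POOLS:
                findings[pid].append(("pool-dns", f"mining pool lookup {q}"))
    return dict(findings), parent


def roll_up(findings, parent):
    """Attribute findings to the root of each process tree and grade the tree."""
    def root(pid):
        for _ in range(64):                            # bounded walk, no cycle risk
            if pid not in parent:
                break
            pid = parent[pid]
        return pid
    tree = defaultdict(list)
    for pid, items in findings.items():
        tree[root(pid)].extend(items)
    graded = {}
    for pid, items in tree.items():
        cats = {c for c, _ in items}
        level = "high" if len(cats) >= 3 else "medium" if len(cats) == 2 else "low"
        graded[pid] = {"level": level, "categories": sorted(cats),
                       "details": [d for _, d in items]}
    return graded


# Constructed events modelled on the sandbox run (not real Sysmon output).
SAMPLE_LOG = r'''
{"EventID": 1, "ProcessId": 4120, "Image": "C:\\Users\\admin\\HelpPane.exe", "CommandLine": "C:\\Users\\admin\\HelpPane.exe"}
{"EventID": 1, "ProcessId": 4136, "ParentProcessId": 4120, "Image": "C:\\Windows\\System32\\netsh.exe", "CommandLine": "netsh advfirewall firewall add rule name=\"HelpPane\" dir=in action=allow program=\"C:\\Users\\admin\\HelpPane.exe\""}
{"EventID": 1, "ProcessId": 4150, "ParentProcessId": 4120, "Image": "C:\\Windows\\System32\\cmd.exe", "CommandLine": "cmd.exe /c copy C:\\Users\\admin\\AppData\\Local\\Temp\\_MEI21242\\xmrig.exe C:\\Users\\admin\\xmrig.exe"}
{"EventID": 1, "ProcessId": 4160, "ParentProcessId": 4120, "Image": "C:\\Users\\admin\\xmrig.exe", "CommandLine": "xmrig.exe --url=xmr.crypto-pool.fr:3333"}
{"EventID": 22, "ProcessId": 4160, "QueryName": "xmr.crypto-pool.fr"}
{"EventID": 3, "ProcessId": 4160, "DestinationIp": "141.95.206.77", "DestinationPort": 3333}
{"EventID": 3, "ProcessId": 4120, "DestinationIp": "172.240.108.178", "DestinationPort": 2121}
{"EventID": 22, "ProcessId": 4120, "QueryName": "router.bittorrent.com"}
{"EventID": 22, "ProcessId": 4120, "QueryName": "dht.transmissionbt.com"}
{"EventID": 22, "ProcessId": 9000, "QueryName": "www.example.com"}
'''

if __name__ == "__main__":
    findings, parent = evaluate(parse_log(SAMPLE_LOG))
    for pid, info in roll_up(findings, parent).items():
        print(pid, info["level"], info["categories"])
```

The per-process findings are deliberately weak on their own (a DHT bootstrap lookup is what every torrent client does at startup); the grade only goes to "high" once three independent behaviours land in one process tree, which is the combination this post describes and which a legitimate program has no reason to produce.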

Conclusion:

Our walk through one open directory turned up files like "AV.scr", "Photo.scr" and "Video.scr" that pose as screensavers but are droppers: they install xmrig to mine Monero on the victim's hardware, open a hole in the Windows firewall and reach out to BitTorrent DHT bootstrap nodes in a way that overlaps with Mozi's peer discovery. The same server also offered a modified IPTV APK for Android. It is a useful reminder that an open directory is often a campaign's whole toolkit in one place.

Join the Hunt community and learn more about these threats and countless others. Hunt provides a platform for security researchers, defenders, and enthusiasts to stay ahead of threats, whether in open directories or well-known frameworks. Get started by applying for an account today, and explore the world of open directories and more!

Indicators:

AV.scr
  MD5:    a9d4007c9419a6e8d55805b8f8f52de0
  SHA1:   9f9d47ec6dd80bfcb4c3e0a1530b89d2d587c230
  SHA256: 5d9fe2735d4399d98e6e6a792b1feb26d6f2d9a5d77944ecacb4b4837e5e5fca
  Dropped executable files (SHA256):
    C:\Users\admin\AppData\Local\Temp\_MEI21242\back.jpg   ed551536ff22587cdf7701a279e088eb370a4121e7a3fa1f3c8b121e767318a2
    C:\Users\admin\AppData\Local\Temp\_MEI21242\xmrig.exe  4bf737b29ff521bc263eb1f2c1c5ea04b47470cccd1beae245d98def389929bd
    C:\Users\admin\HelpPane.exe                              5d9fe2735d4399d98e6e6a792b1feb26d6f2d9a5d77944ecacb4b4837e5e5fca (same hash as AV.scr: a self-copy)
  DNS requests:
    xmr.crypto-pool.fr
    bttracker.debian.org
    router.bittorrent.com
    dht.transmissionbt.com
  Connections:
    141.95.206.77
    45.235.49.49

Photo.scr.__rev7
  MD5:    5616a3471565d34d779b5b3d0520bb70
  SHA1:   42df726156bee4a54ea328bd72a659602ab7d03e
  SHA256: not captured (the original listing repeats the SHA1 value in this field)
  Dropped executable files (SHA256):
    C:\Users\admin\AppData\Local\Temp\_MEI39562\Crypto.Cipher._AES.pyd  c1a900615c9500c46b9602c30c53f299290b03632208ef1152af8830ab73ad17
    C:\Users\admin\AppData\Local\Temp\_MEI39562\back.jpg                1de815d23e82a3a94c42f5e5ac1c5dfc690a585ca495c57d2e4a283ab4008208
    C:\Users\admin\AppData\Local\Temp\_MEI39562\xmrig.exe               4bf737b29ff521bc263eb1f2c1c5ea04b47470cccd1beae245d98def389929bd (same xmrig.exe as the AV.scr run)
    C:\Users\admin\HelpPane.exe                                           9194b57673209c8534888f61b0cdefa34f463ae50cd78f72ab2b3348220baaf9
  DNS requests:
    bttracker.debian.org
    xmr.crypto-pool.fr
    router.bittorrent.com
    dht.transmissionbt.com
  Connections:
    141.95.206.77
    130.239.18.158
    82.221.103.244
    67.215.246.10
    87.98.162.88
    212.129.33.59

Also referenced in the analysis above:
  router.utorrent.com (DNS)
  172.240.108.178 (FTP, ports 21 and 2121)

Analysis reports: AV.scr, Photo.scr, Video.scr, IPTVChecker (links not preserved in this copy)
