Coin Miner and Mozi Botnet

March 28, 2024


Open directories in the less-travelled corners of the internet can hold unexpected dangers. Our recent investigation into one such directory revealed a web of tricks and likely security risks.

Observation:

In this open directory, we found 53 potentially malicious files hosted on a web server in China. Let’s look at what kind of files this open directory hosts.


Figure 1: Screenshot of open directory in Hunt

Currently, there are two hosts with open directories containing duplicate files on each of them.


Figure 2: Our two open directories of interest for this post

When we examined the files in Hunt, we found that the “.m3u” playlist files and the modified “.apk” could be used to target mobile devices. In addition, several files were flagged as coin miners.


Figure 3: Filenames and sizes within the directory


Figure 4: Continued screenshot of files

The APK file named "TiviMate-2.8.0_CMist_Premium.apk" exhibits characteristics that warrant a closer examination due to its potentially malicious nature.


Figure 5: Results of the APK file in VirusTotal

Here's a detailed analysis of the suspicious permissions and actions associated with this APK:

Suspicious Permissions:

  • android.permission.INTERNET: This permission allows the app to access the internet, a common requirement for many apps. However, in a potentially malicious context, it could be used to communicate with command and control servers or exfiltrate data.
  • android.permission.ACCESS_NETWORK_STATE: This permission enables the app to access information about the network state. While often used for legitimate purposes, such as optimizing network usage, malware can also exploit it to monitor network connectivity and adjust its behavior accordingly.
  • android.permission.ACCESS_WIFI_STATE: Similar to the previous permission, the app can access information about Wi-Fi networks. In a malicious context, it could gather information about the user's Wi-Fi connections to conduct surveillance or target them.
  • android.permission.WAKE_LOCK: This permission allows the app to prevent the device from sleeping. While it can be used legitimately, for example, to keep the screen on during video playback, it can also be abused by malware to keep a device awake for continuous operation.
  • android.permission.RECEIVE_BOOT_COMPLETED: This permission allows the app to start automatically after the device boots. Malware commonly uses this tactic to maintain persistence on the device.

The presence of Linux executables in "TiviMate-2.8.0_CMist_Premium.apk," as identified by VirusTotal, suggests potential cross-platform malicious activities and advanced persistence techniques. This raises concerns about the APK's ability to target a wider range of systems beyond Android devices.

The modified version of the TiviMate APK file, "TiviMate-2.8.0_CMist_Premium.apk," has been traced to a GitHub repository. Caution is advised when exploring or downloading files from this repository, as the modifications may include malicious code or unauthorized features.

GitHub Repository: https://github.com/skysolf/iptv/blob/main/README.md

Suspicious Actions:

  • Autostart: The app's use of the RECEIVE_BOOT_COMPLETED permission suggests that it can autostart, which could maintain persistence and ensure continuous operation without the user's consent.
  • Background Operations: The combination of internet access and wake lock permissions indicates that the app might perform operations in the background, potentially without the user's knowledge. This could include activities like data exfiltration or communication with remote servers.
  • Network Monitoring: The permissions to access the network and Wi-Fi state could be used to monitor the user's network activity, potentially for malicious purposes such as intercepting sensitive information or determining the best time to perform specific actions.
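The permission combinations above can be triaged mechanically from a decoded AndroidManifest.xml (text form, as produced by apktool or a similar decoder). The script below is an added example, not Hunt's tooling or code from the APK; the manifest it parses is constructed to declare the same permission set discussed above, and the package and receiver names in it are hypothetical.

```python
import xml.etree.ElementTree as ET

ANDROID_NS = "{http://schemas.android.com/apk/res/android}"

# Each behaviour discussed above and the permission set that enables it.
PATTERNS = {
    "autostart": {"android.permission.RECEIVE_BOOT_COMPLETED"},
    "background_operations": {"android.permission.INTERNET", "android.permission.WAKE_LOCK"},
    "network_monitoring": {"android.permission.ACCESS_NETWORK_STATE", "android.permission.ACCESS_WIFI_STATE"},
}

def declared_permissions(manifest_xml):
    """Return the set of <uses-permission> names declared in the manifest."""
    root = ET.fromstring(manifest_xml)
    return {el.get(ANDROID_NS + "name") for el in root.iter("uses-permission")}

def boot_receivers(manifest_xml):
    """Return receivers whose intent filter includes the BOOT_COMPLETED action."""
    root = ET.fromstring(manifest_xml)
    found = []
    for rcv in root.iter("receiver"):
        actions = {a.get(ANDROID_NS + "name") for a in rcv.iter("action")}
        if "android.intent.action.BOOT_COMPLETED" in actions:
            found.append(rcv.get(ANDROID_NS + "name"))
    return found

def triage(manifest_xml):
    """Map each behaviour to True when every permission it needs is declared."""
    perms = declared_permissions(manifest_xml)
    report = {name: required <= perms for name, required in PATTERNS.items()}
    # The permission alone is not enough: a receiver must actually listen for the boot broadcast.
    report["autostart"] = report["autostart"] and bool(boot_receivers(manifest_xml))
    return report

# Constructed sample manifest (hypothetical package) declaring the permission set discussed above.
SAMPLE_MANIFEST = """<manifest xmlns:android="http://schemas.android.com/apk/res/android"
          package="example.iptv.player">
  <uses-permission android:name="android.permission.INTERNET"/>
  <uses-permission android:name="android.permission.ACCESS_NETWORK_STATE"/>
  <uses-permission android:name="android.permission.ACCESS_WIFI_STATE"/>
  <uses-permission android:name="android.permission.WAKE_LOCK"/>
  <uses-permission android:name="android.permission.RECEIVE_BOOT_COMPLETED"/>
  <application><receiver android:name=".BootReceiver"><intent-filter>
    <action android:name="android.intent.action.BOOT_COMPLETED"/>
  </intent-filter></receiver></application>
</manifest>"""

if __name__ == "__main__":
    print(triage(SAMPLE_MANIFEST))
```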

Next, we have several files with the extension “.scr,” namely “AV.scr,” “Photo.scr,” and “Video.scr.” Between them, these files have only two distinct SHA256 hashes. One might expect the differing hashes to mean differing behavior, but their behavior is in fact the same, as explained in the analysis below.

First, we looked up the threat score for one of the files on VirusTotal and observed that 55 antivirus vendors flagged it as malicious.


Figure 6: VirusTotal results for AV.scr

Dynamic Analysis:

Upon execution, each “.scr” file drops a file named “HelpPane.exe” and executes it with various commands, indicating a multi-stage infection process. The “HelpPane.exe” file exhibits the following suspicious behaviors:

Dropping Multiple Files: It drops various executable files, C-runtime libraries, and other components into the C:\Windows\TEMP\_MEI18602 directory, suggesting a complex payload.


Figure 7: Screenshot of dropped executable files

Network Activity:

The executable file makes FTP connections to 172.240.108[.]178 on ports 21 and 2121 and communicates with the domain xmr.crypto-pool[.]fr, associated with a Monero cryptocurrency mining pool. Additionally, the program connects to the IP address 141.95.206[.]77 on port 3333, which is also associated with a cryptocurrency mining pool, further indicating its involvement in unauthorized mining activities.


Figure 8: List of processes and network connections

Command Execution:

The file uses cmd.exe to execute commands, including copying files and killing processes, indicating control over the infected system.

Firewall Manipulation:

The executable uses netsh.exe to add itself as an allowed program in the Windows Firewall, effectively bypassing a network security control.


Figure 9: Executable using netsh to modify Windows Firewall rules

Cryptocurrency Mining:

The malware copies and executes xmrig.exe, a well-known cryptocurrency mining software, to hijack the system's resources. The connection to 141.95.206[.]77 on port 3333 confirms that the malware is mining Monero (XMR), exploiting the infected machine's computational power for the attackers' benefit.


Figure 10: Executable using netsh to modify Windows Firewall rules

DNS Requests and Mozi Botnet Connection:

The malware's DNS requests show connections to several domains, including dht.transmissionbt.com, router.bittorrent.com, router.utorrent.com, bttracker.debian.org, and xmr.crypto-pool.fr. These requests suggest that the malware may use the BitTorrent Distributed Hash Table (DHT) for communication or distribution, a tactic used by the Mozi botnet.


Figure 11: Network results in Any Run

The Mozi botnet is known for targeting IoT devices and using them for distributed denial-of-service (DDoS) attacks, spam campaigns, and cryptocurrency mining. The presence of DNS requests to BitTorrent-related domains and the use of the Mozi botnet's DHT configuration in the threat alerts indicate that the HelpPane.exe file may be a part of the Mozi botnet or is using similar techniques for its operations.
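The behaviors described in the dynamic analysis above (a firewall exception added via netsh, xmrig.exe run from a _MEI temp directory, pool traffic on port 3333, and DHT bootstrap lookups from a process that is not a torrent client) can be turned into simple detection rules over process, DNS and network telemetry. The script below is an added example, not Hunt's or Any.Run's tooling; the event records it processes are constructed to mirror the sandbox observations above, and the event schema is an assumption, not a real EDR format.

```python
import re

POOL_DOMAINS = {"xmr.crypto-pool.fr"}
POOL_PORTS = {3333}
# Bootstrap hosts queried by BitTorrent DHT clients; Mozi rides the same DHT.
DHT_DOMAINS = {"dht.transmissionbt.com", "router.bittorrent.com",
               "router.utorrent.com", "bttracker.debian.org"}
TORRENT_CLIENTS = ("transmission", "utorrent", "qbittorrent", "deluge")
MEI_DIR = re.compile(r"\\_MEI\d+\\", re.IGNORECASE)   # PyInstaller unpack dir
NETSH_FW = re.compile(r"netsh(\.exe)?\s+(advfirewall\s+firewall\s+add\s+rule"
                      r"|firewall\s+add\s+allowedprogram)", re.IGNORECASE)

def classify(ev):
    """Return the names of the rules a single telemetry event matches."""
    hits = []
    img = ev.get("image", "").lower()
    if ev["type"] == "process":
        if NETSH_FW.search(ev.get("cmdline", "")):
            hits.append("firewall_exception_added")
        if img.endswith("xmrig.exe") or (MEI_DIR.search(img) and img.endswith(".exe")):
            hits.append("payload_run_from_mei_dir_or_xmrig")
    elif ev["type"] == "dns":
        q = ev["query"].lower()
        if q in POOL_DOMAINS:
            hits.append("mining_pool_dns")
        if q in DHT_DOMAINS and not any(c in img for c in TORRENT_CLIENTS):
            hits.append("dht_bootstrap_from_non_torrent_process")
    elif ev["type"] == "net" and ev.get("dst_port") in POOL_PORTS:
        hits.append("mining_pool_port")
    return hits

def detect(events):
    """Run classify() over every event; return (image, rule) pairs in order."""
    return [(ev.get("image", "?"), rule) for ev in events for rule in classify(ev)]

# Constructed telemetry (assumed schema) mirroring the sandbox behaviour described above.
SAMPLE = [
    {"type": "process", "image": r"C:\Windows\System32\netsh.exe",
     "cmdline": r'netsh firewall add allowedprogram program="C:\Users\admin\HelpPane.exe" name="HelpPane" mode=ENABLE'},
    {"type": "process", "image": r"C:\Windows\TEMP\_MEI18602\xmrig.exe", "cmdline": "xmrig.exe"},
    {"type": "dns", "image": r"C:\Users\admin\HelpPane.exe", "query": "xmr.crypto-pool.fr"},
    {"type": "dns", "image": r"C:\Users\admin\HelpPane.exe", "query": "router.bittorrent.com"},
    {"type": "dns", "image": r"C:\Program Files\qBittorrent\qbittorrent.exe", "query": "router.bittorrent.com"},
    {"type": "net", "image": r"C:\Windows\TEMP\_MEI18602\xmrig.exe", "dst_ip": "141.95.206.77", "dst_port": 3333},
]

if __name__ == "__main__":
    for image, rule in detect(SAMPLE):
        print(f"{rule:<40} {image}")
```

The qbittorrent.exe lookup is a benign control: the same DHT bootstrap query is only flagged when it comes from a process that has no business speaking BitTorrent.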

Conclusion:

Our journey through an open directory on the internet has shown us a hidden world of trickery. We found files like "AV.scr", "Photo.scr", and "Video.scr" that looked harmless but were part of a scheme to secretly mine cryptocurrency and possibly even take over networks. The above should serve as a reminder that cyber threats are constantly changing.

Join the Hunt community and learn more about these threats and countless others. Hunt provides a platform for security researchers, defenders, and enthusiasts to stay ahead of threats, whether in open directories or well-known frameworks. Get started by applying for an account today, and explore the world of open directories and more!

Indicators:


AV.scr: https://app.any.run/tasks/fcf9499a-eec7-4f03-83c4-0f6b4ae2d4e5

Photo.scr: https://app.any.run/tasks/ec72f83f-2ef0-4201-9f74-7e75e071bbbf

Video.scr: https://app.any.run/tasks/1608c81c-5cd9-4392-b353-68d07464fab2

IPTVChecker: https://app.any.run/tasks/dbde80d2-9582-4198-ae65-4d953377fbd5
