Coin Miner and Mozi Botnet

March 28, 2024
https://hunt.io/images/blogs/coin_mainer_lg.webp

Open directories can sometimes contain unexpected dangers in the hidden parts of the internet. Our recent investigation into one such directory revealed a network of tricks and possible security risks.

Observation:

In this open directory, we found 53 potentially malicious files hosted on a web server in China. Let’s uncover what kind of files this Open Directory hosts.

httpshuntioimagesblogscoin-mainerimg-1-4xwebp

Figure 1: Screenshot of open directory in Hunt

Currently, there are two hosts with open directories containing duplicate files on each of them.

httpshuntioimagesblogscoin-mainerimg-2-4xwebp

Figure 2: Our two open directories of interest for this post

When we observed the files from Hunt, we found that files with the extension “.m3u” and modified “apk” could be used to target mobile devices. Additionally, several files were flagged as coin miners.

httpshuntioimagesblogscoin-mainerimg-3-4xwebp

Figure 3: Filenames and sizes within the directory


httpshuntioimagesblogscoin-mainerimg-4-4xwebp

Figure 4: Continued screenshot of files

The APK file named "TiviMate-2.8.0_CMist_Premium.apk" exhibits characteristics that warrant a closer examination due to its potentially malicious nature.

httpshuntioimagesblogscoin-mainerimg-5-4xwebp

Figure 5: Results of the APK file in VirusTotal

Here's a detailed analysis of the suspicious permissions and actions associated with this APK:

Suspicious Permissions:

  • android.permission.INTERNET: This permission allows the app to access the internet, a common requirement for many apps. However, in a potentially malicious context, it could be used to communicate with command and control servers or exfiltrate data.
  • android.permission.ACCESS_NETWORK_STATE: This permission enables the app to access information about the network state. While often used for legitimate purposes, such as optimizing network usage, malware can also exploit it to monitor network connectivity and adjust its behavior accordingly.
  • android.permission.ACCESS_WIFI_STATE: Similar to the previous permission, the app can access information about Wi-Fi networks. In a malicious context, it could gather information about the user's Wi-Fi connections to conduct surveillance or target them.
  • android.permission.WAKE_LOCK: This permission allows the app to prevent the device from sleeping. While it can be used legitimately, for example, to keep the screen on during video playback, it can also be abused by malware to keep a device awake for continuous operation.
  • android.permission.RECEIVE_BOOT_COMPLETED: As mentioned earlier, this permission allows the app to start automatically after the device boots. Malware commonly uses this tactic to maintain persistence on the device.

The presence of Linux executables in "TiviMate-2.8.0_CMist_Premium.apk," as identified by VirusTotal, suggests potential cross-platform malicious activities and advanced persistence techniques. This raises concerns about the APK's ability to target a wider range of systems beyond Android devices.

The modified version of the TiviMate APK file, "TiviMate-2.8.0_CMist_Premium.apk," has been traced to a GitHub repository. Caution is advised when exploring or downloading files from this repository, as the modifications may include malicious code or unauthorized features.

GitHub Repository: https://github.com/skysolf/iptv/blob/main/README.md

Suspicious Actions:

  • Autostart: The app's use of the RECEIVE_BOOT_COMPLETED permission suggests that it can autostart, which could maintain persistence and ensure continuous operation without the user's consent.
  • Background Operations: The combination of internet access and wake lock permissions indicates that the app might perform operations in the background, potentially without the user's knowledge. This could include activities like data exfiltration or communication with remote servers.
  • Network Monitoring: The permissions to access the network and Wi-Fi state could be used to monitor the user's network activity, potentially for malicious purposes such as intercepting sensitive information or determining the best time to perform specific actions.

Next, we have several files with the extension “.scr,” namely “AV.scr,” “Photo.scr,” and “Video.scr.” Overall, the files in the directory have two different SHA256 hashes, which indicates that the behavior of both files must be different but is the same, as explained in the analysis below.

Initially, we searched for the threat score from Virustotal for one file and observed that 55 Antivirus vendors flagged the file as malicious.

httpshuntioimagesblogscoin-mainerimg-6-4xwebp

Figure 6: VirusTotal results for AV.scr

Dynamic Analysis:

Upon execution, each “.scr” file drops a file named “HelpPane.exe” and executes it with various commands, indicating a multi-stage infection process. The “HelpPane.exe” file exhibits the following suspicious behaviors:

Dropping Multiple Files: It drops various executable files, C-runtime libraries, and other components into the C:\Windows\TEMP\_MEI18602 directory, suggesting a complex payload.

httpshuntioimagesblogscoin-mainerimg-7-4xwebp

Figure 7: Screenshot of dropped executable files

Network Activity:

The executable file makes FTP connections to 172.240.108[.]178 on ports 21 and 2121 and communicates with the domain xmr.crypto-pool[.]fr, associated with a Monero cryptocurrency mining pool. Additionally, the program connects to the IP address 141.95.206[.]77 on port 3333, which is also associated with a cryptocurrency mining pool, further indicating its involvement in unauthorized mining activities.

httpshuntioimagesblogscoin-mainerimg-8-4xwebp

Figure 8: List of processes and network connections

Command Execution:

The file uses cmd.exe to execute commands, including copying files and killing processes, indicating control over the infected system.

Firewall Manipulation:

netsh.exe is used to add itself as an allowed program in the firewall, effectively bypassing network security measures.

httpshuntioimagesblogscoin-mainerimg-9-4xwebp

Figure 9: Executable using netsh to modify Windows Firewall rules

Cryptocurrency Mining:

The malware copies and executes xmrig.exe, a well-known cryptocurrency mining software, to hijack the system's resources. The connection to 141.95.206[.]77 on port 3333 confirms that the malware is mining Monero (XMR), exploiting the infected machine's computational power for the attackers' benefit.

httpshuntioimagesblogscoin-mainerimg-10-4xwebp

Figure 10: Executable using netsh to modify Windows Firewall rules

DNS Requests and Mozi Botnet Connection:

The malware's DNS requests show connections to several domains, including dht.transmissionbt.com, router.bittorrent.com, router.utorrent.com,bttracker.debian.org, and xmr.crypto-pool.fr. These requests suggest that the malware may use the BitTorrent Distributed Hash Table (DHT) for communication or distribution, a tactic used by the Mozi botnet.

httpshuntioimagesblogscoin-mainerimg-11-4xwebp

Figure 11: Network results in Any Run

The Mozi botnet is known for targeting IoT devices and using them for distributed denial-of-service (DDoS) attacks, spam campaigns, and cryptocurrency mining. The presence of DNS requests to BitTorrent-related domains and the use of the Mozi botnet's DHT configuration in the threat alerts indicate that the HelpPane.exe file may be a part of the Mozi botnet or is using similar techniques for its operations.

Conclusion:

Our journey through an open directory on the internet has shown us a hidden world of trickery. We found files like "AV.scr", "Photo.scr", and "Video.scr" that looked harmless but were part of a scheme to secretly mine cryptocurrency and possibly even take over networks. The above should serve as a reminder that cyber threats are constantly changing.

Join the Hunt community and learn more about these threats and countless others. Hunt provides a platform for security researchers, defenders, and enthusiasts to stay ahead of threats, whether in open directories or well-known frameworks. Get started by applying for an account today, and explore the world of open directories and more!

Indicators:

AV.scr
md5a9d4007c9419a6e8d55805b8f8f52de0
sha19f9d47ec6dd80bfcb4c3e0a1530b89d2d587c230
sha2565d9fe2735d4399d98e6e6a792b1feb26d6f2d9a5d77944ecacb4b4837e5e5fca

Dropped executable files
sha256 C:\Users\admin\AppData\Local\Temp\_MEI21242\back.jpg
ed551536ff22587cdf7701a279e088eb370a4121e7a3fa1f3c8b121e767318a2
sha256 C:\Users\admin\AppData\Local\Temp\_MEI21242\xmrig.exe
4bf737b29ff521bc263eb1f2c1c5ea04b47470cccd1beae245d98def389929bd
sha256 C:\Users\admin\HelpPane.exe
5d9fe2735d4399d98e6e6a792b1feb26d6f2d9a5d77944ecacb4b4837e5e5fca

DNS requests
Domain: xmr.crypto-pool.fr
Domain: bttracker.debian.org
Domain: router.bittorrent.com
Domain: dht.transmissionbt.com

Connections
IP 141.95.206.77
IP 45.235.49.49

Photo.scr.__rev7
md55616a3471565d34d779b5b3d0520bb70
sha142df726156bee4a54ea328bd72a659602ab7d03e
sha25642df726156bee4a54ea328bd72a659602ab7d03e

Dropped executable files
sha256 C:\Users\admin\AppData\Local\Temp\_MEI39562\Crypto.Cipher._AES.pyd
c1a900615c9500c46b9602c30c53f299290b03632208ef1152af8830ab73ad17
sha256 C:\Users\admin\AppData\Local\Temp\_MEI39562\back.jpg
1de815d23e82a3a94c42f5e5ac1c5dfc690a585ca495c57d2e4a283ab4008208
sha256 C:\Users\admin\AppData\Local\Temp\_MEI39562\xmrig.exe
4bf737b29ff521bc263eb1f2c1c5ea04b47470cccd1beae245d98def389929bd
sha256 C:\Users\admin\HelpPane.exe
9194b57673209c8534888f61b0cdefa34f463ae50cd78f72ab2b3348220baaf9

DNS requests
Domain: bttracker.debian.org
Domain: xmr.crypto-pool.fr
Domain: router.bittorrent.com
Domain: dht.transmissionbt.com

Connections
IP 141.95.206.77
IP 130.239.18.158
IP 82.221.103.244
IP 67.215.246.10
IP 87.98.162.88
IP 212.129.33.59

AV.scr: https://app.any.run/tasks/fcf9499a-eec7-4f03-83c4-0f6b4ae2d4e5

Photo.scr: https://app.any.run/tasks/ec72f83f-2ef0-4201-9f74-7e75e071bbbf

Video.scr: https://app.any.run/tasks/1608c81c-5cd9-4392-b353-68d07464fab2

IPTVChecker: https://app.any.run/tasks/dbde80d2-9582-4198-ae65-4d953377fbd5


Get a Free Demo Today