A look at the analysis of AV malicious mining behavior
Recently, some users have reported high GPU usage, rising computer temperatures, louder fan noise and similar symptoms. Specifically, free space on the C drive drops sharply, and a large number of 1G junk files are found in the Ethash folder on the C drive. When the computer is idle, the fan speeds up, the computer heats up and GPU usage reaches 100%; when it is no longer idle, everything returns to normal. Remote debugging and analysis showed that the cause is the video software secretly using the computing resources of the user's computer in the background to mine Ether (a bitcoin-like digital currency).
[Look at the video version and Company Information]
After the video software is installed, it registers the component %app_data%\video legend\rbc\program\RBCShellExternal.dll in the registry as an Explorer add-on so that it is loaded and run. It is then controlled through Lua scripts, which download the mining module to the local machine and mine with the GPU. The entire process is shown below:
[Look at the whole process diagram of AV mining behavior]
RBCShellExternal.dll Analysis
The component is a commercial function module; RBC is the abbreviation for Remote Business Control. As the name implies, this module can be configured remotely to make the user's computer run different modules, such as upgrade, repair, advertising pop-ups and promotional installs, and also mining.
RBCShellExternal.dll loads the module RBCEntry.dll through rundll32.exe and checks for debugging tools named in the command-line arguments.
[Loading RBCEntry.dll's command line]
The complete command line is as follows:
rundll32.exe "%APP_DATA%\Video Legend\RBC\Program\RbcEntry.dll",Control_RunDLL /thread /src ..\\..\\Xar\\Rbc.xar /killex /priority 0 /checktime /delay 1 /idle %d /busy %d /debug /bkwndlist "Microsoft Visual;HTTPAnalyzer;WinDBG;OllyDebug;fiddler;SmartSniff;\t\t\t\t\t\t\t\tSpy++;Spy;ATL/MFC;任务管理器;DebugView;Process Explorer;File Monitor;RegistryMonitor;Wireshark;OllyICE;OllyDBG;Sysinternals" /bkprocesslist "fiddler.exe;windbg.exe;devenv.exe;taskmgr.exe;wireshark.exe;\t\t\t\t\t\t\t\t\thttpanalyzer.exe;smsniff.exe;filemon.exe;regmon.exe;procmon.exe;ollydbg.exe;softice.exe;cis.exe;\t\t\t\t\t\t\t\t\ttasklist.exe;procexp.exe;ollyice.exe;processspy.exe;spyxx.exe;winspy.exe;cv.exe"
The parameter /src specifies the Lua script module to load (packaged in Xar format); the task is controlled through Lua scripting. The parameter /bkwndlist specifies the window captions to look for, and the parameter /bkprocesslist specifies the process names to look for. Once a listed window or process name is enumerated, the process is ended immediately to prevent the user from discovering it.
LUA Scripting Analysis
RbcEntry.dll encapsulates the Lua engine. After loading, it first parses Rbc.xar and then invokes the Onload.lua inside it, which starts the entire script. Rbc.xar is the task scheduler module; its core function is to download the task control script from the cloud and load and run it.
After unpacking, the directory tree of Rbc.xar is as follows:
Rbc.xar
│
└─layout
    │  onload.lua
    │
    └─luacode
            Kkp.curl.lua
            Rbc.base.lua
            Rbc.eventsource.lua
            Rbc.filter.lua
            Rbc.helper.lua
            Rbc.lua
            Rbc.scheduler.lua
            Rbc.setting.lua
            Rbc.task.lua
            Rbc.version.lua
The main function of Onload.lua is to load each script; the code is as follows:
[Onload.lua Load Script]
The last script loaded, Rbc.scheduler.lua, contains the URL of a remotely configured task script: http://***.kankan.com/rbc/taskschedule_v1.2.dat
[Rbc.scheduler.lua Dispatch Script]
As the function names show, the primary function of this script is to dispatch tasks to run. The script taskschedule_v1.2.dat is the real task script.
The parameters of the various tasks are configured in taskschedule_v1.2.dat, where the parameter configuration block of the mining task is as follows:
[Parameter configuration block of mining task script]
Link is the task module, usually a Xar package; frequency is how often it is executed; Googleid and Cnzzid are activity-statistics identifiers. Configurl is the remote configuration used in the script, mainly the mining DLL module and its MD5; its contents are described below.
The task modules are downloaded and saved in the %app_data%\videolegend\rbc\task directory:
[Each task directory generated under %app_data%\videolegend\rbc\task]
The URLs of all the tasks were collected into a list.
Of these, http://***.kankan.com/rbc/partnerdll_v2.11.xar is the mining task control script, with MD5 8EF1948C5EA9B8113706CBFF1EBB8CF5. After unpacking, it contains only one script, Onload.lua, whose main function is to download Deploy64.dll to the %temp% directory according to the Configurl configuration parameters and then load and run it. Deploy64.dll is the main mining module.
The contents of the script configured by Configurl are as follows:
[DLL for mining task script configuration]
It configures three entries for Deploy.dll: Caburl, Caburl_without and Caburl_withoutwithdll. Caburl is compiled with OpenCL, Caburl_without is compiled without OpenCL, and Caburl_withoutwithdll is compiled without OpenCL but packaged with OpenCl.dll. However, the script always downloads Caburl, and finally calls rundll32.exe to load Deploy64.dll and run it:
[Script call rundll32.exe load Deploy64.dll]
The complete command line is as follows:
c:\windows\system32\rundll32.exe "%TEMP%\Deploy64.dll",Control_RunDLL index_class_d=%d
The parameter index_class_d is specified in the task parameter configuration block in taskschedule_v1.2.dat.
The real mining code is executed after Deploy64.dll is loaded; it is the real culprit behind the high GPU usage, the overheating of the computer and the shrinking free space on the C drive.
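Both rundll32 launches quoted above (the RbcEntry.dll loader with its /bkprocesslist argument and the Deploy64.dll launch with index_class_d) can be matched in process-creation logs. The Python below is an added example, not code from the original article or from the software it analyses; the sample command lines, the expanded paths in them, the function names and the reason labels are constructed for illustration.

```python
import re

# rundll32 <dll>,<export> <args>; the DLL path may be quoted and contain spaces.
RUNDLL = re.compile(
    r'rundll32(?:\.exe)?"?\s*"?(?P<dll>[^",]+?\.dll)"?\s*,\s*(?P<export>\w+)\s*(?P<args>.*)',
    re.IGNORECASE | re.DOTALL)
# Locations a standard user can write to, expanded or as unexpanded variables.
USER_WRITABLE = re.compile(r'%temp%|%app_?data%|\\appdata\\|\\temp\\', re.IGNORECASE)
# A few of the analysis tools named in the /bkprocesslist value quoted on this page.
ANALYSIS_TOOLS = {"procmon.exe", "procexp.exe", "wireshark.exe", "windbg.exe",
                  "ollydbg.exe", "fiddler.exe", "taskmgr.exe"}

def parse_rundll32(cmdline):
    """Split a rundll32 command line into DLL path, export name and /flag values."""
    m = RUNDLL.search(cmdline)
    if not m:
        return None
    # Flags look like: /name value, /name "quoted value", or a bare /name.
    flags = {name.lower(): (quoted or bare) for name, quoted, bare in
             re.findall(r'/(\w+)\s*(?:"([^"]*)"|([^/\s"][^\s"]*))?', m["args"])}
    return {"dll": m["dll"], "export": m["export"], "flags": flags, "args": m["args"]}

def assess(cmdline):
    """Return the reasons a rundll32 launch matches the behaviour described above."""
    p = parse_rundll32(cmdline)
    if p is None:
        return []
    reasons = []
    if USER_WRITABLE.search(p["dll"]):
        reasons.append("dll-in-user-writable-dir")
    watched = {n.strip().lower() for n in p["flags"].get("bkprocesslist", "").split(";")}
    if watched & ANALYSIS_TOOLS:
        reasons.append("names-analysis-tools")
    if re.search(r'\bindex_class_d=\d+', p["args"]):
        reasons.append("miner-task-index")
    return reasons

SAMPLES = [  # constructed process-creation command lines, shortened from the page's
    r'rundll32.exe "%APP_DATA%\Video Legend\RBC\Program\RbcEntry.dll",Control_RunDLL '
    r'/thread /src ..\..\Xar\Rbc.xar /killex /debug '
    r'/bkprocesslist "fiddler.exe;windbg.exe;procmon.exe"',
    r'c:\windows\system32\rundll32.exe "C:\Users\u\AppData\Local\Temp\Deploy64.dll",'
    r'Control_RunDLL index_class_d=3',
    r'rundll32.exe shell32.dll,Control_RunDLL desk.cpl',  # ordinary Control Panel launch
]

if __name__ == "__main__":
    for s in SAMPLES:
        print(assess(s), "<-", s[:60])
```
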
Deploy64.dll Analysis
Deploy64.dll creates 2 threads after loading: Csafert::monitorthread and Eththread. Csafert::monitorthread is the monitoring thread, and Eththread is the mining thread.
Csafert::monitorthread
The thread creates a window whose window class is named __deploy_csafertimpl and whose window name is __deploy_csafertimpl_i_1_5. In the window procedure it checks for a debugger and enumerates windows. It exits if it detects that it is being debugged or that a detection tool window exists.
[Exit when detection is being debugged]
[The above window caption is detected to exit]
Eththread
Eththread is the main thread that performs the mining. It first downloads the mining configuration file http://***.kankan.com/deploy/dtask%d_.ini, where %d is given by the passed-in parameter index_class_d; values 0-7 are currently valid. The configuration file reads as follows:
[Mining configuration file]
After reading the configuration fields, it decrypts them with the AES128 algorithm and gets:
p = "http://eth-asia1.nanopool.org:8888"; US = "0x7016df7c2d2acf0dac218a410e61002a66837151;
0xeaabaf0384ee73bca43c2a698e240d64de09081b;
0x0af856fbed6e93a01b3c4557d64edc99c5a5d46b;
0X669F588F103764F98B94CEBFB6FB93BBD5DF2CFC;
0xedc148759dfdffa3eeff01ea64b2abf20642799f;
0XFE7C793ED4F16B6D05EC763D98389590B0C812E1;
0xc556d14247a59d1e0886bb21b4fae1481c744191;
0xb1d42965f539eaf688938a16be47558053d57a52;
0x6563b8a0a6238edc8c3bbd7e23ab6174ded92165;
0x9c3dc3bc89a0f16b1cbc2ba8b35427d286f783ec;
0xffb6faef01a41330425ae1795601f6d3f7c1d762 "
[Decrypt the mining parameters obtained]
These are then concatenated to get http://eth-asia1.nanopool.org:8888/0xFfB6faEF01A41330425ae1795601f6D3F7c1d762.
[Start mining parameters]
It passes the parameters to its own process and begins mining, where the parameter -g specifies GPU mining and the parameter -F specifies the mine URL. When mining begins, an Ethash directory is generated in the user directory; the mining data files in it have the format shown below, and a single file is more than 1.5GB in size. At the same time, the GPU usage of the user's computer soars, the computer heats up, and so on.
[Mining files generated by Deploy64.dll]
The above is the complete analysis of how the video software uses the computing resources of users' computers for mining. Because the video software itself is legitimate software, it is usually trusted directly by security software, which makes the malicious behavior difficult to detect. At present, Poison can detect and remove this malicious behavior.
[Poison to intercept the mining virus]
[Poison pa Clean Mining data file]
* This article is by Fishing village Security (enterprise account); if reproduced, please credit freebuf.com