A precise mining Botnet is constructed to construct mining botnets.

A precise mining Botnet is constructed to construct mining botnets.
0 × 1 Preface

Recently, the 360 Internet Security Center found a mining botnet spreading through an attack weapon exploiting the "eternal blue" vulnerability. The botnet uses the CPU and GPU computing power of the botnet to dig for a profit. An important part of this botnet is a file named NrsDataCache that is delivered to each botnet. Therefore, we name it "NrsMiner ".

After the last WannaCry incident, many machines have repaired or immune to the "Eternal Blue" vulnerability. The attack weapon is far less powerful than the previous one, but the structure of NrsMiner is more precise, it can effectively complete multiple functions, such as persistence, centralized management, and self-update, and its harm cannot be underestimated.

This article analyzes the structure of NrsMiner in detail and sorts out the development process of NrsMiner botnet.

0 × 2 NrsMiner Analysis

NrsMiner consists of the main control module, update module, attack module, and mining module. The PE files involved in each module contain both 32-bit and 64-bit versions to adapt to operating systems of different architectures. Figure 1 shows the overall structure of NrsMiner.

 

 

Figure 1 Overall structure of NrsMiner

In NrsMiner, the master control module exists as a service to start other modules. The update module downloads the update package NrsDataCache from the control end. tlb and updates other modules. The attack module is responsible for attacking other computers in the intranet and other computers connected to the computer with the "Blue forever" vulnerability. The mining module is responsible for extracting the Monroe currency. Each module is analyzed one by one.

(1) Main Control Module

The master control module is the foundation of the botnet and is responsible for scheduling other modules. The NrsMiner's main control module vmichapagentsrv. dll is used as the servicedllof the service "Hyper-VAccess Protection Agent service2. at the same time, the service is added to the netsvcsservice group to help start svchost.exe. Figure 2 shows the 32-bit payloadx86.dll code snippet for creating the service and specifying ServiceDll.

 

 

Figure 2 x86.dll: Create the service and specify the ServiceDll code snippet

Each execution of the main control module deletes the components of the NrsMiner in the computer and ends the corresponding process. Then, it downloads new files and starts the corresponding process through the update module, to keep NrsMiner up to date. Figure 3 shows that the master module deletes the old NrsMiner component and ends the code snippet of the corresponding process.

 

 

Figure 3 the master module deletes the old NrsMiner component and ends the code snippet of the corresponding process

After cleaning up the old component, the main control module starts its work. The first step is to send the hitting data of the local machine to the control end. The hitting data includes the MAC address, IP address, and computer name of the local machine. The hitting server domain name is vpp. jdi1diejs. club. Figure 4 shows the code snippet of the main control module for hitting.

 

 

Figure 4 code snippet for logging in the main control module

And start the program for mining. The main control module determines the number of threads used by the mining machine based on the number of processors. Table 1 shows the number of threads used by mining machines with different processor numbers.

Table 1 Number of threads used by the mining machine corresponding to the number of processors

Number of processors Number of threads 8 3 12 4 16 6 Others Equal to the number of processors

Table 1

It can be seen that NrsMiner intends to reduce the number of mining threads in a multi-core processor environment, so as to reduce the possibility of computer abnormalities. NrsMiner's rigor is not only reflected in this, but also in its real-time record and return of the mining machine status. The main control module records the status of the mining machine when it starts the mining machine and returns it to the control end. Table 2 shows the status codes used by NrsMiner to record the mining machine status.

Table 2 Status codes used by NrsMiner to record the mining machine status

Mining Machine status Status Code The old mining machine process is successfully completed. 0 The new mining machine process is started successfully. 1 An error occurred while finishing the old mining machine process. 2 The mining machine program file does not exist. 3 An error occurred while starting the new mining machine process. 4

Table 2

In addition to the mining machine, the main control machine downloads the update kit taskhostex.exe from the control terminal, which is dlr. noilwut0vv. club/d/msdownload/others/BtnProtocol.exe. The content of the update module is described in detail below. In the same case, the master node is also responsible for the acquisition and startup of the attacker. The attacker program file spoolsv.exe is extracted and executed from nrsdatacache.tlb.

In addition to the above features, we also found an interesting feature of the main control module-the master module embedded a mongoose-based lightweight WebServer. The main control module of other computers in the LAN can access the WebServer to download the corresponding components. Figure 5 shows the WebServer initialization code segment embedded in the master module. The 'webserver is bound to port 26397.

 

 

Figure 5 WebServer initialization code segment embedded in the master module

WebServer provides the NrsDataCache. tlb download function. Other computers in the LAN can access WebServer over HTTP to download NrsDataCache. tlb, while WebServer will process HTTP requests from other computers. If NrsDataCache. tlb does not exist, the WebServer returns the 404 status code. By converting a botnet into a WebServer, you can easily transfer and update files between different computers in the LAN. The update module mentioned below uses this method to update botnet components. Figure 6 shows the code snippet used by the WebServer to process HTTP requests.

 

 

Figure 6 code snippet of WebServer processing HTTP requests

The main control module directs other modules to work as the initiator, which can be called "the backbone of a botnet ". A stable and flexible master control module is the foundation for botnets to stabilize themselves and continue to expand, the NrsMiner master program ensures the stability of the botnet by means of real-time hitting, replacement of old and new files, and module Status feedback, and improves the flexibility of the botnet by embedding WebServer.

(2) Attack Module

 

Attacks are composed of two groups. One is the spoolsv.exe, the other is the "Eternal Blue" payloadx86.dll and x64.dll of the attack. Spoolsv.exe Attack Process 7.

 

 

Figure 7spoolsv.exe Attack Process

Before the attack, spoolsv.exe performs a hitting operation, which includes the local IP address, computer name, and GPU model. After hitting this point, spoolsv.exe extracts the "eternal blue" attack component crypt from NrsDataCache. tlb, which is also a compressed package. After decompression, spoolsv.exe is a complete set of "eternal blue" vulnerability attack weapons. Figure 8 shows the extracted content of crypt.

 

 

Figure 8crypt extracted content

X86.dll and x64.dll are two versions of the "Eternal Blue" vulnerability attack payload. Spoolsv.exe does not exist in the target computer, but directly starts the attack program svchost.exe to attack other computers in the LAN and other computers connected to the local machine. After the attack succeeds, the corresponding payload will be executed on the target computer.

To minimize the volume of payload, NrsMiner does not directly hand over the function execution to payload. Instead, it binds payload to port 57220 of the computer and listens to it. Figure 9 shows the corresponding code snippet.

 

 

Figure 9 code snippet of payload binding and listening to this port

And spoolsv.exe will send NrsDataCache to the target computer port 57220. tlb, the target computer receives the NrsDataCache. after the tlb is decompressed, extract the file named srv, that is, the main control module File vmichapagentsrv. dll installation service, the entire attack has been completed. Figure 10 shows the code snippet in which spoolsv.exe sends a file to port 57220 of the target computer.

 

 

Figure 10 spoolsv.exe code snippet of a file sent to the target computer

During the attack, the attack module stops the Task Manager process to reduce the possibility of being discovered. Figure 11 shows the code snippet used to terminate the Task Manager Process of the Attack Module.

 

 

Figure 11 code snippet of the Attack Module ending the Task Manager Process

The attacker downloads the file named taskhostservices.exe from log.oiwcvbnc2e.streamand runs the file. However, log. oiwcvbnc2e. stream cannot be accessed and the Attack Module cannot download the file.

(3) Update Module

The update module updates the NrsMiner component. Nrsminerdownloads different files from different addresses, and the new component taskhostex.exe is the master module downloaded from dlr. noilwut0vv. club/d/msdownload/others/BtnProtocol.exe.

Taskhostex.exe is a loader used to load other components of the update module. When loading, it performs the BypassUAC operation as needed. Taskhostex.exe determines whether the UAC level is the lowest by checking whether the tcpiplocationviews. dll file is successfully released in the system32 directory. When the UAC level is not the lowest, writing files to the system32 directory will trigger a pop-up window, and the operation will fail if there is no user interaction. The UAC level of the computer is sent back to the hitting server together with the network status and GPU model.

If the uaclevel is incorrect, taskhostex.exewill help spoolsv.exe start the update component TrustServicesHost32/64.exe. The source of the spoolsv.exe process is from the "Eternal Blue" payload, and the process permission is system, so that BypassUAC can be used. Figure 12 shows the code snippet of taskhostex.exe byPassUAC. We can find that taskhostex.exe will perform 45 BypassUAC attempts.

 

 

Figure 12 taskhostex.exe byPassUAC code snippet

Taskhostex.exe start the update module component TrustServicesHost32/64.exe( 32-bit and 64-bit versions have different file names, which are called TrustServicesHost ). TrustServicesHost downloads the update package NrsDataCache. tlb through LocalDown or vps. LocalDown is preferred for both.

LocalDown refers to downloading the update package through a WebServer built on an infected computer in the LAN. TrustServicesHost.exe downloads the update package NrsDataCache. tlb by accessing port 26397 of WebServer. Figure 13 shows the code implementation of LocalDown.

 

 

Figure 13 code of LocalDown

Vps refers to downloading the update package through the remote server deployed by the author. The download link is http://vpp.jdi1diejs.club/nrsdatacache.tlb. Figure 14 shows the vps code implementation.

 

 

Figure 14 vps code implementation

After the update package is downloaded, trustserviceshost.exe replaces the existing files in the computer with the files in the update package, and restarts the service of the master module. Figure 15 shows the extracted content of NrsDataCache. tlb.

 

 

Figure 15 content extracted by NrsDataCache. tlb

It is worth mentioning that trustserviceshost.exe hardcoded some strings that have passed the exclusive or encrypted operation. The exclusive or key value is 0 × 33. TrustServicesHost.exe decrypts these strings and encodes them and stores them in the Registry key HKEY_LOCAL_MACHINE \ SYSTEM \ CurrentControlSet \ Services \ ServicesPixels. Figure 16 shows unencoded strings after decryption. These strings may be used as the standby mining pool address. In the mining module, they are spliced with other strings to form the mining machine command line. Figure 17 shows the string content written to the registry entry.

 

 

Figure 16 unencoded string content after decryption

 

 

Figure 17 string content written to the registry key

(4) mining module

Mining is the ultimate goal of the NrsDataCache botnet. The currency of NrsDataCache is Monroe. Nrsdatache's Mining function is completed by tasksynchost.exe. The file is extracted by NrsDataCache. tlb and the original file name is hash or hash64.

Unlike other well-known mining botnets such as minexmr and supportxmr, NrsDataCache uses a self-built ore pool and the first ore pool address is mg. jdi1diejs. club: 45560. the address is hardcoded in the form of a string in the main control module, and spliced with other strings into the mining machine command line. Figure 18 shows the contents of the mining machine command line.

 

 

Figure 18 Mining Machine command line

We can see from the above that the update module stores some strings containing the mine pool address through the registry key, which may be the backup mine pool address and login account name of the mining machine, however, these mining pools and account names are not enabled. Based on the stored strings, we can sort out the addresses and account combinations of the mining pool used or to be used by the mining module, as shown in table 3.

Table 3 Mining pool addresses and account combinations used or to be used by the mining module

Mine pool address Account Mg. jdi1diejs. club: 45560 A3raf3ea@protonmail.com Mg. jdi1diejs. club: 45560 Wb333@protonmail.com P2.jdi1diejs. club: 45560 Akiofe1a@protonmail.com P3.jdi1diejs. club: 45560 Toyetrqw@protonmail.com P4.jdi1diejs. club: 45560 S50ghksf@protonmail.com P5.jdi1diejs. club: 45560 A4gqr09i@protonmail.com P6.jdi1diejs. club: 45560 Fa09efka@protonmail.com P7.jdi1diejs. club: 45560 Dske59jg@protonmail.com P8.jdi1diejs. club: 45560 Fgk9w4fk@protonmail.com

Table 3

In addition to tasksynchost.exe, NrsDataCache. tlb has another mining machine named gpu, which uses GPU for mining. However, no behaviors related to the mining machine were found in the captured samples.

0 × 3 NrsMiner Development Process

The earliest appearance of NrsMiner variants can be traced back to May 2017, which is similar to the outbreak time of "WannaCry. That is, a month after the "Blue forever" vulnerability attack weapon appeared, NrsMiner began to use it for attacks. The original NrsMiner variant did not have the mining function. Instead, it turned the target computer into a "zombie" through the leaked "Eternal Blue" vulnerability attack tool and backdoor DoublePulsar ". Figure 19 shows the computer trend of NrsMiner variant control from May 2017 to June 2017.

 

 

Figure 19 computer trend of NrsMiner Variant Control in May to June 2017

Since July 2017, NrsMiner has been planted with mining machines in affected computers, and more computers are controlled by NrsMiner. Figure 20 shows the number of affected computers implanted with the NrsMiner mining machine since July 2017.

 

 

Figure 20 change in the number of affected computers implanted by NrsMiner into the mining machine since July 2017

The early NrsMiner variants only contained the Attack Module and the mining module. After the attack module uses the "Blue forever" vulnerability attack weapon to intrude into the target computer, the target computer downloads the mining machine and Attack Module components through the WebServer embedded in the attacker's attack module. Because of its simple structure and lack of effective confrontation with anti-virus software, the early NrsMiner variant does not last long on controlled computers. Figure 21 shows the early NrsMiner variant attack process.

 

 

Figure 21 early NrsMiner variant Attack Process

Due to the slow growth of NrsMiner in the early days, the author began to update NrsMiner in November 2017, and continuously modified the location of the NrsMiner component to combat soft removal. Table 4 shows the paths used to store NrsMiner components.

Table 4 paths used to store NrsMiner Components

Path C: \ Windows \ IME C: \ windows \ SysprepThemes C: \ windows \ Sysnative C: \ windows \ securebootthemes

Table 4

The scale of NrsMiner grew slowly in November 2017. At the end of December 2017, the author updated it again and added the main control module to NrsMiner. This update makes NrsMiner more robust in structure and a botnet in a strict sense. Thanks to this update, the number of NrsMiner botnets increased dramatically from the end of December 2017 to January 2018, and the number of controlled botnets increased by 400. In addition, the NrsMiner mining machine abandoned the public mining pool minergate and switched to a private mining pool after this update.

However, this update still has some problems, such as the failure to update botnet components in real time. Therefore, the author of NrsMiner updated the update module again on April 9, January 31, 2018. The NrsMiner can start to download the update package from a remote server. The updated NrsMiner is the variant analyzed in this article.

0 × 4 Summary

This type of botnet is powerful and can be lurking in victim computers for a long time and actively attack other machines in the network. It is recommended that the majority of Internet users promptly upgrade the software, patch the patch, and regularly check the system security status. In addition, the 360 security guard has launched the anti-mining function to comprehensively defend against mining trojans from various channels. After you enable this function, 360 security guard will immediately intercept all types of mining Trojan attacks to protect your computer security.

 

 

Figure 22

0 × 5 IOC

531aec8627cd8e55f59c302991838417

011d6ce51b7806dca26c300e8d26f9bb

A55a69992f8e40686d3e350a9514a847

3e5a34e4f520bad2c25fc3ebe3ac4a2b

Aee376f0c693fae922cd33415d2f9dd9

7d75c0b4cd956233518c81a7aacfaeeb

D7b65143cf713011fdc7f6ea0000f0340

9bc26cf32e5f27ead23a16867e049e85

Log. oiwcvbnc2e. stream

Dlr. noilwut0vv. club

Vpp. jdi1diejs. club