
What kind of software is WebCobra

2025-04-05 Update From: SLTechnology News&Howtos


Shulou(Shulou.com)05/31 Report--

This article explains what kind of software WebCobra is. The editor considers it very practical, so it is shared here as a reference; follow along with the editor to have a look.

Preface

Recently, researchers at McAfee Labs discovered a new Russian malware family called "WebCobra" that uses the computing power of the target device to mine cryptocurrency.

Malicious mining software is in fact very difficult to detect. Once a device is infected, the malware runs quietly in the background of the system, and the only sign that may give it away is a decline in the device's performance. Because the malware increases the device's consumption of computing power, the device slows down noticeably, which brings not only the annoyance of users but also an "astronomical" electricity bill; after all, the cost of mining a single bitcoin is between $531 and $26,170.

There is no doubt that the rising value of cryptocurrencies is attracting more and more cybercriminals to join the ranks of malicious mining.

The following figure shows the relationship between the Monero price trend and the development trend of malicious mining software:

Prior to this, McAfee Labs analyzed the cryptocurrency miner CoinMiner. Interested readers can browse the [Analysis report].

After infecting the target device, WebCobra quietly implants either a Cryptonight miner or Claymore's Zcash miner in the background, depending on the architecture of the target device that WebCobra scans. We believe that this malware is mainly spread through PUP rogue installers and has affected users worldwide, with the largest number of infected users in Brazil, South Africa and the United States.

Unlike other malicious mining software, WebCobra chooses which mining tool to implant based on the configuration and architecture of the infected device.

Malicious behavior analysis

The malware dropper is a Windows installer that detects the operating environment of the system. On x86 systems, it injects Cryptonight miner code into a running process and then enables process monitoring. On x64 systems, it checks the GPU configuration, then downloads and executes Claymore's Zcash miner from a remote server.

After startup, the malware downloads and decompresses a password-protected Cabinet (CAB) archive using the following command:

This CAB file contains the following two files:

1. ERDNT.LOC: the DLL used to decrypt data.bin

2. data.bin: contains the encrypted malicious payload

The CAB file uses the following script to execute ERDNT.LOC:

ERDNT.LOC decrypts data.bin with the following byte-wise arithmetic and then passes execution to it:

[PlainText_Byte] = (([EncryptedData_Byte] + 0x2E) ^ 0x2E) + 0x2E
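The decryption arithmetic above is simple enough to reimplement so that an analyst can unpack a captured data.bin offline instead of letting the dropper run. The following Python is an added example, not code from the article or from McAfee: it applies the page's formula byte by byte (the `^` is XOR and every step wraps at 8 bits), and it also includes the inverse transform, which is my own construction used only to build a labelled test input, since the page does not provide a sample of the encrypted blob.

```python
"""Byte-wise decoder for the WebCobra data.bin transform described in the article.

Formula from the page:  plain = ((enc + 0x2E) ^ 0x2E) + 0x2E   (per byte, mod 256)
"""

KEY = 0x2E


def decrypt_byte(c: int) -> int:
    """Apply the page's formula to one encrypted byte, wrapping at 8 bits."""
    return ((((c + KEY) & 0xFF) ^ KEY) + KEY) & 0xFF


def encrypt_byte(p: int) -> int:
    """Inverse of decrypt_byte (assumption: my own construction, used to build test data).

    Undo the steps in reverse order: subtract, XOR, subtract.
    """
    return ((((p - KEY) & 0xFF) ^ KEY) - KEY) & 0xFF


def decrypt_payload(data: bytes) -> bytes:
    """Decode a whole data.bin-style blob."""
    return bytes(decrypt_byte(b) for b in data)


def encrypt_payload(data: bytes) -> bytes:
    """Encode plaintext with the inverse transform (constructed helper for testing)."""
    return bytes(encrypt_byte(b) for b in data)


def looks_like_pe(data: bytes) -> bool:
    """Cheap sanity check after decoding: a Windows PE payload starts with the 'MZ' magic."""
    return data[:2] == b"MZ"


if __name__ == "__main__":
    # Constructed sample: a fake PE header stub, encoded with the inverse transform.
    plaintext = b"MZ\x90\x00" + bytes(range(256))
    blob = encrypt_payload(plaintext)
    recovered = decrypt_payload(blob)
    print("round trip ok:", recovered == plaintext)
    print("decoded payload looks like a PE:", looks_like_pe(recovered))
```

Because the transform is a fixed per-byte substitution, the same table decodes any sample that uses this loader; a quick way to triage a suspected data.bin is to decode it and check for the `MZ` magic, as `looks_like_pe` does.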

The program starts the corresponding miner after detecting the current running environment, as shown in the following figure:

Once data.bin is decrypted and executed, it applies several anti-debugging, anti-emulation and anti-sandboxing techniques and checks for other security products running on the system; these are among the basic ways the malware protects itself from detection.

Most security products monitor malware behavior by hooking API functions. To evade this, WebCobra loads ntdll.dll and user32.dll into memory as data files and then overwrites the first eight bytes of the functions listed below, removing any API hooks.

ntdll.dll APIs that are unhooked:

LdrLoadDll
ZwWriteVirtualMemory
ZwResumeThread
ZwQueryInformationProcess
ZwOpenSemaphore
ZwOpenMutant
ZwOpenEvent
ZwMapViewOfSection
ZwCreateUserProcess
ZwCreateSemaphore
ZwCreateMutant
ZwCreateEvent
RtlQueryEnvironmentVariable
RtlDecompressBuffer

user32.dll APIs that are unhooked:

SetWindowsHookExW
SetWindowsHookExA

Infecting x86 systems

The malware injects malicious code into svchost.exe and uses an infinite loop to enumerate all open windows, matching their title bars against the strings in the list below. This is another detection mechanism used by WebCobra to determine whether the current environment is an isolated environment set up for malware analysis.

Adw
emsi
avz
farbar
glax
delfix
rogue
exe
asw_av_popup_wndclass
snxhk_border_mywnd
Avast
CefWindow
AlertWindow
UnHackMe
eset
hacker
AnVir
Rogue
uVS
malware

The malware determines the running environment based on the title bar of the open window:

After the process monitoring is set up, it creates an instance of svchost.exe with the miner's configuration file and injects the Cryptonight miner code:

Finally, the malware leaves the Cryptonight miner running silently in the background, using all the CPU resources of the target host to mine:

Infecting x64 systems

The malware first detects whether Wireshark is running:

It then checks the GPU brand and model, and it will run only if a GPU from one of the following vendors is detected:

Radeon
Nvidia
Asus

If the check succeeds, the malware creates the following hidden folder, then downloads and executes the Zcash miner from the remote server:

C:\Users\AppData\Local\WIXToolset 11.2

Finally, the malware drops a batch file at %temp%\-xxxxx.cMD to delete the dropper ([WindowsFolder]\{DE03ECBA-2A77-438C-8243-0AF592BDBB20}\*.*):

The configuration file for the miner is as follows:

The configuration file contains:

Pool address: 5.149.254.170
User name: 49YfyE1xWHG1vywX2xTV8XZzbzB1E2QHEF9GtzPhSPRdK5TEkxXGRxVdAq8LwbA2Pz7jNQ9gYBxeFPHcqiiqaGJM2QyW64C
Password: soft-net

The second configuration file contains:

Pool address: eu.zec.slushpool.com
User name: pavelcom.nln
Password: zzz
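The pool addresses in the two miner configurations, together with the IP addresses and domains in the indicator list at the end of the article, are the most practical detection handle a defender gets from this report: an infected host has to talk to a pool. The Python below is an added example, not part of the article or of McAfee's tooling; it refangs the report's defanged indicators and runs them over a few constructed proxy-log lines (the log format, the internal 10.0.0.x client addresses and the timestamps are my assumptions, not something the page shows).

```python
"""Match the WebCobra network indicators from the report against proxy/firewall log lines."""
import re
from collections import Counter

# Indicators as given in the article (defanged with [.]).
IOC_IPS = {"5.149.249[.]13", "5.149.254[.]170", "104.31.92[.]212"}
IOC_DOMAINS = {"emergency.fee.xmrig[.]com", "saarnio[.]ru", "eu.zec.slushpool[.]com"}


def refang(indicator: str) -> str:
    """Turn a defanged indicator ('1.2.3[.]4') back into a matchable string."""
    return indicator.replace("[.]", ".")


REFANGED_IPS = {refang(i) for i in IOC_IPS}
REFANGED_DOMAINS = {refang(d) for d in IOC_DOMAINS}

# Assumed log layout: "<timestamp> <client-ip> <dest-ip>:<port> <sni-or-host>" ("-" when absent).
LOG_RE = re.compile(r"^(?P<ts>\S+)\s+(?P<src>\S+)\s+(?P<dst>[^:\s]+):(?P<port>\d+)\s+(?P<host>\S+)$")

# Constructed sample log lines (not from the article). Two lines involve report indicators.
SAMPLE_LOG = """\
2024-05-01T10:00:00Z 10.0.0.5 5.149.254.170:2223 -
2024-05-01T10:00:01Z 10.0.0.7 93.184.216.34:443 example.com
2024-05-01T10:00:02Z 10.0.0.5 104.31.92.212:443 emergency.fee.xmrig.com
2024-05-01T10:00:03Z 10.0.0.9 1.1.1.1:53 -
this line is malformed and must be skipped, not crash the scanner
"""


def parse_line(line: str):
    """Return the parsed fields of one log line, or None if it does not match the layout."""
    m = LOG_RE.match(line.strip())
    return m.groupdict() if m else None


def domain_matches(host: str) -> bool:
    """Exact match, or a subdomain of a listed domain (e.g. a.eu.zec.slushpool.com)."""
    host = host.lower().rstrip(".")
    return any(host == d or host.endswith("." + d) for d in REFANGED_DOMAINS)


def scan(log_text: str):
    """Yield (client, indicator) pairs for every log line that touches a report indicator."""
    hits = []
    for line in log_text.splitlines():
        rec = parse_line(line)
        if rec is None:
            continue  # malformed line: skip rather than abort the scan
        if rec["dst"] in REFANGED_IPS:
            hits.append((rec["src"], rec["dst"]))
        if rec["host"] != "-" and domain_matches(rec["host"]):
            hits.append((rec["src"], rec["host"].lower()))
    return hits


def suspect_clients(log_text: str) -> Counter:
    """Count indicator hits per internal client so the noisiest host is triaged first."""
    return Counter(src for src, _ in scan(log_text))


if __name__ == "__main__":
    for client, indicator in scan(SAMPLE_LOG):
        print(f"{client} contacted {indicator}")
    print(suspect_clients(SAMPLE_LOG).most_common())
```

The suffix match in `domain_matches` is deliberate: miner pools are commonly reached through per-region or per-coin subdomains, and a listed domain such as eu.zec.slushpool.com is itself a subdomain of a legitimate pool, so treat a hit on that pool as "a miner is running here", not as proof of WebCobra specifically, and confirm with the host-side artefacts described above (the hidden WIXToolset folder, the svchost.exe injection).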

Summary

There is no doubt that malicious mining software will continue to evolve, because cybercriminals will not let go of such a relatively easy way to make money. Compared with ransomware, malicious mining is lower risk and does not require the target user to "pay a fee" directly. As long as it stays well enough hidden to go undiscovered, cybercriminals can sit back and make money.

Indicators of compromise

IP addresses:

5.149.249[.]13 comminer.fee.xmrig 2224
5.149.254[.]170 comminer.fee.xmrig 2223
104.31.92[.]212

Domain names:

emergency.fee.xmrig[.]com
saarnio[.]ru
eu.zec.slushpool[.]com

Hashes:

Thank you for reading! This is the end of the article on "what kind of software WebCobra is". I hope the above content has been of some help to you and that you have learned something new. If you think the article is good, please share it so that more people can see it!
