FOR CUSTOMERS

Close

Library
My library

+ Add to library

Search
Search

Contact us
24/7 Tech support | Rules regarding submitting

Send a message

A query form

Call us

+7 (495) 789-45-86

Forum

Your tickets

New ticket

Call us

+7 (495) 789-45-86

Profile

EN

RU CN DE EN ES FR IT JP KZ UZ PL BY
Close
Support services
Scanners
Dr.Web vxCube
Trial
VCI investigations
Virus library
Knowledge base

Technologies

Terminology

Training and education

Myths

News

Trojan.BtcMine.1978

Added to the Dr.Web virus database: 2018-01-19

Virus description added:

SHA1:

  • 916f82f365bf5f8bc3e2f87422ddb10303b7a4d6

A Trojan designed to mine cryptocurrency. It is installed on servers that run on Microsoft Windows Server using a vulnerability in Cleverence Mobile SMARTS Server.

It is launched as a critically important process with a displayed name “Plug-and-Play Service”. If one tries to shut down this process, Windows performs an emergency shutdown and displays the “blue screen of death” (BSOD). It attempts to delete the following system services:

WinDefend

MsMpSvc

SepMasterService

DrWebEngine

DrWebAVService

AVP

AVP18.0.0

AVP17.0.0

AVP15.0.2

KAVFS

ekrn

a2AntiMalware

ZAMSvc

AntiVirService

QHActiveDefense

It attempts to detect and shut down the following running processes:

anvir

msmpeng

dwengine

dwservice

ekrn

avp

kavfs

ccsvchst

cmdagent

a2service

ZAM

avguard

QHActiveDefense

If at least one of the indicated processes is detected, the Trojan decrypts its resource Service.x64.dat, which stores the Process Hacker driver, saves it to a disk called x64.sys and loads it. It uses this driver to shut down the detected running processes.

It obtains the following port list from the configuration:

8100

9100

10100

11100

12100

Then the malicious program launches a service SSDPSRV and attempts to detect a router in its network. For each port from the obtained list, the Trojan uses the UPnP protocol to redirect the TCP port of the router to the infected server. Then it starts tracking ports from the list thus waiting for the incoming HTTP connection.

To define operating command and control servers, whose list of IP addresses is stored in the Trojan’s configuration, it sends them the following string:

"{\"id\":1,\"jsonrpc\":\"2.0\",\"method\":\"login\",\"params\":{\"login\":\"0\",\"pass\":\"x\",\"agent\":\"Test/1.0\"}}\r\n"

The malicious program stores settings required for its operation in the Windows system registry.

[HKEY_CLASSES_ROOT]\\datfile

Then the Trojan configures proxy servers on the infected machine. The following servers will be used to mine cryptocurrencies:

8080

8081

8082

9080

9081

9082


8083

8084

8085

9083

9084

9085

The Trojan tracks the status of the port 51515. When a remote user connects to it, the Trojan waits for a command “deadbeef”. Once it receives the command, it launches the command shell PowerShell and redirects an input-output to a socket of the connected user.

Once these actions are executed, the Trojan embeds a module into all running processes. It is designed to mine cryptocurrencies. For each process the Trojan:

  1. extracts its resource "Service.rmxi.dat”, decrypts it using the XOR algorithm and saves with an arbitrary name and extension;
  2. embeds this module to a process using the functions WinAPI VirtualAllocEx, WriteProcessMemory, RtlCreateUserThread and LoadLibrary.

Instead of receiving tasks/sending results to a pool, the decrypted "Service.rmxi.dat" is a miner which does these actions via called pipes created by the Trojan service.

For the miner’s operation, the Trojan:

  • creates an event "Global\\{F2B06D4B-01B0-4F5C-B0FF-DC9F73696E63}” — for the XMR cryptocurrency;
  • creates an event "Global\\{9D91E9F3-F27B-44F7-8A9D-4D67BEFB5D08}" — for the Aeon cryptocurrency;
  • creates FileMapping "Global\\{CCE2F35E-0F38-413A-B118-EDF75722B8E4}” to store configuration.

The Trojan creates two called pipes:

  • "{29F248DD-592B-48AF-B9F3-1596AA1BB280}" — for XMR
  • "{111A00F9-3BF6-49D2-9A19-5FB4A50D68AF}" — for Aeon

IPC is used to exchange tasks with the miner and to obtain results of its work.

Also the malicious program can scan the network for servers with the installed Cleverence software.

To process the incoming HTTP connections, the Trojan receives a full path and parameters of a request, divides the obtained string into substrings with a divider ' / ‘ and goes through the obtained substrings. If a substring concurs with "result”, the Trojan decrypts base64, extracts data and parses XML. XML must contain two fields — Address and Port. If a substring concurs with “proxy”, the Trojan sends a list of IP addresses from the configuration after collecting them into a string with a divider ' | ‘. After this, it adds to its configuration the received addresses of other infected hosts (also divided with ' | ').

News about the Trojan

Curing recommendations

  1. If the operating system (OS) can be loaded (either normally or in safe mode), download Dr.Web Security Space and run a full scan of your computer and removable media you use. More about Dr.Web Security Space.
  2. If you cannot boot the OS, change the BIOS settings to boot your system from a CD or USB drive. Download the image of the emergency system repair disk Dr.Web® LiveDisk , mount it on a USB drive or burn it to a CD/DVD. After booting up with this media, run a full scan and cure all the detected threats.
Free trial

 

Download Dr.Web

Download by serial number

Use Dr.Web Anti-virus for macOS to run a full scan of your Mac.

Free trial

 

Download Dr.Web

Download by serial number

Download on App Store

After booting up, run a full scan of all disk partitions with Dr.Web Anti-virus for Linux.

Free trial

 

Download Dr.Web

Download by serial number

  1. If the mobile device is operating normally, download and install Dr.Web for Android. Run a full system scan and follow recommendations to neutralize the detected threats.
  2. If the mobile device has been locked by Android.Locker ransomware (the message on the screen tells you that you have broken some law or demands a set ransom amount; or you will see some other announcement that prevents you from using the handheld normally), do the following:
    • Load your smartphone or tablet in the safe mode (depending on the operating system version and specifications of the particular mobile device involved, this procedure can be performed in various ways; seek clarification from the user guide that was shipped with the device, or contact its manufacturer);
    • Once you have activated safe mode, install the Dr.Web for Android onto the infected handheld and run a full scan of the system; follow the steps recommended for neutralizing the threats that have been detected;
    • Switch off your device and turn it on as normal.

Find out more about Dr.Web for Android

Free trial

14 days

Download now
Get it on Google Play