The AhnLab Security Intelligence Center (ASEC) has recently identified a sophisticated new strain of backdoor malware that operates in conjunction with a Monero coin miner. This malware utilizes the PyBitmessage library, a Python-based implementation of the Bitmessage protocol, to facilitate covert peer-to-peer (P2P) communications.
Unlike conventional command-and-control channels that rely on plain HTTP or direct connections to a fixed IP address, PyBitmessage encrypts every message and anonymizes the identities of both sender and receiver. There is no central server to trace, which complicates detection by antivirus software and network security solutions. By blending its traffic with that of legitimate users on the Bitmessage network, the malware makes its communications hard to single out.
Backdoor Malware Linked to Monero Mining
The operational mechanics of this malware commence with the decryption of encrypted resources stored within its primary file using XOR operations. This process leads to the deployment of two distinct payloads: a Monero coin miner and a backdoor component. The Monero miner takes advantage of the cryptocurrency’s inherent anonymity, commandeering the resources of infected systems to generate illicit mining profits. Key files such as config.json and idle_maintenance.exe are subsequently placed in a temporary directory.
Concurrently, the backdoor, crafted through PowerShell, installs PyBitmessage to manage POST requests on local port 8442. It attempts to retrieve necessary files from GitHub’s release page or, as a contingency, from a suspected personal drive hosted on a Russian-based file-sharing platform, hinting at the possible origins of the threat actor. Once operational, the backdoor, constructed with PyInstaller, deploys various modules and modified libraries like QtGui4.dll, potentially patched to disable normal functionality as a means of concealment. It then awaits commands from the attacker.
These commands, received as encrypted messages via PyBitmessage, are executed as PowerShell scripts, showcasing a fileless attack vector that further evades traditional detection mechanisms.
Dissecting the Malware’s Dual Threat
The seamless integration of legitimate P2P network functions into malicious workflows highlights the challenges in tracing and analyzing such threats. The distribution method of this malware remains ambiguous, but its ability to masquerade as legitimate software suggests it could be bundled with seemingly harmless files or circulated as cracked software through torrent sites.
ASEC recommends that users exercise caution by avoiding files from unverified sources and prioritizing official distribution channels. Additionally, ensuring that security solutions are updated is crucial to countering these sophisticated threats. The malware’s exploitation of legitimate protocols for malicious purposes underscores a growing trend in cybercrime, necessitating increased vigilance and advanced behavioral monitoring of P2P communications to protect systems.
Indicators of Compromise (IOCs)
| Type | Value |
|---|---|
| MD5 | 17909a3f757b4b31ab6cd91b3117ec50 |
| MD5 | 29d43ebc516dd66f2151da9472959890 |
| MD5 | 36235f722c0f3c71b25bcd9f98b7e7f0 |
| MD5 | 498c89a2c40a42138da00c987cf89388 |
| MD5 | 604b3c0c3ce5e6bd5900ceca07d587b9 |
| URL | http://krb.miner.rocks:4444/ |
| URL | http://krb.sberex.com:3333/ |
| URL | http://pool.karbowanec.com:3333/ |
| URL | http://pool.supportxmr.com:3333/ |
| URL | https://spac1.com/files/view/bitmessage-6-3-2-80507747/ |
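As an added example (not code from the ASEC report), the following Python triage script turns the IOC table above and the behaviours described earlier (miner files dropped into a temporary directory, the PyBitmessage listener on local port 8442, connections to the listed mining pools) into checks that can be run over a file inventory and Sysmon network-connection (Event ID 3) records. The hashes and URLs are copied from the table; the sample file inventory and events are constructed for the demonstration, and the `backdoor.exe` path in them is a placeholder, since the report does not name the backdoor binary.

```python
"""Triage helper: match host artefacts against the report's IOCs and described behaviours."""
import hashlib
from urllib.parse import urlparse

# MD5 hashes and URLs copied from the report's IOC table.
IOC_MD5 = {
    "17909a3f757b4b31ab6cd91b3117ec50",
    "29d43ebc516dd66f2151da9472959890",
    "36235f722c0f3c71b25bcd9f98b7e7f0",
    "498c89a2c40a42138da00c987cf89388",
    "604b3c0c3ce5e6bd5900ceca07d587b9",
}
IOC_URLS = [
    "http://krb.miner.rocks:4444/",
    "http://krb.sberex.com:3333/",
    "http://pool.karbowanec.com:3333/",
    "http://pool.supportxmr.com:3333/",
    "https://spac1.com/files/view/bitmessage-6-3-2-80507747/",
]
# Behavioural markers from the report's narrative: miner files placed in a
# temporary directory and the PyBitmessage listener on local port 8442.
DROPPED_NAMES = {"config.json", "idle_maintenance.exe"}
BITMESSAGE_PORT = 8442


def ioc_endpoints(urls=IOC_URLS):
    """Turn the IOC URLs into a set of (hostname, port) pairs for network matching."""
    pairs = set()
    for url in urls:
        parts = urlparse(url)
        port = parts.port or (443 if parts.scheme == "https" else 80)
        pairs.add((parts.hostname.lower(), port))
    return pairs


def md5_of_file(path):
    """MD5 of a file on disk, read in chunks (MD5 only because the published IOCs are MD5)."""
    digest = hashlib.md5()
    with open(path, "rb") as fh:
        for chunk in iter(lambda: fh.read(1 << 16), b""):
            digest.update(chunk)
    return digest.hexdigest()


def check_file(path, md5hex):
    """Findings for one inventoried file, given its path and already-computed MD5."""
    findings = []
    norm = path.replace("\\", "/").lower()
    name = norm.rsplit("/", 1)[-1]
    if md5hex.lower() in IOC_MD5:
        findings.append(("ioc_md5", path))
    # The dropped names are generic; only flag them when they sit under a Temp directory.
    if name in DROPPED_NAMES and "/temp/" in norm:
        findings.append(("miner_drop_in_temp", path))
    return findings


def check_connection(event, endpoints=None):
    """Findings for one Sysmon Event ID 3 record passed as a dict of its fields."""
    endpoints = endpoints if endpoints is not None else ioc_endpoints()
    findings = []
    host = (event.get("DestinationHostname") or "").lower()
    dport = int(event.get("DestinationPort", 0))
    if (host, dport) in endpoints:
        findings.append(("ioc_endpoint", f"{host}:{dport}", event.get("Image")))
    # A process talking to the PyBitmessage API on the loopback interface.
    if dport == BITMESSAGE_PORT and event.get("DestinationIp") in ("127.0.0.1", "::1"):
        findings.append(("bitmessage_local_api", event.get("Image")))
    return findings


def triage(file_inventory, connection_events):
    """Run every check and return the combined list of findings."""
    endpoints = ioc_endpoints()
    out = []
    for path, md5hex in file_inventory:
        out.extend(check_file(path, md5hex))
    for ev in connection_events:
        out.extend(check_connection(ev, endpoints))
    return out


# Constructed sample data (not from the report) to exercise the checks.
SAMPLE_FILES = [
    (r"C:\Users\alice\AppData\Local\Temp\idle_maintenance.exe",
     "17909a3f757b4b31ab6cd91b3117ec50"),   # hash taken from the IOC table
    (r"C:\Users\alice\AppData\Local\Temp\config.json",
     "d41d8cd98f00b204e9800998ecf8427e"),   # MD5 of an empty file, not an IOC
    (r"C:\Program Files\App\config.json",
     "d41d8cd98f00b204e9800998ecf8427e"),   # same name outside Temp: not flagged
]
SAMPLE_EVENTS = [
    {"Image": r"C:\Users\alice\AppData\Local\Temp\idle_maintenance.exe",
     "DestinationIp": "203.0.113.10", "DestinationHostname": "pool.supportxmr.com",
     "DestinationPort": "3333"},
    {"Image": r"C:\Users\alice\AppData\Local\Temp\backdoor.exe",   # placeholder name
     "DestinationIp": "127.0.0.1", "DestinationHostname": "localhost",
     "DestinationPort": "8442"},
    {"Image": r"C:\Program Files\Mozilla Firefox\firefox.exe",
     "DestinationIp": "203.0.113.20", "DestinationHostname": "example.org",
     "DestinationPort": "443"},
]

if __name__ == "__main__":
    for finding in triage(SAMPLE_FILES, SAMPLE_EVENTS):
        print(finding)
```

The hash match is the only high-confidence signal; the Temp-directory and port 8442 checks are behavioural and will also fire on a legitimate PyBitmessage installation or an unrelated `config.json`, so treat them as prompts for a closer look rather than as verdicts. Matching on the pool hostnames needs a data source that records hostnames (Sysmon's DestinationHostname, DNS or proxy logs); plain netstat output only shows IP addresses.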