Looking to get the jump on Bitvote (BTV), a forked version of Bitcoin that launched just last January, attackers recently distributed a trojanized calculator app that downloads a cryptominer targeting the new cryptocurrency.
However, despite its technical sophistication, the malware managed to create only about 2,500 infected bots and earn around 4,400 BTV (roughly $1,300 as of Apr. 24) while it was operational in February and March, according to researchers from Cisco Systems who discovered the threat.
A Monday blog post from Cisco Systems' Talos division reports that the short-lived campaign impacted systems in India, Indonesia, Vietnam and several other countries. Its most notable feature was the use of a malicious driver that was responsible for not only payload protection, but also command-and-control configuration management, and the downloading and execution of various functions. This driver also introduces the final payload, which Talos identified as a slightly modified version of an open-source cpuminer application, which is programmed to connect to a mining pool site via TCP port 5700.
A group of developers launched Bitvote last January as a Bitcoin alternative that makes it more feasible to mine digital coins using standard desktop CPUs. "As cybercriminals move farther away from ransomware, and closer to cryptocurrency mining, it comes as no surprise to find out that a malicious actor decided to take a gamble on Bitvote, and developed a malicious campaign that resulted in the infection of hundreds of systems with a modified version of the cpuminer mining software," the Talos blog post states.
Talos further reports that the aforementioned malicious calculator app was actually a driver dropper that was first spotted in the wild on Feb. 6, likely as "part of a (potentially) unwanted application installer published on sites hosting an alleged version of Microsoft Toolkit, which should allow the user to activate different versions of Microsoft Office and Windows without owning a valid license."
If the dropper determines that the infected device is not operating in a virtualized environment used by researchers, it will install a 32- or 64-bit version of the kernel-mode driver, depending on the OS involved. Otherwise, it simply offers the advertised calculator functionality.
The driver lays the groundwork for the implementation of the cryptominer, managing the command-and-control infrastructure by parsing configuration files hosted on blogging platforms whose URLs are hardcoded into the dropper, and by decrypting C2 location information that's concealed within animated GIF files downloaded from a hardcoded URL.
In a step that is rare among malware downloader families, the driver itself then downloads and executes the Bitvote pool miner agent. "This indicates an increased level of proficiency of the author of the driver, who might also be the actor behind this Bitvote mining operation," the blog post explains.
Talos notes that the driver is signed with a certificate belonging to "Jiangsu innovation safety assessment Co., Ltd." Due to the certificate's expired validity period, Windows Vista and newer versions of 64-Windows that enforce valid driver signatures will not download the driver. However, this could be a feature and not a bug.
"On the one hand, this seems like a failure of the attacker's process, as the attack can only target older Windows versions, likely executing on less capable CPUs," Talos states in the blog post. "On the other hand, it may prove to be an advantage for the attacker, as it is more likely that older systems are not fully up to date and protected with the latest security software. Therefore, this attack is less likely to be discovered if only older CPUs are affected."
Another possibility, Talos continues is that the driver was created by a generic third-party toolkit, "which would allow an actor to specify configuration and payload URLs in a simple way. Once the configuration is specified, the toolkit might be used to build and sign the driver, which could also explain the fact that the driver samples were signed with an expired certificate."