FireEye Labs researchers have uncovered a new distribution method for the NSCpuCNMiner32.exe mining malware, in which the infection vector is an HTML document embedded inside another HTML document.
The new version was spotted after FireEye observed that 60 top-level domains, all registered on April 7, 2016 by the same entity and all resolving to the same IP address, started serving coin-mining malware targeting the BitMonero digital currency. Dr. Fahim Abbasi, of FireEye's Advanced Malware Threat Research Team, told SCMagazine.com in an email that what caught the team's attention was how the malware functioned.
“Firstly, it uses an embedded HTML iframe and secondly the original binary file (Photo.scr) is primarily a container for the known malware binary NSCpuCNMiner32.exe with the MD5 hash 3afeb8e9af02a33ff71bf2f6751cae3a, a binary we first saw in the wild in July 2014,” he said.
Additionally, Abbasi said the malware can disable security settings in Internet Explorer to hide file extensions, adds a reboot-survival mechanism, contacts the mining server for instructions and propagates through FTP servers and connected media.
Distribution through web domains is also a major departure for this coin-mining software. It has traditionally spread through social engineering over Skype, email, removable media and phishing campaigns, masquerading as a legitimate application.
Now the malware is downloaded when the victim visits one of the malicious domains, but the victim still has to open the downloaded file for it to execute. To encourage that click, the criminals use a bit of social engineering by naming the file Photo.scr, Abbasi said. A .scr file is a Windows screensaver, which is an ordinary executable, so on a system where file extensions are hidden the download simply appears as "Photo".
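The delivery chain described above (an iframe embedded in an otherwise ordinary page, pulling a file with an executable extension such as .scr from a third-party host) is simple enough to screen for in captured HTML. The following is an added example written for this page, not code from FireEye or SCMagazine: it parses a page with Python's standard-library HTML parser and flags iframes that are hidden, point at another host, or reference a Windows-executable extension. The sample page and the hostnames in it are constructed for the example and do not correspond to any of the domains FireEye observed.

```python
"""Flag iframes that embed an executable download in an HTML page.

Added example for this article; not FireEye's or SCMagazine's code.
Hostnames and the sample page below are constructed, not captured.
"""
from html.parser import HTMLParser
from urllib.parse import urlparse

# Extensions Windows runs as native executables regardless of how the file
# is named. .scr (screensaver) is a plain PE file, which is why a download
# called "Photo.scr" is dangerous, especially with extensions hidden.
EXECUTABLE_EXTENSIONS = {".scr", ".exe", ".pif", ".com", ".bat", ".cmd"}


class IframeCollector(HTMLParser):
    """Collect the attribute dictionaries of every <iframe> start tag."""

    def __init__(self):
        super().__init__()
        self.iframes = []

    def handle_starttag(self, tag, attrs):
        # html.parser lowercases tag names for us; attrs is a list of pairs.
        if tag == "iframe":
            self.iframes.append(dict(attrs))


def is_hidden(attrs):
    """True if the iframe is styled invisible or sized down to a pixel."""
    style = (attrs.get("style") or "").replace(" ", "").lower()
    tiny = attrs.get("width") in ("0", "1") or attrs.get("height") in ("0", "1")
    return "display:none" in style or "visibility:hidden" in style or tiny


def executable_extension(url):
    """Return the executable extension of the URL path, or None."""
    path = urlparse(url).path.lower()
    dot = path.rfind(".")
    ext = path[dot:] if dot != -1 else ""
    return ext if ext in EXECUTABLE_EXTENSIONS else None


def find_suspicious_iframes(html, page_host):
    """Return (src, reasons) for each iframe that looks like a drive-by download.

    page_host is the hostname the page itself was served from; iframes that
    load from a different host are reported as third-party.
    """
    parser = IframeCollector()
    parser.feed(html)
    findings = []
    for attrs in parser.iframes:
        src = attrs.get("src")
        if not src:
            continue
        host = urlparse(src).hostname
        reasons = []
        ext = executable_extension(src)
        if ext:
            reasons.append(f"executable download ({ext})")
        if is_hidden(attrs):
            reasons.append("hidden iframe")
        if host and host != page_host:
            reasons.append(f"third-party host {host}")
        if reasons:
            findings.append((src, reasons))
    return findings


# Constructed sample page (not a real capture): one benign same-origin iframe
# and one hidden 1x1 iframe pulling Photo.scr from a different host.
SAMPLE_HTML = """<html><body>
<h1>Welcome</h1>
<iframe src="http://example.org/news" width="600" height="400"></iframe>
<iframe src="http://cdn.example.net/Photo.scr" width="1" height="1"
        style="display: none"></iframe>
</body></html>"""

if __name__ == "__main__":
    for src, reasons in find_suspicious_iframes(SAMPLE_HTML, "example.org"):
        print(src, "->", ", ".join(reasons))
```

Run against the constructed page, only the second iframe is reported, with all three reasons attached; the same-origin, visibly sized news iframe passes. In practice the extension check is the weakest signal, since a server can hand back an executable from any URL, so a real triage pipeline would also fetch the referenced resource and check whether it begins with the PE "MZ" header rather than trusting the name.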
Once fully installed, the malware does not directly steal digital currency from the infected computer.
“The mining malware enslaves the victim's computing resources (CPU/memory etc.) to start mining coins. Bitcoins are generated or ‘mined’ after processing a ‘block’ of data. A Bitcoin or BitMonero block is a cryptographic challenge that is solved by intensive computing power,” he said.
FireEye noted that the growing use of digital currencies such as Bitcoin and BitMonero will only further encourage this type of activity.