Full Report
AhnLab Security Intelligence Center (ASEC) has recently identified cases of attacks installing CoinMiners in Korean Internet cafés. The threat actor is believed to have been active since 2022, and the attacks against Internet cafés have been occurring since the second half of 2024. The method of initial access is unknown, and most attacks targeted systems […]
Analysis Summary
# Incident Report: South Korean Internet Café Cryptomining Operation via Gh0st RAT
## Executive Summary
Threat actors have been actively targeting South Korean Internet cafés since the second half of 2024, leveraging vulnerabilities related to the installed Internet café management software. The primary goal was to install the T-Rex CoinMiner for cryptocurrency mining. The initial access vector is unknown; once inside, the actor deployed Gh0st RAT for system control and then patched the memory of legitimate management software so that the mining operation would persist.
## Incident Details
- **Discovery Date:** Not explicitly stated, but analysis is recent based on ongoing threat intelligence (ASEC identified cases).
- **Incident Date:** Ongoing since the second half of 2024.
- **Affected Organization:** South Korean Internet Cafés (PC Rooms).
- **Sector:** Retail/Amusements (Internet Cafés).
- **Geography:** South Korea.
## Timeline of Events
### Initial Access
- **Date/Time:** Unknown, ongoing since H2 2024.
- **Vector:** Unknown. Focus was on systems with Korean Internet café management programs installed.
- **Details:** The exact method of initial intrusion is still under investigation.
### Lateral Movement
- **Details:** Implied by the installation and use of Gh0st RAT to establish control and download further malicious modules (Patcher, Downloader). A minority of successful infections involved a client process installed on a guest PC installing the dropper.
### Data Exfiltration/Impact
- **Details:** The ultimate impact was unauthorized resource consumption via the installation and execution of T-Rex CoinMiner, utilizing the systems' GPUs for cryptocurrency mining. Memory patching of management software likely aimed to achieve persistence and evade detection.
### Detection & Response
- **How it was discovered:** Identified by the AhnLab Security Intelligence Center (ASEC).
- **Response actions taken:** The management software manufacturer had reportedly released updates blocking known malicious processes, suggesting detection and defense updates occurred during the attack lifecycle.
## Attack Methodology
- **Initial Access:** Unknown.
- **Persistence:** Potentially achieved by using malware (the "Patcher") to patch the memory of the running management software, and by installing Gh0st RAT droppers in specific program paths.
- **Privilege Escalation:** Not explicitly detailed, but necessary to install RATs and system-level miners on managed PCs.
- **Defense Evasion:** The threat actor appears to have analyzed or manipulated the management software, as suggested by the use of the "Patcher" malware to alter process memory, and terminated competing security/mining processes via "KillProc."
- **Credential Access:** Not specifically detailed.
- **Discovery:** Not specifically detailed beyond targeting systems with specific management software.
- **Lateral Movement:** Gh0st RAT utilized for remote control across the network.
- **Collection:** Gh0st RAT included features for keylogging and screen capturing, though the primary goal appeared to be cryptomining.
- **Exfiltration:** Not the primary goal; resource hijacking was the main objective.
- **Impact:** Cryptocurrency mining via T-Rex CoinMiner.
## Impact Assessment
- **Financial:** Costs associated with remediation, reputation damage, and loss of electricity/resource usage due to mining activity.
- **Data Breach:** Potential collection of sensitive operational data via Gh0st RAT keylogging/capturing, though not explicitly confirmed as the primary outcome.
- **Operational:** Compromise of secure management environments; potential slowdowns on customer PCs due to resource-intensive mining.
- **Reputational:** Negative impact on the affected Internet cafés.
## Indicators of Compromise
- **Network indicators (Defanged):**
  - `http[:]//112[.]217[.]151[.]10/config[.]txt`
  - `http[:]//112[.]217[.]151[.]10/mm[.]exe`
  - `http[:]//112[.]217[.]151[.]10/pms[.]exe`
  - `http[:]//112[.]217[.]151[.]10/statx[.]exe`
  - `http[:]//121[.]67[.]87[.]250/3[.]exe`
- **File indicators:**
  - Dropper/RAT payloads often packed with Themida or MPRESS.
  - Droppers created DLLs in paths like `C:\map1800000.dll`.
  - Suspicious files like `cmd.exe` appearing in management software paths (`%ProgramFiles% (x86)\********\**\*****\cmd.exe` or `...sound\cmd.exe`).
  - T-Rex CoinMiner executable files in paths such as `%ProgramFiles% (x86)\Windows NT\syc.exe`, `syn.exe`, `tnt.exe`.
  - MD5 Hashes: `04840bb2f22c28e996e049515215a744`, `0b05b01097eec1c2d7cb02f70b546fff`, `142b976d89400a97f6d037d834edfaaf`, `15ba916a57487b9c5ceb8c76335b59b7`, `15d6f2a36a4cd40c9205e111a7351643`.
- **Behavioral indicators:**
  - Gh0st RAT communicating with C&C servers using the signature string "Level".
  - Processes like `Invoker.exe`, `phoenixminer.exe`, and look-alike variants of `svchost.exe` (e.g., `scvhost.exe`, `svvhost.exe`) being terminated by the KillProc malware.
## Response Actions
- **Containment Measures:** Not explicitly detailed, but likely involved isolating infected management servers and potentially reinstalling managed clients.
- **Eradication Steps:** Removing Gh0st RAT droppers, the Patcher, Downloader, and the T-Rex CoinMiner/PhoenixMiner payloads from affected systems.
- **Recovery Actions:** Updating management software and OS to patch vulnerabilities exploited by the memory patching mechanism.
## Lessons Learned
- **Key takeaways:** Internet café management systems are highly attractive targets due to their centralized control over many endpoints, making them ideal for mass malware deployment (RATs and CoinMiners).
- **What could have been done better:** Proactive memory integrity monitoring of critical management application processes would be essential, given the attacker's technique of patching running memory to maintain persistence.
## Recommendations
- **Prevention measures for similar incidents:**
  1. Ensure the Internet café management program and the underlying operating systems are kept updated to the latest versions to mitigate known vulnerabilities.
  2. Employ advanced endpoint detection and response (EDR) solutions capable of monitoring and alerting on unauthorized memory patching of critical processes.
  3. Implement strict application control policies to prevent executables (especially those disguised as system files like `cmd.exe`) from running in unusual directories.
  4. Regularly audit configuration files and network traffic from management servers for unusual C&C communications.
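The following Python script is an added example written for this summary; it is not ASEC's tooling or the management software vendor's code. It turns the Indicators of Compromise section above into a sweep over constructed sample data (proxy log lines, a file inventory with MD5s, process names and a captured payload), and it implements the path check behind recommendation 3 and the C&C audit behind recommendation 4. The indicator values are the report's; the log lines, hashes of benign files, packet bytes and the `CafeManager` directory name are made up, since the report redacts the vendor path. Two assumptions: the "Level" signature is taken to be the first bytes of each Gh0st RAT C&C message, and the `C:\map1800000.dll` indicator is generalized to any `map<digits>.dll` at the drive root.

```python
"""IoC sweep for the Internet café CoinMiner campaign (constructed example)."""
import re
from pathlib import PureWindowsPath
from urllib.parse import urlsplit

# Defanged network indicators, copied from the report.
DEFANGED_URLS = [
    "http[:]//112[.]217[.]151[.]10/config[.]txt",
    "http[:]//112[.]217[.]151[.]10/mm[.]exe",
    "http[:]//112[.]217[.]151[.]10/pms[.]exe",
    "http[:]//112[.]217[.]151[.]10/statx[.]exe",
    "http[:]//121[.]67[.]87[.]250/3[.]exe",
]
# MD5s of the reported samples.
MD5_IOCS = {
    "04840bb2f22c28e996e049515215a744", "0b05b01097eec1c2d7cb02f70b546fff",
    "142b976d89400a97f6d037d834edfaaf", "15ba916a57487b9c5ceb8c76335b59b7",
    "15d6f2a36a4cd40c9205e111a7351643",
}
# T-Rex CoinMiner file names seen under Program Files (x86)\Windows NT.
MINER_NAMES = {"syc.exe", "syn.exe", "tnt.exe"}
# Names the KillProc component terminates (competing miners, svchost look-alikes).
SUSPICIOUS_PROCESS_NAMES = {"invoker.exe", "phoenixminer.exe", "scvhost.exe", "svvhost.exe"}
# Assumption: the "Level" signature prefixes each Gh0st RAT C&C message.
GH0ST_MAGIC = b"Level"
# Only these directories should legitimately hold cmd.exe.
LEGIT_CMD_DIRS = {r"c:\windows\system32", r"c:\windows\syswow64"}


def refang(indicator: str) -> str:
    """Turn 'http[:]//1[.]2[.]3[.]4/x[.]exe' back into a matchable URL."""
    return indicator.replace("[:]", ":").replace("[.]", ".")


def refanged_urls() -> list[str]:
    return [refang(u) for u in DEFANGED_URLS]


def refanged_hosts() -> set[str]:
    return {urlsplit(u).hostname for u in refanged_urls()}


def classify_path(path: str):
    """Return a reason if a file path matches a reported file indicator, else None."""
    p = PureWindowsPath(path)
    name, parent = p.name.lower(), str(p.parent).lower()
    if name == "cmd.exe" and parent not in LEGIT_CMD_DIRS:
        return "cmd.exe outside a Windows system directory"
    if name in MINER_NAMES and parent.endswith(r"\windows nt"):
        return "T-Rex CoinMiner file name under Program Files (x86)\\Windows NT"
    if re.fullmatch(r"map\d+\.dll", name) and parent == "c:\\":
        return "dropper-created DLL at drive root"  # generalizes map1800000.dll
    return None


def scan_proxy_log(lines):
    """Flag lines whose URL or host matches the report's network indicators."""
    urls, hosts, hits = set(refanged_urls()), refanged_hosts(), []
    for line in lines:
        for token in line.split():
            if token in urls:
                hits.append((line, "exact download/C&C URL"))
                break
            host = urlsplit(token).hostname if "://" in token else None
            if host in hosts:
                hits.append((line, f"known infrastructure host {host}"))
                break
    return hits


def check_inventory(inventory):
    """inventory: iterable of (path, md5). Flags hash matches and path anomalies."""
    findings = []
    for path, md5 in inventory:
        if md5.lower() in MD5_IOCS:
            findings.append((path, "MD5 matches a reported sample"))
        reason = classify_path(path)
        if reason:
            findings.append((path, reason))
    return findings


def is_gh0st_variant_packet(payload: bytes) -> bool:
    return payload.startswith(GH0ST_MAGIC)


def suspicious_process_names(names):
    return [n for n in names if n.lower() in SUSPICIOUS_PROCESS_NAMES | MINER_NAMES]


# Constructed sample input (not from the incident).
SAMPLE_PROXY_LOG = [
    "2024-11-03T10:12:41 10.0.5.21 GET http://112.217.151.10/config.txt 200",
    "2024-11-03T10:12:43 10.0.5.21 GET http://112.217.151.10/mm.exe 200",
    "2024-11-03T10:13:02 10.0.5.22 GET http://example.com/index.html 200",
    "2024-11-03T10:15:10 10.0.5.23 GET http://121.67.87.250/other.bin 200",
]
SAMPLE_INVENTORY = [
    (r"C:\Windows\System32\cmd.exe", "d41d8cd98f00b204e9800998ecf8427e"),  # benign
    (r"C:\Program Files (x86)\CafeManager\sound\cmd.exe", "04840bb2f22c28e996e049515215a744"),
    (r"C:\Program Files (x86)\Windows NT\syc.exe", "ffffffffffffffffffffffffffffffff"),
    (r"C:\map1800000.dll", "0b05b01097eec1c2d7cb02f70b546fff"),
]

if __name__ == "__main__":
    for item in scan_proxy_log(SAMPLE_PROXY_LOG) + check_inventory(SAMPLE_INVENTORY):
        print("ALERT:", *item)
    print("gh0st-variant payload:", is_gh0st_variant_packet(b"Level" + b"\x00" * 8))
    print("processes:", suspicious_process_names(["explorer.exe", "scvhost.exe", "PhoenixMiner.exe"]))
```

On the sample data the sweep raises three network hits (two exact URLs plus one request to a known host for an unlisted file) and five inventory findings: the planted `cmd.exe` and the root-level DLL each trigger both a hash match and a path rule, while the miner under `Windows NT` is caught by path alone even though its hash is unknown, which is the reason the path rules matter alongside hash lists.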