Full Report
Overview AhnLab SEcurity intelligence Center (ASEC) has recently identified a case in which cryptocurrency-mining malware was being distributed via USB in South Korea. Lately, malware that mines cryptocurrencies by utilizing PC resources without user consent has been actively distributed as cryptocurrency prices surge. While cryptocurrency mining itself is not illegal, the act of installing […]
Analysis Summary
# Tool/Technique: Cryptocurrency-Mining Malware Distributed via USB
## Overview
This describes a specific case of cryptocurrency-mining malware identified by ASEC, distributed rapidly through removable USB drives in South Korea. The primary goal of the malware is to secretly utilize the host system's CPU and GPU resources to mine Monero (XMR) for the threat actor's profit, while implementing several evasion and persistence techniques.
## Technical Details
- Type: Malware family
- Platform: Windows
- Capabilities: Unauthorized cryptocurrency mining (Monero), propagation via USB, security solution evasion (adding Windows Defender exclusions, disabling HVCI), system configuration changes for mining optimization, C2 communication via a PostgreSQL database.
- First Seen: Active around February 2025 (based on profit reporting date).
## MITRE ATT&CK Mapping
- TA0001 - Initial Access
- T1020 - Automated Collection (Implied, via initial execution on connected USB)
- TA0002 - Execution
- T1204.002 - User Execution: Malicious File (Via shortcut file on USB)
- T1574.001 - DLL Side-Loading (Used for execution bypass)
- TA0003 - Persistence
- T1543.003 - Create or Modify System Process: Windows Service (Downloader registers and executes a service)
- TA0005 - Defense Evasion
- T1562.001 - Impair Defenses: Disable or Modify Antivirus or Endpoint Protection (Adding exception to Windows Defender)
- T1490 - Inhibit System Recovery (Disabling HVCI)
- TA0011 - Command and Control
- T1071.004 - Application Layer Protocol: Custom Protocols (Implied usage of PostgreSQL DB for C2)
- TA0008 - Lateral Movement
- T1021.001 - Remote Desktop Protocol (Implied rapid spreading mechanism, explicitly linked to USB propagation)
## Functionality
### Core Capabilities
- **Infection Vector:** Spreading rapidly through automatic propagation features on infected USB drives.
- **Resource Exploitation:** Unauthorized use of CPU and GPU resources for Monero mining.
- **Persistence:** Installation as a service (the downloader registers and executes a service).
- **Evasion:** Modifying Windows Defender settings to create exceptions.
### Advanced Features
- **Security Bypass:** Disabling Hypervisor Protected Code Integrity (HVCI).
- **Mining Optimization:** Changing system power management settings (e.g., disabling hibernation) to maximize mining efficiency.
- **C2 Communication:** Utilizing a PostgreSQL database for Command and Control (C2) communication.
- **Execution Bypass:** Employing DLL side-loading to execute components and bypass detection.
## Indicators of Compromise
- File Hashes:
- `0b9a4d59dacfe88f2046c8128275cf24`
- `0c0195c48b6b8582fa6f6373032118da`
- `101b0a40228752f533e95d0bb2371a71`
- `1ab2548e89e865f83bce578b8aff8512`
- `1c138d300c371dac1241f67a5cc496a1`
- File Names: Not listed explicitly; the downloader/coinminer file names appear only as the `.dat` objects in the URLs below, and the report's Figure 2 shows the execution flow needed to attribute them to components.
- Registry Keys: (Not explicitly listed, but system settings modifications suggest registry changes related to Defender exceptions, HVCI, and power management).
- Network Indicators:
- `http://rootunvdwl[.]com/un1/uhard[.]dat`
- `http://rootunvdwl[.]com/un1/unvurestorehard[.]dat`
- `http://unvdwl[.]com/un1/uhard[.]dat`
- `http://unvdwl[.]com/un1/unvurestorehard[.]dat`
- `https://github[.]com/unvcosmos/dw/raw/refs/heads/main/cmn/uamd[.]dat`
- Behavioral Indicators: Execution stemming from shortcut files on removable media, creation of a new service, modification of core security settings (Defender, HVCI).
## Associated Threat Actors
- Unspecified threat actors generating profit (profit noted as over 1 million won per day as of Feb 6, 2025). Specific actor groups are not named in the provided context.
## Detection Methods
- Signature-based detection: Necessary for known malware hashes and specific C2 domains/URLs.
- Behavioral detection: Critical for detecting unauthorized system changes (HVCI/Defender disabling), service creation, and unusual CPU/GPU load patterns associated with mining.
- YARA rules: Applicable for identifying specific strings or structures within the downloaded files (e.g., configuration related to the PostgreSQL DB or Monero miners).
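To make the behavioral detection described above concrete, the PowerShell below applies five rules to constructed sample event records whose fields mirror Sysmon (event IDs 1, 3, 13), System (7045) and Defender Operational (5007) events. This is an added example written for this summary, not code from the ASEC report; the paths, service name, address and shortcut name in the sample records are invented, and the removable-drive heuristic (any drive letter other than C:) is an assumption to refine per environment.

```powershell
# Added example, not from the ASEC report. The records below are CONSTRUCTED
# sample data in the shape of Sysmon / System / Defender Operational events;
# every path, service name, host and address is invented for the demonstration.
$SampleEvents = @(
    [pscustomobject]@{ Source = 'Sysmon'; Id = 1; ParentImage = 'C:\Windows\explorer.exe'
                       Image = 'C:\Windows\System32\cmd.exe'
                       CommandLine = 'cmd.exe /c start E:\unv\photo.lnk' }
    [pscustomobject]@{ Source = 'System'; Id = 7045; ServiceName = 'UpdateSvc'
                       ImagePath = 'C:\ProgramData\unv\uhard.exe' }
    [pscustomobject]@{ Source = 'Defender'; Id = 5007
                       Message = 'Windows Defender Configuration has changed. New value: HKLM\SOFTWARE\Microsoft\Windows Defender\Exclusions\Paths\C:\ProgramData\unv = 0x0' }
    [pscustomobject]@{ Source = 'Sysmon'; Id = 13
                       TargetObject = 'HKLM\SYSTEM\CurrentControlSet\Control\DeviceGuard\Scenarios\HypervisorEnforcedCodeIntegrity\Enabled'
                       Details = 'DWORD (0x00000000)' }
    [pscustomobject]@{ Source = 'Sysmon'; Id = 3; Image = 'C:\ProgramData\unv\uamd.exe'
                       DestinationIp = '203.0.113.10'; DestinationPort = 5432 }
    [pscustomobject]@{ Source = 'Sysmon'; Id = 1; ParentImage = 'C:\Windows\explorer.exe'
                       Image = 'C:\Windows\System32\notepad.exe'
                       CommandLine = 'notepad.exe C:\Users\u\notes.txt' }   # benign control record
)

function Find-MinerIndicators {
    [CmdletBinding()]
    param([Parameter(Mandatory)][object[]]$Events)

    foreach ($e in $Events) {
        $hit = $null
        if ($e.Source -eq 'Sysmon' -and $e.Id -eq 1 -and
            $e.CommandLine -match '(^|[\s"])[D-Z]:\\[^\s"]*\.lnk') {
            # Shortcut launched from a non-system drive letter. Sysmon does not record
            # whether the volume is removable; enrich with the drive type in production.
            $hit = [ordered]@{ Rule = 'shortcut-from-non-system-drive'; Detail = $e.CommandLine }
        }
        elseif ($e.Source -eq 'System' -and $e.Id -eq 7045 -and
                $e.ImagePath -notmatch '^"?[A-Z]:\\(Windows|Program Files( \(x86\))?)\\') {
            # New service whose binary lives outside the Windows / Program Files trees.
            $hit = [ordered]@{ Rule = 'service-outside-system-dirs'; Detail = "$($e.ServiceName) -> $($e.ImagePath)" }
        }
        elseif ($e.Source -eq 'Defender' -and $e.Id -eq 5007 -and $e.Message -match 'Exclusions\\') {
            # Defender reported a configuration change touching the Exclusions subtree.
            $hit = [ordered]@{ Rule = 'defender-exclusion-changed'; Detail = $e.Message }
        }
        elseif ($e.Source -eq 'Sysmon' -and $e.Id -eq 13 -and
                $e.TargetObject -match 'HypervisorEnforcedCodeIntegrity\\Enabled$' -and
                $e.Details -match '0x00000000') {
            # HVCI policy value written to 0 (disabled).
            $hit = [ordered]@{ Rule = 'hvci-disabled-via-registry'; Detail = $e.TargetObject }
        }
        elseif ($e.Source -eq 'Sysmon' -and $e.Id -eq 3 -and $e.DestinationPort -eq 5432 -and
                $e.Image -notmatch '\\(psql|pg_dump|pgadmin4)\.exe$') {
            # Outbound PostgreSQL connection from something that is not a known DB client.
            $hit = [ordered]@{ Rule = 'postgres-port-from-unexpected-process'
                               Detail = "$($e.Image) -> $($e.DestinationIp):5432" }
        }
        if ($hit) { [pscustomobject]$hit }
    }
}

Find-MinerIndicators -Events $SampleEvents | Format-Table -AutoSize -Wrap
```

Each rule corresponds to one behavior listed in this summary (shortcut execution from removable media, service creation, Defender exclusion changes, HVCI disabling, PostgreSQL C2), and the benign notepad record is there to show that an ordinary process start from Explorer is not flagged. Feed real events by projecting `Get-WinEvent` output into the same field names.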
## Mitigation Strategies
- Prevention: Ensure anti-malware solutions are kept up-to-date.
- Hardening: Disable Autorun/Autoplay functionality for removable media to prevent the execution of shortcut files upon insertion.
- Hardening: Regularly audit Windows Defender exceptions, HVCI status, and system services for unauthorized modifications.
- Network Monitoring: Monitor outbound connections for anomalous traffic patterns, particularly database protocols used in unexpected contexts (e.g., PostgreSQL used for C2).
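The hardening items above can be audited in one pass. The following PowerShell is an added example written for this summary (not from the ASEC report or AhnLab) and is read-only: it reports the state of Defender exclusions, HVCI, the AutoRun policy, service binary locations and hibernation, leaving any change to the operator. It assumes an elevated session on Windows 10/11 with Microsoft Defender installed; the function and check names are this example's own, while the registry paths and the `Win32_DeviceGuard` class are standard Windows locations.

```powershell
# Added example, not from the ASEC report: read-only audit of the host settings the
# miner campaign tampers with. Run elevated; nothing is modified.
function New-Finding([string]$Check, [bool]$Ok, [string]$Detail) {
    [pscustomobject]@{ Check = $Check; Status = $(if ($Ok) { 'OK' } else { 'REVIEW' }); Detail = $Detail }
}

function Get-MinerHardeningAudit {
    [CmdletBinding()]
    param()

    # 1. Defender exclusions: any exclusion on a workstation deserves review.
    #    Unexpected entries are removed with Remove-MpPreference -ExclusionPath <path>.
    $pref = Get-MpPreference -ErrorAction SilentlyContinue
    $exclusions = @(@($pref.ExclusionPath) + @($pref.ExclusionProcess) + @($pref.ExclusionExtension) |
                    Where-Object { $_ })
    New-Finding 'Defender exclusions' ($exclusions.Count -eq 0) ($exclusions -join '; ')

    # 2. HVCI (memory integrity): policy value in the registry plus the live state
    #    from Win32_DeviceGuard, where SecurityServicesRunning containing 2 means HVCI.
    $hvciKey = 'HKLM:\SYSTEM\CurrentControlSet\Control\DeviceGuard\Scenarios\HypervisorEnforcedCodeIntegrity'
    $hvciPolicy = (Get-ItemProperty -Path $hvciKey -Name Enabled -ErrorAction SilentlyContinue).Enabled
    $dg = Get-CimInstance -Namespace 'root\Microsoft\Windows\DeviceGuard' -ClassName Win32_DeviceGuard -ErrorAction SilentlyContinue
    $hvciRunning = [bool]($dg -and ($dg.SecurityServicesRunning -contains 2))
    New-Finding 'HVCI running' $hvciRunning "policy Enabled=$hvciPolicy; running=$hvciRunning"

    # 3. AutoRun policy: 0xFF disables AutoRun for every drive type. To enforce it:
    #    New-ItemProperty -Path $polKey -Name NoDriveTypeAutoRun -PropertyType DWord -Value 0xFF -Force
    #    (a per-user value under HKCU:\SOFTWARE\...\Policies\Explorer may also apply)
    $polKey = 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer'
    $noAutorun = (Get-ItemProperty -Path $polKey -Name NoDriveTypeAutoRun -ErrorAction SilentlyContinue).NoDriveTypeAutoRun
    New-Finding 'AutoRun disabled for all drive types' ($noAutorun -eq 0xFF) "NoDriveTypeAutoRun=$noAutorun"

    # 4. Services whose binary is outside the Windows / Program Files trees. Legitimate
    #    third-party agents will show up here too; the point is to review the list.
    $oddServices = @(Get-CimInstance -ClassName Win32_Service | Where-Object {
        $_.PathName -and $_.PathName -notmatch '^"?[A-Z]:\\(Windows|Program Files( \(x86\))?)\\'
    })
    $svcDetail = ($oddServices | ForEach-Object { "$($_.Name)=$($_.PathName)" }) -join '; '
    New-Finding 'Services with binaries outside system/program dirs' ($oddServices.Count -eq 0) $svcDetail

    # 5. Hibernation: the report notes the malware turns it off to keep the host mining.
    #    Off is normal on many desktops and VMs, so compare against your own baseline.
    $hib = (Get-ItemProperty -Path 'HKLM:\SYSTEM\CurrentControlSet\Control\Power' -Name HibernateEnabled -ErrorAction SilentlyContinue).HibernateEnabled
    New-Finding 'Hibernation enabled (compare with baseline)' ($hib -eq 1) "HibernateEnabled=$hib"
}

Get-MinerHardeningAudit | Format-Table -AutoSize -Wrap
```

A `REVIEW` status is a prompt to compare against the organization's baseline rather than a verdict: exclusions, third-party services and hibernation settings all have legitimate uses, but an unexplained exclusion, a service under `C:\ProgramData`, or HVCI reporting a policy of 0 on a host that had it enabled matches the tampering described in this summary.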
## Related Tools/Techniques
- Other Cryptocurrency Miners (e.g., XMRig variants).
- Malware utilizing DLL side-loading for initial execution evasion.
- Portable storage infection techniques (USB propagation malware).