Full Report
The AhnLab SEcurity intelligence Center (ASEC) has recently detected a new type of backdoor malware being distributed alongside the Monero coin miner. This blog post covers malware that utilizes the PyBitmessage library to perform communications on a P2P (Peer to Peer) network and encrypt the communication content between endpoints, instead of using traditional HTTP communications […]
Analysis Summary
# Tool/Technique: PyBitmessage-based Backdoor utilizing Monero Mining
## Overview
This entry describes a new type of backdoor malware observed distributing alongside a Monero coin miner. Its primary distinguishing feature is the use of the open-source **PyBitmessage** library to establish Command and Control (C2) communication over a decentralized, P2P network, thereby evading traditional detection methods aimed at HTTP-based C2 traffic.
## Technical Details
- Type: Malware (Backdoor combined with CoinMiner)
- Platform: Windows (inferred from the PowerShell usage and the `WinRing0x64.sys` driver dependency; PyBitmessage itself is a Python application)
- Capabilities: Encrypted P2P C2 via Bitmessage protocol, fileless execution of malicious payloads via PowerShell, deployment of Monero coin miner components.
- First Seen: Recently (as of the report publication by ASEC)
## MITRE ATT&CK Mapping
This technique combines several TTPs primarily focused on Defense Evasion and Command and Control.
- **TA0005 - Defense Evasion**
  - T1027 - Obfuscated Files or Information
    - T1027.003 - Script Obfuscation (via PowerShell execution)
  - T1218 - Signed Binary Proxy Execution
    - T1218.011 - Signed Binary Proxy Execution: Rundll32 (inferred use of legitimate tools for execution context; direct use is not explicitly detailed)
- **TA0011 - Command and Control**
  - T1071 - Application Layer Protocol
    - T1071.001 - Application Layer Protocol: Web Protocols (use of an alternative application layer protocol, Bitmessage, to blend in with non-malicious traffic)
- **TA0002 - Execution**
  - T1059 - Command and Scripting Interpreter
    - T1059.001 - Command and Scripting Interpreter: PowerShell (used to execute backdoor functions)
## Functionality
### Core Capabilities
- **Initial Execution & Dropping:** Malware retrieves the Monero CoinMiner and Backdoor components from the resource section of the main file, decrypts them using XOR operations, and drops them into `%Temp%\3048491484896530841649`.
- **Coin Miner Deployment:** Creates necessary files for Monero mining (`config.json`, `WinRing0x64.sys`, `idle_maintenance.exe`) in the temporary directory.
- **Backdoor Setup:** Executes a malicious PowerShell script in a fileless manner to install PyBitmessage functionality, listening for POST requests on local port 8442.
### Advanced Features
- **P2P C2 via PyBitmessage:** Utilizes the decentralized and anonymous Bitmessage protocol for C2 communication. C2 commands are hidden within messages appearing to originate from real users on the network, making classification difficult.
- **Self-Update/Resource Download:** Attempts to download the necessary PyBitmessage components from GitHub Releases. If inaccessible, it falls back to a suspicious file hosting/sharing site (suspected Russian actor link: `spac1[.]com`).
- **Code Obfuscation/Loading:** The downloaded PyBitmessage file, built with PyInstaller, extracts its modules; the malware also patches the `QtGui4.dll` file by zeroing out a specific offset to remove its normal functionality, likely to conceal the malicious payload staging.
- **Payload Persistence:** Received C2 messages are saved and executed immediately as PowerShell scripts located in a subdirectory (`.\s`).
## Indicators of Compromise
- File Hashes:
  - MD5: `17909a3f757b4b31ab6cd91b3117ec50`, `29d43ebc516dd66f2151da9472959890`, `36235f722c0f3c71b25bcd9f98b7e7f0`, `498c89a2c40a42138da00c987cf89388`, `604b3c0c3ce5e6bd5900ceca07d587b9`
- File Names:
  - Miner components: `config.json`, `WinRing0x64.sys`, `idle_maintenance.exe`
  - Extracted PyInstaller files (e.g., in the `%TEMP%\_MEI~~` path)
- Registry Keys: [Not specified in the summary block]
- Network Indicators:
  - C2/Download URIs (defanged):
    - `http[:]//krb[.]miner[.]rocks[:]4444/`
    - `http[:]//krb[.]sberex[.]com[:]3333/`
    - `http[:]//pool[.]karbowanec[.]com[:]3333/`
    - `http[:]//pool[.]supportxmr[.]com[:]3333/`
  - Download fallback hosting: `https[:]//spac1[.]com/files/view/bitmessage-6-3-2-80507747/`
- Behavioral Indicators:
  - Creation of files in the `%Temp%\3048491484896530841649` directory.
  - Execution of PowerShell scripts received over the P2P network.
  - Network activity mimicking P2P Bitmessage traffic.
## Associated Threat Actors
- Threat actors suspected to be from Russia or a Russian-speaking country, based on the use of a Russian-based file hosting/sharing site for fallback downloads.
## Detection Methods
- Signature-based detection: Utilizing the provided file hashes.
- Behavioral detection: Monitoring for the creation of coin miner components in the user's Temp directory, and for processes that use P2P communication protocols or listen on local port 8442 when that process is not a known service.
- YARA rules: [Not specified in the summary block]
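To show how the signature and behavioral checks above can be combined, here is an added example (not part of the ASEC report) that scores Sysmon-style events per host. The hashes, drop directory, miner file names and port 8442 come from the summary above; the event schema, field names and `SAMPLE_EVENTS` are constructed for this example.

```python
import re

# Indicator values below are from the ASEC summary; the event schema and
# SAMPLE_EVENTS (including the process image names) are constructed.
KNOWN_MD5 = {
    "17909a3f757b4b31ab6cd91b3117ec50", "29d43ebc516dd66f2151da9472959890",
    "36235f722c0f3c71b25bcd9f98b7e7f0", "498c89a2c40a42138da00c987cf89388",
    "604b3c0c3ce5e6bd5900ceca07d587b9",
}
DROP_DIR = re.compile(r"\\temp\\3048491484896530841649(\\|$)", re.IGNORECASE)
MINER_FILES = {"config.json", "winring0x64.sys", "idle_maintenance.exe"}
BACKDOOR_PORT = 8442

def classify(events):
    """Group events per host; return {host: (verdict, sorted list of hit names)}."""
    hits = {}
    for ev in events:
        h = hits.setdefault(ev["host"], set())
        kind = ev["event"]
        if kind == "FileCreate" and DROP_DIR.search(ev["path"]):
            h.add("drop_dir_write")                      # write into the hardcoded %Temp% subdir
            if ev["path"].rsplit("\\", 1)[-1].lower() in MINER_FILES:
                h.add("miner_component")                 # config.json / WinRing0x64.sys / idle_maintenance.exe
        elif kind == "ProcessCreate":
            if ev.get("md5", "").lower() in KNOWN_MD5:
                h.add("known_hash")                      # signature match on a reported sample
            if ev["image"].lower().endswith("powershell.exe") and DROP_DIR.search(ev.get("cmdline", "")):
                h.add("powershell_from_drop_dir")        # scripts received over P2P run from .\s
        elif kind == "Listen" and ev["port"] == BACKDOOR_PORT:
            h.add("listener_8442")                       # local POST listener used by the backdoor
    out = {}
    for host, found in hits.items():
        if "known_hash" in found:
            verdict = "malicious"                        # a hash hit alone is conclusive
        elif len(found) >= 2:
            verdict = "suspicious"                       # two independent behaviors corroborate
        else:
            verdict = "clean"
        out[host] = (verdict, sorted(found))
    return out

SAMPLE_EVENTS = [  # constructed sample telemetry
    {"host": "ws01", "event": "FileCreate", "path": r"C:\Users\a\AppData\Local\Temp\3048491484896530841649\config.json"},
    {"host": "ws01", "event": "Listen", "image": r"C:\Users\a\AppData\Local\Temp\3048491484896530841649\pbm.exe", "port": 8442},
    {"host": "ws01", "event": "ProcessCreate", "image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "cmdline": r"powershell.exe -File C:\Users\a\AppData\Local\Temp\3048491484896530841649\s\msg.ps1"},
    {"host": "ws02", "event": "FileCreate", "path": r"C:\Users\b\AppData\Local\Temp\setup.log"},
    {"host": "ws02", "event": "Listen", "image": r"C:\Program Files\nginx\nginx.exe", "port": 8080},
    {"host": "ws03", "event": "ProcessCreate", "image": r"C:\Users\c\Downloads\setup.exe", "md5": "17909a3f757b4b31ab6cd91b3117ec50"},
]

if __name__ == "__main__":
    for host, (verdict, found) in classify(SAMPLE_EVENTS).items():
        print(host, verdict, found)
```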
## Mitigation Strategies
- **Source Integrity Verification:** Refrain from using files from unknown sources, torrents, or cracked software versions; rely exclusively on official websites and legitimate distribution channels.
- **Network Monitoring:** Implement robust monitoring for P2P network communication, specifically looking for traffic patterns or port usage that mimics the Bitmessage protocol in conjunction with other suspicious behaviors.
- **Endpoint Security Updates:** Keep security product definitions up to date to recognize known C2 characteristics or embedded miners.
## Related Tools/Techniques
- Monero Coin Miners (general category)
- Fileless PowerShell execution techniques
- Use of legitimate open-source libraries (like PyBitmessage) for camouflage.