Coin Miner Archives – Gridinsoft Blog
Welcome to the Gridinsoft Blog, where we share posts about security solutions to keep you, your family and business safe.
Last updated: Thu, 29 Aug 2024 22:43:08 +0000

Altisik Service Virus
https://gridinsoft.com/blogs/altisik-service-virus/
Published: Thu, 22 Aug 2024 21:35:07 +0000

The post Altisik Service Virus appeared first on Gridinsoft Blog.

Altisik Service is a malicious coin miner that usually installs and runs on the target system without the explicit consent of the PC owner. It disguises itself as a Windows service, which makes it difficult to stop or remove. Let’s have a closer look at how this malware operates and how to delete it from the system.

Altisik Service Overview

Altisik Service is a malicious coin miner masquerading as a legitimate Windows process. It is used for hidden illegal cryptocurrency mining, thereby creating a significant load on the processor (up to 80% or 100%). However, this miner differs in one key aspect – it registers itself in the system as a service. As a result, hackers make their malware considerably more resilient. Attempts to manually stop or delete the service can lead to critical system failures, potentially causing a “blue screen of death”.

Screenshot: Altisik Service in the Task Manager

Attackers choose the form of a service for their malware not only for the sake of resilience. Unlike executable files, services are suspected of malicious activity much less often, simply because users trust them more. Also, Windows services can obtain higher privileges much more easily, and with less suspicion from security software.

As for the distribution method, users on Reddit report receiving Altisik as an unwanted “bonus” with other software. Miners generally enter systems disguised as bundled software within installers of cracked programs. Another method is through additional malware already present on the computer: vast loader malware botnets can offer huge gains for the operators of malicious coin miners.

Technical Analysis

Let’s have a closer look at the behavior of the Altisik miner. At the beginning, it is rather typical for a coin miner: upon launching itself, Altisik initially checks for a virtual environment and security mechanisms. Specifically, it checks the following locations:

C:\Windows\Microsoft.NET\Framework64\v4.0.30319\Config\machine.config
HKEY_CURRENT_USER\Software\Microsoft\Direct3D\Drivers
HKEY_CURRENT_USER\Software\Microsoft\DirectX\UserGpuPreferences

Further, it pays special attention to Windows Defender settings, specifically those that concern real-time protection. The malware checks the following system locations:

C:\Program Files\Windows Defender
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows Defender\PassiveMode
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows Defender\Real-Time Protection
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows Defender\Real-Time Protection\DisableRealtimeMonitoring
HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection

The sample employs stalling tactics, including long periods of inactivity, to hinder dynamic analysis. This also helps it circumvent some antivirus sandboxes: seeing no activity, the sandbox will report that the file is safe.

Persistence and Privilege Escalation

Next, the miner maintains persistence in the system as a service, which grants it elevated privileges. It executes the following shell commands:

"C:\Windows\system32\rundll32.exe" "C:\Users\\AppData\Local\Temp\AltisikDevPL/AltisikHelper.dll",#1
C:\Windows\system32\SecurityHealthService.exe
C:\Windows\system32\WerFault.exe -u -p 4328 -s 548
C:\Windows\system32\wbem\wmiprvse.exe -secured -Embedding

As you can see, it runs the AltisikHelper.exe and AltisikHelper.dll processes. They are needed to prevent the user from manually stopping the mining process. Further analysis revealed that the miner creates a DirectInput object, which allows it to read keystrokes. It is unlikely that the Altisik miner can act as a keylogger, but there are quite a few other applications for input capturing.
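As an added defender-side triage script (my own PowerShell, not code from the article or from the malware), the following applies the points above on a live machine: it lists services and running rundll32 instances whose image or DLL sits under a user's AppData\Local\Temp, as in the rundll32 command shown, and reports the DisableRealtimeMonitoring value under the two Windows Defender Real-Time Protection keys the miner inspects. Function names are my own; it assumes Windows 10/11, PowerShell 5.1 or later and an elevated prompt.

```powershell
# Added triage example; not code from the article or from the malware.
# Assumes Windows 10/11, PowerShell 5.1 or later, run from an elevated prompt.
# Function names are my own.

function Get-TempLaunchedServices {
    # Legitimate service binaries live under %SystemRoot% or Program Files.
    # A service whose image path points into a user's AppData\Local\Temp, or
    # that is started through rundll32 at all, matches the Altisik persistence
    # described above and deserves a closer look.
    $tempPattern = '\\Users\\[^\\]+\\AppData\\Local\\Temp\\'
    Get-CimInstance -ClassName Win32_Service |
        Where-Object {
            $_.PathName -and
            (($_.PathName -match $tempPattern) -or ($_.PathName -match 'rundll32\.exe'))
        } |
        Select-Object Name, DisplayName, State, StartMode, StartName, PathName
}

function Get-TempRundll32Processes {
    # Same check for processes that are already running: rundll32.exe whose
    # command line loads a DLL from a user's AppData\Local\Temp.
    $tempPattern = '\\Users\\[^\\]+\\AppData\\Local\\Temp\\'
    Get-CimInstance -ClassName Win32_Process -Filter "Name = 'rundll32.exe'" |
        Where-Object { $_.CommandLine -and ($_.CommandLine -match $tempPattern) } |
        Select-Object ProcessId, ParentProcessId, CommandLine
}

function Get-DefenderRealtimeOverrides {
    # The analysis above lists these keys as locations the miner inspects.
    # DisableRealtimeMonitoring = 1 means real-time protection was switched off,
    # either locally (Microsoft key) or by policy (Policies key).
    $keys = @(
        'HKLM:\SOFTWARE\Microsoft\Windows Defender\Real-Time Protection',
        'HKLM:\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection'
    )
    foreach ($key in $keys) {
        $value = $null
        if (Test-Path -LiteralPath $key) {
            $value = (Get-ItemProperty -LiteralPath $key -ErrorAction SilentlyContinue).DisableRealtimeMonitoring
        }
        [pscustomobject]@{
            Key                       = $key
            DisableRealtimeMonitoring = $value          # $null means the value is not set
            RealtimeDisabled          = ($value -eq 1)
        }
    }
}

function Invoke-AltisikTriage {
    # Bundles the three checks into one report object.
    $services  = @(Get-TempLaunchedServices)
    $processes = @(Get-TempRundll32Processes)
    $defender  = @(Get-DefenderRealtimeOverrides)
    $disabled  = @($defender | Where-Object RealtimeDisabled)
    [pscustomobject]@{
        SuspiciousServices = $services
        SuspiciousRundll32 = $processes
        DefenderOverrides  = $defender
        NeedsAttention     = ($services.Count -gt 0) -or ($processes.Count -gt 0) -or ($disabled.Count -gt 0)
    }
}

# Usage. A service found here should be investigated before it is stopped:
# the article notes that killing the Altisik service blindly can crash the system.
$report = Invoke-AltisikTriage
$report.SuspiciousServices | Format-Table -AutoSize
$report.SuspiciousRundll32 | Format-Table -AutoSize
$report.DefenderOverrides  | Format-Table -AutoSize
"Needs attention: $($report.NeedsAttention)"
```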

C2 Connection

Altisik uses network communication to send and receive data necessary for its mining operations. The miner communicates with the api.altruistics.org server, likely used for monitoring, control, or data transmission. This may include the miner’s status, statistics, or other mining-related parameters. The response is in text/html format, indicating that the server is returning a web page or text-based data. It also uses Cloudflare DNS 104.18.7.80 and 104.18.6.80, potentially complicating traffic analysis.

How To Remove Altisik?

To get rid of the Altisik service, I recommend using GridinSoft Anti-Malware – an effective and easy-to-use antivirus that will quickly repel any threats present in the system. First, though, I would recommend entering Safe Mode with Networking: go to the Start menu → click Reboot while holding down the Shift key on the keyboard.

Screenshot: Press Shift + Restart to open the Windows Recovery menu

When your PC reboots, in the menu that appears after restarting, select “Troubleshoot” → “Advanced options” → “Startup Settings” → “Restart”.

Screenshot: Advanced options on the recovery menu

Next, select the Safe Mode with Networking and press the corresponding key (usually F5, though it may vary depending on your Windows version).

Screenshot: Startup settings

Hint: If you have any problems with switching to Safe Mode, please read our guide: How to Remove a Virus From a Computer in Safe Mode.

After switching to the Safe Mode with Networking, follow the steps below:

Screenshot: GridinSoft Anti-Malware main screen

Download and install Anti-Malware by clicking the button below. After the installation, run a Full scan: this will check all the volumes present in the system, including hidden folders and system files. Scanning will take around 15 minutes.

After the scan, you will see the list of detected malicious and unwanted elements. You can adjust the action that the anti-malware program applies to each element: click "Advanced mode" and see the options in the drop-down menus. You can also see extended information about each detection: malware type, effects and potential source of infection.

Screenshot: Scan results screen

Click "Clean Now" to start the removal process. Important: the removal process may take several minutes when there are a lot of detections. Do not interrupt it, and you will get your system as clean as new.

Screenshot: Removal finished

Bloom.exe
https://gridinsoft.com/blogs/bloom-exe/
Published: Sat, 29 Jun 2024 20:42:56 +0000

Bloom.exe is a malicious miner that masquerades as a legitimate process. Its job is to use the victim’s device to mine cryptocurrency for con actors. The most visible sign of its presence, aside from the process in the Task Manager, is an enormously high CPU load that comes from it. This effectively renders your system unusable, causing stutters and even crashes.

Bloom.exe Miner Overview

Bloom.exe is a process created by coin miner malware. This class of malware exploits the hardware of the victim’s system to mine cryptocurrency. The name “Bloom.exe” serves only to make the malware look like a legitimate process and confuse the user. Like other malicious miners of this kind, it mines Monero or DarkCoin, with all profits going to the attacker.

Screenshot: Bloom.exe in the Task Manager

The Bloom.exe miner monitors system usage and adjusts its resource consumption accordingly. This makes it less noticeable, as it does not consume all available resources the way other miners do. Additionally, Bloom.exe is able to use GPU resources, improving the effectiveness of the mining process and making the malware activity harder to detect (if you’re not gaming or don’t pay attention to fan noise levels).

Spreading Methods

As for distribution, Bloom.exe is similar to other miners. It is mainly distributed under the guise of legitimate software. The second, almost as popular, method is drive-by downloads and illegal software, such as pirated games or cracked programs.

A less effective but no less popular method of distribution is malvertising. Con actors can hijack search results for popular software to lead users to their sites instead of the genuine ones. Instead of getting the installer of a program, users download and run malware, the Bloom.exe miner among them.

Technical Analysis

Let’s take a closer look at how this miner behaves. In fact, most miner malware behaves rather similarly, regardless of whether it is stand-alone or based on XMRig or another well-known open-source project.

Traditionally, malware begins its life cycle by checking for a virtual environment, sandbox, or debugging tools. To do this, our sample checks the following registry keys:

HKEY_CURRENT_USER\Software\Microsoft\Windows NT\CurrentVersion
HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers
HKEY_LOCAL_MACHINE\System\CurrentControlSet\Control\Session Manager\AppCertDlls

These keys contain some system settings and Windows security policies. Besides doing these checks, this malware often has its code packed, encrypted and obfuscated. These “passive” protection measures make Bloom.exe a tough nut for basic antiviruses.

C2 Communication

The malware uses several addresses for communication, including TCP 204.79.197.203:443, which belongs to Microsoft. This is possibly because fraudsters use some of the cloud services Microsoft offers to anyone: although such hosts are easy to take down, it is just as easy to create new ones. There are also several addresses that could potentially belong to the command server:

https://pdfcrowd.com/?ref=pdf
https://pdfcrowd.com/doc/api/?ref=pdf
https://gettodaveriviedt0.com/secur3-appleld-verlfy1/?16shop

Payload

After all the checks and communications, the malware drops a payload on the system. It also loads a large number of files into the %windir%\System32\ folder, among which are:

C:\Windows\System32\OHcvDRK.exe
C:\Windows\System32\ROKnunx.exe
C:\Windows\System32\TAtNGGl.exe
C:\Windows\System32\WQDfJPu.exe

These are only a small part of what the malware brings to the system; the longer the malware is active, the more of these files will appear. Inside these files are either modules that provide certain functionality or mining configurations.

How to Remove Bloom.exe?

To effectively remove Bloom.exe, I recommend using GridinSoft Anti-Malware, as it will easily detect and stop any malicious program, including this miner. Unlike manual removal, this program will find every single element of the malware, ensuring that it won’t come back.


WinRing0x64.sys
https://gridinsoft.com/blogs/winring0x64-sys-process/
Published: Wed, 19 Jun 2024 09:33:42 +0000

WinRing0x64.sys is a low-level driver that is used by specific applications. The file itself is not malicious, but malware can abuse this driver. Next, we will find out who uses WinRing0x64.sys and why, and answer the question of whether it can be removed.

WinRing0x64 Overview

WinRing0x64.sys is a crucial software component that allows applications to gain low-level access to hardware components for system monitoring or overclocking purposes. It bypasses the high-level interfaces provided by the operating system to interact directly with the hardware, which makes it essential for applications that require this type of access. Most often, this driver is used by software that controls RGB backlighting. As a result, the process will appear in Task Manager.

Screenshot: Legitimate file properties

It is essential to understand that WinRing0x64.sys is not malicious. Although it is generally safe and helpful for specific applications, it can pose potential risks if misused. For example, the ability for direct hardware access is exceptionally beneficial to malicious miners. As it allows access at such a low level, malicious software could exploit it to gain control over hardware components. And since it is a valid Windows driver, such a trick makes the malware more complicated to detect.

WinRing0x64.sys – What Software Uses It?

As I said above, WinRing0x64.sys is most often used by software for backlight control and hardware overclocking. Noriyuki MIYAZAKI, MasterPlus, EVGA Precision, and Intel Processor Diagnostic Tool are the most common programs. Since the way the driver is used resembles malware behavior, some antivirus solutions erroneously block it, much like they sometimes flag the Usermode Font Driver Host.

This driver is not mandatory for Windows, so it can be removed. In practice, however, it is deactivated by uninstalling the software that uses the driver. Depending on the software, it may be located in a subfolder of “C:\” or sometimes in a subfolder of the user’s profile folder or the folder with the installed program. Although the driver does not have its window, it may appear in the running processes in Task Manager.

Is WinRing0x64.sys Malware?

Although WinRing0x64.sys is a legitimate driver, it is sometimes detected as a trojan. For example, some users reported their antivirus blocking winring0x64.sys after installing the EVGA Precision overclocking software for graphics adapters. To understand whether a file is malicious or not, you need to weigh several factors, such as how many resources the process consumes, whether any installed software needs this driver, etc.

Screenshot: Suspicious process in the Task Manager

Suppose you downloaded video card software from an official website, which is detected as a trojan. This is most likely a false positive. On the other hand, if you have a laptop with Intel HD graphics but there is WinRing0x64.sys in Task Manager, it is a reason to dig deeper. Although WinRing cannot load the system to 100%, it can allow other processes to do this. So, if a suspicious process on your system consumes an abnormal amount of resources and you see WinRing0x64.sys among running processes, this is a red flag. In such a case, I recommend running a full scan with Gridinsoft Anti-Malware.


Hellminer.exe Coin Miner
https://gridinsoft.com/blogs/hellminer-exe-malware-analysis/
Published: Thu, 13 Jun 2024 15:51:29 +0000

Hellminer.exe is a process you can see in the Task Manager that indicates malicious software activity. It stands out by the high CPU load it creates, making the system much less responsive. Let’s figure out what this process is and how to get rid of it.

Hellminer malware has the potential to attack a wide range of devices, from IoT to server clusters. The final goal of its activity is bringing profit to its operators with the use of your hardware. Ignoring the activity of this malicious program may lead to premature hardware failure and overall performance deterioration.

Modern malware samples often come in packs, meaning that one infection may signify the presence of several others. Do not hesitate with removal: scan your device with GridinSoft Anti-Malware and remove all the threats in one click.

What is the Hellminer.exe process?

This is a process associated with a malicious coin miner. Such malware aims at exploiting the system’s hardware to mine cryptocurrencies, mainly DarkCoin and Monero. To maximize profits, hackers who stand behind this malware establish huge networks of infected computers. Hellminer takes up to 80% of CPU power in order to get substantial mining performance, making the system sluggish and uncomfortable to use.

Screenshot: Hellminer.exe process in Task Manager

Malicious miners like this one typically get into users’ systems through malvertising on the Web or with the use of dropper malware. Both spreading methods, though, are commonly used by other malware as well, which means there is a risk that Hellminer is not the only infection running in the system.

This malware appears to be different from other miners, as it is not based on XMRig, a popular open-source mining software. Instead, it appears to be written in Python, and is likely a private development. Let’s check out other interesting stuff I’ve found during the analysis.

Hellminer Malware Analysis

It is not completely clear how Hellminer gets into the system; I suspect it is not much different from how malware miners typically spread – via dropper malware and malvertising. After the launch, the malware begins with a selection of anti-VM and anti-debug checks.

Figure: Hellminer execution chain

Using calls to WMI, it gets information about the CPU, looking for signs of virtualization. The reason I don’t think this is just immediate info gathering is that the very next step is listing services and processes: Hellminer specifically searches for traces of the VMware virtualization environment. After these checks, the main payload is unfolded. The malware may also use the information collected at this stage to configure the mining process or as part of the system fingerprint.

wmic cpu get Name,CurrentClockSpeed,L2CacheSize,L3CacheSize,Description,Caption,Manufacturer /format:list

Fingerprinting starts with another call to WMIC, wmic os get Version. The malware collects a rather basic, if not scarce, set of data – just information about the operating system. After that, it gains persistence through another command and a series of changes in the Windows registry.

%windir%\System32\svchost.exe -k WerSvcGroup – starting Windows error reporting service to make it run the malware. This increases the level of privileges the malicious program has, also providing it with a disguise.

HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Main\FeatureControl\FEATURE_USE_IETLDLIST_FOR_DOMAIN_DETERMINATION

HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Security – changing network security policies.

The final round of persistence involves another call to WMI, specifically to its Adaptation Service. Hellminer forces it to recursively launch the payload, ensuring continuous execution. This specific command is also a part of resource allocation for the mining process.

wmiadap.exe /F /T /R

Command Server Connectivity

Like other malware miners, Hellminer does not have any extensive C2 communication. After finishing the steps above, it sends a blob of system information to the command server, effectively notifying it of its readiness. The C2 returns a configuration file, which specifies the mining pool and the IP address to connect to.

Still, one thing catches the eye – the form of the command servers used by this malware. They do not look like a classic C2 model, but rather a peer-to-peer one. In such a network, the role of the command server is given to one of the infected computers. The “real” server sporadically communicates with it, retrieving information about new devices and assigning the next system to take the C2 role. This drastically increases the resilience of the network, making it particularly hard to disrupt by taking down a command server.

During the analysis, I’ve detected these command servers:


Hellminer.exe Removal Guide

Removing Hellminer malware requires scanning with anti-malware software. Such threats typically duplicate themselves to numerous folders across the system, with each copy acting as a backup. GridinSoft Anti-Malware will remove the malicious miner and all its copies in a matter of minutes.


Miner malware activity always correlates with cryptocurrency prices. At the moment, they are on the rise, meaning that more and more fraudsters will opt for this malware. The typical way of spreading malicious miners is malvertising, particularly in search engines. Avoiding it requires user attention: the malicious sites typically mimic legitimate sites that spread freeware, but always have a different, mangled URL.

Csrss.exe Trojan Virus
https://gridinsoft.com/blogs/csrss-exe-process-troubleshooting/
Published: Thu, 13 Jun 2024 12:01:01 +0000

Csrss.exe is an important Windows process, which may sometimes consume a lot of system resources and puzzle users with such behavior. Some people may mistake it for a trojan and try to terminate it forcefully. So, is csrss.exe dangerous? And how do you fix the issues it creates? Let’s find out.

What is Csrss.exe?

Csrss.exe is a legitimate Windows process, with the full name Client Server Runtime Process, and is critical to the system. This process is present in all modern Windows versions, and it is not uncommon to notice several instances running at the same time. Such a phenomenon is normal and is not considered a sign of viruses. The system starts one upon startup, and terminating it leads to a BSoD.

This process in Windows 7, 8, and 10 is responsible for console programs, shutdown processing, starting another vital process – conhost.exe – and other critical system functions. It uses few resources in normal operation, so there is no reason to terminate it. It is needed for system shutdown, Virtual DOS Machine (VDM) support and other system functions such as Ctrl+C and Ctrl+Break signal processing, user switching, and mounting and unmounting disks. As a legacy function, csrss.exe is responsible for opening the console window, but only to the extent of launching the conhost.exe process.

Csrss.exe BSOD – How to Fix?

Sometimes, after unsuccessful manipulations with the Csrss.exe file or other system files, Windows may become unstable or fail to start. Corruption of important Windows system files can cause this. The solution is as follows:

Go to Troubleshooting → Advanced Options → Command Prompt in the recovery environment. At the command prompt that launches, execute the following command:

sfc /scannow /offbootdir=C:\ /offwindir=C:\Windows

After entering the command, press Enter and wait for the process to complete. This may take some time, but be sure to wait until the end, as it is required to finish the system files’ repair. After that, close the command prompt and restart your computer.

Screenshot: Sfc command result

Analysis of a Real Trojan Virus

We found several samples of trojans disguised as Csrss.exe.

They can be downloaded from the Internet by the users themselves. Often, when users open unknown files attached to spam messages, they infect the computer with various kinds of virus-like malware. But malware developers usually have a plan B: they bundle similar viruses with the installers of various free programs. Hence, if you rush through the installation process and don’t look at the advanced settings, be ready for your computer to be infected with a virus like this.

We discovered a sample of Trojan.CoinMiner written in Delphi, which is distributed via spam mail:

Screenshot: Trojan.CoinMiner sample in PEiD v0.95

GridinSoft Anti-Malware detects it as “Trojan.Win32.CoinMiner.dd”

MD5: 922e0891ae30ac3adb3a09cb963570cc
SHA1: 77feeefff422519cdb63faa438fea87e5e70882a

Other antivirus programs detect Trojan.CoinMiner (csrss.exe) as:

DrWeb: Trojan.Hosts.6838
Emsisoft: Trojan.Agent.CEQQ (B)
ESET-NOD32: a variant of Win64/BitCoinMiner.AP potentially unsafe
Kaspersky: not-a-virus:RiskTool.Win64.BitCoinMiner.cev

Files dropped by the trojan miner:

C:\Windows\MicrosoftU
Auto.bat
Start.vbs
Start2.vbs
Hide.bat
Start.bat
Start2.bat
1.bat
2.bat
Srvany.exe
Csrss.exe
Srvanyx.exe

After Trojan.CoinMiner has been unpacked, it hides its presence using the commands in Hide.bat, which set the hidden and system attributes on the folder and its files:

attrib C:\Windows\MicrosoftU +S +H /S /D
attrib C:\Windows\MicrosoftU\*.* +S +H /S /D

Trojan Miner uses the name of one of the system files “csrss.exe” to hide its presence in the system.

The csrss.exe trojan starts with the following parameters:

  • stratum+tcp://xmr.pool.minergate.com:45560 – the mining pool to which the “mining” results are submitted
  • Tatyana.kostomarova@gmail.com – the pool login under which the mining is performed
  • cryptonight – the mining algorithm

Another parameter is how many threads the program will work in. This “miner” has a formula for calculating the number of processor cores involved. It is in the .bat file that launches the “miner” for the first time:

set /a CPU=%NUMBER_OF_PROCESSORS%/2+1
Srvanyx -a cryptonight -o stratum+tcp://xmr.pool.minergate.com:45560 -u tatyana.kostomarova@gmail.com -p x -t %CPU%

Image: Trojan.CoinMiner (meme caption: “Nah, it’s fine, the computer just slightly slowed down”)

High CPU & GPU Troubleshooting

If you encounter abnormal GPU and CPU consumption by the csrss.exe process, you should first check the file location. To verify it, right-click on it and select “Open file location”. It should be located at “%SYSTEMROOT%\system32”.

Screenshot: Csrss.exe file in the system32 folder

Next, right-click on the file and select “Properties”, then the “Details” tab. This file’s Product Name should be “Microsoft® Windows® Operating System”. Also, the Copyright section should read “© Microsoft Corporation. All rights reserved.”

Screenshot: Original csrss.exe file properties

If it is the original csrss.exe file, it may cause a high CPU/GPU load due to incorrect operation of the functions it is responsible for.

The Client Server Runtime Process’s excessive GPU consumption was previously a recognized problem in one of the Windows cumulative updates. However, Microsoft addressed the issue through various updates and hotfixes. You may still be using an older Windows version with this problem. If so, go to the Windows Update section and click “Check for updates”.

Screenshot: Windows Update

The next step is to update your GPU drivers. If you have an Nvidia GPU, open GeForce Experience and, under the “Drivers” tab, click “Check for updates” and follow the instructions. If you have an AMD GPU, check the Radeon software for updates. It is vital to download drivers from official websites. Avoid using low-trust sites or third-party installers like driver packs.

Screenshot: Nvidia driver update process

If the problem persists, run an SFC scan. To do this, run Command Prompt as administrator and paste the “sfc /scannow” command into it.

If the process csrss.exe still loads the device after all the manipulations, you can create a new user profile. To add a new user profile to your PC, go to Settings (gear icon) and select Accounts. Under Family & Other Users, click Add another person to this PC. Choose “I don’t have this person’s sign-in information” and then select “Add a user without a Microsoft account”. Fill in the details and click Next. Remember to grant administrator privileges only to those you trust.

Manage another account

Note: This guide is relevant for users of Windows 10. Windows 11 lacks the option to add a local account and asks you to use a Microsoft account.

Creating an online account in Windows 11 (screenshot)

Is csrss.exe a trojan virus?

First, any claim that the “csrss.exe” file located in “C:\Windows\System32\” is a trojan virus is false. Low user awareness combined with cryptic process names makes system process names an excellent hiding place for malware. Usually, malware tries to infect or impersonate critical system processes of the operating system, and many viruses reuse the name of this process or executable file so as not to raise suspicion. Windows creates a separate csrss.exe process for each session, so several dozen instances can legitimately run at the same time.

Nevertheless, a constant high CPU and GPU load from csrss.exe is a good reason to worry. Even in this case, there are two explanations for abnormal process behavior: malware and user profile corruption. The original “csrss.exe” executable is stored in only one place, the “C:\Windows\System32\” directory. If only one OS is installed on the device, substituting or overwriting this file in its standard directory is almost impossible.

That being said, finding the files named “csrss.exe” in other directories on your PC is a sign of malware activity. To remove the threat, launch GridinSoft Anti-Malware.
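The two checks described above (the image path and signature of every running csrss.exe, and the hunt for files of that name in other directories) can be scripted. The following is an added example written for this page, not code from the Gridinsoft article or its product; it assumes an elevated PowerShell 5.1 or newer session, and the choice to scan the whole system drive while skipping the WinSxS component store (which legitimately holds copies of system binaries) is an assumption of the script, not something the article states.

```powershell
# Added example (not from the Gridinsoft article): verify running csrss.exe
# instances and hunt for copies of the name outside System32.
# Assumptions: elevated PowerShell 5.1+; scan root and WinSxS exclusion are
# choices of this script.

$ExpectedPath = Join-Path $env:SystemRoot 'System32\csrss.exe'
$SearchRoot   = "$env:SystemDrive\"

function Test-CsrssProcesses {
    # One result per running csrss.exe: is the image path the expected one,
    # and does the file carry a valid Microsoft Authenticode/catalog signature?
    Get-CimInstance Win32_Process -Filter "Name = 'csrss.exe'" | ForEach-Object {
        $path = $_.ExecutablePath
        if (-not $path) {
            # Protected processes hide their image path from non-elevated callers.
            [pscustomobject]@{ Pid = $_.ProcessId; Path = '<access denied, run elevated>'; Signer = $null; Verdict = 'unknown' }
            return
        }
        $sig    = Get-AuthenticodeSignature -FilePath $path
        $pathOk = ($path -ieq $ExpectedPath)
        $sigOk  = ($sig.Status -eq 'Valid' -and $sig.SignerCertificate.Subject -match 'Microsoft')
        $verdict = if ($pathOk -and $sigOk) { 'expected' } else { 'SUSPICIOUS' }
        [pscustomobject]@{
            Pid     = $_.ProcessId
            Path    = $path
            Signer  = $sig.SignerCertificate.Subject
            Verdict = $verdict
        }
    }
}

function Find-StrayCsrssFiles {
    # Any file named csrss.exe outside System32 deserves a closer look.
    # The WinSxS component store legitimately contains copies, so it is
    # excluded here (assumption of this example).
    $winsxs = Join-Path $env:SystemRoot 'WinSxS'
    Get-ChildItem -Path $SearchRoot -Filter 'csrss.exe' -Recurse -File -Force -ErrorAction SilentlyContinue |
        Where-Object {
            $_.FullName -ine $ExpectedPath -and
            -not $_.FullName.StartsWith($winsxs, [StringComparison]::OrdinalIgnoreCase)
        } |
        ForEach-Object {
            [pscustomobject]@{
                Path   = $_.FullName
                Size   = $_.Length
                Sha256 = (Get-FileHash -Algorithm SHA256 -LiteralPath $_.FullName).Hash
                Signed = (Get-AuthenticodeSignature -FilePath $_.FullName).Status
            }
        }
}

Test-CsrssProcesses  | Format-Table -AutoSize
Find-StrayCsrssFiles | Format-Table -AutoSize
```

The script only reports; it does not stop processes or delete files. A row marked SUSPICIOUS, or any stray copy that is unsigned, is what warrants the full anti-malware scan the text recommends next.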

GridinSoft Anti-Malware main screen

Download and install Anti-Malware by clicking the button below. After the installation, run a Full scan: this will check all the volumes present in the system, including hidden folders and system files. Scanning will take around 15 minutes.

After the scan, you will see the list of detected malicious and unwanted elements. It is possible to adjust the actions that the antimalware program does to each element: click "Advanced mode" and see the options in the drop-down menus. You can also see extended information about each detection - malware type, effects and potential source of infection.

Scan results screen

Click "Clean Now" to start the removal process. Important: removal process may take several minutes when there are a lot of detections. Do not interrupt this process, and you will get your system as clean as new.

Removal finished

GuptiMiner Use eScan to Spread Miners and Backdoors
https://gridinsoft.com/blogs/guptiminer-escan-miners-backdoors/
Thu, 25 Apr 2024 12:58:14 +0000

A recent report by Avast researchers identified an old-timer malware called GuptiMiner. It uses the eScan antivirus update mechanism to stealthily inject backdoors and cryptocurrency mining programs into users’ computer systems and large corporate networks. This is further evidence that cybercriminals are adapting their techniques to bypass modern security measures. Let’s look at the situation.

Campaign discovery and GuptiMiner

Avast specialists analyzed the activity of the GuptiMiner malware, active since 2018. GuptiMiner is sophisticated malware that aims at spreading backdoors and performing hidden cryptomining in corporate networks. It utilizes a multi-stage infection chain that starts by hijacking antivirus software updates through man-in-the-middle (MitM) attacks, which allows attackers to substitute malicious updates for legitimate ones.

Avast informed eScan and India CERT of the found vulnerability, which was successfully patched on July 31, 2023. However, since users rarely install more than one antivirus, this limits the ability to detect and analyze the full scope of GuptiMiner’s activities.

GuptiMiner’s infection chain

This malware uses a complex infection chain. The attack starts by intercepting eScan antivirus updates: the update package is requested from the server, but an attacker in the path substitutes it with a malicious one. Next, eScan downloads and decompresses the package, initiating the infection chain through a DLL. This DLL lets the malware control further downloads and code execution.

GuptiMiner is requesting the payload from a real IP address (screenshot)

Next, GuptiMiner uses a sideloading technique to inject malicious code into trusted processes, which allows the program to remain invisible to antivirus systems. The malware also communicates with remote command and control (C2) servers to receive commands and updates. This allows attackers to control infected systems, run additional malicious processes, or conduct cryptocurrency mining.

How does GuptiMiner work?

GuptiMiner analysis revealed that the malware used a variety of sophisticated techniques to install and hide its presence on the system. Key techniques included DLL sideloading, modifying system files, and using forged digital signatures to simulate legitimacy.

Also, one of the characteristic features of GuptiMiner is its ability to modularize infections. This includes performing DNS queries to the attacker’s DNS servers and extracting useful data from innocent-looking images. In addition to its core functionality of installing backdoors, GuptiMiner unexpectedly spreads the XMRig miner used to mine the Monero cryptocurrency.

The process of dynamically assigning mining threads for XMRig (decompiled):

xmrig_shellcode_copy_ = xmrig_shellcode_copy;
num_cores_ = num_cores;
dword_140020908 = 25;
xmrig_shellcode_copy->max_cpu_usage = '53';
xmrig_shellcode_copy_->threads = '1';
if ( num_cores_ >= 6 )
    xmrig_shellcode_copy_->threads = '2';
if ( num_cores_ >= 8 )
    xmrig_shellcode_copy_->threads = '3';

The malware has been identified as potentially linked to Kimsuky, a prominent North Korean hacking group. This indicates possible state sponsorship and a high degree of organization of the attacks. North Korean hackers have previously shown a certain degree of interest in acquiring cryptocurrency, so this should not be too much of a surprise.

Two Different types of Backdoors

While analyzing the GuptiMiner malware, researchers identified two different types of backdoors. Both types of backdoors were designed to function as part of a large-scale and well-planned campaign. But each was designed to perform specific tasks on infected corporate networks.

  • The first type of backdoor is a modified version of PuTTY Link, which is used to scan SMBs on the local network. This backdoor allows lateral movement (horizontal propagation of malware within the network) to access potentially vulnerable systems running Windows 7 and Windows Server 2008. This facilitates the exploitation of vulnerabilities in legacy operating systems.
  • The second type of backdoor is multifunctional and modular. It accepts commands from the attacker to install additional modules and specializes in finding and stealing locally stored private keys and cryptocurrency wallets. This approach allows attackers to monitor infected systems for long periods of time and activate additional malicious features if necessary.

OpenMetadata Vulnerabilities Exploited to Abuse Kubernetes
https://gridinsoft.com/blogs/openmetadata-vulnerabilities-exploited-kubernetes/
Mon, 22 Apr 2024 23:07:21 +0000

Microsoft’s security blog reports that the OpenMetadata platform has critical vulnerabilities that allow attackers to exploit Kubernetes workloads for crypto mining. Five vulnerabilities allow attackers to bypass authentication and achieve Remote Code Execution. Microsoft recommends updating OpenMetadata and employing robust authentication measures.

OpenMetadata Vulnerabilities Threaten Kubernetes Workloads, Actively Exploited

According to the recent Microsoft security blog, cyber attackers leverage critical vulnerabilities within the OpenMetadata platform to infiltrate Kubernetes workloads. These vulnerabilities (CVE-2024-28255, CVE-2024-28847, CVE-2024-28253, CVE-2024-28848, and CVE-2024-28254) impact versions preceding 1.3.1. All of them have different CVSS scores, the highest being 9.8 and 9.4 (more on them below). Successful exploitation allows attackers to bypass authentication and achieve remote code execution (RCE).

Additional cryptomining-related malware on the attacker’s server (screenshot)

OpenMetadata is a discovery, observability, and governance platform with a central metadata repository, in-depth lineage, and team collaboration. It has metadata schemas, a metadata store, APIs, and an ingestion framework; key features include data discovery. Once compromised, however, these workloads become conduits for illicit crypto-mining activities.

Identifying Critical Vulnerabilities

CVE-2024-28255 is a critical vulnerability (CVSS: 9.8) in the OpenMetadata platform, affecting its API authentication mechanism. In brief, the `JwtFilter` handles API authentication by verifying JWT tokens; however, attackers can bypass the authentication mechanism by requesting excluded endpoints using path parameters. Developers fixed the issue in version 1.2.4.

CVE-2024-28255 is a second vulnerability, with a CVSS of 9.4, that stems from JWT token validation deficiencies in `JwtFilter`. The authorization check, `authorizer.authorize()`, is called only after `prepareInternal()`, which gets executed first and evaluates the SpEL expression. To exploit this vulnerability, an attacker can send a PUT request to `/api/v1/policies`. The issue can lead to Remote Code Execution and is fixed in version 1.3.1.

How Does The Attack Work?

The following describes the attack sequence observed in instances where Kubernetes workloads of OpenMetadata accessible via the internet have been compromised. Attackers identify vulnerable versions and exploit the vulnerabilities to gain code execution within the container hosting the compromised OpenMetadata image, thereby obtaining initial access.

Post-infiltration, attackers validate their intrusion and gauge control using a publicly accessible service. They utilize ping requests to domains ending with oast[.]me and oast[.]pro—associated with Interactsh—to confirm successful exploitation and validate connectivity before establishing a command-and-control channel and deploying malicious payloads.

Following successful access confirmation, attackers download crypto-mining malware from a remote server for XMR mining, executed with elevated permissions. It is noteworthy that Microsoft identified the attacker’s server location as China. Additionally, other malware targeting both Linux and Windows operating systems was uncovered on the attacker’s server.

Prevention and Mitigation Measures

To reduce the risk of potential vulnerabilities, we highly recommend updating the image version of clusters hosting OpenMetadata workloads to the latest version—specifically version 1.3.1 or newer. Additionally, if you are making OpenMetadata accessible via the Internet, it is crucial to employ strong authentication mechanisms and avoid using default credentials.
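The first mitigation step is knowing which OpenMetadata images are actually running in a cluster and whether any tag is older than 1.3.1. The script below is an added example for this page, not code from Microsoft, Gridinsoft or the OpenMetadata project; it assumes `kubectl` is on the PATH and already pointed at the cluster, and the image-name pattern `openmetadata` used to pick out the containers is an assumption of the script.

```powershell
# Added example (not from the write-ups this post summarizes): inventory
# OpenMetadata container images across the cluster and flag tags below 1.3.1,
# the version the text names as fixed. Assumes kubectl is on PATH and
# targets the right cluster; the 'openmetadata' image filter is an assumption.

$FixedVersion = [version]'1.3.1'

function ConvertTo-ImageVersion {
    param([string]$Image)
    # "registry/openmetadata/server:1.2.4" -> [version]1.2.4
    # Untagged or digest-only references return $null (check those by hand).
    $ref       = $Image.Split('@')[0]            # drop @sha256:... digest if present
    $lastSlash = $ref.LastIndexOf('/')
    $lastColon = $ref.LastIndexOf(':')
    if ($lastColon -le $lastSlash) { return $null }   # colon belongs to registry:port, no tag
    $tag = $ref.Substring($lastColon + 1) -replace '^v', ''
    if ($tag -match '^(\d+(\.\d+){1,3})') { return [version]$Matches[1] }
    return $null
}

function Get-OpenMetadataImages {
    # Native command output arrives line by line; join before parsing.
    $raw  = kubectl get pods --all-namespaces -o json
    $pods = (($raw -join "`n") | ConvertFrom-Json).items
    foreach ($pod in $pods) {
        $containers = @($pod.spec.containers) + @($pod.spec.initContainers)
        foreach ($c in $containers) {
            if (-not $c -or $c.image -notmatch 'openmetadata') { continue }
            $v = ConvertTo-ImageVersion $c.image
            $status = if (-not $v)                   { 'UNKNOWN' }
                      elseif ($v -lt $FixedVersion)  { 'VULNERABLE' }
                      else                           { 'ok' }
            [pscustomobject]@{
                Namespace = $pod.metadata.namespace
                Pod       = $pod.metadata.name
                Image     = $c.image
                Version   = $v
                Status    = $status
            }
        }
    }
}

Get-OpenMetadataImages | Sort-Object Status, Namespace | Format-Table -AutoSize
```

Rows marked VULNERABLE need the image bump; rows marked UNKNOWN (digest-pinned or untagged images) need the version confirmed from the registry before they can be cleared. Exposure to the Internet, the second point above, is not visible from pod specs and has to be checked separately on the Service and Ingress objects.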

Bitfiat Process High CPU – Explained & Removal Guide
https://gridinsoft.com/blogs/bitfiat-process-high-cpu/
Wed, 28 Feb 2024 15:28:06 +0000

Bitfiat is a malicious coin miner that exploits your computer’s hardware to mine cryptocurrencies. Such malware takes as many resources as it can, making the system impossible to use. Let’s see what this malware is, and how to remove it.

Bitfiat Overview

The Bitfiat process is related to the activity of a malicious coin miner. Such malware uses your computer’s resources to mine cryptocurrencies, mainly Monero or DarkCoin. An unusual part about Bitfiat is its origins: it is based on its own technology rather than using XMRig code. This, however, is the last part where it is different from other malware miners – its behavior is as unpleasant as in other cases.

As for the symptoms, they are typical: it causes the CPU to run at maximum capacity, often reaching 100%. You may also notice that your computer’s fan runs at full speed even when you are not using any programs. Moreover, this process usually appears in Task Manager and consumes the most resources. Although coin miners usually don’t harm your files, they make your system unusable due to an overloaded CPU.

The Bitfiat process in Task Manager (screenshot)

Bitfiat Virus Analysis

Despite having the origins different from the majority of malware miners, the infection chain of Bitfiat is pretty much the same. Let’s start from the very beginning and explore the operations of this malware. Fortunately, there are enough samples to analyze.

Spreading Methods

Bitfiat propagates through various channels, primarily cracked software and software activators (“cracks”). These are often distributed through illicit channels like torrents and online forums, enticing users with the promise of unlocking premium software features without paying. Even though it sounds like a fairy tale, unwary users keep downloading such “free” premiums.

Another spreading method is botnets. By paying the masters of a botnet built with dropper malware, crooks can provide themselves with massive numbers of mining nodes. The thing is, once a payload as noticeable as a coin miner is deployed, the entire malware spreading chain will likely be uncovered, and the dropper will most likely be removed from the machine. To maximize profits, miners are therefore spread alongside other “visible” malware, like ransomware or proxyware.

Launch, C2 Connection & Mining

The majority of Bitfiat samples do not have any detection evasion tricks. And, well, how can you evade the detection when your process takes up to 80% of the CPU? Right after launching, the malware performs an IP check, then collects some basic info about the system and connects to the command server.

Command servers used by Bitfiat are rather unusual: there is no direct connection to the “main” C2. Instead, the malware retrieves the needed instructions from another infected machine, i.e. the bots operate like a p2p network. This provides much better stability, up to autonomous existence in cases when the command server is unresponsive.

P2P architecture C2 Bitfiat

The said instructions in a form of config file contain the info about mining pool and crypto wallet address. After executing a few command prompt lines, it starts the mining process. And this is the point where the most noticeable sign of a malware miner activity appears – overloaded CPU and a strange process in the list of running programs.
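When the only visible symptom is an overloaded CPU and an unfamiliar process, the useful first move is to record what that process is before anything is stopped or deleted. The script below is an added example for this page, not Gridinsoft’s code or the malware’s: it samples the current top CPU consumers and collects image path, command line, parent process, SHA-256 and open TCP connections for each. It assumes an elevated Windows PowerShell 5.1 or newer session so that every process’s path is readable; the number of processes to triage is a parameter of the script.

```powershell
# Added example (not from the article): triage the processes currently
# consuming the most CPU. Read-only; run elevated so all image paths resolve.

function Get-TopCpuProcesses {
    param([int]$Top = 5)
    # PercentProcessorTime is a live sample summed over all cores, so a
    # miner on a multi-core box can show well over 100.
    Get-CimInstance Win32_PerfFormattedData_PerfProc_Process |
        Where-Object { $_.Name -notin @('_Total', 'Idle') } |
        Sort-Object PercentProcessorTime -Descending |
        Select-Object -First $Top
}

function Get-ProcessTriage {
    param([int]$ProcessId)
    $proc = Get-CimInstance Win32_Process -Filter "ProcessId = $ProcessId"
    if (-not $proc) { return $null }          # process exited between sample and lookup
    $path = $proc.ExecutablePath
    $hash = if ($path -and (Test-Path -LiteralPath $path)) {
                (Get-FileHash -Algorithm SHA256 -LiteralPath $path).Hash
            } else { $null }
    $parent = Get-CimInstance Win32_Process -Filter "ProcessId = $($proc.ParentProcessId)"
    # Remote endpoints: a miner talking to a pool (or, for Bitfiat, to a peer
    # bot) shows up here even when the binary name tells you nothing.
    $conns = Get-NetTCPConnection -OwningProcess $ProcessId -ErrorAction SilentlyContinue |
        Where-Object { $_.RemoteAddress -notin @('0.0.0.0', '::', '127.0.0.1', '::1') } |
        ForEach-Object { "$($_.RemoteAddress):$($_.RemotePort) [$($_.State)]" }
    [pscustomobject]@{
        Pid         = $ProcessId
        Name        = $proc.Name
        Path        = $path
        Sha256      = $hash
        CommandLine = $proc.CommandLine
        Parent      = if ($parent) { "$($parent.Name) ($($parent.ProcessId))" }
                      else         { "<exited> ($($proc.ParentProcessId))" }
        Remote      = ($conns -join ', ')
    }
}

Get-TopCpuProcesses -Top 5 | ForEach-Object {
    "{0,6:N0}% CPU  {1}" -f $_.PercentProcessorTime, $_.Name
    Get-ProcessTriage -ProcessId $_.IDProcess | Format-List
}
```

Keep the output: the hash identifies the sample for a scanner or a threat-intelligence lookup, and the parent and command line usually point at the dropper or the scheduled task that started the miner, which is what has to be removed along with it.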

How To Remove Bitfiat?

Effective removal of the crypto miner requires a complex approach to neutralize all malware actions. Unlike other types of malware, a miner can overload the system so that the removal tool has no resources left. To avoid these issues, the removal guide should have one more step.

  • Download and install GridinSoft Anti-Malware. The first thing to do is to deploy the removal tool, even though it will be used later.
  • Switch your Windows to Safe Mode with Networking. By booting into Safe Mode with Networking, you prevent the Bitfiat process from exerting its influence on the CPU. This will facilitate uninterrupted removal by antivirus software.
  • Start the Full Scan. By running a Full Scan, you make the program check every single element of the system. Such a thorough scan is essential to ensure that all the malware present in the system is removed. After the scan, click “Clean Now” to get rid of all the detected items.

Aluc Service: What Is Aluc App & How to Remove?
https://gridinsoft.com/blogs/aluc-service-how-to-remove/
Wed, 11 Oct 2023 09:02:51 +0000

Aluc Service is a strange service you can spot in the Task Manager. It is, in fact, a malware-related process that hides behind a legitimate-looking name. Most commonly, such a trick is done by coin miner malware and rootkits.

What is Aluc Service?

At a glance, Aluc Service may look like a legit service among the hundreds running in Windows. However, even a tiny bit of research shows that it is not something common: no well-known program has its service named in such a manner. Moreover, users commonly report that it consumes significant amounts of CPU power. This makes me assume that it is most likely related to coin miner malware activity.

Reddit user complaining about Aluc Service consuming a lot of CPU power (screenshot)

But why would malware take the disguise of a service? Well, the vast majority of malware does this trick – hooking up to a system service to make itself run without any permissions. The thing is, not much other malware takes as much CPU power as coin miners do. While a strange service launched by spyware will remain unnoticed, miners would not – quite an easy math here.
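Because a service name alone proves nothing either way, the practical check is where each service’s binary lives and whether it is signed. The following is an added example written for this page, not Gridinsoft’s code: it walks every Win32 service and reports those whose executable sits outside the usual system locations, is not validly signed, or has no description, without stopping or removing anything (which, as the removal section notes, can end in a BSOD when done by hand). The set of “trusted roots” is an assumption of the script, as is cutting the service command line at the first `.exe` to recover the image path from unquoted paths.

```powershell
# Added example (not the article's code): read-only triage of Windows services.
# Assumptions: the trusted roots below, and parsing PathName up to the first
# ".exe" (handles both quoted paths and unquoted paths containing spaces).

$TrustedRoots = @(
    $env:SystemRoot,
    $env:ProgramFiles,
    ${env:ProgramFiles(x86)},
    (Join-Path $env:ProgramData 'Microsoft')
) | Where-Object { $_ } | ForEach-Object { $_.TrimEnd('\') + '\' }

function Get-ServiceImagePath {
    param([string]$PathName)
    # Service PathName is either "C:\quoted path\svc.exe" args, or an
    # unquoted path (possibly with spaces) followed by arguments.
    if (-not $PathName) { return '' }
    if ($PathName -match '^\s*"([^"]+)"')   { return $Matches[1] }
    if ($PathName -match '^\s*(.+?\.exe)')  { return $Matches[1] }
    return $PathName.Trim()
}

function Test-PathUnderTrustedRoot {
    param([string]$Path)
    foreach ($root in $TrustedRoots) {
        if ($Path.StartsWith($root, [StringComparison]::OrdinalIgnoreCase)) { return $true }
    }
    return $false
}

function Get-SuspiciousServices {
    Get-CimInstance Win32_Service | ForEach-Object {
        $exe    = Get-ServiceImagePath $_.PathName
        $exists = $exe -and (Test-Path -LiteralPath $exe -PathType Leaf)
        $sigStatus = if ($exists) { (Get-AuthenticodeSignature -FilePath $exe).Status } else { 'FileMissing' }
        $reasons = @()
        if (-not (Test-PathUnderTrustedRoot $exe)) { $reasons += 'outside trusted roots' }
        if ($sigStatus -ne 'Valid')               { $reasons += "signature: $sigStatus" }
        if (-not $_.Description)                  { $reasons += 'no description' }
        if ($reasons.Count -gt 0) {
            [pscustomobject]@{
                Name      = $_.Name
                State     = $_.State
                StartMode = $_.StartMode
                Image     = $exe
                Reasons   = ($reasons -join '; ')
            }
        }
    }
}

Get-SuspiciousServices | Sort-Object Name | Format-Table -AutoSize -Wrap
```

Expect some noise: legitimately installed third-party agents often live outside Program Files and lack a description. A service that combines an odd name, a binary under a user profile or temp folder, an invalid or missing signature and the CPU usage described above is the combination worth handing to a full anti-malware scan.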

Aluc Service – Is It Dangerous?

The main issue coin miners like Aluc Service create is system overloading. Such pieces of software do not care whether you want to use your computer and what for – they will take 60-80% of your CPU power. By connecting hundreds and thousands of infected machines to a mining pool, hackers provide themselves with a free mining farm. Even though mining crypto on a CPU is inefficient, the amount of processors involved covers possible performance issues. Moreover, crooks commonly opt for coins with a less complicated blockchain, like Monero or DarkCoin.

However, an overloaded system is not a single issue here. Hackers who work with coin miners often use the services of dropper malware. That means you can have one more malware – or even several if other hackers used the same dropper to deliver their payloads. Possibly, there could be several other malicious things in your system, and they are much more stealthy than the coin miner is.

How did I get infected?

There could be many possible ways of getting infected, but hackers commonly opt for a couple of the most cost- and effort-efficient methods. Among them are email spam, software cracks, and search results hijacking. The former two can spread pretty much any malware, while the latter is a common basis for multi-staged attacks. The droppers I mentioned above prefer to sneak in as fake software installers, and then perform all the dirty deeds.

Fake email from X (screenshot): it can throw you to a phishing site as well as to a malware download

That being said, it is important to keep in mind that cybercriminals seek new opportunities pretty much constantly. Hackers adjust their attack campaigns correspondingly to the circumstances, so it is tough to know what you should be prepared for.

How to remove Aluc Service?

Removing such things manually is not the best idea. Malware that exploits service creation for persistence can sometimes protect them, so attempts to remove it by simply stopping & deleting may end up with a BSOD. Moreover, you can see the Aluc Service running, but can be missing all other threats present in your system. For that reason, a scan with a proper anti-malware program is recommended. GridinSoft Anti-Malware is an anti-malware program that will make this problem sorted in 10 minutes.


How to stay safe online?

Based on the spreading methods and injection approaches I mentioned before, it is not hard to create a list of effective ways to avoid malware infections.

Be cautious with email spam. There are several places to watch out for:

  • Verify Sender. Never open email attachments or click on links in emails from unknown or suspicious senders. Verify the sender’s identity if you’re unsure.
  • Check for Spelling and Grammar. Be wary of emails with poor grammar and spelling, as these are often red flags for phishing attempts.
  • Avoid Pop-Up Promotions. Don’t click on pop-up promotions or offers in emails, especially those that seem too good to be true.

Steer clear of software cracks. Their hazards are not only about malware but also about legal consequences for breaking the copyright law.

  • Use Legitimate Sources. Only download software and applications from reputable sources and official websites. Avoid using cracked or pirated software, as these often come bundled with malware.
  • Regularly Update Software. Keep your operating system, software, and antivirus programs up to date. Updates often include security patches that protect against vulnerabilities.

Protect against search engine hijacks. There, your attention and checkups are king.

  • Avoid Clicking Search Result Ads. Google, along with other search engine providers, embeds advertisements at the top of its search results. As users tend to choose the top results, they click promoted sites without considering that the link may be malicious.
  • Verify Search Results. Before clicking on a search result, review the URL and ensure it looks legitimate. Avoid clicking on suspicious links.

Employ anti-malware software. A well-done security solution, like GridinSoft Anti-Malware, will serve for both proactive and reactive protection.

  • Install Reliable Security Software: Use a reputable antivirus and anti-malware program on your computer and keep it updated. Schedule regular scans of your system.
  • Enable Real-Time Protection: Activate real-time protection features to prevent malware from executing on your system.

KmsdBot malware combines DDoS-attacks and coin mining
https://gridinsoft.com/blogs/kmsdbot-malware-ddos-coin-mining/
Mon, 14 Nov 2022 19:04:32 +0000

A new malware, called KmsdBot, strikes user devices. The Akamai SIRT has discovered a new malware that uses the SSH (Secure Shell) protocol to infiltrate target systems in order to mine cryptocurrency and carry out DDoS attacks. It spreads disguised as a bot for popular games, in particular GTA V. The combined threat raises malware analysts’ concerns about the possible massive spreading of such malware.

KmsdBot strikes, using security vulnerabilities

The experts called the malware KmsdBot. It is written in Go (Golang) and is aimed at various companies, from gaming to automotive brands and security firms. Go is gaining popularity among malware developers, as binaries in this language are quite hard to reverse engineer. The botnet infects systems via SSH connections using “weak” login credentials. KmsdBot does not maintain persistence on the infected system, in order to avoid detection.

The malware gets its name from the “kmsd.exe” executable, which is downloaded from a remote server after a successful compromise. It is also designed to support multiple architectures – Winx86, Arm64, mips64 and x86_64. KmsdBot can perform scan and self-propagation operations by downloading a list of username/password combinations. The botnet is also able to control mining processes and malware updates. The control is possible through the communications with C2 server.

Command for KmsdBot to attack the target server, sent from the C2 (screenshot)

According to Akamai, the first detected target of KmsdBot was the gaming company FiveM, a multiplayer mod for GTA V that allows players to access custom role-playing servers. Botnet DDoS attacks include OSI Layer 4 and 7 attacks, in which a flood of TCP, UDP, or HTTP GET requests are sent to overwhelm the target server’s resources and bring it into a denial of service state. It is noteworthy that the KmsdBot botnet began as a bot for a gaming application, but turned into a tool for attacking worldwide-known names.

Is KmsdBot dangerous?

Like any other malware, KmsdBot is not a pleasant addition to an infected system. It brings coin mining and DDoS capabilities, which create enough problems for PC usage regardless of the task. Mining means high hardware utilisation, which makes it problematic even to use basic apps. DDoS attacks, on the other hand, not only take a lot of bandwidth but can also lead to bans of the infected PC’s IP address on the attacked sites.

The other edge of the danger is the way this malware spreads to users’ computers. Aside from the fact that exploitation is not typical for malware aimed at single users, it also opted for the disguise of a bot for a game, GTA V. Gamers are known as not the most careful users, as they are the usual audience for cracks, patches and various automation tools like bots. Since GTA V is not the only game where bot usage pays off, a surge in KmsdBot spreading in the coming weeks would not be surprising.
