Zoomed In: A Look into a Coinminer Bundled with Zoom Installer
We found a coinminer bundled with the legitimate installer of video conferencing app Zoom. Users who attempt to download the installer get more than what they bargain for as they instead download the AutoIt compiled malware Trojan.Win32.MOOZ.THCCABO.
Save to Folio
Many companies around the world have transitioned to work-from-home arrangements because of growing concerns over the COVID-19 global health crisis. This new setup has highlighted the usefulness of video conferencing apps. These platforms have been utilized by companies and remote workforces to hold meetings and for other communication needs even long before the virus outbreak occurred. Unfortunately, cybercriminals are taking advantage of these tools’ recent time in the spotlight to spread malware.
We found a Coinminer bundled with the legitimate installer of video conferencing app Zoom, luring users who want to install the software but end up unwittingly downloading a malicious file. The compromised files are not from Zoom’s official download center, and are assumed to come from fraudulent websites. We have been working with Zoom to ensure that they are able to communicate this to their users appropriately.
Figure 1. Code snippets of 64.exe (a coinminer) bundled with a Zoom installer
Analysis of the malicious file
Users who attempt to download the installer get more than what they bargain for as they instead download the AutoIt compiled malware Trojan.Win32.MOOZ.THCCABO. The files it drops include the following:
|Detected as Coinminer.Win64.MOOZ.THCCABO
|asacpiex.dll (first 5 bytes are NULL)
|Archive file containing Coinminer.Win64.MOOZ.THCCABO
|CR_Debug_Log.txt (asacpiex.dll with the first 5 bytes replaced)
|Archive file containing Coinminer.Win64.MOOZ.THCCABO
|Used for scheduling tasks
|Legitimate Zoom installer version 220.127.116.11
Figure 2. The contents of the malicious file
Figure 3. A detailed breakdown of the file’s contents
For the archive file asascpiex.dll, the first 5 bytes NULL, and then were replaced by 0x00 in an attempt to make it difficult to determine its original file signature, 0x37 0x7A 0xBC 0xAF 0x27, which would identify it as a 7-Zip archive file. This file will soon be copied as CR_Debug_log.txt. 7-Zip archiver CL_Debug_log.txt is used to decompress this password-protected archive.
Figure 4. Screen showing the asacpiex.dll file format signature
The file determines the architecture of the infected system by using the cpuinfo flags bits. It will drop 64.exe for 64-bit systems. The package does not contain a 32.exe for 32-bit systems, meaning the malware only runs in a 64-bit environment for now.
Figure 5. Screens showing 64.exe code snippet
The file gathers information such as Graphics Processing Unit (GPU) information using Windows Management Instrumentation (WMI queries), which is useful information for mining activities. It also collects details on CPU, system, operating system version, video controllers, and processors.
Figure 6. Code that checks the processor details
Figure 7. Code that checks the video controller details
It also checks whether the Microsoft SmartScreen and Windows Defender are enabled and if the antivirus solutions listed below are running in the system:
|AvastUI.exe / AvastSvc.exe
|avguix.exe / AVGUI.exe
|avp.exe / avpui.exe
|egui.exe / ekrn.exe
Figure 8. Code that checks for running antivirus products
The gathered info will be sent to hxxps://2no.co/1IRnc using HTTP GET request.
Figure 9. Information sent to a URL using HTTP GET request
The CR_Debug_log.txt is a file, compressed using 7-Zip archiver, that contains the payload 64.exe coinminer. It will soon be copied as helper.exe coinminer into the %appdata%\Roaming\Microsoft\Windows\ folder. This is an AutoIt compiled malware that contains 7-Zip archiver and a compressed Tor binaries that are password protected. To maintain persistence, it schedules tasks with the -SystemCheck argument.
Figure 10. -SystemCheck scheduled task description
Figure 11. -SystemCheck scheduled task – actions
Once helper.exe is launched using the scheduled task, it will spawn itself with the -SystemCheck91137 argument.
Figure 12. -SystemCheck91137 in the Command Line of helper.exe properties
To evade detection, helper.exe checks whether the following processes are running. Aside from security tools, this list also includes other monitoring tools that can help detect mining activity:
It will then spawn the Tor binaries to start with coinmining.
The sudden need to transition to a work-from-home setup left enterprises with little time to ramp up security measures to ensure that it fits the requirements demanded by remote work. It also exposes businesses to possible compromise due to threat actors abusing tools like video conferencing apps to propagate malware.
Users are advised to only download installers from applications’ official websites to avoid such compromise. Users should also follow best practices for securing work-from-home setups. A multilayered protection approach is also recommended to effectively detect and block threats regardless of where they are in the system.
Indicators of Compromise
|Trend Micro Pattern Detection
|Trend Micro Predictive Machine Learning Detection
|04b560d234e8706d5e43532e9e674ee54ed6f63d62795fb0e5776e23da7eb4d8 (64.exe payload)