Summary:
Time for a traditional EK post. This is the first time I’ve seen GrandSoft myself. Sadly (or great depending on your point of view) it is less sophisticated than Rig EK and let’s face it – Rig EK does not try hard.
In this run I have used a “Slots” gate and a vulnerable version of IE to get GrandSoft to run.
The payload appears to be a Leviarcoin miner which is unusual as most miners tend to go for XMR (Monero) from what I have seen. I had to run the payload manually and it ended up crashing my VM after I tried to reboot to get a scheduled task to kick in. So I’m not entirely sure it works and it’s likely a work in progress.
Background Information:
- An article regarding the original GrandSoft EK
http://malware.dontneedcoffee.com/2013/09/FinallyGrandSoft.html
Downloads
(in password protected zip)
- 09-Feb-2018-GranSoft-Miner-PCAP -> PCAP for traffic
- 09-Feb-2018-GrandSoft-Miner-CSV -> Some IOCs in CSV
- 09-Feb-2018-GrandSoft-Miner-Files -> Miner files dropped
- C2 from details ->
Details of infection chain:
Full Details:
The infection chain begins with a malvertising campaign known as “Slots”. A simple 302 redirect leads to GrandSoft EK.
The landing page of GrandSoft is not obfuscated. It still checks for various plugins such as Flash, Java, Adobe Reader and Silverlight.
The second part of the landing exploits CVE-2016-0189 AKA “God Mode” to download the payload in a similar fashion to Rig EK. Unfortunately I don’t have the commands it ran but there is no RC4.
The payload is suspected to be a Coin Miner. It failed to run automatically so I had to run it from Temp where it was dropped. Upon doing so it began creating scheduled tasks rapidly to the point where I thought I would restart. My VM booted in but it has basically become crippled with these scheduled tasks and I could no longer interact with it. The full path contained a folder in Roaming called “WindowsShell”. Based on the user agent string, it is likely written with AutoIt.
The dropped file was named “bussyzz (1).exe”.
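For defenders, the behaviour described above (a burst of scheduled task creations pointing into a “WindowsShell” folder under Roaming) can be hunted in exported task-creation events. The following is an added example, not from the original post or the malware; the log format, host names, task names, `placeholder.exe`, and the window and threshold defaults are all assumptions made for illustration.

```python
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Constructed sample export, one event per line, assumed to be in time order:
#   timestamp|host|event_id|task_name|task_action
# 4698 is the Windows Security event "A scheduled task was created".
# Host names, task names and placeholder.exe are made up for this example.
SAMPLE_LOG = r"""
2018-02-09T09:00:00|WS-03|4698|\t1|C:\Users\u3\AppData\Roaming\WindowsShell\placeholder.exe
2018-02-09T09:30:00|WS-02|4698|\Updater|C:\Program Files\Updater\update.exe
2018-02-09T10:00:01|VM-IE|4698|\a1|C:\Users\lab\AppData\Roaming\WindowsShell\placeholder.exe
2018-02-09T10:00:02|VM-IE|4698|\a2|C:\Users\lab\AppData\Roaming\WindowsShell\placeholder.exe
2018-02-09T10:00:03|VM-IE|4698|\a3|C:\Users\lab\AppData\Roaming\WindowsShell\placeholder.exe
2018-02-09T10:00:04|VM-IE|4698|\a4|C:\Users\lab\AppData\Roaming\WindowsShell\placeholder.exe
2018-02-09T10:00:05|VM-IE|4698|\a5|C:\Users\lab\AppData\Roaming\WindowsShell\placeholder.exe
2018-02-09T10:00:06|VM-IE|4698|\a6|C:\Users\lab\AppData\Roaming\WindowsShell\placeholder.exe
2018-02-09T10:00:07|VM-IE|4702|\a1|C:\Users\lab\AppData\Roaming\WindowsShell\placeholder.exe
2018-02-09T11:00:00|WS-03|4698|\t2|C:\Users\u3\AppData\Roaming\WindowsShell\placeholder.exe
"""

# Folder named in the post; compared case-insensitively against the task action.
MARKER = "\\appdata\\roaming\\windowsshell\\"

def find_task_bursts(log_text, window=timedelta(seconds=60), threshold=5):
    """Return {host: peak count} for hosts that created at least `threshold`
    scheduled tasks pointing into Roaming\\WindowsShell within `window`."""
    recent = defaultdict(deque)   # host -> creation times inside the window
    flagged = {}
    for line in log_text.splitlines():
        parts = line.strip().split("|")
        if len(parts) != 5:
            continue              # blank or malformed line
        ts, host, event_id, _task, action = parts
        if event_id != "4698" or MARKER not in action.lower():
            continue              # not a task creation, or a different path
        when = datetime.fromisoformat(ts)
        times = recent[host]
        times.append(when)
        while when - times[0] > window:
            times.popleft()       # slide the window forward
        if len(times) >= threshold:
            flagged[host] = max(flagged.get(host, 0), len(times))
    return flagged

if __name__ == "__main__":
    print(find_task_bursts(SAMPLE_LOG))
```
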
The miner appears to be for a coin called Leviarcoin which is based on the CryptoNight algorithm. Below you can see some interesting details including two IP addresses and an email address. I guess this is an unusual coin to mine as they mostly tend to be XMR miners.

I’m unsure of the exact function of the dropped files. So I’m not sure this miner would even work. It certainly appears to be a work in progress.
The C2 domain returns a holding page stating real content is coming soon. I was unable to access the “bussyzz” directory to see what else was there.
I think that is about all. It’s interesting to see this miner and I wonder how things will develop in the future.