GrandSoft EK via Slots drops Leviarcoin Miner

Summary:

Time for a traditional EK post. This is the first time I’ve seen GrandSoft myself. Sadly (or great, depending on your point of view) it is less sophisticated than Rig EK, and let’s face it, Rig EK does not try hard.

In this run I have used a “Slots” gate and a vulnerable version of IE to get GrandSoft to run.

The payload appears to be a Leviarcoin miner, which is unusual as most miners tend to go for XMR (Monero) from what I have seen. I had to run the payload manually and it ended up crashing my VM after I tried to reboot to get a scheduled task to kick in. So I’m not entirely sure it works, and it’s likely a work in progress.

Background Information:

Downloads (in password protected zip)

Details of infection chain:

[Figure: GrandSoftMiner, overview of the infection chain]

Full Details:

The infection chain begins with a malvertising campaign known as “Slots”. A simple 302 redirect leads to GrandSoft EK.
[Screenshot: Slots redirect]
The landing page of GrandSoft is not obfuscated. It still checks for various plugins such as Flash, Java, Adobe Reader and Silverlight.
[Screenshot: GrandSoft1, landing page plugin checks]
The second part of the landing page exploits CVE-2016-0189, AKA “God Mode”, to download the payload in a similar fashion to Rig EK. Unfortunately I don’t have the commands it ran, but there is no RC4.
[Screenshot: GrandSoft2, exploit section of the landing page]
The payload is suspected to be a coin miner. It failed to run automatically, so I had to run it from Temp where it was dropped. Upon doing so it began creating scheduled tasks rapidly, to the point where I thought I would restart. My VM booted, but it has basically been crippled by these scheduled tasks and I could no longer interact with it. The full path contained a folder in Roaming called “WindowsShell”. Based on the user agent string, it is likely written with AutoIt.
The dropped file was named “bussyzz (1).exe”.
[Screenshot: payload drop]

[Screenshot: process spam caused by the scheduled tasks]
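The “scheduled tasks rapidly” behaviour above is a useful detection hook on its own. The following is an added example, not code from the original post: it parses a constructed, simplified flattening of Windows Security Event ID 4698 (“A scheduled task was created”) records, flags tasks whose executable lives under the user-writable AppData tree (such as the Roaming\WindowsShell folder seen here), and reports any executable registered as a task in a burst. The log format, task names and paths are assumptions for illustration.

```python
import re
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Constructed scheduled-task creation events (Windows Security Event ID 4698),
# flattened to "timestamp|task_name|command". Illustrative values, not the post's.
SAMPLE_LOG = """\
2018-02-10T10:00:01|\\Microsoft\\Windows\\Defrag\\ScheduledDefrag|C:\\Windows\\System32\\defrag.exe
2018-02-10T10:15:00|\\Update1|C:\\Users\\victim\\AppData\\Roaming\\WindowsShell\\bussyzz (1).exe
2018-02-10T10:15:02|\\Update2|C:\\Users\\victim\\AppData\\Roaming\\WindowsShell\\bussyzz (1).exe
2018-02-10T10:15:03|\\Update3|C:\\Users\\victim\\AppData\\Roaming\\WindowsShell\\bussyzz (1).exe
2018-02-10T10:15:05|\\Update4|C:\\Users\\victim\\AppData\\Roaming\\WindowsShell\\bussyzz (1).exe
2018-02-10T10:15:06|\\Update5|C:\\Users\\victim\\AppData\\Roaming\\WindowsShell\\bussyzz (1).exe
2018-02-10T11:00:00|\\OneDriveUpdate|C:\\Users\\victim\\AppData\\Local\\Microsoft\\OneDrive\\Updater.exe
"""
# Task executables living under the user-writable AppData tree.
USER_WRITABLE = re.compile(r"\\AppData\\(Roaming|Local)\\", re.IGNORECASE)

def parse_events(text):
    """Parse 'timestamp|task_name|command' lines into (datetime, task, command)."""
    events = []
    for line in text.splitlines():
        if line.strip():
            ts, task, command = line.split("|", 2)
            events.append((datetime.fromisoformat(ts), task, command))
    return events

def is_user_writable(command):
    """True if the task's executable sits under AppData\\Roaming or AppData\\Local."""
    return bool(USER_WRITABLE.search(command))

def detect(events, window_seconds=60, threshold=3):
    """Return task names run from user-writable paths, plus any executable that was
    registered as a task `threshold` or more times within a `window_seconds` window."""
    user_writable = [task for _, task, cmd in events if is_user_writable(cmd)]
    per_command = defaultdict(list)
    for ts, _, cmd in events:
        per_command[cmd].append(ts)
    bursts, window = {}, timedelta(seconds=window_seconds)
    for cmd, stamps in per_command.items():
        recent, peak = deque(), 0
        for ts in sorted(stamps):
            recent.append(ts)
            while ts - recent[0] > window:  # slide: drop stamps older than the window
                recent.popleft()
            peak = max(peak, len(recent))
        if peak >= threshold:  # the "scheduled tasks rapidly" pattern from the post
            bursts[cmd] = peak
    return {"user_writable": user_writable, "bursts": bursts}
```

Running `detect(parse_events(SAMPLE_LOG))` reports six tasks in user-writable locations but only one burst, the WindowsShell executable registered five times in six seconds; the single OneDrive task is listed but not treated as a burst.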

The miner appears to be for a coin called Leviarcoin, which is based on the CryptoNight algorithm. Below you can see some interesting details, including two IP addresses and an email address. I guess this is an unusual coin to mine, as they mostly tend to be XMR miners.
[Screenshot: miner coin details]
I’m unsure of the exact function of the dropped files. So I’m not sure this miner would even work. It certainly appears to be a work in progress.
[Screenshot: hashes of the dropped files]
The C2 domain returns a holding page stating real content is coming soon. I was unable to access the “bussyzz” directory to see what else was there.
[Screenshot: C2 domain holding page]
I think that is about all. It’s interesting to see this miner and I wonder how things will develop in the future.
