I've come across a recently created rootkit, not yet detectable by many AV programs. This is part of an application "cracking" scam zip. That's not interesting, obviously. What's really interesting is that the main rootkit file (which installs itself as a Windows service) is digitally signed. Its icon is the same as the Process Explorer one (https://docs.microsoft.com/en-us/sysinternals/downloads/process-explorer). The rootkit seems to be related to cryptocurrency mining (first glance, not yet analyzed). Here is the digital certificate: I may have some time to analyze the thing and post a full analysis here. For reference, I'm posting the virus file in an encrypted zip file. Password: "virus" (without the quotes). DO NOT OPEN THE FILE INSIDE, IT IS MALWARE!! ONLY DO SO IF YOU KNOW WHAT YOU'RE DOING (e.g. analyze the thing in a protected environment)! (Link removed to prevent non-legitimate use)
Perhaps he loves MDL sooooooooooooooooooooooooooo much! No seriously, it's a good idea to submit this to anti-malware firms
I don't see what purpose it serves to release potentially unknown malware on here so it can be reused by some unknown MDL lurker to do who knows what!
It's not rare that malware is signed with stolen certs. http://www.ccssforum.org/malware-certificates.php It should be reported since their certs become useless once they have been stolen...
Out of curiosity whether my AV would detect it, I tried to access the download yesterday on the day of posting, but was blocked for some reason. I didn't insist, as it wasn't a good idea in the first place.
I already did. I uploaded the file to VirusTotal (which sends it to AV companies for analysis). I'm not very experienced with this, thanks for the link. I will try to report the certificate (don't know how to fill in the "Website where the certificate is located or can be downloaded" field, since the malware is inside another file). I found the company's profile. It's not stolen, it's a shadow company: https://beta.companieshouse.gov.uk/company/10843206 I'm not a member of a security-related forum (yet). This is why I posted the file here, so that any pro/hobbyist is able to analyze it and learn more about its functionality. On second thoughts, however, there is the possibility of non-legitimate use, so I will remove the file. For the same reason, I've decided not to publish in full detail any analysis of the malware I may be able to make. UPDATE: My AV software (COMODO) does recognize the malware now. Hope they've already submitted the cert for revocation.
This thread reminds me of the time someone asked me "Here, try this yogurt, I think it might have gone bad."
Then there was the electrician who asked his young assistant, "Touch this wire". The assistant did. The electrician then said, "OK, now be careful not to touch the other one next to it, because it's electrified". And once I saw in a German computer mag a list of warez sites with the warning, “Don’t get any free stuff from these, as it’s illegal”.
You may post any details of analyses here. You've mentioned it is cryptocurrency mining related. I wonder what it really does, since mining is usually done on ASIC chips, or maybe it is just designed to steal crypto coins. BTW: There is malware that is specially designed to steal private keys and certificates. Also, CAs were attacked. And there is a way to inject code into the non-signed area (end of certificate table) and execute it from a PE 'loader'. https://www.blackhat.com/docs/us-16...are-From-A-Digitally-Signed-Executable-wp.pdf
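An added defensive check, not code from any poster in this thread, for the certificate-table trick mentioned above: it walks the PE security directory and reports bytes sitting inside a WIN_CERTIFICATE entry after the PKCS#7 blob, or past the end of the table, which a legitimate signature does not need. `build_sample` constructs a minimal PE32 fixture with a stand-in DER blob (not a real signature) so the check runs offline.

```python
import struct

def _der_len(buf):
    """Total encoded length (tag + length + content) of the DER SEQUENCE at buf[0]."""
    if len(buf) < 2 or buf[0] != 0x30:
        raise ValueError("entry does not start with a DER SEQUENCE")
    if buf[1] < 0x80:
        return 2 + buf[1]
    n = buf[1] & 0x7F
    if not 1 <= n <= 4 or len(buf) < 2 + n:
        raise ValueError("bad DER length")
    return 2 + n + int.from_bytes(buf[2:2 + n], "big")

def check_cert_table(pe):
    """Report unsigned bytes hiding in or after the Authenticode certificate table."""
    e_lfanew = struct.unpack_from("<I", pe, 0x3C)[0]
    if pe[e_lfanew:e_lfanew + 4] != b"PE\0\0":
        raise ValueError("not a PE image")
    opt = e_lfanew + 24                                   # optional header start
    magic = struct.unpack_from("<H", pe, opt)[0]
    dirs = opt + (96 if magic == 0x10B else 112)          # PE32 vs PE32+ data directories
    sec_off, sec_size = struct.unpack_from("<II", pe, dirs + 4 * 8)  # entry 4 = SECURITY (file offset)
    findings, pos, end = [], sec_off, sec_off + sec_size
    if sec_off == 0 or sec_size == 0:
        return {"signed": False, "findings": findings}
    while pos + 8 <= end:
        dw_len, _rev, _ctype = struct.unpack_from("<IHH", pe, pos)  # WIN_CERTIFICATE header
        if dw_len < 8 or pos + dw_len > end:
            findings.append(f"entry at {pos}: dwLength {dw_len} out of bounds"); break
        blob = pe[pos + 8:pos + dw_len]
        slack = blob[_der_len(blob):]                     # bytes after the PKCS#7 SEQUENCE
        if len(slack) > 7 or any(slack):                  # more than alignment padding, or non-zero
            findings.append(f"entry at {pos}: {len(slack)} unsigned bytes after PKCS#7 blob")
        pos += (dw_len + 7) & ~7                          # entries are 8-byte aligned
    if len(pe) > end:
        findings.append(f"{len(pe) - end} bytes after the certificate table")
    return {"signed": True, "findings": findings}

def build_sample(extra=b""):
    """Constructed minimal PE32 with one certificate entry; 'extra' is smuggled inside dwLength."""
    blob = b"\x30\x03\x02\x01\x05"                        # stand-in for a PKCS#7 SEQUENCE, not a real signature
    opt_size = 96 + 16 * 8
    cert_off = 0x40 + 4 + 20 + opt_size
    entry = struct.pack("<IHH", 8 + len(blob) + len(extra), 0x0200, 0x0002) + blob + extra
    entry += b"\0" * (-len(entry) % 8)
    opt = bytearray(opt_size)
    struct.pack_into("<H", opt, 0, 0x10B)
    struct.pack_into("<II", opt, 96 + 4 * 8, cert_off, len(entry))
    dos = b"MZ" + b"\0" * 58 + struct.pack("<I", 0x40)
    coff = struct.pack("<HHIIIHH", 0x14C, 0, 0, 0, 0, opt_size, 0x102)
    return dos + b"PE\0\0" + coff + bytes(opt) + entry
```

On a real file, `check_cert_table(open(path, "rb").read())` gives the same report; an empty findings list only means the table is tidy, not that the signer is trustworthy.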
Malicious crypto miners can be installed on Apple, Linux and Windows PCs. They make coin on your resources. https://www.sentinelone.com/blog/osx-pwnet-a-csgo-hack-and-sneaky-miner/ https://vms.drweb.com/virus/?_is=1&i=15743486 http://blog.trendmicro.com/trendlab...miner-uses-wmi-eternalblue-spread-filelessly/
Before the EternalBlue exploit appeared as WannaCry, which encrypts data, the same SMB exploit had been used to spread Adylkuzz, a mining malware. It's no ransomware like WannaCry, but it silently takes advantage of your CPU power. They mostly mine coins with less difficulty, like Monero; anyway, mining requires a high CPU/GPU usage/load.
OK, I will post all details then. I just need to find some free time to start debugging. Probably this weekend.
It sounds like that trojan certificate is designed to steal Bitcoin accounts. They've been getting hacked a lot lately... I bet there's a good possibility that certificate came from Russia or China.
Certificates are either stolen from a server (private part to sign) or legitimately signed 'software' is used for malicious code injection... The malicious software then either mines coins itself or steals the wallet, while a properly encrypted wallet is actually useless. You'd need malicious software that checks the virtual memory to spot the place and time when the private certificates (which authenticate your public BTC addresses) are decrypted and can be stolen and sent away. When using a cold wallet, such malicious code is useless, though. Mining code can be spotted by high CPU usage.
I bet the regular end user would never realize his digital wallet is being hacked or notice high CPU usage.