Cryptomining Tool ‘Victor’ — Advertised as Onion DDoS Tool on Dark Web
With the rise of cryptomining, plenty of tools and platforms offer Mining as a Service, such as NiceHash and Genesis Mining. As with any technology that gains traction, criminals have been quick to find malicious uses for it.
One such advertisement was spotted on a dark web paste platform, where an anonymous poster advertised a malicious program as an "Onion DDoS Tool".
Such posts are nothing new on dark web or deep web forums. The catch here is that, rather than a bare download link and a short description as in the past, adversaries now market these tools more cleverly, adding a few technical details that tempt newcomers to run the tool without a second thought.
Analysis of the file shows that the application is malicious, yet its AV detection rate is low: only a handful of engines flag it.
Pivoting on the submitted sample's indicators turns up several other malicious applications sharing them, such as:
As the screenshot above shows, most of the files flagged as "malicious" have a low AV detection rate of roughly 1% to 3%, and some that match the uploaded sample are even marked "clean". During the check it was also found that the tool (Victor) looks for the presence of debuggers and contains anti-reverse-engineering measures.
The tool targets 64-bit Windows machines (AMD64 builds).
Next we clarify what the AMD64 label actually means, since it is often misread as "AMD hardware only", and unpack the hidden programs bundled with Victor.
Disassembling the application yields the following module breakdown:
Static analysis shows that the program reuses code from several known malware families:
Of the four families listed above, two (XMRig and CoinMiner) are silent miners, while the other two (AMBA and Don't Worry) are ransomware families spotted earlier in the wild.
AMBA: ransomware that originally targeted Russian cyberspace in 2016. Once a machine is infected, its files are encrypted and renamed with the .amba or .rrod extension. The point of contact the adversary gives victims for paying the Bitcoin ransom is firstname.lastname@example.org.
Don't Worry: another spin-off of the AMBA and CryptoLab ransomware families.
XMRig: a well-known open-source Monero miner, designed for mining on ordinary CPUs (and GPUs) rather than on ASIC hardware such as Antminers. It has since been widely abused: run by botnets, bundled into malware packages such as BlackSquid, dropped after RDP compromises, embedded in browsers, and distributed through YouTube videos carrying hex-encoded IP addresses of the mining servers.
CoinMiner: a Monero-mining malware family.
Closer inspection of the CoinMiner module shows a code similarity match with a BlueKeep exploit (BlueKeep is a vulnerability in Microsoft's RDP implementation that allows remote code execution).
[BlueKeep, CVE-2019-0708: a flaw in the RDP implementation, disclosed and patched in May 2019, that allows unauthenticated remote code execution. It affects Windows 7, Windows Server 2008 and 2008 R2, and out-of-support versions such as Windows XP and Server 2003; Windows 8 and Windows 10 are not affected. A second set of RDP remote code execution flaws patched in August 2019, which does reach from Windows 7 up to Windows 10, is known as DejaBlue and should not be confused with BlueKeep.]
The CoinMiner module in the tool carries a recent compile timestamp:
Further analysis shows that the tool bundles a Perl runtime and Microsoft Visual C++ libraries.
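As an added example (not the author's code and not taken from the Victor sample), the following Python script shows how the two facts above, the AMD64 target and the compile timestamp, are read directly from a PE file's COFF header, and adds a naive strings-style scan for debugger-check API names of the kind that hint at the anti-debugging behaviour noted earlier. The sample bytes are constructed inside the script; feed it the contents of a real file to triage an actual sample. The function names (`parse_pe_header`, `triage`, `build_sample`) and the constructed header are my own assumptions, not anything from the sandbox report.

```python
"""Minimal PE header triage for a Windows sample (added example).

Reads the COFF header for target architecture and compile timestamp,
then scans the raw bytes for debugger-check API names. The sample
bytes built by build_sample() are constructed for this demo.
"""
import struct
from datetime import datetime, timezone

# IMAGE_FILE_MACHINE constants from the PE/COFF specification. Note that
# 0x8664 names the x86-64 instruction set, which both Intel and AMD CPUs run.
MACHINE_NAMES = {
    0x014C: "I386 (32-bit x86)",
    0x8664: "AMD64 (x86-64 instruction set, implemented by Intel and AMD)",
    0x01C4: "ARMNT (32-bit ARM)",
    0xAA64: "ARM64",
}
PE32_MAGIC = 0x10B       # optional header magic for 32-bit images
PE32PLUS_MAGIC = 0x20B   # optional header magic for 64-bit images

# Import names commonly associated with debugger detection.
ANTI_DEBUG_APIS = (
    b"IsDebuggerPresent",
    b"CheckRemoteDebuggerPresent",
    b"NtQueryInformationProcess",
)


def parse_pe_header(data: bytes) -> dict:
    """Return architecture, bitness and compile time from a PE image's headers."""
    if data[:2] != b"MZ":
        raise ValueError("not a PE file: missing MZ signature")
    (e_lfanew,) = struct.unpack_from("<I", data, 0x3C)   # offset of "PE\0\0"
    if data[e_lfanew:e_lfanew + 4] != b"PE\0\0":
        raise ValueError("not a PE file: missing PE signature")
    coff = e_lfanew + 4
    # COFF file header (20 bytes): Machine, NumberOfSections, TimeDateStamp,
    # PointerToSymbolTable, NumberOfSymbols, SizeOfOptionalHeader, Characteristics
    machine, nsections, stamp, _, _, _, flags = struct.unpack_from(
        "<HHIIIHH", data, coff)
    (magic,) = struct.unpack_from("<H", data, coff + 20)  # optional header magic
    return {
        "machine": MACHINE_NAMES.get(machine, f"unknown (0x{machine:04X})"),
        "is_64bit": magic == PE32PLUS_MAGIC,
        "sections": nsections,
        "compile_time": datetime.fromtimestamp(stamp, tz=timezone.utc).isoformat(),
        "is_dll": bool(flags & 0x2000),   # IMAGE_FILE_DLL
    }


def find_anti_debug_imports(data: bytes) -> list:
    """Naive strings-style scan for debugger-check API names in the file."""
    return [name.decode() for name in ANTI_DEBUG_APIS if name in data]


def triage(data: bytes) -> dict:
    """Combine header facts with the anti-debug string scan."""
    info = parse_pe_header(data)
    info["anti_debug_apis"] = find_anti_debug_imports(data)
    return info


def build_sample(machine: int, magic: int, stamp: int, extra: bytes = b"") -> bytes:
    """Construct a minimal PE header for demonstration; not a real binary."""
    dos = b"MZ" + b"\0" * (0x3C - 2) + struct.pack("<I", 0x40)   # e_lfanew = 0x40
    coff = struct.pack("<HHIIIHH", machine, 3, stamp, 0, 0, 240, 0x0022)
    return dos + b"PE\0\0" + coff + struct.pack("<H", magic) + b"\0" * 16 + extra


if __name__ == "__main__":
    # Constructed 64-bit sample, June 2019 timestamp, two debugger-check imports.
    sample = build_sample(0x8664, PE32PLUS_MAGIC, 1560000000,
                          b"\0IsDebuggerPresent\0CheckRemoteDebuggerPresent\0")
    for key, value in triage(sample).items():
        print(f"{key}: {value}")
```

The Machine field tells you the instruction set the binary was compiled for, not the CPU vendor it will run on; a real sample should be read with `open(path, "rb").read()` and passed to `triage`. The string scan is deliberately crude (a packed sample hides these names), so treat a hit as a hint and a miss as nothing at all.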
Running an untrusted tool can make anyone part of a botnet, which can then be used for DDoS, spamming, cryptomining and other offensive purposes.
The AMD64 label on the build refers to the x86-64 instruction set, which both AMD and Intel processors implement; it does not mean the tool prefers AMD hardware, and it says nothing about GPU mining capability. Victor simply targets 64-bit Windows, whatever the CPU vendor.
In Victor, one sample matched a BlueKeep exploit. At the time of writing the vulnerability is new, and many systems remain unpatched, so the likelihood of successful infection is high.
Libraries and source code from past offensive programs are readily reused by adversaries to maximise the reach of a new campaign.
Further analysis can be found in the sandbox report (Free Automated Malware Analysis Service — powered by Falcon Sandbox). The report's extracted strings include a Perl fragment, consistent with the embedded Perl runtime noted above:
"############//123333789:; ($^O =~ /^MSWin/ ? ';' : ':'),_exe => ($^O =~ /^(?:MSWin|OS2|cygwin)/ ? '.exe' : ''),_delim…
Note: this article is individual research and is not to be used or published elsewhere without the author's consent.
Care to donate for research purposes?
1E4v8eXjieNhKDWc5Rww84D2TXrqxcjVKZ (only BTC Accepted)