Recently, Sangfor discovered a new kind of mining virus with high-intensity anti-analysis behavior, whose mechanism differs greatly from that of conventional miners. The virus is currently in the early stage of its outbreak. Sangfor has named it the EnMiner mining virus and will continue to track its development and formulate detailed countermeasures.
EnMiner is the most "murderous" mining virus encountered so far. Its high-intensity anti-analysis behavior can be summed up as "seven antis and five kills": it is anti-sandbox, anti-debugging, anti-behavior-monitoring, anti-network-monitoring, anti-disassembly, anti-file-analysis and anti-security-analysis, and at the same time it kills services, scheduled tasks, other viruses and rival miners, and even terminates itself as the most extreme form of resisting analysis.
Virus analysis
Attack scenario
The EnMiner attack can be described as well prepared: it has done its homework both on eliminating rivals and on resisting analysis.
As shown in the figure above, lsass.eXe is the mining virus body (located in the C:\Windows\temp directory) and is responsible for the mining function. The PowerShell scripts are Base64-encoded and stored in WMI, in three modules: Main, Killer and StartMiner. The Main module is responsible for startup, Killer is responsible for killing services and processes, and StartMiner is responsible for starting the miner. The details are as follows:
First, the abnormal WMI item starts PowerShell on a schedule: according to its WQL statement, it is automatically triggered once every hour.
PowerShell then checks whether the lsass.eXe file exists. If it does not, it reads the EnMiner property of the PowerShell_Command class in the WMI namespace root\cimv2, Base64-decodes it and writes the result to lsass.eXe.
Once all the processes have been executed, mining begins.
Advanced anti-analysis
Besides its mining function, the mining virus body lsass.eXe itself also has advanced anti-analysis behavior: it does everything possible to prevent security software or security personnel from analyzing it.
lsass.eXe creates a thread that performs the following strongly adversarial operations:
It iterates over the running processes and, if it finds a matching one (for example the sandbox process SbieSvc.exe), terminates itself:
The corresponding disassembled code is as follows:
In summary, it performs a "seven antis" operation: when any of the following security analysis tools or processes is present, it exits automatically to avoid being analyzed in a sandbox environment or by security personnel.
The first anti: anti-sandbox
Anti-sandbox files: SbieSvc.exe, SbieCtrl.exe, JoeBoxControl.exe, JoeBoxServer.exe
The second anti: anti-debugging
Anti-debugging files: WinDbg.exe, OllyDBG.exe, OllyICE.exe, ImmunityDebugger.exe, x32dbg.exe, x64dbg.exe, win32_remote.exe, win64_remote64.exe
The third anti: anti-behavior monitoring
Anti-behavior-monitoring files: RegMon.exe, RegShot.exe, FileMon.exe, ProcMon.exe, AutoRuns.exe, AutoRuns64.exe, taskmgr.exe, PerfMon.exe, ProcExp.exe, ProExp64.exe, ProcessHacker.exe, sysAnalyzer.exe, Proc_Analyzer.exe, Proc_Watch.exe, Sniff_Hit.exe
The fourth anti: anti-network monitoring
Anti-network-monitoring files: Wireshark.exe, DumpCap.exe, TShark.exe, APorts.exe, TcpView.exe
The fifth anti: anti-disassembly
Anti-disassembly files: IDAG.exe, IDAG64.exe, IDAQ.exe, IDAQ64.exe
The sixth anti: anti-file analysis
Anti-file-analysis files: PEiD.exe, WinHex.exe, LordPE.exe, PEditor.exe, Stud_PE.exe, ImportREC.exe
The seventh anti: anti-security analysis
Anti-security-analysis software: HRSword.exe, HipsDaemon.exe, ZhuDongFangYu.exe, QQPCRTP.exe, PCHunter32.exe, PCHunter64.exe
Widespread killing
In order to maximize its profit, EnMiner carries out a "five kills" operation.
The first kill: kill services
All service processes that get in its way are killed (all killing operations are carried out by the Killer module).
The second kill: kill scheduled tasks
All kinds of scheduled tasks that waste system resources (above all the CPU resources a miner cares most about) are killed.
The third kill: kill viruses
EnMiner also kills other viruses. Is it doing a good deed?
Of course not. WannaCry 2.0 and WannaCry 2.1, for example, cause blue screens and ransom demands, which would certainly interfere with EnMiner's mining, so they are killed.
Another example is the BillGates DDoS virus: its DDoS function would certainly interfere with EnMiner's mining, so it is killed as well.
The fourth kill: kill rivals
Rivals are enemies. One machine is not allowed to host two miners, and EnMiner does not let anyone else take the "mining" business away from it: every mining virus on the market is killed as soon as it is encountered.
To make sure its rivals are completely dead, it additionally kills processes by port (the ports commonly used for mining).
The fifth kill: suicide
As mentioned earlier, when EnMiner detects a relevant security analysis tool it exits, that is, it kills itself, which is the most extreme form of resisting analysis.
Mining at leisure
Having carried out the "seven antis and five kills" operation, EnMiner has no competitors left and can basically mine at leisure. In addition, the mining virus body lsass.eXe can be regenerated from WMI by Base64 decoding. This means that if only lsass.eXe is deleted, WMI regenerates it every hour and mining simply continues.
So far the virus has been mining Monero. It is currently in the early stage of its outbreak, and Sangfor reminds users to strengthen their defenses.
Solution
1. Isolate the infected host: Isolate the infected computer as soon as possible, close all network connections, and disable the network card.
2. Confirm the number of infections: It is recommended to use Sangfor's next-generation firewall or security awareness platform to confirm the scope across the whole network.
3. Delete the abnormal WMI startup items:
Use the Autoruns tool (download link: https://docs.microsoft.com/zh-cn/sysinternals/downloads/autoruns), find the abnormal WMI startup item and delete it.
4. Check for and kill the virus.
5. Patch vulnerabilities: If the system has vulnerabilities, patch them in time so that they cannot be exploited by viruses.
6. Change passwords: If a host account password is weak, it is recommended to reset it to a strong password so that it cannot be brute-forced.
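The following PowerShell script is an added example for this article, not Sangfor's tool and not the malware's own code. It covers the persistence chain described in the attack scenario (the hourly WMI event subscription, the Base64 payload stored in the EnMiner property of the root\cimv2:PowerShell_Command class, and the dropped C:\Windows\temp\lsass.eXe) and the manual clean-up of step 3 above, enumerating each piece and optionally removing it. The class, property and file names are taken from the report; the assumption that the Base64 text is UTF-16LE (as used by powershell -EncodedCommand) with a UTF-8 fallback is the author's own.

```powershell
# Added example (not Sangfor's tool, not the malware's code): triage and clean-up of the
# EnMiner persistence chain. Class/property/path names come from the report; the text
# encoding of the Base64 payload is assumed. Run elevated; read-only unless -Remove is given.
param([switch]$Remove)

$B64Pattern = '[A-Za-z0-9+/]{40,}={0,2}'   # a long Base64-looking blob

function Decode-Base64Text {
    param([string]$Text)
    try {
        $bytes = [Convert]::FromBase64String($Text)
        $s = [Text.Encoding]::Unicode.GetString($bytes)        # assumption: UTF-16LE first
        # decoding UTF-8 data as UTF-16LE yields mostly non-ASCII characters; fall back then
        if (($s.ToCharArray() | Where-Object { [int]$_ -gt 127 }).Count -gt $s.Length / 4) {
            $s = [Text.Encoding]::UTF8.GetString($bytes)
        }
        return $s
    } catch { return $null }
}

function Get-EncodedPowerShell {
    # returns the decoded script if the consumer action runs PowerShell with a Base64 blob
    param([string]$Text)
    if (-not $Text) { return $null }
    $hit = [regex]::Match($Text, $B64Pattern)
    if ($Text -match 'powershell' -and $hit.Success) { return Decode-Base64Text $hit.Value }
    return $null
}

# --- (1) permanent event subscriptions: filter (WQL trigger) -> consumer (action) ------
$ns = 'root/subscription'
$filters   = @(Get-CimInstance -Namespace $ns -ClassName __EventFilter -ErrorAction SilentlyContinue)
$consumers = @(Get-CimInstance -Namespace $ns -ClassName __EventConsumer -ErrorAction SilentlyContinue)
$bindings  = @(Get-CimInstance -Namespace $ns -ClassName __FilterToConsumerBinding -ErrorAction SilentlyContinue)
$toRemove  = @()

foreach ($b in $bindings) {
    $f = $filters   | Where-Object { $_.Name -eq $b.Filter.Name }
    $c = $consumers | Where-Object { $_.Name -eq $b.Consumer.Name }
    $cmd = "$($c.CommandLineTemplate)$($c.ScriptText)"   # whichever consumer type this is
    Write-Host "Binding : $($f.Name) -> $($c.Name) [$($c.CimClass.CimClassName)]"
    Write-Host "  WQL   : $($f.Query)"
    Write-Host "  Action: $cmd"
    $decoded = Get-EncodedPowerShell $cmd
    if ($decoded) {
        Write-Host "  !! Base64-encoded PowerShell action, decoded:`n$decoded"
        $toRemove += $b, $f, $c      # binding first, then filter and consumer
    }
}

# --- (2) the custom class used as a payload store --------------------------------------
$cls = Get-CimClass -Namespace 'root/cimv2' -ClassName 'PowerShell_Command' -ErrorAction SilentlyContinue
if ($cls) {
    Write-Host "!! Custom class root\cimv2:PowerShell_Command exists"
    # the value may sit on the class definition or on an instance; check both
    $values = @($cls.CimClassProperties | Where-Object { $_.Name -eq 'EnMiner' } | ForEach-Object { $_.Value })
    $values += Get-CimInstance -Namespace 'root/cimv2' -ClassName 'PowerShell_Command' -ErrorAction SilentlyContinue |
               ForEach-Object { $_.EnMiner }
    foreach ($v in ($values | Where-Object { $_ })) {
        $bytes = try { [Convert]::FromBase64String($v) } catch { $null }
        if ($bytes -and $bytes.Length -gt 1 -and $bytes[0] -eq 0x4D -and $bytes[1] -eq 0x5A) {
            Write-Host "  EnMiner property decodes to a PE image ($($bytes.Length) bytes, 'MZ' header)"
        }
    }
    if ($Remove) { ([wmiclass]'root\cimv2:PowerShell_Command').Delete(); Write-Host "  class deleted" }
}

# --- (3) the dropped miner and any lsass process running from temp ---------------------
$drop = 'C:\Windows\temp\lsass.eXe'
if (Test-Path $drop) {
    $h = (Get-FileHash $drop -Algorithm SHA256).Hash
    Write-Host "!! $drop present, SHA256 $h (the legitimate lsass.exe lives only in System32)"
}
Get-Process -Name lsass -ErrorAction SilentlyContinue | Where-Object { $_.Path -like '*\temp\*' } |
    ForEach-Object {
        Write-Host "!! lsass running from $($_.Path) (PID $($_.Id))"
        if ($Remove) { Stop-Process -Id $_.Id -Force }
    }

# --- removal order: process (above), then the subscription, then the file ---------------
# dropping the subscription before the file matters: otherwise the hourly trigger rebuilds it
if ($Remove) {
    foreach ($obj in $toRemove) { Remove-CimInstance -InputObject $obj }
    if (Test-Path $drop) { Remove-Item $drop -Force }
}
```

Run it without arguments first and review the output; only the bindings whose action carries Base64-encoded PowerShell are queued for removal, so a legitimate subscription (for example one created by management software) is listed but left in place. The removal order mirrors the regeneration loop the report describes: if only the file is deleted, the subscription writes it back within the hour, so the subscription and the payload class must go first.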