In this article, I would like to share details about a phishing attack that targeted me, whose goal was to drop a crypto miner on my computer.
Even though the phishing email was not sophisticated enough to deceive a security-aware user like me, the malware itself was well-crafted and went undetected by Windows Defender.

Curious and concerned, I decided to dig deeper into how it worked, and in this article, I’ll walk you through exactly what I found. You might be surprised how easy it is to miss the signs until it’s too late.
Before delving into the specifics, it’s important to understand how such threats are engineered and deployed. The following section examines the mechanisms employed by the malware, highlighting the techniques used to evade detection and the potential risks posed to unsuspecting recipients.
Here is a closer look at the technical aspects uncovered during my investigation:
Stage 1: Malware delivery
The malware is sent to the target via a phishing email that looks like it shares a resume. The email has a link to download a Visual Basic script from Dropbox.
The first line is a message indicating that the file cannot be read on a mobile device and should be opened on a Windows computer. Notice the empty lines after the first message, which are probably intended to push the malicious payload that follows out of sight.

Upon reviewing the content, I noticed numerous VB comments containing phrases that appear to be randomly generated, which obscure the underlying VB commands. Identifying these commands requires removing the comments first.

Here is a sample of the script after removing all the comments:

You can observe that the function and variable names are long, random-looking character strings, chosen to avoid suspicious keywords that might trigger antimalware alerts.
What the script does:
- The Misleading Message: Once executed, the script immediately tries to deceive the victim. A pop-up message in French states, “Impossible de lire ce fichier : erreur lors de l’ouverture du document” (Cannot read this file: error opening the document). This clever ruse makes the user think a file simply failed to open, while the malicious activity starts silently in the background.
- Self-Preservation & Evasion: The script quickly deletes its own initial VBScript file. This anti-forensics step removes the immediate evidence of the initial infection, making it harder for casual users or basic security tools to trace the attack’s origin.

- Privilege Elevation: The script uses “runas” to request elevated privileges, enabling it to modify settings, create tasks, and disable security features.

    If the user has limited privileges, the script repeatedly raises the User Account Control (UAC) prompt until the user enters administrator credentials.

- Disabling Defender Protection: The script runs a PowerShell command that adds multiple exclusions to Windows Defender, one for each common drive root (c:, d:, e:, f:, g:, h:, i:). This is intended to reduce the likelihood that the built-in antivirus will scan or detect the malware.
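
As an added defender-side example (my code, not anything from the phishing script), here is how the whole-drive exclusion step can be picked out of PowerShell script-block logs. It assumes the exclusions were added with Add-MpPreference -ExclusionPath, and the log entries below are constructed:

```python
import re

# Constructed PowerShell script-block log entries (Event ID 4104 style), not the
# attacker's real command; assumes the Defender exclusions were added with
# Add-MpPreference -ExclusionPath, the documented cmdlet for that.
SAMPLE_SCRIPT_BLOCKS = [
    "Get-Date",
    'Add-MpPreference -ExclusionPath "c:\\","d:\\","e:\\","f:\\","g:\\","h:\\","i:\\"',
    'Add-MpPreference -ExclusionPath "C:\\Program Files\\MyApp"',
    "Set-MpPreference -DisableRealtimeMonitoring $true",
]

# A path consisting of only a drive letter, a colon and an optional backslash.
DRIVE_ROOT = re.compile(r"^[a-z]:\\?$", re.IGNORECASE)
EXCLUSION_CMD = re.compile(r"(?:Add|Set)-MpPreference\s+-ExclusionPath\s+(.+)", re.IGNORECASE)


def parse_exclusion_paths(script_block: str) -> list:
    """Return the paths passed to -ExclusionPath in one script block, or [] if none."""
    match = EXCLUSION_CMD.search(script_block)
    if not match:
        return []
    # The argument is a comma-separated list; strip surrounding quotes from each item.
    return [p.strip().strip("\"'") for p in match.group(1).split(",") if p.strip()]


def is_drive_root(path: str) -> bool:
    return bool(DRIVE_ROOT.match(path.strip()))


def flag_drive_root_exclusions(script_blocks) -> list:
    """Return (script_block, [drive roots]) for each block that excludes whole drives.

    Excluding a single application folder is routine; excluding C:\\ or several
    drive roots in one command effectively switches Defender off for those drives.
    """
    hits = []
    for block in script_blocks:
        roots = [p for p in parse_exclusion_paths(block) if is_drive_root(p)]
        if roots:
            hits.append((block, roots))
    return hits


if __name__ == "__main__":
    for block, roots in flag_drive_root_exclusions(SAMPLE_SCRIPT_BLOCKS):
        print("ALERT: whole-drive Defender exclusions %s in: %s" % (roots, block))
```

The same check can be run against the live exclusion list (Get-MpPreference) on a machine you suspect, since the exclusions survive even after the script deletes itself.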

Stage 2: Delivering the Payload & Persistence
With Defender sidelined, the malware is free to deliver the primary payload: a mining program.
1. Downloading the Tools: The script first downloads 7zr.exe, a legitimate 7-Zip command-line utility, renaming it to 7g.exe. This tool is necessary for extracting the encrypted payload.

2. Fetching the Archive: A password-protected 7-Zip archive named gmail.7z is then downloaded from a Dropbox link. This archive contains the crypto miner executable (mservice.exe) and an additional VBScript (mservice.vbs).

3. Unpacking the Threat: Using the downloaded 7g.exe, the archive is silently extracted. The password, hardcoded in the script, is 1625093. The contents are strategically placed in a deceptive directory “C:\Users\Public\WindowsUpdate” designed to blend in with legitimate system files.

4. Persistence: The attack persists by:
- Adding a “Microsoft Media Service” entry to the user’s Run registry key, so that mservice.vbs runs at every login.

- Adding a scheduled task: A scheduled task called “MicrosoftUpdateService” is registered from update.xml to launch mservice.vbs with high privileges every 10 minutes, ensuring ongoing activity even after manual stops or reboots.
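
An added example, not part of the original analysis or the attacker's files: auditing a Task Scheduler XML definition for the traits described above (highest privileges, a 10-minute repetition, a VBScript launched from C:\Users\Public). The task XML is a constructed stand-in for update.xml, not the real file:

```python
import re
import xml.etree.ElementTree as ET

NS = {"t": "http://schemas.microsoft.com/windows/2004/02/mit/task"}

# Constructed Task Scheduler definition shaped like the update.xml the article
# describes (not the attacker's file): highest privileges, every 10 minutes,
# launching a VBScript from the drop directory under C:\Users\Public.
SAMPLE_TASK_XML = """<Task version="1.2" xmlns="http://schemas.microsoft.com/windows/2004/02/mit/task">
  <Triggers><TimeTrigger>
    <Repetition><Interval>PT10M</Interval></Repetition>
    <StartBoundary>2025-01-01T00:00:00</StartBoundary><Enabled>true</Enabled>
  </TimeTrigger></Triggers>
  <Principals><Principal id="Author"><RunLevel>HighestAvailable</RunLevel></Principal></Principals>
  <Actions Context="Author"><Exec>
    <Command>wscript.exe</Command>
    <Arguments>//B C:\\Users\\Public\\WindowsUpdate\\mservice.vbs</Arguments>
  </Exec></Actions>
</Task>"""


def interval_minutes(iso_duration: str) -> int:
    """Convert an ISO 8601 duration such as PT10M or PT1H30M to whole minutes."""
    m = re.fullmatch(r"PT(?:(\d+)H)?(?:(\d+)M)?(?:(\d+)S)?", iso_duration)
    if not m:
        raise ValueError("unsupported duration: %r" % iso_duration)
    hours, minutes, seconds = (int(x or 0) for x in m.groups())
    return hours * 60 + minutes + seconds // 60


def audit_task(xml_text: str) -> list:
    """Return findings for a task definition; [] means nothing notable."""
    root = ET.fromstring(xml_text)
    findings = []
    if root.findtext("t:Principals/t:Principal/t:RunLevel", namespaces=NS) == "HighestAvailable":
        findings.append("runs with highest available privileges")
    for interval in root.iterfind(".//t:Repetition/t:Interval", NS):
        findings.append("repeats every %d minutes" % interval_minutes(interval.text))
    for action in root.iterfind("t:Actions/t:Exec", NS):
        cmd = "%s %s" % (action.findtext("t:Command", "", NS), action.findtext("t:Arguments", "", NS))
        if ".vbs" in cmd.lower() and "\\users\\public\\" in cmd.lower():
            findings.append("launches a VBScript from C:\\Users\\Public: " + cmd.strip())
    return findings


if __name__ == "__main__":
    for finding in audit_task(SAMPLE_TASK_XML):
        print("-", finding)
```

Exported task definitions from a suspect machine (schtasks /query /xml) can be fed through audit_task the same way.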

Stage 3: The Covert Operation – Mining for Malice
With all components properly configured, the mservice.vbs script operates continuously through the scheduled task, enabling it to fulfill its intended function.

As you may have noticed, the above code is not obfuscated; the attacker, by disabling Windows Defender, assumed that her script would not be detected. However, this approach doesn’t take into consideration other antimalware software.
1. Establishing Identity: The mservice.vbs script creates a log.dat file in the C:\Users\Public directory, recording the date and time of the initial infection (e.g., 210725_1756). This unique timestamp likely serves as a worker ID for the mining pool.
2. Resource-Aware Mining: The script checks the system’s RAM. If you have more than 4GB, it runs the miner in “auto” mode; otherwise, it uses a “light” mode. This intelligent optimization helps the attacker maximize mining efficiency while attempting to avoid system crashes on less powerful machines.
3. The Mining Command: The script launches mservice.exe (likely an XMRig variant) with a complex set of arguments:
- It connects to the attacker’s mining pool (141.94.96.144:443).
- It directs all mined Monero (XMR) to the attacker’s wallet address (42VXdAiAeFvEsma3tjqbJ9P8o21fCE3f6fzDDVDRNmi4EK4iMKaFtoodb76rYobsn3WBAPZrXWCnsPf8JuNbNYHQ6C3Kypi).
- It uses the log.dat timestamp as a worker password.
- It uses 16 CPU threads (a highly aggressive setting) and passes --pause-on-active=10, which pauses mining for 10 seconds whenever the user is active. This is the primary stealth tactic: it reduces noticeable performance degradation during active use.
- It also enables TLS encryption for mining traffic to evade network-based detection.
4. Silent & Persistent Income Generation: The miner runs hidden, without a visible window or title. Thanks to the scheduled task, even if the miner crashes or is manually terminated, it will restart within 10 minutes, ensuring a continuous stream of cryptocurrency for the attacker.
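
As an added example rather than code from the article or the miner itself, the following parses an XMRig-style command line into its pool, wallet, password and stealth options and lists the reasons it looks like a miner. The command line is constructed from the arguments described above; the pool IP, wallet and timestamp password are the values reported in this article:

```python
import re
import shlex

# Constructed process-creation command line modelled on the arguments the article
# describes; pool IP, wallet and timestamp password are the values the article reports.
SAMPLE_CMDLINE = (r"C:\Users\Public\WindowsUpdate\mservice.exe -o 141.94.96.144:443 "
                  "-u 42VXdAiAeFvEsma3tjqbJ9P8o21fCE3f6fzDDVDRNmi4EK4iMKaFtoodb76rYobsn3WBAPZrXWCnsPf8JuNbNYHQ6C3Kypi "
                  "-p 210725_1756 -t 16 --pause-on-active=10 --tls")
MONERO_ADDR = re.compile(r"^4[1-9A-HJ-NP-Za-km-z]{94}$")  # standard XMR address: 95 base58 chars
FLAG_MAP = {"-o": "pool", "--url": "pool", "-u": "user", "--user": "user",  # XMRig options
            "-p": "pass", "--pass": "pass", "-t": "threads", "--threads": "threads"}  # taking a value


def parse_miner_args(cmdline: str) -> dict:
    """Pull the fields worth alerting on out of an XMRig-style command line."""
    argv = shlex.split(cmdline, posix=False)  # non-POSIX: keep Windows backslashes as-is
    info = {"exe": argv[0], "tls": False, "pause_on_active": None}
    i = 1
    while i < len(argv):
        arg = argv[i]
        if arg in FLAG_MAP and i + 1 < len(argv):
            info[FLAG_MAP[arg]] = argv[i + 1]
            i += 1  # skip the consumed value
        elif arg == "--tls":
            info["tls"] = True
        elif arg.startswith("--pause-on-active="):
            info["pause_on_active"] = int(arg.split("=", 1)[1])
        i += 1
    return info


def miner_indicators(cmdline: str) -> list:
    """Reasons this command line looks like a crypto miner; [] means none found."""
    info = parse_miner_args(cmdline)
    reasons = []
    if MONERO_ADDR.match(info.get("user", "")):
        reasons.append("user field is a Monero wallet address")
    if re.fullmatch(r"\d{1,3}(\.\d{1,3}){3}:\d+", info.get("pool", "")):
        reasons.append("pool given as bare IP:port (%s)" % info["pool"])
    if re.fullmatch(r"\d{6}_\d{4}", info.get("pass", "")):
        reasons.append("password is a date_time timestamp, the worker id taken from log.dat")
    if info["pause_on_active"] is not None:
        reasons.append("--pause-on-active hides CPU load from the interactive user")
    if info.get("threads", "").isdigit() and int(info["threads"]) >= 8:
        reasons.append("%s CPU threads requested" % info["threads"])
    if info["tls"] and info.get("pool", "").endswith(":443"):
        reasons.append("TLS to port 443 makes pool traffic look like HTTPS")
    if "\\users\\public\\" in info["exe"].lower():
        reasons.append("binary runs from C:\\Users\\Public")
    return reasons
```

Run over Sysmon or Security-log process-creation events, a non-empty reason list on a process that is not a known miner is worth an alert on its own; the 10-minute restart from the scheduled task means the event will repeat.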
Insights Uncovered by This Phishing Attack Analysis:
- Based on the language used in the email, the attacker appears to be a French actor. This is further supported by the IP address of the Crypto Miner Server (141.94.96.144), which is hosted by OVH, a French cloud hosting provider.
- The malware is more likely to execute successfully in the context of a user with elevated privileges.
- The attack may fail if the targeted system is protected by an antimalware solution other than Windows Defender. Even if the initial malware is well obfuscated and can potentially evade detection, the antimalware software can easily identify the unobfuscated crypto miner.
How to Mitigate:
Be Skeptical of Unsolicited Emails:
Never open attachments or click links from unknown senders. Even from known senders, be wary of unexpected or unusual requests.
Principle of Least Privilege:
Do not run as an administrator all the time. Use a standard user account for daily tasks and only elevate privileges when absolutely necessary. This limits the impact if malware gains execution.
Robust Antivirus/Endpoint Detection & Response (EDR):
Consider EDR solutions for more advanced threat detection and response capabilities, which can spot unusual process behavior.
Network Monitoring:
For advanced users, network monitoring tools can reveal unusual outbound connections, especially to non-standard ports or known mining pools.
Backup Your Data:
Regular, offline backups are your last line of defense against any malware, including cryptojackers that might cause system instability.
