CoinMiner Distribution Process within Infiltrated Systems (Detected by EDR)

by Prapattimynk, Monday, 25 September 2023 (5 months ago)
CoinMiner Distribution Process within Infiltrated Systems (Detected by EDR)

AhnLab Security Emergency Response Center (ASEC) has identified the process through which threat actors install CoinMiners, which utilize a compromised system’s resources for cryptocurrency mining. This post will cover how the AhnLab EDR product detects the installation process of CoinMiners that use system resources for cryptocurrency mining.

Figure 1. Execution of command from threat actor


Figure 1 shows that the threat actor used the same command consistently on the infiltrated system. It shows a PowerShell script was detected being executed by a PowerShell command through the CMD process. Instead of downloading files directly, only a script is received as a string and executed.

Figure 2. Malicious PowerShell behavior


The executed PowerShell script decodes data encoded in Base64 and creates a file named “nodejssetup-js.exe” in the TEMP directory, which it then executes.

Figure 3. Key behavior of the malware


The executed malware can be observed in Figures 3 and 4. Its main features include receiving data files encrypted in DES from a distribution site, decrypting them, and injecting (Process Hollowing) them into the normal process MSBuild.exe.

Figure 4. Malware feature


Figure 5. Memory of msbuild after being injected


The injected (Process Hollowed) MSBuild.exe performs malicious behaviors. These malicious behaviors can be seen in Figures 5, 6, 7, and 8. Figure 5 shows the memory value of MSBuild.exe after it has been injected. These values can be found in the AhnLab EDR detection screens shown in Figures 6, 7, and 8. It receives additional malware (Figure 6), injects it into the normal process AddInProcess.exe, and executes it (Figure 7). By examining the command line during the execution in Figure 8, it can be confirmed that this is the method used for executing the CoinMiner.

Figure 6. Malicious behavior from MSBuild 1


Figure 7. Malicious behavior from MSBuild 2


Figure 8. Malicious behavior from MSBuild 3



Figure 9. Miner behavior from AddInProcess.exe


Finally, CPU usage that exceeds a certain threshold can be observed from the injected (Process Hollowed) AddInProcess.exe.

The process of installing a cryptocurrency CoinMiner that utilizes system resources on an infiltrated system involves multiple processes. However, the malware used is only one: “nodejssetup-js.exe”. All other scripts and malicious PE files used in the injection (Process Hollowing) process exist only in the memory. To detect this distribution method, enabling behavior detection in V3, an endpoint anti-malware solution, is necessary. In case of infection, further actions can be taken through detailed analysis using EDR.


[Behavior Detection]

1c5d05def6e3baabe8da94a3d275c5e5 Dropper/PowerShell.Generic
6efe15382531ae994f2f220046421b1d CoinMiner/Win.XMRig(2023.04.16.01)

AhnLab EDR protects the endpoint environment by delivering behavioral detection, advanced analysis, holistic visibility, and proactive threat hunting. For more information about the product, please visit our official website.



Your email address will not be published. Required fields are marked *

Ads Blocker Image Powered by Code Help Pro

AdBlocker Detected!!!

We have detected that you are using extensions to block ads. Please support us by disabling these ads blocker.