Acronis Discovers New AutoIt Cryptominer Campaign Injecting Windows Process

Acronis Active Protection discovers AutoIt cryptomining campaign

In a blog post last year we talked about how Acronis’ cryptomining protection had delivered great results within just one month of its release. Since then, we’ve seen few injection cases involving legitimate Windows processes. Recently, however, we’ve seen many cases involving attrib.exe being abused by the AutoIt script-based cryptominer malware. Malicious actors have famously abused attrib.exe often. Additionally, some other security vendors and researchers have reported that attrib.exe has been abused by injection techniques from other cryptominer variants.

We have observed some spike in our cryptomining protection telemetry: Around 36k attacks detected by our product in just three weeks. More than 30 countries were affected during this short timeframe.

Total attack count by date statistics

Total countries where AutoIt attacked

We managed to capture an interesting sample of the cryptominer that’s actively attacking our customers. The observed variant mines for one of the most famous cryptocurrencies that attackers abuse in the cyber world: Monero (XMR).

Stages of AutoIt cryptomining infection

During the execution of the dropper, it will unzip the archive containing the mining module and copy it into “%Appdata%\\Microsoft\\Windows\\Helper.exe”.  Then it will create a task scheduler to execute the mining sample with the parameter we’ll soon explain.

Dropped files path

The dropper use information from an XML file to create a task scheduler with the task name "SystemCheck". This will execute the cryptominer module with "-SystemCheck" parameter.

Cryptominer module executed with parameter by task scheduler

Cryptomining module

The cryptomining binary named as Helper.exe is actually a 64bit AutoIt script that’s compiled to an executable (.exe). Once decompiled, we managed to see the main script, which performs:

  1. Evasion - Described in detail in the section “Evasion technique”
  2. Modules download - It downloads additional component using tor.exe
    1. upd.version: Contains version number
    2. mn.pid: Contains process ID for process performing mining operation
    3. SysBackup.txt:  XMRig miner executable
  3. Process injection - Injecting mining module into legitimate attrib.exe, this is also part of evasion
  4. Cryptomining logic

This cryptominer will first drop the tor.exe component, which will download additional mining components anonymously via base64 hardcoded .onion domains. The main component downloaded is the XMRig binary itself.

Additional component to be downloaded by tor

AutoIt script to download XMRig executable

.onion domains encoded in base64

List of .onion domains after decode

Tor network communication

XMRig binary downloaded by tor.exe

AutoIt script containing stratum mining logic

Helper.exe injection to attrib.exe

Attrib.exe executing mining logic

Below is the TCP request and response containing XMRig mining JSON-RPC.

XMRig JSON-RPC mining over TCP

Evasion technique

This cryptominer module also has the ability to check for forensic and monitoring processes, as well as AV related processes. It will terminate itself if it sees any monitoring process listed below running on the victim’s machine.

Auto-shut down forensic and monitoring processes

Auto-shut down AV executable names

Infostealer module

There is a module to collect the victim’s machine information and send it to the attacker’s server via User-Agent over HTTP header. The collected information includes OS, CPU, GPU, and AV program information.

Infostealer module in AutoIt script

Conclusion

To protect against cryptomining, we recommend using an advanced anti-cryptomining solution and maintaining an updated anti-virus solution. Acronis products are equipped with advanced anti-cryptomining technology that can protect you against these kinds of attacks.

Cyber protection products like the personal solution Acronis True Image 2020, business solution Acronis Cyber Backup, and our newly released Acronis Cyber Cloud 8.0 come with the AI-based, anti-malware defense Acronis Active Protection built-in, enabling them to protect users from cryptomining malware.

Acronis Active Protection detects mining activity by injected code in attrib.exe

The effectiveness of Acronis Active Protection against illicit cryptomining was recently proven in an independent evaluation performed by AMTSO member testing laboratory, NioGuard. The test was done according to strict AMTSO standards and confirmed very good results from Acronis technology with Acronis Cyber Backup finishing in second place with an overall protection rating of 94%. You can check the full test to see details on more than 20 cryptojackers used in the evaluation.

Cryptominer hashes

Mining pool domain

Additional component download domain