Miner.Win32.Slytherin.n

General Explanation

Type: Miner

Degree of destruction: Average

Prevalence: Average

Used vulnerabilities:

  • CVE-2019-0803
  • CVE-2017-0213

What is a Miner?

A miner is a person or hardware that does mining or extracts Digital currencies. Bitcoin is a type of cryptocurrency. extracting bitcoin is a type of confirming information process which occurs in two different SHA256 hash levels. Bitcoin network rewards extractors bitcoins for their attempts in solving complex calculations. Malware authors write malware and infect the victim’s systems to have no cost for solving these complex calculations to earn money this way and also do not pay any prices for solving calculations. Solving these calculations will involve the victim’s system CPU and cause slowing the system.

What is Slytherin malware?

This malware that enters the system aimed to extract digital currencies will infect the victim’s system and network, by using diverse vulnerabilities and also downloading malicious files.

Technical Explanation

Slytherin malware is a member of Miners and from the Trojan family.

Signs of infection

  •  WUDFhosts.exe or 360se.exe processes running which are used to perform mining
  •  If the user runs “Netsh ipsec static show all” instruction, will view filters as Filter1 and FilterAtion1 amongst its communication policies. The name of the created policies can be diverse in different malware types.
  • ms19_.exe processes running to attack using CVE-2019-0803 vulnerability.
  • Scan.exe processes running, this process used as TCP Scanner.
  • The existence of job files with names that started with NET Framework NGEN v4.2 string and placed in %Windir%\System32\Tasks path.

Function explanation

  • This file will download the malicious file TQ.exe by connecting the http://sql.4i7i.com link which is used CVE-2017-0213 vulnerability. This vulnerability by having system access level can perform the malicious operation of the malware:

TQ.exe creates and runs ms19_.exe which this file can use CVE-2019-0803 vulnerability. This vulnerability gives access to outer system software so they can view, change, and remove by command.

  • Creating KuGouMusic in the system
  • Creating ju.exe in the system

This file will download a malicious file with the fake name “svchost.exe” by connecting to the hxxp://4i7i.com link, which function is as follows:

Will create a file named Erzxuk.dll (the name of the file will be randomly chosen in different types of malware) and it will set the following registers to return the values of this registry path to the common values if they were infected by other malware:

HKLM\SOFTWARE\Wow6432Node\Microsoft\Windows NT\CurrentVersion\Svchost\netsvcs: AeLookupSvc, CertPropSvc, SCPolicySvc, lanmanserver, gpsvc, AudioSrv, FastUserSwitchingCompatibility, Ias, Irmon, Nla, Ntmssvc, NWCWorkstation, Nwsapagent, Rasauto, Rasman, Remoteaccess, SENS, Sharedaccess, SRService, Tapisrv, Wmi, WmdmPmSp, TermService, wuauserv, BITS, ShellHWDetection, LogonHours, PCAudit, helpsvc, uploadmgr, iphlpsvc, msiscsi, schedule, SessionEnv, winmgmt, AppMgmt, DevicePickerUserSvc_0x0

  •  Erzxuk.dll will check the existence of antiviruses in the system and remove their services, if existed, and open the desktop remote access for the network users by setting the registry value to 1:

HKLM\System\CurrentControlSet\Control\Terminal Server\WinStations\RDP-Tcp\UserAuthentication

How to deal with it and disinfect the system

Padvish Antivirus will detect this malware and remove it from the system. Padvish IPS will also detect the victim’s system from probable infections caused by Windows vulnerabilities and prevent them from entering the victim’s system.

  0 people found this article useful

Leave a Reply

Your email address will not be published. Required fields are marked *

You may use these HTML tags and attributes: <a href="" title=""> <abbr title=""> <acronym title=""> <b> <blockquote cite=""> <cite> <code> <del datetime=""> <em> <i> <q cite=""> <s> <strike> <strong>