January 24, 2018

In July 2017, Doctor Web specialists detected a 0-day vulnerability in the Cleverence Mobile SMARTS Server server applications. Program developers released an update to fix this vulnerability. However, cybercriminals still use it to mine cryptocurrencies.

Applications of the Cleverence Mobile SMARTS Server family are created for automizing shops, warehouses, various facilities and productions. They are designed to operate on a PC with Microsoft Windows OS. In July 2017, Dr.Web specialist detected a critical vulnerability in one of the Cleverence Mobile SMARTS Server components. Cybercriminals used it for unauthorized access to servers and to install Trojans of the Trojan.BtcMine family designed to mine cryptocurrencies. We immediately informed the software developers of this vulnerability.

First, cybercriminals used several versions of the miner detected by Dr.Web as Trojan.BtcMine.1324, Trojan.BtcMine.1369 and Trojan.BtcMine.1404. Cybercriminals send a special request to the server where the Cleverence Mobile SMARTS Server software runs, which results in executing the command contained in this request. The attackers use the command to create a new user with administrator privileges in the system and employ this user account to get unauthorized access to the server via the RDP protocol. In some cases, cybercriminals use the Process Hacker tool to shut down the processes of anti-viruses running on the server. Once they obtain access to the system, they install the Trojan miner on it.

This Trojan is a dynamic library. Cybercriminals save it to a temporary folder and then run it. The malicious program replaces one of the legitimate Windows system services selecting a “victim” by a number of parameters and deletes the original service file. The malicious service then gets a number of system privileges and sets a critical flag for its process. Then the Trojan saves the files required for its operation to the disk and starts mining cryptocurrencies using the hardware of the infected server.

Although developers of Cleverence Mobile SMARTS Server released a timely update which closed the software vulnerability, numerous server administrators do not hurry to install it, and cybercriminals take advantage of them. The virus writers continue to install miner Trojans, which are constantly modified, on the hacked servers. Starting from late November 2017, cybercriminals started using a brand new Trojan, modified up to now. This malicious program was dubbed Trojan.BtcMine.1978. It is designed to mine the cryptocurrencies Monero (XMR) and Aeon.

The miner is launched as a critically important process with a displayed name “Plug-and-Play Service”. If one tries to shut down this process, Windows performs an emergency shutdown and displays the “blue screen of death” (BSOD). Once launched, Trojan.BtcMine.1978 tries to delete the services of Dr.Web anti-viruses, Windows Live OneCare, Kaspersky Anti-virus, ESET Nod32, Emsisoft Anti-Malware, Avira, 360 Total Security and Windows Defender. Then the miner searches for the launched processes of anti-virus programs on the attacked computer. If it is successful, the Trojan decrypts, saves to a disk and runs a driver used to make attempts at closing these processes. Dr.Web successfully detects and blocks the Process Hacker driver used by Trojan.BtcMine.1978. This driver was added to the Dr.Web virus databases as a hacktool.

Once it obtains a list of ports from its own configuration, Trojan.BtcMine.1978 searches a network for a router. Then, using the UPnP protocol, it redirects the TCP port of the router to ports from the obtained list and connects to them waiting for connections via the HTTP protocol. The malicious program saves the settings necessary for its normal operation in the Windows system registry.

In the body of the miner, there is a list of IP addresses of the command and control servers. The Trojan checks them for an active one. Then the Trojan configures proxy servers on the infected machine. They will be used to mine cryptocurrencies. Also, on the command of cybercriminals, Trojan.BtcMine.1978 launches PowerShell and redirects its input-output to a remote user connected to a compromised host. It allows the attackers to execute various commands on the infected server.

Once these actions are executed, the Trojan embeds a module into all running processes. It is designed to mine cryptocurrencies. It is the first process of this module’s operation that will be used to mine Monero (XMR) and Aeon.

Despite Trojan.BtcMine.1978 having a mechanism which allows it to force shut down processes of anti-viruses, our users can feel secure, because the Dr.Web anti-virus self-protection mechanism does not allow the Trojan to intervene with the operation of critically important components. Dr.Web specialists recommend that server administrators who use Cleverence Mobile SMARTS Server install all security updates released by the developers.