A recently observed piece of multifunctional malware can be used to mine for crypto-currencies, log user keystrokes, and download additional malware onto compromised machines, Fortinet security researchers have discovered.
Dubbed Proteus, this threat has been written in .NET and is being distributed through the Andromeda botnet. The malware, Fortinet researchers say, can act as a proxy, but its authors can also use it as an e-commerce merchant account checker, coin miner, keylogger, and malware downloader.
The malware, which functions as a botnet, was observed using encryption to secure all communications with its command and control (C&C) center. The symmetrical algorithm used for encrypting the communications is also used to encrypt all of the strings used in the botnet, the security researchers explain.
Once installed with a process running, the malware registers with the C&C sever by sending an initial registration message containing various details about the infected machine, including processor, BIOS and baseboard information. The bot, researchers say, comes with a hardcoded default fingerprint, which is always overwritten by the above-mentioned data, which also acts as a unique identifier for the infected machine.
“The fingerprint is included in the HTTP header in the authorization field. MachineName is retrieved by calling the Win32 API GetComputerName, OperatingSystem is the OS architecture x64 or x86. The BotVersion is obtained from the assembly version that the code is executing in,” Fortinet explained.
To this initial registration message, the C&C server responds with an encrypted string that reads “successful.” Next, the bot continues to beacon to the server constantly, to make sure it is live and to carry out other malicious actions.
The malware was observed creating six threads for different tasks: SocksTask – creates a socket and sets up port forwarding; MiningTask – appears to mine digital currency using SHA256 miner; EMiningTask – supposedly mining using CPUMiner and ZCashMiner; CheckerTask – validates given accounts; CommandsTask – kills current process or downloads and executes an executable on request; and LoggerTask – sets up keylogger.
The bot checks with the server during the crypto-mining runtime to determine which miner it should use for the mining operations. This is why it creates two threads for mining digital currency, each for different miner.
“The Proteus botnet has a combination of features including coin miner, proxy server, keylogger, and many more. It is also capable of downloading and executing a file. All of this in one botnet may be even more harmful than one might first think, as it could download anything and execute it in the infected host. Our team will continue to monitor this botnet family and provide more information as it comes to light,” Fortinet’s researchers said.
Related: Battling the Botnet Armies