BitMining Infection

[Mainstay]

Hi All,

I have a system that was deployed ~6 months ago and is protected by ESET.

It runs headless but users have access to it via internal file sharing as well as via RDP (limited user accounts).

A few weeks ago I received an alert that my backups failed and I logged in and corrected the problem.

Tonight I received the same alert and dug deeper. It seems that ~29 of the scheduled Windows Tasks had become corrupted and the system was in fact running a bit mining operation. The 29 scheduled tasks had all been either completely corrupted OR re-written with calls to a boardroot.exe

Malwarebytes only considers this "riskware" and HitManPro considered it risky, but not an actual threat.

Wow - it is running at 88% CPU on a pretty slick system.

This is the ini file associated with this program which is SOMEHOW operating out of a disabled Guest account.

I won't blank any of the data (and rest assured, that gmail account doesn't belong to anyone on my end).

[General]
version=6.6
server=https://minergate.com
minimizeToTray=true
closeToTray=true
showGpu=true
clientId={5c1cff45-44d8-4d7e-a8fd-930534e735e1}
email=vanillamorison@gmail.com
suppress_achievement_notify=true

[miners]
aeon\visible=false
aeon\pool=stratum+tcp://aeon.pool.minergate.com:45690
bcn\visible=false
bcn\pool=stratum+tcp://bcn.pool.minergate.com:45550
dsh\visible=false
dsh\mergedMining=
dsh\mergedPools\fcn=stratum+tcp://fcn-dsh.pool.minergate.com:45730
dsh\mergedPools\mcn=stratum+tcp://mcn-dsh.pool.minergate.com:45740
dsh\pool=stratum+tcp://dsh.pool.minergate.com:45720
duck\visible=false
duck\pool=stratum+tcp://duck.pool.minergate.com:45620
etc\visible=false
etc\pool=stratum+tcp://etc.pool.minergate.com:45777
eth\visible=false
eth\pool=stratum+tcp://eth.pool.minergate.com:45791
fcn\visible=false
fcn\pool=stratum+tcp://fcn.pool.minergate.com:45610
inf8\visible=false
inf8\mergedMining=
inf8\mergedPools\fcn=stratum+tcp://fcn-inf8.pool.minergate.com:45760
inf8\mergedPools\mcn=stratum+tcp://mcn-inf8.pool.minergate.com:45770
inf8\pool=stratum+tcp://inf8.pool.minergate.com:45750
mcn\visible=false
mcn\pool=stratum+tcp://mcn.pool.minergate.com:45640
mro\visible=true
mro\pool=stratum+tcp://mro.pool.minergate.com:45560
qcn\visible=false
qcn\mergedMining=
qcn\mergedPools\fcn=stratum+tcp://fcn-qcn.pool.minergate.com:45600
qcn\mergedPools\mcn=stratum+tcp://mcn-qcn.pool.minergate.com:45670
qcn\pool=stratum+tcp://qcn.pool.minergate.com:45570
btc\pool=stratum+tcp://btc.pool.minergate.com:3335
devFeeCC\pool=stratum+tcp://:0
ltc\pool=stratum+tcp://ltc.pool.minergate.com:3336
mro\speed=7
mro\running=true

Removing it is turning out to be a real pain as it re-constitutes itself quickly.

I have:

• ensured the Guest account is disabled in both GPO and in compmgmt.msc;
  
• I have set the security on the referenced folders to Guest as being denied access (deleting the folders isn't sufficient as it re-builds them);
• redirected all of those addresses to loop back to 127.0.0.1 via hosts file;
• have brought in second opinions from other antivirus makers who don't seem to think it is a big deal;
• have nuked all affected scheduled tasks (yikes!, going to have a helluva time rebuilding those!)
• have searched through the registry and killed off any references to boardroot and minergate
• have ensured there are no calls the virus / service in autoruns
• have ensured the service is not actually running while I've been doing all of this
  
• have cursed the makers of such a bit of software most vehemently
• have written on TN because I don't know... maybe one of you has the wisdom to beat this thing

Have any of you encountered this before?

Any thoughts on killing it?

Thanks!

--Matthew

 

[Slaters Kustum Machines]

Check for a related service in services.msc.

 

[Mainstay]

Check for a related service in services.msc.

Couldn't find anything - the system is pretty damn fresh, only running Office and one industry specific piece of software... (I added to my post as you were answering)

 

[Slaters Kustum Machines]

procmon may help, but it has a learning curve. Have you tried process explorer to gather any more information from the exe?

 

[Mainstay]

procmon may help, but it has a learning curve. Have you tried process explorer to gather any more information from the exe?

I have thrown Process Explorer - and it didn't yield much more than I could eliminate through scheduled tasks and folder permissions.

I have no idea how this could execute under a disabled Guest account... just puzzling to me.

Before I bring it in for a N&P I'd like to know more about protecting against it, as that would be terrible to re-deploy and just get re-infected.

Or I can let the damn miners keep at it and an i7 just burns away 24/7. ;-)

 

[Slaters Kustum Machines]

You could run currports to see what traffic is happening and block that upstream at the firewall. What are they using as a firewall?

 

[Mainstay]

I have never used currports - this might be interesting.

They are not using a router that is up to battling this sort of infection.

Might be time for an upgrade.

Thank you for the input!

 

[ZenTree]

Process explorer should have an option to scan all active processes with virustotal. Autoruns also has this option, both would be a good shout.

 

[ComputerRepairTech]

Process explorer should have an option to scan all active processes with virustotal. Autoruns also has this option, both would be a good shout.

I wasn't aware autoruns got that option, thanks.

@Mainstay got the original exe that I can take a look at to see the initial infection process?

 

[nlinecomputers]

I'd be looking at the staff of that office. Someone may have deliberately installed that on the sly.

 

[ZenTree]

I wasn't aware autoruns got that option, thanks.

@Mainstay got the original exe that I can take a look at to see the initial infection process?

It's incredibly handy. Not a silver bullet but for the tiny amount of time it takes to run a check you can get a good idea of what you're fighting against normally.

@OP only other suggestion to temporarily ease the load on the machine is to use process explorer to PAUSE the process in question. Most malware checks if the process is running and if not then start it but I've yet to meet one that checks to see if the process is paused.

Then you could look at using procmon as previously mentioned along with process explorer information to track down what other systems are interacting with it.