We found a coinminer bundled with the legitimate installer of the video conferencing app Zoom, luring users who want to install the software but who unknowingly end up downloading a malicious file. The compromised files are not from Zoom's official download center and are assumed to come from fraudulent websites. Users who attempt to download the installer from random sources are at risk of downloading the AutoIt-compiled malware Trojan.Win32.MOOZ.THCCABO. Below are the contents of the malicious file, including but not limited to the legitimate Zoom installer.
The 7-Zip archive file will soon be copied as CR_Debug_log.txt. The 7-Zip archiver CL_Debug_log.txt is used to decompress this password-protected archive. The malware then gathers information such as Graphics Processing Unit (GPU) details using Windows Management Instrumentation (WMI) queries, which is useful information for mining activities. It also collects details on the CPU, system, operating system version, video controllers, and processors.
It also checks whether Microsoft SmartScreen and Windows Defender are enabled and whether the antivirus solutions listed below are running on the system:
| Process Name | Antivirus solution |
|---|---|
| AvastUI.exe / AvastSvc.exe | Avast |
| avguix.exe / AVGUI.exe | AVG |
| avp.exe / avpui.exe | Kaspersky |
| egui.exe / ekrn.exe | ESET NOD32 |
The gathered information is sent to hxxps://2no.co/1IRnc using an HTTP GET request. To evade detection, helper.exe checks whether certain processes are running. Aside from security tools, this list also includes other monitoring tools that can help detect mining activity. It then spawns the Tor binaries to start coinmining.
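As an added example (not code from this write-up or from the malware), the following hunting script correlates the behaviours described above across simplified, constructed Sysmon-style events: a file named CR_Debug_log.txt / CL_Debug_log.txt being dropped, a ".txt" being executed as a program (the renamed 7-Zip), helper.exe contacting 2no.co, and helper.exe launching Tor. The event tuple format, host names, file paths and the tor.exe child name are assumptions; only the indicator names come from the text.

```python
import re
from collections import defaultdict

# Indicators quoted from the write-up above; event format and sample data are constructed.
DEBUG_LOG_NAMES = {"cr_debug_log.txt", "cl_debug_log.txt"}
BEACON_HOST = "2no.co"
LAUNCHER = "helper.exe"

# Constructed sample: (host, event_type, acting image, target). The target is the
# created file, the started child's command line, or the destination host:port.
SAMPLE_EVENTS = [
    ("PC-01", "FileCreate", r"C:\Users\a\Downloads\ZoomInstaller.exe",
     r"C:\Users\a\AppData\Local\Temp\CR_Debug_log.txt"),
    ("PC-01", "ProcessCreate", r"C:\Users\a\Downloads\ZoomInstaller.exe",
     r"C:\Users\a\AppData\Local\Temp\CL_Debug_log.txt x -pSECRET"),
    ("PC-01", "NetworkConnect", r"C:\Users\a\AppData\Local\Temp\helper.exe", "2no.co:443"),
    ("PC-01", "ProcessCreate", r"C:\Users\a\AppData\Local\Temp\helper.exe",
     r"C:\Users\a\AppData\Local\Temp\tor\tor.exe"),
    ("PC-02", "FileCreate", r"C:\Users\b\Downloads\ZoomInstaller.exe",
     r"C:\Users\b\AppData\Local\Temp\Zoom.log"),
    ("PC-02", "NetworkConnect", r"C:\Program Files\Zoom\bin\Zoom.exe", "zoom.us:443"),
]

def _basename(path):
    """Last path component, lower-cased, with trailing command-line arguments dropped."""
    return re.split(r"[\\/]", path.strip().lower())[-1].split(" ")[0]

def classify(event_type, image, target):
    """Map one event to a stage of the chain described in the write-up, or None."""
    image = _basename(image)
    if event_type == "FileCreate" and _basename(target) in DEBUG_LOG_NAMES:
        return "renamed_archive_dropped"
    if event_type == "ProcessCreate" and _basename(target) in DEBUG_LOG_NAMES:
        return "txt_file_executed"  # renamed 7-Zip run to unpack the archive
    if event_type == "NetworkConnect" and image == LAUNCHER \
            and target.lower().split(":")[0] == BEACON_HOST:
        return "recon_beacon"
    if event_type == "ProcessCreate" and image == LAUNCHER and _basename(target) == "tor.exe":
        return "tor_spawned"
    return None

def hunt(events, min_stages=2):
    """Collect distinct stage hits per host; return hosts reaching min_stages stages."""
    hits = defaultdict(set)
    for host, event_type, image, target in events:
        stage = classify(event_type, image, target)
        if stage:
            hits[host].add(stage)
    return {host: sorted(stages) for host, stages in hits.items() if len(stages) >= min_stages}

if __name__ == "__main__":
    print(hunt(SAMPLE_EVENTS))
```

Requiring two distinct stages keeps a single benign ".txt" file creation from firing on its own; the "txt_file_executed" stage is the one worth alerting on even in isolation, since a text file starting as a process is anomalous regardless of this campaign.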