Palo Alto Networks has discovered a unique malware family that mines bitcoins using the victim’s CPUs and GPUs. The malware, called PWOBot, is written entirely in Python and compiled with PyInstaller into a Microsoft Windows executable, according to a Palo Alto Networks posting. The malware has affected European organizations, mainly in Poland, and is delivered through a Polish file-sharing service.
The malware can download and execute files, log keystrokes, execute Python code and mine bitcoins via the affected computers’ GPUs and CPUs.
The malware has been noticed as far back as late 2013. There are at least two variants. Recent attacks have affected organizations from mid to late 2015.
The malware has affected the following victims: a large Polish retailer, a Polish shipping company, a Polish national institution, a Polish information technology organization, a Danish building company, and a French optical equipment provider.
Most of the PWOBot samples were downloaded from Chomikuj.pl, a Polish file-sharing web service. The following URLs have provided PWOBot copies.
One instance of the malware was downloaded from the IP address https://108.61.167, which is related to the tracking[.]com domain that a number of PWOBot samples also used.
The following file names delivered the malware:
• Quick PDF to Word 3.0.exe
• XoristDecryptor 184.108.40.206 full ver.exe
• Easy Barcode Creator 2.2.6.exe
• Kingston Format Utility 220.127.116.11.exe
• uCertify 1Z0-146 Oracle Database 8.05.05 Premium.exe
• Six Sigma Toolbox 1.0.122.exe
• Fizjologia sportu. Krótkie wykłady.exe [Physiology of sports. Short lectures.exe]
Some of the PWOBot samples present themselves as various software utility programs.
How the malware first infected its victims is unclear. The filenames allow some inference: end users may have downloaded the malware believing they were getting other software. Phishing attacks that enticed victims to download the files are also possible.
The attackers use PyInstaller to convert the Python code into a Microsoft Windows executable, but because the underlying Python code is portable, the malware could be rebuilt for other operating systems such as OS X and Linux.
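Because a PyInstaller build leaves a recognizable footprint, a defender can triage suspicious executables for it before any deeper analysis. The following Python helper is an added example, not code from the article or from Unit 42: it locates the archive cookie PyInstaller appends to every bundle and decodes its header fields. The sample bytes are constructed for the example (no PWOBot file is used), and the Python-version decoding follows what the PyInstaller bootloader does, which is stated as an assumption in the code.

```python
import struct

# PyInstaller appends an archive "cookie" to every bundle it builds. It begins
# with the magic MEI\014\013\012\013\016 (octal escapes, as written in
# PyInstaller's own archive reader) followed by four big-endian 32-bit ints:
# package length, TOC offset, TOC length and an encoded Python version.
# Newer releases add a 64-byte Python library name after these fields, so we
# only decode the 24-byte head that every layout shares.
PYINSTALLER_MAGIC = b"MEI\x0c\x0b\x0a\x0b\x0e"
COOKIE_HEAD = "!8sIIII"


def decode_python_version(pyver: int) -> str:
    """Decode the cookie's version field to "major.minor".

    Assumption: older PyInstaller releases store major*10+minor (27 for 2.7),
    newer ones major*100+minor (311 for 3.11); the bootloader distinguishes
    the two encodings by magnitude, which is what we do here.
    """
    major, minor = divmod(pyver, 100) if pyver >= 100 else divmod(pyver, 10)
    return f"{major}.{minor}"


def find_pyinstaller_cookie(data: bytes):
    """Return a dict describing the PyInstaller cookie found in `data`, or None.

    `data` is the raw content of a file. The last occurrence of the magic is
    used because the cookie sits after the embedded archive, near the end.
    """
    idx = data.rfind(PYINSTALLER_MAGIC)
    if idx < 0:
        return None
    head_size = struct.calcsize(COOKIE_HEAD)
    if idx + head_size > len(data):
        return None  # magic present but the cookie is truncated
    _magic, pkg_len, toc_off, toc_len, pyver = struct.unpack_from(COOKIE_HEAD, data, idx)
    return {
        "cookie_offset": idx,
        "package_length": pkg_len,
        "toc_offset": toc_off,
        "toc_length": toc_len,
        "python_version": decode_python_version(pyver),
    }


def build_sample_bundle(pyver: int = 27) -> bytes:
    """Constructed stand-in for a PyInstaller-built PE: a fake MZ header, some
    filler standing in for the archive, then a valid cookie head. Not a real
    sample."""
    cookie = struct.pack(COOKIE_HEAD, PYINSTALLER_MAGIC, 4096, 3000, 512, pyver)
    return b"MZ" + b"\x00" * 64 + b"<archive-bytes>" + cookie


if __name__ == "__main__":
    import sys
    # Usage: python pyi_triage.py <file>; with no argument, run on the
    # constructed sample.
    blob = open(sys.argv[1], "rb").read() if len(sys.argv) > 1 else build_sample_bundle()
    info = find_pyinstaller_cookie(blob)
    print("PyInstaller bundle:", info if info else "no cookie found")
```

A hit only says the file was packed with PyInstaller, which plenty of legitimate software is; the value for a responder is that the embedded archive can then be unpacked and the Python payload read, rather than reverse engineering native code.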
On first execution, PWOBot uninstalls any earlier PWOBot versions it finds. It queries the Run registry keys for previous versions; most versions use a “pwo[VERSION]” format for the Run registry key, where [VERSION] is the PWOBot version number.
After the prior versions are uninstalled, the malware installs itself by copying its executable to this location:
It then sets the following registry key to point to the newly copied executable:
If this is the malware’s first run, PWOBot executes the newly copied file in a new process.
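The “pwo[VERSION]” naming of the Run key is the most concrete persistence indicator the article gives, so here is an added Python example (not the article’s or Unit 42’s code) that turns it into a check: it parses the text output of the Windows `reg query` command for the Run keys and flags value names matching that pattern. The registry output is constructed for the example, and the install path in it is a placeholder, since the article does not reproduce the real one.

```python
import re

# Value-name pattern the article gives for PWOBot persistence: "pwo[VERSION]".
PWO_VALUE_RE = re.compile(r"^pwo(\d+)$", re.IGNORECASE)
# Only the Run / RunOnce keys are autostart locations we care about here.
RUN_KEY_RE = re.compile(r"^HKEY_[A-Z_]+\\.*\\CurrentVersion\\Run(Once)?$", re.IGNORECASE)


def parse_reg_query(output: str):
    """Parse `reg query <key> [/s]` text into (key, name, type, data) tuples.

    `reg query` prints each key path unindented and each value indented,
    with the name, type and data separated by runs of spaces.
    """
    entries = []
    current_key = None
    for raw in output.splitlines():
        line = raw.rstrip()
        if not line:
            continue
        if not line.startswith(" "):  # unindented line: a key path
            current_key = line.strip()
            continue
        parts = re.split(r"\s{2,}", line.strip(), maxsplit=2)
        if len(parts) < 2 or current_key is None:
            continue
        name, reg_type = parts[0], parts[1]
        data = parts[2] if len(parts) == 3 else ""
        entries.append((current_key, name, reg_type, data))
    return entries


def find_pwobot_persistence(output: str):
    """Return Run-key values whose name matches pwo<digits>, with the version."""
    hits = []
    for key, name, reg_type, data in parse_reg_query(output):
        if not RUN_KEY_RE.match(key):
            continue
        m = PWO_VALUE_RE.match(name)
        if m:
            hits.append({"key": key, "value": name, "version": int(m.group(1)), "command": data})
    return hits


# Constructed sample output (not captured from an infected host). Paths under
# C:\constructed are placeholders; the article does not give the real one.
SAMPLE_REG_QUERY_OUTPUT = r"""
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run
    OneDrive    REG_SZ    "C:\Users\analyst\AppData\Local\Microsoft\OneDrive\OneDrive.exe" /background
    pwo9    REG_SZ    C:\constructed\path\pwo.exe

HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer
    pwo7    REG_SZ    not-a-run-key

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run
    SecurityHealth    REG_EXPAND_SZ    %windir%\system32\SecurityHealthSystray.exe
    pwo_updater    REG_SZ    C:\constructed\decoy.exe
    PWO12    REG_SZ    C:\constructed\path\pwo.exe
"""


if __name__ == "__main__":
    # On a real host, pipe in the output of:
    #   reg query HKCU\Software\Microsoft\Windows\CurrentVersion\Run
    #   reg query HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run
    for hit in find_pwobot_persistence(SAMPLE_REG_QUERY_OUTPUT):
        print(f"{hit['key']} -> {hit['value']} (version {hit['version']}): {hit['command']}")
```

The `pwo7` value under the Explorer key is deliberately ignored: a name match outside an autostart key is not persistence, and restricting the match keeps false positives down. Because the malware removes older versions on upgrade, a host will normally show at most one matching value, so any hit is worth triaging.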
Following installation, the malware hooks various keyboard and mouse events, which its keylogging function later uses. Because PWOBot is written in a modular fashion, the attacker can include various modules at runtime. The following services, with their descriptions, have shipped with PWOBot in the samples identified so far:
• PWOLauncher: Download/execute file, or execute local file
• PWOHTTPD: Spawn a HTTP server on the victim machine
• PWOKeyLogger: Log keystrokes on the victim machine
• PWOMiner: Mine bitcoins using the victim CPU/GPU
• PWOPyExec: Execute Python code
• PWOQuery: Query remote URL and return results
PWOBot comes with two configuration files: one specifies the settings the malware should use, and the other specifies the remote servers the malware should connect to during execution.
PWOBot also bundles several Windows executables that are included when the attackers compile the code with PyInstaller, as shown in the settings configuration (Figure 2). These executables perform bitcoin mining and proxy requests via Tor. The bitcoin miners are compiled versions of cgminer and minerd, used for GPU and CPU mining respectively.
PWOBot uses Tor to tunnel traffic to attackers’ remote servers. This offers both anonymity and encryption, but it should also alert network administrators who see it since the traffic most likely violates organization policies.
PWOBot encodes its network protocol as a Python dictionary. At every configured interval, PWOBot sends a notification to the remote server.
Enumerations represent the different numbers seen in the prior example; replacing each number with its enumeration gives a more complete picture of the data being sent.
Once a notification is sent, the attacker may choose to issue a command instructing PWOBot to perform one of the previously defined services. The results of these actions are then uploaded to the attacker in the same format.
A total of 12 malware variants apparently exist, based on the latest version Palo Alto Networks Unit 42 identified. The unit has witnessed versions five, six, seven, nine, 10 and 12 in the wild.
Changes among versions seem minimal and are likely performance improvements.
While PWOBot has affected Microsoft Windows platforms, it can move to the Linux and OS X operating systems because the underlying code is cross-platform. This fact, along with its modular design, makes PWOBot a significant potential threat.
The malware family has not previously been disclosed.
Palo Alto Networks protects customers from this threat in the following ways:
• All PWOBot samples are properly categorized as malicious by the WildFire service.
• Domains related to the PWOBot threat have been appropriately categorized as malicious.
• AutoFocus customers may use the PWOBot tag to monitor this threat.