Wolf in sheep's clothing: the WebFreer circumvention browser hides a mining Trojan

Posted by punzalan at 2020-03-20

0x1 Overview

Since Bitcoin appeared in 2009, dozens of virtual currencies built on blockchain technology have emerged in just eight years, giving rise to a "speculation fever". Virtual currency is produced by consuming computing power. Faced with a virtual currency market worth a trillion yuan, many criminals have had bad ideas and set out on a crooked road of mining.

Recently, Tencent Security Anti-Virus Laboratory detected abnormal traffic. Analysis showed that a circumvention browser named "webfreer" was behaving suspiciously: without the user's knowledge, the browser quietly launches a mining program (mining mainly Bitcoin and Monero), which leaves the infected machine abnormally slow. So far tens of thousands of users have been affected, and the mining proceeds involved reach one million RMB!

0x2 Sample analysis

Webfreer is a browser built on the open-source Chromium project; the criminals inserted malicious code and recompiled it to produce the Trojan. Because it is built on an open-source project, this kind of Trojan is easily misjudged by antivirus software. In addition, as a circumvention browser, webfree has a built-in VPN proxy, so normal network traffic and malicious traffic are mixed together, which makes the Trojan highly stealthy.

(VT scan results: almost no engine flags the sample as malicious)

The earliest version of webfreer had no back door; the malicious code was inserted in a later upgraded version. The inserted code is relatively simple, with no cloud-based control: once the main program starts, the mining program is launched.

Next, we decompress the installation packages and compare the files of each version. The red box marks the Trojan sample.

Mining execution flow chart:

1. Webfree analysis:

Virus samples:

Chrome.dll: the browser's main DLL module; it pulls up webproxy.exe

Webproxy.exe: mining program

1) During installation, an autostart entry is created so that the main program webfree.exe is launched at boot.

2) When webfree.exe starts, it loads chrome.dll.

3) The main thread of chrome.dll creates a timer that pulls up the mining process.

4) It checks whether the "webclientservice" service exists, to ensure that only one mining instance runs. In other versions, the mining program creates a service named "webclientservice" for mining; this is covered below.

5) It creates the webproxy process to start mining. Mining uses the Stratum mining protocol, and the mining parameters, such as the mining pool and wallet information, are passed in to the process.

Mining parameters:

Call CreateProcess to create the process:
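The analysis above notes that the miner speaks the Stratum protocol, which on the wire is newline-delimited JSON-RPC. The following is an added example (not code from the original article or from the sample) showing how a defender can recognise Stratum requests in captured plaintext traffic and extract the pool account for blocking or hunting. The session lines are constructed: `WALLET_PLACEHOLDER` and `XMR_WALLET_PLACEHOLDER` stand in for real wallet addresses, and `example/1.0` is an assumed agent string. The classic `mining.*` methods are the Bitcoin-pool Stratum vocabulary; the `login` form is the JSON-RPC variant used by Monero (CryptoNote) pools.

```python
"""Recognise Stratum mining protocol requests in captured plaintext lines.

Added example for illustration; it runs offline over a constructed session.
"""
import json
from typing import Dict, List, Optional

# Request/notification methods of the classic (Bitcoin-pool) Stratum protocol.
STRATUM_METHODS = {
    "mining.subscribe", "mining.authorize", "mining.submit",
    "mining.notify", "mining.set_difficulty",
}
# Methods that only a miner client sends; seeing one proves a miner is talking.
CLIENT_HELLO_METHODS = {"mining.subscribe", "mining.authorize", "login"}


def parse_stratum_line(line: str) -> Optional[dict]:
    """Return {'method': ..., 'account': ...} for a Stratum request, else None.

    Non-JSON lines (e.g. HTTP) and JSON responses without a method are ignored.
    """
    line = line.strip()
    if not line.startswith("{"):
        return None
    try:
        msg = json.loads(line)
    except json.JSONDecodeError:
        return None
    if not isinstance(msg, dict):
        return None
    method = msg.get("method")
    params = msg.get("params")
    if method in STRATUM_METHODS:
        account = None
        # mining.authorize params: [worker_name, password]; worker_name is
        # usually "<wallet>.<worker>" on anonymous pools.
        if method == "mining.authorize" and isinstance(params, list) and params:
            account = str(params[0])
        return {"method": method, "account": account}
    # Monero/CryptoNote pool login: params is an object with login/pass fields.
    if method == "login" and isinstance(params, dict) \
            and "login" in params and "pass" in params:
        return {"method": method, "account": str(params["login"])}
    return None


def scan_stream(lines: List[str]) -> Dict[str, object]:
    """Summarise a captured TCP stream: is it Stratum, which methods, which accounts."""
    hits = [h for h in (parse_stratum_line(l) for l in lines) if h]
    accounts = sorted({h["account"] for h in hits if h["account"]})
    return {
        "is_stratum": any(h["method"] in CLIENT_HELLO_METHODS for h in hits),
        "methods": [h["method"] for h in hits],
        "accounts": accounts,
    }


# Constructed session (not real capture): a Bitcoin-pool handshake, a stray
# HTTP line, and a Monero-style login.
SAMPLE_SESSION = [
    '{"id": 1, "method": "mining.subscribe", "params": ["cpuminer/2.5.0"]}',
    '{"id": 1, "result": [[["mining.set_difficulty", "1"], '
    '["mining.notify", "1"]], "08000002", 4], "error": null}',
    '{"id": 2, "method": "mining.authorize", "params": ["WALLET_PLACEHOLDER.worker1", "x"]}',
    'GET / HTTP/1.1',
    '{"id":1,"jsonrpc":"2.0","method":"login","params":{"login":"XMR_WALLET_PLACEHOLDER",'
    '"pass":"x","agent":"example/1.0"}}',
]

if __name__ == "__main__":
    summary = scan_stream(SAMPLE_SESSION)
    print("stratum session:", summary["is_stratum"])
    print("methods seen:   ", summary["methods"])
    print("pool accounts:  ", summary["accounts"])
```

Because webfreer mixes miner traffic with its own proxy traffic, this kind of content inspection only works where the Stratum connection is still in the clear (for example on the host, before it enters the VPN tunnel); the account strings it extracts are the same values the article later uses for traceability.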

2. Webfree analysis:

Virus samples:

Webclientservice.exe: service program; starts at boot and pulls up webproxy.exe

Webproxy.exe: mining program

1) During installation, webclientservice.exe and webproxy.exe are dropped into the system32 directory.

2) After installation completes, the installer starts the webclientservice.exe process.

3) webclientservice registers itself as a service so that it starts at boot.

4) It calls CreateEvent to create an event, ensuring that only one instance is running.

5) It visits the Google website to test whether the browser is working properly; if the site cannot be reached, it keeps waiting.

6) It obtains the path of webproxy.exe from the system32 directory or the webfree installation directory, then calls CreateProcess to launch it and start mining.

7) At the same time it starts a thread that continuously checks whether the webproxy.exe process has exited; if it has, it relaunches webproxy.
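The two execution chains above (browser variant and service variant) leave the same host-side traces: a `webproxy.exe` image, a Stratum pool URL on its command line, a parent of `webfree.exe` or `webclientservice.exe`, binaries dropped into System32, and a service named `webclientservice`. The following is an added example (not code from the original article) that turns those indicators into a small host-based triage check over a process and service snapshot of the kind an EDR, `tasklist`, or `sc qc` would provide. The snapshot is constructed; `pool.example:3333` and `WALLET_PLACEHOLDER` stand in for the real pool and wallet values.

```python
"""Host-based triage for the webfreer mining chains described in the analysis.

Added example; indicator names come from the analysis, the snapshot is constructed.
"""
from dataclasses import dataclass
from typing import Dict, List, Optional

STRATUM_SCHEMES = ("stratum+tcp://", "stratum+ssl://")
MINER_IMAGES = {"webproxy.exe"}                     # mining binary
LAUNCHER_IMAGES = {"webfree.exe", "webclientservice.exe"}  # parents that pull it up
SERVICE_NAMES = {"webclientservice"}                # persistence service name
SERVICE_IMAGES = {"webclientservice.exe", "webproxy.exe"}
SYSTEM32 = r"c:\windows\system32"


@dataclass
class Proc:
    pid: int
    name: str
    image_path: str
    cmdline: str
    parent_name: str


@dataclass
class Finding:
    pid: int
    name: str
    reasons: List[str]


def looks_like_miner_cmdline(cmdline: str) -> bool:
    """True when the command line names a Stratum mining pool."""
    low = cmdline.lower()
    return any(scheme in low for scheme in STRATUM_SCHEMES)


def in_system32(path: str) -> bool:
    return path.replace("/", "\\").lower().startswith(SYSTEM32)


def assess_process(p: Proc) -> Optional[Finding]:
    """Collect every indicator a single process matches; None if it matches nothing."""
    reasons: List[str] = []
    name = p.name.lower()
    if name in MINER_IMAGES:
        reasons.append("image name matches the miner binary")
        if in_system32(p.image_path):
            reasons.append("miner binary dropped in System32")
    elif name == "webclientservice.exe":
        reasons.append("service loader binary named in the analysis")
    if looks_like_miner_cmdline(p.cmdline):
        reasons.append("command line carries a stratum pool URL")
    # Parent relationship only adds weight once something else already matched.
    if reasons and p.parent_name.lower() in LAUNCHER_IMAGES:
        reasons.append(f"spawned by {p.parent_name}, the launcher from the analysis")
    return Finding(p.pid, p.name, reasons) if reasons else None


def assess_services(services: Dict[str, str]) -> List[str]:
    """services maps service name -> binary path (as reported by `sc qc`)."""
    flagged = []
    for svc_name, binpath in services.items():
        last = binpath.replace("/", "\\").rsplit("\\", 1)[-1]
        image = last.strip('"').split()[0].lower() if last.strip('"') else ""
        if svc_name.lower() in SERVICE_NAMES or image in SERVICE_IMAGES:
            flagged.append(svc_name)
    return flagged


def scan(procs: List[Proc], services: Dict[str, str]) -> Dict[str, object]:
    findings = [f for f in (assess_process(p) for p in procs) if f]
    return {"processes": findings, "services": assess_services(services)}


# Constructed snapshot (not real telemetry): a benign browser process plus the
# service-variant chain services.exe -> webclientservice.exe -> webproxy.exe.
SAMPLE_PROCS = [
    Proc(1200, "chrome.exe", r"C:\Program Files\Google\Chrome\Application\chrome.exe",
         "chrome.exe --type=renderer", "chrome.exe"),
    Proc(3100, "webclientservice.exe", r"C:\Windows\System32\webclientservice.exe",
         "webclientservice.exe", "services.exe"),
    Proc(4242, "webproxy.exe", r"C:\Windows\System32\webproxy.exe",
         "webproxy.exe -o stratum+tcp://pool.example:3333 -u WALLET_PLACEHOLDER -p x",
         "webclientservice.exe"),
]
SAMPLE_SERVICES = {
    "Spooler": r"C:\Windows\System32\spoolsv.exe",
    "webclientservice": r'"C:\Windows\System32\webclientservice.exe"',
}

if __name__ == "__main__":
    result = scan(SAMPLE_PROCS, SAMPLE_SERVICES)
    for f in result["processes"]:
        print(f"PID {f.pid} ({f.name}):")
        for reason in f.reasons:
            print("   -", reason)
    print("suspicious services:", result["services"])
```

The single-instance checks the Trojan performs (the `webclientservice` service lookup and the `CreateEvent` guard) are themselves useful: an unexpected service of that name, or a miner process that is immediately respawned after being killed (step 7), is a strong sign that the loader is still resident and must be removed before the miner.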

0x3 Traceability analysis

The above analysis yields two addresses.

1. Bitcoin wallet address: 113vkxzvzuou7jgwtrdha4ey7xukbhbt

This wallet has received nearly 50 bitcoins in total, worth more than 1 million RMB at the current Bitcoin price!

2. Monero wallet address: 478wnywhn4sqs8j89p8qjy4dkm2c6jhcqizi5ucjookufqirbtesafjinsxlwzcysnn1l98r2vockjggjkoxrereirgpmyerc

The wallet has received 12 Monero in total, worth 6000 yuan at the current Monero price.

3. Through traceability analysis we found homologous samples. The sample shown below pretends to be the Shadowsocks circumvention software but is actually a Monero mining Trojan. It is speculated that the author prefers to spread Trojans via circumvention software.

4. The official website's server IP is located in Canada, and the company claims to be "Galaxy Inc" (it is unconfirmed whether this company is registered). A whois lookup of the official website gives the registrant name mi**ke. From that name a QQ account nicknamed "Migao x" can be found, which is highly suspicious.

0x4 Conclusion

The "speculation fever" has given birth to a black industry chain of mining, and an apparently normal circumvention browser can hide a miner as well, catching people off guard. Under the temptation of huge profits, the tricks of criminals are endless. Users should raise their awareness of prevention, develop good Internet habits, and use Tencent PC Manager to intercept and kill Trojans.

*Author of this article: Tencent PC Manager, reprinted from