{
	"id": "f6b26396-4480-4212-ad86-56a49a3238ca",
	"created_at": "2026-04-06T00:10:22.395335Z",
	"updated_at": "2026-04-10T03:36:36.837753Z",
	"deleted_at": null,
	"sha1_hash": "34f93c703618d45e9e78f8e44bd64bc4f70eb7f2",
	"title": "Hidden Miners: Making a profit for criminals AND keeping a foot in the door",
	"llm_title": "",
	"authors": "",
	"file_creation_date": "0001-01-01T00:00:00Z",
	"file_modification_date": "0001-01-01T00:00:00Z",
	"file_size": 1644198,
	"plain_text": "Hidden Miners: Making a profit for criminals AND keeping a foot in the door\r\nBy G DATA Security Center\r\nPublished: 2020-07-07 · Archived: 2026-04-05 18:04:10 UTC\r\n07/09/2020\r\nServHelper: Hidden Miners\r\nReading time: 6 min (1702 words)\r\nIt is always a good idea to have multiple options when it comes to making a profit. This is especially true for criminals. Having a backdoor is nice, but having the backdoored system directly make money is even better.\r\nBackdoor malware is a crucial component of most persistent attacks because of its capability to carry out further damage to an infiltrated system. As it gives the threat actors access to an infected system, it opens up possibilities for lateral movement throughout the network, deployment of other malicious components, and even direct communication and connection with them.\r\nFirst seen during Q3 of 2018, a backdoor named ServHelper that is associated with the hacking group TA505 has been seen targeting the financial and retail sectors. This backdoor enabled them to install and deploy other malware such as information stealers (Predator Stealer) and Remote Access Trojans (RATs) (FlawedAmmy, NetSupport). In January 2020, we encountered a new variant that is readily capable of installing a CryptoMiner bundled with it. This miner is hidden inside the infected system in a spawned virtualized environment.\r\nArrival and Loader Function\r\nhttps://www.gdatasoftware.com/blog/2020/07/36122-hidden-miners\r\nPage 1 of 7\n\nInstallation Overview of ServHelper\r\nThis variant is compiled and delivered as an NSIS installer (Nullsoft Scriptable Install System) that usually arrives at its target as an attachment to an email luring the victim to open it. This attachment serves as a loader for the installers that will be dropped and loaded.\r\nUpon execution, the loader will check if it is running in a virtualized environment. 
This evasion and anti-analysis technique enables it to detect whether it is running in a sandbox or analysis tool, which usually runs in a virtualized environment. It does this by checking for the presence of a file, C:\\aaa_TouchMeNot_.txt, which is a legitimate test file of Windows Defender that is present if Defender is installed in a virtualized environment.\r\nIf the file is present, installation will stop.\r\nAs it proceeds, it will execute a PowerShell script file named upgrade.ps1 contained in the NSIS installer’s temporary directory ($temp).\r\nThe executed PowerShell script will decrypt and invoke the main installer of ServHelper. The PowerShell command was encrypted with a combination of Base64 encoding and the Triple DES algorithm. This protects the shell commands from being viewed in plain text and makes manual decryption of the script harder. The technique has also been seen used by other PowerShell offensive tools such as PowerSploit.\r\nAfter decrypting, it will use IEX (Invoke-Expression), which enables it to evaluate and execute the command. This command calls the main installer for ServHelper and its bundled CryptoMiner.\r\nServHelper Installer\r\nFirst Layer PowerShell Decryption Algorithm\r\nAfter the initial checks done by the loader, it will conduct another set of verifications to ensure that the target system can support its full installation. It does this with the following checks:\r\n1. Check if the running instance has Administrator privilege.\r\na. It does this by checking the WindowsIdentity class and looking for the SID “S-1-5-32-544”, an ID that indicates that the user has Administrator privileges.\r\nb. 
If the running instance of PowerShell is not at Administrator level, the installer will try to escalate privileges by using DLL hijacking with the Fubuki component of the UACME project.\r\nUACME is a collection of tools designed to bypass Windows User Account Control (UAC) and grant the user local administrator privileges. It is readily available via GitHub and is commonly used by penetration testers for research purposes. The escalation of privilege enables deployment and installation of its other components.\r\nThe hijack was done through Fubuki together with the vulnerable Windows components “Sysprep.exe” and “Wusa.exe”. This vulnerability was first discovered in 2017 on Windows 7 Build 7600 and has already been fixed in Windows 10 TH1 Build 10147. On fixed versions, the installation will only proceed if the user already has Administrator privileges.\r\n2. Check if the Read-Only Memory (ROM) size is more than 2MB (Megabytes) in SMBIOS (System Management BIOS).\r\na. As there is no ROM in a virtual environment when SMBIOS is checked, this could be another anti-virtualization technique.\r\nIf all the checks are satisfied, it will proceed to install ServHelper and its components.\r\nDuring installation, it will prepare its installation directory, C:\\Program Files\\windows mail\\, by adding it to the scan exclusions of Windows Defender using Add-MpPreference -ExclusionPath. This enables it to evade Windows Defender scans.\r\nAfterwards, it will prepare the payloads to be dropped by decrypting them using Base64 decoding and GZip decompression, and saves them to each of their designated directories.\r\nInstallation Directories for ServHelper Components\r\nVariables Holding Encrypted binaries of ServHelper and Remote Desktop Components. 
Once the components are all decrypted and dropped, it will register the installed RDP Wrapper Library (Remote Desktop Protocol) “appcache.xml” as TermService’s service DLL, making it the main target to be executed. The modified RDP Wrapper Library will then load the ServHelper DLL. TermService (Terminal Services) is natively present and related to RDP. It allows multiple users to connect to a machine as well as the display of desktops and applications on remote computers. This modification by ServHelper makes sure it runs every time the service is started.\r\nIt can also be noticed that this specific variant only targets 64-bit Windows operating systems, as the variables intended for the 32-bit versions of ServHelper and the RDP wrapper library were empty or insufficient. Variables $rdp and $bot are intended for the 32-bit version.\r\nThis completes the installation of ServHelper’s backdoor component. Once this installation is complete, the threat actors have backdoor access to the infected system, capable of sending commands and receiving information.\r\nThe Hidden Miner: LoudMiner\r\nServHelper’s Code and the Appended Script for LoudMiner\r\nPrevious versions of ServHelper installers would end once the backdoor service was installed and deployed. But in this variant, we have noticed that the installer was modified to deploy an additional attack, a CryptoMiner dubbed LoudMiner.\r\nThis CryptoMiner is named “Loud” due to its intensive use of an infected machine’s resources. It uses a virtualization tool such as VirtualBox in which it does the CryptoMining. 
Although this technique requires a lot of resources, it is a stealthy approach and evades a lot of AV detection since it runs on a virtualized layer.\r\nInitial download from LoudMiner Installer\r\nAs installation of the CryptoMiner commences, it will first check if the victim’s system can support a spawned virtualized environment. If it is capable and allowed, it will proceed by downloading VirtualBox from its official source (hxxp://download.virtualbox.org/virtualbox) and download its other components from hxxp://almagel[.]icu/mon[.]zip, which is known to host other components related to ServHelper’s previous versions.\r\nLooking inside the downloaded “mon.zip”, we can find the following files:\r\nThere are two VirtualBox virtual images available for it to use. If the available physical memory of the infected system is less than 5 GB, it will use the tb.vbox virtual image. If it has more than 5 GB of available physical memory, the virtual image tbs.vbox will be used instead.\r\nChoosing which image to use depending on the victim’s available memory\r\nIt will then use “nssm.exe” (Non-Sucking Service Manager) to install and run VirtualBox as a service. Non-Sucking Service Manager is a free utility tool that helps manage both background and foreground services. This provides it with a legitimate way of creating an instance of VirtualBox, providing another layer of stealth.\r\nUpon loading the VirtualBox image (in our test environment during analysis, tb.vbox), it is configured to automatically connect to its server and run the CryptoMiner. This was done by modifying bootlocal.sh.\r\nTaking a closer look at “bootlocal.sh”, we can see that it uses the XMRig miner as its CryptoMiner. 
XMRig is an open-source CPU-based CryptoMiner that was released in May 2017 mainly for mining the Monero cryptocurrency. It is a suitable CryptoMiner for abuse because it is open-source and it utilizes the CPU, which should be readily available on all potential targets. This completes the installation of the CryptoMining component that enables the infected machine to mine for cryptocurrency while hiding inside a virtualized environment, improving its chances of evasion and stealth.\r\nAn Infected System with LoudMiner Inside a VirtualBox\r\nConclusion\r\nThe ready combination of a backdoor capability and a CryptoMining component in one piece of malware enables the threat actors to deliver both an active and a passive means of exploitation. It lets them gain an immediate passive benefit from each successful infection through CryptoMining, while still having the flexibility and foothold of active control through the backdoor they have installed.\r\nWhether you are using technology at home, in your business, or in the organization that you are a part of, threats are real and are actively adding features to their arsenal. That is why it is important to always practice safe and secure use of technology, because prevention will always be our first line of defense.\r\nThreats escalating their privileges on infected machines is a crucial component of a cyberattack. 
Enforcing security concepts and policies from frameworks such as AAA (Authentication, Authorization, Accounting) can help ensure that the highest possible UAC level is enforced, thus helping to mitigate the risks.\r\nOn top of that, it is also vital to make sure that we use a reliable security solution that covers multiple layers of protection, from e-mail protection and network security up to an endpoint solution that is capable of cleverly protecting us from these kinds of threats.\r\nIOC list\r\nBinaries\r\nSHA256    File    Detection\r\nC0F5375DD4530C7554212E7C8D85EBE41370BE49E1AA40D381F2E34CBF319134    NSIS Loader    Gen:Variant.Strictor.239587\r\nA7ECF925427FA07C40FF335E57EE04DCB028A97B4C5A8429CC7ED101CB30B1D0    upgrade.ps1    PowerShell.Trojan.Agent.AQX\r\n26E2794167F5A4F5A1C7E708823B77FD6500290DF4DA225181D55F030B0043EB    default_list.xml (ServHelper)    Gen:Variant.Ursu.750288\r\n85A8867844CC43840DB2ADB62153722A994EFEECC0F066A3E0211CAD69D1AA77    appcache.xml    Gen:Variant.Ursu.750421\r\nURLs\r\nSource: https://www.gdatasoftware.com/blog/2020/07/36122-hidden-miners",
	"extraction_quality": 1,
	"language": "EN",
	"sources": [
		"Malpedia"
	],
	"references": [
		"https://www.gdatasoftware.com/blog/2020/07/36122-hidden-miners"
	],
	"report_names": [
		"36122-hidden-miners"
	],
	"threat_actors": [
		{
			"id": "5e6b31a6-80e3-4e7d-8b0a-d94897ce9b59",
			"created_at": "2024-06-19T02:03:08.128175Z",
			"updated_at": "2026-04-10T02:00:03.636663Z",
			"deleted_at": null,
			"main_name": "GOLD TAHOE",
			"aliases": [
				"Cl0P Group Identity",
				"FIN11 ",
				"GRACEFUL SPIDER ",
				"SectorJ04 ",
				"Spandex Tempest ",
				"TA505 "
			],
			"source_name": "Secureworks:GOLD TAHOE",
			"tools": [
				"Clop",
				"Cobalt Strike",
				"FlawedAmmy",
				"Get2",
				"GraceWire",
				"Malichus",
				"SDBbot",
				"ServHelper",
				"TrueBot"
			],
			"source_id": "Secureworks",
			"reports": null
		},
		{
			"id": "75d4d6a9-b5d1-4087-a7a0-e4a9587c45f4",
			"created_at": "2022-10-25T15:50:23.5188Z",
			"updated_at": "2026-04-10T02:00:05.26565Z",
			"deleted_at": null,
			"main_name": "TA505",
			"aliases": [
				"TA505",
				"Hive0065",
				"Spandex Tempest",
				"CHIMBORAZO"
			],
			"source_name": "MITRE:TA505",
			"tools": [
				"AdFind",
				"Azorult",
				"FlawedAmmyy",
				"Mimikatz",
				"Dridex",
				"TrickBot",
				"Get2",
				"FlawedGrace",
				"Cobalt Strike",
				"ServHelper",
				"Amadey",
				"SDBbot",
				"PowerSploit"
			],
			"source_id": "MITRE",
			"reports": null
		},
		{
			"id": "99cb4e5b-8071-4f9e-aa1d-45bfbb6197e3",
			"created_at": "2023-01-06T13:46:38.860754Z",
			"updated_at": "2026-04-10T02:00:03.125179Z",
			"deleted_at": null,
			"main_name": "TA505",
			"aliases": [
				"SectorJ04",
				"SectorJ04 Group",
				"ATK103",
				"GRACEFUL SPIDER",
				"GOLD TAHOE",
				"Dudear",
				"G0092",
				"Hive0065",
				"CHIMBORAZO",
				"Spandex Tempest"
			],
			"source_name": "MISPGALAXY:TA505",
			"tools": [],
			"source_id": "MISPGALAXY",
			"reports": null
		},
		{
			"id": "e447d393-c259-46e2-9932-19be2ba67149",
			"created_at": "2022-10-25T16:07:24.28282Z",
			"updated_at": "2026-04-10T02:00:04.921616Z",
			"deleted_at": null,
			"main_name": "TA505",
			"aliases": [
				"ATK 103",
				"Chimborazo",
				"G0092",
				"Gold Evergreen",
				"Gold Tahoe",
				"Graceful Spider",
				"Hive0065",
				"Operation Tovar",
				"Operation Trident Breach",
				"SectorJ04",
				"Spandex Tempest",
				"TA505",
				"TEMP.Warlock"
			],
			"source_name": "ETDA:TA505",
			"tools": [
				"Amadey",
				"AmmyyRAT",
				"AndroMut",
				"Azer",
				"Bart",
				"Bugat v5",
				"CryptFile2",
				"CryptoLocker",
				"CryptoMix",
				"CryptoShield",
				"Dridex",
				"Dudear",
				"EmailStealer",
				"FRIENDSPEAK",
				"Fake Globe",
				"Fareit",
				"FlawedAmmyy",
				"FlawedGrace",
				"FlowerPippi",
				"GOZ",
				"GameOver Zeus",
				"GazGolder",
				"Gelup",
				"Get2",
				"GetandGo",
				"GlobeImposter",
				"Gorhax",
				"GraceWire",
				"Gussdoor",
				"Jaff",
				"Kasidet",
				"Kegotip",
				"Kneber",
				"LOLBAS",
				"LOLBins",
				"Living off the Land",
				"Locky",
				"MINEBRIDGE",
				"MINEBRIDGE RAT",
				"MirrorBlast",
				"Neutrino Bot",
				"Neutrino Exploit Kit",
				"P2P Zeus",
				"Peer-to-Peer Zeus",
				"Philadelphia",
				"Philadephia Ransom",
				"Pony Loader",
				"Rakhni",
				"ReflectiveGnome",
				"Remote Manipulator System",
				"RockLoader",
				"RuRAT",
				"SDBbot",
				"ServHelper",
				"Shifu",
				"Siplog",
				"TeslaGun",
				"TiniMet",
				"TinyMet",
				"Trojan.Zbot",
				"Wsnpoem",
				"Zbot",
				"Zeta",
				"ZeuS",
				"Zeus"
			],
			"source_id": "ETDA",
			"reports": null
		}
	],
	"ts_created_at": 1775434222,
	"ts_updated_at": 1775792196,
	"ts_creation_date": 0,
	"ts_modification_date": 0,
	"files": {
		"pdf": "https://archive.orkl.eu/34f93c703618d45e9e78f8e44bd64bc4f70eb7f2.pdf",
		"text": "https://archive.orkl.eu/34f93c703618d45e9e78f8e44bd64bc4f70eb7f2.txt",
		"img": "https://archive.orkl.eu/34f93c703618d45e9e78f8e44bd64bc4f70eb7f2.jpg"
	}
}