- The MonsterInstall trojan gains persistence by adding itself to the infected system's autorun, so that it is launched automatically after the machine is rebooted.
- The downloader trojan also downloads the crypto mining module ‘xmrig.dll’ onto the infected system.
How does the trojan function?
Researchers from Yandex discovered the MonsterInstall downloader trojan and reported it to Doctor Web's research team for further analysis. Doctor Web researchers analyzed the trojan sample and revealed the following insights.
- When users download the game cheat, they end up downloading a password-protected zip archive that contains an executable file.
- Once launched, the executable file downloads the game cheat along with the MonsterInstall trojan components.
- Once the trojan is launched, it gains persistence by adding itself to the infected system's autorun, so that it is launched automatically after the machine is rebooted.
- MonsterInstall then starts gathering system info and sends it to the C&C server controlled by the attacker.
- The downloader trojan then downloads the crypto mining module ‘xmrig.dll’ onto the infected system.
The cryptomining module
The cryptomining module loads the malicious executable 'xmrig.exe'. The executable sends system information to its C&C server and receives the miner configuration back as a JSON file.
Once the miner configuration is loaded, the miner runs automatically and starts mining the TurtleCoin cryptocurrency.
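A defender-side triage script for the two behaviours described above, the autorun persistence and the loading of the 'xmrig.exe' miner, added here as an example; it is not code from Doctor Web, Yandex, or the article. It enumerates the Windows autorun locations a trojan adding itself to autorun would commonly write to (Run/RunOnce registry keys and the Startup folders) plus the running processes, and flags anything that references the file names the article gives, 'xmrig.dll' and 'xmrig.exe'. The registry paths, Startup folders and the user-writable-path heuristic are standard Windows locations and my own assumptions, not details taken from the article.

```powershell
# Added triage example (not from the Doctor Web / Yandex write-up).
# Indicators are the two file names quoted in the article; everything else is an assumption.
$Indicators = @('xmrig.dll', 'xmrig.exe')

# Registry locations Windows consults at logon; "adding itself to autorun" commonly means one of these.
$RunKeys = @(
    'HKCU:\Software\Microsoft\Windows\CurrentVersion\Run',
    'HKCU:\Software\Microsoft\Windows\CurrentVersion\RunOnce',
    'HKLM:\Software\Microsoft\Windows\CurrentVersion\Run',
    'HKLM:\Software\Microsoft\Windows\CurrentVersion\RunOnce'
)

function Get-AutorunEntries {
    # Registry Run/RunOnce values for the current user and the machine
    foreach ($key in $RunKeys) {
        if (-not (Test-Path $key)) { continue }
        $props = Get-ItemProperty -Path $key
        foreach ($p in $props.PSObject.Properties) {
            # Skip the provider bookkeeping properties PowerShell attaches to the object
            if ($p.Name -in 'PSPath', 'PSParentPath', 'PSChildName', 'PSDrive', 'PSProvider') { continue }
            [pscustomobject]@{ Source = $key; Name = $p.Name; Command = [string]$p.Value }
        }
    }
    # Per-user and all-users Startup folders
    foreach ($folder in @([Environment]::GetFolderPath('Startup'), [Environment]::GetFolderPath('CommonStartup'))) {
        if (Test-Path $folder) {
            Get-ChildItem -Path $folder -File | ForEach-Object {
                [pscustomobject]@{ Source = $folder; Name = $_.Name; Command = $_.FullName }
            }
        }
    }
}

function Test-SuspiciousEntry {
    param([string]$Command)
    $lower = $Command.ToLowerInvariant()
    foreach ($i in $Indicators) {
        if ($lower.Contains($i)) { return "matches indicator '$i'" }
    }
    # Heuristic (assumption): launch commands pointing into user-writable locations deserve a look
    # even without a name match, since a downloader running as the user drops its payload there.
    $userDirs = @($env:APPDATA, $env:LOCALAPPDATA, $env:TEMP, $env:USERPROFILE) | Where-Object { $_ }
    foreach ($d in $userDirs) {
        if ($lower.Contains($d.ToLowerInvariant())) { return "launches from user-writable path '$d'" }
    }
    return $null
}

$findings = @()
foreach ($e in Get-AutorunEntries) {
    $why = Test-SuspiciousEntry -Command $e.Command
    if ($why) {
        $findings += [pscustomobject]@{ Where = $e.Source; Name = $e.Name; Command = $e.Command; Why = $why }
    }
}

# Running processes: the article says the module loads 'xmrig.exe'; also check for a loaded 'xmrig.dll'.
# Protected or other-bitness processes throw on MainModule/Modules, so those are skipped, not fatal.
foreach ($proc in Get-Process) {
    $path = $null
    try { $path = $proc.MainModule.FileName } catch { }
    if ($path) {
        $lowerPath = $path.ToLowerInvariant()
        foreach ($i in $Indicators) {
            if ($lowerPath.Contains($i)) {
                $findings += [pscustomobject]@{ Where = 'process'; Name = $proc.ProcessName; Command = $path; Why = "image path matches '$i'" }
            }
        }
    }
    $mods = @()
    try { $mods = @($proc.Modules | ForEach-Object { $_.ModuleName }) } catch { }
    if ($mods -contains 'xmrig.dll') {
        $findings += [pscustomobject]@{ Where = 'process'; Name = $proc.ProcessName; Command = $path; Why = 'loaded xmrig.dll' }
    }
}

if ($findings.Count -eq 0) { Write-Host 'No autorun entries or processes matched the indicators.' }
else { $findings | Format-Table -AutoSize }
```

Run it from an elevated PowerShell session so that HKLM and other users' processes are readable. The user-writable-path check is deliberately noisy: legitimate software also installs under AppData, so treat that reason as a prompt to inspect the file rather than as a verdict, while a match on the article's indicator names is the finding worth escalating.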
“Developers of this malware own several websites with game cheats, which they use to spread the malware, but they also infect other similar websites with the same trojan. According to SimilarWeb’s statistics, users browse these websites at least 127,400 times per month,” Doctor Web researchers said.