Bitcoin miners spreading via software cracks

Software privacy comes in many forms, one way is using ‘cracks’ which can be used to bypass the licence and activation software seen in commercial software.

Running any software provided by an unknown third  party is a really risky thing to do. As it provides an easy method for an attacker to run malicious code on your system potentially without having to find any vulnerabilities or exploits. The MITRE ATT&CK technique for this is User Execution

Today we are analysing a highly popular software crack to determine how it works and how it covertly adds malicious code despite the appearance of it being clean when uploaded to tools such as VirusTotal.

Software cracking popularity

The software we are analysing is Internet Download Manager (Official Website: It’s popular in countries which have slower Internet speeds to manage large downloads. The software itself is not malicious and all the malicious activity described in this article is from a malicious third party crack.

A screenshot from the website where the crack is downloaded from is shown below. Note that the download has been commented on 2,156 times and we believe these are legitimate comments which shows its popularity. This download source is the most popular software cracking website English speaking Asia which according to Similar Web has nearly 500,000 visitors a month! 

The latest version has been downloaded  118,510 times and considering there were previous versions of this crack available, it is highly likely this sample has been executed at least hundreds of thousands of times.

Due diligence of suspicious software?

Many tech savvy users will perform a basic level of due diligence in an attempt to mitigate the risk of running software from an unknown source. The most common way is to upload all files to VirusTotal which will scan the file with multiple AntiVirus engines.

The crack archive contained two files. File 1 is  the original installer provided by Internet Download Manager which is clean.

File 2 is the software crack itself which only 1 Anti Virus engine reports as suspicious with the title ‘Possible Threat’. It does not provide details of the real hostile nature of this software crack.

The software crack vendor also prompts the user that Anti Virus may product a false positive by saying:

Based upon only 1 AV engine reporting the file as suspicious and with 62/63 vendors saying the file has no detected threats you can see why even tech savvy users believe the software crack to be non malicious.

By analysing a private data source we can determine where in the world suspicious samples are being detected. The majority of detections for this software crack are from countries with slower fixed line Internet speeds including: Pakistan, Bangladesh, Turkey, and Nigeria.

Archives, in archives, in archives

The software crack itself is a maze of encrypted archives, redundant and overlapping code. The primary files distributed which excludes files contained within the executables is shown in the image below. There are two levels of encrypted archives and additional encrypted archives which are downloaded by the installation process.

Analysing the files we find that the software crack is contained in main.bat and is very simple only requiring registry changes to activate the software.

Executing it on a system with the SenseOn sensor installed  and we can see main.bat file being executed in the cmd.exe processing amending the registry with reg.exe as shown in the script above.

Hidden payloads

However the sample clearly has significant additional functionality, before it unloads we detect it adding an exclusion path to Microsoft Defender for Endpoint to prevent it from scanning %username%\AppData\Roaming. This is the location where the malware operates from and 

After the Anti Virus has had an exclusion path set we see the file IDM0.bat checks the processor type. If it’s 64bit it extracts the encrypted archive files.tmp and adds new registry keys to establish persistence.

Running the sample with data from SenseOn we can see it unencrypting the archive files.tmp and the full password for the archive which is tmp@tmp420

Then we see a new file downloaded from the same site that provided the crack in PowerShell. This download occurs immediately after installation and then on a daily basis as a method to get updates. The update overwrote some of the binaries which were present in the initial software crack and is likely a way to run different payloads and provide updates to infected systems.

The downloaded update is a 7zip archive. The initial crack distributed a command line tool to extract the 7zip 7za.exe. With our telemetry we can can see the password in the clear which is un#912345678@rar

Within the archive which contained the update there are 3 files:

  1. An updated version of VScan
  2. A crypto miner cleverly called dl1host.exe which bears no similarity to dllhost.exe 
  3. A .sys file which is used to establish persistence of the dl1host.exe

After a reboot the cryptominer kicks into action and we can see one of the machine’s cores being maxed out.

The dl1host.exe executable frequently calls out to the crypto mining pool server.custompool[.]xyz. Connections to crypto mining pools from network or web proxy data is an effective way to detect crypto miners in any environment.

It’s not surprising to security professionals that running any executable which comes from an unknown source is highly risky. The threat actor in this case has gone to significant effort to obscure the malicious nature of their code to the extent that it appears almost without fault from an analysis on VirusTotal. 

Organisations should monitor their systems to ensure they are being used in lawful and appropriate manners. Additionally employees should be prevented from having administrative rights as a minority will abuse these rights. The risk of an employee using pirated software goes beyond just the deployment of malware but could inflict significant legal and financial implications.