Auteur Sujet: [FireEye]How the Rise of Cryptocurrencies Is Shaping the Cyber Crime Landscape: The Growth of Miners  (Lu 100 fois)

0 Membres et 1 Invité sur ce sujet

Hors ligne igor51

  • Admin
  • Mega Power Members
  • *****
  • Messages: 10332
How the Rise of Cryptocurrencies Is Shaping the Cyber Crime Landscape:
The Growth of Miners


Introduction


 

Cyber criminals tend to favor cryptocurrencies because they provide
  a certain level of anonymity and can be easily monetized. This     href="https://www.fireeye.com/blog/threat-research/2018/04/cryptocurrencies-cyber-crime-blockchain-infrastructure-use.html">interest
    has increased in recent years, stemming far beyond the desire to
  simply use cryptocurrencies as a method of payment for illicit tools
  and services. Many actors have also attempted to capitalize on the
  growing popularity of cryptocurrencies, and subsequent rising price,
  by conducting various operations aimed at them. These operations
  include malicious cryptocurrency mining (also referred to as
  cryptojacking), the collection of cryptocurrency wallet credentials,
  extortion activity, and the targeting of cryptocurrency exchanges.


 

This blog post discusses the various trends that we have been
  observing related to cryptojacking activity, including cryptojacking
  modules being added to popular malware families, an increase in
  drive-by cryptomining attacks, the use of mobile apps containing
  cryptojacking code, cryptojacking as a threat to critical
  infrastructure, and observed distribution mechanisms.


 

What Is Mining?


 

As transactions occur on a blockchain, those transactions must be
  validated and propagated across the network. As computers connected to
  the blockchain network (aka nodes) validate and propagate the
  transactions across the network, the miners include those transactions
  into "blocks" so that they can be added onto the chain. Each
  block is cryptographically hashed, and must include the hash of the
  previous block, thus forming the "chain" in blockchain. In
  order for miners to compute the complex hashing of each valid block,
  they must use a machine's computational resources. The more blocks
  that are mined, the more resource-intensive solving the hash becomes.
  To overcome this, and accelerate the mining process, many miners will
  join collections of computers called "pools" that work
  together to calculate the block hashes. The more computational
  resources a pool harnesses, the greater the pool's chance of mining a
  new block. When a new block is mined, the pool's participants are
  rewarded with coins. Figure 1 illustrates the roles miners play in the
  blockchain network.


 


 
 
 Figure 1: The role of miners


 

Underground Interest


 

FireEye iSIGHT Intelligence has identified eCrime actor interest in
  cryptocurrency mining-related topics dating back to at least 2009
  within underground communities. Keywords that yielded significant
  volumes include miner, cryptonight, stratum, xmrig, and cpuminer.
  While searches for certain keywords fail to provide context, the
  frequency of these cryptocurrency mining-related keywords shows a
  sharp increase in conversations beginning in 2017 (Figure 2). It is
  probable that at least a subset of actors prefer cryptojacking over
  other types of financially motivated operations due to the perception
  that it does not attract as much attention from law enforcement.


 


 
 
 Figure 2: Underground keyword mentions


 

Monero Is King


 

The majority of recent cryptojacking operations have overwhelmingly
  focused on mining Monero, an open-source cryptocurrency based on the
  CryptoNote protocol, as a fork of Bytecoin. Unlike many
  cryptocurrencies, Monero uses a unique technology called "ring
  signatures," which shuffles users' public keys to eliminate the
  possibility of identifying a particular user, ensuring it is
  untraceable. Monero also employs a protocol that generates multiple,
  unique single-use addresses that can only be associated with the
  payment recipient and are unfeasible to be revealed through blockchain
  analysis, ensuring that Monero transactions are unable to be linked
  while also being cryptographically secure.


 

The Monero blockchain also uses what's called a
  "memory-hard" hashing algorithm called CryptoNight and,
  unlike Bitcoin's SHA-256 algorithm, it deters application-specific
  integrated circuit (ASIC) chip mining. This feature is critical to the
  Monero developers and allows for CPU mining to remain feasible and
  profitable. Due to these inherent privacy-focused features and
  CPU-mining profitability, Monero has become an attractive option for
  cyber criminals.


 

Underground Advertisements for Miners


 

Because most miner utilities are small, open-sourced tools, many
  criminals rely on crypters. Crypters are tools that employ encryption,
  obfuscation, and code manipulation techniques to keep their tools and
  malware fully undetectable (FUD). Table 1 highlights some of the most
  commonly repurposed Monero miner utilities.


 
   
     
   
     
   
     
   
     
   
     
   
     
   
     
   
     
   
     
   
     
   
     


          XMR Mining Utilities

XMR-STACK

MINERGATE

XMRMINER

CCMINER

XMRIG

CLAYMORE

SGMINER

CAST XMR

LUKMINER

CPUMINER-MULTI


 


  Table 1: Commonly used Monero miner utilities


 

The following are sample advertisements for miner utilities commonly
  observed in underground forums and markets. Advertisements typically
  range from stand-alone miner utilities to those bundled with other
  functions, such as credential harvesters, remote administration tool
  (RAT) behavior, USB spreaders, and distributed denial-of-service
  (DDoS) capabilities.


 
Sample Advertisement #1 (Smart Miner + Builder)

 

In early April 2018, actor "Mon£y" was observed by FireEye
  iSIGHT Intelligence selling a Monero miner for $80 USD – payable via
  Bitcoin, Bitcoin Cash, Ether, Litecoin, or Monero – that included
  unlimited builds, free automatic updates, and 24/7 support. The tool,
  dubbed Monero Madness (Figure 3), featured a setting called Madness
  Mode that configures the miner to only run when the infected machine
  is idle for at least 60 seconds. This allows the miner to work at its
  full potential without running the risk of being identified by the
  user. According to the actor, Monero Madness also provides the
  following features:


 
  • Unlimited builds

  •    
  • Builder GUI (Figure 4)
  • Written in AutoIT (no
      dependencies)
  • FUD
  • Safer error handling
  • Uses
        most recent XMRig code
  • Customizable pool/port

  •    
  • Packed with UPX
  • Works on all Windows OS (32- and
      64-bit)
  • Madness Mode option

 


 
 
 Figure 3: Monero Madness


 


 
 
 Figure 4: Monero Madness builder


 
Sample Advertisement #2 (Miner + Telegram Bot Builder)

 

In March 2018, FireEye iSIGHT Intelligence observed actor
  "kent9876" advertising a Monero cryptocurrency miner called
  Goldig Miner (Figure 5). The actor requested payment of $23 USD for
  either CPU or GPU build or $50 USD for both. Payments could be made
  with Bitcoin, Ether, Litecoin, Dash, or PayPal. The miner ostensibly
  offers the following features:


 
  • Written in C/C++

  •    
  • Build size is small (about 100–150 kB)
  • Hides miner
        process from popular task managers
  • Can run without
        Administrator privileges (user-mode)
  • Auto-update
      ability
  • All data encoded with 256-bit key
  • Access to
        Telegram bot-builder
  • Lifetime support (24/7) via
      Telegram

 


 
 
 Figure 5: Goldig Miner advertisement


 
Sample Advertisement #3 (Miner + Credential Stealer)

 

In March 2018, FireEye iSIGHT Intelligence observed actor
  "TH3FR3D" offering a tool dubbed Felix (Figure 6) that
  combines a cryptocurrency miner and credential stealer. The actor
  requested payment of $50 USD payable via Bitcoin or Ether. According
  to the advertisement, the Felix tool boasted the following features:


 
  • Written in C# (Version
      1.0.1.0)
  • Browser stealer for all major browsers (cookies,
        saved passwords, auto-fill)
  • Monero miner (uses
        minergate.com pool by default, but can be configured)

  •    
  • Filezilla stealer
  • Desktop file grabber (.txt and
      more)
  • Can download and execute files
  • Update
      ability
  • USB spreader functionality
  • PHP web
      panel

 


 
 
 Figure 6: Felix HTTP


 
Sample Advertisement #4 (Miner + RAT)

 

In January 2018, FireEye iSIGHT Intelligence observed actor
  "ups" selling a miner for any Cryptonight-based
  cryptocurrency (e.g., Monero and Dashcoin) for either Linux or Windows
  operating systems. In addition to being a miner, the tool allegedly
  provides local privilege escalation through the   href="https://docs.microsoft.com/en-us/security-updates/securitybulletins/2016/ms16-032">CVE-2016-0099
  exploit, can download and execute remote files, and receive commands.
  Buyers could purchase the Windows or Linux tool for €200 EUR, or €325
  EUR for both the Linux and Windows builds, payable via Monero,
  bitcoin, ether, or dash. According to the actor, the tool offered the following:


 


  Windows Build Specifics


 
  • Written in C++ (no
      dependencies)
  • Miner component based on XMRig
  • Easy
        cryptor and VPS hosting options
  • Web panel (Figure 7)

  •    
  • Uses TLS for secured communication
  • Download and
      execute
  • Auto-update ability
  • Cleanup routine

  •    
  • Receive remote commands
  • Perform privilege
      escalation
  • Features "game mode" (mining stops if
        user plays game)
  • Proxy feature (based on XMRig)

  •    
  • Support (for €20/month)
  • Kills other miners from
      list
  • Hidden from TaskManager
  • Configurable pool,
        coin, and wallet (via panel)
  • Can mine the following
        Cryptonight-based coins:
    • Monero
    • Bytecoin

    •      
    • Electroneum
    • DigitalNote
    • Karbowanec

    •      
    • Sumokoin
    • Fantomcoin
    • Dinastycoin

    •      
    • Dashcoin
    • LeviarCoin
    • BipCoin

    •      
    • QuazarCoin
    • Bitcedi

 


  Linux Build Specifics


 
  • Issues running on Linux
        servers (higher performance on desktop OS)
  • Compatible with
        AMD64 processors on Ubuntu, Debian, Mint (support for CentOS
      later)

 


 
 
 Figure 7: Miner bot web panel


 
Sample Advertisement #5 (Miner + USB Spreader + DDoS Tool)

 

In August 2017, actor "MeatyBanana" was observed by
  FireEye iSIGHT Intelligence selling a Monero miner utility that
  included the ability to download and execute files and perform DDoS
  attacks. The actor offered the software for $30 USD, payable via
  Bitcoin. Ostensibly, the tool works with CPUs only and offers the
  following features:


 
  • Configurable miner pool
        and port (default to minergate)
  • Compatible with both 64-
        and 86-bit Windows OS
  • Hides from the following popular task
      managers:
  • Windows Task Manager
  • Process Killer

  •  
  • KillProcess
  • System Explorer
  • Process
      Explorer
  • AnVir
  • Process Hacker
  • Masked as a
        system driver
  • Does not require administrator
      privileges
  • No dependencies
  • Registry persistence
      mechanism
  • Ability to perform "tasks" (download and
        execute files, navigate to a site, and perform DDoS)
  • USB
      spreader
  • Support after purchase

 

The Cost of Cryptojacking


 

The presence of mining software on a network can generate costs on
  three fronts as the miner surreptitiously allocates resources:


 
  1. Degradation in system
      performance
  2. Increased cost in electricity
  3. Potential
        exposure of security holes

 

Cryptojacking targets computer processing power, which can lead to
  high CPU load and degraded performance. In extreme cases, CPU overload
  may even cause the operating system to crash. Infected machines may
  also attempt to infect neighboring machines and therefore generate
  large amounts of traffic that can overload victims' computer networks.


 

In the case of operational technology (OT) networks, the
  consequences could be severe. Supervisory control and data
  acquisition/industrial control systems (SCADA/ICS) environments
  predominately rely on decades-old hardware and low-bandwidth networks,
  therefore even a slight increase in CPU load or the network could
  leave industrial infrastructures unresponsive, impeding operators from
  interacting with the controlled process in real-time.


 

The electricity cost, measured in kilowatt hour (kWh), is dependent
  upon several factors: how often the malicious miner software is
  configured to run, how many threads it's configured to use while
  running, and the number of machines mining on the victim's network.
  The cost per kWh is also highly variable and depends on geolocation.
  For example, security researchers who ran Coinhive on a machine for 24
  hours found that the electrical consumption was 1.212kWh. They
  estimated that this equated to electrical costs per month of $10.50
  USD in the United States, $5.45 USD in Singapore, and $12.30 USD in Germany.


 

Cryptojacking can also highlight often overlooked security holes in
  a company's network. Organizations infected with cryptomining malware
  are also likely vulnerable to more severe exploits and attacks,
  ranging from ransomware to ICS-specific malware such as TRITON.


 

Cryptocurrency Miner Distribution Techniques


 

In order to maximize profits, cyber criminals widely disseminate
  their miners using various techniques such as incorporating
  cryptojacking modules into existing botnets, drive-by cryptomining
  attacks, the use of mobile apps containing cryptojacking code, and
  distributing cryptojacking utilities via spam and self-propagating
  utilities. Threat actors can use cryptojacking to affect numerous
  devices and secretly siphon their computing power. Some of the most
  commonly observed devices targeted by these cryptojacking schemes are:


 
  • User endpoint
      machines
  • Enterprise servers
  • Websites
  • Mobile
      devices
  • Industrial control systems

 
Cryptojacking in the Cloud

 

Private sector companies and governments alike are increasingly     href="https://www.fireeye.com/blog/executive-perspective/2018/04/anatomy-of-a-public-cloud-compromise.html">moving
    their data and applications to the cloud, and cyber threat
  groups have been moving with them. Recently, there have been various
  reports of actors conducting cryptocurrency mining operations
  specifically targeting cloud infrastructure. Cloud infrastructure is
  increasingly a target for cryptojacking operations because it offers
  actors an attack surface with large amounts of processing power in an
  environment where CPU usage and electricity costs are already expected
  to be high, thus allowing their operations to potentially go
  unnoticed. We assess with high confidence that threat actors will
  continue to target enterprise cloud networks in efforts to harness
  their collective computational resources for the foreseeable future.


 

The following are some real-world examples of cryptojacking in the cloud:


 
  • In February 2018, FireEye
        researchers published a blog detailing various techniques actors
        used in order to deliver malicious miner payloads (specifically to
        vulnerable Oracle servers) by abusing CVE-2017-10271. Refer to our
        blog post for more detailed information regarding the       href="https://www.fireeye.com/blog/threat-research/2018/02/cve-2017-10271-used-to-deliver-cryptominers.html">post-exploitation
          and pre-mining dissemination techniques used in those
      campaigns.
  • In March 2018,       href="https://www.bleepingcomputer.com/news/security/coinminer-campaigns-move-to-the-cloud-via-docker-kubernetes/">Bleeping
          Computer reported on the trend of cryptocurrency mining
        campaigns moving to the cloud via vulnerable Docker and Kubernetes
        applications, which are two software tools used by developers to
        help scale a company's cloud infrastructure. In most cases,
        successful attacks occur due to misconfigured applications and/or
        weak security controls and passwords.
  • In February 2018,       href="https://www.bleepingcomputer.com/news/security/tesla-internal-servers-infected-with-cryptocurrency-miner/">Bleeping
          Computer also reported on hackers who breached Tesla's cloud
        servers to mine Monero. Attackers identified a Kubernetes console
        that was not password protected, allowing them to discover login
        credentials for the broader Tesla Amazon Web services (AWS) S3 cloud
        environment. Once the attackers gained access to the AWS environment
        via the harvested credentials, they effectively launched their
        cryptojacking operations.
  • Reports of cryptojacking activity
        due to misconfigured AWS S3 cloud storage buckets have also been
        observed, as was the case in the       href="https://www.theregister.co.uk/2018/02/22/la_times_amazon_aws_s3/">LA
          Times online compromise in February 2018. The presence of
        vulnerable AWS S3 buckets allows anyone on the internet to access
        and change hosted content, including the ability to inject mining
        scripts or other malicious software.

 
Incorporation of Cryptojacking into Existing Botnets

 

FireEye iSIGHT Intelligence has observed multiple prominent botnets
  such as Dridex and Trickbot incorporate cryptocurrency mining into
  their existing operations. Many of these families are modular in
  nature and have the ability to download and execute remote files, thus
  allowing the operators to easily turn their infections into
  cryptojacking bots. While these operations have traditionally been
  aimed at credential theft (particularly of banking credentials),
  adding mining modules or downloading secondary mining payloads
  provides the operators another avenue to generate additional revenue
  with little effort. This is especially true in cases where the victims
  were deemed unprofitable or have already been exploited in the
  original scheme.


 

The following are some real-world examples of cryptojacking being
  incorporated into existing botnets:


 
  • In early February 2018,
        FireEye iSIGHT Intelligence observed Dridex botnet ID 2040 download
        a Monero cryptocurrency miner based on the open-source XMRig
      miner.
  • On Feb. 12, 2018, FireEye iSIGHT Intelligence observed
        the banking malware IcedID injecting Monero-mining JavaScript into
        webpages for specific, targeted URLs. The IcedID injects launched an
        anonymous miner using the mining code from Coinhive's
      AuthedMine.
  • In late 2017,       href="https://www.bleepingcomputer.com/news/security/codefork-group-uses-fileless-malware-to-deploy-monero-miners/">Bleeping
          Computer reported that security researchers with Radware
        observed the hacking group CodeFork leveraging the popular
        downloader Andromeda (aka Gamarue) to distribute a miner module to
        their existing botnets.
  • In late 2017, FireEye researchers
        observed Trickbot operators deploy a new module named
        "testWormDLL" that is a statically compiled copy of the
        popular XMRig Monero miner.
  • On Aug. 29, 2017,       href="https://www.securityweek.com/jimmy-banking-trojan-reuses-nukebot-code">Security
          Week reported on a variant of the popular Neutrino banking
        Trojan, including a Monero miner module. According to their
        reporting, the new variant no longer aims at stealing bank card
        data, but instead is limited to downloading and executing modules
        from a remote server.

 

Drive-By Cryptojacking


 
In-Browser

 

FireEye iSIGHT Intelligence has examined various customer reports of
  browser-based cryptocurrency mining. Browser-based mining scripts have
  been observed on compromised websites, third-party advertising
  platforms, and have been legitimately placed on websites by
  publishers. While coin mining scripts can be embedded directly into a
  webpage's source code, they are frequently loaded from third-party
  websites. Identifying and detecting websites that have embedded coin
  mining code can be difficult since not all coin mining scripts are
  authorized by website publishers, such as in the case of a compromised
  website. Further, in cases where coin mining scripts were authorized
  by a website owner, they are not always clearly communicated to site
  visitors. At the time of reporting, the most popular script being
  deployed in the wild is Coinhive. Coinhive is an open-source
  JavaScript library that, when loaded on a vulnerable website, can mine
  Monero using the site visitor's CPU resources, unbeknownst to the
  user, as they browse the site.


 

The following are some real-world examples of Coinhive being
  deployed in the wild:


 
  • In September 2017,       href="https://www.bleepingcomputer.com/news/security/chrome-extension-embeds-in-browser-monero-miner-that-drains-your-cpu/">Bleeping
          Computer reported that the authors of SafeBrowse, a Chrome
        extension with more than 140,000 users, had embedded the Coinhive
        script in the extension's code that allowed for the mining of Monero
        using users' computers and without getting their consent.

  •    
  • During mid-September 2017,       href="https://www.reddit.com/r/thepiratebay/comments/70aip7/100_cpu_on_all_8_threads_while_visiting_tpb/?sort=new">users
          on Reddit began complaining about increased CPU usage when
        they navigated to a popular torrent site, The Pirate Bay (TPB). The
        spike in CPU usage was a result of Coinhive's script being embedded
        within the site's footer. According to TPB operators, it was
        implemented as a test to generate passive revenue for the site
        (Figure 8).
  • In December 2017, researchers with       href="https://blog.sucuri.net/2017/12/malicious-cryptominers-from-github.html">Sucuri
        reported on the presence of the Coinhive script being hosted on
        GitHub.io, which allows users to publish web pages directly from
        GitHub repositories.
  • Other reporting disclosed the Coinhive
        script being embedded on the       href="https://www.bleepingcomputer.com/news/security/showtime-websites-used-to-mine-monero-unclear-if-hack-or-an-experiment/">Showtime
        domain as well as on the       href="https://www.itwire.com/security/81860-la-times-serving-cryptocurrency-mining-script.html">LA
          Times website, both surreptitiously mining Monero.
  • A
        majority of in-browser cryptojacking activity is transitory in
        nature and will last only as long as the user’s web browser is open.
        However,       href="https://blog.malwarebytes.com/cybercrime/2017/11/persistent-drive-by-cryptomining-coming-to-a-browser-near-you/">researchers
          with Malwarebytes Labs uncovered a technique that allows for
        continued mining activity even after the browser window is closed.
        The technique leverages a pop-under window surreptitiously hidden
        under the taskbar. As researchers pointed out, closing the browser
        window may not be enough to interrupt the activity, and that more
        advanced actions like running the Task Manager may be required.

 


 
 
 Figure 8: Statement from TPB operators on
    Coinhive script


 
Malvertising and Exploit Kits

 

Malvertisements – malicious ads on legitimate websites – commonly
  redirect visitors of a site to an exploit kit landing page. These
  landing pages are designed to scan a system for vulnerabilities,
  exploit those vulnerabilities, and download and execute malicious code
  onto the system. Notably, the malicious advertisements can be placed
  on legitimate sites and visitors can become infected with little to no
  user interaction. This distribution tactic is commonly used by threat
  actors to widely distribute malware and has been employed in various
  cryptocurrency mining operations.


 

The following are some real-world examples of this activity:


 
  • In early 2018,       href="https://www.bleepingcomputer.com/news/security/coinhive-cryptojacker-deployed-on-youtube-via-google-ads/">researchers
          with Trend Micro reported that a modified miner script was
        being disseminated across YouTube via Google's DoubleClick ad
        delivery platform. The script was configured to generate a random
        number variable between 1 and 100, and when the variable was above
        10 it would launch the Coinhive script coinhive.min.js, which
        harnessed 80 percent of the CPU power to mine Monero. When the
        variable was below 10 it launched a modified Coinhive script that
        was also configured to harness 80 percent CPU power to mine Monero.
        This custom miner connected to the mining pool
        wss[:]//ws[.]l33tsite[.]info:8443, which was likely done to avoid
        Coinhive's fees.
  • In April 2018, researchers with       href="https://blog.trendmicro.com/trendlabs-security-intelligence/cryptocurrency-web-miner-script-injected-into-aol-advertising-platform/">Trend
        Micro also discovered a JavaScript code based on Coinhive
        injected into an AOL ad platform. The miner used the following
        private mining pools: wss[:]//wsX[.]www.datasecu[.]download/proxy
        and wss[:]//www[.]jqcdn[.]download:8893/proxy. Examination of other
        sites compromised by this campaign showed that in at least some
        cases the operators were hosting malicious content on unsecured AWS
        S3 buckets.
  • Since July 16, 2017,       href="https://www.fireeye.com/blog/threat-research/2017/08/neptune-exploit-kit-malvertising.html">FireEye
          has observed the Neptune Exploit Kit redirect to ads for
        hiking clubs and MP3 converter domains. Payloads associated with the
        latter include Monero CPU miners that are surreptitiously installed
        on victims' computers.
  • In January 2018,       href="https://research.checkpoint.com/new-rig-exploit-kit-campaign-dropping-xmrig-miner/">Check
          Point researchers discovered a malvertising campaign leading
        to the Rig Exploit Kit, which served the XMRig Monero miner utility
        to unsuspecting victims.

 

Mobile Cryptojacking


 

In addition to targeting enterprise servers and user machines,
  threat actors have also targeted mobile devices for cryptojacking
  operations. While this technique is less common, likely due to the
  limited processing power afforded by mobile devices, cryptojacking on
  mobile devices remains a threat as sustained power consumption can
  damage the device and dramatically shorten the battery life. Threat
  actors have been observed targeting mobile devices by hosting
  malicious cryptojacking apps on popular app stores and through
  drive-by malvertising campaigns that identify users of mobile browsers.


 

The following are some real-world examples of mobile devices being
  used for cryptojacking:


 
  • During 2014, FireEye
        iSIGHT Intelligence reported on multiple Android malware apps
        capable of mining cryptocurrency:
    • In March 2014, Android
              malware named "CoinKrypt" was discovered, which mined
              Litecoin, Dogecoin, and CasinoCoin currencies.
    • In March
              2014, another form of Android malware –
              "Android.Trojan.MuchSad.A" or
              "ANDROIDOS_KAGECOIN.HBT" – was observed mining
              Bitcoin, Litecoin, and Dogecoin currencies. The malware was
              disguised as copies of popular applications, including
              "Football Manager Handheld" and "TuneIn
              Radio." Variants of this malware have reportedly been
              downloaded by millions of Google Play users.
    • In April
              2014, Android malware named "BadLepricon," which mined
              Bitcoin, was identified. The malware was reportedly being
              bundled into wallpaper applications hosted on the Google Play
              store, at least several of which received 100 to 500
              installations before being removed.
    • In October 2014, a
              type of mobile malware called "Android Slave" was
              observed in China; the malware was reportedly capable of mining
              multiple virtual currencies.
  • In December
        2017,       href="https://securelist.com/jack-of-all-trades/83470/">researchers
          with Kaspersky Labs reported on a new multi-faceted Android
        malware capable of a variety of actions including mining
        cryptocurrencies and launching DDoS attacks. The resource load
        created by the malware has reportedly been high enough that it can
        cause the battery to bulge and physically destroy the device. The
        malware, dubbed Loapi, is unique in the breadth of its potential
        actions. It has a modular framework that includes modules for
        malicious advertising, texting, web crawling, Monero mining, and
        other activities. Loapi is thought to be the work of the same
        developers behind the 2015 Android malware Podec, and is usually
        disguised as an anti-virus app.
  • In January 2018,       href="https://www.sophos.com/en-us/medialibrary/PDFs/technical-papers/sophos-coinminer-and-other-malicious-cryptominers-tpna.pdf?la=en">SophosLabs
          released a report detailing their discovery of 19 mobile apps
        hosted on Google Play that contained embedded Coinhive-based
        cryptojacking code, some of which were downloaded anywhere from
        100,000 to 500,000 times.
  • Between November 2017 and January
        2018,       href="https://blog.malwarebytes.com/threat-analysis/2018/02/drive-by-cryptomining-campaign-attracts-millions-of-android-users/">researchers
          with Malwarebytes Labs reported on a drive-by cryptojacking
        campaign that affected millions of Android mobile browsers to mine
      Monero.

 

Cryptojacking Spam Campaigns


 

FireEye iSIGHT Intelligence has observed several cryptocurrency
  miners distributed via spam campaigns, which is a commonly used tactic
  to indiscriminately distribute malware. We expect malicious actors
  will continue to use this method to disseminate cryptojacking code as
  for long as cryptocurrency mining remains profitable.


 

In late November 2017, FireEye researchers identified a spam
  campaign delivering a malicious PDF attachment designed to appear as a
  legitimate invoice from the largest port and container service in New
  Zealand: Lyttelton Port of Chistchurch (Figure 9). Once opened, the
  PDF would launch a PowerShell script that downloaded a Monero miner
  from a remote host. The malicious miner connected to the pools
  supportxmr.com and nanopool.org.


 


 
 
 Figure 9: Sample lure attachment (PDF)
    that downloads malicious cryptocurrency miner


 

Additionally, a massive cryptojacking spam campaign was discovered
  by FireEye researchers during January 2018 that was designed to look
  like legitimate financial services-related emails. The spam email
  directed victims to an infection link that ultimately dropped a
  malicious ZIP file onto the victim's machine. Contained within the ZIP
  file was a cryptocurrency miner utility (MD5:
  80b8a2d705d5b21718a6e6efe531d493) configured to mine Monero and
  connect to the minergate.com pool. While each of the spam email lures
  and associated ZIP filenames were different, the same cryptocurrency
  miner sample was dropped across all observed instances (Table 2).


 
   
     
 
   
              width="420">

california_540_tax_form_2013_instructions.exe


       

state_bank_of_india_money_transfer_agency.exe


       

format_transfer_sms_banking_bni_ke_bca.exe


       

confirmation_receipt_letter_sample.exe


       

sbi_online_apply_2015_po.exe


       

estimated_tax_payment_coupon_irs.exe


       

how_to_add_a_non_us_bank_account_to_paypal.exe


       

western_union_money_transfer_from_uk_to_bangladesh.exe


       

can_i_transfer_money_from_bank_of_ireland_to_aib_online.exe


       

how_to_open_a_business_bank_account_with_bad_credit_history.exe


       

apply_for_sbi_credit_card_online.exe


       

list_of_lucky_winners_in_dda_housing_scheme_2014.exe


     


          ZIP Filenames


 


  Table 2: Sampling of observed ZIP filenames
    delivering cryptocurrency miner


 

Cryptojacking Worms


 

Following the WannaCry attacks, actors began to increasingly
  incorporate self-propagating functionality within their malware. Some
  of the observed self-spreading techniques have included copying to
  removable drives, brute forcing SSH logins, and leveraging the leaked
  NSA exploit   href="https://www.fireeye.com/blog/threat-research/2017/05/smb-exploited-wannacry-use-of-eternalblue.html">EternalBlue.
  Cryptocurrency mining operations significantly benefit from this
  functionality since wider distribution of the malware multiplies the
  amount of CPU resources available to them for mining. Consequently, we
  expect that additional actors will continue to develop this capability.


 

The following are some real-world examples of cryptojacking worms:


 
  • In May 2017,       href="https://www.proofpoint.com/us/threat-insight/post/adylkuzz-cryptocurrency-mining-malware-spreading-for-weeks-via-eternalblue-doublepulsar">Proofpoint
        reported a large campaign distributing mining malware
        "Adylkuzz." This cryptocurrency miner was observed
        leveraging the EternalBlue exploit to rapidly spread itself over
        corporate LANs and wireless networks. This activity included the use
        of the DoublePulsar backdoor to download Adylkuzz. Adylkuzz
        infections create botnets of Windows computers that focus on mining
      Monero.
  • Security researchers with       href="https://sensorstechforum.com/w32-rarogminer-monero-miner-worm-lsass-exe-remove/">Sensors
        identified a Monero miner worm, dubbed "Rarogminer,"
        in April 2018 that would copy itself to removable drives each time a
        user inserted a flash drive or external HDD.
  • In January
        2018,       href="https://f5.com/labs/articles/threat-intelligence/malware/new-python-based-crypto-miner-botnet-flying-under-the-radar">researchers
          at F5 discovered a new Monero cryptomining botnet that targets
        Linux machines. PyCryptoMiner is based on Python script and spreads
        via the SSH protocol. The bot can also use Pastebin for its command
        and control (C2) infrastructure. The malware spreads by trying to
        guess the SSH login credentials of target Linux systems. Once that
        is achieved, the bot deploys a simple base64-encoded Python script
        that connects to the C2 server to download and execute more
        malicious Python code.

 

Detection Avoidance Methods


 

Another trend worth noting is the use of proxies to avoid detection.
  The implementation of mining proxies presents an attractive option for
  cyber criminals because it allows them to avoid developer and
  commission fees of 30 percent or more. Avoiding the use of common
  cryptojacking services such as Coinhive, Cryptloot, and Deepminer, and
  instead hosting cryptojacking scripts on actor-controlled
  infrastructure, can circumvent many of the common strategies taken to
  block this activity via domain or file name blacklisting.


 

In March 2018,     href="https://www.bleepingcomputer.com/news/security/in-browser-cryptojacking-is-getting-harder-to-detect/">Bleeping
    Computer reported on the use of cryptojacking proxy servers and
  determined that as the use of cryptojacking proxy services increases,
  the effectiveness of ad blockers and browser extensions that rely on
  blacklists decreases significantly.


 

Several mining proxy tools can be found on GitHub, such as the     href="https://github.com/xmrig/xmrig-proxy">XMRig Proxy tool,
  which greatly reduces the number of active pool connections, and the
        href="https://github.com/x25/coinhive-stratum-mining-proxy">CoinHive
    Stratum Mining Proxy, which uses Coinhive’s JavaScript mining
  library to provide an alternative to using official Coinhive scripts
  and infrastructure.


 

In addition to using proxies, actors may also establish their own
  self-hosted miner apps, either on private servers or cloud-based
  servers that supports Node.js. Although private servers may provide
  some benefit over using a commercial mining service, they are still
  subject to easy blacklisting and require more operational effort to
  maintain. According to     href="https://blog.sucuri.net/2018/01/malicious-cryptominers-from-github-part-2.html">Sucuri
  researchers, cloud-based servers provide many benefits to actors
  looking to host their own mining applications, including:


 
  • Available free or at
      low-cost
  • No maintenance, just upload the crypto-miner
      app
  • Harder to block as blacklisting the host address could
        potentially impact access to legitimate services
  • Resilient
        to permanent takedown as new hosting accounts can more easily be
        created using disposable accounts

 

The combination of proxies and crypto-miners hosted on
  actor-controlled cloud infrastructure presents a significant hurdle to
  security professionals, as both make cryptojacking operations more
  difficult to detect and take down.


 

Mining Victim Demographics


 

Based on data from FireEye detection technologies, the detection of
  cryptocurrency miner malware has increased significantly since the
  beginning of 2018 (Figure 10), with the most popular mining pools
  being minergate and nanopool (Figure 11), and the most heavily
  affected country being the U.S. (Figure 12). Consistent with     href="https://www.bleepingcomputer.com/news/cryptocurrency/students-mining-cryptocurrencies-are-clogging-up-university-networks/">other
  reporting, the education sector remains most affected, likely due
  to more relaxed security controls across university networks and
  students taking advantage of free electricity to mine cryptocurrencies
  (Figure 13).


 


 
 
 Figure 10: Cryptocurrency miner detection
    activity per month


 


 
 
 Figure 11: Commonly observed pools and
    associated ports


 


 
 
 Figure 12: Top 10 affected countries


 


 
 
 Figure 13: Top five affected industries


 


 
 
 Figure 14: Top affected industries by country


 

Mitigation Techniques


 
Unencrypted Stratum Sessions

 

According to security researchers at Cato Networks, in order for a
  miner to participate in pool mining, the infected machine will have to
  run native or JavaScript-based code that uses the Stratum protocol
  over TCP or HTTP/S. The Stratum protocol uses a publish/subscribe
  architecture where clients will send subscription requests to join a
  pool and servers will send messages (publish) to its subscribed
  clients. These messages are simple, readable, JSON-RPC messages.
  Subscription requests will include the following entities: id, method,
  and params (Figure 15). A deep packet inspection (DPI) engine can be
  configured to look for these parameters in order to block Stratum over
  unencrypted TCP.


 


 
 
 Figure 15: Stratum subscription request parameters


 
Encrypted Stratum Sessions

 

In the case of JavaScript-based miners running Stratum over HTTPS,
  detection is more difficult for DPI engines that do not decrypt TLS
  traffic. To mitigate encrypted mining traffic on a network,
  organizations may blacklist the IP addresses and domains of popular
  mining pools. However, the downside to this is identifying and
  updating the blacklist, as locating a reliable and continually updated
  list of popular mining pools can prove difficult and time consuming.


 
Browser-Based Sessions

 

Identifying and detecting websites that have embedded coin mining
  code can be difficult since not all coin mining scripts are authorized
  by website publishers (as in the case of a compromised website).
  Further, in cases where coin mining scripts were authorized by a
  website owner, they are not always clearly communicated to site visitors.


 

As defenses evolve to prevent unauthorized coin mining activities,
  so will the techniques used by actors; however, blocking some of the
  most common indicators that we have observed to date may be effective
  in combatting a significant amount of the CPU-draining mining
  activities that customers have reported. Generic detection strategies
  for browser-based cryptocurrency mining include:


 
  • Blocking domains known to
        have hosted coin mining scripts
  • Blocking websites of known
        mining project websites, such as Coinhive
  • Blocking scripts
      altogether
  • Using an ad-blocker or coin mining-specific
        browser add-ons
  • Detecting commonly used naming
      conventions
  • Alerting and blocking traffic destined for known
        popular mining pools

 

Some of these detection strategies may also be of use in blocking
  some mining functionality included in existing financial malware as
  well as mining-specific malware families.


 

It is important to note that JavaScript used in browser-based
  cryptojacking activity cannot access files on disk. However, if a host
  has inadvertently navigated to a website hosting mining scripts, we
  recommend purging cache and other browser data.


 

Outlook


 

In underground communities and marketplaces there has been
  significant interest in cryptojacking operations, and numerous
  campaigns have been observed and reported by security researchers.
  These developments demonstrate the continued upward trend of threat
  actors conducting cryptocurrency mining operations, which we expect to
  see a continued focus on throughout 2018. Notably, malicious
  cryptocurrency mining may be seen as preferable due to the perception
  that it does not attract as much attention from law enforcement as
  compared to other forms of fraud or theft. Further, victims may not
  realize their computer is infected beyond a slowdown in system performance.


 

Due to its inherent privacy-focused features and CPU-mining
  profitability, Monero has become one of the most attractive
  cryptocurrency options for cyber criminals. We believe that it will
  continue to be threat actors' primary cryptocurrency of choice, so
  long as the Monero blockchain maintains privacy-focused standards and
  is ASIC-resistant. If in the future the Monero protocol ever
  downgrades its security and privacy-focused features, then we assess
  with high confidence that threat actors will move to use another
  privacy-focused coin as an alternative.


 

Because of the anonymity associated with the Monero cryptocurrency
  and electronic wallets, as well as the availability of numerous
  cryptocurrency exchanges and tumblers, attribution of malicious
  cryptocurrency mining is very challenging for authorities, and
  malicious actors behind such operations typically remain unidentified.
  Threat actors will undoubtedly continue to demonstrate high interest
  in malicious cryptomining so long as it remains profitable and
  relatively low risk.


Source: How the Rise of Cryptocurrencies Is Shaping the Cyber Crime Landscape:
The Growth of Miners

Security-X


Tags: