The Secure SD-WAN Blog: Research Lab

Fake Flash Updates Mine Monero Under the Hood

By Versa Staff
Versa Networks
October 25, 2018

The recent surge in cryptomining is giving cyber criminals more attack vectors, at the expense of legitimate users. This year has seen a large increase in malware deployed with cryptominers as primary or secondary payloads. Cryptominers have become a convenient payload, and attackers now go a step further by disguising the miner as a Flash update. Palo Alto Networks reported a list of collected samples, some dating back to August 2018 [1]. The author further notes that the installers from the Adobe website were legitimate, and that the malicious ones were mostly Windows binaries. There have been many previous attempts to pass off malware as Flash updates, but in this campaign some of the samples perform a legitimate Flash update while also dropping the Monero miner executable and running it without the user's knowledge.

On running the Flash update executable (SHA256 a22b50d4f18b2fc92bdcffc01281c40cd4ed1d2bd9364fce91ea484a37bf3725), Windows shows the usual User Account Control prompt, "Do you want to allow the following program from an unknown publisher to make changes to this computer?", which most users click through. Once allowed, the installer drops two files, Manager.exe and xmrig.exe, under %APPDATA%\xbooster\ (that is, C:\Users\<USER>\AppData\Roaming\xbooster\) and launches xmrig.exe. Task Manager shows xmrig.exe running at above 90% CPU utilization.

Fig 1: CPU usage and executable dropped

Looking at the process creation events, xmrig.exe is launched with the command line "C:\Users\<USER>\AppData\Roaming\xbooster\xmrig.exe -o stratum+tcp://xmr-eu1.nanopool.org:14444 -u 4JUdGzvrMFDWrUUwY3toJATSeNwjn54LkCnKBPRzDuhzi5vSepHfUckJNxRL2gjkNrSqtCoRUrEDAgRwsQvVCjZbRzL9pCSYqvM4EaC4kh/2 -p x --donate-level=1 -B --max-cpu-usage=90 -t 1". Read as XMRig options, this connects to the nanopool server xmr-eu1.nanopool.org on port 14444 over the stratum protocol (-o), logs in with the wallet address as the username (-u) and the placeholder password "x" (-p), keeps the developer donation at 1% (--donate-level=1), runs in the background (-B), caps CPU usage at 90% (--max-cpu-usage=90) and mines on a single thread (-t 1). The 90% cap matches the CPU utilization seen in Task Manager.

The installer extracts resources into the temp folder and writes them out as xmrig.exe and Manager.exe. xmrig.exe then establishes a connection with the mining pool and keeps running in the background.

In the packet capture taken during execution, the sample issues DNS queries for "ztracker.xyz" and for "xmr-eu1.nanopool.org". The pool name resolves to a number of IP addresses, and the system establishes a TCP connection to 5.196.23.240 on port 14444. All further traffic recorded from xmrig.exe goes only to port 14444.

Fig 2: DNS query and response
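As an added example (not code from the original post or from Versa), the Python triage script below pulls the pool, wallet and tuning flags out of the command line quoted above and then feeds the pool host and port into a check over DNS and flow records like those in the capture. The command line, the two domains and the 5.196.23.240:14444 connection are the post's values; the internal source addresses, the extra pool ports and the record layout are assumptions made for the demonstration.

```python
"""Host and network indicators for the xmrig sample described in this post.

Added example, not Versa's code.  The command line, DNS names and the TCP
connection are copied from the values quoted in the post; the internal
source addresses, the extra pool ports and the record layout are
constructed/assumed for the demonstration.
"""
import re
import shlex
from urllib.parse import urlsplit

# Domains the post saw the sample resolve.
SUSPECT_DOMAINS = {"ztracker.xyz", "xmr-eu1.nanopool.org"}
# 14444 is from the post; the others are ports commonly used by public Monero
# pools (assumption: illustrative, not a complete list).
STRATUM_PORTS = {3333, 5555, 7777, 14444, 14433}

# Command line quoted in the post (<USER> left as the post's placeholder).
SAMPLE_CMDLINE = (
    r"C:\Users\<USER>\AppData\Roaming\xbooster\xmrig.exe "
    "-o stratum+tcp://xmr-eu1.nanopool.org:14444 "
    "-u 4JUdGzvrMFDWrUUwY3toJATSeNwjn54LkCnKBPRzDuhzi5vSepHfUckJNxRL2gjkNrSqtCoRUrEDAgRwsQvVCjZbRzL9pCSYqvM4EaC4kh/2 "
    "-p x --donate-level=1 -B --max-cpu-usage=90 -t 1"
)

# Constructed records in the shape of a DNS log and a flow log: 10.0.0.5 is
# the infected host, 10.0.0.6 a clean one.  5.196.23.240:14444 is from the post.
SAMPLE_DNS = [
    {"src": "10.0.0.5", "qname": "ztracker.xyz"},
    {"src": "10.0.0.5", "qname": "xmr-eu1.nanopool.org"},
    {"src": "10.0.0.6", "qname": "get.adobe.com"},
]
SAMPLE_FLOWS = [
    {"src": "10.0.0.5", "dst": "5.196.23.240", "dport": 14444, "proto": "tcp"},
    {"src": "10.0.0.6", "dst": "104.16.0.1", "dport": 443, "proto": "tcp"},
]

# XMRig options that take a value, in both "-o value" and "--url=value" forms.
VALUE_OPTIONS = {"-o": "url", "--url": "url", "-u": "user", "--user": "user",
                 "-p": "pass", "--pass": "pass", "-t": "threads", "--threads": "threads",
                 "--donate-level": "donate_level", "--max-cpu-usage": "max_cpu_usage"}
FLAG_OPTIONS = {"-B": "background", "--background": "background"}


def parse_miner_cmdline(cmdline):
    """Extract pool host/port, wallet and tuning flags from an XMRig-style command line."""
    argv = shlex.split(cmdline, posix=False)   # non-POSIX mode keeps Windows backslashes intact
    info = {"exe": argv[0], "background": False}
    i = 1
    while i < len(argv):
        tok = argv[i]
        if tok in FLAG_OPTIONS:
            info[FLAG_OPTIONS[tok]] = True
        else:
            name, sep, value = tok.partition("=")
            if name in VALUE_OPTIONS:
                if not sep and i + 1 < len(argv):   # "-o value" form: the value is the next token
                    i += 1
                    value = argv[i]
                info[VALUE_OPTIONS[name]] = value
        i += 1
    pool = urlsplit(info.get("url", ""))         # e.g. stratum+tcp://host:port
    info["pool_host"], info["pool_port"] = pool.hostname, pool.port
    # Pools commonly let the miner append a worker name or other label to the
    # wallet with "." or "/"; keep the bare address separate from that suffix.
    wallet, *suffix = re.split(r"[./]", info.get("user", ""), maxsplit=1)
    info["wallet"], info["user_suffix"] = wallet, (suffix[0] if suffix else "")
    return info


def flag_network_records(dns_records, flow_records, domains, ports):
    """Return (src, reason, detail) for lookups of suspect domains and TCP connections to stratum ports."""
    hits = []
    for rec in dns_records:
        if rec["qname"].lower().rstrip(".") in domains:
            hits.append((rec["src"], "dns", rec["qname"]))
    for flow in flow_records:
        if flow["proto"] == "tcp" and flow["dport"] in ports:
            hits.append((flow["src"], "stratum_port", f"{flow['dst']}:{flow['dport']}"))
    return hits


def triage(cmdline, dns_records, flow_records):
    """Feed the pool host and port from the process command line into the network check."""
    info = parse_miner_cmdline(cmdline)
    domains = set(SUSPECT_DOMAINS) | ({info["pool_host"]} if info["pool_host"] else set())
    ports = set(STRATUM_PORTS) | ({info["pool_port"]} if info["pool_port"] else set())
    return info, flag_network_records(dns_records, flow_records, domains, ports)


if __name__ == "__main__":
    info, hits = triage(SAMPLE_CMDLINE, SAMPLE_DNS, SAMPLE_FLOWS)
    print(f"pool={info['pool_host']}:{info['pool_port']} wallet={info['wallet'][:12]}... "
          f"threads={info['threads']} max_cpu={info['max_cpu_usage']}% background={info['background']}")
    for src, reason, detail in hits:
        print(f"{src}: {reason} {detail}")
```

The point of wiring the two halves together is that the pool endpoint is the most stable indicator this sample offers: file names and drop paths change between builds, but the wallet and the pool the miner is told to log in to have to stay fixed for the operator to get paid, so they make better hunting keys than the hash of any one installer.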

Following the TCP stream of the connection shows XMRig logging in to the pool with the login parameter "4JUdGzvrMFDWrUUwY3toJATSeNwjn54LkCnKBPRzDuhzi5vSepHfUckJNxRL2gjkNrSqtCoRUrEDAgRwsQvVCjZbRzL9pCSYqvM4EaC4kh", the wallet address to which the mined coins will be credited. Per the xmrig Stratum protocol documentation [2], the first exchange is a login request to the mining pool, the second JSON message is the pool's success reply to the login, and the last exchange carries "method": "job", which is how the pool pushes new jobs to the miner. The executable also contains placeholder strings for the submit request and for the reply to keepalive requests. The submit request is sent once the miner finds a nonce that meets the job's target, so the resulting hash can be reported to the pool for verification and the share credited to the wallet.

Fig 3: Communication of xmrig.exe with mining pool


  

Fig 4: Placeholder strings for keepalive and submit
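The exchange described above, decoded as an added example that is not part of the original post: the script below walks a reassembled stratum session and pulls out the login wallet, the session id the pool assigns, each job with its share difficulty derived from the target, and the outcome of each submit. The wallet is the address quoted in the post and the message layout follows the xmrig STRATUM.md document [2]; the agent string, session id, job ids, blobs, targets, nonce and result hash are constructed placeholders, not data from the capture.

```python
"""Decode a reassembled Monero stratum session (one JSON-RPC message per line over TCP).

Added example, not Versa's code.  The wallet is the one quoted in this post;
the messages follow the request/reply layout in xmrig's STRATUM.md, but every
blob, target, nonce, hash, agent string and session id is a constructed placeholder.
"""
import json

SAMPLE_WALLET = ("4JUdGzvrMFDWrUUwY3toJATSeNwjn54LkCnKBPRzDuhzi5vSepHfUckJNxRL"
                 "2gjkNrSqtCoRUrEDAgRwsQvVCjZbRzL9pCSYqvM4EaC4kh")

# (direction, line) as reassembled from the TCP stream: "C" = miner to pool,
# "S" = pool to miner.  Constructed to mirror the login / login reply /
# job / keepalive / submit sequence discussed in the post.
SAMPLE_STREAM = [
    ("C", '{"id":1,"jsonrpc":"2.0","method":"login","params":{"login":"' + SAMPLE_WALLET
          + '","pass":"x","agent":"XMRig/2.8.1"}}'),
    ("S", '{"id":1,"jsonrpc":"2.0","error":null,"result":{"id":"sess-0001","status":"OK",'
          '"job":{"id":"sess-0001","job_id":"job-01","blob":"0707' + "00" * 74 + '","target":"b88d0600"}}}'),
    ("S", '{"jsonrpc":"2.0","method":"job","params":{"id":"sess-0001","job_id":"job-02",'
          '"blob":"0707' + "11" * 74 + '","target":"b88d0600"}}'),
    ("C", '{"id":2,"jsonrpc":"2.0","method":"keepalived","params":{"id":"sess-0001"}}'),
    ("S", '{"id":2,"jsonrpc":"2.0","error":null,"result":{"status":"KEEPALIVED"}}'),
    ("C", '{"id":3,"jsonrpc":"2.0","method":"submit","params":{"id":"sess-0001","job_id":"job-02",'
          '"nonce":"a1b2c3d4","result":"' + "00" * 32 + '"}}'),
    ("S", '{"id":3,"jsonrpc":"2.0","error":null,"result":{"status":"OK"}}'),
]


def target_to_difficulty(target_hex):
    """Convert a pool target (little-endian hex, 4 or 8 bytes) to the share difficulty it encodes."""
    raw = bytes.fromhex(target_hex)
    if len(raw) not in (4, 8):
        raise ValueError(f"unexpected target length: {target_hex}")
    value = int.from_bytes(raw, "little")
    return ((1 << (8 * len(raw))) - 1) // value


def decode_stratum(stream):
    """Walk the stream and summarise the login, jobs, shares and keepalives."""
    pending = {}           # request id -> method, so replies can be matched to requests
    shares_by_id = {}      # request id of each submit -> its share record
    summary = {"wallet": None, "agent": None, "session": None,
               "jobs": [], "shares": [], "keepalives": 0, "errors": []}
    for direction, line in stream:
        msg = json.loads(line)
        if "method" in msg:                        # request (has id) or notification (no id)
            method, params = msg["method"], msg.get("params", {})
            if "id" in msg:
                pending[msg["id"]] = method
            if method == "login" and direction == "C":
                summary["wallet"] = params.get("login")
                summary["agent"] = params.get("agent")
            elif method == "job" and direction == "S":
                summary["jobs"].append((params["job_id"], target_to_difficulty(params["target"])))
            elif method == "submit" and direction == "C":
                share = {"job_id": params["job_id"], "nonce": params["nonce"], "status": None}
                shares_by_id[msg["id"]] = share
                summary["shares"].append(share)
            elif method == "keepalived":
                summary["keepalives"] += 1
        else:                                      # reply: match it to the outstanding request
            method = pending.pop(msg.get("id"), None)
            if msg.get("error"):
                summary["errors"].append((method, msg["error"]))
                continue
            result = msg.get("result") or {}
            if method == "login":
                summary["session"] = result.get("id")
                job = result.get("job")            # the login reply carries the first job
                if job:
                    summary["jobs"].append((job["job_id"], target_to_difficulty(job["target"])))
            elif method == "submit" and msg.get("id") in shares_by_id:
                shares_by_id[msg["id"]]["status"] = result.get("status")
    return summary


if __name__ == "__main__":
    s = decode_stratum(SAMPLE_STREAM)
    print(f"wallet={s['wallet'][:12]}... agent={s['agent']} session={s['session']}")
    for job_id, diff in s["jobs"]:
        print(f"job {job_id}: difficulty {diff}")
    for share in s["shares"]:
        print(f"share for {share['job_id']} nonce={share['nonce']} -> {share['status']}")
```

The target-to-difficulty conversion is the usual little-endian compact-target reading (the 8-hex-character target b88d0600 corresponds to difficulty 10000); a submit carries the job_id, the nonce the miner found and the resulting hash, and the status in the pool's reply tells you whether the share was credited. Because the protocol is plain JSON with no encryption on stratum+tcp, a network sensor can recover the wallet from the very first message of the session.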

Cryptominers installed without the user's knowledge are usually noticed only through sluggish system performance, and many end users cannot immediately pinpoint the cause. Campaigns such as this one, which slip a miner in alongside a legitimate update, need to be monitored and prevented: even though the miner is not overtly destructive, it still consumes CPU and degrades system performance. On the host and on the wire, the indicators above are enough to hunt for this sample: an xbooster directory under the user's AppData\Roaming, an xmrig.exe process whose command line carries a stratum+tcp pool URL and a wallet address, DNS queries for the pool name, and a long-lived TCP connection to port 14444. The Versa VOS™ (formerly FlexVNF) antivirus module detects such malicious executables and prevents them from being downloaded onto the system.

References

[1] https://researchcenter.paloaltonetworks.com/2018/10/unit42-fake-flash-updaters-push-cryptocurrency-miners/

[2] https://github.com/xmrig/xmrig-proxy/blob/master/doc/STRATUM.md