New Report Reveals Top 10 Cryptomining Malware for 2018
December 17, 2018
Disruptive technologies, like blockchain, usher in new market opportunities, like cryptomining. Whenever there is a growing trend, with the potential for financial gain, cyber criminals will invariably find ways to disrupt and distort these markets.
Cryptomining is highly compute-intensive, using computer resources, such as CPU cycles, to mine “cryptocurrency”. Miners are paid for solving CPU intensive cryptographic challenges that validate each block of a transaction added to a cryptocurrency’s blockchain. They are paid a certain amount of cryptocurrency into their cryptocurrency wallet as commission for validating a transaction. .
Anywhere there is a profit to be made, capable people will take advantage, and cryptocurrency is no exception. In 2017, there were numerous ransomware campaigns that attacked systems by encrypting files and withholding the key code in exchange for ransom. With the rise in cryptocurrency market rates, we are seeing more cryptomining malware, or cryptojacking attacks in 2018. Cryptojacking is the process of taking over an unsuspecting user’s computer resources, and mining for cryptocurrency- without the user’s explicit permission.
A new Versa Networks report “Top 10 Cryptomining Malware for 2018”, examines cryptomining and its underlying technology, blockchain. In this article, we will share the results which reveal the many ways malware is infesting this market.
Even after the havoc created by the Wannacry ransomware, many devices still remain unpatched, and vulnerable to exploitation. As seen by the report, the mining of cryptocurrency continued to grow rapidly in 2018, as did the amount of cryptojacking attacks. Cryptojacking campaigns indicate that attackers are targeting a wide range of computational resources, from large data centers, to mobile and IoT devices. Virtually any device that can provide CPU cycles is vulnerable.
Distribution Mechanisms and Evasion Techniques
Cyber attackers are exploiting cryptomining through various methods. There are many different types of cryptomining malware that drop the mining software as the payload. These payloads are dropped into the victim’s machine and executed to utilize their CPU cycles to mine and fill the attacker’s wallets.
Certain malware samples were seen to incorporate a primary payload for propagation and the mining software as a secondary payload. This allows the attackers to use the miner’s machines to spread the software, along with other infections. The general techniques use known vulnerabilities to deliver the miner payload to servers, using powershell or shell scripts embedded in documents to download miners, or perform lateral movements to spread the infection throughout a network.
One of the methods implemented on a wide-scale is browser-based mining, using the Coinhive API. The technology, as such, is not malicious. However, running it without the user’s knowledge and permission, makes it malicious. Coinhive API allows sites to make money, by running the mining scripts on a website, rather than relying on paid advertisements. However, many websites have switched to mining without informing their users. This practice is also exploited by attackers in compromised websites, where even the website owner is unaware of the script running and draining the resources on the devices visiting their website.
Traditional miners must be dropped inconspicuously in a victim’s machine and use persistence techniques to support a long session. Web-based mining only requires attackers to inject their code into a website. And when a victim visits the website, their CPU cycles are robbed to mine currencies for the attacker’s wallet. The drawback with web-based mining is that it’s inefficient compared to a miner executable, and because it only runs when the page containing the mining script is open within the browser.
The WebAssembly (Wasm) solves this to an extent. It is a binary instruction format for stack-based virtual machines. This works as a target for high-level languages like C/C++ to be deployed on web-based client/server applications. It also aims to achieve native speed execution, making it an appealing solution for implementing the miner code.
Cryptomining malware distribution has become more frequent with the increase in cryptocurrency value. Easy availability of a browser-based miner that doesn’t require attackers to inject miner executables into a system has also contributed to the increase of this malware, as attackers only need to redirect victims to the infected websites.
Below is a summary of malware campaigns and their targeted cryptominers in 2018.
Another cryptomining malware, Wannamine, uses a similar technique that Wannacry uses on the Server Message Block (SMB) vulnerability, that is still prevalent. SMB is the transport protocol used by Windows machines for file and printer sharing, and access to remote Windows services. Wannamine takes advantage of a flaw in the SMB protocol that lead to the infamous EternalBlue exploit used by malware like WannaCry and WannaMine. After a successful exploitation, one component of the attack ensures persistence, download of more malware and another scan for more machines to propagate to within the network.
Wannamine mines Monero currency, usually infecting systems through phishing emails or downloads from compromised websites. Wannamine malware infects systems using Windows Management Instrumentation (WMI) or Powershell. It then runs Mimikatz, an open-source post-exploitation tool, to get login details from other systems on the network. Wannamine also attempts to infect other devices in the network through the SMB vulnerability that allowed the spread of Wannacry.
Upon analysis, using samples of the Wannamine malware, the report found the files in the initial stage of infection were large ascii text files. They included large strings obfuscated with various techniques, including base64 encoding. These strings were Powershell scripts, which on de-obfuscation, exposed commands that used WMI, and contained the executable of the Monero Miner, as well as the Mimikatz tool.
Fileless malware uses the evasion technique that allows malicious software to reside within computer memory. GhostMiner, a Monero cryptominer, was first seen in March 2018, and exhibits fileless evasion. This miner malware achieves this through Powershell Evasion frameworks, like Out-Compressed DLL and Invoke-Reflective PE Injection. According to the report, when the GhostMiner malware was discovered, the account wallet that was linked to the campaign only collected 1.03 XMR. Even though the miner only mined a small amount, the techniques used by the malware were advanced in trying to achieve fileless execution.
Fake Flash Updates
Fake Flash Updates are used to distribute cryptominer executables, and they are among the more recent cryptojacking campaigns. This was reported in an earlier blog which contains details of samples analyzed and the Indicators of Compromise (IoC).. Though there were many previous attempts to hide different malware in Flash updates, this particular case stood out. It had legitimate looking Adobe popups for installation, along with updating Flash player to the latest version. These smokescreens easily lull the unsuspecting user.
Xbash is a recently discovered malware family that targets Linux and Windows servers. The report findings show it was developed from Python code, and combines ransomware, mining, and botnet, as well as self-propagation techniques. Xbash scripts contain commands to kill a list of processes, like rivaling cryptominers, using specific ports, and removing the related files.
Pirate Bay initially experimented using Coinhive to mine, instead of monetizing through advertisements. Some charity websites also host it, but with disclosure of using CPU for mining. Coinhive scripts were also seen in Google’s DoubleClick. The affected page showed the miner script, along with the script to display the actual advertisement. Many streaming sites also host these miner scripts, as users spend a long time on such sites.
Cryptoloot is similar to Coinhive. However, Cryptoloot only keeps 12 percent of the mined coins, and gives the rest to the website owners, compared to Coinhive’s 30 percent take. Cryptoloot advertises itself as stealthy and un-intrusive. It uses crypto-loot.com and cryptoloot.pro as domains for its operations. According to Checkpoint, Cryptoloot is among the top cryptomining threats, after Coinhive.
Some of the major campaigns within web-based mining include capitalizing on the vulnerabilities in CMS websites to host the script, by using obfuscated shortlinks of the Coinhive miner. Another major attack in the campaign involves unpatched Mikro Tik routers that are compromised to push pages with miner scripts. In this case, all the browsers behind the infected router will begin to mine, as the attack causes the router to push miner script into them.
Shortlink Coinhive URL
A campaign using a shortlink of the Coinhive URL was reported. Coinhive provides an option to allow website owners to include the shortlink to mine, exploiting the CPU of unsuspecting users when forwarding to another site.
This was misused by injecting the shortlink into an iframe size of 1×1, which is easily missed by a normal user when a miner is running in the background. The shortlink, by nature, does not show the details of the exact page it is going to, until the browser loads it, and so it can easily misdirect users to click it, allowing malicious sites to be loaded. Researchers went on to find a larger operation which not only catered to drive-by mining, but also directed users to fake download pages that dropped miner executables in Linux or Windows.
Mikro Tik Routers
A cryptomining campaign involving the Mikro Tik routers was discovered at the end of July 2018. The initial infection was reported across Brazil, and later spread to many other parts of the world. The exploit is based on a Winbox vulnerability that was disclosed and patched by the Mikro Tik routers. But many router administrators failed to apply this patch in a timely manner, which led to a significant attack. When a user under the infected router tries to access http sites, the router returns a custom 403 error page that hides a script within it. The script runs the miner in the browser. It also loads the original website in an iframe while the miner continues to run in the background. Unsuspecting users won’t detect a problem and will continue browsing.
Cryptomining Malware Prevention
The various campaigns described here display different techniques used by attackers to evade detection and achieve unscrupulous mining. To thwart these attacks, enterprises must employ proper security practices and technology, and execute timely patches and updates, to stay ahead of the attackers.
Versa Networks security platform detects the scripts and executables related to these attacks, and prevents downloading of the infected components, thus protecting the systems from unwanted miners.
To learn more about how Versa can help protect your organization from malware request a demo: https://www.versa-networks.com/request-a-demo/