Category Archives: cryptocurrency

Check Chain Mail and Hoaxes: HoweyCoins: fake offer, real education

US Securities and Exchange Commission: The SEC Has an Opportunity You Won’t Want to Miss: Act Now! – “The SEC set up a website, HoweyCoins.com, that mimics a bogus coin offering to educate investors about what to look for before they invest in a scam. Anyone who clicks on “Buy Coins Now” will be led instead to investor education tools and tips from the SEC and other financial regulators.” Commentary from Sophos: Don’t invest! The ICO scam that doesn’t want your money

And, returning to a more common scam topic on this site…

Malwarebytes: Fake Malwarebytes helpline scammer caught in the act – Given how much work Malwarebytes have done on these scams, not good targeting on the scammer’s part.

David Harley

Advertisements




Check Chain Mail and Hoaxes

Interview: Tax Strategies for Crypto Traders

With cryptocurrencies going mainstream, more and more people are asking how trading and holding of it should be reported to the tax authorities in their respective countries. And not only are people wondering, even the tax authorities themselves sometimes seem to have a hard time figuring out how they should deal with it. Although guidelines […]

The post Interview: Tax Strategies for Crypto Traders appeared first on Hacked: Hacking Finance.

What Happens When A Blockchain Project Fails?

Blockchain is the new buzz word. Everyone seems to want one these days, but most of the blockchain projects out there fail. When these projects fail, what happens with them? How about all the people who put money, effort, commuting power or other resources into them? A new project called CoinJanitor is the first to look at these issues and offer a user-friendly solution that will recycle the value trapped in these failed blockchain projects. CoinJanitor refers to these failed projects as dead coins, and it has a clever system to deal with them.

Failed Blockchains and Dead Coins

Yet defining how a blockchain project looks like and what a dead coin is are not easy tasks. There is no consensus out there around these definitions. Therefore, CoinJanitor took on the issue and came up with its own definitions. These failed projects or dead coins were basically abandoned by developers and community members, they were either delisted or they were never listed on an exchange, they have blockchains that do not comply with their own operational specifications, they did not achieve their goals, and can no longer be used to transfer value.

CoinJanitor suggests buying out these dead coin projects because they still hold value. The buy outs will allow CoinJanitor to integrate all these dead coin holders into a single project, creating network effect. The buy out process will also allow CoinJanitor to study the code and the data within the blockchains and recycle what is useful from them. CoinJanitor will also control other assets after the buy out, like the dead coin’s marketing assets.

User Friendly Buy Outs

CoinJanitor will implement its buy outs in a user-friendly manner, reaching out to dead coin holders to swap their dead coins for JAN tokens – CoinJanitor’s indigenous cryptocurrency. After each buy out, CoinJanitor will burn the coins it bought to decommission those projects that are trapping value. This allows the project to complete the cycle of dealing with a failed blockchain project, getting thousands of users, valuable data and other assets in return, as well as support from the community.

How Many Dead Coins Are There?

That might sound neat, but many people ask themselves if dead blockchain projects are that much of an issue to justify the existence of CoinJanitor. The short answer is that most blockchain projects fail, therefore there is a clear case for cleaning them up. The problem is quite deep, because there are more than 4,500 coins in circulation. In the words of Marc Kenigsberg, the CEO at CoinJanitor “Right now there are 4,500 coins in the market, only 1,500 of them have enough trading volume to be labeled active. This is a lot of trapped value that we can and will release with CoinJanitor to create a clean, functional and prosperous crypto market for everyone.”

The post What Happens When A Blockchain Project Fails? appeared first on TechWorm.

Satori Botnet is targeting exposed Ethereum mining pools running the Claymore mining software

While a new variant of the dreaded Mirai botnet, so-called Wicked Mirai, emerged in the wild the operators of the Mirai Satori botnet appear very active.

Experts observed hackers using the Satori botnet to mass-scan the Internet for exposed Ethereum mining pools, they are scanning for devices with port 3333 exposed online.

The port 3333 is a port commonly used for remote management by a large number of cryptocurrency-mining equipment.

The activities were reported by several research teams, including Qihoo 360 Netlab, SANS ISC,  and GreyNoise Intelligence.

Starting from May 11, experts are observing the spike in activity of the Satori botnet.
satori botnet activity

According to the researchers at GreyNoise, threat actors are focused on equipment running the Claymore mining software, once the attackers have found a server running this software they will push instructions to force the device to join the ‘dwarfpool’ mining pool using the ETH wallet controlled by the attackers.

The experts noticed that most of the devices involved in the mass scanning are compromised GPON routers located in Mexico.

The experts monitored five botnets using the compromised GPON routers to scan for Claymore miners, one of them is the Satori botnet that is leveraging an exploit for the attack.

Below the details of the five botnets published by Netlab 360:

  • SatoriSatori is the infamous variant of the mirai botnet.
    • We first observed this botnet coming after the GPON vulnerable devices at 2018-05-10 05:51:18, several hours before our last publish.
    • It has quickly overtakes muhstik as the No.1 player.
  • Mettle: A malicious campaign based on IP addresses in Vietnam (C2 210.245.26.180:4441, scanner 118.70.80.143) and mettle open source control module
  • HajimeHajime pushed an update which adds the GPON’s exploits
  • Two Mirai variants: At least two malicious branches are actively exploiting this vulnerability to propagate mirai variants. One of them has been called omni by newskysecurity team.
  • imgay: This appears like a botnet that is under development. Its function is not finished yet.

“In our previous article, we mentioned since this GPON Vulnerability (CVE-2018-10561, CVE-2018-10562 ) announced, there have been at least five botnets family mettle, muhstik, mirai, hajime, satori actively exploit the vulnerability to build their zombie army in just 10 days.” reads a blog post published by Netlab 360.

“From our estimate, only 2% all GPON home router is affected, most of which located in Mexico.”

“The source of this scan is about 17k independent IP addresses, mainly from Uninet SA de CV, telmex.com, located in Mexico,”

Researchers at SANS ISC that analyzed the Satori botnet activity discovered the bot is currently exploiting the CVE-2018-1000049 remote code execution flaw that affects the Nanopool Claymore Dual Miner software.

The experts observed the availability online of proof-of-concept code for the CVE-2018-1000049 vulnerability.

“The scan is consistent with a vulnerability, CVE 2018-1000049, released in February [2]. The JSON RPC remote management API does provide a function to upload “reboot.bat”, a script that can then be executed remotely. The attacker can upload and execute an arbitrary command using this feature.” reads the analysis published by the SANS ISC.

“The port the API is listening on is specified when starting the miner, but it defaults to 3333. The feature allows for a “read-only” mode by specifying a negative port, which disables the most dangerous features. There doesn’t appear to be an option to require authentication.”

Pierluigi Paganini

(Security Affairs – Satori Botnet, hacking)

The post Satori Botnet is targeting exposed Ethereum mining pools running the Claymore mining software appeared first on Security Affairs.

Bitcoin millionaire Dies In Suspected Suicide after social media show off

Young Bitcoin millionaire found dead in St. Petersburg apartment

While social networking may be one of the best way to instantly reach people from anywhere and keep them updated of your life, it can at the same time invite all kinds of problems that sometimes can’t ever be undone.

A Russian cryptocurrency investor and YouTube blogger who had taken to social media and posted videos to show off his wealth online has been found dead in an apparent suicide in his apartment.

Pavel Myakushin, 23, also known as Pavel Nyashin, was the victim of a robbery in January, which saw 24 million Russian rubles (approximately $38,000 USD) stolen from his safe. At that time, the blogger had mentioned that he had boasted about his wealth on YouTube which accidentally revealed his address and made him an easy target for robbers.

The assault was carried out by a gang dressed in Santa Claus costumes in the village of Lazurniye Berega, just outside St. Petersburg in northwest Russia. Besides stealing a large amount of money, the gang also fled away with a number of iPhone X handsets and crashed Myakushin’s Bitcoin mining farm, which he used to assemble his cryptocurrency fortune.

According to Myakushin’s mother, a large amount of the stolen cash belonged to potential Bitcoin investors. The robbery had left Myakushin depressed since January, as he was unable to pay the money back. His mother was reported to have pointed that the robbery could have led him to take his own life.

The police say that there was no sign of anyone else being involved in Pavel’s death. Also, there is no news if the gang who robbed him has ever been caught.

Myakushin, who blogged about cryptocurrency as well as provided consultancy service for potential investors had a popular YouTube channel with almost 20,000 subscribers.

Source: nzherald

The post Bitcoin millionaire Dies In Suspected Suicide after social media show off appeared first on TechWorm.

Could Cryptocurrencies Be The Future Of Online Payments?

Cryptocurrencies and the potential that they have to evolve the way our financial institutions work is fascinating. Despite recent market fluctuations, BTC price appears to be climbing once again, further helping to increase the public interest in the exciting world of cryptocurrencies. However, how much potential do cryptocurrencies actually have, and could they be the future of online payments? Here, we’re taking a closer look.

Fast & Secure Transactions

The major benefit of cryptocurrencies is the speed and security of the transactions that are made across the blockchain. The technology behind cryptocurrencies is fully encrypted and due to the public ledger on which the blockchain is based, transactions can be made almost instantly. This is a huge difference when compared to some debit or credit card transactions which can take up to a number of days to be confirmed and for money to be transferred in full.

People who are shopping online are looking for more convenient ways to purchase the products and services that they are looking for, and as a result it is highly likely that cryptocurrencies are going to help to bridge this particular gap. This is likely to be integrated alongside social networks which are slowly beginning to offer native payment systems to further streamline online shopping. The security behind transactions is also highly beneficial, and the transparency of the blockchain technology behind cryptocurrencies helps to reduce human error while minimising security breaches.

Opportunities To Reach The Unbanked

A large proportion of the population around the world is considered to be ‘unbanked’. This means that they do not have access to a bank account and are therefore unable to transfer funds. While there are some eWallets available on the internet, the majority of these require a connection with a bank account, and if not, they can require fees to transfer funds across the globe. Cryptocurrencies on the other hand are not regulated by a single entity, meaning fees and charges to transfer funds internationally are minimised. This not only helps to benefit customers who are looking to purchase online, but businesses can also enjoy minimal transaction fees, too.

Digital Currencies vs. Cryptocurrencies

Having a clear understanding of the difference between digital currencies and cryptocurrencies is important when it comes to understanding just how much of an impact the latter will have on the future of online payments. Digital currencies have all of the characteristics of traditional fiat funds, where you can exchange, obtain and transfer it for another currency, but they are only available in the digital landscape. Digital currencies are not restricted by political or geographical borders, but they are still controlled by a single entity.

Cryptocurrencies on the other hand is an asset, and not an actual currency, and are run from a decentralised ledger, although they are often classified as a form of digital currency. Structure, anonymity, transparency, transaction manipulation and legal aspects are the major differences between the two, and it is the transparency and anonymity that are really likely to push cryptocurrencies to revolutionise the way we make online payments.

Technology is continuing to change and expand, and cryptocurrencies alongside the blockchain technology which helps to create a transparent and secure set up for them are likely to continue to have a huge impact in the way that we purchase products and services online.

The post Could Cryptocurrencies Be The Future Of Online Payments? appeared first on TechWorm.

Crypto-Mining, IoT Attacks Among Top Internet Security Threats in 2018

Crypto-mining is up, Internet of Things (IoT) attacks are on the rise and ransomware is undergoing a “market correction,” according to recent research. As noted by TechRepublic, new data on internet security threats revealed an 8,500 percent jump in the volume of crypto-mining efforts while criminal IoT compromises grew by 600 percent over the previous year.

Ransomware Saturates the Cybercrime Market

According to Security Boulevard, ransomware is now considered a commodity with the rise of cybercrime-as-a-service options, which enable would-be hackers with no technical experience to rent their own versions of popular ransomware.

The increased availability of ransomware tools caused the average ransom fee to drop to $522 in 2017, less than half of what the average cybercriminal demanded in 2016. Still, organizations should expect the sheer number of ransomware attacks leveraging commonly available tools to rise in 2018.

Crypto-Mining Headlines Top Internet Security Threats of 2018

Crypto-mining experienced the largest boost of all internet security threats last year with an 8,500 percent jump, according to Symantec’s “2018 Internet Security Threat Report.” With just a few lines of code, attackers can install crypto-mining software on unsuspecting devices and dig for digital coins in the background.

The lightweight nature of crypto-mining code enables it to fly under the radar of typical threat detection tools even as it consumes central processing unit (CPU) cycles and energy. As more miners are installed on network and IoT devices, performance suffers, energy costs rise and cloud resources are maxed out.

The TechRepublic article likened the rise of crypto-mining to the get-rich-quick lure of 19th century gold rushes and cautioned that new technology designed to combat IoT attacks “will not be enough to stop them all.” Recognizing the telltale signs of a IoT-driven crypto-mining attack, therefore, requires a “well-informed and well-trained workforce.”

Supply Chains in the Crosshairs

As noted in the Symantec report, supply chain attacks are on the rise. These incidents increased by 200 percent in 2017 as cybercriminals looked for ways to compromise valuable corporate systems.

In supply chain attacks, threat actors don’t typically target suppliers directly. Instead, they use them to bypass enterprise network security. For example, NotPetya leveraged flaws in Ukranian accounting software to access larger, more valuable systems.

What’s more, primary targets may not be aware that supply chain partners have been compromised until it’s too late. According to the Security Boulevard piece, companies must ensure that suppliers don’t “walk around cybersecurity controls,” but instead meet all applicable standards.

Zero-Day Exploits Decline as Targeted Attacks Rise

Finally, while zero-day exploits are declining, targeted attacks are on the rise. For example, spear phishing, a technique employed by 71 percent of cybercrime groups last year, is now the top threat vector, according to Symantec. That’s because it works: stealing credentials and bypassing security systems is much easier than fighting with firewalls.

The post Crypto-Mining, IoT Attacks Among Top Internet Security Threats in 2018 appeared first on Security Intelligence.

Crypto-Miners Supplant Ransomware as the Top Healthcare Cybersecurity Threat

Malicious crypto-miners have supplanted ransomware as the top healthcare cybersecurity threat, a cross-sector report revealed.

The April 2018 edition of the Healthcare Information and Management Systems Society (HIMSS)’s “Healthcare and Cross-Sector Cybersecurity Report,” which referenced the recent “Comodo Cybersecurity Q1 2018 Report,” found that crypto-miner attacks increased over the course of the quarter while ransomware attacks decreased.

Comodo’s researchers also noted that attackers are debuting innovations for embedding malware within crypto-miners, a trend that could indicate a preference among bad actors for cryptojacking over more traditional threats.

Crypto-Miners, Backdoors and More

On June 11 at the Healthcare Security Forum, Lee Kim, privacy and security director for HIMSS, will present her a talk titled “Through the Looking Glass: What’s Happening Now and in the Future.” Her session will expand on some of the findings from the April 2018 HIMSS report.

In addition to crypto-miners, HIMSS featured other threats in its roundup, including an authentication bypass vulnerability that facilitates code execution with root privileges on some ASUS routers. The report noted that public exploits are readily available for this weakness.

HIMSS also covered a threat group targeting healthcare firms with a custom backdoor, a remote code execution vulnerability in the 7-Zip program and a Python-based crypto-miner that uses the ETERNALROMANCE exploit to spread to vulnerable Windows PCs.

Improving Healthcare Cybersecurity, One Asset at a Time

Ahead of her presentation at the Healthcare Security Forum, Lee advised healthcare organizations to take inventory of their assets’ locations and configurations. That way, security teams will be in a better position to defend the network from national-state actors, criminals and zealous competitors.

“Think like an attacker and a defender,” she advised, as quoted by Healthcare IT News. “Know how the enemy moves, what they go after, and who they may be — this intelligence can go a long way.”

Lee also emphasized the importance of establishing communication channels for defending against phishing emails.

The post Crypto-Miners Supplant Ransomware as the Top Healthcare Cybersecurity Threat appeared first on Security Intelligence.

This Week in Security News: Zippy’s and Flynn

Welcome to our weekly roundup, where we share what you need to know about the cybersecurity news and events that happened over the past few days. This week, Hawaii-based restaurant Zippy’s suffered a POS data breach. In addition, Uber executive John Flynn argued that user expectations on data protection are rising, but consumers still aren’t implementing the right precautions for their own data safety.

Read on to learn more.

State-of-the-Art Security: The Role of Technology in the Journey to GDPR Compliance

As we’ve discussed over the last 7 weeks in our video case study series, the GDPR impacts many different areas of our company, including our employees, customers, and partners.

PROTECTING YOUR PRIVACY – Part 1: The Privacy Risks of Social Networks and Online Browsing

Most Americans today spend many of their waking hours online. In fact, we’re up to spending an average of five hours per day just on our mobiles.

What HIPAA and Other Compliance Teaches Us About the Reality of GDPR

The date for General Data Protection Regulation (GDPR) compliance is three months away, yet many organizations, especially those outside Europe, remain unprepared

PROTECTING YOUR PRIVACY – Part 2: How to Maximize Your Privacy on Social Media and in Your Browser

You can manually configure your Privacy Settings on sites including Facebook, Twitter, LinkedIn, and more. However, no two sites are the same, and some are easier than others to navigate. 

Securing the Connected Industrial World with Trend Micro

At Trend Micro we’ve made it our business over the past 30 years to anticipate where technology is taking the world. That’s why our message has evolved over that time from Peace of Mind Computing to Your Internet Firewall and most recently Securing Your Journey to the Cloud.

FacexWorm Targets Cryptocurrency Trading Platforms, Abuses Facebook Messenger for Propagation

Trend Micro’s Cyber Safety Solutions team identified a malicious Chrome extension we named FacexWorm, which uses a miscellany of techniques to target cryptocurrency trading platforms accessed on an affected browser and propagates via Facebook Messenger.  

How cryptocurrency is shaping today’s threat environment

Cryptocurrency has exploded as a popular way to support digital transactions. Since its creation, users have discovered an array of different ways to leverage cryptocurrency, including within mining strategies and digital wallets. 

Cryptocurrency-Mining Malware Targeting IoT, Being Offered in the Underground

Cryptocurrencies have been generating much buzz of late. While some governments are at work to regulate transactions involving them, there are others that want to stop mining activities related to them altogether.  

Legitimate Application AnyDesk Bundled with New Ransomware Variant

Trend Micro recently discovered a new ransomware (Detected as RANSOM_BLACKHEART.THDBCAH), which drops and executes the legitimate tool known as AnyDesk alongside its malicious payload.  

Zippy’s Restaurants Suffers POS Data Breach

Zippy’s Restaurants’ point-of-sale system was compromised for four months, exposing customer data.

ASEAN Cybersecurity in the Spotlight Under Singapore’s Chairmanship

At ASEAN Summit 2018 in Singapore, the strong focus on cybersecurity reflected regional and international attention to growing cyber threats in Southeast Asia.

Almost Half of UK Businesses Suffered Cyberattack or Security Breach Last Year, Figures Show

The 2018 Cyber Security Breaches Survey found 19 percent of charities and 43 percent of businesses in the UK had reported cyber security breaches or attacks in the last year.

Commentary: States Are Getting Tough on Data Security—but That Might Be a Problem

The Facebook-Cambridge Analytica scandal shines a light on the need for more regulation protecting data; more than 240 bills were introduced in 42 states last year covering a range of security issues.

Uber Security Head Says Users Need to Care More About Data After Breach

At the 2018 Collision Tech Conference, John Flynn relayed that user expectations on data protection are rising, but customers still aren’t taking the right actions to protect their personal information. 

Alexa Can Listen Indefinitely, Potentially Exploited to Transcribe Information to Cybercriminals

Researchers discovered a new internet of things (IoT) design flaw in a popular smart home system: They found that Amazon’s Alexa service can be programmed to eavesdropon its users and transcribe all the information heard.  

Securing the Internet of Things Through Effective Regulation

According to a survey done by Gartner, almost 20 percent of organizations have observed at least one IoT-based attack in the last three years.

As cities get high-tech, hackers become more dangerous

Remember when a major U.S. city’s computer infrastructure was hacked, and held ransom, by a group of cyber criminals?

Do you agree with John Flynn’s speech on user expectations for data protection? Share your thoughts in the comments below or follow me on Twitter to continue the conversation; @JonLClay.

The post This Week in Security News: Zippy’s and Flynn appeared first on .

Blockchain-powered e-commerce startup leaks personal information of 25,000 early investors

A misconfigured MongoDB database has led to the leak of names, email and physical addresses, wallet information, encrypted passwords, and driver’s license and passport numbers of 25,000 early investors in Bezop. The leak deals a second security-related blow in months to the e-commerce startup, which hopes to give retail giant Amazon a run for its money by fashioning its business around digital currency.

Bezop is a decentralized blockchain-powered commerce platform, similar in some ways to Amazon, that hopes to be “the future of global trade,” according to its creators.

“No monthly fees, Build professional amazon-like stores and start accepting cryptocurrency in minutes,” reads a marketing tagline on the firm’s website.

The business is based on its own Bezop cryptocurrency, which trades under the name BEZ. Users are promised several sure-fire ways to generate profits, not just by selling goods in exchange for crypto coins, but also by participating in “mining” programs for an extra incentive.

However, things went awry for Bezop when researchers at Kromtech (a developer of popular macOS utilities) found a misconfigured MongoDB database that was showing the personal information of 25,000 Bezop investors in plain text – publicly, for anyone with access to the Internet to see.

When alerted to the breach in March, Bezop fixed the problem but made no public admission that it messed up so badly – if there’s one thing a startup needs like air, it’s the trust of its early backers.

Sadly for Bezop, it’s not the first time the company has made headlines for insecure handling of user data. As reported by hackread.com, only a few months ago the company sent usernames and passwords in cleartext format.

John McAffee (the founder of the security firm with the same name) sits on Bezop’s board of directors, but his expertise has apparently yet to rub off on the company he is backing.

MyEtherWallet DNS Hack Causes 17 Million USD User Loss

MyEtherWallet DNS Hack Causes 17 Million USD User Loss

Big news in the crypto scene this week was that the MyEtherWallet DNS Hack that occured managed to collect about $17 Million USD worth of Ethereum in just a few hours.

The hack itself could have been MUCH bigger as it actually involved compromising 1300 Amazon AWS Route 53 DNS IP addresses, fortunately though only MEW was targetted resulting in the damage being contained in the cryptosphere (as far as we know anyway).

Read the rest of MyEtherWallet DNS Hack Causes 17 Million USD User Loss now! Only available at Darknet.

Cryptomining Campaign Returns Coal and Not Diamond

Executive summary


Soon after a launch of a new cryptocurrency, Bitvote, in January, Talos discovered a new mining campaign affecting systems in India, Indonesia, Vietnam and several other countries that were tied to Bitvote.

Apart from the fact that the attackers have chosen to target the new bitcoin fork in order to gain the early adoption advantage, this campaign is notable for its usage of a kernel-mode driver to manage command and control (C2) infrastructure, configuration management, download and execute functionality, as well as payload protection. It is quite uncommon to implement this functionality in kernel, apart from the payload protection, and points to a moderate to high level of technical knowledge behind the attack.

The payloads and the configuration were embedded in specially modified animated GIF files and published as parts of web pages hosted on free blogging platforms.

The campaign was active in February and March, and so far, it has brought limited returns for attackers.



Introduction


One of the benefits of open-source projects is the ability for other people to create so-called "forks" — copies of the original source code repository and to essentially split (fork) the development process in two by creating a separate project with a new development team and a separate development process.

Forks also happen with cryptocurrencies. Since the initial release of bitcoin, there has been more than 18,000 forks of bitcoin code on the hosting service GitHub, although only a few of them have successfully been launched as alternatives to bitcoin.

While some, such as Bitcoin Cash, Bitcoin Gold or Litecoin have been fairly successful, most new forks die out without being noticed by a significant number of users.

A frequent reason that forks are created is to improve on the so-called "one-CPU-one-vote" principle, which prescribes rules on how the network decides on a transaction's validity. In the original plan laid out by Bitcoin creator Satoshi Nakamoto, the miner is awarded proportionally to the amount of computing resources they invested, without explicit mention of the type of hardware that should be used for mining. However, some people took the "one-CPU-one-vote" principle — quite literally — to mean that desktop CPUs should exclusively be used for mining.

Nevertheless, the original practice of bitcoin mining has moved away from using standard desktop system CPUs and GPUs, and into the realm of specialized ASIC-based hardware systems, requiring a significant up-front investment to achieve notable returns for miners.

This development has seen many home users moving away from mining bitcoin into mining other currencies such as Monero, which is specifically designed to make mining using ASIC more difficult. Monero also increasingly became the currency of choice for malicious mining botnets, which we already covered in one of our recent blog posts.

On Jan. 20, an unknown group of developers launched a new bitcoin fork called Bitvote, with their own view on how to improve on the "one-CPU-one-vote" principle, and give desktop users a fairer chance to successfully mine a cryptocurrency.

Bitvote uses the Cryptonight algorithm for its proof of work, which is also used by Monero. The algorithm is designed to allow standard desktop CPUs to be equal participants in the mining process.

As cyber criminals move farther away from ransomware, and closer to cryptocurrency mining, it comes as no surprise to find out that a malicious actor decided to take a gamble on Bitvote, and developed a malicious campaign that resulted in the infection of hundreds of systems with a modified version of the cpuminer mining software, recruiting the affected systems into a Bitvote mining pool.

This post is focused on the driver functionality of Bitvote, although we briefly describe the dropper, as well as the final cryptocurrency mining payload used in this campaign.

Calculator with unexpected functionality: The dropper


A driver dropper, purporting to be a calculator application was found by investigating AMP for Endpoints product telemetry. The dropper was spotted in the wild, and blocked on Feb. 6. It is likely to have been a part of a (potentially) unwanted application installer published on sites hosting an alleged version of Microsoft Toolkit, which should allow the user to activate different versions of Microsoft Office and Windows without owning a valid license.

A Microsoft Toolkit bundler installs many potentially unwanted applications (PUAs), but it also installs a file calculator<nnnn>.exe that drops a randomly named kernel mode driver. Earlier calculator dropper variants have been around at least since the last quarter of 2017.

Typically, the malicious functionality of the dropper (written using MFC framework) is to install the driver in the <Windows>\system32\drivers folder with eight random characters' base filename (eg. djkeuihk.sys), or with the original name of the driver, which is DrToolKrl.sys. After creating the driver, the dropper creates a Windows service with the same name, as the driver file loads the driver into the kernel memory by starting the service.

Before dropping the driver, the dropper checks if it is executing in a virtual machine environment, under a control of a debugger or in a sandbox. If a virtual machine environment is detected, the malicious driver is not dropped, and the execution continues with a calculator functionality.

Trojanized Calculator GUI

The dropper checks for the following environments:

  • Parallels
  • VMWare
  • VirtualBox
  • JoeBox
  • GFI Sandbox (CWSandbox)
  • Anubis
  • Sandboxie
  • Debugging Tools for Windows


If a debugging or analysis environment is not detected, the dropper checks the version of the operating system in order to drop an appropriate, 32- or 64-bit version of the rootkit driver. It also attempts to communicate with the driver in order to make sure that the driver is not already loaded.

Check for the bitness of the operating system and prepare to drop a driver

Main culprit: The driver


The driver is signed with a certificate belonging to "Jiangsu innovation safety assessment Co., Ltd." with expired validity period. This means that it will not be loaded by Windows Vista and later versions of 64-bit Windows, which enforce valid driver signatures. On the one hand, this seems like a failure of the attacker's process, as the attack can only target older Windows versions, likely executing on less capable CPUs. On the other hand, it may prove to be an advantage for the attacker, as it is more likely that older systems are not fully up to date and protected with the latest security software. Therefore, this attack is less likely to be discovered if only older CPUs are affected.

The driver contains the functionality to:

  • Manage configuration of the C2 infrastructure
  • Parse configuration files hosted on free blogging platforms to decode the information hidden in animated GIF files published as part of the C2 blogs.
  • Download and execute the final payload (in our case, the Bitvote pool miner agent)
  • Protect the driver from deletion
  • Protect the driver registry entry from third-party access (read and write)
  • Protect payload processes and threads from termination
  • Download and install new driver versions
  • Disable the User Account Control (UAC)


Apart from the core driver's ability to protect itself and its payload, the driver somewhat unusually contains the download and execute functionalities, which is rarely implemented in kernel mode by well-known malware downloader families.

This indicates an increased level of proficiency of the author of the driver, who might also be the actor behind this Bitvote mining operation.

However, it is also possible that the driver is created by a generic third party toolkit, which would allow an actor to specify configuration and payload URLs in a simple way. Once the configuration is specified, the toolkit might be used to build and sign the driver, which could also explain the fact that the driver samples were signed with an expired certificate. However, we were not able to find generator samples that would confirm this theory.

Configuration management


The driver initially contained several hardcoded URLs pointing to free blogging platforms, such as Blogspot (Blogger) and Russian blogging platform LiveJournal. Before the hardcoded URLs are accessed, the dropper attempts to download a GIF file from a special URL hardcoded in the dropper body.

The downloaded GIF file contains an encrypted data blob at offset 0xA0000, with a driver configuration block including the new command and control locations, as well as updated URLs for downloads of payloads. The configuration data block starts with a header containing a magic double word 'lKTD' ('DTKl'), followed by a double word containing a simple addition-based checksum of all bytes in decoded configuration, a static double word XOR decryption key and a double word count of configuration records within the block.

Download and decode driver configuration

Each configuration record size is 407 bytes long, and contains a type of the record, which may indicate a payload record, a driver update record or C2 record, followed by a URL, as well as pointers to HTML parsing functions, the local file paths and arguments that should be used when they are launched.

The configuration is decoded and loaded into the DeviceExtension block of the device object created by the driver in the DriverEntry function. The device extension block is the most important data structure associated with a device object. Its internal structure is driver-defined, and it is typically used to maintain device state information and provide storage for any kernel-defined objects. In our case, the DeviceExtension also stores the in-memory configuration of the malicious driver.

The GIF containing the driver configuration

The IP address of any host is resolved by querying Google's DNS resolver 8.8.8.8. Defenders are advised to block direct traffic from standard internal network endpoints to external DNS resolvers, which would prevent the driver from downloading and executing payloads, as well as connecting to the botnet C2 servers, internally referred to as the "Heart servers."

The host used as the Heart server in this campaign was cdn[.]rmb666[.]me. At the time of the analysis, the domain name resolved to 185.180.14.16, which is also associated with other malicious domains. The domain was registered on Dec. 20, 2017, and it seems to have been used specifically for this campaign. The IP address is hosted in the Czech Republic. The domain has now changed the provider,and it points to 91.213.8.57, an IP address hosted in Ukraine.

The country graph taken from the Cisco Umbrella Investigate tool indicates that the campaign was the most active in Indonesia with many other countries, such as India, Algeria and Vietnam being affected.

The top affected countries are Indonesia and India

The driver uses fairly specific User-Agent string 'Mozilla/5.0 (Windows NT 6.1; Win64; x64) AppleWebKit/520.16 (KHTML, like Gecko) Chrome/61 Safari/517' when posting the initial data to the C2 server, which may be a good network detection indicator.

Initial Heart server post request example

Download and execute functionality


Once the configuration is uploaded, the driver loops over the records and attempts to access the specified URLs. If a URL hosts an HTML file, the driver will parse the page to find an image URL which satisfies a criteria set in the associated HTML parsing function.

If a target image URL is found, the driver will download the image file. The downloaded image files were GIF images with a PE executable payload simply appended to it. The driver then extracts the payload from the image, saves the payload into a destination path set by the configuration record and executes it by changing the process context into Windows Explorer (explorer.exe) and launching the downloaded file using the standard WinExec Windows API function.

The driver finds Windows Explorer process identifier (PID) by calling the ZwQuerySystemInformation API to obtain an array of SYSTEM_PROCESS_INFORMATION structures, one for each process in the system.

Execute the payload in the context of "explorer.exe"

Driver protection


Apart from the core 'download and execute' functionality, the driver implements several protection techniques to protect the driver's file, its own in-memory configuration, its service and the payload process.

To protect itself, the driver stores its own image and the configuration records within a registry key, and if the original driver is removed from the disk or modified, the modified file is replaced by the original driver, or a new driver copy is created.

If the driver is not able to restore itself into the old location, it generates a new eight-character long base random name, saves the original version of the driver into the newly generated path and creates a new service to point to it.

The configuration is stored in the DataInfo value of the registry key used by the driver service. For example: \HKLM\System\CurrentControlSet\Services\kemamiti\DataInfo. The service registry key is protected by the driver, and the access to it is not allowed as long as the driver is active in memory.

Access to the driver services registry key is denied by the driver

Hiding the driver


The driver attempts to hide by removing itself from the InLoadOrderLinks linked list of loaded modules. The driver accesses its own _DRIVER_OBJECT object DriverSection pointer, which points to an area with a _LDR_DATA_TABLE_ENTRY structure, used to keep the information about the loaded module.

The driver is removed from the InLoadOrder linked list by modifying both the Flink (forward link) member of the previous list member and Blink (backward link) of the next list member.

The driver also zeroes out the DriverName field of the _DRIVER_OBJECT object as well as FullDllName field in the _LDR_DATA_TABLE_ENTRY structure.

The driver zeroes out its name but BaseDllName still remains

This way, the name of the driver module is not displayed when the loaded module lists are examined by many utilities. For example, if we use the WinDbg extension SwishDbgExt, developed by Matthieu Suiche, to display kernel callbacks, the driver module name will not be displayed, although we can still follow hyperlinks to disassemble and analyze the callback code.

The driver module name is not assigned to callbacks after zeroing out

Payload process protection


Apart from protection of the module and its registry entries, the driver protects the payload process from termination and respawns the process if all of its threads are terminated. This is achieved using one of the documented kernel mechanisms and registering object callbacks, allowing the user to supply functions, which will be called by the kernel when the registered kernel event, such as opening a process, is triggered.

The protection of the process is implemented by calling the ObRegisterCallbacks for process objects. When the kernel initiates a callback, the rootkit changes the DesiredAccess mask in order to prevent other processes from terminating the payload.

There is some additional filtering, and if the process creating a handle to the payload is not explorer.exe or csrss.exe, the process will be unable to terminate the payload.

Access to the payload process is denied by the driver

System callbacks


When Windows kernel mode rootkits appeared, they used to hook undocumented operating system structures and tables such as System Service Dispatch table (SSDT) or Interrupt Descriptor table (IDT) but today, they typically use documented interfaces, such as system callbacks, in order to avoid detection by Windows kernel security mechanisms.

Our driver sample is also aware of Windows protection mechanisms, and it uses documented callbacks in order to register functions for its own protection.

The list of used functions for registering callbacks is:

Final payload - the miner


The final payload is a modified cpuminer application downloaded into <Windows>\winserv,exe. The miner is modified to automatically connect to a btv.vvpool.com site using TCP port 5700 and join a Bitvote mining pool. The application seems to be a minor modification of an open-source cryptocurrency miner cpuminer, and it does not warrant further investigation.

The miner connects to the pool at TCP port 5700 and sends its address

At the time of writing, we could see that the mining operation has been able to earn just over 4,400 BTV, close to $1,500. This is easily checked using Bitvote block explorer ,and searching for transactions to the address 1C9BLDgbx8geYzc5sNPDUhpHWFqAEqHRHB, belonging to the botnet.

Despite the moderate botnet size, the attackers earned more than $1,500.

The top hash rate of 340 Khash/s indicates around 2,500 bots participating in the mining activity, considering an average hash rate of 125 hashes per second that can be, on average, generated by an average CPU. It seems like attackers were betting on BTV, but the payback would be much higher if they attempted to mine another, more established cryptocurrency such as Monero.

After a high initial hashrate the activity quickly dropped to 12Khash/s

The mining activity started its operation on Feb. 16, which can be seen in the stats available on the vvpool.com website.

Conclusion


With the the difficulties and unpredictability associated with the recent widespread ransomware attacks, it is not surprising that cyber criminals are turning toward mining cryptocurrencies. Besides well-established cryptocurrencies such as Monero, malicious actors are also becoming early adopters of newly created cryptocurrencies. Bitvote is just one of these, created as a bitcoin fork and launched on Jan. 20. The attackers created trojanized calculator applications with an intention to create a large pool of infected machines to mine Bitvote. 

Apart from targeting a newly created cryptocurrency, this campaign is notable for using a kernel mode driver deployed in order to provide the complete infrastructure for the final payload, ranging from downloading the payload, reloading the malware configuration, as well as hiding and protecting the malicious modules from detection and removal.

Using a kernel mode driver is quite an unusual method for everyday malware campaigns, and requires at least a moderate technical knowledge on the part of the developers. The fact that the certificate used to sign the driver has an expired validity period, points to a possible intention of attackers to target geographic regions with a smaller proportion of the latest operating systems in the user base.

Although this newly created cryptocurrency provided only limited returns, we can expect attackers to continue this trend in the future as more cryptocurrencies opt to allow mining with commodity desktop CPUs.

Coverage


Additional ways our customers can detect and block this threat are listed below.



Advanced Malware Protection (AMP) is ideally suited to prevent the execution of the malware used by these threat actors.

CWS or WSA web scanning prevents access to malicious websites and detects malware used in these attacks.

Email Security can block malicious emails sent by threat actors as part of their campaign.

Network Security appliances such as NGFW, NGIPS, and Meraki MX can detect malicious activity associated with this threat.

AMP Threat Grid helps identify malicious binaries and build protection into all Cisco Security products.

Umbrella, our secure internet gateway (SIG), blocks users from connecting to malicious domains, IPs, and URLs, whether users are on or off the corporate network.

Open Source Snort Subscriber Rule Set customers can stay up to date by downloading the latest rule pack available for purchase on Snort.org.


IOCs


Drivers


d90ebf52ad16db60949af988c24a9aaf59994836998ddefb7eadb7b26cecf05c
7dc5f6e0296213b95ac6bbf07812987f681e933de8c41fef43789d01a410e320
b2c497662c1fd004ad97173c95740ee89490dfe34cfae5c898461c108f6539cd
87cdfc90ded55e83948e54ef2d20d78c1ef9d78a8a018c01aa80645fb7eb33ce
838d62a9d978ca5dfbeef50636df6a05ac0377d245b3b9df931a2c2ddb8b9f28
ea828b2250825e3530fa6a889b71aba5fe52bf1aa70cc240b5208fcd57490912
9c45bf161947c7dd7aead23c2de4e806a7e260bd61be99eda0ce674f831c414f
6e9bc99005f7070acd58c873caddcd3fe256bd281f1e7dfb81fbcc4fcdafeddd
19f42d8d1a2b57058f38d62246cb1b7128c43060d2c504d2a52f4ef62e63e1fe
a7c7f4b1751857c4e44b4a81666e10e73808294b9bdbfd9be18865b4612a370e
f514319a8677fa29f0b2179d91fd7b190402de5bc87aca48b1ed2e96ab56905a
d81c1d5f21e66f8fc49123dffb11d23c3d7531a922a7e060dc9455c92cdb8008
d3c30f7339374d96c99df11cb4bbd944f11593a416cb5a67188c0f87e30d6054
0e92454df699cea60df2ca1620ced9ca8e0bec8c6f4424df62b1b8c5e4b2167f
cb48cefc8cdd4856f800b80ab7bb2dd98a5f3e2e83ec11d89f138ef259c324db
d2323e3e850733b32cc72d6f9527181af1e1f13d24fa2bc4e2c2cc14bf148d70
962c723b17d35b83ec52801be82bce4c2ce936c2bc57c82112958b0d32c9db97
ab0b53890ecc5c85f050b18564b953895daec8db75652100639da49a71e538ff
708db4511cb78329caaa50b69ed07ec28208a3bd05aea25f47fe5fe0ae5e2592
c81d032fba5e178b7a264b301aec4399375067fa22ca85a0ab3eef4d06f3cdb0
fff7ba34752cf2ed8e934b826235ea66a701b6a79f15c4e88e692c91e12941fa
934b7cce2c370b5bfcd462e33e55aa45cc25c588361fdb32e7a2670a3acef0e2
ec37f13a40eac500eece7904885ace72ca66fa015293159bba2a33992d2d2a6e
28ed8326bb1c4099e2bd88973e73c4464a46bb35952b4490f7be165491b40da6
0d8969db5bda666b92de13bc0033344ee489c340e02c2667e6fd5a924d52d20c

Droppers (CalculatorXXXX.exe)


66908c744a11db8d72ad0b95c41de9fa13cc996c17884a3b39e8fdcd4fee20ee
f98f23c223a498c5687af84cd6c17b853a0abb0458d5606e5b62a3e75b1dbab6
019426698cb1cc733024c38d0d09ff5dcac1ad9cf81d26c092a278f72f131e59
04de0bcd0f61a38f7ffd59c8fb369616a1648e65ea717994dbbef7db1bb6df1d
051825abb810183939cc00055eb841ba4c319c46fbacf30cc2b6ac60fb3305f8
0ace52b5d1847f2fea1f6db75e69215176017d98d113fd7860eab89607e6c955
1648ee9890f17f19b45c751f3bcf898267c7b8a3bb5188138f65b1857e8c9985
1f634c71be6f0615facd7364ed2edb50b388d75ff26e486addafc40ee0f95d89
3163a93a00d5e6c6de4d2d57a4badab0f33c5f27016f3685e5cfd83d0de759dd
32e2f73faf2f8acb68b373ae61cdcb0a72d168be85102e520690bfd64840bb59
4eeb22623b78909c1b6179ce47d1c5130b88d381ba86dc51886b78c03476c2dd
551fd86f19d1980696622dd4cf2535573b8a66f3e4fb0155f8dac919f1f50488
6bde69fb7d35fac40d6e108ce610401eb08c5fc69a481d4cb03483ee3cd9705e
76d419d9a9d047ef19058496bb64c8caf2456a8d76f45a0523b7a5fdce21dd40
7e41a9427e27e980578e59698d4f7f88c649e355eb26bbd549973f1ca7355828
806742372cb0f4fc8a64b15b186e78cea1459f970b5620e2bcfdcd73db2d6fa6
a94a8cbe146fb4f66ba907c1d40fdda916c8ecd0fa0d7114814a25565ac96aa2
d6fce2bd96498333feb43404a34ce826ee915fa30785a18ec3c7b15b6ae924a9
db25a7265029188d4d39cb5654c9ca558302fb0ddb3de081e53300122c8a3c2c
e2da5b82da75be16640774128af067ac608515bd7a3c32082ae89c3967048c20
e4c0c999af4abf99f6afa21c991357aff3c1eae1f424df3a2c307bb578fdbbf0
ea6226fcb7adf1ad57f2e64c99d735e7cb54063b5bed970c5fd75a9e55f7bf1a

Dropper Toolkit


8185b8a3629dc1fb5090a12f0418ce91ee1908117487e3316f96ba17fa64a5db

Modified Bitvote cpuminer


87c27f08d1eaa1ad2addd6af381829c037d55186ceded7249d5af0a62e464032

Domains for configuration downloads


hxxp://image.bcn2018.com/
hxxp://image.cheap2019.com/
hxxp://image.docu2018.com/
hxxp://image.gxb2018.com/
hxxp://image.japchn2018.com/
hxxp://image.pply2018.com/
hxxp://image.succe2018.com/
hxxp://image.yyxp2019.com/
hxxp://img.rmb777.me/

Hardcoded Urls for downloads of payloads and newer driver versions (may be superseded by the new configuration downloaded from configurations sites)


hxxp://1022k.blogspot.com/2018/02/1022s.html
hxxp://7mlftakc3qt48.livejournal.com/721.html
hxxp://bbx2018.blogspot.com/2018/02/1026i.html
hxxp://bct2018.blogspot.com/2018/02/1027i.html
hxxp://btv2018.blogspot.com/2018/02/blog-post.html
hxxp://check2018.livejournal.com/517.html
hxxp://earthjor.livejournal.com/721.html
hxxp://gba2019.livejournal.com/767.html
hxxp://hbrhzuds1199.livejournal.com/799.html
hxxp://hrb2019.livejournal.com/620.html
hxxp://iphone2019.livejournal.com/635.html
hxxp://kawakaw.livejournal.com/594.html
hxxp://livegoogle.livejournal.com/546.html
hxxp://lovejoin2019.blogspot.com/2018/02/1031.html
hxxp://myinsterschool.blogspot.com/2018/02/1032.html
hxxp://myqnewworld.blogspot.com/2018/02/1030.html
hxxp://nha2019.livejournal.com/749.html
hxxp://talkto2018.livejournal.com/518.html
hxxp://tpshadow66655.livejournal.com/545.html
hxxp://xabx2019.livejournal.com/559.html
hxxp://xmr1022.livejournal.com/763.html
hxxp://xmr1022x.livejournal.com/656.html
hxxp://xmr2019.blogspot.com/2018/01/1021s.html
hxxp://xmr2019.blogspot.com/2018/01/my-sister.html
hxxp://xmr2019.livejournal.com/1165.html
hxxp://xmr2019.livejournal.com/748.html

URLs for C2


hxxp://down.rmb666.me/dr.php

Tens of thousands per Gram

Looking at Instagram one morning, I spotted several posts from some fairly well-known people (in certain circles) who had invested in an ICO held by Telegram. Interesting, I thought to myself. I fancy a piece of that. Only I was pretty sure that if Telegram was indeed holding an ICO, it would be a private affair — off limits to cash-strapped social media-based “investors.” That’s when I decided to do some digging.

Let’s start with a brief history lesson. In late 2017, information appeared on specialized resources about a Telegram ICO to finance the launch of its own blockchain platform based on TON (Telegram Open Network) technology. Despite the fact that Pavel Durov did not confirm the ICO rumors, and no information was posted on the company’s official website (and still hasn’t been), the mooted project attracted a huge number of potential investors. According to various (dubious) sources, participation in the ICO is by invitation only, and the first closed round, the so-called presale, has already taken place. Technical documentation and a white paper also appeared online, but their authenticity is not confirmed.

Perhaps the masterminds behind the project deliberately clothed it in mystery to spark interest. In any case, the lack of information bred speculation and provided fertile ground for scammers: the rumors prompted mailshots seemingly from official representatives of the platform, inviting people to take part in the ICO and purchase tokens. And there was a mushrooming of sites supposedly selling Grams (the name of the cryptocurrency that Telegram presumably intends to launch).

When creating fake sites, cybercriminals try to keep to the style of technical documentation and white papers

Meanwhile, Pavel Durov tweeted that all TON-related news would be posted only on the official website, and asked for any “Gram” sales to be reported:

Despite the announcement, fake sites continued scooping cash from unwitting victims. But to give credit where it’s due, their creators did a superb job. Unlike some phishing fakes, these sites really do lure people in. Not only that, most use a secure connection, require registration, and generate a unique online wallet for each new victim, making it hard to track the movement of money.

Grams can be purchased in a selection of cryptocurrencies

The price of the new cryptocurrency varies greatly from one fake site to the next. And although most of them create unique wallets for victims, I managed to find several that use static wallets. From the transaction history of one of them, we see that the cybercriminals withdrew 85 ETH:

Withdrawal of funds harvested in Ethereum

At the time of writing this article, the Ethereum exchange rate was about $422. This resource alone seems to have collected more than 35 000$(2 million rubles), and there are dozens like it. Judging by their content, it’s possible they have common ownership. For example, several have one and the same Our Team section.

Suspiciously similar Our Team sections

While the presence of the Durov brothers doesn’t raise any question marks, Lucas Pernas-Valles seems to exist only on dozens of other fake sites. He may indeed be a member of Telegram’s new project team, but a brief online check reveals that the person in the photo is not called Lucas Pernas-Valles, although he does have cryptocurrency links.

It should be noted that this ICO project is one of relatively few to have attracted mass attention. And where there’s mass attention, there’s fraud. The lack of reliable information from official sources only serves to aggravate the situation

Parasitic Coin Mining Creates Wealth, Destroys Systems

The increasing popularity of cryptocurrencies has inspired some people to pursue coin mining, essentially making money online. (Mining is the processing of transactions in the digital currency system, in which new transactions are recorded in a digital ledger called the blockchain. Miners help to update the ledger to verify and collect new transactions to be added to the blockchain. In return, miners earn Bitcoins, for example.) Mining is resource intensive and legal if it is done with the proper permissions.

McAfee Labs has recently seen a huge increase in a malware variant, commonly known as CoinMiner or CoinMiner-FOZU!, which takes control of a victim’s computer to mine new coins by infecting user executables, injecting Coinhive JavaScript into HTML files, and blocking the domains of security products to stop signature updates.

CoinMiner-FOZU!, which we analyzed, has led all major coin-miner malware in prevalence in 2018. (March figures are incomplete.) Source: McAfee Labs.

The following graphs show statistics and geographic data for recent CoinMiner-FOZU! detections:

W32/CoinMiner employs—without a user’s consent—machine resources to mine coins for virtual currencies. Its parasitic nature makes it rare as well as destructive: The malware does not put a unique marker on each file it infects. Thus subsequent infections by the same malware will reinfect the victim’s files.

Analysis

After launching, CoinMiner copies itself into two hardcoded locations:

  • %Windows%\360\360Safe\deepscan\ZhuDongFangYu.exe
  • %filesystemroot%:\RECYCLER\S-5-4-62-7581032776-5377505530-562822366-6588\ZhuDongFangYu.exe

These two files are hidden and read only:

The binary executes from the first location and starts the parasitic infection process. The malware prepends itself to user-executable files but, unlike traditional file infectors, it does not allow the original file to run. It targets files with extensions .exe, .com, .scr, and .pif. This malware does not check for multiple infections. If the threat is deleted and later reinfects the system, the same files will again be targeted.

To prevent victims from restoring clean copies of their files, the malware deletes both ISO (disk image) and GHO (Norton Ghost) files:

 

Once CoinMiner finishes infecting other executable files, it injects a Coinhive script into HTML files. The Coinhive service provides cryptocurrency mining software, which using JavaScript code can be embedded in websites and use the site visitor’s processing power to mine the cryptocurrency:

CoinMiner disables the user account control feature, which notifies the user when applications make changes to the system. Through registry updates, it also disables folder options and registry tools, and deletes safe mode.

From its second location on an infected system—the hidden autorun.inf at the file system root—the malware ensures that it starts after rebooting:

To avoid detection by security products, CoinMiner puts security software domains in the hosts file and redirects them to 127.0.0.1, the loopback address on the victim’s system. If users have not created a local website, they will see an error page in their browsers. By doing this, the malware ensures that no victim can receive an update from the security vendor.

When the victim runs the script-injected HTML files, the Coinhive script executes, downloading coinhive.min.js (hash: 4d6af0dba75bedf4d8822a776a331b2b1591477c6df18698ad5b8628e0880382) from coinhive.com. This script takes over 100% of the CPU for mining using the function setThrottle(0). The mining stops when the victim closes the infected HTML file:

The simple hosts-file injection, hiding in the recycle bin, and maximizing CPU usage suggest that this malware has been written by a novice author. McAfee advises all users to keep their antimalware products up to date.

McAfee Detections

  • W32/CoinMiner
  • CoinMiner-FOZU![Partial hash]
  • TXT/CoinMiner.m
  • HTML/CoinMiner.m
  • JS/Miner.c

Hashes (SHA-256)

  • 80568db643de5f429e9ad5e2005529bc01c4d7da06751e343c05fa51f537560d
  • bb987f37666b6e8ebf43e443fc4bacd5f0ab795194f20c01fcd10cb582da1c57
  • 4d6af0dba75bedf4d8822a776a331b2b1591477c6df18698ad5b8628e0880382

The post Parasitic Coin Mining Creates Wealth, Destroys Systems appeared first on McAfee Blogs.

Google banishes cryptocurrency mining extensions from Chrome Web Store

The tech giant is taking the measure after a rise in malicious browser extensions that mine digital money by hijacking the processing power of users' computers. The clampdown follows Google’s recent move to stop serving any and all adverts promoting virtual currencies and initial coin offerings.

The post Google banishes cryptocurrency mining extensions from Chrome Web Store appeared first on WeLiveSecurity

Cryptojacking is Soaring, and “Stegware” Makes it a Stealth Bomber

With Bitcoin becoming resource-intensive to mine, and several cryptocurrency platforms arising as alternatives, more bad actors are jumping into cryptojacking: the unsolicited use of your device to mine cryptocurrency. This is becoming a dangerous threat that sometimes targets web systems, while other times infiltrates consumer or enterprise devices.

When a consumer device is targeted by cryptojacking, immediate effects appear because of the mining operation. Sometimes the system performance is not consistent with the expected user workload. Similarly, when the attack targets an enterprise device such as a server, these indicators will be there, although maybe harder to identify. In fact, when the mining script is correctly configured, a throttled CPU usage might be concealed as a slightly higher server usage in accordance with theoretically higher demand. Verifying these facts? Not an easy task.

The purpose of a cryptojacking attack is essentially revenue, so it makes sense that high-value assets (involving significant CPU or GPU resources) will be targeted. Recent reports reveal that manufacturing and financial services industries together constitute more than 55% of the systems affected by cryptojacking attacks (1). In one recent example, the Smominru Monero botnet has produced around $3 million running a mining operation with more than 500k compromised hosts (2).

Several cryptojacking attacks are using steganography, which is used as a mechanism to conceal and deliver the malicious mining script.

With security solutions maturing, bad actors need to think about new strategies to convey the attacks. That’s where “stegware”, malware hidden with steganography, comes in handy. As previously discussed (3), steganography is a very good vehicle for concealing an attack. In the case of cryptojacking, delivering the mining script is all the attacker requires. For that purpose, carriers such as an image file are used to hide the script. Then, taking advantage of either vulnerabilities (or features) already present in the services exposed by servers, the image is planted and the mining script can be executed. This technique is so effective that in some cases, bad actors won’t use actual steganography, just a fake image file, which is enough to bypass security solutions.

In a similar way, web-based cryptojacking attacks are poisoning hundred of websites (by either taking advantage of web server exploits or via “malvertising”) to mine cryptocurrency when a user visits a webpage. Essentially, an image (for example an ad) is placed somewhere so the mining script can be extracted and executed via the user device resources. Fortunately, popular browsers have already implemented measures to detect this activity and shut it down.

But even with monitored devices such as servers, differentiating between a legitimate increased server demand and a cryptojacking attack may not always be that simple. If the mining script is correctly configured, an infected server process using a slightly higher amount of CPU would be on a gray area, but not necessarily spotted as an anomaly.

 Collateral Damage

The fact that a mining script is extensively consuming resources such as CPU or GPU constitutes a potential risk to the system and its components. When devices are stressed by the extra load of mining, CPU, GPU and heat dissipation mechanisms are more active than usual. This increases energy consumption and could rapidly deteriorate system components. Although this is not the purpose of cryptojacking, we can’t ignore the consequences, as it may constitute a sort of “denial of service” when critical infrastructure is compromised. A cryptojacking botnet compromising servers may not disrupt a business, but it surely introduces some challenges to the operation.

Less Headache, More Benefits

In comparison with ransomware, cryptojacking might be more attractive to cybercriminals. Essentially, both attacks will produce revenue. However, while a ransomware attack becomes obvious once the ransom is requested, a stealthy cryptojacking has better chances of being undetected (especially when steganography is assisting the attack). Also, if a cryptojacking attack is discovered, it’s very hard to trace it back to the source, because of the intrinsic anonymity of cryptocurrency. Add to that the fact that the victim may not have enough incentive to go after the author (since “no damage” was produced), and it’s clear why this attack provides more benefits and fewer headaches than ransomware.

Staying Alert

Because no evident damage is produced, fighting cryptojacking requires a trained eye. Look for anomalies related to either performance, overheating, or failing components. The more data you have, the better you will be able to spot an attack. Determining the cause of a device or server being stressed is not easy, but that’s where you should start. Also, other indicators such as unknown processes or unknown images being downloaded can help you trace the path to a mining script.

The post Cryptojacking is Soaring, and “Stegware” Makes it a Stealth Bomber appeared first on McAfee Blogs.

McAfee Researchers Analyze Dark Side of Cryptocurrency Craze: Its Effect on Cybercrime

In December 2017 Bitcoin values skyrocketed, peaking at the unprecedented amount of roughly US$19,000 per coin. Unsurprisingly, the market for cryptocurrencies exploded in response. Investors, companies, and even the public found a fresh interest in digital currencies. However, the exciting change in Bitcoin value did not just influence your average wealth seeker. It also influenced vast underground cybercriminal markets, malware developers, and cybercriminal behavior.

Blessing and Curse

The surge of Bitcoin popularity and price per coin piqued the interest of cybercriminals, driving cryptocurrency hijacking in the last quarter of 2017. However, the same popularity and price jump also created a headache for bad actors. Ransomware techniques and the buying and selling of goods became problematic. The volatility of the Bitcoin market makes ransom costs hard to predict at the time of infection and costs can surge upwards of $28 per transaction, complicating a criminal campaign. The volatility made mining, the act of using system resources to “mint” cryptocurrency, exceedingly difficult and raised transaction prices. This was especially true for Bitcoin, due its high hash rate of the network. (The higher the hash rate, the more people they compete against.)

Cybercriminals will always seek to combine the highest returns in the shortest time with the least risk. With the Bitcoin surge, malware developers and underground markets found themselves in need of more stability, prompting a switch to other currencies and a resurgence of old techniques.

It is far easier to mine small currencies because the hash rate is generally more manageable and hardware requirements can be more accessible depending on the network design. Monero, for example, is ASIC resistant, meaning that while mining specialized hardware does not have an overwhelming advantage to nonspecialized hardware. This allows the average computer to be more effective at the task. Due to this advantage, Monero is actively mined in mass by criminals using web-based miners on the machines of unsuspecting visitors. This intrusion is known as cryptojacking, which works by hijacking the browser session to use system resources. A quick look at recent examples of cryptojacking throws light on this issue. Starting mid-2017, there have been a slew of instances in which major websites have found themselves compromised and unwittingly hosting the code, turning their users into mining bots. The public Wi-Fi at a Starbucks outlet was found to hijack browsers to mine Monero. Even streaming services such as YouTube have been affected through infected ads. Ironically, Monero is said to be one of the most private cryptocurrencies. Attacks such as these have also happened on Bitcoin, NEM, and Ethereum.

Criminals are also leveraging techniques beyond mining, such as cryptocurrency address or wallet hijacking. For example, Evrial, a Trojan for sale on underground markets, watches the Windows clipboard and replaces any cryptocurrency wallet addresses with its own malicious address. Essentially, this hijacks a user’s intended payment address to redirect funds. Unwitting users could accidentally pay a bad actor, losing their coins with essentially no chance of recovery.

A Brief Timeline

Cybercriminals have always faced the difficulty of securing their profits from government eyes. For the cybercriminal, banks present risk. If a transfer is deemed illegal or fraudulent, the bank transfer can easily be traced and seized by the bank or law enforcement. Trading in traditional currencies requires dealing with highly regulated entities that have a strong motivation to follow the rules. Any suspicious activity on their systems could easily result in the seizure of funds. Cybercriminals have long tried to solve this problem using various digital currencies, the prelude to cryptocurrencies. When cryptocurrencies were introduced to the world, cybercriminals were quick to adapt. However, with this adoption came Trojans, botnets, and other hacker activities designed specifically for the new technology.

The evolution of digital currencies. Despite various attacks from bad actors, digital money continues to evolve.

1996: E-gold appeared, and quickly became popular with cybercriminals due to its lack of verification on accounts. This was certainly welcome among “carder groups” such as ShadowCrew, which trafficked in stolen credit cards and other financial accounts. However, with three million accounts, e-gold’s popularity among criminals also caused its demise: It was taken down just 10 years later by the FBI, even after attempts in 2005 to rein in criminal activity. Accounts were seized and the founder indicted, collapsing all e-gold operations.

2005: Needing another avenue after the collapse of e-gold, cybercriminals migrated to WebMoney, established in 1998. Unlike e-gold, WebMoney successfully discouraged the bulk of cybercriminals by modifying business practices to prevent illegal activities. This kept the organization alive but pushed many cybercriminals to find a new payment system.

2006: Liberty Reserve took on much of the burgeoning cybercriminal demand. The institution got off to a rocky start with cybercriminals due to the almost immediate arrest of its founders. The company’s assets were seized in 2013—causing an estimated $6 billion in lost criminal funds.

2009: Cybercriminals were increasingly desperate for a reliable and safe payment system. Enter Bitcoin, a decentralized, pseudo-anonymous payment system built on blockchain technology. With WebMoney usage growing increasingly difficult for cybercriminals and Liberty Reserve under scrutiny from world governments, cybercriminals required something new. Within the Bitcoin network, no central authority had the power to make decisions or otherwise seize funds. These protections against centralized seizures, as well as many of its anonymity features, were a major influence in the migration of cybercriminals to Bitcoin.

Game Changers

By 2013 cybercriminals had a vested interest in cryptocurrencies, primarily Bitcoin. Cryptocurrency-related malware was in full swing, as evidenced by increasingly sophisticated botnet miner kits such as BitBot. Large enterprises such as Silk Road, primarily a drug market, thrived on the backbone of cryptocurrency popularity. Then three major events dramatically changed the way cybercriminals operated.

Silk Road closed: The popular black market and first major modern cryptocurrency “dark net” market was shut down by the FBI. The market was tailored to drug sales, and the FBI takedown left its buyers and sellers without a place to sell their goods. The migration of buyers and sellers to less restrictive markets enabled cross-sales to a much larger audience than was previously available to cybercriminals. Buyers of drugs could now also buy stolen data—including Netflix accounts or credit cards—from new markets such as AlphaBay as demand increased.

Major retailers breached: Millions of credit card records were stolen and available, raising the demand for underground markets to buy and sell the data. Dark net markets already offering malware and other goods and services took up the load. Agora, Black Market Reloaded and, shortly thereafter, AlphaBay responded to that demand. Although many of these markets were scams, a few such as AlphaBay, which survived until its July 2017 takedown, were hugely successful. Through these markets, cybercriminals had access to a much larger audience and could benefit from centralized structures and advertising. The demand for other types of stolen data rose even more, particularly streaming media accounts and personally identifiable information, which carries a high financial return for cybercriminals.

In the past, many of the credit card records were sold on forums and other specialized carding sites, such as Rescator. The new supply of credit card data was so massive, however, that it enabled secondhand sales and migration into broader markets. Dark net markets were simply more scalable than forums, thus enabling their further growth. New players joining the game now had easy access to goods, stolen data, and customers. This shift reshaped and enabled retail targeting as it exists today.

Cryptocurrency-based ransomware introduced: Outside of dark net markets, malware developers sought to acquire cryptocurrencies. Prior to 2013 the primary method to maliciously acquire coin was through mining. Less effective methods included scams, such as TOR-clone sites, fake markets, or Trojans designed to steal private keys to wallets. By late 2013 malware developers and botnet owners sold their malware at a premium by including mining software alongside the usual items such as credit cards and password scrapers. However, at a cost of around $250 per coin, Bitcoin miners did not immediately see higher profits than they could manage with focused scraper malware. Criminals needed more reliable ways of acquiring coins.

Ransomware, a potentially lucrative form of malware, was already on the rise using other digital currencies. In late 2013, the major ransomware family CryptoLocker included a new option for ransomware victims—to pay via Bitcoin. The tactic effectively created a frenzy of copycat malware. Now malware developers could outpace the profits of scraper malware as well as secure currency for the underground market. Ransomware quickly enjoyed several immensely successful campaigns, many of which, including Locky and Samsa, are still popular. Open-source tools such as Hidden Tear allowed low-skilled players to enter the market and acquire cryptocurrencies through ransomware with only limited coding knowledge. The thriving model ransomware as a service emerged with TOX, sold via a TOR hidden service in 2015.

The use of cryptocurrencies by malicious actors has grown substantially since their inception in 2009. Cryptocurrencies meet a need and have been exploited in ever-evolving ways since their introduction. The influence of cryptocurrencies on underground markets, malware development, and attackers behavior cannot be understated. As markets change and adopt cryptocurrencies, we will surely see further responses from cybercriminals.

 

Resources

https://securingtomorrow.mcafee.com/business/exploring-correlation-bitcoins-boom-evrials-capabilities/
https://securingtomorrow.mcafee.com/mcafee-labs/darknet-markets-will-outlive-alphabay-hansa-takedowns/
https://blogs.mcafee.com/mcafee-labs/weve-hacked-okay-ill-deal-next-week/
http://www.mcafee.com/us/resources/reports/rp-quarterly-threat-q1-2014.pdf
https://securingtomorrow.mcafee.com/mcafee-labs/meet-tox-ransomware-for-the-rest-of-us/
https://www.forbes.com/sites/forbestechcouncil/2017/08/03/how-cryptocurrencies-are-fueling-ransomware-attacks-and-other-cybercrimes/2/#25d727c56144
https://threatpost.com/new-ransomware-scam-accepts-bitcoin-payment/102632/
https://www.mcafee.com/threat-center/threat-landscape-dashboard/
“Dynamic Changes in Underground Markets,” by Charles McFarland. Cyber Security Practitioner, Vol. 2, Issue 11. November 2016.
https://en.wikipedia.org/wiki/Silk_Road_(marketplace)
http://www.mcafee.com/us/resources/white-papers/wp-digital-laundry.pdf
https://en.wikipedia.org/wiki/Liberty_Reserve
https://securingtomorrow.mcafee.com/mcafee-labs/delving-deeply-into-a-bitcoin-botnet
https://arstechnica.com/tech-policy/2017/12/bitcoin-fees-rising-high/
https://www.bleepingcomputer.com/news/security/venuslocker-ransomware-gang-switches-to-monero-mining/
https://securingtomorrow.mcafee.com/mcafee-labs/malware-mines-steals-cryptocurrencies-from-victims/
https://www.theverge.com/2017/9/26/16367620/showtime-cpu-cryptocurrency-monero-coinhive
https://gizmodo.com/hackers-hijacking-cpus-to-mine-cryptocurrency-have-now-1822466650
https://techcrunch.com/2018/02/12/browsealoud-coinhive-monero-mining-hack/
https://www.fbi.gov/news/stories/alphabay-takedown
https://securingtomorrow.mcafee.com/mcafee-labs/free-ransomware-available-dark-web/
http://www.bbc.com/news/technology-42338754

The post McAfee Researchers Analyze Dark Side of Cryptocurrency Craze: Its Effect on Cybercrime appeared first on McAfee Blogs.

Understanding How Bitcoin Mining Poses Security Risks

From 2017 to 2018, the cost of one Bitcoin increased over one thousand percent. This rapid growth dominated headlines and ignited a cryptocurrency boom that left consumers everywhere wondering how to get a slice of the Bitcoin pie. For those that want to join the craze without trading traditional currencies like U.S. dollars, a process called “Bitcoin mining” appears to be a great way to get involved. However, Bitcoin mining introduces a number of security risks.

What is Bitcoin mining?

Mining for Bitcoin is like mining for gold—you put in the work and you get your reward. But instead of back-breaking labor, you earn the currency with your time and computer processing power. “Miners”, as they are called, essentially upkeep and help secure Bitcoin’s decentralized accounting system.

Each time there’s a transaction it’s recorded in a digital ledger called the “blockchain.” Miners help to update the ledger by downloading a special piece of software that allows them to verify and collect new transactions to be added to the blockchain. Then, they must solve a mathematical puzzle to be able to add a block of transactions to the chain. In return, they earn Bitcoins, as well as transaction fees.

What are the security risks?

As the digital currency has matured, Bitcoin mining has become more challenging. In the beginning a user could mine on their home computer and earn a good amount of the digital currency, but these days the math problems have become so complicated that it requires a lot of expensive computing power.

This is where the risks come in. Since miners need an increasing amount of computer power to earn Bitcoin, some have started compromising public Wi-Fi networks so they can access users’ devices to mine for Bitcoin. This recently happened at a coffee shop in Buenos Aires, which was infected with malware that caused a 10-second delay when logging in to the cafe’s Wi-Fi network. The malware authors were using this time to access the users’ laptops for mining.

In addition to public Wi-Fi networks, millions of websites are being compromised to access users’ devices for mining. In fact, this has become such a widespread problem, that over 1 billion devices are believed to be slowed down by web-based mining. And slowing your device down is not even the worst thing that could happen. A device that is “cryptojacked” could have 100 percent of its resources used for mining, causing the device to overheat, essentially destroying it.

Now that you know a little about Bitcoin mining and the risks associated with it, here are some tips to keep your devices safe as you monitor the cryptocurrency market:

  • Avoid public Wi-Fi networks—These networks often aren’t secured, opening your device and information up to a number of threats.
  • Use a VPN— If you’re away from your secure home or work network, consider using a virtual private network (VPN). This is a piece of software that gives you a secure connection to the Internet, so that third parties cannot intercept or read your data. A product like McAfee Safe Connect can help safeguard your online privacy no matter where you go.
  • Secure Your Devices—New threats like Bitcoin malware are emerging all of the time. Protect your devices and information with comprehensive security software, and keep informed on the latest threats.

Looking for more mobile security tips and trends? Be sure to follow @McAfee Home on Twitter, and like us on Facebook.

The post Understanding How Bitcoin Mining Poses Security Risks appeared first on McAfee Blogs.

All Up In Your Browser: Stopping Cryptojacking Attacks

With the massive upsurge in the value of bitcoin and other cryptocurrencies, cybercriminals are turning their prime focus to cryptocurrency. One of the fastest growing forms of malware are those mining cryptocurrencies on victim machines. Specifically, using the browsers of visitors as CPU cryptocurrency miners. Even news sites are utilizing this to monetize their websites and blogs. As bitcoin often takes specialized hardware to effectively mine, criminals are turning to Monero as the mining currency of choice for victim machines.

CVE-2017-10271 Used to Deliver CryptoMiners: An Overview of Techniques Used Post-Exploitation and Pre-Mining

Introduction

FireEye researchers recently observed threat actors abusing CVE-2017-10271 to deliver various cryptocurrency miners.

CVE-2017-10271 is a known input validation vulnerability that exists in the WebLogic Server Security Service (WLS Security) in Oracle WebLogic Server versions 12.2.1.2.0 and prior, and attackers can exploit it to remotely execute arbitrary code. Oracle released a Critical Patch Update that reportedly fixes this vulnerability. Users who failed to patch their systems may find themselves mining cryptocurrency for threat actors.

FireEye observed a high volume of activity associated with the exploitation of CVE-2017-10271 following the public posting of proof of concept code in December 2017. Attackers then leveraged this vulnerability to download cryptocurrency miners in victim environments.

We saw evidence of organizations located in various countries – including the United States, Australia, Hong Kong, United Kingdom, India, Malaysia, and Spain, as well as those from nearly every industry vertical – being impacted by this activity. Actors involved in cryptocurrency mining operations mainly exploit opportunistic targets rather than specific organizations. This coupled with the diversity of organizations potentially affected by this activity suggests that the external targeting calculus of these attacks is indiscriminate in nature.

The recent cryptocurrency boom has resulted in a growing number of operations – employing diverse tactics – aimed at stealing cryptocurrencies. The idea that these cryptocurrency mining operations are less risky, along with the potentially nice profits, could lead cyber criminals to begin shifting away from ransomware campaigns.

Tactic #1: Delivering the miner directly to a vulnerable server

Some tactics we've observed involve exploiting CVE-2017-10271, leveraging PowerShell to download the miner directly onto the victim’s system (Figure 1), and executing it using ShellExecute().


Figure 1: Downloading the payload directly

Tactic #2: Utilizing PowerShell scripts to deliver the miner

Other tactics involve the exploit delivering a PowerShell script, instead of downloading the executable directly (Figure 2).


Figure 2: Exploit delivering PowerShell script

This script has the following functionalities:

  • Downloading miners from remote servers


Figure 3: Downloading cryptominers

As shown in Figure 3, the .ps1 script tries to download the payload from the remote server to a vulnerable server.

  • Creating scheduled tasks for persistence


Figure 4: Creation of scheduled task

  • Deleting scheduled tasks of other known cryptominers


Figure 5: Deletion of scheduled tasks related to other miners

In Figure 4, the cryptominer creates a scheduled task with name “Update service for Oracle products1”.  In Figure 5, a different variant deletes this task and other similar tasks after creating its own, “Update service for Oracle productsa”.  

From this, it’s quite clear that different attackers are fighting over the resources available in the system.

  • Killing processes matching certain strings associated with other cryptominers


Figure 6: Terminating processes directly


Figure 7: Terminating processes matching certain strings

Similar to scheduled tasks deletion, certain known mining processes are also terminated (Figure 6 and Figure 7).

  • Connects to mining pools with wallet key


Figure 8: Connection to mining pools

The miner is then executed with different flags to connect to mining pools (Figure 8). Some of the other observed flags are: -a for algorithm, -k for keepalive to prevent timeout, -o for URL of mining server, -u for wallet key, -p for password of mining server, and -t for limiting the number of miner threads.

  • Limiting CPU usage to avoid suspicion


Figure 9: Limiting CPU Usage

To avoid suspicion, some attackers are limiting the CPU usage of the miner (Figure 9).

Tactic #3: Lateral movement across Windows environments using Mimikatz and EternalBlue

Some tactics involve spreading laterally across a victim’s environment using dumped Windows credentials and the EternalBlue vulnerability (CVE-2017-0144).

The malware checks whether its running on a 32-bit or 64-bit system to determine which PowerShell script to grab from the command and control (C2) server. It looks at every network adapter, aggregating all destination IPs of established non-loopback network connections. Every IP address is then tested with extracted credentials and a credential-based execution of PowerShell is attempted that downloads and executes the malware from the C2 server on the target machine. This variant maintains persistence via WMI (Windows Management Instrumentation).

The malware also has the capability to perform a Pass-the-Hash attack with the NTLM information derived from Mimikatz in order to download and execute the malware in remote systems.

Additionally, the malware exfiltrates stolen credentials to the attacker via an HTTP GET request to: 'http://<C2>:8000/api.php?data=<credential data>'.

If the lateral movement with credentials fails, then the malware uses PingCastle MS17-010 scanner (PingCastle is a French Active Directory security tool) to scan that particular host to determine if its vulnerable to EternalBlue, and uses it to spread to that host.

After all network derived IPs have been processed, the malware generates random IPs and uses the same combination of PingCastle and EternalBlue to spread to that host.

Tactic #4: Scenarios observed in Linux OS

We’ve also observed this vulnerability being exploited to deliver shell scripts (Figure 10) that have functionality similar to the PowerShell scripts.


Figure 10: Delivery of shell scripts

The shell script performs the following activities:

  • Attempts to kill already running cryptominers


Figure 11: Terminating processes matching certain strings

  • Downloads and executes cryptominer malware


Figure 12: Downloading CryptoMiner

  • Creates a cron job to maintain persistence


Figure 13: Cron job for persistence

  • Tries to kill other potential miners to hog the CPU usage


Figure 14: Terminating other potential miners

The function shown in Figure 14 is used to find processes that have high CPU usage and terminate them. This terminates other potential miners and maximizes the utilization of resources.

Conclusion

Use of cryptocurrency mining malware is a popular tactic leveraged by financially-motivated cyber criminals to make money from victims. We’ve observed one threat actor mining around 1 XMR/day, demonstrating the potential profitability and reason behind the recent rise in such attacks. Additionally, these operations may be perceived as less risky when compared to ransomware operations, since victims may not even know the activity is occurring beyond the slowdown in system performance.

Notably, cryptocurrency mining malware is being distributed using various tactics, typically in an opportunistic and indiscriminate manner so cyber criminals will maximize their outreach and profits.

FireEye HX, being a behavior-based solution, is not affected by cryptominer tricks. FireEye HX detects these threats at the initial level of the attack cycle, when the attackers attempt to deliver the first stage payload or when the miner tries to connect to mining pools.

At the time of writing, FireEye HX detects this activity with the following indicators:

Detection Name

POWERSHELL DOWNLOADER (METHODOLOGY)

MONERO MINER (METHODOLOGY)

MIMIKATZ (CREDENTIAL STEALER)

Indicators of Compromise

MD5

Name

3421A769308D39D4E9C7E8CAECAF7FC4

cranberry.exe/logic.exe

B3A831BFA590274902C77B6C7D4C31AE

xmrig.exe/yam.exe

26404FEDE71F3F713175A3A3CEBC619B

1.ps1

D3D10FAA69A10AC754E3B7DDE9178C22

2.ps1

9C91B5CF6ECED54ABB82D1050C5893F2

info3.ps1

3AAD3FABF29F9DF65DCBD0F308FF0FA8

info6.ps1

933633F2ACFC5909C83F5C73B6FC97CC

lower.css

B47DAF937897043745DF81F32B9D7565

lib.css

3542AC729035C0F3DB186DDF2178B6A0

bootstrap.css

Thanks to Dileep Kumar Jallepalli and Charles Carmakal for their help in the analysis.

Weekly Cyber Risk Roundup: Cryptocurrency Attacks and a Major Cybercriminal Indictment

Cryptocurrency continued to make headlines this past week for a variety of cybercrime-related activities.

2018-02-10_ITT.pngFor starters, researchers discovered a new cryptocurrency miner, dubbed ADB.Miner, that infected nearly 7,000 Android devices such as smartphones, televisions, and tablets over a several-day period. The researchers said the malware uses the ADB debug interface on port 5555 to spread and that it has Mirai code within its scanning module.

In addition, several organizations reported malware infections involving cryptocurrency miners. Four servers at a wastewater facility in Europe were infected with malware designed to mine Monero, and the incident is the first ever documented mining attack to hit an operational technology network of a critical infrastructure operator, security firm Radiflow said. In addition, Decatur County General Hospital recently reported that cryptocurrency mining malware was found on a server related to its electronic medical record system.

Reuters also reported this week on allegations by South Korea that North Korea had hacked into unnamed cryptocurrency exchanges and stolen billions of won. Investors of the Bee Token ICO were also duped after scammers sent out phishing messages to the token’s mailing list claiming that a surprise partnership with Microsoft had been formed and that those who contributed to the ICO in the next six hours would receive a 100% bonus.

All of the recent cryptocurrency-related cybercrime headlines have led some experts to speculate that the use of mining software on unsuspecting users’ machines, or cryptojacking, may eventually surpass ransomware as the primary money maker for cybercriminals.


2018-02-10_ITTGroups

Other trending cybercrime events from the week include:

  • W-2 data compromised: The City of Pittsburg said that some employees had their W-2 information compromised due to a phishing attack. The University of Northern Colorado said that 12 employees had their information compromised due to unauthorized access to their profiles on the university’s online portal, Ursa, which led to the theft of W-2 information. Washington school districts are warning that an ongoing phishing campaign is targeting human resources and payroll staff in an attempt to compromise W-2 information.
  • U.S. defense secrets targeted: The Russian hacking group known as Fancy Bear successfully gained access to the email accounts of contract workers related to sensitive U.S. defense technology; however, it is uncertain what may have been stolen. The Associated Press reported that the group targeted at least 87 people working on militarized drones, missiles, rockets, stealth fighter jets, cloud-computing platforms, or other sensitive activities, and as many as 40 percent of those targeted ultimately clicked on the hackers’ phishing links.
  • Financial information stolen: Advance-Online is notifying customers that their personal and financial information stored on the company’s online platform may have been subject to unauthorized access from April 29, 2017 to January 12, 2018. Citizens Financials Group is notifying customers that their financial information may have been compromised due to the discovery of a skimming device found at a Citizens Bank ATM in Connecticut. Ameriprise Financial is notifying customers that one of its former employees has been calling its service center and impersonating them by using their name, address, and account numbers.
  • Other notable events:  Swisscom said that the “misappropriation of a sales partner’s access rights” led to a 2017 data breach that affected approximately 800,000 customers. A cloud repository belonging to the Paris-based brand marketing company Octoly was erroneously configured for public access and exposed the personal information of more than 12,000 Instagram, Twitter, and YouTube personalities. Ron’s Pharmacy in Oregon is notifying customers that their personal information may have been compromised due to unauthorized access to an employee’s email account. Partners Healthcare said that a May 2017 data breach may have exposed the personal information of up to 2,600 patients. Harvey County in Kansas said that a cyber-attack disrupted county services and led to a portion of the network being disabled. Smith Dental in Tennessee said that a ransomware infection may have compromised the personal information of 1,500 patients. Fresenius Medical Care North America has agreed to a $3.5 million settlement to settle potential HIPAA violations stemming from five separate breaches that occurred in 2012.

SurfWatch Labs collected data on many different companies tied to cybercrime over the past week. Some of those “newly seen” targets, meaning they either appeared in SurfWatch Labs’ data for the first time or else reappeared after being absent for several weeks, are shown in the chart below.

2018-02-10_ITTNew

Cyber Risk Trends From the Past Week

2018-02-10_RiskScoresA federal indictment charging 36 individuals for their role in a cybercriminal enterprise known as the Infraud Organization, which was responsible for more than $530 million in losses, was unsealed this past week. Acting Assistant Attorney General Cronan said the case is “one of the largest cyberfraud enterprise prosecutions ever undertaken by the Department of Justice.”

The indictment alleges that the group engaged in the large-scale acquisition, sale, and dissemination of stolen identities, compromised debit and credit cards, personally identifiable information, financial and banking information, computer malware, and other contraband dating back to October 2010. Thirteen of those charged were taken into custody in countries around the world.

As the Justice Department press release noted:

Under the slogan, “In Fraud We Trust,” the organization directed traffic and potential purchasers to the automated vending sites of its members, which served as online conduits to traffic in stolen means of identification, stolen financial and banking information, malware, and other illicit goods.  It also provided an escrow service to facilitate illicit digital currency transactions among its members and employed screening protocols that purported to ensure only high quality vendors of stolen cards, personally identifiable information, and other contraband were permitted to advertise to members.

ABC News reported that investigators believe the group’s nearly 11,000 members targeted more than 4.3 million credit cards, debit cards, and bank accounts worldwide. Over its seven-year history, the group inflicted $2.2 billion in intended losses and more than $530 million in actual losses against a wide range of financial institutions, merchants, and individuals.

 

Italian cryptocurrency exchange BitGrail loses $170 million

One of the biggest problems with cryptocurrency exchanges is that they're a juicy, enticing target for high-tech criminals. Case in point, Italian exchange BitGrail, which lost $170 million worth of Nano tokens, a little-known digital coin previously called RaiBlocks. BitGrail is the second exchange that lost of massive amount of money this year -- and it's only February -- following Tokyo-based Coincheck, which lost between $400 and $534 million worth of coins in a cyberattack on its internet-connected wallet back in January.

Source: The Wall Street Journal

Coincheck hackers are reportedly trying to unload stolen cryptocurrency

Last week, hackers stole around $534 million worth of cryptocurrency XEM from Tokyo-based exchange Coincheck, and now, Reuters reports, the hackers behind the heist are trying to sell the stolen cryptocurrency. Jeff McDonald, vice president of the NEM Foundation, the company behind XEM, told Reuters that he had tracked down an account holding the coins and those in possession of the stolen XEM were trying to sell them on six different cryptocurrency exchanges. "He is trying to spend them on multiple exchanges. We are contacting those exchanges," said McDonald. He also told Reuters that he couldn't yet determine how much of the stolen coins had already been spent.

Via: Reuters

Coincheck loses $400 million in massive cryptocurrency heist

Tokyo-based cryptocurrency exchange Coincheck just made history, and not in a good way. It has lost around $534 million worth of NEM tokens, one of the lesser-known cryptocurrencies, after its network was hacked on January 25th, 12:57pm EST. The attackers remained undetected for eight hours, giving them enough time to steal 523 million tokens kept in a "hot wallet," a type of storage that's connected to the internet for easy spending. While the exact value of the stolen coins are unclear due to the ever-changing nature of cryptocurrency -- it's $400 million at the very least -- Coincheck might have already lost more than what Mt. Gox did a few years ago.

Source: CoinDesk, BBC, Bloomberg

Exploring the Correlation Between Bitcoin’s Boom and Evrial’s Capabilities

Many of the stealthiest cyberthreats out there spawn on underground forums, as malware authors leverage the space to sell unique variants to fellow criminals. And now there’s a new addition to the underground scene. Meet Evrial: a powerful, information-stealing Trojan which is currently for sale for 1,500 Rubles or $27 USD. Its author previously created another variant named CryptoShuffler, which allows cybercriminals to replace the Windows clipboard and steal files from cold cryptocurrency wallets, as well as passwords from programs/browsers. Its successor, Evrial, can steal browser cookies, swoop stored credentials, and monitor the Windows clipboard too — only now it can potentially hijack active cryptocurrency payments and send stolen money directly to a cybercriminal’s address.

Specifically, the Trojan is capable of monitoring the Windows clipboard for certain types of text, and if it detects specific strings, it can modify or even replace them with ones sent by the attacker. This could mean replacing legitimate addresses and URLs with ones under the attacker’s control; a regular Bitcoin address could suddenly become one belonging to a cybercriminal. If the target pastes that address into their app, thinking it’s the legitimate one, and sends Bitcoin, the cyptocurrency will soon be in the hands of the cybercriminal. Mind you, Evrial goes beyond Bitcoin, as it is also configured to detect strings that correspond to Litecoin, Monero, WebMoney, Qiwi addresses and Steam items trade URLs.

Evrial is just one of many Bitcoin-centric news stories lately, as cryptocurrency in general has been on practically everyone’s minds – which begs the question, is there a connection? Is the increased focus on digital currency inciting the creation of malware variants designed specifically to capitalize on Bitcoin’s boom?

In short – yes and no. Historically, cryptocurrencies have been a popular mechanism on underground markets for several years. Other digital currencies were used in the past but presented problems for bad actors due to their centralized nature. However, Blockchain technology, which powers cryptocurrencies like Bitcoin and is designed to be decentralized, allowed bad actors to protect their assets from law enforcement. Noticing this value, criminals on underground markets began to use this to their benefit well before the value of Bitcoin reached $1000+ a coin.

But soon enough Bitcoin value continued to grow and malware authors took notice, as they began to target Bitcoin wallets rather than simply trade in it. Ransomware exploded, holding victim’s files and machines hostage for almost exclusively Bitcoin payment. Malware that was traditionally sold as a scraper (to steal credit card information and passwords) was upgraded to include a cryptocurrency mining feature and was sold at a premium price.

Bad actor adoption of cryptocurrency has been both significant and quick, and notably much faster than the general population. Malware that uses, steals, and is sold with cryptocurrency is now the norm. And now as the general population’s interest in cryptocurrency has exploded, we’ve seen an increase in interest from malware authors as well. This interest has led to new malware behavior, such as Evrial’s ability to scan clipboards for cryptocurrency addresses. It’s had a major impact in how business is done in the underground.

However, it’s important to note that Bitcoin’s popularity presents its own problems. The volatile value has made the buying and selling of illicit goods problematic. Additionally, the pricing of a ransom is now askew. This has forced some markets to move to multi-coin platforms (namely incorporating Monero) as an alternative and some malware families to turn to other alt-coins to mine or steal.

All in all, cryptocurrency is no different than other motivators before it – when cybercriminals find the right opportunity to enhance their profitability, they capitalize on it. And when road blocks emerge, they find ways to maneuver around them. Now, the next step for cyber defenders is to keep their eyes peeled for what’s next, and eventually — outpace cybercriminals entirely.

To learn more about the fight against Evrial and other Trojans like it, be sure to follow us at @McAfee and @McAfee_Labs.

The post Exploring the Correlation Between Bitcoin’s Boom and Evrial’s Capabilities appeared first on McAfee Blogs.

Swisscoin [SIC] cryptocurrency spam

Swisscoin is a fairly low-volume self-styled cryptocurrency that has been the target of a Necurs-based spam run starting on Saturday 13th January, and increasing in volume to huge levels on Monday. From:    Florine Fray [Fray.419@redacted.tld] Date:    15 January 2018 at 10:51 Subject:    Could this digital currency actually make you a millionaire? Every once in a while, an opportunity comes