Category Archives: cryptomining

New Mac cryptominer uses XMRig

A new Mac cryptominer was discovered this week, after affected users saw their fans whirring out of control and a process named “mshelper” gobbling up CPU time like Cookie Monster. Fortunately, this malware is not very sophisticated and is easy to remove.

The malware became public knowledge in a post on Apple’s discussion forums, where the “mshelper” process was found to be the culprit. Digging deeper, it was discovered that a couple of other suspicious processes were installed as well. We went searching and found copies of these files.

The malware is mining for Monero cryptocurrency. Here’s a breakdown of its components.

The dropper

A “dropper” is what security researchers call the program that installs malware. Often, Mac malware is installed by things like fake Adobe Flash Player installers, downloads from piracy sites, decoy documents users are tricked into opening, and other such things.

In this case, the dropper is still unknown, but we do not believe it’s anything sophisticated. Everything else about this malware suggests simplicity.

The launcher

A file named pplauncher is installed in the following location:

~/Library/Application Support/pplauncher/pplauncher

This file is kept running by a launch daemon (com.pplauncher.plist), indicating that the dropper must have had root privileges.

pplauncher is a rather large executable file (3.5 MB) that was written in Golang and then compiled for macOS. Its sole responsibility appears to be the fairly simple task of installing and launching the miner process.

Using Golang introduces significant overhead, resulting in a binary file containing more than 23,000 functions. Using this for what appears to be simple functionality is probably a sign that the person who created it is not particularly familiar with Macs.

pplauncher SHA256:
8f1938d082393713539abb9dfa8bfde8e1a09721f622e6e597d4560219ffca0d

The miner

The miner is the mshelper process, which is installed here:

/tmp/mshelper/mshelper

This process appears to be an older version of the legitimate XMRig miner, which can be installed on Macs via Homebrew. Getting the version information from the current XMRig gives the following results:

$ xmrig -V
XMRig 2.6.2
 built on May  7 2018 with clang 9.0.0 (clang-900.0.39.2)
 features: 64-bit AES

Requesting the same information from the mshelper process gives the following results:

$ /tmp/mshelper/mshelper -V
XMRig 2.5.1
 built on Mar 26 2018 with clang 9.0.0 (clang-900.0.39.2)
 features: x86_64 AES-NI

Clearly, mshelper is simply an older copy of XMRig that is being used for the purpose of generating the cryptocurrency for the hacker behind the malware. The pplauncher process provides the necessary command-line arguments, such as the following parameter specifying the user, found using the strings command on the pplauncher executable file:

--user=19531259765625

mshelper SHA256:
a00f6fbb2e00d35f938534e1c20ba2e02311536bcf60be2165037d68cba141b2
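The artifacts above (the pplauncher path, the com.pplauncher.plist launch daemon, the /tmp/mshelper/mshelper miner and the two hashes) are enough for a read-only host check. The following is an added example, not code from the post or from Malwarebytes; it assumes /Library/LaunchDaemons as the plist location, which the post does not state, and it recognises the miner by the XMRig version string it carries rather than by running it with -V.

```python
import hashlib
import os

# SHA256 values quoted in the post for the two samples.
KNOWN_SHA256 = {
    "8f1938d082393713539abb9dfa8bfde8e1a09721f622e6e597d4560219ffca0d": "pplauncher",
    "a00f6fbb2e00d35f938534e1c20ba2e02311536bcf60be2165037d68cba141b2": "mshelper",
}


def artifact_paths(root, home):
    """Paths named in the post, re-rooted so a mounted disk image or a test
    tree can be scanned by passing root=<mount point>. The LaunchDaemons
    location is an assumption; the post only names com.pplauncher.plist."""
    return [
        os.path.join(home, "Library", "Application Support", "pplauncher", "pplauncher"),
        os.path.join(root, "Library", "LaunchDaemons", "com.pplauncher.plist"),
        os.path.join(root, "tmp", "mshelper", "mshelper"),
    ]


def classify(path):
    """Verdict for one file without executing it: a hash match against the
    post's samples, else the 'XMRig' version string the miner carries
    (what '-V' would print), else unknown."""
    with open(path, "rb") as fh:
        data = fh.read()
    digest = hashlib.sha256(data).hexdigest()
    if digest in KNOWN_SHA256:
        return "known-sample:" + KNOWN_SHA256[digest]
    if b"XMRig" in data:
        return "xmrig-build"
    return "unknown"


def scan(root="/", home=None):
    """Map every artifact path that exists to its verdict; {} means clean."""
    if home is None:
        home = os.path.expanduser("~")
    return {p: classify(p) for p in artifact_paths(root, home) if os.path.isfile(p)}


if __name__ == "__main__":
    # Live run on the current Mac; follow up with `pgrep -x mshelper`
    # to check for the running process as well.
    for path, verdict in scan().items():
        print(f"{verdict}\t{path}")
```

A hit on the plist or launcher path with an "unknown" verdict still deserves a look, since only the two samples quoted in the post are hashed.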

Mac cryptomining on the rise

This malware is not particularly dangerous, unless your Mac has a problem like damaged fans or dust-clogged vents that could cause overheating. Although the mshelper process is actually a legitimate piece of software being abused, it should still be removed along with the rest of the malware.

Mac cryptomining malware has been on the rise recently, just as in the Windows world. This malware follows other cryptominers for macOS, such as Pwnet, CpuMeaner, and CreativeUpdate. I’d rather be infected with a cryptominer than some other kind of malware, but that doesn’t make it a good thing.

If you think you’re infected with this malware, Malwarebytes for Mac will remove it. We detect this malware as OSX.ppminer.

The post New Mac cryptominer uses XMRig appeared first on Malwarebytes Labs.

A look into the Drupalgeddon client-side attacks

Drupal is one of the most popular Content Management Systems (CMS), along with WordPress and Joomla. In late March 2018, Drupal was affected by a major remote code execution vulnerability (CVE-2018-7600) followed by yet another (CVE-2018-7602) almost a month later, both aptly nicknamed Drupalgeddon 2 and Drupalgeddon 3.

These back-to-back vulnerabilities were accompanied by proof of concepts that translated into almost immediate real-world attacks. For many website owners, this situation was frustrating because the window of time to patch is getting considerably smaller. Additionally, updating or upgrading Drupal (or any other CMS for that matter) may have side effects, such as broken templates or functionality, which is why you need to make a full backup and test the changes in a staging environment before moving to production.

Rolling out a CMS is usually the easy part. Maintaining it is where most problems occur, due to lack of knowledge, fear of breaking something, and, of course, costs. While it is each site owner's responsibility to perform due diligence on their web properties, the outcome is typically websites that are severely out of date and exploited, often more than once.

Sample set and web crawl

We decided to choose a number of web properties that had not yet been validated (including all versions of Drupal, vulnerable or not). Our main source of URLs came from Shodan and was complemented by PublicWWW, for a total of roughly 80,000 URLs to crawl. We were surprised to start hitting compromised sites quickly into the process and were able to confirm over 900 injected web properties.

Many of the results were servers hosted on Amazon or other cloud providers that were most likely set up for testing purposes (staging) and never removed or upgraded. Thankfully, they received little to no traffic. The other domains we encountered spanned a variety of verticals and languages, with one common denominator: an outdated version (usually severely outdated) of the Drupal CMS.

Figure 1: Crawling and flagging compromised Drupal sites using Fiddler

Drupal versions

At the time of this writing, there are two recommended releases for Drupal. Version 8.x.x is the latest and greatest with some new features, while 7.x.x is considered the most stable and compatible version, especially when it comes to themes.

Figure 2: Drupal’s two main supported branches

Almost half the sites we flagged as compromised were running Drupal version 7.5.x, while version 7.3.x still represented about 30 percent, a fairly high number considering it was last updated in August 2015. Many security flaws have been discovered (and exploited) since then.

Figure 3: Percentage of compromised sites belonging to a particular Drupal version

Payloads

A large number of Drupal sites that have been hacked via these two recent exploits were also infected with server-side malware, in particular with XMRig cryptocurrency miners. However, in this post we will focus on the client-side effects of those compromises. Neither are exclusive though, and one should expect that a hacked site could be performing malicious actions on both server and client side.

Unsurprisingly, web miners were by far the most common type of injection we noticed. But we also came across a few different social engineering campaigns.

Figure 4: Breakdown of the most common payloads

Web miners

Drive-by mining attacks went through the roof in the fall of 2017 but slowed down somewhat at the beginning of the year. It’s safe to say that the recent Drupal vulnerabilities have added fuel to the fire and resulted in increased activity. Coinhive injections remain by far the most popular choice, although public or private Monero pools are gaining traction as well.

We are seeing the same campaign that was already documented by other researchers in early March and is ensnaring more victims by the day.

Figure 5: A subdomain of Harvard University’s main site mining Monero

Tech support scams (browlocks)

Redirections to browser locker pages are a typical way of delivering tech support scams. The most common redirection we were able to document involved an intermediary site redirecting to browser locker pages using the .TK Top Level Domain (TLD) name.

mysimplename[.]com/si.php
window.location.replace("http://hispaintinghad[.]tk/index/?1641501770611");
window.location.href = "http://hispaintinghad[.]tk/index/?1641501770611";

Figure 6: A compromised Drupal host redirecting to a browser locker page

Fake updates

This campaign of fake browser updates we documented earlier is still going strong. It distributes a password stealer or Remote Administration Tool (RAT).

Figure 7: A compromised Drupal site pushing a fake Chrome update

Web miners and injected code

We collected different types of code injection, from simple and clear text to long obfuscated blurbs. It’s worth noting that in many cases the code is dynamic—most likely a technique to evade detection.

Figure 8: Collage of some of the most common miner injections
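The flagging step of the crawl in Figure 1 can be reduced to a few source-level rules: the Coinhive and Crypto-Loot loaders and the cryptonight.wasm fetch for web miners, the s_code.js?cid= loader of the fake update campaign, and the window.location redirect to a .tk host shown in the si.php snippet above. The following is an added example, not code from the post or from Malwarebytes; it runs over constructed HTML samples (no real site, and a placeholder in place of a site key) and labels hits with the categories of Figure 4.

```python
import re

# Each rule: (category from Figure 4, regex over the raw page source).
RULES = [
    ("web miner", re.compile(
        r"coinhive\.com/lib/coinhive\.min\.js|cnhv\.co/|cryptaloot\.pro/lib/|cryptonight\.wasm")),
    ("fake update", re.compile(r"/s_code\.js\?cid=\d+")),
    # Browser-locker hop as in the si.php snippet: a window.location
    # assignment or replace() pointing the visitor at a .tk host.
    ("tech support scam", re.compile(
        r"window\.location(?:\.href\s*=|\.replace\()\s*['\"]https?://[^'\"/]+\.tk/")),
]


def flag_page(html):
    """Return {category: [matched snippet, ...]} for every rule that fires;
    an empty dict means nothing in the source matched."""
    hits = {}
    for category, rule in RULES:
        found = [m.group(0) for m in rule.finditer(html)]
        if found:
            hits[category] = found
    return hits


def triage(pages):
    """Flag a {name: source} batch; clean pages are left out of the result."""
    result = {}
    for name, src in pages.items():
        hits = flag_page(src)
        if hits:
            result[name] = hits
    return result


# Constructed samples standing in for crawled responses (not real sites).
SAMPLES = {
    "drupal-7.5-site.html": '<html><head><script src="https://coinhive.com/lib/coinhive.min.js">'
                            '</script><script>/* SITEKEY_PLACEHOLDER */</script></head></html>',
    "si.php": 'window.location.replace("http://hispaintinghad.tk/index/?1641501770611");',
    "clean.html": "<html><body><h1>Welcome</h1></body></html>",
}

if __name__ == "__main__":
    for name, hits in triage(SAMPLES).items():
        print(name, hits)
```

Because the post notes that injected code is often dynamic or obfuscated, these rules catch the clear-text form only; obfuscated variants need the decoded script, not the raw source.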

Snapshots

The following are some examples of compromised sites sorted by category. We have contacted all affected parties to let them know their resources are being used by criminals to generate profit from malicious cryptomining or malware infections.

Figure 9: Education (University of Southern California)

Figure 10: Government (Arkansas Courts & Community Initiative)

Figure 11: Political party (Green Party of California)

Figure 12: Ad server (Indian TV Revive Ad server)

Figure 13: Religion (New Holly Light)

Figure 14: Health (NetApp Benefits)

Figure 15: Conferences (Red Hat partner conference)

Figure 16: Tech (ComputerWorld’s Brazilian portal)

Malicious cryptomining remains hot

It is clear that right now, cryptomining is the preferred kind of malicious injection. There are many public but also private APIs that make the whole process easy, and unfortunately they are being abused by bad actors.

Compromised sites big and small remain a hot commodity that attackers will try to amass over time. And because patching remains an issue, the number of potential new victims never stops growing. In light of this, website owners should look into other kinds of mitigation when patching is not always an immediate option, and check what some people call virtual patching. In particular, Web Application Firewalls (WAFs) have helped many stay protected even against new types of attacks, and even when their CMS was vulnerable.

Malwarebytes continues to detect and block malicious cryptomining and other unwanted redirections.

Indicators of compromise


The post A look into the Drupalgeddon client-side attacks appeared first on Malwarebytes Labs.