“Cryptojacking” campaigns misuse victims’ computational resources for mining illicit cryptocurrency profits. Below we present our forecast about malicious cryptominers in the upcoming year and release an updated free tool for using miners’ own logic to exterminate them.
Malicious Cryptominers Get Competitive
WaterMiner is a great example for an early executable-based mining attack. This primitive program checked whether a user was monitoring the CPU consumption on the system (Figure 1), and if not. it executed a modified the XMRig miner. Distribution was simple–the miscreant bundled the miner with a patch for the popular game GTA (AKA a mod). At the time, the balance between the difficulty of mining Monero and its price allowed this operation to remain reasonably profitable.
Figure 1: Window titles that will cause WaterMiner to stop mining to evade detection.
However, as more and more criminals realized that cryptojacking is a gold mine – the arena became increasingly competitive, more sophisticated campaigns such as GhostMiner took the lead in malicious cryptocurrency mining. The victims were no longer gamers downloading dubious third-party mods; instead, the attackers started to focus on compromising Windows servers for mining activities. They infected their targets by using public, yet effective, exploits such as CVE-2017-10271. Post-exploitation, instead of using only a slightly modified versions of XMRig, this generation of cryptojacking attacks used fileless techniques, unpacking the code into memory using a combination of opensource PowerShell tools such as PowerSploit (Figure 2).
Figure 2: Two PowerShell frameworks wrap the payload which is unpacked directly into the memory at runtime.
As competition for resources increased, malicious cryptominers began fighting for control over valuable systems. For example, GhostMiner included an entire module just for killing and removing any competitor installed on the same infected system (Figure 3).
Figure 3: GhostMiner detected and removed other miners from the system.
Next, as the number of easily-infected Windows servers diminished, attackers began attacking Linux servers. These attacks were similar to their Windows counterparts, first using an exploit to gain access, eliminating a competitor, and then starting the mining operation.
The present landscape of malicious cryptominers is a mix of complexities, ranging from the simplest amateur miners like WaterMiner to the more sophisticated ones that leverage exploits and target servers instead of home PCs. Here, for example, one user shares his concerns about a server infected using the very same techniques that Linux miners used in mid-2018. Even a relatively simple .NET-based miner 1mS0rry, which first appeared in April 2018 is still active and lucrative in 2019.
The Increasing Pressures of Malicious Cryptomining
Industry dynamics will continue to pressure malicious cryptominers into becoming more competitive and evasive.
To better understand the future of malicious cryptomining, let’s start with the observation that mining cryptocurrency is becoming more challenging: First the computational effort required for each unit of a coin is increasing. Second, the value of the coins dropped dramatically in the second half of 2018.
Take for example the Monero address: 4AbjKdQkedGZXvzm6VxMJb1zLB2CAmCmXdoCisRsQFAUPs4TWFePDUcZzk5ui4EdZXT3uaXXtssqPCoKQPTz7PeZNkKASkm, which is associated with a malicious cryptomining campaign that abuses compromised Windows servers. Using minexmr.com we can see that this campaign mined Monero (XMR) in a rate of 100K hashes per second in December 2019 (Figure 4). This means that the miscreant’s “revenue,” even when assuming the C2 server consumes neglectable resources, is only about $570 per month.
Figure 4: The revenues from this campaign of 100KH/s are about $570 per month.
The value of cryptocurrencies has fallen dramatically. For example, only a year ago the value of XMR was ten times of its current value in January 2019. Some miners, not necessarily malicious ones, try to solve this issue by juggling between coins, selecting the one with the best exchange rate and lowest effort required. However, devaluation is still a problem for most, if not all cryptocurrencies.
Furthermore, security vendors are becoming increasingly effective at detecting simple implementations of miners. In 2018 this is what drove attackers to use fileless techniques and other evasion techniques in malicious cryptominers.
2019 will raise the bar for those who want to keep their cryptojacking profitable and effective. Servers will still be a prime target due to their massive computational power, but the infection and propagation techniques are likely to evolve. Attackers will shift from the currently-used exploits such as CVE-2017-10271 (against WebLogic server), CVE-2017-0143 (ETERNALBLUE) and CVE-2017- 9805 (against Redis) to new ones.
In parallel, cryptojacking malware will keep accumulating both evasion techniques against security products and functionality to eradicate rivaling miners installed on the same system. We already started seeing such efforts in late 2018, as a miner targeting Linux servers using a Redis exploit made sure that no one else will be able to infect the host using the same technique. To do this, it added a rule to the built-in iptables firewall to block connections to the relevant port (Figure 5).
Figure 5: Malicious miner protected the compromised server with iptables firewall rules.
Exterminate Malicious Miners with a Borrowed Knife
An ancient Chinese stratagem suggests finding a way to persuade a third party to attack one’s enemy. It refers to this principle as killing “with a borrowed knife.”
Inspired by the idea of a borrowed knife, the Minerva research team released a free PowerShell script called MinerKiller. This tool uses malicious miner’s competitor-fighting logic to exterminate such miners from the system. This tool is unrelated to the enterprise-ready way in which Minerva’s commercial solution Anti-Ransomware Platform fights malware, except the notion that we can use the strength of malicious software against it.
The latest version of MinerKiller incorporates addition IOC and even basic vaccination against some jackpotting attacks by creating a hidden Task Manager process. Furthermore, given the rise in cryptojacking on Linux servers, Minerva created a similar bash script for Linux.
Both scripts are available on GitHub: