Cryptomining malware is fun

GEC: Discuss gaming, computers and electronics and venture into the bizarre world of STGODs.

Ace Pace
Hardware Lover
Posts: 8456
Joined: 2002-07-07 03:04am
Location: Wasting time instead of money

Cryptomining malware is fun

Post by Ace Pace »

So a few months ago I started tracking a bunch of Russians (because that's who they are) who've spent their time writing up a basic worm that mines a crypto-currency known as Monero.
So other than self-promoting (hey, I think it was a fun piece of research), it's also interesting to look at the Monero exchange rate vs BitCoin and USD and notice how this is a classic pump and dump scam. Someone drives up the exchange rate of a crypto-currency (strong PR backing, whatever) and someone uses the fact that mining the currency is currently quick and simple and whoom, a couple of hundred dollars of free profit every few months.

This is less likely to happen to BTC simply due to being ungunned/outmanned in the ASIC war but in the lesser crypto-currencies this is very simple to pull off.

The blog post, from which I'll quote the fun parts, minus the diagrams:
Over the past few months, we’ve been following a new type of worm we named PhotoMiner. PhotoMiner features a unique infection mechanism, reaching endpoints by infecting websites hosted on FTP servers while making money by mining Monero. The choice of a lesser known currency with a good exchange rate allows the attackers to rapidly gain money while the sophisticated use of safeguards makes it resilient to most disruption attempts, potentially leaving victims infected for years.

We’ve documented thousands of attacks originating from hundreds of IPs, running similar attack flows while using different binaries. In this report we will share our research on the PhotoMiner’s timelines, infection strategies, C&C servers and provide tools to help detect the malware.

Attack Description
On January 10 2016, GuardiCore Global Sensor Network detected an automated attack uploading suspicious files to FTP hosts. Usually, uploading files to a vulnerable FTP server would go unnoticed in organizations but our Sensor Network identified an anomalous behaviour where identical incidents continued to pile up, arriving from all over the world.

Since its first release, the malware has evolved rapidly. To date, we’ve seen two different variants of PhotoMiner and over a dozen versions, indicating a rapid pace of evolution. The first variant was compiled on December 9, 2015 and included the core miner and basic propagation abilities. The second variant was released February 3, 2016 and quickly became the dominant version we can observe in the wild.

Spreading and Infecting
Over time, PhotoMiner added new capabilities including a unique multi-stage infection mechanism. First, insecure FTP servers all over the world are compromised. Then, innocent websites hosted alongside the FTP servers are engineered to infect their visitors with malware. Finally, unsuspecting website visitors are infected with malware that not only mines crypto-currency, but also seeks to infect additional FTP servers and systems in local networks.

PhotoMiner uses two types of attack techniques:

The primary attack method takes advantage of insecure FTP servers and clueless users. Since websites are frequently accessible over FTP, the operators of PhotoMiner are able to easily infect website source code and from there, innocent users. This method poses a long term danger to website security.

This is a simple two-stage attack:

1. By brute forcing random IP addresses and working off a user/password dictionary, weakly protected FTP servers are located and attacked.
2. Once a successful login attempt is made, a copy of the malware is uploaded to each writable server. At this point, each and every file capable of being rendered to a user (such as HTML, PHP and aspx files) is infected with the following string:

At this stage, rendering the page will cause a vulnerable browser to serve as a download. A careless user will click Open and let the malware in. Recent variants of the malware have upgraded this attack by adding server-side code injection and attempting to install a Linux based miner.

The target server IP, its credentials and the list of infected files are sent to the malware’s backend servers. With this information, the attackers can later login to the infected FTP servers, infecting more files and pivot into additional victims.

The second method is based on attacking Windows endpoints and servers reachable in the local area network using the following steps:

1. PhotoMiner uses built-in Windows system tools such as ‘arp’ and ‘net view’ to read the ARP cache and to scan the local network segment using the BROWSER protocol.
2. Next, it attempts to brute force a connection over SMB. With each successful connection, PhotoMiner attempts to drop copies of itself into every accessible remote startup location. After any successful copy, it will use WMI scripting to execute the local copies.

Some variants stealthily open a public Wi-Fi access point with the hardcoded name of “Free_WIFI_abc12345” which can lure innocent users into the network and get them infected.

Malware In Depth
PhotoMiner is built in a modular fashion, creating a standalone executable focused on mining Monero and a complex wrapper that is responsible for the persistence mechanism and further infections. This wrapper is comprised of two main variants with multiple sub versions:

The first variant, img001.scr, is unique in its use of NSIS, a custom scripting language. Built for installers, NSIS is a perfect fit for writing simple installers, including malware. The code is easy to read and debug, enabling the attackers to easily iterate and add features.

The second variant, photo.scr, is a native binary that implements the img001.scr functionality in native code.
Both variants include multiple sub versions where differences range from bug fixes to changes in the infection technique. Despite the multitude of versions, they follow the same order of operations. As such, we will describe them together, mentioning distinct abilities only when required.

During the initialization stage, PhotoMiner performs housekeeping tasks such as installing its persistence mechanism and collecting configuration data for the miner. To install persistence, PhotoMiner registers as a startup program using the following:

HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Run
%ALLUSERSPROFILE%\Microsoft\Windows\Start Menu\Programs\Startup\
%HOMEPATH%\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\
While basic, this technique does work and today does not automatically mark a program as “malicious”.

Configuration data is acquired by communicating over standard HTTP with a list of predefined hostnames, all serving a generic configuration file. Currently the given configuration is a list of Monero pools and wallets from which the malware randomly picks a recipient. This configuration file is scrambled using a basic reverse dictionary. This means that for each scrambled character, a matching character is retrieved from a hardcoded dictionary, while non-scrambled characters are safely skipped over.

At this stage, basic details about the computer such as operating system version and IP are sent to C&C servers. PhotoMiner connects to C&C servers to report its progress rather than to accept “commands”, and in fact does not include any remote access capabilities. Our attackers have built a resilient backend, spread over multiple domain names and using VPS servers rotated across different hosting providers. However, thanks to several mistakes made by the attackers, such as reusing servers and IP addresses, the different campaigns are tied together through shared servers.

After initialization, the malware “spins off” the miner as a separate process and goes on to spread itself. This minimises the danger posed by antivirus programs to the miner itself. The mining module itself is a packed version of BitMonero, the core implementation of the Monero worker and is a legit program which is not likely to attract unwanted attention.
In before anyone comments, this is technically very easy. The hard part was using my workplace's sensors to collect the thousands of samples needed to understand the worm's behavior and trying to figure out how widespread this infection is.
Brotherhood of the Bear | HAB | Mess | SDnet archivist |
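The report above says every renderable file (HTML, PHP, aspx) on a compromised FTP host gets a string injected that makes the visitor's browser offer the dropper as a download, but the injected string itself is not reproduced in the post. The scanner below is an added example, not GuardiCore's detection tool or anything from the PhotoMiner authors. It assumes only what the post states: the dropper names img001.scr and photo.scr, and the file types involved. Because the exact markup is unknown, it flags any reference to a .scr file and rates references to the two known names higher. The sample web root it builds is constructed for the demo.

```python
import os
import re
import tempfile
from pathlib import Path

# File types the report says get infected: anything rendered to a visitor.
WEB_EXTENSIONS = {".html", ".htm", ".php", ".aspx"}

# Dropper names taken from the report. The injected markup itself is not on the
# page, so the scan flags any reference to a '.scr' file and rates these two higher.
KNOWN_DROPPERS = {"photo.scr", "img001.scr"}
SCR_REF = re.compile(r"[\w./\\-]*\.scr\b", re.IGNORECASE)


def scan_text(text):
    """Return (line_number, matched_reference, severity) for each .scr reference."""
    findings = []
    for lineno, line in enumerate(text.splitlines(), start=1):
        for match in SCR_REF.finditer(line):
            ref = match.group(0)
            name = os.path.basename(ref.replace("\\", "/")).lower()
            severity = "known-dropper" if name in KNOWN_DROPPERS else "scr-reference"
            findings.append((lineno, ref, severity))
    return findings


def scan_tree(root):
    """Walk a web root (e.g. a copy pulled back over FTP) and scan renderable files."""
    root = Path(root)
    results = {}
    for path in sorted(root.rglob("*")):
        if not path.is_file() or path.suffix.lower() not in WEB_EXTENSIONS:
            continue
        hits = scan_text(path.read_text(encoding="utf-8", errors="replace"))
        if hits:
            results[path.relative_to(root).as_posix()] = hits
    return results


def build_sample_site(root):
    """Constructed fixtures, not markup from the report: a clean page, two pages
    referencing the known droppers, one generic .scr link, one non-web file."""
    files = {
        "index.html": '<html><body>\n<script src="/js/script.js"></script>\n'
                      '<a href="gallery.html">Photos</a>\n</body></html>\n',
        "gallery.html": '<html><body>\n<h1>Gallery</h1>\n'
                        '<iframe src="photo.scr" width="1" height="1"></iframe>\n'
                        '</body></html>\n',
        "about.php": '<?php include "header.php"; ?>\n'
                     '<a href="/files/Img001.SCR">Our photos</a>\n',
        "contact.aspx": '<%@ Page Language="C#" %>\n'
                        '<a href="/downloads/setup.scr">Download</a>\n',
        "notes.txt": "photo.scr is mentioned here but this file is never rendered\n",
    }
    for name, body in files.items():
        Path(root, name).write_text(body, encoding="utf-8")


def demo():
    """Build the sample site in a temp directory and return the scan results."""
    with tempfile.TemporaryDirectory() as root:
        build_sample_site(root)
        return scan_tree(root)


if __name__ == "__main__":
    for path, hits in demo().items():
        for lineno, ref, severity in hits:
            print(f"{path}:{lineno}: {severity}: {ref}")
```

Point scan_tree at a fresh copy of the site pulled from the FTP server rather than at the live document root, so a re-infection between scans shows up as a diff. A hit on the two known names is close to conclusive; a generic .scr reference needs a human look, since a legitimate screensaver download would trigger it too. The report also notes that the attackers keep the FTP credentials, so cleaning the files without rotating those credentials just restarts the clock.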
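The configuration scrambling described in the quoted report (a per-character lookup in a hardcoded reverse dictionary, with characters not in the dictionary passed through untouched) is simple enough to reconstruct. The following is an added example written for this thread, not code from the PhotoMiner samples or from GuardiCore. The substitution table, the "pool=" / "wallet=" layout and the sample values are all assumptions; the real table and config format are not given on the page.

```python
import random
import string

# Hypothetical substitution table. The sample configuration only needs these
# characters; PhotoMiner's real dictionary is not on the page, so this stands in.
_ALPHABET = string.ascii_letters + string.digits + "./:"
_SHIFT = 17  # any fixed permutation would do; a rotation keeps the example readable

SCRAMBLE = {c: _ALPHABET[(i + _SHIFT) % len(_ALPHABET)] for i, c in enumerate(_ALPHABET)}
DESCRAMBLE = {s: p for p, s in SCRAMBLE.items()}  # the "reverse dictionary"


def apply_table(text, table):
    """Map every character present in the table; pass all others through unchanged.
    The pass-through is the 'non-scrambled characters are safely skipped over'
    behaviour the report describes; it is why '=' and newlines stay visible."""
    return "".join(table.get(ch, ch) for ch in text)


def descramble(text):
    return apply_table(text, DESCRAMBLE)


def parse_config(plain):
    """Turn 'pool=...' / 'wallet=...' lines into lists. The layout is assumed."""
    config = {"pools": [], "wallets": []}
    for raw in plain.splitlines():
        line = raw.strip()
        if not line or "=" not in line:
            continue
        key, value = line.split("=", 1)
        key, value = key.strip().lower(), value.strip()
        if key == "pool":
            config["pools"].append(value)
        elif key == "wallet":
            config["wallets"].append(value)
    return config


def pick_target(config, seed=None):
    """Random pool/wallet choice, mirroring the report's 'randomly picks a recipient'.
    A seed makes the choice reproducible for testing."""
    rng = random.Random(seed)
    return rng.choice(config["pools"]), rng.choice(config["wallets"])


# Constructed sample: made-up pool hosts and wallet strings, not real PhotoMiner data.
SAMPLE_PLAIN = (
    "pool=pool1.example.net:3333\n"
    "pool=pool2.example.net:5555\n"
    "wallet=4AexampleWalletA1\n"
    "wallet=4AexampleWalletB2\n"
)
SAMPLE_SCRAMBLED = apply_table(SAMPLE_PLAIN, SCRAMBLE)

if __name__ == "__main__":
    print("scrambled:\n" + SAMPLE_SCRAMBLED)
    config = parse_config(descramble(SAMPLE_SCRAMBLED))
    print("recovered:", config)
    print("chosen:", pick_target(config, seed=1))
```

Two things worth noticing from running it: the structural characters that the dictionary skips ('=' and the line breaks) survive in the scrambled file, so the record layout is visible before any decoding, and because the table is hardcoded in every sample, recovering it once from a binary decodes every configuration the campaign ever served. That is the kind of weak "safeguard" that looks like encryption in a hex dump but offers the operators no confidentiality against an analyst.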
madd0ct0r
Sith Acolyte
Posts: 6259
Joined: 2008-03-14 07:47am

Re: Cryptomining malware is fun

Post by madd0ct0r »

The development of the ecosystem is fascinating. Is this a first of its kind or a spinoff of bitcoin viruses?
"Aid, trade, green technology and peace." - Hans Rosling.
"Welcome to SDN, where we can't see the forest because walking into trees repeatedly feels good, bro." - Mr Coffee
Ace Pace
Hardware Lover
Posts: 8456
Joined: 2002-07-07 03:04am
Location: Wasting time instead of money

Re: Cryptomining malware is fun

Post by Ace Pace »

madd0ct0r wrote:The development of the ecosystem is fascinating. Is this a first of its kind or a spinoff of bitcoin viruses?
The first non BTC miner? I'm quite sure it isn't, given the easy framework for creating these things. But Monero is uniquely suited for this.
Brotherhood of the Bear | HAB | Mess | SDnet archivist |
Borgholio
Sith Acolyte
Posts: 6297
Joined: 2010-09-03 09:31pm
Location: Southern California

Re: Cryptomining malware is fun

Post by Borgholio »

madd0ct0r wrote:The development of the ecosystem is fascinating.

[image]
You will be assimilated...bunghole!
Ace Pace
Hardware Lover
Posts: 8456
Joined: 2002-07-07 03:04am
Location: Wasting time instead of money

Re: Cryptomining malware is fun

Post by Ace Pace »

You laugh but I've built such labs. They're amazingly fun to play with.
Brotherhood of the Bear | HAB | Mess | SDnet archivist |
White Haven
Sith Acolyte
Posts: 6360
Joined: 2004-05-17 03:14pm
Location: The North Remembers, When It Can Be Bothered

Re: Cryptomining malware is fun

Post by White Haven »

Never mind salt water, that's more akin to a plutonium aquarium...
Chronological Incontinence: Time warps around the poster. The thread topic winks out of existence and reappears in 1d10 posts.

Out of Context Theatre, this week starring Darth Nostril.
-'If you really want to fuck with these idiots tell them that there is a vaccine for chemtrails.'

Fiction!: The Final War (Bolo/Lovecraft) (Ch 7 9/15/11), Living (D&D, Complete)
InsaneTD
Jedi Knight
Posts: 667
Joined: 2010-07-13 12:10am
Location: South Australia

Re: Cryptomining malware is fun

Post by InsaneTD »

So fun to play with.