September Malicious Cryptocurrency-Mining Attacks Showcase Current Malware Techniques and Capabilities

A spate of cryptocurrency-mining malware that affected Windows systems, Linux machines, and routers was identified from August to September of this year. The malware variants employed a variety of methods, from the use of rootkits to MIMIKATZ, to hide and spread their malicious mining activities.

Malware authors seem to be adding new features and complexity to their mining campaigns, on top of the fileless techniques and exploit kits already in use. These recent attacks are likely a continuation of several incidents discovered during the first half of 2019, making malicious cryptocurrency-mining malware a predominant threat.

In this entry, we enumerate some of the cryptocurrency-mining malware detected from August to September, reviewing some of the techniques and malware variants employed.

Skidmap cases

During the last days of August to the start of September, our honeypot caught two instances of Skidmap malware being used in malicious mining. We published a report on one of the cases, which used the domain pm[.]ipfswallet[.]tk/pm[.]sh and notably used a rootkit to hide its malicious mining activities.

As mentioned earlier, cryptocurrency-mining malware is developing into more complex attacks, and Skidmap further demonstrates this trend. Skidmap is a Linux malware that also targets routers. In our report, we noted the Skidmap variant's use of kernel-mode rootkits to hide its cryptocurrency-mining behavior. An attacker can also use these rootkits to gain access to an affected system. Since root access is necessary for the Skidmap campaign to work, it likely needs to use attack vectors that would allow it to obtain this access, such as certain exploits or misconfigurations.

We then started seeing a second wave of attacks from September 18 to 22, this time using an almost identical malware variant (detected as Trojan.Linux.SKIDMAP.UWEJY). The only difference in this second case is the domain it uses, pm[.]cpuminerpool[.]com. It also used the same backdoor component, detected by Trend Micro as Backdoor.Linux.PAMDOR.A. The backdoor component is a malicious version of pam_unix.so, the module used for standard Unix authentication. The malicious version accepts a specific password for any user, including the malicious actor behind the attack.
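A defender-side check for the PAMDOR-style backdoor described above: because the backdoor replaces the legitimate pam_unix.so, the on-disk module no longer matches the digest the package manager recorded at install time. The script below is an added example, not code from the original post or from Trend Micro; it parses the output of rpm -V (or dpkg --verify, whose default format mimics it) and flags PAM modules whose digest or size changed. The sample output embedded in it is constructed.

```python
"""Flag PAM modules whose on-disk content no longer matches the package that
installed them, which is what a replaced pam_unix.so (the Skidmap backdoor)
looks like. Added example, not Trend Micro's code."""
import re
import subprocess

# rpm -V (and dpkg --verify, whose default output mimics it) prints one line per
# file that differs: nine flag characters, an optional attribute column (c, d, ...)
# and the path. '.' means the attribute still matches; '?' means it was not tested.
# Flags: S=size, M=mode, 5=digest, D=device, L=link, U=user, G=group, T=mtime, P=caps.
VERIFY_LINE = re.compile(
    r"^(?P<flags>[SM5DLUGTP.?]{9})\s+(?:(?P<attr>[a-z]+)\s+)?(?P<path>/\S+)$")

def parse_verify_output(output: str) -> dict:
    """Return {path: set of flag letters that changed} for each reported file."""
    changed = {}
    for line in output.splitlines():
        m = VERIFY_LINE.match(line.strip())
        if not m:  # skips "missing ..." lines and unrelated text
            continue
        changed[m.group("path")] = {c for c in m.group("flags") if c not in ".?"}
    return changed

def suspicious_pam_modules(output: str) -> list:
    """PAM modules whose digest ('5') or size ('S') changed, i.e. the binary was
    replaced. A changed mtime alone ('T') is not enough to raise an alert."""
    return sorted(path for path, flags in parse_verify_output(output).items()
                  if "/security/pam_" in path and flags & {"5", "S"})

# Constructed sample mixing rpm -V and dpkg --verify style lines.
SAMPLE_OUTPUT = """\
S.5....T.    /usr/lib64/security/pam_unix.so
.......T.    /usr/lib64/security/pam_env.so
S.5....T.  c /etc/pam.d/system-auth
missing      /usr/lib64/security/pam_example.so
??5??????    /lib/x86_64-linux-gnu/security/pam_unix.so
"""

def verify_live(tool=("rpm", "-Va")) -> list:
    """Run the package verifier on this host; use ("dpkg", "--verify") on Debian."""
    try:
        out = subprocess.run(tool, capture_output=True, text=True).stdout
    except FileNotFoundError:  # verifier not installed on this host
        return []
    return suspicious_pam_modules(out)

if __name__ == "__main__":
    print("sample:", suspicious_pam_modules(SAMPLE_OUTPUT))
    print("live:", verify_live())
```

A hit only shows that the module differs from the package; a kernel-mode rootkit like Skidmap's can hide the file from the verifier, so the package database should also be checked from a trusted boot or a forensic copy of the disk.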

Bulehero

Early in August, we also came across malware from the domain cb[.]fuckingmy[.]life, which was confirmed as a Bulehero variant, detected as Trojan.Win32.BLUEROH.RPG. Bulehero takes advantage of several vulnerabilities, including those in ThinkPHP, Tomcat (CVE-2017-12615), and WebLogic, in order to spread to other systems.

For lateral movement, the malware drops a MIMIKATZ component, which it uses to collect user credentials in order to access systems and turn them into Monero-mining nodes, much like in other cryptocurrency-mining campaigns. The open-source tool is no stranger to malicious cryptocurrency-mining campaigns; we also saw it used in combination with Radmin to infect and propagate through the Windows SMB Server vulnerability MS17-010.

Talos has reported on a similar September Bulehero case, which they linked to a cybercriminal group dubbed Panda. And more recently, we are seeing further Bulehero activity in early October.

GhostMiner

At almost the same time as the above cases were detected, we published a report on a GhostMiner variant, a cryptocurrency-mining malware notable for, among other capabilities, its use of Windows Management Instrumentation (WMI) objects for fileless persistence. The reported GhostMiner variant was also observed modifying particular infected host files used by other cryptocurrency-mining malware, Bulehero among them.

Defending against cryptocurrency-mining malware

As these attacks demonstrate, the authors behind malicious cryptocurrency-mining malware have continually and aggressively worked to improve their campaigns, employing new techniques that hinder quick detection. For systems and IoT devices not to lose their power and value to malicious cryptocurrency-mining campaigns, users must be aware of new attacks and trends in this rapidly developing threat. Vulnerabilities are also a serious consideration when it comes to cryptocurrency-mining malware. As described above, the right kind of exploit can be key to the success of Bulehero, Skidmap, and other similar campaigns.

Users and integrators should always adopt best practices to defend against malicious cryptocurrency-mining campaigns. Here are a few of them:

  • Apply network segmentation. Splitting a network into segments can help prevent and minimize the effects of a cyberattack. This is especially useful for large enterprise networks.
  • Update and apply patches as soon as they are available. A cardinal rule of any network’s security is to apply updates and patches. This can prevent exploits and improve the overall security of a network. If this isn’t possible for some devices and legacy systems, virtual patching is also a viable option.
  • Configure and set up devices securely. Ensure that the settings and credentials of each device and system are geared towards strong security to avoid accidental online exposure and brute-force attacks.

Trend Micro solutions powered by XGen™ security, such as ServerProtect for Linux and Trend Micro Network Defense, can detect related malicious files and URLs and protect users’ systems. Trend Micro Smart Protection Suites and Trend Micro Worry-Free™ Business Security, which have behavior monitoring capabilities, can additionally protect from these types of threats by detecting malicious files, thwarting behaviors and routines associated with malicious activities, as well as blocking all related malicious URLs.

The Trend Micro Deep Discovery Inspector protects customers from the Skidmap and Bulehero threats, respectively, through these DDI rules:

  • 2573: MINER - TCP (Request)
  • 4245: PHPSTUDY - HTTP (Request)

Indicators of Compromise (IoCs)

SHA256                                                            Detection
00b1212cf55999fa8cea8a1a787566b4d99dc81b2fe596fd61964791f273b2ce  Trojan.Win32.BLUEROH.RPG
56acceebf74b371ee692697e6c1deaa9c8e4bcb5b4f89c4a1b7cca895f7b7e4e  Trojan.Linux.SKIDMAP.UWEJY
81de9fc33ab05928f9abca627435b3fa40a3470e01dc435dddae0e7bec640274  Trojan.SH.SKIDMAP.UWEJY
d50fd8996435b4e8d74ab824ba4c3cf4e54558dd4fd5da9abe3269ea82a1eda2  Backdoor.Linux.PAMDOR.A
