A spate of cryptocurrency-mining malware that affected Windows systems, Linux machines, and routers have been identified last August to September of this year. The malware variants employed a variety of methods – from the use of rootkit to MIMIKATZ – to hide and spread their malicious mining activities.
Malware authors seem to be adding new features and complexity to their mining campaigns, on top of fileless techniques and exploit kits currently being employed, as these recent attacks are more likely a continuation of several incidents discovered during the first half of 2019, making malicious cryptocurrency-mining malware a predominant threat.
In this entry, we enumerate some of the cryptocurrency-mining malware detected from August to September, reviewing some of the techniques and malware variants employed.
During the last days of August to the start of September, our honeypot caught two instances of Skidmap malware being used in malicious mining. We published a report on one of the cases that used the domain pm[.]ipfswallet[.]tk/pm[.]sh and notably used rootkit to hide its malicious mining activities.
As mentioned earlier, cryptocurrency-mining malware are developing into more complex attacks, and Skidmap further demonstrates this trend. Skidmap is a Linux malware that also targets routers. In our report, we noted the use of kernel-mode rootkits to hide its cryptocurrency mining behavior in the Skidmap variant. An attacker can also use these rootkits to gain access to an affected system. Since Skidmap root access is necessary for this campaign to work, it likely needs to use attack vectors that would allow it to obtain this access. This could be in the form of certain exploits or misconfigurations.
We then started seeing a second wave of attacks from September 18 to 22; this time, using an almost identical malware variant (detected as Trojan.Linux.SKIDMAP.UWEJY). The only difference of this second case is in the domain it uses – pm[.]cpuminerpool[.]com. It also used the same backdoor component detected by Trend Micro as Backdoor.Linux.PAMDOR.A. The backdoor component is a malicious version of pam_unix.so, which is the module used for standard Unix authentication. The malicious version would accept a specific password for any user, including the malicious actor behind the attack.
Early in August, we also came across a malware from the domain cb[.]fuckingmy[.]life, which was confirmed as a Bulehero variant, detected as Trojan.Win32.BLUEROH.RPG. Bulehero takes advantage of several vulnerabilities, including those in ThinkPHP, Tomcat (CVE-2017-12615), and Weblogic in order to spread to other systems.
For lateral movement, the malware drops a MIMIKATZ component, which it uses to collect user credentials in order to access systems and turn them into Monero-mining nodes much like in other cryptocurrency-mining campaigns. The open-source tool is no stranger to malicious cryptocurrency-mining campaigns. We also saw its use in combination with Radmin to infect and propagate using the Windows SMB Server Vulnerability MS17-010.
Talos has reported on a similar September Bulehero case, which they linked to a cybercriminal group dubbed Panda. And more recently, we are seeing further Bulehero activity in early October.
Almost the same time as the above cases were detected, we published a report on a GhostMiner variant, a cryptocurrency-mining malware notable for its use of Windows management instrumentation (WMI) objects for its fileless persistence among other capabilities. The reported GhostMiner variant was also observed modifying particular infected host files used by other cryptocurrency-mining malware, Bulehero among them.
As these attacks demonstrate, authors behind malicious cryptocurrency-mining malware have continually and aggressively worked to improve their campaigns, employing new techniques that can hinder the quick detection of such campaigns. For systems and IoT devices not to lose their power and value to malicious cryptocurrency-mining campaigns, users must be aware of new attacks and trends in this rapidly developing threat. Vulnerabilities are also a serious consideration when it comes to cryptocurrency-mining malware. As described above, the right kind of exploit can prove the success of Bulehero, Skidmap, and other similar campaigns.
Users and integrators should always adopt best practices to defend against malicious cryptocurrency-mining campaigns . Here are a few of them:
Trend Micro solutions powered by XGen™ security, such as ServerProtect for Linux and Trend Micro Network Defense, can detect related malicious files and URLs and protect users’ systems. Trend Micro Smart Protection Suites and Trend Micro Worry-Free™ Business Security, which have behavior monitoring capabilities, can additionally protect from these types of threats by detecting malicious files, thwarting behaviors and routines associated with malicious activities, as well as blocking all related malicious URLs.
The Trend Micro Deep Discovery Inspector protects customers from Skidmap and Bulehero threats respectively through these DDI rules:
Indicators of Compromise (IoCs)
Like it? Add this infographic to your site:
1. Click on the box below. 2. Press Ctrl+A to select all. 3. Press Ctrl+C to copy. 4. Paste the code into your page (Ctrl+V).
Image will appear the same size as you see above.