CoinMiners are Evasive - BsidesTLV

CoinMiners are Evasive
A deep dive into the uncharted territory of CoinMiners stealth tactics
Omri SEGEV MOYAL
Co-Founder &VP Research
@GeloSnake
MINERVA Labs
Thomas ROCCIA
Security Researcher,AdvancedThreat Research
@fr0gger_

Introduction
What will be discussed in the talk:
The rise of CoinMiners
CoinMiners EvasionTactics
CoinMinersTurf Wars
DefensiveTactics
Predictions
BsidesTLV – 2018 - @GeloSnake - @fr0gger_
CryptoCurrency Interest
Source: Google Trends

The Rise of CoinMiners
Source: Google News

Business Model
Mining relies on GPU, CPU,ASICS...
Solo mining is no longer profitable.
Both malicious and legitimate
miners turn to public pools.
Cybercriminals highjack victim
machines to create large mining
botnets.

Most Currency Mined
Monero - cyber criminals most
mined currency
Relatively high mining profit
returns
Strong anonymity features
Number one currency for web
based mining
Many open source easy to use
tools

InfectionVectors
Traditional malware
Adding mining functionality
Malicious documents and spams
Trojanized software and plugins
Worms
Exploiting web and local vulnerabilities
Using brute force
WebMining
Highjacking legitimate website
Iframe and redirects via advertisement
Source: McAfee

What’s the big deal?
Source: Comino.com

Evasion techniques can be define as follow:
CoinMiners are Evasive
(1) All the digital techniques used by a (mal||soft)ware to avoid, static,
dynamic, automatic, human analysis in order to understand its
behavior.
(2) All the digital techniques used by a malware to avoid (1) and to
evade security solutions, security configuration as well human
detection to perform malicious action the longer on the infected
machines.
(3) Evasion techniques are classified as follow: Anti-Sandboxing,
Antivirus Evasion, Anti-Debugging, Anti-Monitoring, Packers, Anti-
Disassembly, Process Injection, Network Evasion, Obfuscation
(encoding, encryption…), Morphism, Anti-Forensic, Anti-Machine
Learning.

Comes in trojanized online gaming
modes
Uses Google Drive to host the
malicious components
Source code found on Pastebin
WaterMiner | Modified video games on Russian
forum tainted with CoinMiner
Source: Minerva

Impersonate Intel or Oracle
software
XMRig commands are
Embedded in the payload
Stop mining when monitoring
program executes
WaterMiner | Hiding in a plain sight

Selling on blackmarket
Packed samples
Watching the clipboard to
replace wallet address (LTC,
BTC, XMR…)
Evrial | Watch over what you type
Source: McAfee

Evrial | Watch over what you type
Bitcoin Stealer
Cookie Stealer
Source: McAfee

Spreads via eternal blue SMB exploit
Run parallel to Wannacry
Managed to stay under the radar
UIWIX | Evasive Miner Exploiting ETERNALBLUE

Avoid running in virtual machines
Look for debuggers and forensics tools
Avoid running in eastern Europe countries
Look for cuckoo sandbox
Look for debuggers and forensics tools
UIWIX | For i in EvasionTactics: copy/paste i

XIAOBA | Redirecting security websites
XIAOBA Ransomware previously encrypted data now
deploy CoinMiner
Use fake icon
Infect HTML file with Coinhive link to mine
Redirect AV website to localhost
Disable safe mode, Registry
Delete .ISO and .GHO files
Infect others PE on the system to run the miner
<fail>Crash the system by infecting every exe</fail>
Inject Coinhive
script
Redirect AV
websites
Remove Backup file
Inject into EXE

XIOBA CoinMiner EvasiveTechniques
Fake 360Safe AV Edit etchosts
Html file modified
Registry disabled
Disable Safe Boot
XIAOBA | Redirecting security websites

Killing Competition
Mining requires resources
Some malware remove other threats
Some other patches the system

GhostMiner | Fileless powershell worm
Spread via exploits
Oracle’s WebLogic – CVE-2017-10271
MSSQL – bruteforce
phpMyAdmin bruteforce

GhostMiner | Fileless killer
Improved evasion over time
Switched to Powershell
Payload improved to only run in-
memory
Gen.1
Gen.2

GhostMiner | Anti-competition features
Eliminate competitors
Kill running miner process
Stop and delete miner services
Delete miner schedule tasks

GhostMiner | MinerKiller

Adylkuzz | Patching away competition
Adylkuzz used EternalBlue to spread but not directly embedded
Patched the vulnerability after infection
An old variant spreaded differently April 2017 Variant
June 2017 Variant
Source: McAfee

EvasiveTechniques
CoinMiner are also using
the following techniques:
Limit the CPU utilization
Enable mining on specific
hours
Enable mining process when
user is inactive
Hide behind taskbar (Pop
under techniques) Source: Minerva

EvasiveTechniques
CoinMiners continue to evolve by implementing evasion tricks
Miners studied implement only some of the evasion tricks
Most techniques used are Packers, Injection andAnti-Monitoring
Packer Fake App Anti-monitoring Anti-av Anti-sandbox Replace wallet Anti-dbg Anti-forensic Fileless Injection
Waterminer X X
Evrial X X
UIWIX X X X X X
XIAOBA X X X X X
GhostMiner X X X
Adylkuzz X

Detect theThreat
Monitoring high CPU activity
Miner killer
https://github.com/MinervaLabsResearch/BlogPosts/blob/ma
ster/MinerKiller/MinerKiller.ps1
Detect withYara Rules
https://github.com/advanced-threat-
research/IOCs/blob/master/MoneroMiner.yar
Monitoring traffic
Cryptocurrency Transaction
Mining traffic
Used CoinblockerList for websites
https://github.com/ZeroDot1/CoinBlockerLists

Detect theThreat | CoinblockerList

Detect theThreat

What to expect in the future?
Crypto Miner is a growing threat and could dominate theThreat
Landscape.
Other targets (SmartTV, IOT, ConnectedCar…?)
BankingTrojans targeting Cryptocurrencies (Dridex,Trickbot…)
MajorityAttack with Botnet Miners (Verge, BTCGold…)
Attack on internal Blockchain implementation (Sybil Attack)

Raise of Botnet Miner
Exploitation of weak ADB port (ADBMiner)
Open Port 5555
Source: Shodan

Majority Attack
Influence Blockchain integrity by forging block
Botnet that get control over 51% of the network
Generating block faster than the rest of the network
Creating its own block
Previous attack (Verge Coin, BTC Gold)
Honest Miner 49% Malicious Miner 51%
Block n Block n+1 Block n+2
Block n+3 Block n+4
Block n+3 Block n+4 Block n+5
Abandonned Blocks
Malicious Blocks

Quick Recap
Review of the CryptoMinerThreat Landscape
Review of the Malware EvasionTechniques
Look into the CryptoMiners Competition
Offered defensive tactics
Exploring future trends

Thank you!
Omri SEGEV MOYAL
Co-Founder &VP Research
@GeloSnake
MINERVA Labs
Thomas ROCCIA
Security Researcher,AdvancedThreat Research
@fr0gger_
Q/A

CoinMiners are Evasive - BsidesTLV

Recommended

Recommended

More Related Content

What's hot

What's hot (20)

Similar to CoinMiners are Evasive - BsidesTLV

Similar to CoinMiners are Evasive - BsidesTLV (20)

Recently uploaded

Recently uploaded (20)

CoinMiners are Evasive - BsidesTLV

Editor's Notes