CoinMiners are on the rise, trending so high that in the last couple of months they have almost completely replaced ransomware in both the media and the research community. Unlike ransomware, which profits from rapidly encrypting the user's data and holding it hostage, CoinMiners profit by hijacking computer resources. The longer a CoinMiner stays undetected and stealthy, the more its author profits.
In this talk we will focus on the unexplored territory of CoinMiner evasive maneuvers and the functionality they use to avoid being found by their victims, and we will provide tactics and tools to combat them.
CoinMiners are Evasive - BsidesTLV
1. CoinMiners are Evasive
A deep dive into the uncharted territory of CoinMiners stealth tactics
Omri SEGEV MOYAL
Co-Founder & VP Research
@GeloSnake
MINERVA Labs
Thomas ROCCIA
Security Researcher, Advanced Threat Research
@fr0gger_
2. Introduction
What will be discussed in the talk:
The rise of CoinMiners
CoinMiners Evasion Tactics
CoinMiners Turf Wars
Defensive Tactics
Predictions
BsidesTLV – 2018 - @GeloSnake - @fr0gger_
CryptoCurrency Interest
Source: Google Trends
3. The Rise of CoinMiners
Source: Google News
4. The Rise of CoinMiners
Source: Google News
5. Business Model
Mining relies on GPU, CPU, ASICs...
Solo mining is no longer profitable.
Both malicious and legitimate miners turn to public pools.
Cybercriminals hijack victim machines to create large mining botnets.
6. Most Mined Currency
Monero - the currency most mined by cybercriminals
Relatively high mining profit returns
Strong anonymity features
Number one currency for web-based mining
Many open source, easy to use tools
7. Infection Vectors
Traditional malware
Adding mining functionality
Malicious documents and spam
Trojanized software and plugins
Worms
Exploiting web and local vulnerabilities
Using brute force
Web mining
Hijacking legitimate websites
Iframes and redirects via advertisements
Source: McAfee
8. What’s the big deal?
Source: Comino.com
9. Evasion techniques can be defined as follows:
(1) All the digital techniques used by a (mal||soft)ware to avoid static, dynamic, automatic and human analysis aimed at understanding its behavior.
(2) All the digital techniques used by a malware to avoid (1) and to evade security solutions and security configurations, as well as human detection, so as to perform malicious actions for as long as possible on the infected machines.
(3) Evasion techniques are classified as follows: Anti-Sandboxing, Antivirus Evasion, Anti-Debugging, Anti-Monitoring, Packers, Anti-Disassembly, Process Injection, Network Evasion, Obfuscation (encoding, encryption…), Morphism, Anti-Forensic, Anti-Machine Learning.
10. WaterMiner | Modified video games on a Russian forum tainted with CoinMiner
Comes in trojanized online game mods
Uses Google Drive to host the malicious components
Source code found on Pastebin
Source: Minerva
11. WaterMiner | Hiding in plain sight
Impersonates Intel or Oracle software
XMRig commands are embedded in the payload
Stops mining when a monitoring program executes
12. Evrial | Watch over what you type
Sold on the black market
Packed samples
Watches the clipboard to replace wallet addresses (LTC, BTC, XMR…)
Source: McAfee
13. Evrial | Watch over what you type
Bitcoin Stealer
Cookie Stealer
Source: McAfee
14. UIWIX | Evasive Miner Exploiting ETERNALBLUE
Spreads via the EternalBlue SMB exploit
Ran in parallel to WannaCry
Managed to stay under the radar
15. UIWIX | For i in EvasionTactics: copy/paste i
Avoids running in virtual machines
Looks for debuggers and forensics tools
Avoids running in Eastern European countries
Looks for the Cuckoo sandbox
16. XIAOBA | Redirecting security websites
XIAOBA ransomware, which previously encrypted data, now deploys a CoinMiner
Uses a fake icon
Infects HTML files with a Coinhive link to mine
Redirects AV websites to localhost
Disables safe mode via the registry
Deletes .ISO and .GHO files
Infects other PEs on the system to run the miner
<fail>Crashes the system by infecting every exe</fail>
Diagram labels: Inject Coinhive script; Redirect AV websites; Remove backup files; Inject into EXE
18. Killing Competition
Mining requires resources
Some malware removes other threats
Some others patch the system
20. GhostMiner | Fileless killer
Improved evasion over time
Switched to PowerShell
Payload improved to run only in memory
Figure: Gen.1 vs Gen.2
21. GhostMiner | Anti-competition features
Eliminates competitors
Kills running miner processes
Stops and deletes miner services
Deletes miner scheduled tasks
24. Adylkuzz | Patching away competition
Adylkuzz used EternalBlue to spread, but the exploit was not directly embedded
Patched the vulnerability after infection
An old variant spread differently
Figure: April 2017 variant vs June 2017 variant
Source: McAfee
25. Evasive Techniques
CoinMiners also use the following techniques:
Limit CPU utilization
Enable mining only at specific hours
Enable the mining process when the user is inactive
Hide behind the taskbar (pop-under techniques)
Source: Minerva
26. Evasive Techniques
CoinMiners continue to evolve by implementing evasion tricks
The miners studied implement only some of the evasion tricks
The most used techniques are Packers, Injection and Anti-Monitoring
Packer Fake App Anti-monitoring Anti-av Anti-sandbox Replace wallet Anti-dbg Anti-forensic Fileless Injection
Waterminer X X
Evrial X X
UIWIX X X X X X
XIAOBA X X X X X
GhostMiner X X X
Adylkuzz X
27. Detect the Threat
Monitor high CPU activity
Miner killer: https://github.com/MinervaLabsResearch/BlogPosts/blob/master/MinerKiller/MinerKiller.ps1
Detect with YARA rules: https://github.com/advanced-threat-research/IOCs/blob/master/MoneroMiner.yar
Monitor traffic
Cryptocurrency transactions
Mining traffic
Use CoinBlockerLists for websites: https://github.com/ZeroDot1/CoinBlockerLists
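As an added example (not from the slides and not from either speaker's tooling), the Python below scores constructed process telemetry with the detection ideas from this slide (sustained CPU, pool traffic, CoinBlockerLists-style host blocking) while accounting for the evasion tricks from the Evasive Techniques slide (capped CPU, mining only at specific hours or when the user is idle). The command-line tokens, pool ports, blocklist hosts and telemetry records are assumptions constructed for the example.

```python
from collections import defaultdict, namedtuple

# Indicators modelled on XMRig-style command lines and pool traffic (assumptions, not from the slides)
MINER_TOKENS = ("stratum+tcp://", "stratum+ssl://", "--donate-level", "--max-cpu-usage", "--cpu-priority")
POOL_PORTS = {3333, 4444, 5555, 7777, 14444}
# Constructed hosts in CoinBlockerLists style; real entries come from the ZeroDot1 repository
BLOCKLIST = {"pool.example-xmr.test", "mine.example-pool.test"}
# One telemetry sample: image name, command line, CPU %, user-idle flag, local hour, "host:port" or ""
Sample = namedtuple("Sample", "proc cmdline cpu user_idle hour remote")

def cmdline_hits(cmdline):
    return [tok for tok in MINER_TOKENS if tok in cmdline]

def traffic_hits(remote):
    host, _, port = remote.rpartition(":")  # an empty remote yields no hits
    hits = ["blocklisted host"] if host in BLOCKLIST else []
    if port.isdigit() and int(port) in POOL_PORTS:
        hits.append("pool port")
    return hits

def score_process(samples, cpu_floor=25.0):
    # Collect indicators across every sample of one process and return them sorted
    reasons = set()
    for s in samples:
        reasons.update(cmdline_hits(s.cmdline) + traffic_hits(s.remote))
    busy = [s for s in samples if s.cpu >= cpu_floor]
    if busy and len(busy) >= 0.8 * len(samples):
        reasons.add("sustained CPU")
    # Evasion-aware: a capped miner working only while the user is idle or at night never trips a plain CPU alarm
    if busy and all(s.user_idle for s in busy):
        reasons.add("CPU only when user idle")
    if busy and all(s.hour < 6 or s.hour >= 22 for s in busy):
        reasons.add("CPU only off-hours")
    return sorted(reasons)

def detect(samples, min_reasons=2):
    by_proc = defaultdict(list)  # group telemetry per process, then keep those with enough indicators
    for s in samples:
        by_proc[s.proc].append(s)
    scored = {proc: score_process(ss) for proc, ss in by_proc.items()}
    return {proc: why for proc, why in scored.items() if len(why) >= min_reasons}

# Constructed telemetry: a miner posing as Intel software (as WaterMiner did) next to a busy browser
MINER_CMD = "IntelAudio.exe -o stratum+tcp://pool.example-xmr.test:3333 --max-cpu-usage 35"
SAMPLES = [
    Sample("IntelAudio.exe", MINER_CMD, 33.0, True, 23, "pool.example-xmr.test:3333"),
    Sample("IntelAudio.exe", MINER_CMD, 34.0, True, 2, "pool.example-xmr.test:3333"),
    Sample("IntelAudio.exe", MINER_CMD, 0.4, False, 10, ""),  # pauses once the user is back
    Sample("chrome.exe", "chrome.exe --type=renderer", 60.0, False, 10, "203.0.113.10:443"),
]
```

detect(SAMPLES) flags IntelAudio.exe on six indicators and leaves chrome.exe alone, because sustained CPU on its own is not enough to cross the threshold.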
30. What to expect in the future?
Crypto mining is a growing threat and could dominate the threat landscape.
Other targets (Smart TV, IoT, connected car…?)
Banking Trojans targeting cryptocurrencies (Dridex, Trickbot…)
Majority attack with botnet miners (Verge, BTC Gold…)
Attacks on internal blockchain implementations (Sybil attack)
31. Rise of Botnet Miners
Exploitation of weak ADB port (ADBMiner)
Open port 5555
Source: Shodan
32. Majority Attack
Influence blockchain integrity by forging blocks
A botnet that gets control over 51% of the network
Generates blocks faster than the rest of the network
Creates its own blocks
Previous attacks (Verge Coin, BTC Gold)
Diagram: after blocks n, n+1 and n+2, the honest miners (49%) produce blocks n+3 and n+4 (abandoned blocks), while the malicious miners (51%) produce blocks n+3, n+4 and n+5 (malicious blocks)
33. Quick Recap
Review of the CryptoMiner threat landscape
Review of malware evasion techniques
Look into the CryptoMiners' competition
Offered defensive tactics
Exploring future trends
34. Thank you!
Omri SEGEV MOYAL
Co-Founder & VP Research
@GeloSnake
MINERVA Labs
Thomas ROCCIA
Security Researcher, Advanced Threat Research
@fr0gger_
Q/A
Editor's Notes
Coin miner botnets are a growing threat; here is an example.