Guardicore - Illegal Mining, the Cyber Version

Illegal Mining, the Cyber Version

Illegal mining is a serious problem in the real world. Lately, it has also become popular with cyber attackers who mine digital currency through untargeted attacks. Untargeted attacks are a common problem, not as attention grabbing as APTs, but still responsible for a large percentage of attacks. In this post, using Guardicore’s Data Center Security Suite, we’ll take a look at yet another type of untargeted attack, as we first reported with Alex. Our attacker “galaden666” is a Ukrainian gamer who makes money by mining a new digital currency called Litecoins (a variant of Bitcoins) on compromised servers, stealing their CPU cycles.

The Risk from Unauthorized Cryptocurrency Mining

New units of cryptocurrencies are created by “mining,” a computationally intensive task that requires a lot of processing power.
A conservative estimate for a botnet of 2000 hosts using only mid-range server CPUs would yield roughly 60 Litecoins a month, the equivalent of $200. Considering that the average monthly salary in Ukraine stands at roughly $190, this is a pretty nice bonus for our attacker, especially when the cost of the computation is borne by the victims.

Our attacker “galaden666” targets his victims by brute-forcing his way into the Remote Desktop services of Windows servers. Brute-forcing is usually the first stage of the attack (the target list can also be supplied by a third party selling lists of servers and passwords on the black market), while infection is done at later stages. In this case we will focus on the infection stage.

Tracking the attacker over RDP

Attack Highlights

The first thing the attacker does is check that the “compromised” server has enough resources to contribute to his mining efforts and that no one else is logged in. Anyone logged in might notice the configuration changes and the performance impact of the attack.

The attacker proceeds to drop a series of tools, some copied over MSTSC and some via HTTP downloads. Using Guardicore’s support for RDP connections, we can easily see the rest of the files the attacker holds on his PC, regardless of what he downloaded.

Summary of attacker’s file activity

A close look at the downloaded files reveals a startup script for the Litecoin miner executable, standard tools (wget, RAR) and a script to ensure the miner is run upon startup.

Startup script providing us with attacker’s email

Tracking our attacker

Attacker’s “final” toolkit

Thanks to our attacker’s poor OPSEC, we could backtrace his steps to www.ex.ua, a Ukrainian file sharing website, where we tracked down the specific user (www.ex.ua/user/nefra). Further mistakes on his end led to the disclosure of multiple versions of his files, some password protected and others clear to any viewer. These files include a partial list of his infected machines, which primarily belong to Ukrainian servers and home machines, along with a list of possible future IP ranges to scan both in Europe and the United States.

Observing the different directories of files, we can see that the attacker is slowly perfecting his techniques and evolving his tools over a period of a few months. Some of the changes are trivial; others indicate growing sophistication and a change in objectives:

  • Switching the miner application, allowing for better use of CPU power.
  • Changing the miner executable name to svchost, masking it during a cursory sweep over running processes.
  • Moving to VBS as a scripting language, allowing more complex tasks.
  • Repurposing existing applications to allow concurrent remote-desktop sessions to servers, thus avoiding inconveniencing the sysadmin administering the endpoint.
  • Adopting the use of commonly available malware such as “Schwarze Sonne RAT”.

Folder list of our attacker’s evolving toolkit
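The svchost renaming trick above only defeats a glance at process names. As an added hunting check (not Guardicore’s code; the process snapshot, paths and parent names are constructed for illustration), this flags any svchost.exe whose image path, parent process or CPU usage does not match how Windows actually runs svchost:

```python
"""Hunting check over a constructed process snapshot: a miner renamed to
svchost.exe survives a name-only glance but not a path/parent/CPU check."""
from dataclasses import dataclass


@dataclass
class Proc:
    pid: int
    name: str
    path: str
    parent_name: str
    cpu_percent: float


# Constructed snapshot; paths and parents are illustrative, not from the incident.
SNAPSHOT = [
    Proc(800, "svchost.exe", "C:\\Windows\\System32\\svchost.exe", "services.exe", 0.4),
    Proc(912, "svchost.exe", "C:\\Windows\\SysWOW64\\svchost.exe", "services.exe", 0.1),
    Proc(4120, "svchost.exe", "C:\\Users\\Public\\Downloads\\svchost.exe", "cmd.exe", 97.5),
    Proc(5004, "notepad.exe", "C:\\Windows\\System32\\notepad.exe", "explorer.exe", 0.0),
]
# Genuine svchost.exe only lives in these two directories and is started by services.exe.
LEGIT_SVCHOST_DIRS = ("c:\\windows\\system32\\", "c:\\windows\\syswow64\\")


def svchost_findings(procs, cpu_threshold=80.0):
    """Return (pid, reasons) for every svchost.exe that looks masqueraded."""
    findings = []
    for p in procs:
        if p.name.lower() != "svchost.exe":
            continue
        reasons = []
        if not p.path.lower().startswith(LEGIT_SVCHOST_DIRS):
            reasons.append("image outside System32/SysWOW64")
        if p.parent_name.lower() != "services.exe":
            reasons.append("parent is not services.exe")
        if p.cpu_percent >= cpu_threshold:  # miners pin the CPU; real svchost rarely does
            reasons.append("sustained high CPU")
        if reasons:
            findings.append((p.pid, reasons))
    return findings


if __name__ == "__main__":
    for pid, reasons in svchost_findings(SNAPSHOT):
        print(pid, ", ".join(reasons))
```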

The most worrying change is a shift to using tools to find and exploit common SoHo routers. Running this tool with the bandwidth available to a modern data center machine would enable our attacker to quickly build up a substantial computation botnet and a DDoS machine he can later sell.

Mining for Profit

Guardicore’s Incident Response summary

Analysing this attack, we could clearly see that signature-based detection is not enough to protect network hosts. Our attacker achieved the initial compromise using commercial tools, without needing any malware. There are additional solutions on the market to detect these types of attacks, such as monitoring for CPU spikes or one-off RDP logins to servers from unknown IPs, but the alerts generated by these tools often go unnoticed or untreated, given the multitude of more pressing events in contemporary data centers.
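The RDP brute-force entry described earlier and the “one-off RDP login from an unknown IP” signal mentioned here can be caught from the Windows Security log alone. As an added example (not Guardicore’s code; the event records, the allow-list of admin IPs and the thresholds are constructed assumptions), this runs that detection over a handful of sample 4625/4624 events:

```python
"""Detection logic over constructed Windows Security events: flags RDP
brute-force bursts and RDP logins from IPs outside a known-admin list."""
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample records: (timestamp, event id, logon type, user, source IP).
# Event 4625 = failed logon, 4624 = successful logon; logon type 10 = RDP.
SAMPLE_EVENTS = [
    ("2015-03-02 01:00:%02d" % s, 4625, 10, "administrator", "198.51.100.7")
    for s in range(1, 7)
] + [
    ("2015-03-02 01:00:30", 4624, 10, "administrator", "198.51.100.7"),  # success after burst
    ("2015-03-02 09:12:00", 4624, 10, "ops", "10.0.0.5"),                # routine admin login
    ("2015-03-02 09:15:00", 4624, 3, "svc", "203.0.113.9"),              # network logon, ignored
]
KNOWN_ADMIN_IPS = {"10.0.0.5"}  # assumed allow-list of admin jump hosts


def detect_rdp_anomalies(events, known_ips, fail_threshold=5, window=timedelta(minutes=5)):
    """Return (alert type, source IP, user) tuples; one brute-force alert per burst."""
    alerts = []
    failures = defaultdict(list)  # source IP -> timestamps of recent failed RDP logons
    for ts_str, event_id, logon_type, user, ip in sorted(events):
        if logon_type != 10:  # only RemoteInteractive (RDP) logons matter here
            continue
        ts = datetime.strptime(ts_str, "%Y-%m-%d %H:%M:%S")
        recent = [t for t in failures[ip] if ts - t <= window]  # slide the window
        if event_id == 4625:
            recent.append(ts)
            if len(recent) == fail_threshold:  # fire once when the threshold is crossed
                alerts.append(("rdp_brute_force", ip, user))
        elif event_id == 4624:
            if ip not in known_ips:
                alerts.append(("rdp_login_unknown_ip", ip, user))
            if recent:  # success right after a failure burst is the classic tell
                alerts.append(("rdp_login_after_failures", ip, user))
        failures[ip] = recent
    return alerts


if __name__ == "__main__":
    for alert in detect_rdp_anomalies(SAMPLE_EVENTS, KNOWN_ADMIN_IPS):
        print(alert)
```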

In this case, Guardicore’s Deception and Semantic Analysis technologies allowed us to detect the attack, analyse it and devise an appropriate response to mitigate it.

Appendix: List of related IOCs
