Illegal mining is a serious problem in the real world. Lately, it has also become popular with cyber attackers who manage to mine digital currency through untargeted attacks. Untargeted attacks are a common problem, not as attention grabbing as APTs, but still responsible for a large percentage of attacks. In this post, using Guardicore’s Data Center Security Suite, we’ll take a look at yet another type of untargeted attacks, as we first reported with Alex. Our attacker “galaden666” is a Ukrainian gamer who makes money by mining a new digital currency called Litecoins (a variant of Bitcoins) on compromised servers by stealing their CPU cycles.
The Risk from Unauthorized Cryptocurrency Mining
New units of Cryptocurrencies are created and generated by “mining.” This is a computationally intensive task which requires a lot of processing power.
A cautionary estimate of a bot comprised of 2000 hosts using only middle range server CPU hardware would result in roughly 60 Litecoins a month, the equivalent of $200. Considering that the average monthly salary in Ukraine stands at roughly $190, this is a pretty nice bonus for our attacker especially when the costs of the computations are borne by the victims.
Our attacker “galaden666” targets his victims by brute-forcing his way into Remote Desktop services of Windows Servers. Brute-forcing is usually the first stage of the attack (the target list can be supplied by a third party, selling a list of servers and passwords on the black market) while infection is done at later stages. In this case we will focus on the infection stage.
The first thing the attacker does is check that the “compromised” server has enough resources to contribute to his mining efforts and that no one else is logged. Anyone logged in might notice the configuration changes and the performance impact of the attack.
The attacker proceeds to drop a series of tools, some using MSTSC and some over HTTP downloads. Using Guardicore’s support for RDP connections, we can easily see the rest of the files the attacker holds in his PC, regardless of what he downloaded.
A close look at the downloaded files reveals a startup script for the Litecoin miner executable, standard tools (wget, RAR) and a script to ensure the miner is run upon startup.
Tracking our attacker
Observing the different directories of files, we can see that the attacker is slowly perfecting his techniques and evolving his tools over a period of a few months. Some of the changes are trivial, others indicate a growing sophistication and change in objectives:
- Switching the miner application, allowing for better use of CPU power.
- Changing the miner executable name to svchost, masking it during a cursory sweep over running processes
- Moving to VBS as a scripting language and allowing more complex tasks.
- Repurposing existing applications to allow concurrent remote-desktop to servers, thus avoiding inconveniencing the sysadmin administrating the end point.
- Adopting the use of commonly available malware such as “Schwarze Sonne RAT”.
Thanks to our attacker’s poor OPSEC, we could backtrace his steps to www.ex.ua, a Ukrainian file sharing website, where we tracked down the specific user (www.ex.ua/user/nefra). Further mistakes on his end led to the disclosure of multiple versions of his files, some password protected and others clear to any viewer. These files include a partial list of his infected machines which primarily belong to Ukrainian servers and home machines, along with a list of
The most worrying change is a shift to using tools to find and exploit common SoHo routers. Running this tool with the bandwidth available to a modern data center machine would enable our attacker to quickly build up a substantial computation botnet and a DDoS machine he can later sell.
Mining for Profit
Analysing this attack we could clearly see that signature based detection is not enough to protect network hosts. Our attacker was able to make initial compromise by using commercial tools without requiring the use of malware. There are additional solutions on the market to detect these types of attacks, such as monitoring for CPU spikes or one-off RDP logins to servers from unknown IPs, but the alerts generated by these tools often go unnoticed or untreated, given the multitude of more pressing events in contemporary data centers.
In this case, GuardiCore’s Deception and Semantic Analysis technologies allowed us to detect the attack, analyse it and devise an appropriate response to mitigate it.
Appendix: List of related IOCs
|Filename||Size (in bytes)||Hash (MD5)|