CryptoJacking — Journey of How Cryptomining Turned Evil?

Rakesh Krishnan
Coinmonks
May 31, 2021


This article discusses the dark shades of cryptomining, which have been on the rise since the inception of Monero (XMR). Here is the index of the contents:-

  1. Intro Crypto mining & Cryptojacking
  2. The curious case of Coinhive
  3. Mining scripts in action
  4. Popular miners — a quick glance
  5. Case study: Chminer — 3 in 1 miner setup
  6. Incorporation of miners into silent rats
  7. Infamous cryptomining campaigns
  8. Some shady facts from underground
  9. Scam assessment

This article tracks how a revolutionary, permissible service shifted over time into the dishonorable act commonly termed CryptoJacking.

Intro Crypto mining & Cryptojacking

Cryptomining is growing at an astronomical pace as cryptocurrencies turn bullish (probably after Tweets). Many State-Sponsored APT Threat Actors have begun to drive crypto campaigns in order to reap profit silently. This includes infamous Cryptomining Campaigns such as Victory Gate, Lemon Duck and the list goes on…

However, there is a slight difference between Cryptomining and Cryptojacking.

CRYPTOMINING: The practice of mining on a user’s computer with their permission. This includes scenarios such as Browser Mining, owning a dedicated Crypto Farm, etc.

CRYPTOJACKING: Unauthorized mining on a user’s/visitor’s computer, channeling their computational power for the actor’s profit. This includes Cryptomining Campaigns where miners are stealthily bundled with other malicious programs such as a RAT or other malware and triggered once executed on the victim’s PC; Spear Phishing Emails (Drive-by Mining) which redirect victims to Mining Hubs that auto-execute malicious JavaScript in the user’s browser; BTC Clipper Programs which substitute the victim’s BTC Address with the attacker’s; weaponized hacked sites used to drive the operation; injected Parked Domains; etc.

NOTE: There are countless Cryptominer projects on code-sharing sites like GitHub which are being weaponized in various Hacking Campaigns.

Let’s go back to the early days of Crypto Mining, before malicious intentions took root, which can be traced back to early 2017 when CoinHive was born.

The curious case of Coinhive

CoinHive was a Browser-based miner which first introduced Mining Scripts, offered as an alternative to placing ads on the administrator’s site. It leverages the visitor’s CPU processing power to mine Monero (XMR), which is feasible because of Monero’s simple mining algorithm at the time, CryptoNight, which is efficient on CPU/GPU architecture.

1. CoinHive stormed the internet by the fall of 2017 and most sites started to incorporate it, as it is more adaptable than subscribing to an Ad package which frustrates users upon landing on the targeted page.

2. It is reported that about 30K sites were running CoinHive scripts back in 2017 (as per PublicWWW).

3. When CoinHive began to appear on every site and to exploit the user’s CPU power, its legality was questioned, which resulted in a new script titled “AuthedMine” which asks the user’s permission before Cryptomining is initiated. But this was less popular, as netizens were more concentrated on CoinHive for greedy mining, which turned it into Cryptojacking.

4. CoinHive mined Monero (XMR) by default, which used the CryptoNight Cryptomining Algorithm at that time. XMR dropped support for CryptoNight and adopted the RandomX Algorithm in 2019, which eventually ended the CoinHive program. This switching is generally called Forking.

5. The reason behind RandomX adoption: it is resistant to ASIC Mining (whereas ASIC Miners had started to adopt CryptoNight) and favors CPU/GPU mining with larger mining profits.

6. NOTE:- ASIC Resistant Algorithms play a critical role in the Mining Scenario, preventing Mining Centralization, as any Group/Company could otherwise purchase a large number of ASIC Miners and own the hashing power (which is used to mine Cryptocoins).

7. As a result, there has been a steady decline in CoinHive usage. As per statistics, only 7K sites were running CoinHive in November 2019, which dropped again to <2K sites as of 2021.

CoinHive Presence: PublicWWW

On further analysis, it is found that Mikrotik HttpProxy accounts for the largest number of Coinhive scripts, totaling 12K websites as per BE.

14K Websites still run CoinHive without knowing the project has been shelved

Mining Script in Action

1. As the CoinHive Script was easy for anyone to trace via Code Inspection or External Code Search, it became a roadblock for malicious users wanting to infect users without their knowledge.

2. Scripts that support mining have common terms in their code such as “throttle”, “start miner”, “var miner” which are easily discoverable.

3. Threat Actors began to switch to Mining Scripts which offer Code Obfuscation support to conceal the mining activity.

4. Attackers also make use of the “throttle” setting to limit CPU utilization on the victim’s machine and go undetected (as 100% CPU usage would alert the user after freezes).

Here are a few Mining Scripts which were popular:-

These also encompass several JS Miners (Websites) such as WebDollar, CoinIMP, CryptoLoot, JSECoin, etc. As time passed, Mining Scripts lost their charm (except a few) and became easily detected by various Cryptojacking Detection Models with deep inspection.
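
As an added defender-side illustration (my example, not code from the article or from CoinHive), the scanner below looks for the keyword indicators listed above and first undoes a few cheap obfuscation tricks of the kind point 3 hints at: hex escapes, split string literals and line breaks. The sample scripts, the miner.start() pattern and the two-indicator threshold are my assumptions.

```python
import re

# Keyword indicators the article lists for browser mining scripts, as
# regexes over a normalized (lower-cased) source. The miner.start() and
# miner["start"]() forms are an assumption added here, not from the article.
INDICATORS = {
    "throttle": r"\bthrottle\b",
    "var miner": r"\bvar\s+miner\b",
    "start miner": r"""\bstart\s*miner\b|\bminer\s*(?:\.\s*start|\[\s*['"]start['"]\s*\])\s*\(""",
}

# Constructed samples: a plain miner tag, the same miner with cheap
# obfuscation, and a benign script that merely defines a throttle helper.
PLAIN_MINER = """<script src="https://example.invalid/lib/miner.min.js"></script>
<script>
  var miner = new CoinHive.Anonymous('SITE_KEY_PLACEHOLDER', { throttle: 0.3 });
  miner.start();
</script>"""

OBFUSCATED_MINER = """<script>
var m = window["\\x43\\x6f\\x69\\x6e\\x48\\x69\\x76\\x65"];  // "CoinHive" as hex escapes
var o = {}; o["thro" + "ttle"] = 0.2;
var
miner = new m["Anonymous"]('SITE_KEY_PLACEHOLDER', o);
miner["st" + "art"]();
</script>"""

BENIGN = """<script>
  function throttle(fn, ms) { var last = 0; return function () {
    var now = Date.now(); if (now - last > ms) { last = now; fn(); } }; }
</script>"""

def normalize_js(src: str) -> str:
    """Undo cheap obfuscation before keyword matching."""
    # decode \xNN and \uNNNN escapes back to characters
    src = re.sub(r"\\x([0-9a-fA-F]{2})", lambda m: chr(int(m.group(1), 16)), src)
    src = re.sub(r"\\u([0-9a-fA-F]{4})", lambda m: chr(int(m.group(1), 16)), src)
    # join split string literals: "thro" + "ttle" -> "throttle"
    src = re.sub(r"""(["'])\s*\+\s*\1""", "", src)
    # collapse whitespace and case so a line break cannot split "var miner"
    return re.sub(r"\s+", " ", src).lower()

def scan_script(src: str) -> list:
    """Return the names of the indicators present in the script, sorted."""
    text = normalize_js(src)
    return sorted(name for name, pat in INDICATORS.items() if re.search(pat, text))

def is_probable_miner(src: str) -> bool:
    """A lone keyword (e.g. a throttle helper) is common in benign code,
    so require at least two independent indicators before flagging."""
    return len(scan_script(src)) >= 2
```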

Now, let’s focus on a few infamous Miners which are active in Working Environments.

Popular Miners — A Quick Glance

XMRIG: The Open Source Miner targeting Monero, released back in May 2017. This is the most stable option for XMR Mining as it also supports the latest Cryptomining Algorithm, RandomX. This is why most of today’s Malware Miners pack XMRig in their module: it supports CPU/GPU Mining (unlike CoinHive).

CCMiner: An Open Source Project targeting CUDA-compatible NVIDIA GPUs, which came out in 2015. It is cross-compatible with both Windows & Linux. As it is a multi-coin miner which supports both ASIC and CPU, it is up to the user to choose what to mine on a targeted machine.

CGMiner: An FPGA and ASIC Miner for Bitcoin, written in C. It is one of the oldest tools (2011) still in use in the Mining Industry. CGMiner is cross-compatible with Windows, Linux, and OS X. It is also maliciously used by threat actors to deliver Keylogger programs to victims; the same was used in the HawkEye Keylogger Program.

CNRig: A high-performance CryptoNight CPU miner aimed squarely at Linux, rolled out in 2018. What makes CNRig stand out from other Miners is Automatic Update and Backward Compatibility. In 2018, MalwareBytes found it being served, for an Obfuscated CoinHive Shortlink targeting client browsers, from the address 5.45.79.15/monero/cnrig hosted in the Netherlands.

There are various Miners such as Miner-C, XMR_Stak, BTT Miner which are used for both Legal/Illegal purposes. Some get retired early while others are long-standing, changing Mining Algorithms to maintain supremacy in the Mining Ecosystem.

Case Study: Chminer — 3 in 1 Miner Setup

While surfing the Deep Web, I happened to see a Miner named CHMiner which is relatively new in the market, as there are no active hashes recorded in VT or other sandbox environments (ATTOW).

CHMiner Advertised on a Russian Forum

From the post, it is evident that the actor (using the handle “supoziss”, which is omnipresent on Russian networks) started advertising the tool on 6th May (2021). Following the trail, the same post can be found on various Russian Forums with the same timestamp.

As all the contents are in Russian, it is strange to see an Esperanto word as his/her handle, which means “Supposition”. A quick search resolved the uncertainty.

Esperanto is an Artificial Auxiliary Language that originated in Russia

Following the link leads to a Russian Hosting Provider where CHMiner was hosted:-

ispcloud.online/chminer/

Apart from the above location, the same is circulated on various File Hosting Services such as Mega, GoFile, etc. It is also found that the actor maintains a YouTube Channel (joined on April 6) and a Telegram Channel where the tool is directly shared (created on April 20), both predating the official announcement on forums.

Let’s delve into the file contents:-

File List

It consists of 3 Folders with 2 Executables, which are Builder (for a new Bot) and Panel (to check Mining Activity remotely). We will shift our focus to the folder named “Clean Miners — FREE!”

File List 2

Upon opening the INFO Text file, it is found that the 3 listed Archive Files are Miners for 3 different Cryptocurrencies, namely Monero (XMR), Ether (ETH), and Raven Coin (RVN), which are password-protected executables.

NOTE: You can see the timestamp of File Compilation, which can be traced back to March 2021, when the initial packaging was done.

It is a surprising fact that the tool also supports Raven Coin (there are Raven Miners, but they are not predominant).

Let’s check out few facts about RAVEN COIN:-

RAVEN | Credits: Ana Rabana (ArtStation)

Raven Coin also supports CPU/GPU Mining and is strictly against ASIC/FPGA, hence it is ASIC Resistant.

It uses the KawPoW Cryptomining Algorithm, a Proof of Work which favors CPU Mining.

Upon inspecting the Miner Files, it is found that the listed Miners are popular ones, using specific Mining Pools such as:-

XMRig: Monero (pool.hashvault.pro)
Phoenix Miner: Ether (eth-eu2.nanopool.org:9999)
NBMiner: Raven (rvn-eu1.nanopool.org)

NOTE: The miners listed are legal and have official support, and their use for malicious purposes is not to be tied to their creators. Here, the actor has re-branded the same packaging along with a Panel and Configuration that can be used by attackers for Hidden Mining on a Victim’s PC. Moreover, the filenames used by the actor look like legitimate processes, which can lure victims into running the executables without knowing the consequences.

The XMRig Miner is disguised as “RtkSmbus”, which is an Intel Chipset Graphic Driver Software. The Raven Miner is shown as “nbdrivesllapi”, whereas the official name is NB Miner; adding a “drive” keyword may add a trust factor to fresh eyes. Similarly, the Ether Miner Phoenix is shown as “NVSoundsAPI”, where it can be assumed that the actor signaled NV for NVidia as a disguise for the public.

After unraring the files, I checked them within a Sandbox Environment and found the following results:-

1. All 3 files were 700MB+ in size, compressed to 5MB Archive Files (the Actor used good Compression Programs like WinRAR)
2. XMRig was rated as 7/10 potentially Malicious
3. NBMiner was clocked at 8/10
4. Phoenix Miner was rated at 1/10

NOTE: You can view the Triage Reports of the files on the hyperlinks listed above, for better understanding.

Now, in order to trace the actor, we are left with a few vectors such as Website Whois, which can be obtained as:-

WHOIS Record

From the record, it is evident that the (suspected) actor purchased the domain very recently (the file packing was done in March 2021, so the timelines are getting attributed).

The state is Sakhalin Oblast instead of “Sakhalinskaya”, where “skaya” is used as a suffix for main places in Russia. One more factor attributes to the same state, i.e. the Phone Number.

TrueCaller Search

The name can be translated to “Pasha”, which means “Small” and is a common name in Russia.

Another notable piece of evidence for tracing the actor is the “INFO” text file found among the Miners. If you recall, I mentioned earlier that the Miners are password protected.

Generally, there is a practice of using Online Pseudonyms as Passwords for Offensive Files shared over Dark Web Forums. Here, the actor used “password666” as the password for NBMiner. When we map the same, various profiles pop up such as Cracked Forum, Reddit, etc. Not linking them here, as the confidence in attributing the actor is low.

Let’s wrap up the tailing here for the moment, as the article would deviate away from the central point.

Incorporation of Miners into Silent Rats

As Cryptominers became popular with ASIC Resistant Algorithms, they grabbed much attention from the public, including Threat Actors ranging from APT Threat Groups to Dark Web Scammers. Moreover, the positive vibe created by Crypto Celebrities like Elon Musk is an add-on for the Mining Industry.

As a result, many offensive tool developers started to incorporate Cryptomining as a default module in their Crimeware Kit.

Some of the prevalent products on the Underground Marketplaces are:-

ACE RAT

Site Offering

This RAT supports numerous functionalities such as Keylogging, USB Spread, Screen Capture, and Mining of Bitcoin, Doge, and Litecoin (BTC, DOGE, LTC). The developer also announced upcoming support for XMR in the tool.

MURA1N RAT

Site Offering

This RAT started to appear in Russian Cyber Forums in April 2021. It encompasses various modules such as AV Evasion, Crypto Stealer, DDoS, XMR Miner, BTC Grabber, Keylogger, CryptoWallet Support, etc.

TOXIN Miner

Site Offering

This is a dedicated miner for Monero and Ether, advertised on a popular forum since April 2021.

More offensive applications frequently appear in different cyber spheres.

FACT:- There are dedicated Clipper Programs available which exclusively target Crypto Wallets installed on a Victim’s machine, replacing their Wallet Address with the Attacker’s wallet address to hijack the funds.

Infamous Crypto mining Campaigns

With the rise of Cryptocurrency (esp. CPU Mining for XMR), many stealth campaigns kicked off focused on Mining Monero. Some of them reaped a huge profit (directly proportional to the number of bots).

Let’s see some of the notable Cryptomining Campaigns:-

There are many botnet miners which are not covered here, and still-uncovered ones that reap maximum profit from their bot army.

If you observe closely, there has been an exodus of Threat Actor Groups towards Cryptojacking in recent times due to the High Success Rate. Some of the notable Groups are:-

1. TeamTNT
2. 8220 Gang
3. Outlaw
4. BISMUTH (Susp. Vietnam)
5. Rocke (China)
6. Pacha Group (China)
7. Tor2Mine

In the coming days, the number will surge as more novel groups would jump on the bandwagon.

NOTE:- Threat Groups are not explained here due to their quick adoption of Threat Vector changes (Dynamic), whereas Campaigns (mostly static) stand for a limited time frame and get shut down by Law Enforcement after the botnet origin & branches are found.

According to BE Search, XMR Miners are most widely found in:-

XMR Mining Setups

NOTE: It is evident that China is leading in both XMR Mining (as most of the Mining Pools are located in China) and Bitcoin Mining (acc. to Cambridge University Analysis). It can be assumed that the US, Netherlands, Finland, and Germany may host Silent Miners (without consent/user’s knowledge), though there are only a few mining pools in those countries because Cryptomining is mostly concentrated in Asia.

Some Shady Facts From Underground

  1. According to Offensive Users, an ExploitKit with a Miner is more profitable (the Chain Reaction starts with Exploitation)
  2. A RAT is not recommended with a Miner as it yields little profit
  3. Legit Processes are being leveraged for Cryptomining, such as svchst
  4. Ports 14433 & 14444 are generally used for Mining
  5. The main Pools used by Monero Botnets are Nanopool and MineXMR
  6. A Crypter is used along with the Miner for FUD (AV Evasion)
  7. Nanopool from China encourages any Mining (both Legal and Illegal)
  8. The Actor adds mutexes to the miner and compresses the file for AV Evasion
  9. supportxmr.com bans botnet activities (where the count is over 100)
  10. A Password is not required to join Nanopool, unlike other pools (by default)
  11. Actors use a .NET Obfuscator on it to decrease signature detections
  12. Most RAT programs come with XMRig by default as a package:
    xmr-eu1.nanopool.org:14444
    pool.minexmr.com:5555
  13. The miner automatically uses the GPU if the computer has an Nvidia or AMD card, and the CPU otherwise
  14. Cases where a silent miner was used in production, like SCADA, have been brought to public attention
  15. C3pool from China is also used mostly for malicious purposes as it does not get banned

SCAM ASSESSMENT

  1. Look for the mining Algorithm; if it’s NOT suitable for CPU/GPU, then it is probably a Scam
  2. NEVER accept untrusted attachments via email
  3. ALWAYS patch critical vulnerabilities (if you are an IT Admin)
  4. There are legit cloud miners, but do NOT trust novice platforms. There are instances where users’ funds were locked and the site underwent an EXIT SCAM
  5. Do NOT trust Celebrity Endorsement of a specific Cryptocurrency. Always Do Your Research.

Today, most Cryptominers are often flagged as Suspicious/Malicious by several AV Vendors, though they are legit. Hence, we need to analyze Indicators of Behavior (IOB) instead of IOCs (as we need to know the real agenda behind running cryptomining on any production server).
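
To make the IOB-over-IOC point concrete, here is an added example (mine, not from the article) that scores constructed endpoint telemetry on the behaviours listed under the shady facts above: the pool ports 14433/14444/5555, the pool domains, sustained CPU load, and the CHMiner disguise filenames as a weaker name-based signal. The log layout, the weights and the c3pool.com hostname are my assumptions.

```python
import re
from collections import defaultdict
from statistics import mean

# Pool ports and pool domains named in the article; c3pool.com is an
# assumed hostname for "C3pool", since the article gives only the pool name.
MINING_PORTS = {14433, 14444, 5555, 9999}
POOL_SUFFIXES = ("nanopool.org", "minexmr.com", "hashvault.pro", "supportxmr.com", "c3pool.com")
# Filenames the CHMiner package used to disguise its miners (plain IOCs)
DISGUISED_NAMES = {"rtksmbus.exe", "nbdrivesllapi.exe", "nvsoundsapi.exe"}

# Constructed endpoint telemetry (one CPU/connection sample per line);
# the key=value layout is invented for this example, not a real log format.
SAMPLE_LOG = """\
t=1 proc=RtkSmbus.exe pid=4120 cpu=93 dst=xmr-eu1.nanopool.org:14444
t=2 proc=RtkSmbus.exe pid=4120 cpu=95 dst=xmr-eu1.nanopool.org:14444
t=1 proc=svchost.exe pid=2210 cpu=97 dst=203.0.113.10:14444
t=2 proc=svchost.exe pid=2210 cpu=91 dst=203.0.113.10:14444
t=1 proc=chrome.exe pid=3300 cpu=88 dst=example.invalid:443
t=2 proc=chrome.exe pid=3300 cpu=12 dst=example.invalid:443
"""

LINE_RE = re.compile(r"proc=(?P<proc>\S+) pid=(?P<pid>\d+) cpu=(?P<cpu>\d+) "
                     r"dst=(?P<host>[^:\s]+):(?P<port>\d+)")

def parse(log_text):
    """Group samples by (process name, pid)."""
    groups = defaultdict(list)
    for line in log_text.splitlines():
        m = LINE_RE.search(line)
        if m:
            e = m.groupdict()
            e["cpu"], e["port"] = int(e["cpu"]), int(e["port"])
            groups[(e["proc"], e["pid"])].append(e)
    return groups

def score_process(events):
    """Weight behaviours (IOB) above names (IOC): a renamed binary or a pool
    reached by bare IP still scores on the port and sustained-CPU pattern."""
    cpu = mean(e["cpu"] for e in events)
    checks = [
        (2, f"sustained CPU {cpu:.0f}%", cpu >= 80),
        (2, "mining pool port", bool({e["port"] for e in events} & MINING_PORTS)),
        (3, "known pool domain", any(e["host"].endswith(s) for e in events for s in POOL_SUFFIXES)),
        (1, "disguised miner filename", events[0]["proc"].lower() in DISGUISED_NAMES),
    ]
    reasons = [r for w, r, ok in checks if ok]
    return sum(w for w, _, ok in checks if ok), reasons

def find_miners(log_text, threshold=4):
    """Return {(proc, pid): (score, reasons)} for processes scoring >= threshold."""
    scored = {k: score_process(v) for k, v in parse(log_text).items()}
    return {k: v for k, v in scored.items() if v[0] >= threshold}
```

The svchost.exe entry shows the point of the weighting: no pool domain and no suspicious name, yet the port and CPU behaviour alone reach the alert threshold.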

NOTE: There are still areas in Cryptomining such as Phone Mining, Pool Allocation, Region Supremacy in Mining, Faucet Site Mining, Cloud Mining, etc which we are NOT discussing in this article.

HASHES (CHMiner)

Follow me on Twitter for interesting DarkWeb/InfoSec Short findings! ;-)

NOTE:- The Article is purely an Individual Research and is not subjected to be used/published anywhere without the Author’s consent.


Independent Security Researcher and Threat Analyst. Often sheds light on Dark Web. Regular contributor to Infosec Community.