Open in app

Sign in

Write

Sign in

The PhotoMiner Campaign

The PM worm spreads through infecting websites hosted on FTP servers and mines Monero for profit. Observed in thousands of attacks this year, its unique infection mechanism and modular design allow it to remain on infected systems for years

GuardiCore
GuardiCore
7 min readJun 14, 2016

--

By Daniel Goldberg, Security Researcher at Guardicore

Over the past few months, we’ve been following a new type of worm we named PhotoMiner. PhotoMiner features a unique infection mechanism, reaching endpoints by infecting websites hosted on FTP servers while making money by mining Monero. The choice of a lesser known currency with a good exchange rate allows the attackers to rapidly gain money while the sophisticated use of safeguards makes it resilient to most disruption attempts, potentially leaving victims infected for years.
We’ve documented thousands of attacks originating from hundreds of IPs, running similar attack flows while using different binaries. In this report we will share our research on the PhotoMiner’s timelines, infection strategies, C&C servers and provide tools to help detect the malware.

Attack Description

On January 10 2016, GuardiCore Global Sensor Network detected an automated attack uploading suspicious files to FTP hosts. Usually, uploading files to a vulnerable FTP server would go unnoticed in organizations but our Sensor Network identified an anomalous behavior where identical incidents continued to pile up, arriving from all over the world.

PhotoMiner victims are predominantly from Asian countries, but no area is immune

Since its first release, the malware has evolved rapidly. Till today, we’ve seen two different variants of PhotoMiner and over a dozen versions, indicating a rapid pace of evolution. The first variant was compiled on December 9, 2015 and included the core miner and basic propagation abilities. The second variant was released February 3, 2016 and quickly became the dominant version we can observe in the wild.

Spreading and Infecting

Over time, PhotoMiner added new capabilities including a unique multi-stage infection mechanism. First, insecure FTP servers over the world are compromised. Then, innocent websites hosted alongside the FTP servers are engineered to infect their visitors with malware. Finally, unsuspecting website visitors are infected with malware that does not only mine crypto-currency, but also seeks to infect additional FTP servers and systems in local networks.

PhotoMiner uses two types of attack techniques:

The primary attack method takes advantage of insecure FTP servers and clueless users. Since websites are frequently accessible over FTP, the operators of PhotoMiner are able to easily infect website source code and from there, innocent users. This method poses a long term danger to website security.

This is a simple two-stage attack;

  • By brute forcing random IP addresses and working off a user/password dictionary, weakly protected FTP servers are located and attacked.
  • Once a successful login attempt is made, a copy of the malware is uploaded to each writable server. At this point, each and every file capable of being rendered to a user (such as HTML, PHP and aspx files) is infected with the following string:
An infected website serving up the malware

At this stage, rendering the page will cause a vulnerable browser to serve as a download. A careless user will click Open and let the malware in. Recent variants of the malware have upgraded this attack by adding server-side code injection and attempting to install a Linux based miner.

The target server IP, its credentials and the list of infected files are sent to the malware’s backend servers. With this information, the attackers can later login to the infected FTP servers, infecting more files and pivot into additional victims.

The second method is based on attacking Windows endpoints and servers reachable in the local area network using the following steps:

  • PhotoMiner uses built-in Windows systems tools such as ‘arp’ and ‘net view’ to read the ARP cache and to scan the local network segment using the BROWSER protocol.
  • Next, it attempts to brute force a connection over SMB. With each successful connection, PhotoMiner attempts to drop copies of itself into every accessible remote startup location. After any successful copy, it will use WMI scripting to execute local copies.
PhotoMiner disables hibernation

Some variants stealthily open a public Wi-Fi access point with the hardcoded name of “Free_WIFI_abc12345” which can lure innocent users into the network and get them infected.

Attackers lure website visitors by opening an accessible wifi access point

Malware In Depth

PhotoMiner is built in a modular fashion, creating a standalone executable focused on mining Monero and a complex wrapper that is responsible for the persistence mechanism and further infections. This wrapper is comprised of two main variants with multiple sub versions:

  • The first variant img001.scr is unique in its use of NSIS, a custom scripting language.
    Built for installers, NSIS is a perfect fit for writing simple installers including malware. The code is easy to read and debug, enabling the attackers to easily iterate and add features
  • The second variant photo.scr is a native binary that implements the img001.scr functionality in native code
Writing complex scripts that interact with the operating system is made simple using NSIS

Both variants include multiple sub versions where differences range from bug fixes to changes in the infection technique. Despite the multitude of versions, they follow the same order of operations. As such, we will describe them together, mentioning distinct abilities only when required.

During the initialization stage, PhotoMiner performs householding tasks such as persistence mechanism installation and collecting configuration data for the miner: To install a persistence mechanism, the PhotoMiner registers as a startup program using the following:

  • HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Run
  • %ALLUSERSPROFILE%\Microsoft\Windows\Start Menu\Programs\Startup\
  • %HOMEPATH%\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\

While basic, this technique does work and today does not automatically mark a program as “malicious”.

Configuration data is acquired by communicating over standard HTTP with a list of predefined hostnames, all serving a generic configuration file. Currently the given configuration is a list of Monero pools and wallets from which the malware randomly picks a recipient. This configuration file is scrambled using a basic reverse-dictionary. This means that for each scrambled character, a matching character is retrieved from a hardcoded dictionary, while non scrambled characters are safely skipped over.

Configuration file: Scrambled vs unscrambled

At this stage basic details about the computer such as operating system version and IP are sent to C&C servers. PhotoMiner connects with C&C servers to communicate its progress rather than accepting “commands” and infact does not include any remote access capabilities. Our attackers have built a resilient backend, spread over multiple domain names and using VPS servers rotated across different hosting providers. However, thanks to several mistakes made by the attackers such as reusing servers and IP addresses the different campaigns are tied together through shared servers.

After initialization, the malware “spins off” the miner as a separate process and goes on to spread itself. This minimises the danger posed by antivirus programs to the miner itself. The mining module itself is a packed version of BitMonero, the core implementation of the Monero worker and is a legit program which is not likely to attract unwanted attention.

Detecting and Preventing PhotoMiner Attacks

PhotoMiner may infect FTP servers regardless of the hosting software and use the full computing power of any victim Windows machine.

For endpoints, implementing recommended security policies will easily prevent attacks, such as application whitelisting and endpoint firewalls which prevent outbound connections. If not an option, up to date browsers will prevent drive-by downloads such as used here.

Deploy a security solution that provides in-depth visibility into the data-center such as Guardicore Reveal™ to immediately alert on these types of malware executed on a machine it protects.

FTP servers shouldn’t allow unauthorized connections by locking down allowed IP addresses and making sure strong user/password combinations are in use.

If an infected server is detected, verify its code files are sanitised and remove all copies of the malware from the server.

Conclusion

Infecting websites through unprotected FTP servers is a classic attack that seems to be gaining popularity once again. By creating an infection that is hard to disrupt, the writers of PhotoMiner have created a botnet that is undoubtedly here to stay.

A non-secure service facing the internet, such as an unprotected FTP server, is one of the most common ways attackers use to first penetrate an organization. Attackers currently using their botnet for mining may in the future use stolen credentials and infected machines to move laterally inside the data center and compromise the most valuable assets of the organization.

Originally published at www.guardicore.com on June 14, 2016.

Cybersecurity
Malware
Information Security
Digital Currency
Guardicore Labs

--

--

GuardiCore
GuardiCore

Written by GuardiCore

23 Followers
Editor for

Secure your data center from within — http://www.guardicore.com

Help

Status

About

Careers

Press

Blog

Privacy

Terms

Text to speech

Teams