The cryptocurrency boom is underway. The talk of the town isn’t only about Bitcoin, the most popular form of digital cash. The value of some altcoins, including Monero (XMR), is steadily reaching new heights as well, adding more fuel to the furnace of the overall hysteria.
The flip side of this trend is that coin mining via malicious techniques is becoming a real scourge. Threat actors have grown proficient in weaponizing known software vulnerabilities to install Monero-mining malware on servers, PCs and even mobile devices without users’ awareness or consent. Below is a roundup of the top 10 strains of perpetrating code from this category that have been wreaking havoc recently.
1. PyCryptoMiner
A large-scale mining campaign using the malware codenamed PyCryptoMiner was one of the first incidents reported in 2018. This wave is unique in that it leverages Python scripts rather than malicious binaries to proliferate. Being script-based allows this culprit to slip below the radar of AV solutions and install a copy of an open-source Monero-mining client on targeted machines. The threat actors have created a botnet of compromised Linux servers to mine the cryptocurrency. According to researchers’ estimates, they had made $60,000 worth of Monero this way as of early January.
2. RubyMiner
This one zeroes in on outdated web servers. In order to spot vulnerable machines, the perpetrators harness a TCP/IP stack fingerprinting utility called p0f. Once an unpatched Windows or Linux server is detected via this technique, they leverage cataloged exploits to inject RubyMiner malware and deploy the mining activity behind the scenes. According to Check Point, the black hats were able to infect about 700 servers during just one day.
3. PoC code targeting Oracle WebLogic servers
According to SANS, the campaign in question commenced in early December 2017. Two crews of cybercriminals took advantage of a proof-of-concept exploit for a vulnerability known as CVE-2017-10271 in order to compromise unpatched Oracle WebLogic servers and install cryptocurrency miners. One of the groups mined Monero and reportedly made 611 XMR (about $226,000 at the time). The other focused on mining digital cash called AEON and earned some $6,000 worth of the coins.
4. Digmine
The Digmine malware was discovered around mid-December 2017 and turned out to be groundbreaking in terms of propagation. It has been making the rounds by means of booby-trapped files sent via Facebook Messenger. These toxic objects are disguised as videos but are actually EXE files that reach out to a C2 server and download a Monero mining application from it. Interestingly, the malware also installs a Chrome extension that automatically sends the same malicious file to all of the victim’s Facebook contacts.
5. Zealot
The crooks behind a mining campaign dubbed Zealot make victims by mass-scanning the Internet for servers with specific unpatched vulnerabilities. The contamination chain involves two exploits purportedly used by the NSA for surveillance that were leaked by the Shadow Brokers hacking crew last year. These exploits, codenamed EternalBlue and EternalSynergy, take advantage of security loopholes in Apache Struts and DotNetNuke CMS and furtively install a Monero miner on poorly protected servers.
6. WaterMiner
This offending program stands out from the rest as it comes bundled with gaming mods available on dedicated Russian web forums. These contagious mods conceal a modified edition of XMRig, an open-source CPU miner for Monero that’s gaining momentum in the cybercriminal underground. WaterMiner boasts sophisticated persistence mechanisms and is evasive enough to halt the mining routine when a victim opens the native Windows Task Manager or a third-party equivalent.
7. CodeFork
Another perpetrating program, devised by a cybercriminal group dubbed CodeFork, got into researchers’ spotlight in September 2017. The infection gained notoriety for its ‘file-less’ activity, which means that it is embedded into a target host’s RAM rather than being deposited on disk. This hallmark allows the pest to circumvent conventional detection mechanisms. Similarly to WaterMiner mentioned above, the CodeFork malware leverages a modified variant of the XMRig Monero miner to achieve its goals.
8. Adylkuzz
The infamous NSA hacking tools dumped by the Shadow Brokers gang played into the hands of cybercrooks behind another cryptocurrency miner called Adylkuzz. Specifically, the threat actors leveraged two zero-day exploits – EternalBlue and DoublePulsar – to infect numerous computers with the Monero-mining app in question. The villains used these exploits to trespass on machines via unsecured SMB (Server Message Block) ports. The most interesting part is that Adylkuzz closed down vulnerable SMB ports after the attack, which in turn may have prevented the nasty WannaCry ransomware from infecting the machine as it spread in a similar fashion.
9. CoinMiner
This one’s name is self-explanatory. Although it sounds somewhat vanilla, the malicious features on board make it one of the most competently crafted Monero miners to date. CoinMiner is another example of file-less malware and therefore boasts an extra layer of obfuscation to stay undetected on breached systems. It leverages the EternalBlue NSA exploit to sneak its way into computers and servers via open SMB ports. To top it off, the culprit abuses WMI (Windows Management Instrumentation) tools to communicate with its Command and Control server and persist on the host.
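WMI persistence of the kind attributed to CoinMiner above lives in permanent event subscriptions, which are easy to enumerate on a host. The following check is an added example for defenders, not code from the article or from any of the malware described; it lists every filter-to-consumer binding in root/subscription, shows the command or script a consumer would run, and flags anything other than the default SCM Event Log pair (assumed present on a clean Windows install) for review.

```powershell
# Added example (not from the article): enumerate WMI permanent event subscriptions,
# the persistence mechanism CoinMiner is described as abusing, and flag non-default entries.
# Run in an elevated Windows PowerShell session.
$ns = 'root/subscription'
# Assumption: these two names are the only subscription objects on a clean Windows install.
$knownGood = @('SCM Event Log Filter', 'SCM Event Log Consumer')

$filters   = Get-CimInstance -Namespace $ns -ClassName __EventFilter
$consumers = Get-CimInstance -Namespace $ns -ClassName __EventConsumer
$bindings  = Get-CimInstance -Namespace $ns -ClassName __FilterToConsumerBinding

foreach ($b in $bindings) {
    # Get-CimInstance resolves the Filter/Consumer references to the referenced objects.
    $filterName   = $b.Filter.Name
    $consumerName = $b.Consumer.Name
    $f = $filters   | Where-Object Name -eq $filterName
    $c = $consumers | Where-Object Name -eq $consumerName

    # Where the consumer executes something, show what would actually run on trigger.
    $payload = switch ($c.CimClass.CimClassName) {
        'CommandLineEventConsumer'  { $c.CommandLineTemplate }
        'ActiveScriptEventConsumer' { $c.ScriptText }
        default                     { '(no command payload)' }
    }

    # Any binding outside the known-good pair deserves an analyst's eyes.
    $flag = 'default'
    if (($knownGood -notcontains $filterName) -or ($knownGood -notcontains $consumerName)) {
        $flag = 'REVIEW'
    }

    [PSCustomObject]@{
        Filter     = $filterName
        Query      = $f.Query          # the WQL trigger condition, e.g. a timer or process-start event
        Consumer   = $consumerName
        Class      = $c.CimClass.CimClassName
        Payload    = $payload
        ReviewFlag = $flag
    }
}
```

Pipe the output to Format-List to read long WQL queries and command templates in full; a CommandLineEventConsumer or ActiveScriptEventConsumer that you did not deploy is the finding to chase.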
10. Loapi
Loapi is a strain of Android malware that has a modular architecture and thus performs a variety of malicious functions. One of its goals is to download a Monero-mining virus onto a contaminated device without the victim’s consent. Loapi propagates via trojanized Android applications promoted on shady app stores and pretending to be antivirus or adult tools. It obtains admin privileges on an infected device and deploys a Monero miner in the background. By the way, the constant CPU load caused by the mining module will definitely overheat the infected gadget and make its battery bulge in mere days.
To recap, malicious cryptocurrency mining is the new black on the cyber-threat landscape. It is gearing up for a rise, starting to outperform the heavyweight underground economy behind ransomware. For instance, the recent move of the VenusLocker ransomware gang, where they abandoned extortion in favor of Monero mining, speaks volumes about the ongoing trend.
To stay on the safe side, users should apply operating system patches once they are rolled out and download software from official sources rather than third-party stores with a questionable reputation.
About David Balaban
David Balaban is a computer security researcher with over 15 years of experience in malware analysis and antivirus software evaluation. David runs the Privacy-PC.com project which presents expert opinions on the contemporary information security matters, including social engineering, penetration testing, threat intelligence, online privacy and white hat hacking.