
CoinMiner are Evasive - Bsides TLV

In this talk we focused on the unexplored territory of CoinMiner evasive maneuvers and the functionality they use to avoid being found by their victims, and we provide tactics and tools to combat them. https://www.youtube.com/watch?v=bpaP5tBWPhE

This talk has also been presented at Codeblue Japan 2018 by Omri Segev Moyal (@gelosnake).


Thomas Roccia

June 27, 2018


  1. CoinMiners are Evasive: A deep dive into the uncharted territory of CoinMiners stealth tactics
     Omri SEGEV MOYAL, Co-Founder & VP Research, MINERVA Labs (@GeloSnake)
     Thomas ROCCIA, Security Researcher, Advanced Threat Research (@fr0gger_)

  2. Introduction
     What will be discussed in the talk:
     - The rise of CoinMiners
     - CoinMiners evasion tactics
     - CoinMiners turf wars
     - Defensive tactics
     - Predictions
     (Chart: cryptocurrency interest. Source: Google Trends)
     BsidesTLV – 2018 - @GeloSnake - @fr0gger_

  3. The Rise of CoinMiners (Source: Google News)

  4. The Rise of CoinMiners (Source: Google News)

  5. The Rise of CoinMiners | Business Model
     - Mining relies on GPUs, CPUs, ASICs...
     - Solo mining is no longer profitable.
     - Both malicious and legitimate miners turn to public pools.
     - Cybercriminals hijack victim machines to create large mining botnets.

  6. The Rise of CoinMiners | Most Mined Currency
     Monero is the currency cybercriminals mine most:
     - Relatively high mining profit returns
     - Strong anonymity features
     - Number one currency for web-based mining
     - Many open-source, easy-to-use tools

  7. The Rise of CoinMiners | Infection Vectors (Source: McAfee)
     Traditional malware adding mining functionality:
     - Malicious documents and spam
     - Trojanized software and plugins
     - Worms exploiting web and local vulnerabilities
     - Brute force
     Web mining:
     - Hijacking legitimate websites
     - Iframes and redirects via advertisements

  8. The Rise of CoinMiners | What's the big deal? (Source: Comino.com)

  9. CoinMiners are Evasive | Evasion techniques can be defined as follows:
     (1) All the digital techniques used by a (mal||soft)ware to avoid static, dynamic, automatic and human analysis aimed at understanding its behavior.
     (2) All the digital techniques used by a malware to avoid (1) and to evade security solutions, security configuration as well as human detection, in order to perform malicious actions for as long as possible on the infected machines.
     (3) Evasion techniques are classified as follows: Anti-Sandboxing, Antivirus Evasion, Anti-Debugging, Anti-Monitoring, Packers, Anti-Disassembly, Process Injection, Network Evasion, Obfuscation (encoding, encryption...), Morphism, Anti-Forensic, Anti-Machine Learning.

  10. WaterMiner | Modified video games on a Russian forum tainted with a CoinMiner (Source: Minerva)
     - Comes in trojanized online gaming mods
     - Uses Google Drive to host the malicious components
     - Source code found on Pastebin

  11. WaterMiner | Hiding in plain sight
     - Impersonates Intel or Oracle software
     - XMRig commands are embedded in the payload
     - Stops mining when a monitoring program executes

  12. Evrial | Watch over what you type (Source: McAfee)
     - Sold on the black market
     - Packed samples
     - Watches the clipboard to replace wallet addresses (LTC, BTC, XMR...)

  13. Evrial | Watch over what you type (Source: McAfee)
     - Bitcoin stealer
     - Cookie stealer

  14. UIWIX | Evasive miner exploiting ETERNALBLUE
     - Spreads via the EternalBlue SMB exploit
     - Ran in parallel to WannaCry
     - Managed to stay under the radar

  15. UIWIX | For i in EvasionTactics: copy/paste i
     - Avoids running in virtual machines
     - Looks for debuggers and forensics tools
     - Avoids running in Eastern European countries
     - Looks for the Cuckoo sandbox

  16. XIAOBA | Redirecting security websites
     - XIAOBA ransomware previously encrypted data; it now deploys a CoinMiner
     - Uses a fake icon
     - Infects HTML files with a Coinhive link to mine
     - Redirects AV websites to localhost
     - Disables safe mode (registry)
     - Deletes .ISO and .GHO files
     - Infects other PEs on the system to run the miner (<fail>crashes the system by infecting every exe</fail>)
     (Diagram: Inject Coinhive script; Redirect AV websites; Remove backup files; Inject into EXE)

  17. XIAOBA | Redirecting security websites
     XIAOBA CoinMiner evasive techniques:
     - Fake 360Safe AV
     - Edits etc\hosts
     - HTML files modified
     - Registry disabled
     - Disables Safe Boot

  18. Killing Competition
     - Mining requires resources
     - Some malware removes other threats
     - Some others patch the system

  19. GhostMiner | Fileless PowerShell worm
     Spreads via exploits:
     - Oracle WebLogic – CVE-2017-10271
     - MSSQL – brute force
     - phpMyAdmin brute force

  20. GhostMiner | Fileless killer
     - Improved evasion over time
     - Switched to PowerShell
     - Payload improved to only run in memory (Gen.1 vs Gen.2)

  21. GhostMiner | Anti-competition features
     Eliminates competitors:
     - Kills running miner processes
     - Stops and deletes miner services
     - Deletes miner scheduled tasks

  22. GhostMiner | MinerKiller

  23. GhostMiner | MinerKiller

  24. Adylkuzz | Patching away competition (Source: McAfee)
     - Adylkuzz used EternalBlue to spread, but it was not directly embedded
     - Patched the vulnerability after infection
     - An older variant spread differently (April 2017 variant vs June 2017 variant)

  25. Evasive Techniques (Source: Minerva)
     CoinMiners also use the following techniques:
     - Limit the CPU utilization
     - Enable mining at specific hours
     - Enable the mining process when the user is inactive
     - Hide behind the taskbar (pop-under techniques)

  26. Evasive Techniques
     - CoinMiners continue to evolve by implementing evasion tricks
     - The miners studied implement only some of the evasion tricks
     - Most techniques used are packers, injection and anti-monitoring
     (Technique matrix; columns: Packer, Fake App, Anti-monitoring, Anti-AV, Anti-sandbox, Replace wallet, Anti-dbg, Anti-forensic, Fileless, Injection; rows: WaterMiner with 2 techniques marked, Evrial 2, UIWIX 5, XIAOBA 5, GhostMiner 3, Adylkuzz 1)

  27. Detect the Threat
     - Monitoring high CPU activity
     - Miner killer: https://github.com/MinervaLabsResearch/BlogPosts/blob/master/MinerKiller/MinerKiller.ps1
     - Detect with Yara rules: https://github.com/advanced-threat-research/IOCs/blob/master/MoneroMiner.yar
     - Monitoring traffic: cryptocurrency transactions, mining traffic
     - Used CoinBlockerList for websites: https://github.com/ZeroDot1/CoinBlockerLists

  28. Detect the Threat | CoinBlockerList

  29. Detect the Threat
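An added example (not from the deck or either author's tooling) of the traffic-side detection on these slides: it loads a CoinBlockerList-style hosts file and flags log lines that resolve or fetch a listed domain, or that carry a stratum pool URI of the kind XMRig takes on its command line. The blocklist entries and log lines are constructed, and the log field names (qname=, url=, cmd=) are an assumption about the log source.

```python
import re

# Constructed sample in the hosts-file layout CoinBlockerLists also ships
# ("0.0.0.0 <domain>", '#' comments); the domains are made up for this example.
SAMPLE_BLOCKLIST = """\
# CoinBlockerList-style sample (constructed)
0.0.0.0 pool.minexmr.example
0.0.0.0 coinhive.example
"""

# Constructed DNS/proxy/process log lines; the process line carries an
# XMRig-style "stratum+tcp://" pool URI like the commands WaterMiner embeds.
SAMPLE_LOGS = [
    "2018-06-27T10:01:02 dns host=WS01 qname=www.intel.com",
    "2018-06-27T10:01:05 dns host=WS01 qname=eu.pool.minexmr.example",
    "2018-06-27T10:01:09 proxy host=WS02 url=https://coinhive.example/lib/coinhive.min.js",
    '2018-06-27T10:02:11 process host=WS03 cmd="oracle-update.exe -o stratum+tcp://pool.minexmr.example:3333 -u WALLET -p x"',
    "2018-06-27T10:02:40 proxy host=WS04 url=https://example.org/index.html",
]

STRATUM_RE = re.compile(r"stratum\+(?:tcp|ssl|tls)://([A-Za-z0-9.\-]+)", re.I)
DOMAIN_FIELD_RE = re.compile(r"(?:qname=|url=https?://)([A-Za-z0-9.\-]+)")


def load_blocklist(text):
    """Parse hosts-format lines into a set of lowercase domains, skipping comments."""
    domains = set()
    for line in text.splitlines():
        line = line.split("#", 1)[0].strip()
        if line:
            domains.add(line.split()[-1].lower())
    return domains


def is_blocked(domain, blocklist):
    """True if the domain or any parent (except the bare TLD) is listed,
    so eu.pool.minexmr.example matches the entry pool.minexmr.example."""
    labels = domain.lower().split(".")
    return any(".".join(labels[i:]) in blocklist for i in range(len(labels) - 1))


def scan_logs(lines, blocklist):
    """Return (kind, domain, line) findings for pool URIs and blocklisted domains."""
    findings = []
    for line in lines:
        m = STRATUM_RE.search(line)
        if m:  # a pool URI is decisive on its own, whatever the domain list says
            findings.append(("stratum_pool_uri", m.group(1).lower(), line))
            continue
        for domain in DOMAIN_FIELD_RE.findall(line):
            if is_blocked(domain, blocklist):
                findings.append(("blocklisted_domain", domain.lower(), line))
    return findings
```

Pairing this with the CPU monitoring on the same slide matters because the CPU-throttling trick from slide 25 defeats a load threshold on its own, whereas a pool connection does not depend on how hard the miner works.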

  30. What to expect in the future?
     - Crypto miners are a growing threat and could dominate the threat landscape
     - Other targets (smart TVs, IoT, connected cars...?)
     - Banking Trojans targeting cryptocurrencies (Dridex, TrickBot...)
     - Majority attacks with botnet miners (Verge, BTC Gold...)
     - Attacks on internal blockchain implementations (Sybil attack)

  31. Rise of Botnet Miners
     - Exploitation of a weak ADB port (ADBMiner)
     - Open port 5555 (Source: Shodan)

  32. Majority Attack
     - Influence blockchain integrity by forging blocks
     - A botnet that gets control over 51% of the network generates blocks faster than the rest of the network and creates its own blocks
     - Previous attacks: Verge Coin, BTC Gold
     (Diagram: honest miners (49%) and malicious miners (51%) share Block n, n+1, n+2; the honest chain continues with Block n+3, n+4 (abandoned blocks) while the malicious chain continues with Block n+3, n+4, n+5 (malicious blocks))
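Added example, not part of the deck: the 49%/51% race in this diagram put into numbers with the catch-up formula from the Bitcoin whitepaper (the honest chain is z blocks ahead, the attacker holds fraction q of the hash rate). It shows why q >= 0.5 makes the malicious chain win with certainty, and how far ahead the honest chain must be before a minority attacker's chance drops below a chosen risk.

```python
import math


def attacker_catch_up_probability(q: float, z: int) -> float:
    """Probability that an attacker with hash-rate share q eventually overtakes
    an honest chain that is z blocks ahead (Nakamoto's formula: Poisson over the
    attacker's expected progress, times the gambler's-ruin term (q/p)^(z-k))."""
    if not 0.0 <= q < 1.0 or z < 0:
        raise ValueError("q must be in [0, 1) and z >= 0")
    p = 1.0 - q
    if q >= p:
        return 1.0  # majority hash rate: the forged chain outgrows the honest one with certainty
    lam = z * (q / p)  # expected attacker blocks while honest miners find z blocks
    total = 0.0
    for k in range(z + 1):
        poisson = math.exp(-lam) * lam ** k / math.factorial(k)
        total += poisson * (1.0 - (q / p) ** (z - k))
    return 1.0 - total


def minimum_lead_for_risk(q: float, max_risk: float):
    """Smallest honest lead z whose catch-up probability is below max_risk.
    Returns None for q >= 0.5: no number of confirmations protects against a majority."""
    if q >= 0.5:
        return None
    z = 0
    while attacker_catch_up_probability(q, z) >= max_risk:
        z += 1
    return z


def catch_up_table(q: float, leads=(0, 1, 2, 5, 10)):
    """Map each honest lead to the attacker's catch-up probability, for a quick look."""
    return {z: attacker_catch_up_probability(q, z) for z in leads}
```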
  33. Quick Recap
     - Review of the CryptoMiner threat landscape
     - Review of the malware evasion techniques
     - Look into the CryptoMiners competition
     - Offered defensive tactics
     - Exploring future trends

  34. Thank you!
     Omri SEGEV MOYAL, Co-Founder & VP Research, MINERVA Labs (@GeloSnake)
     Thomas ROCCIA, Security Researcher, Advanced Threat Research (@fr0gger_)
     Q/A