CoinMiner are Evasive - Bsides TLV

CoinMiners are Evasive A deep dive into the uncharted territory
of CoinMiners stealth tactics Omri SEGEV MOYAL Co-Founder & VP Research @GeloSnake MINERVA Labs Thomas ROCCIA Security Researcher, Advanced Threat Research @fr0gger_

Introduction What will be discussed in the talk: The rise
of CoinMiners CoinMiners Evasion Tactics CoinMiners Turf Wars Defensive Tactics Predictions BsidesTLV – 2018 - @GeloSnake - @fr0gger_ CryptoCurrency Interest Source: Google Trends

The Rise of CoinMiners BsidesTLV – 2018 - @GeloSnake -
@fr0gger_ Source: Google News

Business Model Mining relies on GPU, CPU, ASICS... Solo mining
is no longer profitable. Both malicious and legitimate miners turn to public pools. Cybercriminals highjack victim machines to create large mining botnets. BsidesTLV – 2018 - @GeloSnake - @fr0gger_ The Rise of CoinMiners

Most Currency Mined Monero - cyber criminals most mined currency
Relatively high mining profit returns Strong anonymity features Number one currency for web based mining Many open source easy to use tools BsidesTLV – 2018 - @GeloSnake - @fr0gger_ The Rise of CoinMiners

Infection Vectors Traditional malware Adding mining functionality Malicious documents and
spams Trojanized software and plugins Worms Exploiting web and local vulnerabilities Using brute force WebMining Highjacking legitimate website Iframe and redirects via advertisement BsidesTLV – 2018 - @GeloSnake - @fr0gger_ The Rise of CoinMiners Source: McAfee

What’s the big deal? BsidesTLV – 2018 - @GeloSnake -
@fr0gger_ The Rise of CoinMiners Source: Comino.com

Evasion techniques can be define as follow: BsidesTLV – 2018
- @GeloSnake - @fr0gger_ CoinMiners are Evasive (1) All the digital techniques used by a (mal||soft)ware to avoid, static, dynamic, automatic, human analysis in order to understand its behavior. (2) All the digital techniques used by a malware to avoid (1) and to evade security solutions, security configuration as well human detection to perform malicious action the longer on the infected machines. (3) Evasion techniques are classified as follow: Anti-Sandboxing, Antivirus Evasion, Anti-Debugging, Anti-Monitoring, Packers, Anti- Disassembly, Process Injection, Network Evasion, Obfuscation (encoding, encryption…), Morphism, Anti-Forensic, Anti-Machine Learning.

Comes in trojanized online gaming modes Uses Google Drive to
host the malicious components Source code found on Pastebin BsidesTLV – 2018 - @GeloSnake - @fr0gger_ WaterMiner | Modified video games on Russian forum tainted with CoinMiner Source: Minerva

Impersonate Intel or Oracle software XMRig commands are Embedded in
the payload Stop mining when monitoring program executes BsidesTLV – 2018 - @GeloSnake - @fr0gger_ WaterMiner | Hiding in a plain sight

Selling on blackmarket Packed samples Watching the clipboard to replace
wallet address (LTC, BTC, XMR…) BsidesTLV – 2018 - @GeloSnake - @fr0gger_ Evrial | Watch over what you type Source: McAfee

BsidesTLV – 2018 - @GeloSnake - @fr0gger_ Evrial | Watch
over what you type Bitcoin Stealer Cookie Stealer Source: McAfee

Spreads via eternal blue SMB exploit Run parallel to Wannacry
Managed to stay under the radar BsidesTLV – 2018 - @GeloSnake - @fr0gger_ UIWIX | Evasive Miner Exploiting ETERNALBLUE

Avoid running in virtual machines Look for debuggers and forensics
tools Avoid running in eastern Europe countries Look for cuckoo sandbox Look for debuggers and forensics tools BsidesTLV – 2018 - @GeloSnake - @fr0gger_ UIWIX | For i in EvasionTactics: copy/paste i

BsidesTLV – 2018 - @GeloSnake - @fr0gger_ XIAOBA | Redirecting
security websites XIAOBA Ransomware previously encrypted data now deploy CoinMiner Use fake icon Infect HTML file with Coinhive link to mine Redirect AV website to localhost Disable safe mode, Registry Delete .ISO and .GHO files Infect others PE on the system to run the miner <fail>Crash the system by infecting every exe</fail> Inject Coinhive script Redirect AV websites Remove Backup file Inject into EXE

BsidesTLV – 2018 - @GeloSnake - @fr0gger_ XIOBA CoinMiner Evasive
Techniques Fake 360Safe AV Edit etc\hosts Html file modified Registry disabled Disable Safe Boot XIAOBA | Redirecting security websites

BsidesTLV – 2018 - @GeloSnake - @fr0gger_ Killing Competition Mining
requires resources Some malware remove other threats Some other patches the system

BsidesTLV – 2018 - @GeloSnake - @fr0gger_ GhostMiner | Fileless
powershell worm Spread via exploits Oracle’s WebLogic – CVE-2017- 10271 MSSQL – bruteforce phpMyAdmin bruteforce

BsidesTLV – 2018 - @GeloSnake - @fr0gger_ GhostMiner | Fileless
killer Improved evasion over time Switched to Powershell Payload improved to only run in- memory Gen.1 Gen.2

BsidesTLV – 2018 - @GeloSnake - @fr0gger_ GhostMiner | Anti-competition
features Eliminate competitors Kill running miner process Stop and delete miner services Delete miner schedule tasks

BsidesTLV – 2018 - @GeloSnake - @fr0gger_ GhostMiner | MinerKiller

BsidesTLV – 2018 - @GeloSnake - @fr0gger_ Adylkuzz | Patching
away competition Adylkuzz used EternalBlue to spread but not directly embedded Patched the vulnerability after infection An old variant spreaded differently April 2017 Variant June 2017 Variant Source: McAfee

BsidesTLV – 2018 - @GeloSnake - @fr0gger_ Evasive Techniques CoinMiner
are also using the following techniques: Limit the CPU utilization Enable mining on specific hours Enable mining process when user is inactive Hide behind taskbar (Pop under techniques) Source: Minerva

BsidesTLV – 2018 - @GeloSnake - @fr0gger_ Evasive Techniques CoinMiners
continue to evolve by implementing evasion tricks Miners studied implement only some of the evasion tricks Most techniques used are Packers, Injection and Anti-Monitoring Packer Fake App Anti-monitoring Anti-av Anti-sandbox Replace wallet Anti-dbg Anti-forensic Fileless Injection Waterminer X X Evrial X X UIWIX X X X X X XIAOBA X X X X X GhostMiner X X X Adylkuzz X

BsidesTLV – 2018 - @GeloSnake - @fr0gger_ Detect the Threat
Monitoring high CPU activity Miner killer https://github.com/MinervaLabsResearch/BlogPosts/blo b/master/MinerKiller/MinerKiller.ps1 Detect with Yara Rules https://github.com/advanced-threat- research/IOCs/blob/master/MoneroMiner.yar Monitoring traffic Cryptocurrency Transaction Mining traffic Used CoinblockerList for websites https://github.com/ZeroDot1/CoinBlockerLists

| CoinblockerList

BsidesTLV – 2018 - @GeloSnake - @fr0gger_ What to expect
in the future? Crypto Miner is a growing threat and could dominate the Threat Landscape. Other targets (Smart TV, IOT, ConnectedCar…?) Banking Trojans targeting Cryptocurrencies (Dridex, Trickbot…) Majority Attack with Botnet Miners (Verge, BTCGold…) Attack on internal Blockchain implementation (Sybil Attack)

BsidesTLV – 2018 - @GeloSnake - @fr0gger_ Raise of Botnet
Miner Exploitation of weak ADB port (ADBMiner) Open Port 5555 Source: Shodan

BsidesTLV – 2018 - @GeloSnake - @fr0gger_ Majority Attack Influence
Blockchain integrity by forging block Botnet that get control over 51% of the network Generating block faster than the rest of the network Creating its own block Previous attack (Verge Coin, BTC Gold) Honest Miner 49% Malicious Miner 51% Block n Block n+1 Block n+2 Block n+3 Block n+4 Block n+3 Block n+4 Block n+5 Abandonned Blocks Malicious Blocks

BsidesTLV – 2018 - @GeloSnake - @fr0gger_ Quick Recap Review
of the CryptoMiner Threat Landscape Review of the Malware Evasion Techniques Look into the CryptoMiners Competition Offered defensive tactics Exploring future trends

Thank you! Omri SEGEV MOYAL Co-Founder & VP Research @GeloSnake
MINERVA Labs Thomas ROCCIA Security Researcher, Advanced Threat Research @fr0gger_ Q/A

CoinMiner are Evasive - Bsides TLV

CoinMiner are Evasive - Bsides TLV

More Decks by Thomas Roccia

Other Decks in Technology

Featured

Transcript