Driz Group

Cybersecurity Blog

Thought leadership, threat analysis, news and alerts.

How Cryptocurrency Mining Malware Evades Detection

11/14/2018


The recent rise of cryptocurrency mining malware is driven not just because of its high-profit potential, but also because of its ability to remain undetected in a compromised system.

Early this month, Nova Scotia-based St. Francis Xavier University announced that it purposely shut down all its network systems in response to a cryptojacking attack, whereby attackers attempted to illicitly mine the cryptocurrency Bitcoin using the university’s collective computing power. 

The price of Bitcoin as of November 13, 2018 (8:30 AM GMT+7) is $6,370, way below the all-time high of nearly $20,000 in December 2017, but still way above the $317 price of Bitcoin way back in January 2015.

For Bitcoin mining to be profitable, one needs to invest in a reasonable number of powerful computers and bear high electricity costs. Illicit cryptocurrency mining, also known as cryptojacking, hijacks someone else’s computing power without their consent to mine cryptocurrency such as Bitcoin.

Cryptocurrency Mining Malware Evasion Techniques

Many organizations continue with their usual IT operations without even realizing that the organization’s computers are illicitly used by cyberattackers for cryptocurrency mining.

Based on the combined data of several Cyber Threat Alliance (CTA) members, illicit cryptocurrency mining increased by 459% from 2017 to September 2018.

Researchers at Trend Micro recently discovered a cryptocurrency mining malware that uses multiple techniques to evade detection. The malware, detected by Trend Micro as Coinminer.Win32.MALXMR.TIAOODAM, uses the following evasion techniques to make it harder for detection tools to discover it:

First, Coinminer.Win32.MALXMR.TIAOODAM evades detection by arriving on the victim’s computer as a Microsoft Windows Installer (MSI) file. Windows Installer is a software component used for installing and uninstalling software. Using a real Windows component, researchers at Trend Micro said, makes the cryptocurrency mining malware look less suspicious and potentially allows it to bypass certain security filters.

Second, Coinminer.Win32.MALXMR.TIAOODAM evades detection as it creates copies of the kernel file ntdll.dll and the Windows USER component user32.dll in %AppData%\Roaming\Microsoft\Windows\Template\FileZilla Server\{Random Numbers}. Researchers at Trend Micro theorized that this is done to prevent detection of the cryptocurrency mining malware’s application programming interface (API) – a set of programming instructions and standards for accessing a software application.

Third, Coinminer.Win32.MALXMR.TIAOODAM evades detection as it comes with a self-destruct mechanism, a feature that deletes every file under its installation directory and removes any trace of installation in the system.

Fourth, Coinminer.Win32.MALXMR.TIAOODAM evades detection as it comes with WiX, which stands for Windows Installer XML, a free software toolset for building Windows Installer packages from XML. Researchers at Trend Micro said that WiX is an added layer developed by the attackers to evade detection.

Initial infection of Coinminer.Win32.MALXMR.TIAOODAM could come from emails laden with malicious attachments and malicious URLs.

Early this year, attackers also used multiple evasion techniques in their cryptocurrency mining malware, this time while using Tesla’s computing power to mine cryptocurrency.

In February this year, RedLock reported that Tesla’s Amazon Web Services (AWS) cloud account was compromised by attackers through Kubernetes, an open source software used to deploy and manage cloud-based applications and resources. RedLock said that Tesla's Kubernetes wasn’t password protected, enabling attackers to execute a cryptomining command from within Kubernetes.

According to RedLock, the cryptocurrency mining malware used in the Tesla cryptojacking incident wasn’t initially detected as the attackers used the following evasion techniques:

First, the attackers configured the cryptomining malware to keep CPU usage low to evade detection. The CPU, or central processing unit, is the component that performs most of the processing inside a computer. Unusually high CPU usage is a sign that computers are being used for cryptocurrency mining.

Illicit Bitcoin mining is typically discovered through unusually high CPU usage. Checking CPU usage alone, however, is not an adequate gauge for cryptocurrency mining, as mining other cryptocurrencies consumes less CPU.

Aside from illicitly mining Bitcoin, attackers are also drawn to hijacking the computing power of others to mine the cryptocurrency Monero (valued at $105 as of November 13, 2018 at 10 AM GMT+7), as this cryptocurrency requires less computing power and is more anonymous than Bitcoin.

Second, attackers in the Tesla cryptojacking incident didn’t use a well-known public “mining pool”, a means by which cryptominers share their computing power over a network and split the reward equally. By using an “unlisted” or semi-public mining pool, the attackers in the Tesla cryptojacking incident initially went unnoticed.

Third, in addition to using an unlisted mining pool, the attackers in the Tesla cryptojacking incident hid the true IP address of their mining pool server behind CloudFlare, a free content delivery network (CDN) service, making detection even more difficult.

Fourth, the attackers in the Tesla cryptojacking incident configured their cryptomining malware to listen on a non-standard port, making it difficult to detect unusual activity based on port traffic.

Prevention

Protecting your organization’s computers or network from cryptocurrency mining malware is important as this malware can damage your organization’s computers, negatively impact business operations and can lead to further cyberattacks.

Here are some measures to prevent attackers from using your organization’s computing power for cryptocurrency mining:

  • Use an email inspection tool that can detect malicious attachments and URLs.
  • Monitor configurations. By monitoring configurations, exposed or unprotected software can be identified.
  • Monitor traffic. By monitoring traffic, suspicious traffic can be identified early.
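As an added defender-side example (not part of the original post), the script below contrasts the CPU-threshold check that the Tesla attackers defeated with a port-agnostic check on the first bytes of each connection, which is what the advice to monitor traffic amounts to in practice: Stratum mining traffic is line-delimited JSON-RPC and looks the same on port 443 as on a conventional pool port. The connection records, wallet placeholder and IP addresses are constructed; it assumes your telemetry can supply the first client-to-server bytes of a stream and the CPU usage of the process that owns the socket.

```python
import json
from dataclasses import dataclass


@dataclass
class Conn:
    src: str
    dst: str
    dport: int
    payload: str    # first client-to-server bytes of the stream, decoded as text
    cpu_pct: float  # average CPU of the process that owns the socket (host telemetry)


# Stratum is line-delimited JSON-RPC; these are the method names mining clients send first.
# Monero miners such as XMRig open with "login"; Bitcoin-style pools use "mining.subscribe".
STRATUM_METHODS = {"login", "mining.subscribe", "mining.authorize", "mining.submit", "submit"}


def stratum_message(payload):
    """Parse the first line of the stream; return the JSON-RPC object if it is a Stratum call."""
    first = payload.split("\n", 1)[0].strip()
    if not first.startswith("{"):
        return None
    try:
        msg = json.loads(first)
    except json.JSONDecodeError:
        return None
    if isinstance(msg, dict) and msg.get("method") in STRATUM_METHODS:
        return msg
    return None


def cpu_only_verdict(conn, threshold=80.0):
    """The naive rule the attackers defeated by throttling: alert only above a CPU threshold."""
    return conn.cpu_pct >= threshold


def payload_verdict(conn):
    """Port-agnostic rule: alert on a Stratum handshake whatever the port or CPU load."""
    msg = stratum_message(conn.payload)
    if msg is None:
        return None
    params = msg.get("params")
    agent = str(params.get("agent", "")) if isinstance(params, dict) else ""
    return {"src": conn.src, "dst": conn.dst, "dport": conn.dport,
            "method": msg["method"], "agent": agent, "cpu_pct": conn.cpu_pct}


def scan(conns):
    """Return one alert per connection whose first message is a Stratum call."""
    return [v for v in map(payload_verdict, conns) if v is not None]


def compare(conns, threshold=80.0):
    """Indices flagged by each rule, to show what the CPU-only rule misses and mis-flags."""
    return {"cpu_only": [i for i, c in enumerate(conns) if cpu_only_verdict(c, threshold)],
            "payload": [i for i, c in enumerate(conns) if payload_verdict(c) is not None]}


# Constructed sample records (documentation-range IPs, placeholder wallet); not real traffic.
WALLET = "<MONERO_WALLET_PLACEHOLDER>"
SAMPLE_CONNS = [
    # 0. Throttled miner talking to an unlisted pool on 443 to blend in with HTTPS
    Conn("10.0.0.12", "203.0.113.10", 443,
         json.dumps({"id": 1, "jsonrpc": "2.0", "method": "login",
                     "params": {"login": WALLET, "pass": "x", "agent": "XMRig/constructed"}}) + "\n",
         35.0),
    # 1. Genuine TLS ClientHello from a busy web server: binary, not JSON, high CPU
    Conn("10.0.0.20", "198.51.100.7", 443, "\x16\x03\x01\x02\x00\x01\x00\x01\xfc\x03\x03", 91.0),
    # 2. Unthrottled miner on the conventional pool port
    Conn("10.0.0.31", "203.0.113.22", 3333,
         '{"id":1,"method":"mining.subscribe","params":["cpuminer/constructed"]}\n', 99.0),
]

if __name__ == "__main__":
    print(compare(SAMPLE_CONNS))   # CPU rule: misses 0, false-positives 1; payload rule: 0 and 2
    for alert in scan(SAMPLE_CONNS):
        print(alert)
```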

XMRig: Cryptomining Malware that Works Even Without Web Browser

4/22/2018


The cryptocurrency market may have lost nearly 70% of its market cap from the all-time high of $835 billion in December 2017, but this hasn’t stopped malicious individuals from getting ready for the next cryptocurrency bull run by spreading cryptocurrency mining malware into the wild.

In the past few months, Coinhive, a cryptocurrency malware that works on web browsers, has wreaked havoc on victims’ computers. But another cryptocurrency malware called “XMRig” is starting to make ripples, entering Check Point’s March 2018 top ten most wanted malware index in 8th place for the first time after a 70% increase in global impact.

Coinhive, ranked number one in Check Point’s March 2018 top ten most wanted malware, is a malware that utilizes scripts in taking over some of the processing power on the computers of website visitors without their permission to mine the cryptocurrency Monero.

Cryptocurrency mining is a process of verifying a transaction and a means by which a new coin is released. In order for the transactions to be verified and coins to be released, computational powers of computers are used.

In an ideal world, owners of computers used for cryptocurrency mining should give their consent and should be compensated. Malicious actors bypass this consent aspect and reap all the financial gains for themselves.

What is XMRig?

The original XMRig is open source code used to mine the cryptocurrency Monero on computers running the Windows operating system. The XMRig open source code is not in itself malicious. There are currently three programs available to mine Monero, but XMRig seems to be the choice among malicious actors.

There’s a demand for Monero as this cryptocurrency boasts of easier mining and untraceable transactions. As of April 20, 2018 (10:30 am GMT+7) one Monero coin is worth $245.

Malicious actors, however, use the XMRig code to conduct illicit mining of Monero cryptocurrency by hijacking the computational power of the infected computers. 

XMRig, used as a cryptocurrency malware, was first seen in the wild in May 2017. As of January 2018, Palo Alto Networks estimated that XMRig victimized nearly 15 million people worldwide. The actual number of victims, Palo Alto Networks said, could be much higher.

In September 2017, security researchers Peter Kálnai and Michal Poslušný reported that crooks made over $63,000 worth of Monero by modifying the legitimate open source Monero mining software XMRig.

According to Kálnai and Poslušný, the malicious actors didn’t apply any changes to the XMRig codebase apart from adding a new wallet address, new mining pool URL and commands to “kill all previously running instances of itself so as not to compete with its new instance” – a process that takes more than just a couple of minutes.

It’s not unusual for malicious actors to reuse code. Attackers often don’t reinvent the wheel if they don’t have to.
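As an added example (not the researchers' code), the script below shows how a defender can recognise the two fields Kálnai and Poslušný describe the crooks changing, the pool URL and the wallet address, when they appear on a process command line. It relies on XMRig's documented -o/--url, -u/--user, -p/--pass and --donate-level options and on the format of Monero addresses; the sample command lines, the wallet string and the scoring thresholds are constructed, and the curl case shows why a single flag such as -o is not enough on its own.

```python
import re

# XMRig's documented options (real flags): -o/--url pool, -u/--user wallet, -p/--pass, --donate-level.
# The sample command lines, the wallet string and the score thresholds below are constructed.
POOL_FLAGS = ("-o", "--url")
USER_FLAGS = ("-u", "--user")
DONATE_FLAG = "--donate-level"

B58 = "[1-9A-HJ-NP-Za-km-z]"  # base58 alphabet shared by Bitcoin and Monero addresses
# Monero standard addresses are 95 base58 characters starting with '4'; subaddresses start with '8'.
# (106-character integrated addresses are deliberately not covered here.)
MONERO_ADDR = re.compile(f"^[48]{B58}{{94}}$")
# host:port, optionally prefixed with the stratum+tcp:// or stratum+ssl:// scheme miners use
POOL_URL = re.compile(r"^(?:stratum\+(?:tcp|ssl)://)?[A-Za-z0-9.-]+:\d{2,5}$")
TOKEN = re.compile(r'"[^"]*"|\S+')


def tokenize(cmdline):
    """Split a Windows-style command line, keeping quoted paths as one token."""
    return [t.strip('"') for t in TOKEN.findall(cmdline)]


def parse_opts(cmdline):
    """Map option -> value, accepting both '-o host:port' and '--url=host:port' forms."""
    tokens = tokenize(cmdline)
    opts = {}
    i = 1  # tokens[0] is the executable
    while i < len(tokens):
        tok = tokens[i]
        if tok.startswith("--") and "=" in tok:
            key, val = tok.split("=", 1)
            opts[key] = val
        elif tok.startswith("-"):
            val = ""
            if i + 1 < len(tokens) and not tokens[i + 1].startswith("-"):
                val = tokens[i + 1]
                i += 1
            opts[tok] = val
        i += 1
    return opts


def is_monero_address(value):
    return bool(MONERO_ADDR.match(value))


def classify(cmdline):
    """Score a launch on the fields attackers customise in an XMRig build: pool, wallet, donate."""
    opts = parse_opts(cmdline)
    pool = next((opts[f] for f in POOL_FLAGS if f in opts), "")
    wallet = next((opts[f] for f in USER_FLAGS if f in opts), "")
    score = 0
    if POOL_URL.match(pool):
        score += 1   # pool given as host:port, the way miners are configured
    if is_monero_address(wallet):
        score += 2   # a Monero address as the "user" is the strongest single signal
    if DONATE_FLAG in opts:
        score += 1   # XMRig-specific option; ordinary tools do not take it
    return {"pool": pool, "wallet": wallet, "wallet_is_monero": is_monero_address(wallet),
            "score": score, "verdict": "likely miner" if score >= 2 else "benign"}


CONSTRUCTED_WALLET = "4" + "Ab1" * 31 + "A"   # 95 chars, syntactically valid, not a real wallet
SAMPLES = [
    # miner dropped under a neutral name, pool on the conventional port
    r"C:\Users\Public\updater.exe -o pool.example.invalid:3333 -u " + CONSTRUCTED_WALLET
    + " -p x --donate-level=1",
    # curl also takes -o and -u: must stay benign
    r'"C:\Program Files\curl\curl.exe" -u admin:secret -o page.html https://example.com/',
    # Firefox's -url is not --url: must stay benign
    r'"C:\Program Files\Mozilla Firefox\firefox.exe" -url https://example.com',
    # long-option form, pool hidden on 443 as in the Tesla case
    "miner.exe --url=stratum+tcp://203.0.113.10:443 --user=" + CONSTRUCTED_WALLET + " --pass=x",
]

if __name__ == "__main__":
    for line in SAMPLES:
        print(classify(line)["verdict"], "|", line[:60])
```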

Means of Propagation

Unlike CoinHive, the XMRig cryptocurrency malware doesn’t need a web browser in order to hijack the computational power of the infected computers to mine the cryptocurrency Monero.

Here are 2 methods used by malicious actors to hijack computational power of the infected computers to conduct illicit mining of Monero:

1. Exploiting Known Vulnerability in Microsoft IIS 6.0

According to Kálnai and Poslušný, one of the means by which malicious actors propagate XMRig malware is by exploiting CVE-2017-7269, a known vulnerability in Microsoft IIS 6.0 within Windows Server 2003. By exploiting the vulnerability in Microsoft IIS 6.0, an unauthenticated, remote attacker can execute arbitrary code.

The code to exploit this vulnerability is publicly available. Microsoft hasn’t confirmed this particular security vulnerability and neither has it issued a software update for this vulnerability. Technically though, Windows Server 2003 has reached the end of life (EOL) and as such Microsoft no longer issues software updates.

2. Malvertising Campaign

Adf.ly is an advertising service that pays users when their URLs are clicked. According to Palo Alto Networks, victims were presented with these Adfly advertising URLs, clicked on the provided link, were redirected and found themselves downloading the XMRig cryptocurrency malware onto their computers.

Server Operating System (OS) Attacks

Servers are particularly attractive to attackers as these machines have more computing power, run 24/7 and are connected to a reliable power source. The reality is that many organizations still use outdated server OSes like Windows Server 2003. These outdated server OSes are susceptible to repeated exploitation and infection by malware like XMRig. Cryptocurrency malware like XMRig can slow the performance of servers, shorten the lifespan of these machines and increase electricity consumption.

“Cryptomining malware has been quite the success story for cybercriminals, and XMRig’s rise indicates that they are actively invested in modifying and improving their methods in order to stay ahead of the curve,” Maya Horowitz, Threat Intelligence Group Manager at Check Point, said in a statement. “Besides slowing down PCs and servers, cryptomining malware can spread laterally once inside the network, posing a major security threat to its victims. It is therefore critical that enterprises employ a multi-layered cybersecurity strategy that protects against both established malware families and brand new threats.”

How to Prevent XMRig Cryptocurrency Malware Attacks

Here are some of the ways to prevent XMRig cryptocurrency malware attacks:

1. Use Up-to-Date Software, Server OS 

In the case of Windows Server 2003, the vendor, Microsoft, has stopped issuing security updates, so attackers have a free pass to attack this system, for instance by exploiting the known vulnerability in Microsoft IIS 6.0 within Windows Server 2003.

It’s therefore important to keep your organization’s server OS and all other software up-to-date.

2. Use Ad Blocker

Another way to prevent XMRig cryptocurrency malware is to use an ad blocker. With an ad blocker, you and your staff will no longer be susceptible to malvertising links that, once clicked, redirect to and download the XMRig cryptocurrency malware onto computers. An ad blocker blocks pop-ups, banners, video ads and other intrusive advertising, as well as malware.


Top 5 Cyber Security Predictions in 2018

12/24/2017


It’s the yearend. It’s the time of the year when we look back at the salient events that made a great impact in the cybersecurity world, and make predictions of what the new year will bring.

Here are the top 5 cybersecurity predictions for 2018:

1. Cryptocurrency Mining

The growth of cryptocurrency this year is unprecedented, with a total value of close to 500 billion US dollars as of December 24, 2017. While Bitcoin is the most dominant cryptocurrency in the market, other cryptocurrencies have soared as well. Monero, for instance, has a total market cap of $5.1 billion as of December 24, 2017, with one Monero coin valued close to $335.

“Mining” is needed for many cryptocurrency coins like Bitcoin and Monero to be processed and released. In the past, Bitcoin could be mined using ordinary computers. Today, Bitcoin can only be mined using specific and high-powered computers, leaving the mining to big companies. Other cryptocurrencies, however, can be mined using ordinary computers. Monero, in particular, can be mined using ordinary computers and even using smartphones.

The people who mine cryptocurrencies called “miners” are given a fair share of the coin value for the computer use. Unscrupulous individuals who want to earn more money from cryptocurrency mining, meanwhile, are scouring the internet looking for vulnerable computers and smartphones to install malicious software (malware) capable of mining cryptocurrency like Monero.

The Adylkuzz cryptocurrency malware, which was released into the wild in May 2017, infects computers running Microsoft’s operating system that failed to install Microsoft’s March 14, 2017 security update. Other cryptocurrency malware that proliferated this year includes Coinhive, Digmine and Loapi. Coinhive is distributed via compromised websites, Digmine via Facebook Messenger and Loapi via online advertising campaigns.

Cryptocurrency mining malware eats up most of the computing power of servers, desktops, laptops and smartphones. This results in the slow performance of computers. The Loapi malware, in particular, is so powerful that it can even melt an Android phone.

“Although attacks that attempt to embed crypto-mining malware are currently unsophisticated, we expect to see an increase in the sophistication of attacks as word gets out that this is a lucrative enterprise,” Imperva Incapsula said in the article "Top Five Trends IT Security Pros Need to Think About Going into 2018”. “We also expect these attacks to target higher-traffic websites, since the potential to profit increases greatly with higher numbers of concurrent site visitors.”

2. Business Disruption

In 2017, the world saw the devastation brought about by ransomware and distributed denial-of-service (DDoS) attacks.

Ransomware is a type of malware that restricts user access to the infected computer until a ransom is paid to unlock it. Two of the notable ransomware this year, WannaCry and NotPetya, are essentially not ransomware, in the sense that the code of these two malware was written in such a way that even the attackers themselves can’t unlock the infected computers. Whether this was intentional or not, only the attackers know. But in this sense, these two malware are considered “wipers”, meant to bring business disruption.

“The WannaCry and NotPetya ransomware outbreaks foreshadow a trend of ransomware being applied in new ways, in pursuit of new objectives, becoming less about traditional ransomware extortion and more about outright system sabotage, disruption, and damage,” researchers at McAfee said.

Another malware that brought widespread business disruption in 2017 was the Mirai botnet, a malware that infected close to 100,000 IoT devices, turned them into robots and launched a DDoS attack that brought down the managed DNS platform of Dyn, which in effect temporarily brought down 80 widely used websites like Amazon, Twitter, Tumblr, Reddit, Spotify and Netflix.

According to Imperva Incapsula, attackers in the upcoming year will probably adopt new business disruption techniques. Examples of these disruptive techniques include modifying computer configuration to cause software errors, system restarts, causing software crashes, disruption of corporate email or other infrastructure and shutting down an internal network (point-of-sale systems, web app to a database, communication between endpoints, etc.).

3. Breach by Insiders

The 2017 Cost of Data Breach Study conducted by Ponemon and commissioned by IBM showed that 47% of data breaches were caused by malicious insiders and outsiders’ criminal attacks, 25% were due to negligent employees or contractors (human factor) and 28% were due to system glitches.

According to Imperva Incapsula, illegal cryptocurrency mining operations in corporate servers are on the rise, set up by insiders or “employees with high-level network privileges and the technical skills needed to turn their company’s computing infrastructure into a currency mint.”

4. Artificial Intelligence (AI) as a Double-Edged Sword

In 2018, AI is expected to be used by cybercriminals as a means to speed up the process of finding security vulnerabilities in commercial products like operating systems and other widely used software. On the other hand, AI is expected to be used by cyberdefenders to improve cybersecurity.

“Unfortunately, machines will work for anyone, fueling an arms race in machine-supported actions from defenders and attackers,” researchers at McAfee said. “Human-machine teaming has tremendous potential to swing the advantage back to the defenders, and our job during the next few years is to make that happen. To do that, we will have to protect machine detection and correction models from disruption, while continuing to advance our defensive capabilities faster than our adversaries can ramp up their attacks.”

5. GDPR

In 2018, one thing is for sure: General Data Protection Regulation (GDPR) will be enforced on May 25, 2018.

GDPR is a European Union (EU) law that has an “extra-territorial” reach. Businesses that process personal data or monitor the online behavior of EU residents are still covered under this law even if they aren’t based in any of the EU countries. Salient features of the law include consent requirements, the right to be forgotten, transparency requirements, cybersecurity measures and data breach notification.

“In the corporate world, McAfee predicts that the May 2018 implementation of the European Union’s General Data Protection Regulation (GDPR) could play an important role in setting ground rules on the handling of both consumer data and user-generated content in the years to come,” researchers at McAfee said.

Happy 2018, and Stay Safe!


Bitcoin Popularity Gives Rise to Cryptocurrency-Themed Malware

12/4/2017


Amidst the surge of Bitcoin’s popularity, other cryptocurrencies have also risen along with it.

As of December 4, 2017, Bitcoin is worth nearly $11,000. Other cryptocurrencies have also increased in value. For example, Monero is now worth $201. Bitcoin was introduced in 2009 and Monero in 2014.

Contrary to popular perception, Bitcoin transactions aren’t anonymous. All Bitcoin transactions are public records and can be tracked. Monero, meanwhile, markets itself as an anonymous cryptocurrency, claiming that a single Monero coin can’t have its entire transaction history revealed.

Both Bitcoin and Monero are cryptocurrencies that need to be mined. Cryptocurrency mining is defined as the process by which transactions are verified. It’s also a means by which a cryptocurrency or digital coin is released. For their effort and use of hardware, miners are given a small share of the cryptocurrency.

In the past, anyone with a PC could mine Bitcoin. Nowadays, only those who own computers with huge computing power can mine Bitcoin. Monero, on the other hand, can be mined by just about anybody using ordinary desktops, laptops and even smartphones.

Cryptocurrency-Themed Malware

Candid Wuest, security researcher at Symantec, told the BBC that malicious software (malware) connected with cryptocurrency has increased "tenfold". "There's been a huge spike," said Wuest, adding that this surge had been caused by the rapid rise in Bitcoin's value.

Malwarebytes' security researcher Jerome Segura, meanwhile, told the BBC that Malwarebytes blocked nearly 250 million attempts to place cryptocurrency malware on to PCs.

Adylkuzz Cryptocurrency Malware

Adylkuzz is a malware that installs the code used to mine the cryptocurrency Monero without the knowledge and consent of the computer owner.

The Monero mining code is maliciously installed by Adylkuzz into a computer by exploiting a Windows operating system vulnerability called “EternalBlue”. The ransomware WannaCry also exploited the same vulnerability in Windows operating system. Unlike WannaCry which can self-propagate on its own to infect others, Adylkuzz has no self-propagation capacity.

Monero mining, courtesy of the Adylkuzz malware, operates in the background, and users of compromised computers are unlikely to notice this unauthorized activity.

Cryptojacking

Cryptojacking refers to the malicious installation of crypto mining software on a website without the knowledge and consent of the site owner, and likewise without the knowledge and consent of the website’s visitors.

Coinhive is a software that enables cryptocurrency miners to install Monero cryptocurrency mining code on a website using JavaScript. Coinhive operates on the premise that cryptocurrency mining can be a means for website owners to earn revenue, in lieu of advertising.

Once CoinHive is installed on a website, the CPU power of every site visitor is used for cryptocurrency mining. CoinHive requires a unique ID to which the crypto mining income is delivered. The more computers are compromised for crypto mining, the more Monero coins the attackers get. Earned Monero coins can easily be converted to Bitcoin by selling them on a number of trading exchanges that also allow anonymity.

There’s nothing wrong with utilizing cryptocurrency mining instead of the traditional advertising in websites. What’s unacceptable is when cryptocurrency mining code is installed without the authorization of the site owner as well as without the authorization of site visitors.

Early this month, one security researcher found Coinhive mining code on 2,496 online stores. It’s presumed that the installation of this crypto mining code on these online stores was done maliciously, as these store owners are unlikely to be after a little extra money from crypto mining.

The researcher found that 85% of the 2,496 compromised stores are linked to only 2 CoinHive accounts, while the remaining 15% of the infected stores are linked to several unique CoinHive accounts.
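An added example, not the researcher's tooling: a scanner that a shop owner or incident responder could run over saved page sources to find an injected Coinhive miner and group infected sites by the site key they pay into, which is the kind of grouping behind the "85% linked to only 2 accounts" figure above. The loader URL and the CoinHive.Anonymous/CoinHive.User calls are Coinhive's public JavaScript API; the site-key format check (alphanumeric, 16 or more characters) is an assumption, and every sample page and key below is constructed.

```python
import re
from collections import defaultdict

# Coinhive's loader lived at coinhive.com/lib/coinhive.min.js and a miner was started with
# new CoinHive.Anonymous("<site key>") or new CoinHive.User("<site key>", ...). The key-format
# check is an assumption; all pages and keys below are constructed.
LOADER = re.compile(r"""<script[^>]*\ssrc=["'][^"']*coinhive\.com/lib/[^"']*["']""", re.I)
SITE_KEY = re.compile(r"""CoinHive\.(?:Anonymous|User)\(\s*["']([A-Za-z0-9]{16,})["']""")


def find_site_key(html):
    """Return the Coinhive site key if the page both loads the library and instantiates a miner."""
    if not LOADER.search(html):
        return None
    m = SITE_KEY.search(html)
    return m.group(1) if m else None


def group_by_key(pages):
    """Map each site key to the store URLs that pay into it (pages: {url: html})."""
    groups = defaultdict(list)
    for url, html in pages.items():
        key = find_site_key(html)
        if key is not None:
            groups[key].append(url)
    return dict(groups)


def top_key_share(groups, n=2):
    """Fraction of infected pages attributable to the n busiest keys (0.0 when none are infected)."""
    sizes = sorted((len(urls) for urls in groups.values()), reverse=True)
    total = sum(sizes)
    return sum(sizes[:n]) / total if total else 0.0


def miner_snippet(key):
    """Build a constructed store page that embeds a Coinhive miner with the given key."""
    return ('<html><body><h1>Shop</h1>'
            '<script src="https://coinhive.com/lib/coinhive.min.js"></script>'
            f'<script>var miner = new CoinHive.Anonymous("{key}"); miner.start();</script>'
            '</body></html>')


KEY_A = "CONSTRUCTEDKEYAAAAAAAAAAAAAA0001"
KEY_B = "CONSTRUCTEDKEYBBBBBBBBBBBBBB0002"
KEY_C = "CONSTRUCTEDKEYCCCCCCCCCCCCCC0003"
SAMPLE_PAGES = {
    "https://store1.example/": miner_snippet(KEY_A),
    "https://store2.example/": miner_snippet(KEY_A),
    "https://store3.example/": miner_snippet(KEY_A),
    "https://store4.example/": miner_snippet(KEY_B),
    "https://store5.example/": miner_snippet(KEY_C),
    # library loaded but no miner started (e.g. a half-removed injection): not counted
    "https://store6.example/": '<script src="https://coinhive.com/lib/coinhive.min.js"></script>',
    # clean page that merely mentions the name in text
    "https://store7.example/": "<p>We do not run CoinHive.Anonymous miners here.</p>",
}

if __name__ == "__main__":
    groups = group_by_key(SAMPLE_PAGES)
    for key, urls in groups.items():
        print(key, len(urls), "store(s)")
    print("share of top 2 keys:", top_key_share(groups))
```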

In September of this year, Showtime websites – showtime.com and showtimeanytime.com – were found to be running Coinhive mining code. Following public exposure, the code has since been removed.

Malwarebytes' security researcher Segura, meanwhile, discovered a technique that allows attackers to use the CPU power of every site visitor for cryptocurrency mining even if the visitor closes his or her browser.

Malwarebytes tested this discovery using the latest version of Google Chrome browser. The researchers at Malwarebytes observed the following process:

  1. Once a user visits a compromised website, the crypto mining code is then silently loaded.
  2. CPU power of the site visitor is used for cryptocurrency mining activity.
  3. Even when the user leaves the site and closes the Chrome browser, the CPU activity of the user still remains higher than normal as crypto mining continues.

Attackers fool users into believing that the browser is closed by hiding the browser under the taskbar's clock. Resizing the taskbar will reveal this still operational browser. Below is the screencap of the hidden browser.

[Screenshot: hidden browser window. Image by Malwarebytes]

“Nearly two months since Coinhive’s inception, browser-based cryptomining remains highly popular, but for all the wrong reasons,” Malwarebytes said. “Forced mining (no opt-in) is a bad practice, and any tricks like the one detailed in this blog are only going to erode any confidence some might have had in mining as an ad replacement.”

Coinhive, in a statement, said, “We're a bit saddened to see that some of our customers integrate Coinhive into their pages without disclosing to their users what's going on, let alone asking for their permission.”

How to Prevent Cryptocurrency Mining Attacks

Cryptocurrency mining is perfect for computers specifically meant for this purpose. Mining cryptocurrency, however, on desktop, laptops or smartphones on top of everyday usage has negative effects.

Crypto mining involves enormous calculations that ordinary computers aren’t meant to do. On smartphones, crypto mining can quickly deplete batteries. And across computing devices used for ordinary usage, crypto mining can decrease speed, efficiency and even damage the hardware.

Here are some tips on how to prevent cryptocurrency mining attacks:

Keep your Windows operating system up-to-date, to block, in particular, Adylkuzz malware as Microsoft already patched the vulnerability exploited by this malware.

To ensure that your browser is actually closed even after clicking the “x” button, run Task Manager and terminate any browser process that is still running.


Author: Steve E. Driz

Copyright © 2019 Driz Group Inc. All Rights Reserved.