Cryptominers: Detecting a growing source of revenue for cyber attackers

Against a backdrop of securing digital environments, rising electricity prices and the cost of using cloud resources, Gatewatcher seeks to detect the illicit use of cryptominers on networks.

Cryptominers: what are they?


Cryptominers are legitimate software used to “mine” cryptocurrencies by exploiting the resources of one’s machine. Specifically, a cryptominer hijacks the processing power of an individual’s device and uses it to mine cryptocurrency.

Like penetration testing tools such as Cobalt Strike or Brute Ratel, presented in the November issue of the Cyber Threat Barometer, cryptominers are often hijacked and used as malware by attackers. The objective is to deploy them on victim machines to “mine” on the attackers’ behalf. Depending on the duration and the number of infected computers, these attacks can be very profitable at low risk, because they are discreet. Certain effects may be observed on the device, such as reduced performance, significant overheating and increased fan activity. However, these symptoms may also be the result of other, less serious technical problems. It is also a less impactful method than ransomware, and so draws less attention.

It is still a scourge for organizations: the Chimaera campaign, launched by the TeamTNT group, earned $8100 in passive revenue by exploiting more than 10,000 infected endpoints on cloud environments. For this campaign, it was estimated that the cost to victimized companies exceeded $430,000, or $53 for every dollar mined.

Despite the fall of the cryptocurrency market, the exploitation of cryptominers for malicious purposes has not waned over the year 2022.

This growing popularity can be explained by different elements:

  • the increase in the price of electricity
  • the fact that cyber attackers do not have to pay for electricity because they do not have to use their own machines
  • the absence of the need for infrastructure (servers for data storage or beaconing)
  • the little technical knowledge required
  • the ease of their integration into a more impactful attack

 

While the deployment of cryptominers is mainly achieved through phishing, downloading pirated content, using malware disguised as legitimate resources, or exploiting vulnerabilities, some attackers are more resourceful. Some Docker container APIs have been deliberately misconfigured, publicly exposed and exploited on a large scale.

Others used Docker images that imitated legitimate images, for example of Linux distributions, and had been altered upstream. This last method allowed the attackers to deploy a non-negligible number of cryptominers, with some twenty million downloads of at least 30 images recorded.

Finally, some were also using downloads of apparently legitimate resources such as films, games or software, which were in fact infected.

Pool mining: for a shared and regular income


There are two families of cryptominers:

  • the so-called “in-browser” cryptominers that run in the background when a web page is visited
  • and the “binary-based” ones, which we hear about the most, and which will be subject to special detection methods. This malware is installed directly on the system and uses the machine’s resources.

There are two ways to mine cryptocurrencies: “solo mining” or “pool mining”.

Solo mining is a method of mining individually and usually requires a lot of computing power, whereas pool mining allows you to share your power with other machines in a mining pool. Not only does this second method not require a particularly large amount of computing power, but it also leads to more regular income by sharing the rewards between the different miners in the same pool.

 

When a cryptominer works in “pool mining”, it authenticates to a “pool server”, which then regularly sends it, and the other miners on the server, calculations to be carried out: “jobs”. The miner then replies to the pool server with proposed answers: “submits”. As soon as a new job is received, the miner abandons the previous one.

It is worth noting that for the same currency, there are a large number of “pool servers”. Each pool server exchanges different parameters with its client cryptominers, so the content of the packets varies from one pool to another.
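The login, job and submit exchange described above can be recognised in clear-text traffic. The following is an added example, not Gatewatcher's code: it assumes a pool that speaks newline-delimited JSON-RPC with `login`, `job` and `submit` methods, and matches on method names and field shapes rather than exact bytes, since parameters differ between pools. The flow ids, directions and payload values are constructed.

```python
import json
from collections import defaultdict

# Constructed capture: (flow id, direction, one payload line). All values are invented.
SAMPLE = [
    ("flow-1", "to_server", '{"id":1,"jsonrpc":"2.0","method":"login","params":{"login":"WALLET_PLACEHOLDER","pass":"x","agent":"miner/0.0"}}'),
    ("flow-1", "to_client", '{"id":1,"jsonrpc":"2.0","result":{"id":"s1","job":{"blob":"00","job_id":"j1","target":"ffff0000"},"status":"OK"}}'),
    ("flow-1", "to_client", '{"jsonrpc":"2.0","method":"job","params":{"blob":"01","job_id":"j2","target":"ffff0000"}}'),
    ("flow-1", "to_server", '{"id":2,"jsonrpc":"2.0","method":"submit","params":{"id":"s1","job_id":"j1","nonce":"0a0b0c0d","result":"00"}}'),
    ("flow-1", "to_server", '{"id":3,"jsonrpc":"2.0","method":"submit","params":{"id":"s1","job_id":"j2","nonce":"0a0b0c0e","result":"00"}}'),
    ("flow-2", "to_server", '{"id":7,"jsonrpc":"2.0","method":"getStatus","params":{}}'),
    ("flow-2", "to_client", "HTTP/1.1 200 OK"),
]
JOB_KEYS = {"blob", "job_id", "target"}  # fields a job carries in the assumed dialect

def analyse(records):
    """Summarise each flow: login seen, job ids received, submits sent, stale submits."""
    flows = defaultdict(lambda: {"login": False, "jobs": [], "submits": 0, "stale": 0})
    for flow_id, direction, line in records:
        try:
            msg = json.loads(line)
        except ValueError:
            continue  # not JSON, so not this protocol
        if not isinstance(msg, dict):
            continue
        st = flows[flow_id]
        method, result = msg.get("method"), msg.get("result")
        params = msg.get("params") if isinstance(msg.get("params"), dict) else {}
        if direction == "to_server" and method == "login":
            st["login"] = True
        elif direction == "to_server" and method == "submit":
            st["submits"] += 1
            # A submit for anything but the newest job answers an abandoned job.
            if st["jobs"] and params.get("job_id") != st["jobs"][-1]:
                st["stale"] += 1
        elif direction == "to_client":
            # Jobs arrive inside the login response and as later "job" pushes.
            if method == "job":
                job = params
            else:
                job = result.get("job") if isinstance(result, dict) else None
            if isinstance(job, dict) and JOB_KEYS <= job.keys():
                st["jobs"].append(job["job_id"])
    return dict(flows)

def is_pool_mining(st):
    """Flag a flow where the server handed out jobs and the client logged in or submitted."""
    return bool(st["jobs"]) and (st["login"] or st["submits"] > 0)
```

This only works on unencrypted flows; a pool reached over TLS or through a proxy needs the metadata-based approaches discussed in the conclusion.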

The call for anonymity


Of all the cryptocurrencies available on the market, “Monero” is the most attractive to attackers. It offers the greatest anonymity and untraceability of transactions. It is also one of the most profitable cryptocurrencies to mine with only a CPU (Central Processing Unit), which gives it a particular advantage since machines in corporate fleets often have limited computing power.

It is for these reasons in particular that XMRig is the cryptominer most often hijacked by attackers, as it is the most developed software for mining Monero. Although it is the most popular among legitimate miners, it is often considered suspicious by antivirus engines, to ensure detection in the case of malicious use.

All of these elements lead threat actors to use pool mining on infected machines to mine Monero.

Detecting the use of cryptominers


In order to detect the malicious use of cryptominers, three use-cases can be distinguished:

  • The case of a phishing attack
  • The case of the exploitation of a vulnerability
  • The case of a malicious employee using company resources

Gatewatcher has different threat detection solutions. For these use cases, we make use of the Suricata rules provided by our partner ETPRO, updated daily, as well as our file analysis engine.

 

Use-case of a cryptominer deployment via a phishing attack

  • Scenario: an inattentive victim clicks on a link and downloads malware.

The Suricata rules will act on:

  • the download of the malware from an attacker’s HTTP server
  • the HTTP headers of the server
  • the attacker’s domain resolution
  • the TLS certificate of the attacker’s server
  • the TLS SNI of the attacker’s server

This use-case can be extended to the download of a cryptominer disguised as a legitimate resource, which can take place as part of a phishing attack.

Regardless of the origin, if the traffic is in clear text, our malcore detection engine performs a multi-engine static and heuristic analysis of the file to determine its intent.

 

Use-case of a cryptominer deployment by exploiting a vulnerability

  • Scenario: a CVE is exploited by the cryptominer

Suricata rules will act on:

  • CVE-2021-26084 and CVE-2022-26134 on Confluence servers
  • CVE-2021-44228 on Apache Log4j
  • CVE-2022-29464 on WSO2 products

These four CVEs were particularly exploited during 2022 to deliver cryptominers to infected environments.

Similarly, we have Suricata rules for CVEs on IoT devices. Most recently, in late 2022, the Zerobot botnet was observed to exploit a significant number of CVEs on IoT devices, including the following CVEs that we detect:

  • CVE-2014-8361
  • CVE-2017-17215
  • CVE-2020-10987
  • CVE-2020-25506
  • CVE-2021-35395
  • CVE-2021-36260
  • CVE-2021-46422
  • CVE-2022-22965
  • CVE-2022-25075
  • CVE-2022-26210
  • CVE-2022-26186
  • CVE-2022-30525

In the case of infection via a CVE, the cryptominer transferred to the infected machine is also analysed by our malcore detection engine, if the traffic is in clear text.

 

Use-case of a cryptominer deployment via the action of a malicious employee

  • Scenario: the malicious employee uses company resources for personal use

Suricata rules will act on:

  • Downloading the malware/configuration file from known sources
  • The use of resources related to cryptocurrencies (such as checking one’s balance).

These three use-cases then converge once the miner is running and communicates with the pool server.

In this case, the Suricata rules will act on:

  • the DNS request to the pool server
  • the TLS certificate of the pool server
  • the TLS SNI of the pool server
  • the content of clear text communications between the client and the server

As an example, here is a Suricata rule that matches on the resolution of subdomains of *.nanopool.org, one of the most popular pool servers for Monero:

alert dns $HOME_NET any -> any any (msg:"GW CURRENT_EVENT DNS query to public cryptomining pool domain (*.nanopool.org)"; dns_query; content:".nanopool.org"; nocase; isdataat:!1,relative; sid:1000001; rev:1; classtype:trojan-activity; metadata: created_at 2023_01_31;)
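To hunt retrospectively with the same logic, the rule's match (a case-insensitive suffix with nothing after it) can be replayed over stored logs. The following is an added example, not Gatewatcher's code: it goes beyond the rule by also checking TLS SNI values and tolerating a trailing dot, and it assumes logs shaped like Suricata EVE records with `dns.rrname` and `tls.sni` fields. The sample events and hostnames are constructed.

```python
import json
from collections import Counter

SUFFIX = ".nanopool.org"  # the content value from the rule above

# Constructed sample, shaped like Suricata EVE events (assumed field layout).
EVE_LINES = [
    '{"event_type":"dns","src_ip":"10.0.0.5","dns":{"type":"query","rrname":"sub1.nanopool.org"}}',
    '{"event_type":"dns","src_ip":"10.0.0.5","dns":{"type":"query","rrname":"SUB1.NanoPool.ORG"}}',
    '{"event_type":"dns","src_ip":"10.0.0.7","dns":{"type":"query","rrname":"nanopool.org"}}',
    '{"event_type":"dns","src_ip":"10.0.0.8","dns":{"type":"query","rrname":"nanopool.org.example.net"}}',
    '{"event_type":"dns","src_ip":"10.0.0.9","dns":{"type":"query","rrname":"notnanopool.org"}}',
    '{"event_type":"dns","src_ip":"10.0.0.5","dns":{"type":"answer","rrname":"sub1.nanopool.org"}}',
    '{"event_type":"tls","src_ip":"10.0.0.5","tls":{"sni":"sub1.nanopool.org"}}',
    "not json",
]

def rule_matches(name):
    """Mirror content:".nanopool.org"; nocase; isdataat:!1,relative.

    Case-insensitive, anchored at the end of the name. The leading dot means the
    bare apex and look-alikes such as notnanopool.org do not match. Stripping a
    trailing dot is an addition for logs that store fully qualified names.
    """
    return name.lower().rstrip(".").endswith(SUFFIX)

def hunt(lines):
    """Return {src_ip: hits} over DNS queries and TLS SNI values that match."""
    hits = Counter()
    for line in lines:
        try:
            ev = json.loads(line)
        except ValueError:
            continue  # skip lines that are not JSON
        if not isinstance(ev, dict):
            continue
        name = None
        if ev.get("event_type") == "dns" and ev.get("dns", {}).get("type") == "query":
            name = ev["dns"].get("rrname")
        elif ev.get("event_type") == "tls":
            name = ev.get("tls", {}).get("sni")
        if isinstance(name, str) and rule_matches(name):
            hits[ev.get("src_ip", "unknown")] += 1
    return dict(hits)
```

Because the content starts with a dot, a query for the apex nanopool.org itself is not reported by either the rule or this replay.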

 

Conclusion


Thus, these rules are effective in covering a large number of attacks. For the most experienced cyber attackers, however, it is still possible to bypass these rules by using certain concealment methods. For example, some attackers encrypt their communications and use proxy servers to hide the pool server they are communicating with, or set up their own pool server.

Gatewatcher is therefore studying a Machine Learning model based on metadata, and more specifically on the study of packet size and transmission frequency, in order to detect communications to a pool server, whether the flow is encrypted or not, and regardless of the server with which the client is communicating.

 

Gatewatcher already has detection engines based on metadata, such as the Beaconing Detection Solution, and will be able to use them to detect cryptominers.

 

Author: Hippolyte Cousin – R&D Engineer