CoinMiner Are Evasive - Omri Segev Moyal & Thomas Roccia

we are going now to start with our nerf next talk we are going to talk about going Niners and we are going to have our second international speaker from us and we're going to have our own armory from very active in the Israeli hacking community so welcome thanks

[Applause]

like all right so almost every Enterprise suffered at least one crypto mining related attack this year so how many of you raise your hand how many of you already have an experience with craft oh my no raise your hand more than expected right all right so thank you very much my name is Tomas Rocha I'm working as a security researcher in the McAfee advanced wet research team and really happy to be here today my name is Omri Tiger morale and I'm the co-founder and head of research at Minerva labs ok so what we will discuss today so mostly we will review together the rise of coal miner we all know that since sometimes there is a lot of crypto

miners or coal miners that infect your computer we will see also another view of the evasion techniques mostly used by a crop terminal which is interesting to notice here is the cryptocurrency interest in Google Trends and we can see that there is a huge peak in the in last December which was in the same time as the the Bitcoin peak another thing which is interesting is the interest come from mult and Marta is a tax haven so could be related as well we're also going to look about the kind of gang territorial wars between competing crypto miners and of course it's a b-side talk so we gotta have some defensive tactics something you can take home and improve your

security related to that and we also going to do some gambling on production so I did I missed all my vodka bet so maybe I'll get one good here so everyone heard about a story about crypto my nails every day we have a new one even the last two day we get new one as well there is one with docker attack so every day is a new as a new day for crypto my crypto minor and cyber criminals so basically even preparing this talk we were really overwhelm every time we went and tried to improve the the talk then there was a new attack coming up coming and up and there was one just yes two

days ago about the Dockers and basically someone is pretty smart embedded crypto minors inside docker images that were download by thousands of people my boy anyway so we will try to keep it up to date but you know if you just Google for crypto module funds are more recent attacks okay so let's talk about the business model used by Auto behind crypto my nose so mostly to mine crypto currency you need to use a computer resources but it's not any more profitable to mine in your own so that's why cyber criminal decided to move to crop to miners by infecting people and multiply the resources to mine cryptocurrencies there are also like legitimate miners they're

gonna choose public pools so they can share the resources with other miners so they can maximize the profit and also large botnets have bins we seen transition to using crypto miners as well ok so what about the most cryptocurrency mine at least used by cyber criminals all crop terminals yes it's money row so it's real interesting to see that because mana row of specific functionality such as it provides anonymous and anonymous for anonymity sorry for cyber criminals and it's also easy to implement and easy to use in your own tools which is interesting to notice as well is even money row claims the money regimes claims that 80% of the network a chouette is unknown meaning we

have 80% of the a shred network from money which could be potentially from a cyber criminal activity or at least Club to my nose another strong feature of Manero is that unlike a terraeum bitcoin the transaction are much more anonymous and also if you look at anyone with Bitcoin wallet you can see exactly how much money money or Bitcoin they have the transaction with much much it's much more complicated than that so when we're looking about the crypto miners is a malicious application or is a malware we need to separate it as a malware basically we want to know how it gets to our computers other computers or servers etc so we started investigating and we reach the same conclusion that

the majority of crypto miners attack are pretty much similar to any malware attack most of its together is less sophisticated they will use things like spearfishing malicious documents they will use warm sell of war mobility like exploiting brute forces or smb1 a chronic that I mentioned wanna fly here and also we seen that basically and we will speak about it more in more details soon they will start competing each other as well one more thing I forgot to mention is unlike malware there's one with the interesting fact they don't really need in some of them to infect the computer all they need is a JavaScript access to start mining with your browser so you can just browse to

somewhere they don't need an exploit they're running anything you will just stop your computer will start mining slow so the rise of coal miners again so we know that mining can damage your computer hardware but there is also some clever way to make you reach but also to warm your home and you and your cat so that's an example about how to mine cryptocurrency in your home which could be also really interesting I think it's one of their only efficient ways to actually use crypto miners okay so before to deep dive into the song use cases let's define what is evasion techniques so evasion techniques mostly all the techniques used to avoid dynamic static analysis human analysis

also in order to understand the behavior of software or malware and it's interesting to understand this concept because today in modern malware there is plenty of evasion techniques that are implemented to avoid detection and analysis so that's why we can classify the evasion techniques by the following so we have on T cell boxing or key antivirus etc etc there is plenty and there is new techniques that appears every day cool so we start with a quick intro and now let's dig in a bit more deeper so one of we're gonna do it by case studies this is the way we are gonna design it so one of the interesting fifth toe - that we've seen

called water miner basically a Russian author schooled with his friends and he putted crypto mine inside a GTA Mode something like that forgive me I can't translate Russian hundred-percent and basically what they did is it was chosen right so as soon as someone started to run the mode the crypto minor would have been installed on the sides kind of like a fake Oracle or Intel products it did some really cool evasive stuff so first of all XM rig if anyone doesn't know it it's an open-source tool to mine Manero XM rig needs some parameters to run or a config file so you can see which wallet you are how many threads etc what they did was

pretty smile was one of the first one to do it they took the parameters they took the code and embedded inside the main crypto minor payload so was it's not that easy to track and another really cheeky thing they did is you know the it's it was a mode for power users for people who were like cheat on games so whenever your machine starting to run slow what do you do you probably open task manager or if you're in Russia you're gonna open end here and basically what they did as soon as envy or test manager would have been open the crypto mining process would have run into a halt so basically it would have reduced the CPU and you

wouldn't see what's actually stealing your resources so by the way we've managed to track the author his name was Anton you remember the sole name I don't remember yeah it was name is that was Anton a we since Antone even of but he was in Russia so they couldn't really track him do anything to him but at least we've shamed him a bit every year is another crop terminal which is really interesting too so this one is coming packed so you can see there is some nice string into the packet file and if you if you reverse the the some pores you can you can see actually that this one is replacing the wallet address into the

clipboard which is real interesting because if you don't pay attention the malware will replace the wallet address that you copy past and it will replace this wallet by his own his own wallet sorry and we can see here that he is looking for several wallet address which has btc-e that6 cetera so this kind of marvel is really interesting and it comes from with other techniques such as also Bitcoin stealer so it will look for the registry for Bitcoin cutie it will steal the wallet and it will also have capabilities to steal the cookie into into the into the machine infected machine so this one is really interesting and it's a real case selling on several black market so it's still

interesting to study this kind of crop terminals so as I mentioned it can be a 2018 talk without mentioning wanna cry but we're not really gonna discuss right here when one okay first emerge then there was another pretty much similar you iwi eeks or whatever you want to pronounce it I'm really bad at pronouncing malware names but anyway at the same time Monica was exploiting your SMB is eternal blue whatever this was doing the same was originally originally originally I ran so much that shifted to crypto minor and basically the one of the reason that it was never really found was never detected probably how many of you have heard about this before how many of you heard about Warnock Roy

yep so basically what they did they we call it they crawl the web look for anything that's called evasive techniques some code they can still grab that code copy paste it put it into the mail to the main malware and basically the researchers and everybody were thinking it might have been one of our exploiting the SMEs that was actually ywi X I was really really evasive things like anti debuggers on T V M on T sandboxing etc so pretty smart and effective okay so let's talk about Java Java Surya adolfo to pronounce anyway this one is also using several evasion techniques so first of all is coming with a fakie code so which is a simple

trick used by malware it's also infecting every HTML file meaning it it inject a con I've JavaScript into a into each HTML file on the system so if you don't pay attention you run your HTML file in your web server on production and you mind cryptocurrencies it also have capabilities such as on chief forensic by deleting for example safe mode or the registry access it also delayed the backup the dot is oh and dodgy a show finally which is actually a fail this malware is infected every PE file into the system even the critical file resulting a crash of the system so here we have an example so it comes with the high cone of 360 safe which is not

Chinese antivirus we have an example about the HTML file modified into the infected machine here we have an extract with the antivirus yeah I forgot to talk about that Java is also redirecting or the antivirus website to the localhost to avoid any any gathering data about about it so we can see here the list we can see for example values total and also security website the registry disabled which is here and the disable safe good which is just here ok so we saw some example about evasion technique such as anti forensic and also injection etc but there is also a competition between crop to minors and we're going to talk about that right now so most of

the most of some crypto minor are using for example will browse the task manager to find for example and also threat and kill the process or they will patch directly the system to avoid any affection we are specific vulnerabilities you might asking yourself why does they care about competition so anyone who's done incident response probably found at least some computers with like 6 7 Trojans and they're all living together feasting from the information they can stay still but crypto mind is kind of like ransomware they can't live together because they make the money or for Mahmoud CPU they actually use and if someone else taking the CPU first the user probably going to get annoyed fares

fast and second they're gonna make less money so one of those crypto miners really evasive called ghost miner ghost miner was found spreading via WebLogic own abilities in oracle sm a brute-force PHP admin brute-force mostly focus on Windows system you can see a quick power shove test looking at how much network is actually created from a PowerShell this is the type of the communication now of course minor was they built almost completely in PowerShell so both the spreading and deploying the payload first of all they used and invoke reflective Pia injection from power sploit so you can easily inject now really interesting to see was the first generation of ghost miner wasn't really using PowerShell almost and it

was really easily detected by the majority of IVs and other tools and the second generation when he was very discovered wasn't detected almost at all at least from the products we've been able to test so it shows the evasiveness and how much important it is now for main topic here basically ghost miner was really really vicious against its competitors and whoever created this did a really major research they look for things like static names for other crypto miners they look for open-source tool they would delete and kill any process related to crypto miners kill any scheduled tasks delete services etc now what we did basically we reverse-engineer the code and we were able to create an open-source PowerShell

script that does actually the opposite is going to help red teamers and defenders to to fight against other people miners basically what happens here we have the this discussed XM rig miner running in the background and basically as soon as will run the miner killer script it will find that miner and kill life now if you do decide to use it it's up on github use it with caution may be one of the IT guys that actually deployed for miners will get annoyed by you or you kill supplications so again used with caution and you can see that the miner was killed right away all open source you can have a look at that regarding competition difficulties

and also another crop Tomiko to minors so this one was coming after the one aqua infection and spreading with the same vulnerability eternal blue it was actually not embedded directly into the the some parts but spreading manually and we can see here so we will reverse engineering the the some pores at McAfee and there is the first one we saw the some part was in up trail 2017 and after one acquire infection the one spreading with the eternal blue and we compared the same function the function of the the both samples and it was actually almost the same and this one he was willing to receive because it was using also a small batch script to patch the sed PO

to avoid any other infection via the eternal blue exploit it's kind of interesting what do you prefer getting around somewhere from the exploit or getting a crypto miners okay there is also also a very technique especially for crypto minor so for example they can use they can limit the CPU utilization to avoid detection so for example when you look at the when you look at the task manager you see the CPU but there is no over you say over over CPU usage so they can they can change that they can also enable the mining process on specific hours see if you go to lunch the malware will see that you are not in front of your computer and will mine we

start the mining process and and they can also for example I used mining process in several area so if you for example let your computer on during the night the miner can wake up and use the the resources of your computer so just to recap a bit what we saw in this presentation about the evasive techniques so mostly we can see that the the samples to die HDD for that presentation was using Packers like most of the malware but also process injection and also auntie Nitori which is makes sense because when you when you when you have a crypto miners what they want it's not to be detected so if they use ot monitoring techniques for example to disable the

the task manager or to disable the registry they will they will have more time to to mine to use the resources of your computer yeah we make kind of a small table here is showing the case studies in which evasive techniques each one of them used if anyone wants to research themself will be able to share their samples maybe you'll find some evasion tactics yeah so basically you know as I said we gotta give you some defensive to defensive tactics so one of the major thing we recommend is to Pony to office I CPU activity in your network and your device says it's not that easy but there's some really cool tools to do it basically either you found a crypto

miners you've got an application that's running really bad here you need to add some CPUs so it's not a bad thing to do anyway second thing there's a link here for the miner killer either you can take it and use it again with caution or you can understand what where the things that we're looking for and maybe build some tools yourself you can also find on our github yahwah rule for detecting money rule which is a basic one to detect Munir activity also it's good to monitoring your traffic for example miss not rules or this kind of tools you can monitoring your traffic for crypto currency transaction or mining traffic and there is also the current block

yoli's which is really cool because this list is actually getting all the website using crypto minor we just connive or others and it's actually a cool demo for that so it's basically it's basically just how to implement the list on on your firewall and then on to who you you create the routes or the or the crypto minor from specific website will be blocked by the by the firewall it's such a simple to simple obvious a simple task that you can do and you can spread it for your order network it's a good list on gear up it's basically maintained by a single guy in Germany crazy guy 0 dot but we should follow him and it's really really

effective because majority of crypto - do have some known domains this the less sophisticated ones so in this here you can basically see how we implemented in a little snitch and now it's easily to get it's blocking other crypto miners so basically if we're into the kind of the gambling here so what things we can expect in the future obviously at least from our perspective we see that crypto matters isn't gonna search even farther we see more and more attackers are using it we actually finger because the molero price and bitcoin price decreased a bit attackers have more incentive to get and find more computers and increase their botnets so it's something we're gonna see we probably gonna system or what we

call unhandled devices things that are less money - it looks like your raspberries your light bulbs your refrigerator gonna get attacked and probably gonna get deployed by crypto miners on them we can also see also we talked we talked about it a bit before there is also some move from cyber criminals so for example some minor we will present during this tour such as Joe acaba was actually originally a ransomware and giotto of decided to move to crop to crop to minor there is also some past example we Braddock's and trig boat which was starting to target cryptocurrency wallet and cryptocurrencies user regarding if we if we go further in in the future regarding the attacks into the

blockchain there is like the majority attack which was already the case with the verge coin and the BTC guard so I will go more in detail for for this one for it an example about our intent and devices were already starting to see kind of the first box of that trend is an ADB miner based looking for debug your ports for Android and then when it finds them probably like shout and stuff like that or scanning then the net they're gonna get install installing the miner which is interesting here is to observe the rise of botnet miner so it's it will be much more common to see botnet miner in the future because it's much more profitable for cyber

criminals regarding the majority attack so basically the majority attack will influence the blockchain integrity and with the rise of botnet magnetars it could be more common in the future so what is the majority attack exactly it's the case where cyber criminals or malicious actors will get more than 51% of the network meaning they can influence the the blockchain by forging their own blocks of create their own transaction or also can sell the real transaction so it with the rise of botnet miners it could be more more common in the future so just a quick recap because we went through some funds from some topic so we start with kind of the trend the rise of crypto - we then we then went to

bit into the rabbit all about some case studies about what are those evasive techniques they used we look at evasive techniques and competition between those the miners hopefully we offered some good and defensive tactics let us know if it worked for you and we went for a bit just right now and exploring some future trends all right thank you very much for your attention

so now we hope you enjoyed the talk so if you have any question feel free to reach out to us even after the talk on on Twitter or LinkedIn anyway so anyone have any questions I try it's gonna beautiful ones all right if anyone have any questions you can come to a softer and thank you