
Thank you, Andy. Can you guys hear me well in the front, in the back? Cool.

Coin miner detections surged by 8,500 percent in 2017. How many of you here experienced at least one coin miner related incident, any malware-based or web-browsing-based? Any answer? Yeah, so obviously it's a big problem. My main goal here today is to give you a set of tools and techniques to deal with this emerging threat.

My name is Omri Moyal and I'm co-founder and head of research at Minerva. In 2016 I had my first encounter with coin miners and I've been tracking them ever since. The rapid rise of this threat has pushed me to create this presentation to increase awareness and help others fight it. I would like to thank my research team at Minerva and other researchers such as Bad Packets and ZeroDot1 for taking a really strong part in this ongoing war.

Coin miners are a new, surging threat. One of the biggest signs of its rapid emergence is the multiple names for it, just to name a few: coin mining, crypto mining, cryptojacking (I heard some cursing in there) and so on. I personally like to use "coin miners" when I speak about the overall problem, malicious and benign, "cryptojacking" when speaking about web-based, in-browser JavaScript attacks like Coinhive, and "crypto mining" when speaking about malware-based attacks.

So the rapid increase is usually related to Coinhive as well. Coinhive started last year. It's a framework and APIs for developers, a JavaScript to basically copy and paste into the website and start earning profit from mining on users. It's usually considered a malicious act, a malicious attack, if the user didn't consent to start it. If the user consents it's more like an advertisement, a replacement for advertisement. If it's hidden and run without consent it's considered malware, an exploit, or at least that's the way I see it.

The trend is also joined by mainstream threat actors like major botnet operators switching from bots, Trojans and banking Trojans to coin miners, crypto miners. We also see a really clear shift from ransomware: ransomware actors are starting to use crypto miners as well, probably because the ransom is dropping in profit: bad reputation, users don't think they're gonna get their files back anymore anyway, user awareness increase, better security tools. They need to find another way to make profit and it seems like coin mining is their new method to do it.

Since we can't cover all topics in this short presentation, I will try to focus on the key, most common similarities of crypto miners. Finding repeatable patterns is always good for defense: if we know how to detect them, if we know how they look, we know how to prevent them as well.

So looking at similarities, Monero is by far the most common mined coin for malicious actors, dubbed XMR. It has very strong anonymity features. For example, if you compare it to Bitcoin, a Bitcoin address resembles more your home address, where in Monero your address is kind of more the equivalent of a P.O. box, a virtual P.O. box. Also when you look at Bitcoin, everybody can see how many coins you have in your wallet, what transactions you did before and how much you transmitted or you got; with Monero it's much more hard to track. The whole algorithm of this coin is much more sophisticated and it's much newer as well. In addition, and this is really one of the most critical facts why they use Monero, the mining algorithm for Monero is still quite profitable for CPU, and as we all know bots are mostly relying on CPUs, on computers and servers. If you look at Bitcoin, even GPU is not much profitable anymore. So this is a key thing to understand. Coinhive and other web-based services are also using Monero, XMR, and anything that can run JavaScript can basically be a target, a victim of Coinhive etc. Many attackers, unlike the benign users of Coinhive, will obfuscate the code into many layers, but once you start to peel off those layers you start seeing the rotten apple, mostly Coinhive, similar services as well.

If you want to get really into Coinhive and similar in-browser attacks, there is a really good research by Bad Packets. I think it's the best research to date covering all this topic. The usage of known services makes Coinhive and similar cryptojacking quite easy to detect and prevent. Actually, if you're not familiar with it, CoinBlockerList is a really good list of known IPs and domains related to cryptojacking attacks. ZeroDot1 is doing a really good job at maintaining it almost daily; if you can see the tweet, this is from today, where his last update was. Really nice German guy, so if you ever meet him give him good kudos from me or buy him a beer. He's really helping the war against crypto miners.

So basically one of the key features of PC-based crypto miners is XMRig, an open-source tool that they are relying on. It's basically not that easy to write your own efficient crypto mining, coin mining tool, so the attackers are moving to using XMRig because it's really easy to embed. XMRig is supporting many types of operating systems like Windows, Linux and Mac, it's really easy to embed XMRig in your own code, and it supports all the major public pools, the joint mining pools. So it makes it really, really effective for attackers to use this tool.

If you look on the top left, or right from your angle, I've put a really simple YARA signature here. It's just a few lines, but it will detect most unpacked coin miners and XMRig and maybe some other tools that are relying on public pools. In addition, if you want to detect XMRig-type crypto miners, they mostly use a common command line, basically to connect them to mining pools, to decide how many threads they want to run, etc., and this is making them really prone to detection. However, in both cases most sophisticated attackers will do two things, like more advanced malware: they will pack their code so you won't be able to just scan static signatures on it (however, that YARA signature is probably also really effective if you run it against memory), and also, instead of running XMRig as a standalone DLL, for example, or PE process, they will embed the XMRig code in their own code, and the parameters as well, so it won't be that easily detectable.

The reason for XMRig's common command line is that it needs to support major mining pools. The reason for both benign and malicious users to use mining pools is that to mine alone is really hard: it's based on luck and you need a lot of hash power. Did anyone here do some mining alone? Have you been profitable? Yeah. So mining pools really give you the benefit of easily calculating how much profit you can make, and for attackers, speaking about really large botnets, that's really good and stable income. But relying on public pools makes them easy to detect on the network as well. Most of the major mining pools' domains and IPs are known and you can use lists like CoinBlockerList, or I've also shared here in a link a template or a sample to detect with Snort certain network activity and domains related to coin mining. There are also more advanced paid ones, but this one pretty much works, so feel free to use it.

For IT and security teams coin miners are pretty much a pain in the ass, sorry for my language. It's killing your CPU, if you got servers it's gonna slow them down, you're gonna see a lot of browsers stop operating, they're gonna call the security and desktop team to check what it is. But this is also quite their biggest downfall, because once, for example, a power user on Windows sees that his or her machine starts to really slow down, what is the first thing they're gonna do? They're gonna open Task Manager and see what is causing the slowdown, the hiccups. So our little friends in the malicious coin mining industry have developed ways to go around it: they will constantly look for these kinds of processes in Windows, like Task Manager, Process Explorer, and once that is open the mining loop will go to a halt, and they will wait till Task Manager is closed and then go back again. So you'll find out some users will start to blame Chrome or whatever it is that's causing my computer to slow down, and they're gonna miss the coin miner. I think one of the things you can actually try might be to run Task Manager all the time, but you can also try and deploy fake processes. Did anyone try to do that before to trick malware? No? All right, you might should try.

So getting into a bit of the fun parts. As researchers, I very often get depressed when I try to hunt down threat actors and I usually end up with nothing, but when we do find someone and we're able to track a real persona behind a campaign, it's usually really fun. So when we first started looking at coin miners we thought that because of the privacy features of cryptocurrencies it will be really hard to find those attackers, but we found the complete opposite, and we think that's because crypto mining is a really new technology and, like defenders, attackers are really prone to do some errors along the way, to make mistakes. So just to name a few of the stuff we found: for example, in mining pools you will need to use your email as authentication for the miners, to authenticate your miner, and some of the attackers will use personal emails, and some even use more like disguised emails, but they are much easier to track. If you look at any traditional malware, if you ever find an email that's a really good place to start when you try to dox an attacker, and we got the email right away. Some of them actually even by mistake put in the password for the account in there, so you can go and hunt if you want them (I didn't tell you that), so we might find some interesting stuff. There are also some really common, more technical mistakes, but I'm pretty much not here to help attackers, I will help defenders, so if someone really wants to know more about it please feel free to ask. I might do some background check to make sure you're not an attacker, but I will be happy to share.

So here's a little story. During an investigation into crypto mining we found a malicious miner we called WaterMiner. WaterMiner was mostly in Russia; it was Trojanizing a GTA mod, and basically once you start installing the mod, running it, it will be running alongside, disguised as an Intel or Oracle process. But the attacker left a really nice few breadcrumbs in his source code which helped lead us to a real Russian entity. The whole story was published on BleepingComputer, the link is below, so if you're gonna go and do a bit of deeper reading into it, please go ahead.

So when I first read this title, the first thing that came into my head is the Jerry Maguire scene: "show me the money, show me the money." All right, it keeps ringing in my head. Anyway, doxing crypto miners is fun, but we really wanted to go deeper and understand why this phenomenon is so big. So we really wanted to track down how much money, what is the profit or money incentive for the attackers, and what we found is completely opposite to what we expected. Although XMR addresses are really hard to track, mining pool statistics are really public, so once you extract the wallet address (and you can automate it, you can do it really easily on a massive scale) you can start communicating with the APIs of those pools to see how much money, actually not money but how much XMR, was actually paid, what's the hash rate, and so on. So it was really interesting to see, for example. You probably noticed I love case studies, so this is a case study about a malware crypto mining campaign called PhotoMiner. PhotoMiner was originally discovered by GuardiCore in 2016. The revelation of it didn't really damage its overall running, and as far as I know this is the longest and largest running crypto mining campaign. When we did the automation and ran over all the wallet addresses, around 500 samples, we found out that the profit they made is going between 8 to 12 million US dollars from 2016. The reason for the big range is that the XMR coin value is quite changing, so sometimes they took the coin when it was 260 dollars, sometimes 180, but we're looking at a couple of really good million dollars here. So that really, this finding for us, clearly showed why the big transition is going on: there is some money to be made here. Maybe not as big as for the early ransomware, when people were speaking about 80 million dollars or 120 million dollars etc., but taking into account the anonymity of XMR and the probability of them actually taking the money to somewhere they can use it, this looks like a really, really big incentive.

Now looking at some of the strengths we wanted to pick up from those coin miners, I'll use another case study. It's called GhostMiner. We started to look at it after preventing an attack at a customer, and when we started looking we saw a complete PowerShell script; the PowerShell was propagating in the network and was using things like brute force and some exploits to go along. But the interesting bit for us in this attack is that GhostMiner was vicious against its competitors. It had many, many sets of tools to kill other miners; apparently the competition is high. It killed processes with blacklists, looked for scheduled tasks, looked for network activity and killed those processes as well. So what we did, and the result of it is in the link below as well, is an open-source PowerShell script that you can use in your network to eradicate coin miners, and it's really, really successful; we still haven't found a coin miner that doesn't get hit by that tool. But please use with caution: you don't want your IT guys to call and say "hey, you killed one of my applications", or maybe there are coin miners that they were running in the background. So use with caution.

So a bit of what's next. All right, so I like to do predictions because, first, I know I can never really go wrong with them, you know, no one expects 100%, it's so like defense, and also it's kind of like a gambling thing. So the first thing I think we'll start to see is coin miners are gonna start using proxies between them and the mining pool, so first the network traffic will be able to be obfuscated and second they won't need to use those domains and get easily detected on the network. The second thing we didn't see yet but we quite expect is to see a version of bulletproof hosting: we're gonna see probably malicious bulletproof pools. They're gonna be hiding the data, they're probably gonna have more anonymized ways to connect to them. This is something we probably expect to see: the pools are gonna use things like DGAs and things more advanced malware is using. We're probably gonna see also a reduction in the CPU usage of the crypto miners. It's probably gonna decrease profit in the short term, but in the long term it's probably going to increase their profit because they're gonna get less and less detected.

Just a quick recap: we looked at the similar features of coin miners, for example XMR and the open-source tools they use, the fact they use public pools, and things like Coinhive. We looked at methods to detect and prevent them like CoinBlockerList, we looked at network detection abilities, and we also looked at how to track them down and dox them, so if you want to have some fun please go ahead. And we looked at how to monitor the magnitude and how effective those crypto miners are: if you find a crypto miner you can easily go and check the size and how much profit they actually make. And we also looked at some coin miners' self-defense or anti-competition tools that we can use to our advantage.

So if you have any questions please go ahead. If you didn't have time to ask you can ask me offline; I'm pretty easy to find and my details will be on the next slide.

Yeah? Do you mind coming a bit closer, I can barely hear you, sorry. Yeah, so DGA is for someone... yeah, I'm sorry. I was asked if we spoke about DGA as a way to bypass network detection. DGA stands for domain generation algorithm and basically it's a way to not have a static domain. Basically all network detection uses signatures on the name of the domain, and DGA is basically a way to go around it, to keep changing. For example, I think the first usage was Conficker, when it kept changing the domains it was using. Does this answer your question? Cool. Any other question? Don't be shy. All right, so thank you. It was... yeah?

So let me repeat the question: did you ask how do we get best practices for coin miners? Yes, there are some really good sources. I think what I'll do is I'll post on my Twitter account a follow-up with some of the good sources, because it will be too long to name them here. Cool, so thanks everybody. Any questions, anything, I'll be around here, and I always say, you know, like if you see me in any pub let's drink a beer and have some fun.
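As an added example, not from the talk and not one of Minerva's tools: a host-side scan over process command lines for the XMRig-style options and public pool addresses the talk describes as the common pattern. It keys on the command line rather than CPU load, so a miner that idles while Task Manager is open is still flagged. The pool hostnames, PIDs and wallet string below are constructed placeholders; a real deployment would load CoinBlockerList or a similar feed.

```python
import re
from typing import Dict, List

# Constructed, illustrative pool hostnames (assumption, not from the talk);
# load CoinBlockerList or a similar curated feed in a real deployment.
KNOWN_POOL_HOSTS = {"pool.minexmr.com", "xmr.nanopool.org", "pool.supportxmr.com"}

# Monero standard address: 95 base58 characters beginning with '4'.
XMR_ADDRESS_RE = re.compile(r"(?<![1-9A-Za-z])4[1-9A-HJ-NP-Za-km-z]{94}(?![1-9A-Za-z])")
# Pool URL as passed to XMRig-style miners via -o / --url.
STRATUM_RE = re.compile(r"stratum\+(?:tcp|ssl)://([A-Za-z0-9.-]+)(?::\d+)?")
# Option tokens common to XMRig and its forks (--donate-level is the strongest).
MINER_FLAGS = {"-o", "--url", "-u", "--user", "-p", "--pass", "-a", "--algo",
               "--donate-level", "--max-cpu-usage", "--cpu-priority", "-k", "--keepalive"}

def inspect_cmdline(cmdline: str) -> Dict[str, List[str]]:
    """Return the mining indicators found in one process command line."""
    tokens = set(cmdline.split())
    pools = STRATUM_RE.findall(cmdline)
    return {
        "wallets": XMR_ADDRESS_RE.findall(cmdline),
        "pool_hosts": pools,
        "known_pools": sorted(h for h in pools if h in KNOWN_POOL_HOSTS),
        "flags": sorted(t for t in tokens if t in MINER_FLAGS),
    }

def is_suspected_miner(cmdline: str) -> bool:
    """Flag a known public pool outright; otherwise require a pool URL or
    wallet together with at least two miner-style options."""
    ind = inspect_cmdline(cmdline)
    if ind["known_pools"]:
        return True
    has_target = bool(ind["pool_hosts"] or ind["wallets"])
    return has_target and len(ind["flags"]) >= 2

def scan_processes(procs: List[dict]) -> List[int]:
    """Return PIDs of processes whose command line looks like a miner."""
    return [p["pid"] for p in procs if is_suspected_miner(p["cmdline"])]

# Constructed sample process list: fake PIDs, placeholder wallet, one miner
# pointed at a listed pool and one at an unlisted (proxy-style) address.
SAMPLE_WALLET = "4" + "AB" * 47
SAMPLE_PROCS = [
    {"pid": 1234, "cmdline": "notepad.exe C:\\Users\\bob\\notes.txt"},
    {"pid": 4321, "cmdline": "svchost.exe -o stratum+tcp://pool.minexmr.com:4444 "
                             "-u " + SAMPLE_WALLET + " -p x --donate-level 1 -k"},
    {"pid": 5555, "cmdline": "updater.exe --url stratum+tcp://10.0.0.5:3333 "
                             "-u " + SAMPLE_WALLET + " --max-cpu-usage 50"},
]

if __name__ == "__main__":
    for p in SAMPLE_PROCS:
        if is_suspected_miner(p["cmdline"]):
            print(p["pid"], inspect_cmdline(p["cmdline"]))
```

The second sample shows the proxy prediction from the talk: once the pool sits behind an unlisted address, the list lookup fails and only the command-line pattern still catches it.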