New Tricks of Cryptominers
Those familiar with the basic laws of economics know that a recession is often followed by growth. This natural cyclic pattern appears to hold true for the cryptocurrency markets as well. Having peaked at almost $20,000 in late 2017, Bitcoin’s price plummeted down to $4,000 in slightly more than a year’s time. What do we have now? Its value is quickly climbing back up, exceeding $11,000 as of early July 2019. Things look similarly auspicious for the other popular cryptocurrencies, too.
Whilst this new boom is a benign signal for investors, it is also an “attack” command for cybercriminals. Malicious cryptomining also referred to as cryptojacking, is at the core of all abuse in this ecosystem. To set this exploitation in motion, crooks deposit malware onto hosts in order to parasitize the processing power and thereby mine coins behind the victims’ backs. This incursion vector continues to be the case, but the hackers’ tactics have changed over time. Below are several examples of how sophisticated the present-day cryptojacking has become.
Malware making Linux cryptominer cross-platform
In a large-scale campaign that surfaced in late June 2019, perpetrators have been utilizing the malicious code to inject and run a well-known Monero CPU miner called XMRig on host computers. Although these attacks leverage a Linux variant of the miner, a clever trick allows the malefactors to deploy it on Windows and macOS systems. Instead of reinventing the wheel, they use virtualization software to execute the XMRig instance on machines regardless of the operating system.
The malware underlying this hoax is codenamed LoudMiner. It arrives with cracked VST (Virtual Studio Technology) applications. Researchers from ESET found more than a hundred booby-trapped solutions from this category that go bundled with the harmful payload in question. Most of them are tailored for macOS. VST apps tend to be resource heavy, so they are typically installed on powerful systems with plenty of CPU capacity to quench the attackers’ thirst for easy gain.
The furtive cryptocurrency mining process is performed on the Tiny Core Linux virtual machine. The total size of the XMRig and virtual machine combo can be greater than 100 MB. However, the victims are likely to overlook it being dropped by the LoudMiner malware, given that VST workstations typically have a lot of disk space under the hood.
The offending code establishes persistence on a host by invoking commands to make sure the Monero miner’s Linux image is launched at boot time and automatically restarted if terminated. On Macs, the infection can hide its shenanigans by pausing the surreptitious mining routine whenever the user opens the Activity Monitor. All in all, this raid may stay undetected for a long time and siphon off the hosts’ hefty processing potential to mine Monero for the ill-minded operators.
Persistence quirk of a cryptominer
Analysts from cybersecurity firm Sucuri have recently spotted a sample of coin mining malware that re-infects hosts even after being removed. The culprit zeroes in on 32- and 64-bit Linux installations, both servers and desktop machines. It was originally found on a web server whose CPU was running at its maximum, which is a telltale sign of cryptomining activity without any throttling in effect.
According to the researchers’ findings, the black hats utilize a Bash script that silently downloads the final-stage payload. It isn’t entirely clear how exactly this script ends up inside a target system, but the most likely entry point is an unpatched software flaw or credentials brute-forcing.
When first launched, the Bash script named cr2.sh performs a series of checks to find any instances of known cryptomining processes already running. If detected, these tasks are subject to instant termination. The next phase is to download the actual coin miner from the attackers’ command and control server. What makes the pest really stand out, though, is that it creates a cron job to check for the initial Bash script every minute. If it’s missing, the scheduled task will download and run it on the compromised system again. This way, the attack perseveres even if the user identifies the threat and eradicates all the troublemaking components from the host.
Multipronged cryptominer with backdoor and worm characteristics
A sophisticated strain of coin mining malware dubbed Plurox popped up on Kaspersky Lab’s radar in February 2019. Unlike garden-variety infections from this category, it behaves like a backdoor and has a modular nature. The former trait means that Plurox creates a loophole so that the attackers can access a compromised network at any time, and the latter feature allows for enhancements of the malicious functionality by means of specially crafted plugins.
On top of that, the malware was found to employ distribution mechanisms inherent to computer worms. Having hit one host, it can quickly pollute the entire LAN by abusing SMB (Server Message Block) and UPnP (Universal Plug and Play) protocols. Plurox adds the notorious NSA exploit called EternalBlue to the self-spreading mix as it downloads a dodgy SMB plugin from its C2 server. A shady UPnP plugin, in its turn, uses a port forwarding trick to infect other machines on the same network.
As soon as Plurox contaminates a host, it gathers details regarding the hardware configuration, and based on that, requests an appropriate cryptocurrency mining plugin from its command and control. The malware communicates with the server over the TCP protocol. The analysts discovered a total of eight downloadable modules intended for the mining job on computers with different processing capabilities. Furthermore, the harmful code can update, stop, and delete its plugins behind the scenes.
Plurox is undoubtedly one of today’s most complex cryptomining menaces out there. Researchers believe it is still a work in progress, judging from multiple debug lines found in its code. Therefore, as if the current deleterious features weren’t enough, it might be equipped with additional characteristics in the near future.
The bottom line
A recent trend in the wicked cryptomining world is the rise of Linux malware designed to drain the infected systems’ processing power in the background. These perils mostly target servers and high-end computers that can yield better and faster results for the crooks. It’s also worth mentioning that stealthy cryptominers are becoming harder to detect and remove, so the security community has yet to come up with an effective response for these disconcerting evolutionary changes. In the meanwhile, regular users and server owners should keep tabs on the CPU consumption by their machines. Regular system updates, best antimalware tools, reliable VPNs and strong passwords should also help.
Check the comment section for additional information, or share what you know or ask a question about this article, by clicking the 'View or Write Comment' button below.
Note: Some of the information in samples on this website may have been impersonated or spoofed.