Cryptocurrency-Mining Malware


ADB.Miner

ADB.miner is a botnet mainly comprised of Android smartphones, smart TVs, and tablets. ADB.miner spreads by infecting devices with exposed Android Debug Bridge (ADB) interfaces via port 5555. First detected in January 2018, ADB.miner is the first Android botnet to utilize port-scanning code borrowed from Mirai. This botnet delivers a Monero cryptocurrency miner and exhibits worm-like behavior as it self-replicates and converts compromised devices into scanners to locate additional victims. Approximately 5,000 devices have been impacted by this botnet at the time of writing, with the majority of victims located in China and South Korea.

Reporting

FacexWorm

FacexWorm is malware that spreads to Facebook users via a malicious link sent in a Facebook Messenger chat. When the link is clicked, it redirects the user to a fake YouTube page that instructs them to install a YouTube-themed Chrome extension in the browser. First uncovered in August 2017, FacexWorm has since expanded its capabilities to carry out several malicious behaviors. First, the malware detects when a victim visits a login page for Google, MyMonero, or Coinhive, then steals the credentials from the login form and sends them to its C2 server. When the victim visits one of the 52 cryptocurrency trading platforms the malware targets, they are redirected to a scam page that instructs them to send Ether to the attacker "for validation", with promises of getting the money back with interest. When the victim initially installs the malicious extension, a JavaScript cryptocurrency miner, Coinhive, that mines the Monero cryptocurrency is installed. If the victim visits a cryptocurrency-related website, the malware changes the receiving wallet address of a transaction to an address controlled by the threat actor.

Reporting

HiddenMiner

HiddenMiner is an Android cryptocurrency-mining malware that poses as a legitimate Google Play update app. It uses infected devices to mine the Monero cryptocurrency until it exhausts the device's resources and the device eventually breaks. Sharing similarities with the Loapi Android malware, HiddenMiner forces the victim to activate the fake Google Play update app as a device administrator and, once accepted, starts mining Monero in the background. The malicious app attempts to hide itself on the infected device by using a transparent app icon and hiding itself from the app launcher. Because the infected app holds administrator privileges, it is very difficult for the user to remove the malicious app; the user must remove the administrator privileges first. HiddenMiner counters this by locking the device's screen when the user attempts the deactivation.

Reporting

Kingminer

First discovered in June 2018, Kingminer is a Monero-mining malware targeting Windows servers, particularly IIS and SQL servers. The actors behind the malware use various evasion methods to bypass detection. A Windows .sct file is installed on the victim's machine; upon execution, the file detects the relevant CPU architecture, kills relevant .exe processes, and downloads a payload ZIP file. In the second phase of the attack, the XMRig CPU miner runs and uses the victim's entire CPU.

Technical Details

Kitty

Kitty is a cryptocurrency-mining malware that uses an open-source browser mining software called "webminerpool" to mine the Monero cryptocurrency. The malware was first observed in May 2018 exploiting the well-known Drupalgeddon2 vulnerability, which allows remote code execution on Drupal web servers. When the malware is installed on a server, a PHP file is written to the infected server's disk that gives the threat actors a backdoor into the machine. The malware then creates a time-based scheduled job that re-downloads and executes a bash script from a remote host every minute, allowing an attacker to re-infect the server even if updates are attempted. A mining program, the XMRig Monero miner, is then installed on the system. Along with the mining process on the infected server, Kitty also aims to infect web app visitors. To accomplish this, the malware searches for the common index.php file and writes a reference to the malicious JavaScript file me0w.js into it. Once the PHP file is infected, users visiting the infected web server's sites are leveraged for cryptocurrency mining.

Reporting

Loapi

Loapi is an Android malware variant that appears to have evolved from the Podec Android malware. Loapi has a sophisticated modular structure with components for a variety of functions, including mining the Monero cryptocurrency, downloading and installing additional apps, launching distributed denial-of-service (DDoS) attacks, and injecting ads into the notification area, among others. The cryptocurrency-mining function causes the device to overheat and overworks the phone's components, causing the battery to bulge and the phone's cover to deform. Loapi is found hidden in antivirus apps and adult-themed apps advertised on third-party app stores. The apps inundate users with pop-ups until the user grants them administrative rights and allows them to uninstall legitimate antivirus apps from the device. To maintain persistence, the malware closes the Settings window if the user attempts to deactivate its administrator account and, if the user attempts to install an app that could detect the malware's presence, Loapi displays a fraudulent message on the screen claiming it detected malware and prompts the user to delete the app. Users have to boot their device in Safe Mode to remove Loapi-infected apps.

Reporting

LoudMiner

LoudMiner is a Monero cryptocurrency-mining malware that uses virtualization software to deploy a Linux XMRig coinminer variant on Windows and macOS systems via a Tiny Core Linux virtual machine. Audio production systems are targeted because they typically have high-end hardware and run under constant load while processing audio content, which helps conceal the cryptomining operation.

Technical Details

MassMiner

MassMiner is a cryptocurrency-mining malware that has been observed using worm-like capabilities to spread through multiple exploits. First, to find vulnerable systems, MassMiner uses a reconnaissance tool called Masscan, which can scan the internet in under six minutes. The malware looks for systems that are still affected by these three vulnerabilities: WebServer Exploit (CVE-2017-10271), EternalBlue (CVE-2017-0143), and Apache Struts Exploit (CVE-2017-5638). Once the malware infects a system, it begins establishing persistence: MassMiner copies itself into the startup folder and schedules tasks to execute its components. To avoid detection, a command is used to disable the Windows Firewall so that the malware can communicate with the C&C server. After the firewall is turned off, a configuration file is downloaded from the C&C server that specifies which server to get updates from, the executable used to infect other machines, and the wallet address to which the mined Monero is sent. The mining itself is carried out with the popular XMRig Monero miner. Additionally, the malware installs the Gh0st RAT, which communicates with the domain rat.kingminer[.]club.

Reporting

MulDrop

MulDrop (Android.MulDrop.924) is an Android Trojan first observed in November 2016 by researchers at Dr.Web. The Trojan is spread within apps that disguise themselves as legitimate games and other applications and is distributed through Google Play and other application stores. One application it masquerades as is named "Multiple Accounts: 2 Accounts", which supposedly allows users to set up multiple accounts for games, email, messaging, and other software. As of November, the app was still available in the Google Play store and had received a relatively high user rating of 4.1. Part of the Trojan's functionality is hidden in two modules, kxqpplatform.jar and main.jar, which are encrypted and concealed inside the icon.png image located in MulDrop's resource catalog. Once launched, the Trojan extracts and copies the components to its local directory and loads them into memory. The main.jar module contains advertising plug-ins to generate revenue. In some versions of MulDrop, the main.jar module contains the Triada Trojan, which leverages exploits to gain root access to the infected device.

Reporting

Norman

Norman is a recently discovered cryptominer based on XMRig, a high-performance miner for the Monero cryptocurrency, that employs evasion techniques to hide from analysis and avoid discovery. Most of the malware variants rely on DuckDNS, a free dynamic DNS service. Norman is deployed in three stages: execution, injection, and mining. A mysterious PHP shell that connected to a command-and-control (C&C) server may not be associated with the cryptominer.

Technical Details

Plurox

Plurox is a modular backdoor malware strain capable of mining cryptocurrencies and of spreading to other computers on the local network via SMB and UPnP plug-ins. The backdoor uses TCP to communicate with the C&C server. Plug-ins are loaded and directly interfaced via two different ports; through them Plurox deploys miners on the targets' computers and distributes other plug-ins for lateral movement on local networks.

Technical Details

Prowli

The GuardiCore security team discovered a new botnet, dubbed Prowli, which has infected over 40,000 servers, modems, and IoT devices. The botnet leverages known vulnerabilities and brute-force attacks to infect devices for use in cryptocurrency mining and to redirect users to malicious sites. The devices used for cryptocurrency-mining operations are infected with a Monero miner and the r2r2 worm, which then uses the infected devices to perform SSH brute-force attacks against new devices in order to expand the botnet. If Prowli compromises content management system (CMS) platforms such as Drupal, they are infected with a backdoor that allows the threat actor to inject malicious code into the website. This code directs users to a traffic distribution system (TDS) that then redirects victims to other malicious sites. Devices vulnerable to the Prowli botnet include CMS servers, backup servers, DSL modems, and IoT devices.

Reporting

PyRoMine

PyRoMine is a Python-based crypto-mining malware discovered by FortiGuard Labs that takes advantage of Windows systems affected by the CVE-2017-0144 and CVE-2017-0145 vulnerabilities. The malware uses ETERNALROMANCE, a remote code execution (RCE) exploit that abuses SMBv1 ports exposed to the internet. PyRoMine is designed to give the attacker SYSTEM privileges by first attempting to log in with a hardcoded default username and password. If that login is unsuccessful, the exploit logs in as anonymous. Once on the system, the malware creates an administrator account with one of the hardcoded usernames and passwords embedded in its code, which can be used to access the machine for further attacks. Along with the new account, PyRoMine enables Remote Desktop Protocol (RDP) and adds a firewall rule to allow traffic on port 3389. PyRoMine then downloads a miner known as XMRig, software developed to mine the cryptocurrency Monero using the system's CPU power. The malware also creates a scheduled task that starts the malicious file each time the system boots. While the main purpose of this malware is mining Monero, creating an administrator account and opening RDP on port 3389 is an indication that further attacks may follow once the system is exploited.

Reporting

PyRoMineIoT

PyRoMineIoT is a cryptocurrency-mining malware recently discovered by Fortinet researchers spreading via a malicious website disguised as a security update for the victim's internet browser. The fraudulent website serves a downloadable update.zip file that contains a downloader agent written in C#. When this file is executed, it downloads more components, including an IoT scanner, ChromePass functionality, the ETERNALROMANCE exploit, and the XMRig Monero miner. The ETERNALROMANCE exploit is used against the SMBv1 vulnerability to spread the malware to targets running the protocol on ports exposed to the internet. The legitimate software "ChromePass" is used to collect credentials from the Chrome browser, which are saved to an XML file and uploaded to DriveHQ's cloud storage service. The IoT device scanner component scans for devices in Iran and Saudi Arabia that accept the login credentials "admin" for both username and password and sends the IPs of the vulnerable devices to the malware's C2 server for later retrieval. Lastly, PyRoMineIoT installs XMRig, software that mines the cryptocurrency Monero using a system's CPU power, on victim machines.

Reporting

WinstarNssmMiner

WinstarNssmMiner is a cryptocurrency-mining malware that Qihoo 360 Total Security detected targeting Windows computers over 500 times in a span of three days. Once a system is infected, the malware is difficult to remove and will ultimately crash the computer if it detects that the user is trying to remove it. Once a victim is infected, if the malware detects that the system is running Avast or Kaspersky antivirus products, it automatically quits to avoid any confrontation. If neither of those antivirus solutions is detected, two svchost.exe system processes are created and injected with malicious code. The first svchost.exe carries out the mining process using the XMRig Monero miner with four different mining pools, selected based on the parameters of the system. The second svchost.exe process watches for other antivirus processes that it can shut down to avoid detection, and also watches for the victim trying to stop the mining process. If the victim does try to stop the XMRig mining process, the malware crashes the system, forcing a restart.

Reporting

Xbooster

Xbooster is a cryptocurrency-mining malware campaign discovered by Netskope that uses the popular XMRig Monero miner to carry out its mining process. The malware spreads via drive-by download, in which a password-protected zip file containing two executables, xmrig.exe and manager.exe, is downloaded. Once unzipped, xmrig.exe begins using the infected system's resources to mine. While the mining process is running, manager.exe connects to a C2 server hosted within AWS and downloads the DBupdater.exe file, which is used to exfiltrate details about the infected system.

Reporting