Slide 1: Coinminers Detection Surged by 8,500% in 2017
Source: Symantec
Slide 2: The Rise of Coinminers
Omri Segev-Moyal, Co-Founder & VP of Research, Minerva Labs (@GelosSnake)
Get these slides now at: https://tinyurl.com/rise-of-coinminers
Slide 3: Naming Convention?
Source: Google Trends
Slide 4: CryptoJacking is Everywhere
Source: similartech
Slide 5: Jumping on the Wagon
Source: malware-traffic-analysis.net
Slide 6: Finding Similarities
Slide 7: XMR – Currency of the Day
• Stealth Address - virtual P.O. box
• Ring Signatures – transactions can't be tracked
• CPU still very effective
• Ease of use
Slide 8: CryptoJacking – Hiding in Plain Si(gh)te
Source: @bad_packets - https://arxiv.org/pdf/1803.02887.pdf
Slide 9: CoinBlockerLists – It’s Free
Source: zerodot1 - https://zerodot1.github.io/CoinBlockerLists/
Slide 10: XMRig - Relying on Open Source
https://github.com/xmrig
Slide 11: Public Pools - Miners Unite
https://tinyurl.com/MinerSnort
Slide 12: Shhhhh They are Watching
Slide 13: Catch Me If You Can
Slide 14: Common #OPSec Failures
• Using traceable email in public pools
• Uploading source code to public repos
• Hardcoded credentials in the payload
Source: Any.run
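The "hardcoded credentials in the payload" and "traceable email in public pools" failures are what an analyst pivots on during triage. The following added example (not from the talk and not Minerva's code) pulls those pivots out of two constructed artifacts: an XMRig-style config.json (the pools/url/user/pass layout is XMRig's own) and a command line using XMRig's -o/-u/-p and --donate-level switches. The wallet, hostnames and e-mail are fabricated placeholders; the 95-character base58 shape of the wallet regex matches Monero standard addresses.

```python
import json
import re
import shlex

# Monero standard addresses are 95 base58 characters beginning with 4 (8 for subaddresses).
XMR_ADDR_RE = re.compile(r"[48][1-9A-HJ-NP-Za-km-z]{94}")
EMAIL_RE = re.compile(r"[A-Za-z0-9._%+-]+@[A-Za-z0-9.-]+\.[A-Za-z]{2,}")
POOL_RE = re.compile(r"(?:stratum\+(?:tcp|ssl)://)?([A-Za-z0-9.-]+):(\d{2,5})")

# Constructed, deliberately fake wallet: 95 base58 characters, not a real address.
FAKE_WALLET = "4" + ("Ab1" * 32)[:94]

# Constructed XMRig-style config.json; the pools/url/user/pass layout is XMRig's own.
SAMPLE_CONFIG = json.dumps({
    "donate-level": 1,
    "pools": [
        {"url": "stratum+tcp://pool.example.invalid:3333",
         "user": FAKE_WALLET,
         "pass": "worker1@mail.example.invalid"},   # the traceable e-mail from the slide
    ],
})

# Constructed command line as a dropper might launch the miner (XMRig switches -o/-u/-p).
SAMPLE_CMDLINE = (
    "updater.exe -o backup.example.invalid:5555 "
    f"-u {FAKE_WALLET}.rig01 -p x --donate-level=1 -k"
)

# XMRig command-line switches and the config keys they correspond to.
FLAG_TO_KEY = {"-o": "url", "--url": "url",
               "-u": "user", "--user": "user",
               "-p": "pass", "--pass": "pass"}


def parse_config(text):
    """Return the pool entries of an XMRig-style config as url/user/pass dicts."""
    cfg = json.loads(text)
    return [{"url": p.get("url", ""), "user": p.get("user", ""), "pass": p.get("pass", "")}
            for p in cfg.get("pools", [])]


def parse_cmdline(cmdline):
    """Recover url/user/pass from XMRig-style switches, in both '-o X' and '--url=X' forms."""
    pool = {"url": "", "user": "", "pass": ""}
    tokens = shlex.split(cmdline)
    i = 0
    while i < len(tokens):
        flag, _, inline_value = tokens[i].partition("=")
        if flag in FLAG_TO_KEY:
            if inline_value:
                value = inline_value
            elif i + 1 < len(tokens):
                i += 1
                value = tokens[i]
            else:
                value = ""
            pool[FLAG_TO_KEY[flag]] = value
        i += 1
    return [pool] if pool["url"] else []


def extract_iocs(pools):
    """Pull the hunting pivots out of parsed pool entries: wallets, pool endpoints, e-mails."""
    wallets, endpoints, emails = set(), set(), set()
    for p in pools:
        m = POOL_RE.search(p["url"])
        if m:
            endpoints.add(f"{m.group(1)}:{m.group(2)}")
        for field in (p["user"], p["pass"]):
            wallets.update(XMR_ADDR_RE.findall(field))
            emails.update(EMAIL_RE.findall(field))
    return {"wallets": sorted(wallets),
            "endpoints": sorted(endpoints),
            "emails": sorted(emails)}


def triage(config_text, cmdline):
    """Combine both sources into one IOC set for pivoting on pool stats pages and blocklists."""
    return extract_iocs(parse_config(config_text) + parse_cmdline(cmdline))


if __name__ == "__main__":
    print(json.dumps(triage(SAMPLE_CONFIG, SAMPLE_CMDLINE), indent=2))
```

The wallet is what ties a sample to a pool's public stats page (the next slides), the pool endpoints feed a blocklist such as CoinBlockerLists, and the e-mail is the opsec slip worth a search in public repos.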
Slide 15: Case Study - Waterminer
Source: https://tinyurl.com/BleepingWater
Slide 16: Show Me The Money
Slide 17: Using Pools Data to Track CoinMiners
• XMR transactions are anonymized, but pool statistics are (often) not
• Monitor for hash rate, payments, running periods
• Shared backend technology
• Graphics!
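What "monitor for hash rate, payments, running periods" looks like once the wallet's stats page has been polled for a while: the added example below (not from the talk, not Minerva's code) works over a constructed hourly series of the values a pool typically exposes per wallet, cumulative payout in piconero and current hash rate, and derives the campaign's active windows, its payout events and a rough infected-host count. The 500 H/s per-host figure is an assumption standing in for a period-typical CryptoNight CPU rate; the numbers in SAMPLES are fabricated.

```python
from dataclasses import dataclass

PICONERO = 10**12  # atomic units per XMR; pool APIs commonly report balances this way

# Assumed per-host CPU hash rate used to size the botnet from the pool's total.
# CryptoNight on a desktop CPU ran at a few hundred H/s at the time; tune per campaign.
ASSUMED_HS_PER_HOST = 500


@dataclass(frozen=True)
class Sample:
    hour: int        # hours since first observation (constructed timeline)
    hashrate: float  # H/s the pool reports for the wallet
    paid: int        # cumulative payout in piconero


# Constructed hourly snapshots of a pool's per-wallet stats page (not real data).
SAMPLES = [
    Sample(0, 0, 0),
    Sample(1, 120_000, 0),
    Sample(2, 150_000, 0),
    Sample(3, 140_000, 500_000_000_000),   # first payout: 0.5 XMR
    Sample(4, 0, 500_000_000_000),         # campaign goes quiet
    Sample(5, 0, 500_000_000_000),
    Sample(6, 90_000, 500_000_000_000),    # back with fewer hosts
    Sample(7, 95_000, 900_000_000_000),    # second payout: 0.4 XMR
    Sample(8, 0, 900_000_000_000),
]


def running_periods(samples, min_hashrate=1.0):
    """Contiguous (start_hour, end_hour) intervals in which the wallet was mining."""
    periods, start, prev_hour = [], None, None
    for s in samples:
        active = s.hashrate >= min_hashrate
        if active and start is None:
            start = s.hour
        elif not active and start is not None:
            periods.append((start, prev_hour))
            start = None
        prev_hour = s.hour
    if start is not None:
        periods.append((start, prev_hour))
    return periods


def payment_events(samples):
    """(hour, amount_piconero) for every increase in the cumulative payout counter."""
    events, last_paid = [], samples[0].paid
    for s in samples[1:]:
        if s.paid > last_paid:
            events.append((s.hour, s.paid - last_paid))
        last_paid = s.paid
    return events


def estimate_hosts(hashrate, hs_per_host=ASSUMED_HS_PER_HOST):
    """Rough infected-host count: pool-reported hash rate over the assumed per-host rate."""
    return round(hashrate / hs_per_host)


def summarize(samples, hs_per_host=ASSUMED_HS_PER_HOST):
    """One report per wallet: when it mined, what it earned, how big it probably was."""
    peak = max(samples, key=lambda s: s.hashrate)
    return {
        "running_periods": running_periods(samples),
        "payments": payment_events(samples),
        "peak_hashrate": peak.hashrate,
        "peak_hour": peak.hour,
        "estimated_hosts_at_peak": estimate_hosts(peak.hashrate, hs_per_host),
        "total_paid_xmr": samples[-1].paid / PICONERO,
    }


if __name__ == "__main__":
    for key, value in summarize(SAMPLES).items():
        print(f"{key}: {value}")
```

Payout amounts are kept in integer atomic units so that the differences are exact; converting to XMR happens once, at report time. The host estimate is only as good as the per-host rate you assume, so treat it as an order of magnitude, not a census.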
Slide 18: Case Study - PhotoMiner
Slide 19: Use Your Enemy’s Strength Against Them
Slide 20: GhostMiner - Eliminating Malicious Mining Competitors
• Kill running miner processes
• Stop and delete blacklisted miner services by name
• Remove miners that run as blacklisted scheduled tasks by the task name
• Stop and remove miners by their command-line arguments
• Stop and remove miners by going through the list of established TCP connections,
Source: https://github.com/MinervaLabsResearch/BlogPosts/tree/master/MinerKiller
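The four pivots GhostMiner uses to find rivals (process names, service and task names, command-line switches, established TCP connections) are exactly the pivots a defender can hunt on. The added example below (not from the talk and not the MinerKiller code linked above) applies them to a constructed host inventory of the kind an EDR export provides. The name hints, switch patterns and port set are assumptions chosen for the example, not a vetted blocklist, and the hostnames, IPs and paths are fabricated. It also keeps the caveat a responder needs: a connection to a common stratum port on its own is weak evidence and only earns a "review" verdict.

```python
import re

# Heuristics mirroring the pivots on the slide, turned into detection. All values here are
# assumptions for the example, not a vetted blocklist: extend them from your own telemetry.
MINER_NAME_HINTS = ("xmrig", "xmr-stak", "minerd", "cpuminer")
CMDLINE_PATTERNS = [
    re.compile(r"stratum\+(?:tcp|ssl)://", re.I),        # pool URL scheme
    re.compile(r"--donate-level", re.I),                 # XMRig-specific switch
    re.compile(r"(?:^|\s)-o\s+\S+:\d{2,5}\b"),           # -o host:port
    re.compile(r"[48][1-9A-HJ-NP-Za-km-z]{94}"),         # Monero-style wallet as argument
]
STRATUM_PORTS = {3333, 4444, 5555, 7777, 14444}  # ports pools commonly listen on


# Constructed host inventory, as an EDR export might provide it (fabricated values).
PROCESSES = [
    {"pid": 1337, "name": "svhost.exe",
     "cmdline": "svhost.exe -o pool.example.invalid:3333 -u wallet_placeholder -p x --donate-level=1",
     "connections": [("203.0.113.10", 3333, "ESTABLISHED")]},
    {"pid": 2001, "name": "chrome.exe", "cmdline": "chrome.exe --type=renderer",
     "connections": [("198.51.100.5", 443, "ESTABLISHED")]},
    {"pid": 2502, "name": "xmrig.exe", "cmdline": "xmrig.exe -c config.json",
     "connections": []},
    {"pid": 3100, "name": "ssh.exe", "cmdline": "ssh.exe admin@198.51.100.7 -p 4444",
     "connections": [("198.51.100.7", 4444, "ESTABLISHED")]},
]
SCHEDULED_TASKS = [
    {"name": "GoogleUpdateTaskMachineUA",
     "command": r"C:\Program Files\Google\Update\GoogleUpdate.exe /ua /installsource scheduler"},
    {"name": "WindowsUpdateCheck",
     "command": r"C:\ProgramData\svhost.exe -o pool.example.invalid:3333 -u wallet_placeholder"},
]


def assess_process(proc):
    """Return (verdict, reasons). A stratum-port hit alone only earns 'review'."""
    reasons = []
    lname = proc["name"].lower()
    if any(hint in lname for hint in MINER_NAME_HINTS):
        reasons.append("image name matches a miner family")
    if any(p.search(proc["cmdline"]) for p in CMDLINE_PATTERNS):
        reasons.append("mining switches on the command line")
    for ip, port, state in proc["connections"]:
        if state == "ESTABLISHED" and port in STRATUM_PORTS:
            reasons.append(f"established connection to {ip}:{port} (common stratum port)")
    strong = any(not r.startswith("established") for r in reasons)
    verdict = "likely miner" if strong else ("review" if reasons else "clean")
    return verdict, reasons


def assess_task(task):
    """Flag a scheduled task (or service) by its name or by the command it launches."""
    lname = task["name"].lower()
    by_name = any(hint in lname for hint in MINER_NAME_HINTS)
    by_command = any(p.search(task["command"]) for p in CMDLINE_PATTERNS)
    return by_name or by_command


def hunt(processes, tasks):
    """Group findings so a responder can contain the likely set and eyeball the rest."""
    report = {"likely": [], "review": [], "tasks": []}
    for proc in processes:
        verdict, _ = assess_process(proc)
        if verdict == "likely miner":
            report["likely"].append(proc["pid"])
        elif verdict == "review":
            report["review"].append(proc["pid"])
    report["tasks"] = [t["name"] for t in tasks if assess_task(t)]
    return report


if __name__ == "__main__":
    for proc in PROCESSES:
        print(proc["pid"], proc["name"], *assess_process(proc))
    print(hunt(PROCESSES, SCHEDULED_TASKS))
```

In the constructed inventory the renamed miner is caught by its switches and its pool connection, the bare xmrig.exe by its name, the persistence task by the command it launches, and the SSH session to port 4444 lands in "review" rather than being killed, which is the difference between a hunting rule and a miner's kill-list.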
Slide 21: What’s Next?
Slide 22: Staying Ahead of The Curve
• Solo mining and proxy between pools and infected machine
• Unique protocols (hiding traffic)
• Less CPU consuming, immediate versus on-going (nice miner)
• Targeting less tracked connected devices
Slide 23: Recap
Slide 24: What Did We Discuss
• Similar features of Coinminers
• Methods to detect and prevent these attacks
• How to track down and hunt for common opsec failures
• Monitoring Coinminer profits
• Using Coinminers’ anti-competition tools against them
Slide 25: Q&A
Slide 26: Want to Share CryptoMiners Findings? Have Any Other Questions?
• Email me at
• Reach out to me on Twitter: @GelosSnake
• Get these slides now at: https://tinyurl.com/rise-of-coinminers