In 2018, cybercriminals are increasingly relying on malicious cryptocurrency miners delivered through advanced exploit kits to make money online. The WaterMiner case in late 2017 drew wide attention, and companies responded by upgrading their detection capabilities. As in the past, however, the criminals have remained a step ahead of the security vendors.
Recently, Minerva's research team detected a new piece of malware, GhostMiner, that 'kills' competing miners on an infected machine in order to become the sole miner of Monero (XMR) there, earning more XMR for its operators and depriving rivals. Minerva dissected GhostMiner after stopping the mining malware from entering a customer site. Such malware, the Minerva team reports, uses advanced fileless techniques to mine cryptocurrency, which makes it increasingly difficult to identify. Minerva Labs nonetheless succeeded in turning the tables on GhostMiner by reusing its own miner-killing script to remove such miners.
How GhostMiner Affected Monero
- Using Advanced Fileless Techniques
The core activity of GhostMiner was carried out by a compiled malicious Windows executable. PowerShell evasion frameworks such as Invoke-ReflectivePEInjection and Out-CompressedDll let that executable hide from detection agents; these fileless techniques masked GhostMiner's presence on disk. One PowerShell script, Neutrino.ps1, was responsible for infecting new victims, while another (WM164.ps1 on x64 machines) was charged with mining Monero (XMR).
GhostMiner's approach successfully bypassed many security products, and some of the analyzed payloads remained fully undetected. Once the fileless wrapper was stripped away, however, the same vendors detected the malware. Minerva's Memory Injection Prevention blocked the fileless attack, so the malware did not spread and could no longer mine Monero (XMR) or any other cryptocurrency.
- GhostMiner Targeting New Victims
Neutrino.ps1 sought out and attacked servers running MSSQL, phpMyAdmin, and Oracle's WebLogic. The attack focused mainly on WebLogic servers: it scanned randomly chosen IP addresses and opened multiple TCP connections. The core component of the attack talked to its C2 server over HTTP, with requests and responses encoded in Base64. The indicators Minerva used to detect the malware show that GhostMiner crafted its HTTP requests to blend in at companies with Chinese-speaking users. Not all of the techniques used by GhostMiner are new, but this is the first time a single malware family has combined all of them. Minerva's research shows that GhostMiner's operators put considerable effort into assembling their code, and the attack is a clear warning to security vendors.
Minerva’s Fight Against the Malevolent Crypto-Jacking Software
GhostMiner started its Monero mining operations only after eliminating every competing miner it could detect. Minerva's research team analyzed the techniques the malware deployed; the script that turned the tables on the competing miners was named MinerKiller.
- PowerShell's "Stop-Process -Force" command was used to identify running Monero miners and terminate them, matching them against a hard-coded blacklist of process names.
- Blacklisted miner services were stopped and removed by name with a Windows .exe command-line utility.
- Blacklisted scheduled tasks that launch miners were deleted by task name, again with a Windows .exe utility.
- Process command-line arguments were parsed and analyzed to spot miners, which were then stopped and removed.
- Another strategy was to walk the list of established TCP connections and identify the ports associated with miners. The data were collected using
According to the Minerva team, one way for security vendors to fight mining malware such as GhostMiner is to write their own PowerShell scripts that flag unfamiliar scheduled tasks, services, and processes by their command-line arguments and TCP connections. Such checks should help ward off attempts by cybercriminals to hijack machines for cryptocurrency mining.
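As an added illustration of the kind of script the Minerva team recommends (this is example code written for this article, not MinerKiller and not anything taken from GhostMiner), the PowerShell below performs the same five checks described above in read-only mode on a Windows host: it flags processes by blacklisted name or command-line pattern, services by name or binary path, scheduled tasks by name or action, and established TCP connections to ports that public mining pools commonly use. The indicator lists ($CommandLinePatterns, $PoolPorts, $NameBlacklist) are assumptions chosen for the demonstration and deliberately generic; replace them with your own intelligence. It assumes Windows PowerShell 5 or later with the ScheduledTasks and NetTCPIP modules, run from an elevated session.

```powershell
# Added example (not Minerva's MinerKiller and not GhostMiner code): a read-only
# PowerShell hunt for miner-like activity on a Windows host, mirroring the five
# checks described in the article. Every indicator list below is an assumption.

# Assumed indicators: pool URL schemes, miner CLI flags and miner binary names.
$CommandLinePatterns = @('stratum\+tcp://', 'stratum\+ssl://', '--donate-level', 'xmrig', 'minerd', 'cpuminer')
# Assumed: remote ports commonly used by public mining pools.
$PoolPorts = @(3333, 3334, 4444, 5555, 7777, 8888, 14444, 45700)
# Assumed blacklist of process/service/task name fragments, a stand-in for a real one.
$NameBlacklist = @('xmrig', 'minerd', 'cpuminer', 'nscpucnminer')

$findings = [System.Collections.Generic.List[object]]::new()

function Add-Finding($Kind, $Name, $Detail) {
    $findings.Add([pscustomobject]@{ Kind = $Kind; Name = $Name; Detail = $Detail })
}

# Checks 1 and 4: processes matched by blacklisted name or by suspicious command-line arguments.
Get-CimInstance Win32_Process | ForEach-Object {
    $proc = $_
    $byName = $NameBlacklist | Where-Object { $proc.Name -like "*$_*" }
    $byArgs = $CommandLinePatterns | Where-Object { $proc.CommandLine -match $_ }
    if ($byName -or $byArgs) {
        Add-Finding 'Process' "$($proc.Name) (PID $($proc.ProcessId))" $proc.CommandLine
    }
}

# Check 2: services whose name or binary path looks like a miner.
Get-CimInstance Win32_Service | ForEach-Object {
    $svc = $_
    $hit = ($NameBlacklist | Where-Object { $svc.Name -like "*$_*" }) -or
           ($CommandLinePatterns | Where-Object { $svc.PathName -match $_ })
    if ($hit) { Add-Finding 'Service' $svc.Name $svc.PathName }
}

# Check 3: scheduled tasks whose name or action points at a miner-looking command.
Get-ScheduledTask | ForEach-Object {
    $task = $_
    foreach ($action in $task.Actions) {
        $cmd = "$($action.Execute) $($action.Arguments)"
        if (($NameBlacklist | Where-Object { $task.TaskName -like "*$_*" }) -or
            ($CommandLinePatterns | Where-Object { $cmd -match $_ })) {
            Add-Finding 'ScheduledTask' "$($task.TaskPath)$($task.TaskName)" $cmd
        }
    }
}

# Check 5: established TCP connections to pool-like ports, joined to the owning process.
Get-NetTCPConnection -State Established |
    Where-Object { $PoolPorts -contains $_.RemotePort } |
    ForEach-Object {
        $owner = Get-Process -Id $_.OwningProcess -ErrorAction SilentlyContinue
        $detail = "$($_.LocalAddress):$($_.LocalPort) -> $($_.RemoteAddress):$($_.RemotePort)"
        Add-Finding 'TcpConnection' "$($owner.ProcessName) (PID $($_.OwningProcess))" $detail
    }

# Report only. Containment (Stop-Process -Force, sc.exe delete, Unregister-ScheduledTask)
# is left as a deliberate follow-up step after an analyst has triaged the findings.
$findings | Sort-Object Kind, Name | Format-Table -AutoSize
```

The script prints a table of findings and takes no destructive action: keeping the removal step separate avoids terminating a legitimate process that merely happens to match a pattern, and it lets a responder capture the command line, service path, or remote address as evidence before anything is stopped.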
Disclaimer: This article should not be taken as, and is not intended to provide, investment advice. Global Coin Report and/or its affiliates, employees, writers, and subcontractors are cryptocurrency investors and from time to time may or may not have holdings in some of the coins or tokens they cover. Please conduct your own thorough research before investing in any cryptocurrency and read our full disclaimer.
Image courtesy of Bart via Flickr