In 2018, cybercriminals are increasingly relying on malicious cryptocurrency miners delivered through advanced exploit kits to make money online. The WaterMiner case in late 2017 drew wide attention. Security companies responded by upgrading their detection capabilities. However, as observed in the past, the cybercriminals always remain a step ahead of the security vendors.
Recently, Minerva’s research team detected a new malware strain called GhostMiner that ‘kills’ existing miners so that it becomes the sole miner of Monero (XMR) on an infected machine. This way GhostMiner earns more XMR while depriving competing miners. Minerva’s research team dissected GhostMiner after their product had stopped the mining malware at a customer site. Such malware, as described by the Minerva team, uses advanced fileless techniques to mine cryptocurrencies, which makes it increasingly difficult to identify. However, Minerva Labs succeeded in turning the tables on GhostMiner by repurposing its own scripts to remove the miners.
How GhostMiner Affected Monero
- Using Advanced Fileless Techniques
GhostMiner’s core mining activity was carried out by a compiled malicious Windows executable. PowerShell evasion frameworks such as Invoke-ReflectivePEInjection and Out-CompressedDll let this executable hide from detection agents, using fileless techniques to mask GhostMiner’s presence. One PowerShell script, Neutrino.ps1, was responsible for infecting new victims, while another PowerShell script (WM164.ps1 on x64 machines) was charged with mining Monero (XMR).
The route taken by GhostMiner bypassed many security detectors, and some of the analyzed payloads remained fully undetected. However, the same security vendors did detect the malware once the fileless layer was stripped away. Minerva’s Memory Injection Prevention stopped the malware from carrying out its fileless attack, so it did not spread and could no longer mine Monero (XMR) or any other cryptocurrency.
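The fileless loaders named above leave a trace that endpoint controls other than memory-injection prevention can see: with PowerShell Script Block Logging enabled, the decoded script text is written to Event ID 4104 in the Microsoft-Windows-PowerShell/Operational log. The following hunt is an added example written for this article, not code from Minerva or from the GhostMiner samples; the pattern list is a constructed starting point (the two framework names from the article plus generic markers of in-memory loading), and the function name Find-FilelessLoaderEvents is an assumption.

```powershell
# Added example: hunt PowerShell Script Block Logging events (Event ID 4104)
# for the fileless loader tooling named in the article plus generic markers
# of in-memory DLL loading. Requires Script Block Logging to be enabled on
# the host. Pattern list is constructed for illustration, not a full signature set.

function Find-FilelessLoaderEvents {
    param(
        [int]$MaxEvents = 5000,
        [datetime]$Since = (Get-Date).AddDays(-7)
    )

    # Tool names from the article plus constructed generic reflective-loading markers.
    $patterns = @(
        'Invoke-ReflectivePEInjection',
        'Out-CompressedDll',
        'FromBase64String\(.{200,}\)',                        # long inline base64 blob (compressed DLL carrier)
        'DeflateStream|GZipStream',                           # decompression of an embedded payload
        'VirtualAlloc|WriteProcessMemory|CreateRemoteThread'  # classic injection primitives
    )
    $regex = $patterns -join '|'

    $filter = @{
        LogName   = 'Microsoft-Windows-PowerShell/Operational'
        Id        = 4104
        StartTime = $Since
    }

    Get-WinEvent -FilterHashtable $filter -MaxEvents $MaxEvents -ErrorAction SilentlyContinue |
        ForEach-Object {
            # Properties[2] of a 4104 record is the ScriptBlockText field.
            $text = [string]$_.Properties[2].Value
            if ($text -match $regex) {
                [pscustomobject]@{
                    Time      = $_.TimeCreated
                    ProcessId = $_.ProcessId
                    Matched   = ($patterns | Where-Object { $text -match $_ }) -join ', '
                    Snippet   = $text.Substring(0, [Math]::Min(120, $text.Length))
                }
            }
        }
}

# Usage: list matching script blocks from the last week.
Find-FilelessLoaderEvents | Format-Table -AutoSize
```

Long script blocks are split across several 4104 records (MessageNumber/MessageTotal in the first two properties), so a marker may land in a fragment other than the one carrying the framework name; the snippet and ProcessId let an analyst pull the sibling records for the same ScriptBlockId.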
- GhostMiner Targeting New Victims
Neutrino.ps1 sought out and attacked servers running MSSQL, phpMyAdmin, and Oracle’s WebLogic. The attack focused mainly on WebLogic servers: it scanned randomly chosen IP addresses and opened multiple TCP connections. The core component of the attack communicated with its C2 server over HTTP, encoding requests and responses in Base64. The indicators Minerva used to detect the malware show that GhostMiner crafted its malicious HTTP requests to blend in at companies with Chinese-speaking users. Not all of the techniques used by GhostMiner are new, but this is the first time a single piece of malware has combined all of them. Minerva’s research shows that GhostMiner’s operators put considerable effort into assembling their code. The attack on Monero miners clearly rings a warning bell for security vendors.
Minerva’s Fight Against the Malevolent Crypto-Jacking Software
GhostMiner began its own Monero mining only after eliminating every competing miner it could detect. Minerva’s research team analyzed the techniques the malware deployed for this. The script that turned the tables on the mining malware was named MinerKiller.
- PowerShell’s “Stop-Process -Force” command was used to identify running Monero miners and then kill them, based on a hard-coded blacklist of miner names.
- A Windows .exe command-line tool was used to stop and remove blacklisted miner services.
- Blacklisted scheduled tasks were identified by task name and removed with an .exe command-line tool, eradicating the miners they launched.
- Command-line arguments of running processes were parsed and analyzed, then used to stop and eliminate miners.
- Another strategy was to walk the list of established TCP connections and identify the ports associated with miners. The data were collected using
According to the Minerva team, one way for security vendors to fight mining malware like GhostMiner is to write their own PowerShell scripts that flag unfamiliar scheduled tasks, services, and processes by their command-line arguments and TCP connections. Such measures should help ward off cybercriminals’ attempts to hijack machines for cryptocurrency mining.
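The five checks listed above (process names, services, scheduled tasks, command-line arguments, and TCP connections) map directly onto the kind of defensive audit script the Minerva team recommends. The script below is an added example written for this article, not Minerva’s MinerKiller nor GhostMiner’s code; it reports findings instead of terminating anything, so an administrator can review them before acting. The name Find-MinerIndicators, the blacklist of miner names, the argument patterns and the pool-port list are all constructed assumptions for illustration.

```powershell
# Added example: audit a Windows host for crypto-miner indicators across
# processes, services, scheduled tasks and established TCP connections.
# Report-only; review the output before stopping or removing anything.
# All indicator lists below are constructed for illustration.

function Find-MinerIndicators {
    # Constructed blacklist of image/service/task names commonly used by miners.
    $NameBlacklist = @('xmrig', 'minerd', 'cpuminer', 'xmr-stak', 'nsgpucnminer')

    # Constructed command-line patterns: stratum pool URLs, pool/wallet switches,
    # CryptoNight algorithm names and a 95-character Monero address after -u.
    $ArgPatterns = @(
        'stratum\+tcp://',
        '-o\s+\S+:\d+',
        '--donate-level',
        'cryptonight',
        '-u\s+4[0-9AB][1-9A-HJ-NP-Za-km-z]{93}'
    )

    # Constructed list of remote ports frequently used by mining pools.
    $PoolPorts = @(3333, 4444, 5555, 7777, 8888, 14444, 45560)

    $findings = [System.Collections.Generic.List[object]]::new()
    $add = {
        param([string]$Category, [string]$Name, [string]$Detail)
        $findings.Add([pscustomobject]@{ Category = $Category; Name = $Name; Detail = $Detail })
    }

    # 1. Processes: match by image name and by full command line (Win32_Process exposes CommandLine).
    Get-CimInstance Win32_Process | ForEach-Object {
        $p = $_
        $byName = $NameBlacklist | Where-Object { $p.Name -like "*$_*" }
        $byArgs = $ArgPatterns   | Where-Object { $p.CommandLine -and $p.CommandLine -match $_ }
        if ($byName -or $byArgs) {
            & $add 'Process' "$($p.Name) (PID $($p.ProcessId))" $p.CommandLine
        }
    }

    # 2. Services: blacklisted names, or binary paths carrying miner arguments.
    Get-CimInstance Win32_Service | ForEach-Object {
        $s = $_
        $hit = ($NameBlacklist | Where-Object { $s.Name -like "*$_*" -or $s.PathName -like "*$_*" }) -or
               ($ArgPatterns   | Where-Object { $s.PathName -match $_ })
        if ($hit) { & $add 'Service' $s.Name $s.PathName }
    }

    # 3. Scheduled tasks: inspect each action's executable and arguments.
    Get-ScheduledTask | ForEach-Object {
        $t = $_
        foreach ($a in $t.Actions) {
            $cmd = "$($a.Execute) $($a.Arguments)"
            if (($NameBlacklist | Where-Object { $cmd -like "*$_*" }) -or
                ($ArgPatterns   | Where-Object { $cmd -match $_ })) {
                & $add 'ScheduledTask' "$($t.TaskPath)$($t.TaskName)" $cmd
            }
        }
    }

    # 4. Established TCP connections to typical pool ports, mapped back to the owning process.
    Get-NetTCPConnection -State Established |
        Where-Object { $PoolPorts -contains $_.RemotePort } |
        ForEach-Object {
            $proc = Get-Process -Id $_.OwningProcess -ErrorAction SilentlyContinue
            & $add 'TcpConnection' "$($proc.Name) (PID $($_.OwningProcess))" "$($_.RemoteAddress):$($_.RemotePort)"
        }

    return $findings
}

# Usage: run as an administrator so all processes and connections are visible.
Find-MinerIndicators | Format-Table -AutoSize
```

The command-line and TCP checks are the ones that catch renamed binaries; name blacklists alone are trivially evaded, which is why the article’s recommendation pairs them with argument and connection inspection. Port matching on its own is noisy (4444 and 8888 are used by plenty of legitimate software), so treat a TcpConnection finding as a lead to corroborate against the process’s command line rather than as a verdict.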
Disclaimer: This article should not be taken as, and is not intended to provide, investment advice. Global Coin Report and/or its affiliates, employees, writers, and subcontractors are cryptocurrency investors and from time to time may or may not have holdings in some of the coins or tokens they cover. Please conduct your own thorough research before investing in any cryptocurrency and read our full disclaimer.
Image courtesy of Bart via Flickr