Mining on a grand scale
Thursday, May 17, 2018
Many of our readers still remember the WannaCry outbreak. Several Anti-virus Times issues were devoted to the incident. Let us remind you of one fact:
In the course of their research, security analysts connected a lab machine vulnerable to EternalBlue to the Internet, expecting it to be infected with WannaCry. To their surprise, the machine was instead taken over by an unexpected and far less noisy guest: the cryptocurrency miner Adylkuzz. They repeated the experiment several times with the same result: within 20 minutes of exposing the vulnerable machine to the open Web, it was enrolled in an Adylkuzz mining botnet.
Even though it was WannaCry that came to fame, the quiet miner Adylkuzz, which used the same infection vector to compromise Windows PCs, outperformed it. Adylkuzz may well have spread on an even grander scale because its infection campaign started between April 24 and May 2, 2017, well before the WannaCry outbreak.
https://habrahabr.ru/post/328932
https://null0x4d5a.blogspot.ru/2017/05/behavioral-analysis-of-adylkuzz.html
So it turns out that while everyone was scared of WannaCry, Adylkuzz was far more successful at penetrating Windows computers. Yet the media barely said a word about it.
A while ago, we mentioned this Trojan as an example of how the media often pay much more attention to less common and less dangerous malicious programs.
Meanwhile, Adylkuzz was in many ways more peculiar and more newsworthy than WannaCry. It generated income by mining cryptocurrency, and this advanced rogue application did not merely launch a mining module: it also compromised running processes.
Interestingly, Adylkuzz "took care" of the infected computers: once a system was compromised, it blocked TCP port 445 (SMB) so that other malware exploiting the same vulnerability, WannaCry included, could not infect the machine.
In an infected system, Adylkuzz would look for its own copies and terminate them, stop SMB networking, determine the machine's IP address, and download its instructions and a mining component.
The image below shows a wallet involved in the attack. Here "Hash rate" indicates how quickly the botnet is mining Monero, while "Total paid" shows the equivalent of the total amount it has mined so far.
After successfully exploiting the SMB vulnerability, the attackers injected malicious code into lsass.exe, a process that is always running on Windows machines; this gave the Trojan a foothold in the infected system. Most tasks were performed using out-of-the-box Windows utilities or additional malicious tools.
The virus makers also created a new user account, downloaded the required utilities and updated them if the versions found on the system proved to be outdated. Then the malware made sure that all of its components would launch automatically. And, of course, Mimikatz was used to harvest user credentials and access other remote hosts so that they too could be enrolled in the Monero mining botnet.
You can find out more about this here and here. Dr.Web detects the malware as Backdoor.Spy.3365.
Adylkuzz would gobble up all the available system resources for mining and tampered with the Task Manager process (taskmgr.exe) so that it would not reveal the surge in CPU and memory usage.
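The traces described above (port 445 blocked after infection, a newly created local account, a miner hiding inside lsass.exe, and a Task Manager that no longer shows the real CPU load) can each be checked without trusting the tools the malware tampers with. The following PowerShell triage pass is an added example written for this article; it is not code from the original page or from Adylkuzz. It assumes an elevated Windows PowerShell 5.1 prompt; the allowlist of ports lsass is expected to talk to, the 30-day window for account creation and the "top five" CPU cut-off are assumptions to be tuned for your environment.

```powershell
# Added example (not from the original article or from the malware): triage a
# Windows host for Adylkuzz-style traces. Run from an elevated prompt.
$report = [ordered]@{}

# 1. Is SMB being blocked locally? Adylkuzz shut TCP/445 after infection. Look at
#    Windows Firewall block rules and at legacy IPsec policies (netsh ipsec).
$blockRules = Get-NetFirewallRule -Direction Inbound -Action Block -Enabled True -ErrorAction SilentlyContinue
$report['Firewall rules blocking TCP/445'] = foreach ($r in $blockRules) {
    $pf = $r | Get-NetFirewallPortFilter
    if ($pf.Protocol -eq 'TCP' -and $pf.LocalPort -contains '445') { $r.DisplayName }
}
$report['IPsec policy lines mentioning 445'] = (netsh ipsec static show all 2>$null | Select-String '445').Line
$report['LanmanServer (SMB server) state']   = (Get-Service LanmanServer).Status

# 2. Local accounts created recently: Security event 4720 (assumption: the
#    first EventData field is TargetUserName, the account that was created).
$since = (Get-Date).AddDays(-30)   # assumption: 30-day look-back
$report['Accounts created (event 4720)'] =
    Get-WinEvent -FilterHashtable @{ LogName = 'Security'; Id = 4720; StartTime = $since } -ErrorAction SilentlyContinue |
    ForEach-Object { $_.Properties[0].Value }

# 3. lsass.exe talking to unexpected peers. The miner was injected into lsass,
#    so pool traffic would originate from that process. lsass normally only
#    speaks to domain controllers (assumed allowlist of Kerberos/LDAP/SMB ports).
$lsassPid = (Get-Process -Name lsass).Id
$dcPorts  = 88, 464, 389, 636, 445, 3268, 3269
$report['lsass connections to unexpected ports'] =
    Get-NetTCPConnection -OwningProcess $lsassPid -State Established -ErrorAction SilentlyContinue |
    Where-Object { $dcPorts -notcontains $_.RemotePort } |
    ForEach-Object { "$($_.RemoteAddress):$($_.RemotePort)" }

# 4. Measure CPU with performance counters rather than trusting Task Manager,
#    and verify that taskmgr.exe on disk still carries Microsoft's signature.
$samples = (Get-Counter '\Process(*)\% Processor Time' -ErrorAction SilentlyContinue).CounterSamples |
    Where-Object { $_.InstanceName -notin 'idle', '_total' } |
    Sort-Object CookedValue -Descending | Select-Object -First 5
$report['Top CPU consumers (%)'] = $samples | ForEach-Object { "$($_.InstanceName)=$([math]::Round($_.CookedValue))" }
$report['taskmgr.exe signature']  = (Get-AuthenticodeSignature "$env:SystemRoot\System32\taskmgr.exe").Status

$report.GetEnumerator() | ForEach-Object {
    '{0}: {1}' -f $_.Key, (($_.Value | ForEach-Object { "$_" }) -join ', ')
}
```

None of these checks is proof on its own: an administrator may legitimately block 445, and lsass will show connections to every domain controller. What matters is the combination, and the point of measuring CPU through performance counters is precisely that the number does not pass through the process the malware has tampered with.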
So it is more than just a "running application".
There is another sophisticated mining application called CoinMiner (Dr.Web detects it as Trojan.BtcMine.1505). It also uses the EternalBlue exploit from the NSA hacking tools collection to plant or launch a backdoor on a system. Its basic tasks, however, are performed by WMI (Windows Management Instrumentation) scripts. CoinMiner is not stored on disk as a file: it lives in the WMI repository and uses WMI to hide its presence. Specifically, its scripts are executed by the WMI Standard Event Consumer host (scrcons.exe).
WMI is a core Windows component that automates routine administration: scheduling, gathering system information, monitoring file operations and so on.
WMI routines can be driven from JScript, which is exactly what CoinMiner's event consumers do.
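A fileless WMI miner of this kind consists of three objects in the root\subscription namespace: an __EventFilter (the WQL trigger), an __EventConsumer (for CoinMiner, an ActiveScriptEventConsumer carrying JScript that scrcons.exe executes) and a __FilterToConsumerBinding tying them together. Listing those bindings is the standard way to hunt for it. The script below is an added example written for this article, not CoinMiner's own code; it uses Get-WmiObject (Windows PowerShell 5.1), assumes an elevated prompt, and its allowlist of known-good consumers and its "periodic trigger" heuristic are assumptions.

```powershell
# Added example (not CoinMiner's code): enumerate permanent WMI event
# subscriptions and flag script or command-line consumers. Run elevated.
$ns = 'root\subscription'
$knownGoodConsumers = @('SCM Event Log Consumer')   # assumption: default Windows binding

$filters   = @(Get-WmiObject -Namespace $ns -Class __EventFilter)
$consumers = @(Get-WmiObject -Namespace $ns -Class __EventConsumer)   # returns all subclasses
$bindings  = @(Get-WmiObject -Namespace $ns -Class __FilterToConsumerBinding)

function Get-RefName([string]$ref) {
    # Binding members are object paths such as  __EventFilter.Name="MyFilter"
    if ($ref -match 'Name="([^"]+)"') { $Matches[1] } else { $ref }
}

$findings = foreach ($b in $bindings) {
    $f = $filters   | Where-Object { $_.Name -eq (Get-RefName $b.Filter) }
    $c = $consumers | Where-Object { $_.Name -eq (Get-RefName $b.Consumer) }
    $reasons = @()
    $payload = $null
    switch ($c.__CLASS) {
        'ActiveScriptEventConsumer' {
            # Script consumers are executed by scrcons.exe; this is CoinMiner's vehicle.
            $reasons += "script consumer, engine=$($c.ScriptingEngine)"
            $payload  = if ($c.ScriptText) { $c.ScriptText } else { "file: $($c.ScriptFileName)" }
        }
        'CommandLineEventConsumer' {
            $reasons += 'command-line consumer'
            $payload  = $c.CommandLineTemplate
        }
    }
    # Assumption: a filter polling for instance modifications "WITHIN n" seconds
    # is a timer, the usual way a miner re-launches itself periodically.
    if ($f.Query -match '__InstanceModificationEvent.*WITHIN') { $reasons += 'periodic trigger' }
    if ($knownGoodConsumers -contains $c.Name) { $reasons = @() }
    if ($reasons.Count -gt 0) {
        [pscustomobject]@{
            Consumer = $c.Name
            Class    = $c.__CLASS
            Filter   = $f.Name
            Query    = $f.Query
            Why      = ($reasons -join '; ')
            Payload  = $payload
        }
    }
}

$findings | Format-List

# scrcons.exe only lives while a script consumer is executing, so a running
# instance is a live indicator worth correlating with the findings above.
Get-Process -Name scrcons -ErrorAction SilentlyContinue | Select-Object Id, StartTime

# Removal, once you are sure (with $b, $f, $c set to the offending objects):
# delete the binding first, then the filter and the consumer.
# $b | Remove-WmiObject; $f | Remove-WmiObject; $c | Remove-WmiObject
```

The ScriptText field is where the JScript body lives; for a miner it typically downloads or decodes the actual mining payload and re-runs it on every trigger, so reading it is usually enough to tell a sysadmin's automation from malware. Note that a default Windows installation does carry a benign NTEventLogEventConsumer binding, which is why the allowlist exists.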
Let's get back to WannaCry, which we discussed at the beginning of this issue. According to the British cyber-security firm Kryptos Logic (https://www.bleepingcomputer.com/news/security/wannacry-ransomware-sinkhole-data-now-available-to-organizations), in March 2018 alone, as many as 100 million requests from 2.7 million unique IP addresses reached their WannaCry sinkhole (the kill-switch domain). Even though WannaCry is far from the scariest malware out there, it lives on!
#mining #rogue_software #bitcoin
The Anti-virus Times recommends
- Miners are not just Trojans and utilities. They can spread like worms through unpatched vulnerabilities.
- Neglecting security basics can cost you dearly. The examples of CoinMiner and Adylkuzz show that, to protect a system from threats of this kind, updates must be installed promptly.