A new Monero cryptomining campaign has been detected in the wild that spreads and operates in a manner more consistent with ransomware and other attacks that rely on persistence than anything seen in cryptomining before.
Check Point researchers said these mining operations have
been on-going since mid-January and use two specific trojans, Trojan.Win32.Fsysna
and an unnamed variant of a Monero cryptominer. Although the ultimate goal of
the malware is to mine Monero, the malicious actors behind the attacks are
using some very “non cryptomining” tactics and software to accomplish their
mission, notably in how the malware propagates and persists.
“The highlight of this variant is the use of legitimate IT administration tools, Windows system tools and previously disclosed Windows vulnerabilities in order to infect an entire network of PCs,” wrote Check Point’s Richard Clayton, adding, “The actors behind this campaign possess enough skills and experience to make this a potentially severe attack on any organization with not so easy steps for remediation.”
Most trojan-based attacks are delivered via an email,
network, file or application vulnerability. It is not yet known exactly how
the miner is initially delivered, but Check Point did find that the malware uses the Mimikatz
post-exploitation tool, which harvests Windows credentials, to spread laterally through the target network. For mining
operations, size matters.
“Mining has always been about scale. The more machines
mining, the more the income. Once a single machine is breached in an
enterprise, lateral movement allows for large scale compromise which means more
machines mining,” Clayton said.
Once established, the miner begins a series of obfuscation and
persistence maneuvers. It is initially dropped into the user’s Temp folder,
but immediately makes a copy of itself in the Windows Temp
folder for persistence. The malware then checks for older versions of itself
previously installed, stops them from running and eventually cleans them from
the system, and then uses the Windows Netsh utility to open the ports it needs
to connect to the mining network.
The next level of persistence comes when a second trojan
is dropped in the Temp folder. This stops the first trojan from operating and
copies itself to the system folder as wmiex.exe, where, using
Windows’ own tools, it creates a scheduled task that mimics a web server
application and runs at startup. It then flushes the DNS cache and starts the
scheduled task it has created.
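Each step of the chain above (a copy into Windows\Temp, a Netsh firewall change, a scheduled task that runs at startup, a DNS flush, the task being started by hand) is an ordinary administrative action on its own, which is exactly why alerting on any one of them floods analysts with false positives. The following is an added detection example, not code from Check Point or from the campaign's tooling: it maps Sysmon-style process-creation events to named stages of the chain and only raises an alert when several distinct stages occur on the same host inside a short window. The event field names, the stage thresholds, the port number, the task name "WebServers" and the dropper name svchost32.exe are assumptions made for illustration; the sample events are constructed and are not taken from the report.

```python
"""Correlate living-off-the-land persistence steps per host.

Added example (not Check Point's code). Event layout, thresholds and the
sample events below are assumptions for illustration only.
"""
import re
from collections import defaultdict

WINDOW_SECONDS = 600      # assumed: stages must land within 10 minutes
ALERT_MIN_STAGES = 3      # assumed: fewer distinct stages is treated as noise

# User or system temp directories, where the droppers in the article live.
TEMP_DIR = re.compile(r"\\(?:Windows\\Temp|AppData\\Local\\Temp)\\", re.IGNORECASE)


def _basename(path):
    return path.rsplit("\\", 1)[-1].lower()


def stage_of(ev):
    """Map one process-creation event to a stage of the chain, or None.

    Each check is deliberately narrow: a single match is only a weak signal
    and is never alerted on by itself.
    """
    img = _basename(ev["image"])
    cmd = ev["cmdline"].lower()
    if (img == "cmd.exe" and re.search(r"\b(copy|move)\b", cmd)
            and "\\windows\\temp\\" in cmd and ".exe" in cmd):
        return "copy_to_windows_temp"
    if img == "netsh.exe" and "firewall" in cmd and " add " in cmd and "action=allow" in cmd:
        return "netsh_firewall_allow"
    if img == "schtasks.exe" and "/create" in cmd and re.search(r"/sc\s+(onstart|onlogon)", cmd):
        return "schtasks_startup_task"
    if img == "ipconfig.exe" and "/flushdns" in cmd:
        return "dns_flush"
    if img == "schtasks.exe" and "/run" in cmd:
        return "schtasks_run"
    return None


def detect_chain(events, window=WINDOW_SECONDS, min_stages=ALERT_MIN_STAGES):
    """Sliding window per host: alert when >= min_stages distinct stages
    occur within `window` seconds. Returns at most one alert per host."""
    by_host = defaultdict(list)
    for ev in sorted(events, key=lambda e: e["ts"]):
        stage = stage_of(ev)
        if stage:
            by_host[ev["host"]].append((ev["ts"], stage, ev))

    alerts = []
    for host, hits in by_host.items():
        for i, (t0, _, _) in enumerate(hits):
            in_window = [h for h in hits[i:] if h[0] - t0 <= window]
            stages = {h[1] for h in in_window}
            if len(stages) >= min_stages:
                alerts.append({
                    "host": host,
                    "start": t0,
                    "stages": sorted(stages),
                    # A parent running out of a temp directory makes the chain more damning.
                    "from_temp": any(TEMP_DIR.search(h[2]["parent_image"]) for h in in_window),
                })
                break
    return alerts


# Constructed sample events (not from the report): ws01 shows the whole chain,
# ws02 shows an administrator doing two similar but legitimate things.
SAMPLE_EVENTS = [
    {"host": "ws01", "ts": 100, "image": r"C:\Windows\System32\cmd.exe",
     "parent_image": r"C:\Users\alice\AppData\Local\Temp\svchost32.exe",
     "cmdline": r'cmd.exe /c copy "C:\Users\alice\AppData\Local\Temp\svchost32.exe" "C:\Windows\Temp\svchost32.exe"'},
    {"host": "ws01", "ts": 130, "image": r"C:\Windows\System32\netsh.exe",
     "parent_image": r"C:\Windows\Temp\svchost32.exe",
     "cmdline": 'netsh advfirewall firewall add rule name="Web Server" dir=in action=allow protocol=TCP localport=3333'},
    {"host": "ws01", "ts": 200, "image": r"C:\Windows\System32\schtasks.exe",
     "parent_image": r"C:\Windows\System32\wmiex.exe",
     "cmdline": r'schtasks /create /tn "WebServers" /tr "C:\Windows\System32\wmiex.exe" /sc onstart /ru SYSTEM /f'},
    {"host": "ws01", "ts": 205, "image": r"C:\Windows\System32\ipconfig.exe",
     "parent_image": r"C:\Windows\System32\wmiex.exe", "cmdline": "ipconfig /flushdns"},
    {"host": "ws01", "ts": 206, "image": r"C:\Windows\System32\schtasks.exe",
     "parent_image": r"C:\Windows\System32\wmiex.exe", "cmdline": 'schtasks /run /tn "WebServers"'},
    {"host": "ws02", "ts": 150, "image": r"C:\Windows\System32\schtasks.exe",
     "parent_image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "cmdline": r'schtasks /create /tn "Inventory" /tr "C:\Program Files\Inventory\agent.exe" /sc onlogon'},
    {"host": "ws02", "ts": 160, "image": r"C:\Windows\System32\ipconfig.exe",
     "parent_image": r"C:\Windows\System32\cmd.exe", "cmdline": "ipconfig /flushdns"},
]

if __name__ == "__main__":
    for alert in detect_chain(SAMPLE_EVENTS):
        print(alert)
```

Run on the sample, only ws01 produces an alert, listing all five stages with `from_temp` set; ws02 trips two individual stage matchers but never reaches the threshold. Real Sysmon event ID 1 records carry the same four fields used here (Image, ParentImage, CommandLine, UtcTime), so the stage matchers port directly; tune the window and threshold against your own baseline before alerting on them.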
The trojan also connects to the command-and-control server,
reports the latest information about the infected machine and then,
to make certain some money is generated, downloads a Bitcoin miner as well.
Overall, Check Point noted that the software, tools and processes
in use make this campaign difficult to spot and stop.
“The use of Windows legitimate tools such as CMD, WMI and networking tools in order to inflict damage to the system and establish persistency would make these attacks harder to detect without increasing false positive detection in the organization,” Clayton wrote.