Advanced Targeted Attack Tools Found Being Used to Distribute Cryptocurrency Miners

by Cedric Pernet, Vladimir Kropotov, and Fyodor Yarochkin

Regular cybercriminals appear to be taking a page from targeted attack actors’ playbooks — or rather, toolkits — to maximize their profits from illicit activities like cryptojacking.

One of the differences between regular cybercrime and targeted attacks is intent: The former will almost always have immediate financial gain as its main motivation while the latter will have other goals, for example, intellectual property theft. Furthermore, the mindsets of the threat actors can be very different. Regular cybercriminals will typically need to think of how they can compromise as many individual devices as possible (for example, to deliver ransomware, coin miners, or banking trojans) while targeted attack threat actors will need to plan how to infiltrate and gain full access to corporate networks and remain as discreet as possible.

In addition, targeted attack campaigns often involve extensive planning as well as the creation and use of highly specialized tools. On the other hand, normal threat actors might not have the ability or resources to plan sophisticated campaigns and their tools are more generic in nature and are often available in underground markets.

However, we recently came across evidence of a large-scale cybercrime activity that appears to combine targeted attack tools and regular cybercrime: The attackers distribute typical malware such as cryptocurrency miners and ransomware by making use of sophisticated tools that were previously mostly seen in targeted attacks. In the cases we identified, the threat actors were using a package of tools from the Equation group (which was publicly leaked by the Shadow Brokers) to compromise a large number of machines running outdated versions of Microsoft Windows OS. The technique of using advanced tools to spread more ubiquitous types of malware is a trend we have been observing lately. In fact, earlier this month we found and analyzed a malware family we called BlackSquid, which made use of well-known exploits and vulnerabilities to drop a cryptocurrency miner. The findings we discuss in this entry reinforce our suspicions that entry-level cybercriminals are gaining easy access to what we can consider “military-grade” tools — and are using them for seemingly ordinary cybercrime activity.

The activity we observed involves a cybercrime campaign that targets companies across the globe to spread a cryptocurrency miner for monetary purposes. The campaign features some interesting characteristics. For one, it only targets companies — we did not find any instances of individual users being targeted. And for another, all of the compromised machines were running outdated versions of Microsoft Windows OS, still vulnerable to already patched vulnerabilities. In addition, the campaign uses Equation group tools to deliver a cryptocurrency miner to organizations around the world.

Infection and proliferation

One of the first binaries we detected on the infected machines seems to be the possible culprit of the attack — a variant of Vools (Trojan.Win32.VOOLS.SMAL01), which is an EternalBlue-based backdoor that is used to deliver cryptocurrency miners and other malware. We also found a number of other tools in the infected systems, mainly the password dumping tool Mimikatz and Equation group tools. The final payload deployed on compromised systems is a cryptocurrency miner. Using data from the Trend Micro Smart Protection Network security architecture, we can confirm that all of the compromised systems appear to be on internal segments of compromised networks.

While we could not confirm the origin of the infection, during our research we managed to find a sample that seems to be an installer which sends an HTTP request to the following server:

• log.boreye[.]com/ipc.html?mac={MAC address}&ip={IP address}&host={host}&tick=6min&c=error_33

However, we have been unable to retrieve any miners from the URL at the time of writing. Furthermore, the site is already inactive and have possibly been migrated to a different location by the threat actors behind the attack.

We identified a common file located in the main Windows folder of all the infected machines:

• C:\Windows\NetworkDistribution\Diagnostics.txt

The .TXT file extension used is just a trick to avoid detection. The file is in fact a ZIP archive file that contains several files (the Equation toolkit components), as shown in the image below. (Notice the presence of many familiar names such as EternalBlue and EternalChampion.) On the other hand, the DLL files, which we observed were being dropped on the target machine, match the contents of a folder in the same GitHub repository as the leak’s.

Figure 1. The files located inside the zip archive

All these files are freely accessible for everyone on the internet to use. Although the vulnerabilities they exploit have already been patched, they can still be used successfully on systems that have not applied the update.

The cryptocurrency miner

Since we began tracking it in March 2019, we found more than 80 different files in the wild that are involved in the campaign based on their hashes. All these files are variants of the open-source XMRig (Monero) miner, which is used at scale by numerous cybercriminals worldwide. These variants are detected as either Coinminer.Win32.MALXMR.SMBM4 or Coinminer.Win64.TOOLXMR.SMA.

Configurations from the samples we found reveal a number of mining servers such as the following:

• coco[.]miniast[.]com:443
• iron[.]tenchier[.]com:443
• cake[.]pilutce[.]com:443
• pool[.]boreye[.]com:53

Another one, though we do not have a sample, is log.miniast[.]com.

Interestingly enough, the first three domains were registered on March 17, 2019, which is the date the campaign started based on our observations. These domains were registered anonymously while the older domain boreye[.]com was registered on October 17, 2018 using an email address that has only been used to register that single domain. User credentials are needed to connect to the mining server, but only the password is needed to retrieve new hashes.

Figure 2 shows the configurations we observed with the miner binaries used by the attacker.

Note: The passwords have been removed.

Figure 2. Screenshot of the configurations used by the cryptocurrency miner binaries

As can be seen in Figure 2, the usernames used are very similar. In addition, they all use the same password, which is a good indication that the same threat actor handles all the samples. The miner always uses the name dllhostex.exe. Furthermore, the binary is always located either in the “system32” or in the “SysWOW64” folder of the infected Windows machine, depending on the miner variant.

The targets of the campaign

The campaign seems to be widespread, with targets located in all regions of the world. Countries with large populations such as China and India also had the most number of organizations being targeted. This seems to indicate that the threat actors weren’t selective with their victims, opting for a “shotgun” method of attack, rampaging through the internal networks of compromised organizations rather than seeking out individual targets.

Figure 3. Distribution of targeted organizations according to country

The campaign also targeted businesses across a wide range of industries, including education, communication and media, banking, manufacturing, and technology. Again, rather than concentrate on specific industries, the attackers happen to choose targets that used obsolete or unpatched software. A large majority (roughly 83%, including all versions) of affected computers were running Windows Server 2003 SP2. This was followed by Windows 7 Ultimate Professional SP1 and Windows XP Professional.

Conclusion

While it takes some skill to deploy a large-scale campaign, it requires almost none to use tools such as the sophisticated ones leaked from the Equation group. The easy availability of these tools in the underground cybercrime markets, where ready-to-use mining servers are also being sold, allow even run-of-the-mill cybercriminals the ability to make use of them for seemingly “regular” cybercrime activity. As we discussed in our  paper entitled “Security in the Era of Industry 4.0: Dealing With Threats to Smart Manufacturing Environments,” a number of industries depend on running significantly outdated systems, rendering them vulnerable to exploits despite the fact that the vulnerabilities already have patches.

The presence of automated attack platforms and the use of lateral movement techniques in compromised infrastructure for ubiquitous threats such as cryptocurrency miners and ransomware mean that even internal networks with vulnerable systems become easy targets for cybercriminals. The campaign we discussed in this post is only one of many we have observed in recent months. It shouldn’t come as a surprise to see more instances of non-professional threat actors using professional tools to make their attacks more effective. Given what we’ve observed, we cannot stress enough the need for organizations to update their systems as soon as possible to minimize risk and prevent these kinds of threats from affecting their systems.

Trend Micro Solutions

Trend Micro endpoint solutions such as the Trend Micro Smart Protection Suites and Worry-Free Business Security can protect users and businesses from threats such as cryptocurrency miners by detecting malicious files and blocking all related malicious URLs. Enterprises can also monitor all ports and network protocols for advanced threats with the Trend Micro Deep Discovery Inspector network appliance.

Indicators of Compromise (IoCs)

Network IOCs

• miniast[.]com:443
• tenchier[.]com:443
• boreye[.]com:80
• boreye[.]com:53
• pilutce[.]com:443

Coin miner sample hashes

The post Advanced Targeted Attack Tools Found Being Used to Distribute Cryptocurrency Miners appeared first on .

Read more: Advanced Targeted Attack Tools Found Being Used to Distribute Cryptocurrency Miners