Monero Coin Mining Malware


Lately, while reviewing and classifying samples, I have been seeing an increase in CoinMiners, especially CoinMiners oriented to mining the Monero virtual coin. For this reason I decided to write a short article about virtual coin mining and this kind of malware.

 

Virtual Coin Mining

Blockchain technology is a complex world, and so are virtual currencies. It is impossible to explain them in depth here. I would recommend these articles about the bitcoin network and bitcoin mining:

http://www.righto.com/2014/02/bitcoins-hard-way-using-raw-bitcoin.html

http://www.righto.com/2014/02/bitcoin-mining-hard-way-algorithms.html

From those articles, we can read:

“transactions are recorded in the distributed database through mining. Transactions are grouped into blocks and about every 10 minutes a new block of transactions is sent out, becoming part of the transaction log known as the blockchain, which indicates the transaction has been made (more-or-less) official”

The task of mining is hard. In the case of bitcoin, the miner repeatedly hashes the block header (which commits to the new transactions through the merkle root) together with a nonce, using double SHA-256, until the resulting hash is below the current target, which in practice means the hash starts with enough zeros.

Again from the articles, where it is explained much better than in my words 😀 :

“you first collect the new transactions into a block. Then you hash the block to form a 256-bit block hash value. If the hash starts with enough zeros, the block has been successfully mined and is sent into the Bitcoin network and the hash becomes the identifier for the block. Most of the time the hash isn’t successful, so you modify the block slightly and try again, over and over billions of times. About every 10 minutes someone will successfully mine a block, and the process starts over.”

If you are lucky and you mine a block, the network gives you a reward (newly issued coins, plus the fees of the transactions in the block).
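To make the previous paragraphs concrete, here is the nonce search in Python. This is my own added example, not code from the linked articles or from any real miner: it serializes an 80-byte header, double-SHA-256 hashes it and compares the result against the target expanded from the compact "bits" field. The real genesis block is used as a sanity check of the header layout; the toy block's previous hash, merkle root and timestamp are constructed values.

```python
import hashlib
import struct

# Added example; not code from the linked articles or from any miner. It is a
# toy version of the bitcoin proof-of-work search described above, plus a
# check against the real genesis block so that the header layout, the
# double SHA-256 and the "leading zeros" convention are verified, not assumed.


def double_sha256(data):
    return hashlib.sha256(hashlib.sha256(data).digest()).digest()


def serialize_header(version, prev_hash_hex, merkle_root_hex, timestamp, bits, nonce):
    """80-byte block header. Hashes are given in display (big-endian hex) form
    and stored byte-reversed; integers are little-endian."""
    return (struct.pack("<I", version)
            + bytes.fromhex(prev_hash_hex)[::-1]
            + bytes.fromhex(merkle_root_hex)[::-1]
            + struct.pack("<III", timestamp, bits, nonce))


def target_from_bits(bits):
    """Expand the compact 'bits' field (1-byte exponent, 3-byte mantissa)."""
    return (bits & 0x00FFFFFF) << (8 * ((bits >> 24) - 3))


def hash_to_int(digest):
    # The digest is compared as a little-endian integer, which is why the
    # byte-reversed display form of a valid block hash starts with zeros.
    return int.from_bytes(digest, "little")


def leading_zero_bits(digest):
    return 256 - hash_to_int(digest).bit_length()


def display_hash(digest):
    return digest[::-1].hex()


def mine(version, prev_hash_hex, merkle_root_hex, timestamp, bits, max_nonce=1 << 32):
    """Try nonces until the header hash is at or below the target. Returns
    (nonce, digest), or None when the nonce space is exhausted (a real miner
    then changes the timestamp or the coinbase transaction and starts over)."""
    target = target_from_bits(bits)
    for nonce in range(max_nonce):
        digest = double_sha256(serialize_header(
            version, prev_hash_hex, merkle_root_hex, timestamp, bits, nonce))
        if hash_to_int(digest) <= target:
            return nonce, digest
    return None


# Real bitcoin genesis block, public data.
GENESIS = dict(version=1, prev_hash_hex="00" * 32,
               merkle_root_hex="4a5e1e4baab89f3a32518a88c31bc87f618f76673e2cc77ab2127b7afdeda33b",
               timestamp=1231006505, bits=0x1D00FFFF, nonce=2083236893)
GENESIS_HASH = "000000000019d6689c085ae165831e934ff763ae46a2a6c172b3f1b60a8ce26f"


def verify_genesis():
    """True if our serialization and hashing reproduce the genesis block hash."""
    digest = double_sha256(serialize_header(**GENESIS))
    return (display_hash(digest) == GENESIS_HASH
            and hash_to_int(digest) <= target_from_bits(GENESIS["bits"]))


# Constructed toy block: fake previous hash and merkle root, and an easy
# target (bits=0x1F00FFFF asks for 16 leading zero bits, about 65k tries).
TOY = dict(version=2, prev_hash_hex=hashlib.sha256(b"previous block").hexdigest(),
           merkle_root_hex=hashlib.sha256(b"constructed transactions").hexdigest(),
           timestamp=1500000000, bits=0x1F00FFFF)


def mine_toy():
    return mine(**TOY)


if __name__ == "__main__":
    print("genesis reproduced:", verify_genesis())
    nonce, digest = mine_toy()
    print("toy block mined with nonce %d: %s (%d leading zero bits)"
          % (nonce, display_hash(digest), leading_zero_bits(digest)))
```

The toy target needs roughly 65 thousand hashes; the real network target (32 leading zero bits already for the genesis block, far more today) is what makes the search infeasible on a single CPU and is the reason the pools described next exist.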

 

Mining Pools

As we have said, mining is a very hard task. In addition, you are competing against other miners to mine the block and get the reward.

If you have a lot of specialized machines working on the task, you could try to mine by yourself, but if you are a user with limited resources it is almost impossible to mine a block. For this reason mining pools were created:

“Bitcoin mining pools are a way for Bitcoin miners to pool their resources together and share their hashing power while splitting the reward equally according to the amount of shares they contributed to solving a block.”

 

Bitcoin Mining in practice

If you mine by yourself, without a mining pool, you need to run a full node, that is, the official Bitcoin Core client:

https://bitcoin.org/en/download

With this client you become a node of the bitcoin network and you download the whole blockchain (hundreds of gigabytes today). Recent versions of Bitcoin Core no longer include a CPU miner, so you would still point mining software at your own node, but if you mine a block the full reward is yours. It is really hard with common hardware.

The best option for an ordinary user mining at home is to use a mining pool. Here is a list of pools:

https://www.bitcoinmining.com/bitcoin-mining-pools/

For example, we will choose https://slushpool.com for the tests. We register on the website and create a worker (it is only a way to have multiple miners under the same account). When you create a worker you get a miner login. For example, my user is jvvallejo and my worker's name is worker1, so my miner login is jvvallejo.worker1.

Now we need hardware and software to mine.

It is possible to buy hardware created exclusively for mining (Antminers, from https://www.bitmain.com/, are the most famous machines for this purpose), but you can also mine with your computer and special software.

Cgminer is well-known mining software:

https://github.com/ckolivas/cgminer

http://ck.kolivas.org/apps/cgminer

However, the latest versions of cgminer are oriented to mining with special USB hardware. It is possible to compile a version of cgminer with CPU or GPU support, but to go faster I will use another known miner, poclbm (an OpenCL GPU miner written in Python):

https://en.bitcoin.it/wiki/Poclbm

You could also look at guiminer, a GUI front end for poclbm.

With a pool and mining software, it is easy to start mining. With Slush, the needed parameters are:

URL: stratum+tcp://stratum.slushpool.com:3333
userID: userName.workerName (jvvallejo.worker1 in my case)
password: anything

We would call poclbm like this:

poclbm.exe jvvallejo.worker1:anything@stratum.slushpool.com:3333 --device=1 --platform=0 --verbose -r1

With this, the miner starts to work. Depending on the computational power you contribute to the pool, a proportional part of the mining reward is given to you (usually you can consult statistics on the pool website).

The problem with mining on a computer is that you usually won't contribute much computational power, so you will get low rewards. Somewhere, sometime, someone thought he would get higher rewards with a lot of machines mining at the same time, and mining malware appeared 🙂

 

Monero and other virtual currencies

Until now I have been talking about bitcoin because it is the best-known virtual currency, but there are a lot of them:

https://en.wikipedia.org/wiki/List_of_cryptocurrencies

For some reason, a wave of different malware families mining Monero is appearing. Monero's mining algorithm is named CryptoNight. You can read about it here:

https://steemit.com/bitcoin/@knyaz/cryptonight-algorithm-and-how-to-mine-cryptocurrency-monero-bytecoin-etc

“CryptoNight is a proof-of-work algorithm. It is designed to be suitable for ordinary PC CPUs, but currently no special purpose devices for mining are available. Therefore, CryptoNight can only be CPU-mined for the time being.”

At the time of writing there is no hardware made specifically for mining Monero. It can only be mined with ordinary computers, so there is less competition and blocks are easier to mine. That is probably one reason for malware authors to mine Monero. Another is that Monero is designed as a privacy coin: ring signatures and stealth addresses hide the sender, the receiver and the amount, so the payouts are hard to trace back.

Mining Monero is done in the same way as mining bitcoin. You need a Monero mining pool and mining software for Monero.

cpuminer-multi is a well-known, widely used miner for Monero:

https://github.com/OhGodAPet/cpuminer-multi

Moneropool.com is a known pool:

http://www.moneropool.com

With this pool you don't need to register. You give your wallet address as the user parameter, so the pool knows which wallet to send the reward to.

We would call cpuminer like this (the wallet below is a placeholder; a real Monero address is a 95-character base58 string starting with 4):

cpuminer.exe -a cryptonight -o stratum+tcp://mine.moneropool.com:3333 -u 1DfWX7343mTrBye1FRWm9evC3p4DtcdJIO7asdSk8lsieHVFe2SopjaIO4sfenc0ijedf6anleacjn3LCVXjVwPeiI39qsc -p anything

That is enough to start mining Monero on your computer.

 

Monero Mining Malware (samples analysis)

The CoinMiners I have analyzed use common malware techniques (anti-debugging tricks, worm behaviour, etc.), but the coin-mining part is very similar to what I explained in the previous sections.

Until now I have not seen mining malware implementing its own mining code or running its own mining pool on its own server. Maybe they exist, but I have not seen them. The miners I have seen are simpler: they drop mining software such as cpuminer (probably packed with some packer) and call the miner with parameters for mining with a pool.

 

Sample aba2d86ed17f587eb6d57e6c75f64f05

Let's take a look at the sample aba2d86ed17f587eb6d57e6c75f64f05. Here you can find a report about this sample:

https://github.com/vallejocc/Malware-Analysis-Reports/blob/master/Trojan/Mupad_Microsoft/a30713271c6b283c39aeeba45c37adcf.pdf

It seems to be a simple worm with mining capabilities. Looking at the strings of the malware we can get an idea of its behaviour:

[screenshot omitted]

Basically, we can see the malware starts a cpuminer process to mine Monero. It uses two well-known Monero mining pools, moneropool.com and minexmr.com.

The author's wallet:

42n7TTpcpLe8yPPLxgh27xXSBWJnVu9bW8t7GuZXGWt74vryjew2D5EjSSvHBmxNhx8RezfYjv3J7W63bWS8fEgg6tct3yZ

(Public pools could maintain blacklists of wallets known to be used by malware and refuse to pay them out.)
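Since the samples in this post all start a stock miner with pool parameters on the command line, the cheapest detection is to look at process command lines for exactly those parameters. The following Python scanner is my own added example, not code from the post, from cpuminer or from any sample: it pulls the algorithm, pool host and port and wallet out of a command line, validates the wallet syntactically as a Monero address and counts indicators. The command lines it scans are constructed; the second and fourth carry the wallet recovered above, the pool.minexmr.com host and the 203.0.113.10 address are invented, and the pool domain list only contains the pools named in this post.

```python
import re
import shlex
from urllib.parse import urlparse

# Added example; not code from the original post, from cpuminer or from any
# sample. It inspects process command lines (Sysmon event 1, EDR telemetry,
# a sandbox report) for what the samples in this post have in common: miner
# switches for cryptonight, a stratum pool URL and a Monero address as user.

BASE58_ALPHABET = set("123456789ABCDEFGHJKLMNPQRSTUVWXYZabcdefghijkmnopqrstuvwxyz")
# Monero standard addresses: 95 base58 chars starting with "4" (subaddresses "8").
MONERO_ADDR_RE = re.compile(r"(?<![1-9A-Za-z])[48][1-9A-HJ-NP-Za-km-z]{94}(?![1-9A-Za-z])")
STRATUM_RE = re.compile(r"stratum\+(?:tcp|ssl)://[\w.\-]+:\d{2,5}", re.IGNORECASE)
# Pool domains named in this post; extend from your own intel.
KNOWN_POOL_DOMAINS = ("moneropool.com", "minexmr.com", "slushpool.com")
# Names a CPU miner is normally started under (cpuminer builds as minerd).
KNOWN_MINER_NAMES = ("cpuminer", "cpuminer.exe", "minerd", "minerd.exe")


def validate_monero_address(addr):
    """Syntactic check only (length, prefix, alphabet); the trailing 4-byte
    Keccak-256 checksum is not verified, that would need a Keccak library."""
    if len(addr) != 95:
        return False, "length %d, expected 95" % len(addr)
    if addr[0] not in "48":
        return False, "prefix %r, expected 4 or 8" % addr[0]
    bad = sorted(set(addr) - BASE58_ALPHABET)
    if bad:
        return False, "non-base58 characters: " + "".join(bad)
    return True, "ok"


def is_known_pool(host):
    return any(host == d or host.endswith("." + d) for d in KNOWN_POOL_DOMAINS)


def inspect_cmdline(cmd):
    """Pull miner parameters out of one command line and list the indicators."""
    argv = []
    for tok in shlex.split(cmd, posix=False):   # keep Windows backslashes intact
        if tok.startswith("--") and "=" in tok:  # --url=... -> ["--url", "..."]
            argv.extend(tok.split("=", 1))
        else:
            argv.append(tok)
    info = {"binary": argv[0] if argv else "", "algo": None, "pool_host": None,
            "pool_port": None, "wallet": None, "wallet_valid": False,
            "wallet_note": "", "indicators": []}
    for flag, value in zip(argv, argv[1:]):     # cpuminer-multi style switches
        if flag in ("-a", "--algo"):
            info["algo"] = value.lower()
        elif flag in ("-o", "--url"):
            parsed = urlparse(value)
            info["pool_host"], info["pool_port"] = parsed.hostname, parsed.port
        elif flag in ("-u", "--user"):
            info["wallet"] = value
    if info["wallet"] is None:                   # address embedded elsewhere?
        m = MONERO_ADDR_RE.search(cmd)
        info["wallet"] = m.group(0) if m else None
    if info["algo"] and "cryptonight" in info["algo"]:
        info["indicators"].append("cryptonight algorithm switch")
    if STRATUM_RE.search(cmd):
        info["indicators"].append("stratum pool URL")
    if info["pool_host"] and is_known_pool(info["pool_host"]):
        info["indicators"].append("known public pool: " + info["pool_host"])
    if info["wallet"]:
        info["wallet_valid"], info["wallet_note"] = validate_monero_address(info["wallet"])
        if info["wallet_valid"]:
            info["indicators"].append("monero address as pool user")
    name = info["binary"].replace("\\", "/").split("/")[-1].strip('"').lower()
    if len(info["indicators"]) >= 2 and name not in KNOWN_MINER_NAMES:
        info["indicators"].append("miner switches under unexpected binary name: " + name)
    return info


def is_miner(cmd):
    return len(inspect_cmdline(cmd)["indicators"]) >= 2


# Wallet recovered from sample aba2d86ed17f587eb6d57e6c75f64f05 (shown above).
PAGE_WALLET = ("42n7TTpcpLe8yPPLxgh27xXSBWJnVu9bW8t7GuZXGWt74v"
               "ryjew2D5EjSSvHBmxNhx8RezfYjv3J7W63bWS8fEgg6tct3yZ")
# Constructed command lines: the cpuminer line from this post (placeholder
# wallet), a cpuminer build under its usual minerd name with an invented
# minexmr.com host, a benign process, and the same switches under a renamed
# binary talking to a TEST-NET address.
SAMPLES = [
    "cpuminer.exe -a cryptonight -o stratum+tcp://mine.moneropool.com:3333 "
    "-u 1DfWX7343mTrBye1FRWm9evC3p4DtcdJIO7asdSk8lsieHVFe2SopjaIO4sfenc0ijedf6anleacjn3LCVXjVwPeiI39qsc -p anything",
    "minerd.exe --algo=cryptonight --url=stratum+tcp://pool.minexmr.com:4444 --user=" + PAGE_WALLET + " --pass=x",
    "notepad.exe C:\\Users\\alice\\notes.txt",
    "C:\\Windows\\Temp\\svchost.exe -a cryptonight -o stratum+tcp://203.0.113.10:3333 -u " + PAGE_WALLET + " -p x -t 4",
]


def scan(cmdlines):
    """Return the inspection results for every command line that looks like a miner."""
    return [inspect_cmdline(c) for c in cmdlines if is_miner(c)]


if __name__ == "__main__":
    for hit in scan(SAMPLES):
        print(hit["binary"], hit["pool_host"], hit["pool_port"], hit["wallet_note"])
        for ind in hit["indicators"]:
            print("   ", ind)
```

Two points worth noting. The placeholder wallet from the cpuminer example earlier in the post fails the syntactic check (it starts with 1 and contains characters outside the base58 alphabet), while the wallet recovered from the sample passes, so the same check separates a real payout address from documentation noise. And a renamed binary (here svchost.exe in a temp directory) with miner switches is a stronger signal than the switches alone; the extracted wallet is the pivot for hunting the same campaign across hosts and, as suggested above, for pool-side blacklisting.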

As part of the worm code, it seems to copy itself to every drive letter from a:\ to z:\.

It has a short user:password list:

[screenshot omitted]

It generates random IP addresses and tries to connect to them with these logins and passwords:

[screenshot omitted]

When it finds an FTP server it can log into, it walks the server's files, uploads a file named photo.scr, and tries to modify php, html and similar files:

[screenshot omitted]

Here is the list of files it tries to modify:

[screenshot omitted]

That is a quick dissection of the sample aba2d86ed17f587eb6d57e6c75f64f05. It is a simple worm with a Monero mining payload. As we saw, it doesn't use its own mining code; it uses well-known mining tools, and it uses well-known public pools.

 

Sample a30713271c6b283c39aeeba45c37adcf

A report about this sample:

https://github.com/vallejocc/Malware-Analysis-Reports/blob/master/Trojan/Mupad_Microsoft/a30713271c6b283c39aeeba45c37adcf.pdf

Again, this sample uses third-party tools to mine Monero:

[screenshot omitted]

In this case it seems to try to use the GPU in addition to the CPU:

[screenshot omitted]

 

Sample 4a3770627d1a0ae6c616a19f1645109e

We can see the hybrid-analysis report here:

https://www.hybrid-analysis.com/sample/a3039a60a707e1009ba3b39fe799623609ed2781110dab211f28c736878cf877?environmentId=100

It is another Monero miner with similar behaviour; in the strings from the analysis we find:

[screenshot omitted]

 

Sample 04ac0581436c838fdeb59f0aa79d1de7

One more:

https://www.hybrid-analysis.com/sample/21d69d32c5eb6c0b4781dcf872e1ddb8ba797b12c15c25b74d948d3cb8f02fd9/?environmentId=100

With similar behaviour:

[screenshot omitted]

 

 
