Malicious cryptocurrency miners are the latest ‘trend’ among cybercriminals. A miner is malicious software installed on a victim’s system that uses its processing power to mine a cryptocurrency coin, making money for the bad actor at someone else’s expense.

We’ve seen cryptomining capabilities inserted into the latest releases of malware that previously used other means to extort money or abuse their victims’ computer resources. Notably, attack campaigns using Trickbot and the RIG Exploit Kit have dabbled in spreading malicious cryptocurrency miners. Malspam and malicious ad traffic have been leading to droppers, so the possible infection methods extend well beyond code running within your web browser.

This blog post highlights the infrastructure seen in some of the latest observed examples of SupremeMiner, which is used to mine Monero on compromised systems. [Thanks to Brian Carter for helping to identify it]

SupremeMiner

These panels were observed over a 3 month period. Let’s take a look at the panel interface. The original is in Russian and has been translated for the screen captures.

The login page:

Oftentimes these types of panels still have the default login and password in use.

Once you’re logged in, you can see an overview of stats for all of the systems that have been infected with your cryptominer and are reporting back to the command and control server.

The ‘workers’ are infected systems. For each one the panel lists the IP address, last contact time, CPU info, video card info, OS info, and the version of the miner running, along with the miner’s status. More information is available by clicking on each system: the computer name, whether antivirus is installed, whether the miner is running with admin privileges, and the installation path. The installation path is always in ProgramData within a temp folder.

A section for managing the stop/start/reload/update of the miner.

The ‘settings’ page where you upload your miner that will be distributed to the systems that are under your control.

Miner data:

{
  "id": "250f8bc28a1fdbf1",
  "worker_id": ***,
  "version": "2.6.5",
  "kind": "proxy",
  "algo": "cryptonight",
  "mode": "nicehash",
  "ua": "xmrig-proxy/2.6.5 (Windows NT 6.3; Win64; x64) libuv/1.22.0 msvc/2017",
  "uptime": 73648,
  "donate_level": 1,
  "donated": 0.0,
  "hashrate": {
    "total": [0.0, 0.0, 0.01, 0.04, 0.03, 0.03]
  },
  "miners": {
    "now": 6,
    "max": 6
  },
  "upstreams": 1,
  "results": {
    "accepted": 139,
    "rejected": 0,
    "invalid": 0,
    "expired": 0,
    "avg_time": 529,
    "latency": 79,
    "hashes_total": 2780139,
    "hashes_donate": 0,
    "best": [2351176, 1249258, 1029529, 363489, 335290, 255804, 253072, 245201, 198027, 189233]
  }
}
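The miner data above is the summary record of an xmrig-proxy instance. The following added example (not code from the original post) reduces such a record to the fields an analyst wants in a ticket, using the post's record with the redacted worker_id replaced by a constructed placeholder; it also tolerates null hashrate entries, which live output can contain before a window has data.

```python
# Triage helper for the xmrig-proxy summary record shown above. Added example, not code
# from the original post; SAMPLE_SUMMARY is the post's record with worker_id replaced
# by a constructed placeholder.
import json

SAMPLE_SUMMARY = """{
  "id": "250f8bc28a1fdbf1",
  "worker_id": "REDACTED-WORKER-ID",
  "version": "2.6.5", "kind": "proxy", "algo": "cryptonight", "mode": "nicehash",
  "ua": "xmrig-proxy/2.6.5 (Windows NT 6.3; Win64; x64) libuv/1.22.0 msvc/2017",
  "uptime": 73648, "donate_level": 1, "donated": 0.0,
  "hashrate": {"total": [0.0, 0.0, 0.01, 0.04, 0.03, 0.03]},
  "miners": {"now": 6, "max": 6},
  "upstreams": 1,
  "results": {"accepted": 139, "rejected": 0, "invalid": 0, "expired": 0,
              "avg_time": 529, "latency": 79, "hashes_total": 2780139, "hashes_donate": 0}
}"""

def triage(summary_text: str) -> dict:
    """Reduce one summary record to the fields worth putting in an incident ticket."""
    s = json.loads(summary_text)
    results = s.get("results", {})
    accepted = results.get("accepted", 0)
    submitted = accepted + sum(results.get(k, 0) for k in ("rejected", "invalid", "expired"))
    # Live output can carry null in the hashrate array before a window has data; skip those.
    rates = [r for r in s.get("hashrate", {}).get("total", []) if isinstance(r, (int, float))]
    uptime = int(s.get("uptime", 0))
    ua = s.get("ua", "")
    return {
        "proxy_id": s.get("id"),
        "software": ua,                      # exact UA string: a good pivot for proxy/egress logs
        "is_xmrig_proxy": s.get("kind") == "proxy" and ua.startswith("xmrig-proxy/"),
        "algo_mode": f"{s.get('algo')}/{s.get('mode')}",
        "connected_miners": s.get("miners", {}).get("now", 0),
        "peak_miners": s.get("miners", {}).get("max", 0),
        "share_accept_ratio": round(accepted / submitted, 3) if submitted else None,
        "hashes_total": results.get("hashes_total", 0),
        "peak_hashrate": max(rates) if rates else None,
        "uptime_hms": f"{uptime // 3600}h{uptime % 3600 // 60:02d}m{uptime % 60:02d}s",
    }

if __name__ == "__main__":
    for key, value in triage(SAMPLE_SUMMARY).items():
        print(f"{key:>20}: {value}")
```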

Country and ASN info for hosting IPs of the malicious panels:


Requestor countries:

Thailand
USA
UK
Cyprus
Canada
NL
Morocco
Ukraine
Slovakia
India
El Salvador

Looking into the Infrastructure

In researching the hosting IPs of these panels, we wanted to see if there were any relationships between the infrastructure or systems being used between them. A force directed graph here shows relationships between hosting IPs and domain names of the panels:

Then we further enriched the data by pivoting to other known malicious domains we’d seen on the given hosting IPs. This graph shows how much each cluster grows.
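The clustering and pivot described above, as an added example that is not the post's own tooling: panel domains are linked through shared hosting IPs, and each cluster is then enriched with other domains observed on those IPs so its growth can be measured. All hostnames and IPs below are constructed placeholders.

```python
# Infrastructure pivot as described above: cluster panel domains by shared hosting IP, then
# enrich with other domains seen on those IPs and measure how each cluster grows. Added
# example, not the post's own tooling; hostnames and IPs below are constructed placeholders.
from collections import defaultdict

# Constructed passive-DNS style (domain, IP) records using RFC 5737 documentation addresses.
PANEL_RECORDS = [
    ("panel-a.invalid", "192.0.2.67"),
    ("panel-b.invalid", "192.0.2.66"),
    ("panel-b.invalid", "192.0.2.67"),       # one panel on two hosts links the two IPs
    ("panel-c.invalid", "198.51.100.107"),
]
ENRICHMENT_RECORDS = [
    ("other-1.invalid", "192.0.2.66"),
    ("other-2.invalid", "198.51.100.107"),
    ("other-3.invalid", "198.51.100.107"),
    ("other-4.invalid", "203.0.113.199"),    # IP tied to no panel: must not join any cluster
]

def build_graph(records):
    """Undirected adjacency between ('domain', name) and ('ip', addr) nodes."""
    adj = defaultdict(set)
    for domain, ip in records:
        adj[("domain", domain)].add(("ip", ip))
        adj[("ip", ip)].add(("domain", domain))
    return adj

def component(adj, start):
    """All nodes reachable from start (iterative DFS), as a sorted list."""
    seen, stack = {start}, [start]
    while stack:
        node = stack.pop()
        for nb in adj.get(node, ()):
            if nb not in seen:
                seen.add(nb)
                stack.append(nb)
    return sorted(seen)

def pivot_growth(panel_records, enrichment_records):
    """Per panel cluster: its panel domains and node count before/after enrichment."""
    base = build_graph(panel_records)
    enriched = build_graph(panel_records + enrichment_records)
    report, covered = [], set()
    for domain, _ in panel_records:
        seed = ("domain", domain)
        if seed in covered:
            continue
        before = component(base, seed)
        covered.update(before)
        report.append({"panels": [n for k, n in before if k == "domain"],
                       "before": len(before), "after": len(component(enriched, seed))})
    return report
```

Calling pivot_growth(PANEL_RECORDS, ENRICHMENT_RECORDS) gives one row per cluster; the unrelated other-4 host stays outside every cluster because it shares no IP with a panel.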

Visibility

Malicious cryptominers running in your network can cause issues on business-critical systems by hijacking processing power and causing system crashes. Beyond that, the system is no longer fully under your control, and depending on the malware being used, modules can be executed to extract your private data or drop additional malware.

To gain visibility into cryptomining in your network, we have the ‘Cryptomining’ category that can be enabled in Cisco Umbrella. For more information please see this article.

Related IOCs

(not all IOCs are specifically meant to be a ‘block list’)

Malicious domains, panels:



C&Cs

5.188.231[.]110
5.8.88[.]59
