Malicious cryptocurrency miners have been the latest ‘trend’ with cybercriminals. This is malicious software that gets installed onto a victim’s system and uses its processing power to mine a cryptocurrency coin, making money for the bad actor at the expense of someone else.
We’ve seen cryptomining capabilities inserted into the latest releases of malware that previously used other means to extort money from victims or abuse their computing resources. Notably, attack campaigns using Trickbot and the RIG Exploit Kit have dabbled in spreading malicious cryptocurrency miners. Malspam and malicious ad traffic have been leading to droppers, so the possible infection methods extend beyond code running only within your web browser.
This blog post is going to highlight the infrastructure seen in some of the latest examples observed of the SupremeMiner, which is used to mine Monero on compromised systems. [Thanks to Brian Carter for helping to identify]
SupremeMiner
These panels were observed over a 3-month period. Let’s take a look at the panel interface. The original is in Russian and has been translated for the screen captures.
The login page:
Often these types of panels still have the default login/password in use.
Once you’re logged in, you can see an overview of stats for all of the systems that have been infected with your cryptominer and are reporting back to the command and control server.
The ‘workers’ are infected systems. It gives IP address, last contact time, CPU info, video card info, OS info, and the version of the miner running. You can see the status of the miner. More information is available by clicking on each system, like computer name, whether there is an antivirus installed on the system, whether the miner is running with admin privileges, and the installation path. The installation path is always in ProgramData within a temp folder.
A section for managing the stop/start/reload/update of the miner.
The ‘settings’ page where you upload your miner that will be distributed to the systems that are under your control.
Miner data:
```json
{ "id": "250f8bc28a1fdbf1", "worker_id": ***, "version": "2.6.5", "kind": "proxy", "algo": "cryptonight", "mode": "nicehash", "ua": "xmrig-proxy/2.6.5 (Windows NT 6.3; Win64; x64) libuv/1.22.0 msvc/2017", "uptime": 73648, "donate_level": 1, "donated": 0.0, "hashrate": { "total": [ 0.0, 0.0, 0.01, 0.04, 0.03, 0.03 ] }, "miners": { "now": 6, "max": 6 }, "upstreams": 1, "results": { "accepted": 139, "rejected": 0, "invalid": 0, "expired": 0, "avg_time": 529, "latency": 79, "hashes_total": 2780139, "hashes_donate": 0, "best": [ 2351176, 1249258, 1029529, 363489, 335290, 255804, 253072, 245201, 198027, 189233 ] } }
```
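The miner data above is the summary an xmrig-proxy instance reports back to the panel. The script below is an added example (not code from the post or from the panel) that parses that summary exactly as printed, including the redacted `***` worker_id with its missing comma, and reduces it to the facts an analyst wants when triaging a reporting host: which software it runs, on what platform, how many miners sit behind the proxy, and how much work it has submitted. The `MINER_UA_PREFIXES` list and the `triage` field names are this example's own choices.

```python
import json
import re

# The xmrig-proxy summary printed in the post, copied as it appears there:
# the worker_id is redacted with "***" and the comma after it is missing,
# so the text is not valid JSON until it is sanitized.
RAW_SUMMARY = r'''{ "id": "250f8bc28a1fdbf1", "worker_id": *** "version": "2.6.5", "kind": "proxy", "algo": "cryptonight", "mode": "nicehash", "ua": "xmrig-proxy/2.6.5 (Windows NT 6.3; Win64; x64) libuv/1.22.0 msvc/2017", "uptime": 73648, "donate_level": 1, "donated": 0.0, "hashrate": { "total": [ 0.0, 0.0, 0.01, 0.04, 0.03, 0.03 ] }, "miners": { "now": 6, "max": 6 }, "upstreams": 1, "results": { "accepted": 139, "rejected": 0, "invalid": 0, "expired": 0, "avg_time": 529, "latency": 79, "hashes_total": 2780139, "hashes_donate": 0, "best": [ 2351176, 1249258, 1029529, 363489, 335290, 255804, 253072, 245201, 198027, 189233 ] } }'''

# User-agent prefixes of common Monero mining software (example's own list);
# "xmrig-proxy/" is the one seen in this panel's data.
MINER_UA_PREFIXES = ("xmrig-proxy/", "xmrig/", "xmr-stak")


def load_summary(text):
    """Parse a summary, tolerating a redacted bare *** value (with or
    without the comma after it) the way the post presents it."""
    cleaned = re.sub(r'\*\*\*\s*,?\s*(?=")', '"REDACTED", ', text)
    return json.loads(cleaned)


def triage(text):
    """Reduce a proxy summary to the fields an analyst wants when deciding
    what a reporting host is and how active it has been."""
    s = load_summary(text)
    ua = s.get("ua", "")
    results = s.get("results", {})
    uptime = s.get("uptime", 0)
    accepted = results.get("accepted", 0)
    hashes_total = results.get("hashes_total", 0)
    miners_now = s.get("miners", {}).get("now", 0)

    platform = re.search(r"\((.*?)\)", ua)  # OS string inside parentheses

    indicators = []
    if ua.startswith(MINER_UA_PREFIXES):
        indicators.append("miner user agent: " + ua.split(" ", 1)[0])
    if s.get("kind") == "proxy":
        indicators.append("host is a mining proxy aggregating %d miner(s)" % miners_now)
    if s.get("algo", "").startswith("cryptonight"):
        indicators.append("CryptoNight algorithm (Monero family)")
    if s.get("mode") == "nicehash":
        indicators.append("NiceHash stratum mode")
    if s.get("donate_level", 0) == 0:
        indicators.append("dev donation disabled")

    return {
        "software": ua.split(" ", 1)[0],
        "platform": platform.group(1) if platform else "",
        "is_proxy": s.get("kind") == "proxy",
        "miners_connected": miners_now,
        "uptime_hours": round(uptime / 3600, 1),
        # average hash rate over the whole uptime, in hashes per second
        "avg_hashrate_hs": hashes_total / uptime if uptime else 0.0,
        # seconds of uptime per accepted share, to compare with avg_time
        "seconds_per_share": round(uptime / accepted, 1) if accepted else None,
        "reported_avg_time": results.get("avg_time"),
        "accepted": accepted,
        "rejected": results.get("rejected", 0),
        "indicators": indicators,
    }


if __name__ == "__main__":
    for key, value in triage(RAW_SUMMARY).items():
        print("%-20s %s" % (key, value))
```

On the post's sample this reports a proxy that has been up for about 20.5 hours with six miners behind it, averaging roughly 38 H/s across the whole uptime. The `uptime / accepted` figure (529.8) agrees with the reported `avg_time` of 529, which suggests that field is seconds per accepted share. The platform string `Windows NT 6.3` corresponds to Windows 8.1 / Server 2012 R2.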
Country and ASN info for hosting IPs of the malicious panels:
199.188.200[.]110 – NAMECHEAP-NET – Namecheap, Inc., US 86400
185.212.148[.]203 – SUPERSERVERSDATACENTER, RU 86400
95.211.16[.]67 – LEASEWEB-NL-AMS-01 Netherlands, NL 86400
91.227.16[.]118 – EXIMIUS-AS, RU 86400
5.101.152[.]199 – BEGET-AS, RU 86400
77.222.61[.]130 – SWEB-AS, RU 86400
145.239.81[.]107 – OVH, FR 86400
185.125.219[.]236 – AS-MAROSNET Moscow, Russia, RU 86400
95.211.16[.]66 – LEASEWEB-NL-AMS-01 Netherlands, NL 86400
104.24.113[.]231 – CLOUDFLARENET – Cloudflare, Inc., US 86400
185.224.138[.]72 – AS-HOSTINGER, LT 86400
Requestor countries:
Thailand
USA
UK
Cyprus
Canada
NL
Morocco
Ukraine
Slovakia
India
El Salvador
Looking into the Infrastructure
In researching the hosting IPs of these panels, we wanted to see whether the panels shared any infrastructure or systems. A force-directed graph here shows the relationships between the hosting IPs and the domain names of the panels:
Then we further enriched the data by pivoting to other known malicious domains we’d seen on the same hosting IPs. This graph shows how much each cluster grows.
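The two graphs above are built by the same pivot: connect each hosting IP to the domains seen on it, treat each connected component as a cluster, and watch the components grow (and merge) when other known-malicious domains from the same IPs are added. The script below is an added example of that pivot, not the post's own tooling. The hosting IPs are taken from the list above (defanged); the panel and enrichment domain names are constructed placeholders, since the post shows them only in its graph images.

```python
from collections import defaultdict

# Hosting IPs from the post's list (defanged). The domain names are
# CONSTRUCTED placeholders for this example.
PANEL_DOMAINS = {
    "185.212.148[.]203": {"panel-a.example"},
    "95.211.16[.]67":    {"panel-b.example", "panel-c.example"},
    "95.211.16[.]66":    {"panel-c.example"},  # shared name links the two LeaseWeb IPs
    "5.101.152[.]199":   {"panel-d.example"},
    "145.239.81[.]107":  {"panel-e.example"},
}

# Pivot data: other known-malicious domains previously seen on the same IPs
# (CONSTRUCTED). One of them has resolved to two different IPs.
ENRICHMENT_DOMAINS = {
    "185.212.148[.]203": {"bad-a.example", "bad-b.example"},
    "5.101.152[.]199":   {"bad-c.example"},
    "145.239.81[.]107":  {"bad-c.example", "bad-d.example"},
}


def build_graph(*mappings):
    """Undirected bipartite graph with IP <-> domain edges from each mapping."""
    adj = defaultdict(set)
    for mapping in mappings:
        for ip, domains in mapping.items():
            for domain in domains:
                adj[ip].add(domain)
                adj[domain].add(ip)
    return adj


def components(adj):
    """Connected components: the clusters seen in the force-directed graph."""
    seen, comps = set(), []
    for start in adj:
        if start in seen:
            continue
        comp, stack = set(), [start]
        while stack:
            node = stack.pop()
            if node in seen:
                continue
            seen.add(node)
            comp.add(node)
            stack.extend(adj[node] - seen)
        comps.append(comp)
    return comps


def cluster_sizes(adj):
    return sorted((len(c) for c in components(adj)), reverse=True)


def cluster_of(adj, node):
    """Every IP and domain reachable from `node` through shared infrastructure."""
    for comp in components(adj):
        if node in comp:
            return comp
    return set()


def growth_report(base, enrichment):
    """Cluster count and sizes before and after the enrichment pivot."""
    before = build_graph(base)
    after = build_graph(base, enrichment)
    return {
        "clusters_before": len(components(before)),
        "clusters_after": len(components(after)),
        "sizes_before": cluster_sizes(before),
        "sizes_after": cluster_sizes(after),
    }


if __name__ == "__main__":
    print(growth_report(PANEL_DOMAINS, ENRICHMENT_DOMAINS))
    enriched = build_graph(PANEL_DOMAINS, ENRICHMENT_DOMAINS)
    print(sorted(cluster_of(enriched, "5.101.152[.]199")))
```

With the constructed data the panel-only graph has four clusters; after enrichment two of them merge through the domain that resolved to both the BEGET and OVH IPs, leaving three larger clusters. That merge is the kind of relationship the second graph in the post is meant to surface: two panels that looked unrelated by domain turn out to share an operator's wider infrastructure.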
Visibility
Malicious cryptominers running in your network can cause issues on business-critical systems by hijacking processing power and causing system crashes. Not to mention, the system is no longer fully under your control, and depending on the malware being used, modules can be executed to extract your private data or drop additional malware.
To gain visibility into cryptomining in your network, we have the ‘Cryptomining’ category that can be enabled in Cisco Umbrella.
Related IOCs
(not all IOCs are specifically meant to be a ‘block list’)