Security

The Coin Rush

Andrea Kaiser
Updated — March 28, 2020 • 4 minute read

Malicious cryptocurrency miners have been the latest ‘trend’ among cybercriminals. This is malicious software installed on a victim’s system that uses its processing power to mine a cryptocurrency coin, making money for the bad actor at someone else’s expense.

We’ve seen cryptomining capabilities inserted into the latest releases of malware that previously used other means to extort money or abuse their victims’ computing resources. Notably, attack campaigns using Trickbot and the RIG Exploit Kit have dabbled in spreading malicious cryptocurrency miners. Malspam and malicious ad traffic have been leading to droppers. The possible infection methods extend well beyond running code within your web browser.

This blog post highlights the infrastructure seen in some of the latest observed examples of SupremeMiner, which is used to mine Monero on compromised systems. [Thanks to Brian Carter for helping to identify it.]

SupremeMiner

These panels were observed over a 3-month period. Let’s take a look at the panel interface. The original is in Russian and has been translated for the screen captures.

The login page:

Oftentimes these types of panels still have the default login/password in use.
Once you’re logged in, you can see an overview of stats for all of the systems that have been infected with your cryptominer and are reporting back to the command and control server.

The ‘workers’ are infected systems. The panel lists each worker’s IP address, last contact time, CPU info, video card info, OS info, and the version of the miner running, along with the miner’s status. More information can be had by clicking on each system: computer name, whether an antivirus is installed, whether the miner is running with admin privileges, and the installation path. The installation path is always in ProgramData within a temp folder.

A section for managing the stop/start/reload/update of the miner.

The ‘settings’ page where you upload your miner that will be distributed to the systems that are under your control.

Miner data:

{
    "id": "250f8bc28a1fdbf1",
    "worker_id": ***,
    "version": "2.6.5",
    "kind": "proxy",
    "algo": "cryptonight",
    "mode": "nicehash",
    "ua": "xmrig-proxy/2.6.5 (Windows NT 6.3; Win64; x64) libuv/1.22.0 msvc/2017",
    "uptime": 73648,
    "donate_level": 1,
    "donated": 0.0,
    "hashrate": {
        "total": [0.0, 0.0, 0.01, 0.04, 0.03, 0.03]
    },
    "miners": {
        "now": 6,
        "max": 6
    },
    "upstreams": 1,
    "results": {
        "accepted": 139,
        "rejected": 0,
        "invalid": 0,
        "expired": 0,
        "avg_time": 529,
        "latency": 79,
        "hashes_total": 2780139,
        "hashes_donate": 0,
        "best": [2351176, 1249258, 1029529, 363489, 335290, 255804, 253072, 245201, 198027, 189233]
    }
}
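The summary above is the kind of status blob an xmrig-proxy instance reports back to its panel. As an added example (not code from the post), here is a small parser that turns such a blob into triage facts a responder would want: whether it is an xmrig-proxy, how many workers are attached, how long it has been running, and its share and hash throughput. The sample input is constructed from the values shown above; the worker_id is a placeholder because the post redacts it.

```python
import json

# Constructed sample modelled on the xmrig-proxy summary shown in the post.
# worker_id is a placeholder (the post redacts it); other values follow the post.
SAMPLE_SUMMARY = """{
  "id": "250f8bc28a1fdbf1", "worker_id": "PLACEHOLDER", "version": "2.6.5",
  "kind": "proxy", "algo": "cryptonight", "mode": "nicehash",
  "ua": "xmrig-proxy/2.6.5 (Windows NT 6.3; Win64; x64) libuv/1.22.0 msvc/2017",
  "uptime": 73648, "donate_level": 1, "donated": 0.0,
  "hashrate": {"total": [0.0, 0.0, 0.01, 0.04, 0.03, 0.03]},
  "miners": {"now": 6, "max": 6}, "upstreams": 1,
  "results": {"accepted": 139, "rejected": 0, "invalid": 0, "expired": 0,
              "avg_time": 529, "latency": 79, "hashes_total": 2780139,
              "hashes_donate": 0}
}"""


def summarize_proxy(raw):
    """Parse an xmrig-proxy style summary and derive facts useful for triage."""
    d = json.loads(raw)
    results = d.get("results", {})
    accepted = results.get("accepted", 0)
    bad = sum(results.get(k, 0) for k in ("rejected", "invalid", "expired"))
    submitted = accepted + bad
    uptime = d.get("uptime", 0)          # seconds since the proxy started
    ua = d.get("ua", "")
    return {
        # The 'kind' field and UA string identify the proxy software and host OS.
        "is_xmrig_proxy": d.get("kind") == "proxy" and ua.startswith("xmrig-proxy/"),
        "algo_mode": f"{d.get('algo')}/{d.get('mode')}",
        "workers_now": d.get("miners", {}).get("now", 0),
        "uptime_hours": round(uptime / 3600, 1),
        "share_accept_rate": round(accepted / submitted, 3) if submitted else 0.0,
        # Work averaged over the whole uptime; a derived figure, distinct from the
        # proxy's own short-window samples in hashrate.total.
        "avg_hashes_per_second": round(results.get("hashes_total", 0) / uptime, 2) if uptime else 0.0,
        "avg_seconds_per_share": results.get("avg_time"),
    }


if __name__ == "__main__":
    for key, value in summarize_proxy(SAMPLE_SUMMARY).items():
        print(f"{key}: {value}")
```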

Country and ASN info for hosting IPs of the malicious panels:


Requestor countries:

Thailand
USA
UK
Cyprus
Canada
NL
Morocco
Ukraine
Slovakia
India
El Salvador

Looking into the Infrastructure

In researching the hosting IPs of these panels, we wanted to see whether there were any relationships between the infrastructure or systems used by each of them. A force-directed graph here shows relationships between hosting IPs and domain names of the panels:

Then we further enriched the data by pivoting to other known malicious domains we’d seen on the given hosting IPs. This graph shows how much each cluster grows.

Visibility

Malicious cryptominers running in your network can cause issues on business-critical systems by hijacking processing power and causing system crashes. Moreover, the system is no longer fully under your control, and depending on the malware being used, modules can be executed to extract your private data or drop additional malware.

To gain visibility into cryptomining in your network, Cisco Umbrella provides a ‘Cryptomining’ category that can be enabled. For more information please see this article.

Related IOCs

(not all IOCs are specifically meant to be a ‘block list’)

Malicious domains, panels:


Hashes

C&Cs

5.188.231[.]110
5.8.88[.]59
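The indicators above are defanged with ‘[.]’, so they must be refanged before they can be compared against telemetry, and compared by exact value rather than substring so that a near-miss address is not flagged. As an added example (not code from the post), the following refangs the two C&C IPs listed above and matches them against constructed egress log lines; the log format and hostnames are assumptions.

```python
import re

# C&C IPs listed in the post, defanged exactly as written there.
DEFANGED_IOCS = ["5.188.231[.]110", "5.8.88[.]59"]

# Constructed sample egress log lines (not real telemetry). The last line is a
# near-miss address that naive substring matching would wrongly flag.
SAMPLE_LOG = """\
2020-03-01T10:02:11Z host=WS-17 dst=5.188.231.110 dport=80
2020-03-01T10:02:12Z host=WS-17 dst=93.184.216.34 dport=443
2020-03-01T10:05:40Z host=WS-22 dst=5.8.88.59 dport=8080
2020-03-01T10:06:01Z host=WS-22 dst=5.8.88.5 dport=443
"""


def refang(ioc):
    """Undo common defanging: '[.]' or '(.)' for '.', 'hxxp' for 'http'."""
    s = ioc.replace("[.]", ".").replace("(.)", ".")
    return re.sub(r"^hxxp(s?)://", r"http\1://", s, flags=re.IGNORECASE)


def find_hits(log_text, defanged_iocs):
    """Return (host, dst) pairs whose destination exactly equals a refanged IOC."""
    targets = {refang(i) for i in defanged_iocs}
    hits = []
    for line in log_text.splitlines():
        # Fields after the timestamp are key=value pairs in this assumed format.
        fields = dict(kv.split("=", 1) for kv in line.split()[1:])
        if fields.get("dst") in targets:  # exact match, never substring
            hits.append((fields["host"], fields["dst"]))
    return hits


if __name__ == "__main__":
    for host, dst in find_hits(SAMPLE_LOG, DEFANGED_IOCS):
        print(f"{host} contacted listed C&C {dst}")
```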
