By: Ronen Ahdut

Executive Summary

In the past, threat actors have used financial information they’ve acquired to either steal funds or sell the data online. The process was risky, however. Authorities could quickly detect these attacks and arrest the malicious actors. Fortunately for attackers, Bitcoin and other digital currencies have changed the game.

Introduced in 2009, Bitcoin slowly but surely gained threat actors’ trust. The rise of cryptocurrencies led to the phenomenon of modern ransomware and, with it, new malware variants aimed directly at digital currencies. Today, threat actors use several methods to infect devices with an array of what are known as “cryptominers”.

These applications use infected hosts’ resources for the threat actors’ financial benefit, and mining is an intensive process: cryptominers keep infected systems under a high workload for extended periods. The result is spikes in power usage and extreme wear on the systems themselves, in a process called “cryptojacking”.

But how does the use of a digital currency benefit those actors? How do they stay anonymous? And is Bitcoin the only currency for the task?

The following article will cover basic concepts in the Crypto world and analyze past and present cryptojacking and botnet campaigns, as well as demonstrate Cynet360’s ability to detect and remediate these threats.

Basic concepts

Cryptocurrency:

Cryptocurrency is a digital or virtual currency that is cryptographically secured, which makes it nearly impossible to counterfeit or double spend.

Blockchain:

Blockchain is the technology that enables the existence of cryptocurrency. Introduced in 1991 by Stuart Haber and W. Scott Stornetta, it was originally designed to timestamp documents so that any tampering could be detected.

It was first used with Bitcoin to validate transaction hashes. Each transaction is written to a block which is transmitted to the entire network. Other participants in the network (“nodes”) verify the block, which is then added to the blockchain, and the transaction is approved.

Coin miner:

A coin miner is a program that generates cryptocurrency by completing computationally expensive tasks.

It solves hash-based puzzles (proof of work) that allow new blocks to be added to the blockchain, and the miner is rewarded with cryptocurrency for each block it finds.

Mining can leverage either the system CPU or GPU.
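As an added illustration (not code from the original article): a toy proof-of-work loop in Python that shows what a miner actually computes. The header bytes, the use of SHA-256 and the difficulty values are assumptions for the demonstration (Monero itself uses the RandomX hash function); the point it makes is the asymmetry that cryptojackers exploit: finding a valid nonce costs on the order of 2^difficulty hashes of CPU time, while any node can verify the result with a single hash.

```python
import hashlib

# Toy proof of work: find a nonce such that SHA-256(header || nonce) falls below a
# target. Real coins use other hash functions (Monero: RandomX), but the shape of the
# work is the same: searching is expensive, checking a proposed answer is one hash.


def block_hash(header: bytes, nonce: int) -> bytes:
    """Hash a candidate block: fixed header bytes followed by an 8-byte nonce."""
    return hashlib.sha256(header + nonce.to_bytes(8, "big")).digest()


def meets_target(digest: bytes, difficulty_bits: int) -> bool:
    """A digest is valid when its top difficulty_bits bits are all zero."""
    return int.from_bytes(digest, "big") < (1 << (256 - difficulty_bits))


def expected_hashes(difficulty_bits: int) -> int:
    """Average attempts a miner needs: each try succeeds with probability 2**-bits."""
    return 1 << difficulty_bits


def mine(header: bytes, difficulty_bits: int, max_nonce: int = 1 << 32):
    """Brute-force nonces in order; returns (nonce, hex digest, attempts) or None."""
    for nonce in range(max_nonce):
        digest = block_hash(header, nonce)
        if meets_target(digest, difficulty_bits):
            return nonce, digest.hex(), nonce + 1
    return None


def verify(header: bytes, nonce: int, difficulty_bits: int) -> bool:
    """What every node does when a mined block arrives: one hash, no search."""
    return meets_target(block_hash(header, nonce), difficulty_bits)


if __name__ == "__main__":
    # constructed header; a real one carries the previous block hash, merkle root, time
    header = b"constructed block header: prev_hash|merkle_root|timestamp"
    for bits in (8, 12, 16):
        nonce, digest, attempts = mine(header, bits)
        print(f"{bits:2d} bits: nonce={nonce} attempts={attempts} "
              f"expected~{expected_hashes(bits)} hash={digest[:16]}...")
        assert verify(header, nonce, bits)
```

Raising the difficulty by four bits multiplies the average search by sixteen while verification stays at one hash; that is why stolen CPU time on hundreds of hosts, rather than any cleverness, is the whole business model of a cryptojacking campaign.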

Cryptojacking:

Cryptojacking (or cryptojacking malware) is malicious activity in which a compromised system is used to mine currency for a third party without the knowledge or consent of the infected host’s owner.

It does so either by embedding a miner into an existing malicious campaign or simply by deploying the miner on its own.

The longer a miner is undetected, the more profit it can generate for the third party.

The process makes system resources unavailable for a user’s main business operations. It is also costly in terms of electricity usage. If a malicious actor integrates a worm into the cryptojacking malware, it could compromise an entire network.

This is the nexus of cryptocurrency and cybersecurity.

Anonymity in the crypto world

For many enthusiasts, privacy and anonymity are the major reasons for using cryptocurrencies. There is a misconception that currencies like Bitcoin are anonymous, but are they actually?

In reality, Bitcoin (and other similar cryptocurrencies) are pseudonymous. Here’s why:

Every single transaction is public, traceable, and permanently stored on the blockchain, thus making it discoverable.

All transactions are visible on websites like etherscan.io or blockchain.com.

Recently, Poly Network was hacked and the attacker was able to steal crypto assets worth nearly 650M USD. When the attacker’s wallet address was discovered, it was quickly labeled on websites like etherscan:

[Screenshot: the attacker’s wallet address labeled on etherscan]

The process by which this wallet (and several other wallets) was identified is called blockchain analysis.

Blockchain analysis:

The process of inspecting, identifying, clustering, modeling and visually representing data from the blockchain is called Blockchain analysis.

With it, one can try and gain useful information regarding different actors who transact in cryptocurrencies.

While some companies offer blockchain analysis as a service, there are also tools that can trace a wallet or transaction history. Maltego’s CipherTrace integration can identify a wallet holder and a probable location. CipherTrace can also score a wallet from 1 to 10 based on its history and probable use for illegal activity.

Other free tools are also available. “Orbit” is a similar tool that also visualizes the results:

[Diagram: Orbit’s visualization of a wallet’s transaction graph]

Orbit’s GitHub: https://github.com/s0md3v/Orbit

More about the use of Orbit and transaction history visualization: https://miloserdov.org/?p=3231

Going back to the Poly attack, by applying Blockchain analysis we can find every transaction related to the attack. While there are some solutions available for attackers to launder the funds, it would take significant effort and could still likely be traced to the malicious actor.

Surprisingly, the hacker used this property to communicate without exposing themselves: they made transactions to their own wallet and attached a note to each one. Here is the latest note they added for the Poly team, after returning all the funds:

[Screenshot: the note embedded in the transaction’s input data]

In the transaction record, the note can be found under “Input Data” by viewing the data as UTF-8. The note is signed “YOUR CHIEF SECURITY ADVISOR”.

Eventually the hacker returned almost all the stolen assets and was even offered a $500,000 bounty and a position as security advisor for Poly Network.

Bitcoin Mixer/Tumbler

Even with everything we have already covered, Bitcoin remains a major payment method for ransomware gangs. The question is, how do they use it?

One way of achieving an extra layer of anonymity with “dirty” coins is by using a Bitcoin mixer/tumbler.

Bitcoin mixing is a service offered on many different websites, most of them on the darknet.
The mixer receives funds from a chosen wallet and mixes them with a pool of coins from other depositors. The result is coins assembled from bits of multiple sources. Here is a screenshot from “BestMixer” (one of many tumblers) that illustrates the process:

By sending their “dirty” bitcoin to a mixer, threat actors minimize the chance of being discovered while adding another layer of security. Even so, this doesn’t make coins completely untraceable (although it does complicate the process significantly). Mixers aren’t without risk, however.

If they are a “centralized” service, they can be compelled by law enforcement agencies to provide details about transactions and users. In one case, Protonmail, a privacy-focused email company, was forced by Swiss authorities to hand over details about a user account, leading to that user’s arrest.

On the other hand, “decentralized” mixers offer much less reliability – they might simply not complete the mix. Would you send a stranger five million dollars on the darknet?

Another, easier way around this issue is to use privacy-friendly coins like Monero.

Monero:

While Bitcoin was the preferred payment method for ransom by threat actors, they needed to create a unique wallet for each victim to avoid being traced. This made the process of infecting multiple targets at once more time-consuming and made them lose money on network fees.
With all transactions being public on the blockchain, this can compromise the threat actor’s identity.

This is where Monero comes in.

Monero (XMR) is a unique cryptocurrency largely due to the way it validates transactions. The XMR blockchain uses “ring signatures”, which mix several decoy addresses with the real one to form a “ring” around a transaction. This makes identifying the sender or receiver nearly impossible and obfuscates transactions for better anonymity. Unlike other currencies, it is nearly impossible to decipher the addresses, amounts, and history of Monero users.

XMRIG

XMRIG is an open-source coin miner made for Monero.

The characteristics of Monero, combined with XMRIG being open source and easy to modify, made XMRIG the go-to miner for cryptojacking.

XMRIG uses either the system’s CPU or GPU as its resource for mining.

Used effectively by malicious actors and combined with a worm (or a large distribution platform such as torrents), XMRIG can be the base of an entire mining botnet without disclosing the destination address or the wallet holder’s identity.

According to “Coinwarz”, an average system will take approximately 432 days to mine one Monero. Multiply that by hundreds or thousands of infected systems, and you have a very profitable operation.

This makes XMRIG use highly lucrative for malicious mining operations.

Most recent Cryptojacking attacks have used XMRIG as their miner of choice.

Threat actors take different approaches when it comes to miners. Some choose the stealthier approach while others just go all in.

How coin miners infect devices – three methods

Next, I will cover three different methods used to deploy and run a mining campaign, together with an analysis of a botnet that has continuously evolved and shifted its malicious payload from bankers to miners.

Crackonosh – The stealthy miner

The rise of cryptocurrencies in recent years has been matched by a growth in the number of malicious miners. One well-known coin miner, named “Crackonosh” by researchers from Avast, is XMR mining malware. First observed in the wild in 2018, Crackonosh has been used largely to deploy XMRIG on infected systems.

While other campaigns deploy miners as their secondary payload (or goal), Crackonosh’s sole purpose is the mining operation, and to achieve it the malware tries to remain as hidden as possible.

Distribution:

The name Crackonosh originated largely from the malware’s distribution method (and its likely Czech origin). Crackonosh uses cracked games and software as a distribution platform, and more specifically torrented versions of these files. Multiple illegal cracked copies have been uploaded to torrent-sharing sites. This includes hugely popular games such as Far Cry 5, GTA V, NBA 2K19, The Sims 4, Fallout 4, and hundreds of others.

Due to the nature of these torrent websites, and with the right game chosen, “Crackonosh” could distribute itself over a large number of hosts.

To get a better understanding, here are the number of downloads for the games listed above, as seen on “KickassTorrent”, one of the world’s largest torrent sites (note that Torrents are also shared, not only downloaded, which likely leads to the larger numbers).

  • GTA V: around 75K downloads for each major cracked release (currently 64 torrents on the site)
  • Far Cry 5: between 5K and 25K downloads for each major cracked release (currently 74 torrents on the site)
  • The Sims 4: between 10K and 60K downloads for each major cracked release (currently 245 torrents on the site)

[Screenshot: GTA V torrent listings and download counts on the site]

Targeting gamers is also a clever idea, as they often use more powerful hardware that allows for faster XMRIG mining. Moreover, a stronger system might not be significantly affected, letting users continue to operate their devices and ignore any hidden coin miners.

But to do all that successfully, “Crackonosh” must remain hidden. So, how does it work?

Attack analysis:

Once the infected installer is run, it deploys Crackonosh on the system alongside the cracked software.

Once installed, a scheduled task is added and Crackonosh deploys itself only after several system reboots. The goal is to avoid detection by the user and to avoid any suspicious activity being linked to the illegal software that was just installed.

Once the required number of reboots is reached, Crackonosh forces the system into Safe Mode. Why? Windows Safe Mode does not start third-party programs, including antivirus software. Once in Safe Mode, Crackonosh searches for and deletes any defensive programs that might be in its way, using a predefined list of products. It also disables Windows Defender and, when it is done, adds a fake Defender icon with a green check mark as a smoke screen for the user.

Crackonosh slowly but surely does anything in its power to avoid detection and maintain a flow of its mining operation.

Below, you can see an example of Crackonosh disabling Windows’ Hibernation mode for continuous mining.

Crackonosh is also highly evasive. Once it detects a monitoring program (Procmon, Process Hacker, etc.), it puts itself to “sleep”. The same goes for debuggers:

[Screenshot: Crackonosh checking for monitoring tools and debuggers]

Here is an example of a query for an XMR wallet address found inside Crackonosh, on localmonero.co:

[Screenshot: localmonero.co query for the wallet address]

According to the report by Avast, Crackonosh has already mined Monero worth more than USD 2,000,000, proving that the distribution method combined with the evasive techniques has made Crackonosh a highly successful campaign.

The fact that Crackonosh has managed to remain relatively unknown while successfully operating since 2018 is already a success for its authors.

Enter Cynet…

Cynet360 VS Crackonosh

Using a sample of the malware, we were able to test its effectiveness against Cynet:

[Screenshot: Cynet 360 alert on the Crackonosh sample]

As seen in our UI, Cynet blocks the file from being downloaded based on a “Malicious Binary – Infected File – File Dumped on the Disk” alert.
A similar alert, “Malicious Binary – Attempt to run”, is triggered once the file attempts to run on the system.

We were also able to detect previously mitigated attacks on our customers.
One alert was related to the Winlogui.exe file, responsible for dropping and activating the XMRIG miner:

Highlighted is a hash related to Crackonosh. In the process parameters you can see the pool details, which help us find more data on the specific pool:

[Screenshot: mining pool statistics for the pool address found in the process parameters]

We can see that in this specific pool only 0.7 XMR was paid out (approx. 180 USD) and that it has no active “workers” (in our case, infected machines).

Note that this is only one pool out of many others used by the threat actors. We have witnessed larger sums paid.
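As an added example (not code from Cynet or the original article): a small Python check over process-creation records that pulls the pool and wallet out of XMRig-style command lines, the same parameters that were visible in the alert above. The records, the pool hostnames and the wallet strings are constructed placeholders; the -o/--url and -u/--user options are XMRig’s own. Supporting flags such as -k and -p are deliberately not enough to flag a process on their own, because svchost.exe takes the same letters.

```python
import re

# XMRig's own pool and wallet options (short and long forms).
URL_FLAGS = {"-o", "--url"}
USER_FLAGS = {"-u", "--user"}
# Options common in miner command lines but not conclusive on their own
# (svchost.exe also takes -k and -p, so they only count as supporting evidence).
SUPPORTING_FLAGS = {"-p", "--pass", "-k", "--keepalive", "-a", "--algo",
                    "--coin", "--donate-level", "--nicehash"}

# host:port, optionally with the stratum scheme XMRig accepts
POOL_RE = re.compile(r"^(?:stratum\+(?:tcp|ssl)://)?(?P<host>[A-Za-z0-9.\-]+):(?P<port>\d{2,5})$")
# Standard Monero address: 95 base58 characters starting with 4 or 8
MONERO_ADDR_RE = re.compile(r"^[48][1-9A-HJ-NP-Za-km-z]{94}$")

# Constructed placeholders: syntactically valid, not real wallets.
PLACEHOLDER_WALLET_A = "4" + "a" * 94
PLACEHOLDER_WALLET_B = "8" + "b" * 94

# Constructed process-creation records (image path, command line); not real telemetry.
# The first mimics the Winlogui.exe dropper name mentioned in the article.
SAMPLE_PROCESSES = [
    (r"C:\Users\Public\winlogui.exe",
     f"winlogui.exe -o stratum+tcp://pool.example.invalid:3333 -u {PLACEHOLDER_WALLET_A} -p x -k --donate-level=0"),
    (r"C:\Windows\System32\svchost.exe", "svchost.exe -k netsvcs -p"),
    (r"C:\tools\xmrig.exe",
     f"xmrig.exe --url=pool2.example.invalid:5555 --user={PLACEHOLDER_WALLET_B} --coin=monero -t 4"),
]


def parse_miner_args(cmdline: str) -> dict:
    """Walk the tokens once, accepting both '--flag value' and '--flag=value'."""
    tokens = cmdline.split()
    found = {"pool": None, "wallet": None, "supporting": []}
    i = 1  # skip argv[0]
    while i < len(tokens):
        flag, _, inline_value = tokens[i].partition("=")
        if flag in URL_FLAGS or flag in USER_FLAGS:
            value = inline_value or (tokens[i + 1] if i + 1 < len(tokens) else "")
            found["pool" if flag in URL_FLAGS else "wallet"] = value
            i += 1 if inline_value else 2
            continue
        if flag in SUPPORTING_FLAGS:
            found["supporting"].append(flag)
        i += 1
    return found


def assess(image: str, cmdline: str) -> dict:
    """Score one process; a pool URL or a wallet-shaped user is what makes it miner-like."""
    args = parse_miner_args(cmdline)
    pool = POOL_RE.match(args["pool"] or "")
    wallet_ok = bool(args["wallet"] and MONERO_ADDR_RE.match(args["wallet"]))
    return {
        "image": image,
        "pool_host": pool.group("host") if pool else None,
        "pool_port": int(pool.group("port")) if pool else None,
        "wallet_looks_monero": wallet_ok,
        "supporting_flags": args["supporting"],
        "miner_like": bool(pool) or wallet_ok,
        # a miner running under a name that is not xmrig is worth a closer look
        "renamed_binary": bool(pool) and "xmrig" not in image.lower(),
    }


def scan_processes(records):
    return [assess(image, cmdline) for image, cmdline in records]


if __name__ == "__main__":
    for r in scan_processes(SAMPLE_PROCESSES):
        if r["miner_like"]:
            print(f"MINER-LIKE {r['image']} -> pool {r['pool_host']}:{r['pool_port']} "
                  f"wallet_ok={r['wallet_looks_monero']} renamed={r['renamed_binary']}")
```

The extracted pool host and port are what you would pivot on next: query the pool’s public statistics for the wallet, as done above, and block or alert on the host:port pair at the network edge.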

Other pools were even blacklisted:

[Screenshot: a pool flagged as blacklisted]

Going back 24 months searching for activity related to Crackonosh, we discovered that Cynet has successfully mitigated over 400 attempts to run on clients’ systems, with the latest activity taking place on August 30, 2021, meaning that this is still an active and running campaign.

The creators of Crackonosh have made a remarkable effort to operate undetected. The fact that this variant was only named and discovered after almost two years of activity is amazing.

Based on our analysis we believe Crackonosh will remain a threat to consider, but due to the latest discoveries, and the fact that it is already labeled on Virustotal, we might see another phase in its evolution, different to current methods.

Crackonosh takes its time to deploy safely and goes the extra mile in an attempt to stay hidden. Next we will analyze a different approach taken by threat actors.

MITRE ATT&CK TTP

ATT&CK Tactic                                | ATT&CK Technique
Supply Chain Compromise (T1195)              | Compromise Software Supply Chain (T1195.002)
Scheduled Task/Job (T1053)                   | Scheduled Task/Job: At (Windows) (T1053.002)
User Execution (T1204)                       | User Execution: Malicious File (T1204.002)
Boot or Logon Initialization Scripts (T1037) | Logon Script (Windows) (T1037.001)
Impair Defenses (T1562)                      | Disable or Modify Tools (T1562.001)
Resource Hijacking (T1496)                   |

Zeus/Zbot – A blast from the past

Zeus is one of several botnets that had an immense effect on botnet evolution.

First seen in the wild in 2007, Zeus infects hosts through three main attack vectors:

  • Social media campaigns with a malicious link
  • Drive-by infections, injecting malicious code into legitimate product downloads or websites
  • Phishing emails carrying malicious code

Once the host is infected, Zeus can download its banking payload.

Zeus used a “man in the browser” attack. Whenever an infected host visits a banking website, Zeus will either take a screenshot of the credentials or log the keys inserted on the website and send them to the C2 server.

Zeus will also create a backdoor to the system, either to continue its attack on the host or to deploy another malware.
Zeus has recently started using the Cryptolocker ransomware as part of its infection on a network.

While first seen in 2007, 2009 was the year that Zeus became more widespread, with an estimated 74,000+ infected servers in the US alone. The malware’s victims include names like Amazon, Cisco, Bank of America, and even NASA.

In 2010 Zeus’ creator declared his retirement by handing over Zeus’ source code as his farewell gift. Since then many new Zeus variants have emerged, including “Gameover”, “SpyEye”, “Ice IX”, “Citadel”, and the notorious “Panda Banker”.

While all are based on the same code, each was unique in its way. “Gameover” did not have a C2 server; “SpyEye” could automatically transfer funds from the victim’s bank account; and “Shylock” allowed a connection to multiple C2 servers.

In 2018 another variant named “Zeus Panda” was seen distributing via Emotet as well.

Cynet 360 VS Zeus

[Screenshot: Cynet 360 detection of Zeus]

[Screenshot: Zeus analysis result]

Photo taken from the Intezer engine.

Cynet can successfully detect and remediate Zeus. In a way, Zeus was a base for modern Cryptojacking botnets.

Zeus has evolved several times and continues to do so today. There are constantly new variants with better abilities being released.

Now imagine what would happen if a threat actor used those abilities to spread a miner?

Allow me to introduce LemonDuck.

Lemon Duck – The “Guns blazing” miner

Lemon Duck is not new in the threat landscape. Since mid-2018, the malware has been a dangerous self-spreading botnet.

Lemon Duck has seen several stages of evolution. It started with a coin miner as its main payload, and later shifted into a malware distribution platform associated with credential theft, banking operation, backdoor abilities, and more.

One of the better-known attack vectors chosen was a phishing campaign related to COVID-19:

[Screenshot: COVID-19 themed phishing email used to deliver Lemon Duck]

The attachment was a weaponized document containing a PowerShell script that would download Lemon Duck.

The latest attack vector is related to the ProxyShell vulnerability. Threat actors have been seeking out and exploiting this recent vulnerability to run a PowerShell script that installs Lemon Duck on the system.

But how does Lemon Duck operate once the initial script is downloaded?

LemonDuck sends an HTTP request to its C2 server including the compromised host’s details, alerting the C2 of the infection. Once approved, it downloads a second script, validates its hash and executes it on the host:

[Screenshot: the initial script downloading and hash-checking the second stage]

The second script is highly obfuscated, with several layers of Base64 encoding and compression, and it is stored back to front (reversed). This delays and hardens analysis:

[Screenshot: the obfuscated second-stage script]

After successfully de-obfuscating the script, we noticed it contacted the C2 again, this time to download and execute its payload on the host, including XMRIG.
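As an added example (not LemonDuck’s script or code from the original article): a Python de-obfuscation helper that peels the kind of layering described above, Base64, compression and reversal, in whatever order they were applied. It uses depth-first search with backtracking, so a wrong guess (decoding a reversed string as if it were plain Base64) is undone instead of producing garbage. The sample blob is constructed inside the block from a benign stand-in line; the real second stage is not reproduced, and the raw-deflate/zlib/gzip framings tried are assumptions about what such scripts commonly use.

```python
import base64
import binascii
import re
import zlib
from typing import List, Optional, Tuple

B64_STRICT = re.compile(rb"^[A-Za-z0-9+/]+={0,2}$")  # padding only at the end
B64_ISH = re.compile(r"^[A-Za-z0-9+/=\s]+$")         # nothing but base64 characters


def try_base64(data: bytes) -> Optional[bytes]:
    s = re.sub(rb"\s+", b"", data)
    if len(s) < 8 or len(s) % 4 or not B64_STRICT.match(s):
        return None
    try:
        return base64.b64decode(s, validate=True)
    except binascii.Error:
        return None


def try_reverse(data: bytes) -> Optional[bytes]:
    """Reversed base64 carries its '=' padding at the front; flipping it back makes it valid."""
    s = re.sub(rb"\s+", b"", data)[::-1]
    return s if len(s) >= 8 and B64_STRICT.match(s) else None


def try_inflate(data: bytes) -> Optional[bytes]:
    for wbits in (-15, 15, 31):  # raw deflate (.NET DeflateStream), zlib, gzip
        try:
            out = zlib.decompress(data, wbits)
        except zlib.error:
            continue
        if len(out) >= 8:  # very short "successes" on random input are noise
            return out
    return None


def as_text(data: bytes) -> Optional[str]:
    try:
        text = data.decode("utf-8")
    except UnicodeDecodeError:
        return None
    if not text or not all(c.isprintable() or c in "\r\n\t" for c in text):
        return None
    return text


def looks_like_script(text: str) -> bool:
    """Plain text that is not itself just another encoded blob."""
    return B64_ISH.fullmatch(text) is None


STEPS = [("base64", try_base64), ("reverse", try_reverse), ("inflate", try_inflate)]


def recover(data: bytes, max_depth: int = 8,
            prev: Optional[str] = None) -> Optional[Tuple[str, List[str]]]:
    """Return (plaintext, layers peeled in order) or None if nothing readable emerges."""
    text = as_text(data)
    if text is not None and looks_like_script(text):
        return text, []
    if max_depth == 0:
        return None
    for name, step in STEPS:
        if name == "reverse" and prev == "reverse":
            continue  # reversing twice is a no-op
        out = step(data)
        if out is None or out == data:
            continue
        found = recover(out, max_depth - 1, name)
        if found is not None:
            return found[0], [name] + found[1]
    return None


# Constructed sample: a benign stand-in line wrapped as raw deflate -> base64 -> reverse -> base64.
PLAIN_SCRIPT = "Write-Output 'constructed stand-in for the second-stage script'\n"


def layer_up(text: str) -> bytes:
    comp = zlib.compressobj(wbits=-15)
    deflated = comp.compress(text.encode()) + comp.flush()
    return base64.b64encode(base64.b64encode(deflated)[::-1])


SAMPLE_BLOB = layer_up(PLAIN_SCRIPT)

if __name__ == "__main__":
    plain, layers = recover(SAMPLE_BLOB)
    print("layers peeled:", " -> ".join(layers))
    print(plain)
```

Once the text layer is reached, the next analysis step the article describes, checking which hosts the script contacts and which hashes it verifies, can be done on readable code rather than on the blob.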

The script again verifies the integrity of those files via an MD5 hash embedded in the script. If the hash does not match, the attack will probably stop.

[Screenshot: MD5 verification of the downloaded payloads]

It will also collect information from the compromised host and enumerate open and available connections.

With the collected data, LemonDuck creates a TCP listener for use as a bind shell.

It also alters other network settings, sets a new DNS address, disables Windows Defender, and eventually drops another config file for further execution.

Persistence:

LemonDuck will do its best to stay on the system and to infect as many hosts on the network as it can. It executes a PowerShell script via WMI to set a scheduled task on the host that reinfects it:

[Screenshot: the scheduled task created via WMI]

It also looks for and infects shared folders and removable media via an infected LNK file.

Cynet360 VS LemonDuck

Cynet can successfully detect and remediate LemonDuck attacks:

[Screenshot: Cynet 360 alerts on LemonDuck activity]

Conclusion:

LemonDuck is not shy. It compensates for its lack of stealth with very effective persistence and infection mechanisms, and with a massive force multiplier in the case of an infected DC or Exchange server, as previously seen.

It is a great example of malware evolution. It exploits new vulnerabilities and uses recent events to stay relevant and appealing to an unsuspecting user.

Based on its history, success, and recent events, we believe that LemonDuck will continue to spread and evolve as a threat in the future.

MITRE ATT&CK Techniques

ATT&CK Tactic                                  | ATT&CK Technique
Gather Victim Host Information (T1592)         | Software (T1592.002); Client Configurations (T1592.004)
Obtain Capabilities (T1588)                    | Malware (T1588.001); Exploits (T1588.005)
Exploit Public-Facing Application (T1190)      |
External Remote Services (T1133)               |
Phishing (T1566)                               | Spearphishing Attachment (T1566.001)
Replication Through Removable Media (T1091)    |
Command and Scripting Interpreter (T1059)      | PowerShell (T1059.001); JavaScript (T1059.007)
Scheduled Task/Job (T1053)                     | Scheduled Task (T1053.005)
Software Deployment Tools (T1072)              |
Windows Management Instrumentation (T1047)     |
Boot or Logon Autostart Execution (T1547)      | Registry Run Keys / Startup Folder (T1547.001)
Exploitation for Privilege Escalation (T1068)  |
Obfuscated Files or Information (T1027)        | Software Packing (T1027.002)
Impair Defenses (T1562)                        | Disable or Modify Tools (T1562.001)
Network Service Scanning (T1046)               |
Network Share Discovery (T1135)                |
Replication Through Removable Media (T1091)    |
Encrypted Channel (T1573)                      | Asymmetric Cryptography (T1573.002)
Data Obfuscation (T1001)                       | Protocol Impersonation (T1001.003)
Resource Hijacking (T1496)                     |

Conclusions, and a look into the future

In this article we have covered basic concepts in the cryptocurrency world, together with an introduction to the malicious act of Cryptojacking.

While previously botnets like Zeus were aimed at credential theft and banking, today most botnets use a mining capability either as the campaign’s main or secondary payload.

For Zeus operators, the stolen data had to be sold before they could profit, so they would also offer a service to infect a network with a desired malware.

Cryptojacking botnets are different.

Because of the reasons mentioned in the article, we can understand why Cryptojacking is sort of a “perfect crime” for the threat actors. The financial gain is immediate, and due to Monero’s characteristics they can stay anonymous.

Like most of the IT world, Cryptojacking botnets are also moving to the cloud.

Several recent botnets seem to be aiming directly at cloud environments. These environments are relatively new to security teams, which makes them an even better target for threat actors.

Recently, cryptojacking botnets were also seen targeting IoT devices. While malware like Crackonosh aims at quality over quantity, an IoT botnet usually acts the other way around.

IoT devices are a prime target. In 2016 the Mirai botnet launched an enormous DDoS attack that eventually took down internet connectivity for much of the US East Coast. It did so by using default credentials as part of its attack vectors.
An IoT botnet aimed at cryptojacking is the ultimate goal for threat actors. IoT devices are everywhere, and as seen with Mirai, people tend to forget that these devices need to be updated or have new passwords set.

While ransomware seems to be an organization’s worst fear, cryptojacking can have a devastating effect as well. If not discovered and treated correctly, entire resources could be compromised, leading to a loss in performance combined with a higher than usual electricity bill.

While writing this article, several new Cryptojacking botnets were discovered. Mozi botnet for example, with currently over 1.5 million infected nodes, has been spotted mostly in China.

An estimate by Kaspersky suggests that over 1.5 billion attacks on smart devices were made in the first half of 2021 alone, doubling last year’s number.

And while cloud and IoT environments might seem like the perfect goal for a botnet creator, threats like LemonDuck, discussed above, keep evolving and posing a risk for many organizations.

Cynet360 has proven its effectiveness with these threats by successfully detecting and mitigating them.