A new Monero cryptomining campaign has been detected in the wild being spread and operating in a manner more consistent with ransomware and other attacks that retain a level of persistence than has been seen before.
Check Point researchers said these mining operations have been on-going since mid-January using two specific trojans, Trojan.Win32.Fsysna and an unnamed variant of a Monero cryptominer. Although the ultimate goal for the malware is to create Monero, the malicious actors behind the attacks are using some very “non cryptomining” tactics and software to accomplish their mission. This includes propagation and persistence.
“The highlight of this variant is the use of legitimate IT administration tools, Windows system tools and previously disclosed Windows vulnerabilities in order to infect an entire network of PCs,” wrote Check Point’s Richard Clayton, Check Point’s adding, “The actors behind this campaign possess enough skills and experience to make this a potentially severe attack on any organization with no easy steps for remediation.”
Most trojan-based attacks are delivered via an email, network, file, or application vulnerability, but it is not known exactly how the miner is being injected, but Check Point did find the malware uses the Mimikatz post-exploitation tool to spread laterally through a target system. For mining operations size matters.
“Mining has always been about scale. The more machines mining, the more the income. Once a single machine is breached in an enterprise, lateral movement allows for large scale compromise which means more machines mining,” said Marcel Afrahim, Check Point's software developer, cyber protections and analysis group. .
Once established the miner begins a series of obfuscation and persistence maneuvers. It is initially dropped into the User Temporary folder, and immediately makes a copy of itself which is stored in the Windows Temp folder for persistence. The malware then checks for older versions of itself previously installed and stops them from running, eventually cleaning them from the system, and then launches Netsh Windows utility to open the proper ports it needs for connection to the mining network.
The next level of persistence happens when a second trojan is dropped in the temp folder. This stops the first trojan from operating and moves itself as a filed called wmiex.exe to the systems folder where it is able to utilize Windows’ own tools it creates a scheduled task to mimic a web server application and run on startup. It then flushes the DNS cache and start the scheduled task it has created.
The trojan also connects to the command and control server and updates the server with the latest info from the infected machine and then to make certain some money is created a Bitcoin Miner is also downloaded.
Overall, Check Point noted the software, tools and processes in place make this campaign difficult to spot and stop.
“The use of Windows legitimate tools such as CMD, WMI and networking tools in order to inflict damage to the system and establish persistency would make these attacks harder to detect without increasing false positive detection in the organization,” Clayton wrote.