By Oleg Kolesnikov and Harshvardhan Parashar, Securonix Threat Research Team
Figure 1: Persistent Cryptomining Jex Boss Initial Foothold Payload – Repeated Payload Execution Attempts
Cryptojacking is the unauthorized use of someone else's computer to secretly mine cryptocurrency (also known as virtual or digital currency). According to a recent report from Fortinet, cryptojacking attacks impacted over 28 percent of companies this year, a spike representing more than a 15% increase over the share of companies impacted in the last quarter of 2017.
The Securonix Threat Research Team has been actively investigating and monitoring these attacks to help our customers understand the techniques attackers use and to enable effective early detection, mitigation, and response. Below is a summary of what we currently know about the attacks, along with our recommendations to help increase the chances of detecting and mitigating them.
Figure 2: Cryptomining Payload Configuration Received From Command-And-Control (C2) Site
Cryptojacking Behaviors – Overview
Cryptojacking attacks are highly profitable and anonymous, and can involve not only external attackers but also rogue insiders. The typical attack vectors used in cryptojacking attacks include compromising web sites, endpoints, and cloud infrastructure. Some examples of recent high-profile, publicly reported breaches involving cryptojacking attacks include Los Angeles Times, Tesla, Aviva, and Gemalto.
As can be seen from Figure 1, modern cryptojacking attacks often involve persistent adversaries that are continuously probing infrastructure using different approaches/payloads to inject the malicious cryptojacking payload, leveraging various attack vectors ranging from cloud misconfigurations to client-side or server-side vulnerabilities.
In most cases, the main objective of an attacker performing a cryptojacking attack is, following the initial infiltration, to quickly and secretly establish persistence that allows the attacker to run a second-stage cryptomining payload continuously. The configuration for the second-stage cryptomining payload is usually either dynamic, downloaded from a C2 site controlled by the attacker (Figure 2), or hardcoded in the payload.
Figure 3: Wannamine Obfuscated Malicious VBScript
Some examples of commonly used cryptomining payloads as of June 2018 include:
- and others 
Based on real-world cryptojacking activity observed in the wild by the Securonix Threat Research Team, the cryptomining payloads mentioned above are often used by attackers on the exploited targets as-is. The payloads are usually renamed and set to execute as part of a persistence mechanism available on the target, such as a cron job, a scheduled task, registry-based persistence, WMI-based persistence, or other mechanisms.
In some cases, before deploying a second-stage cryptomining payload, attackers also add a layer of obfuscation using a malicious VBScript (Figure 3) or a PowerShell stager. The PowerShell stager configures the environment, checks for other cryptominer processes and shuts them down, then checks for anti-virus software.
Detection – Sample Securonix Spotter Search Queries
Below are sample Securonix Spotter search queries to assist with detecting some possible existing cryptojacking attack infections.
Endpoint Threat Detection and Response (ETDR) Process Monitoring (Trivial Process Name Conditions)
((rg_functionality="Microsoft Windows" or rg_functionality="Antivirus / Malware / EDR" or rg_functionality="Endpoint Management Systems") AND (destinationprocessname contains "xmrig" or destinationprocessname contains "minerd" or destinationprocessname contains "jce" or destinationprocessname contains "claymore" or destinationprocessname contains "cpuminer" or destinationprocessname contains "ccminer" or destinationprocessname contains "minergate" or destinationprocessname contains "ethminer" or destinationprocessname contains "mkxminer" or destinationprocessname contains "nsgpucnminer" or destinationprocessname contains "sgminer" or destinationprocessname contains "xmr-stak" or destinationprocessname contains "excavator" or destinationprocessname contains "wannamine" or destinationprocessname contains "dofiol" or destinationprocessname contains "sharik" or destinationprocessname contains "coinminer"))
((rg_category contains "Endpoint" OR rg_category contains "ips" OR rg_category contains "ids") AND (sourceprocessname contains "xmrig" or sourceprocessname contains "minerd" or sourceprocessname contains "jce" or sourceprocessname contains "claymore" or sourceprocessname contains "cpuminer" or sourceprocessname contains "ccminer" or sourceprocessname contains "minergate" or sourceprocessname contains "ethminer" or sourceprocessname contains "mkxminer" or sourceprocessname contains "nsgpucnminer" or sourceprocessname contains "sgminer" or sourceprocessname contains "xmr-stak" or sourceprocessname contains "excavator" or sourceprocessname contains "bminer" or sourceprocessname contains "wannamine" or sourceprocessname contains "sharik" or sourceprocessname contains "dofiol" or sourceprocessname contains "coinminer"))
ETDR Process Monitoring (Process Hash Conditions)
(rg_category contains "Endpoint" OR rg_category contains "ips" OR rg_category contains "ids") AND (customstring3 = 57cda2f33fce912f4f5eecbc66a27fa6 or
customstring3 = 9621638daa908871e4d50a27bef014bb or
customstring3 = a10157d0649cff753c01cd7bbf750608 or
customstring3 = 26e3021465a0a79547fbf78727b62512)
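As an added example, not part of the Securonix queries above, the same trivial process-name and hash conditions expressed in Python and run over a few constructed sysmon-style events. Short substrings such as "jce" or "sharik" can collide with legitimate process names, so hits from the name conditions still need triage, while the hash condition is what catches a miner that was renamed before being persisted.

```python
# Process-name substrings and MD5 hashes taken from the Spotter queries above.
MINER_NAMES = (
    "xmrig", "minerd", "jce", "claymore", "cpuminer", "ccminer", "minergate",
    "ethminer", "mkxminer", "nsgpucnminer", "sgminer", "xmr-stak", "excavator",
    "bminer", "wannamine", "dofiol", "sharik", "coinminer",
)
MINER_HASHES = {
    "57cda2f33fce912f4f5eecbc66a27fa6", "9621638daa908871e4d50a27bef014bb",
    "a10157d0649cff753c01cd7bbf750608", "26e3021465a0a79547fbf78727b62512",
}

def match_process(event):
    """Return a reason string if the event matches a miner condition, else None.
    event keys (all optional): sourceprocessname, destinationprocessname, md5."""
    for field in ("sourceprocessname", "destinationprocessname"):
        name = (event.get(field) or "").lower()
        for needle in MINER_NAMES:
            # Substring match, like Spotter's 'contains'; short needles such as
            # "jce" or "sharik" can hit legitimate names, so triage is needed.
            if needle in name:
                return f"{field} contains {needle!r}"
    # The hash condition catches a miner that was renamed before persistence.
    md5 = (event.get("md5") or "").lower()
    if md5 in MINER_HASHES:
        return f"md5 {md5} in known miner hash list"
    return None

def scan(events):
    """Return (host, reason) for every event that matches."""
    hits = []
    for event in events:
        reason = match_process(event)
        if reason:
            hits.append((event["host"], reason))
    return hits

# Constructed sysmon-style events (not real telemetry). ws01 runs a renamed
# binary that only the hash condition catches; ws02 uses the miner's own name.
SAMPLE_EVENTS = [
    {"host": "ws01", "sourceprocessname": r"C:\Windows\System32\cmd.exe",
     "destinationprocessname": r"C:\Users\Public\svchost64.exe",
     "md5": "57cda2f33fce912f4f5eecbc66a27fa6"},
    {"host": "ws02", "destinationprocessname": r"C:\ProgramData\xmrig.exe",
     "md5": "00000000000000000000000000000000"},
    {"host": "ws03", "destinationprocessname": r"C:\Windows\explorer.exe",
     "md5": "ffffffffffffffffffffffffffffffff"},
]

if __name__ == "__main__":
    for host, reason in scan(SAMPLE_EVENTS):
        print(host, reason)
```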
Mitigation and Prevention – Securonix Recommendations
This section provides recommendations from Securonix to help customers mitigate and prevent attacks:
- Implement a company-wide coinblocker URL and IP Block list/blackholing in your firewall using the following: https://gitlab.com/ZeroDot1/CoinBlockerLists/issues/1
- Implement a user security policy requiring the use of a browser extension that blocks cryptomining, such as No Coin (https://chrome.google.com/webstore/detail/no-coin-block-miners-on-t/gojamcfopckidlocpkbelmpjcgmbgjcl?hl=en) or MinerBlock (https://chrome.google.com/webstore/detail/minerblock/emikbbbebcdfohonlaifafnoanocnebl). Note: the Firefox 63 update (releasing in October 2018) is scheduled to add protection against cryptomining websites.
- Review the third-party components used by your company's websites and protect against cryptojacker injection through third-party JS library components by leveraging subresource integrity (SRI) and content security policy (CSP) attributes and directives such as crossorigin, integrity, and require-sri-for, for example: <script src="https://scotthelme.co.uk/js/jquery2.1.3.min.js" noncanonical-src="https://ajax.googleapis.com/ajax/libs/jquery/2.1.3/jquery.min.js" integrity="sha256-ivk71nXhz9nsyFDoYoGf2sbjrR9ddh+XDkCcfZxjvcM=" crossorigin="anonymous"></script> (Note: see https://scotthelme.co.uk/subresource-integrity/ and https://scotthelme.co.uk/content-security-policy-an-introduction/.)
- Review the cloud storage sites (e.g. Amazon S3 buckets) used to deliver content for your company's web sites for unusual changes related to potential cryptojacking modules. Also consider an external review of the web components used by your organization for possible cryptojacking modules using PublicWWW: https://publicwww.com/websites/%22coin-hive.com%2Flib%2Fcoinhive.min.js%22+site%3Acom/.
- Review the instance types used in your cloud infrastructure for types that may be unusual, such as Amazon Accelerated Computing/GPU instances (P3, P2, F1, *.xlarge; see https://aws.amazon.com/ec2/instance-types/).
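The SRI recommendation above, as an added example that is not from the original post: computing an integrity attribute value for a script and verifying fetched bytes against it the way a browser does (strongest listed algorithm wins, any matching digest for it passes). The library bytes and the modified copy are constructed stand-ins, not the jQuery file referenced in the script tag.

```python
import base64
import hashlib

SRI_ALGOS = ("sha256", "sha384", "sha512")  # ordered weakest to strongest

def compute_sri(content: bytes, algo: str = "sha256") -> str:
    """Build an integrity attribute value (e.g. "sha256-<base64 digest>")."""
    digest = hashlib.new(algo, content).digest()
    return f"{algo}-{base64.b64encode(digest).decode()}"

def verify_sri(content: bytes, integrity: str) -> bool:
    """Check fetched bytes against an integrity attribute the way a browser
    does: keep tokens with a recognised algorithm, use only the strongest
    algorithm present, and pass if any of its digests matches."""
    by_algo = {}
    for token in integrity.split():
        algo, _, rest = token.partition("-")
        if algo in SRI_ALGOS:
            # a token may carry "?options" after the digest; ignore them
            by_algo.setdefault(algo, []).append(rest.split("?")[0])
    if not by_algo:
        # Browsers treat an attribute with no usable token as absent and load
        # the resource unchecked; for a review tool, report it as unverified.
        return False
    strongest = max(by_algo, key=SRI_ALGOS.index)
    actual = base64.b64encode(hashlib.new(strongest, content).digest()).decode()
    return actual in by_algo[strongest]

# Constructed stand-in for a CDN-hosted library and a modified copy of it.
LIBRARY = b"/* constructed stand-in for jquery.min.js */\nwindow.jQuery = {};\n"
MODIFIED = LIBRARY + b"/* bytes appended by a tampered CDN copy (constructed) */\n"

if __name__ == "__main__":
    tag = compute_sri(LIBRARY)
    print("integrity attribute:", tag)
    print("original verifies:", verify_sri(LIBRARY, tag))   # True
    print("modified verifies:", verify_sri(MODIFIED, tag))  # False
```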
Securonix Detection – Some Examples of Securonix Predictive Indicators
1.1 Recommended Data Sources
Below is a list of the recommended data sources to help you cover some of the key behaviors used in cryptojacking attacks:
- EDR: Endpoint logs such as Bit9/Carbon Black or Sysmon, and auditd for container/Docker infrastructure logs.
- PXY: Proxy logs
- CLO: Cloud services activity and performance/resource utilization logs such as Amazon AWS, CloudTrail/CloudWatch/Macie, EC2, IAM, S3 Access, Microsoft Azure, Google Cloud, and container logs (Docker/Kubernetes).
- IFW: Firewall logs
- OCU: Other/custom logs, particularly those related to performance monitoring of your infrastructure (e.g. *beats, Tanium)
1.2 Examples of Relevant High-Level Behavior Analytics/Predictive Indicators
This section provides high-level examples of Securonix behavior analytics/predictive indicators based on some of the key attack vectors used in the latest cryptojacking attacks impacting endpoints and cloud infrastructure:
- Suspicious Process Activity – Rare Parent-Child Relationship For Host Analytic
- Suspicious Process Activity – Targeted – Executable File Creation Analytic
- Suspicious Network Activity – Rare Outbound Network Connection For Host Analytic
- Suspicious Cloud Activity – Rare StartInstances/TerminateInstances Source Analytic
- Suspicious Process Activity – Rare Scheduled Task For Host Analytic
- Suspicious WMI Activity – Rare WMI Consumer For Host Analytic
- Suspicious Windows Activity – Unusual CPU Utilization Amount For Host Analytic
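The cloud-side recommendation about unusual instance types and the Rare StartInstances/TerminateInstances Source indicator above can both be approximated over CloudTrail records. The following Python is an added example, not Securonix code; the records, the account baseline, and the list of accelerated-computing families (P2, P3, F1) are constructed assumptions.

```python
# Instance families the recommendation singles out as unusual (P3, P2, F1).
GPU_FAMILIES = ("p2", "p3", "f1")

def review_cloudtrail(events, baseline):
    """Flag RunInstances/StartInstances records against an account baseline.
    baseline['types']: instance types seen before in this account.
    baseline['sources']: (userName, sourceIPAddress) pairs seen before.
    Returns a list of (record index, reason) findings."""
    findings = []
    for i, ev in enumerate(events):
        if ev.get("eventName") not in ("RunInstances", "StartInstances"):
            continue
        # StartInstances carries instance ids, not a type, so itype is empty there
        itype = ev.get("requestParameters", {}).get("instanceType", "")
        family = itype.split(".")[0]
        src = (ev.get("userIdentity", {}).get("userName"), ev.get("sourceIPAddress"))
        if family in GPU_FAMILIES:
            findings.append((i, f"accelerated instance type {itype}"))
        elif itype and itype not in baseline["types"]:
            findings.append((i, f"instance type {itype} never seen in account"))
        if src not in baseline["sources"]:
            findings.append((i, f"rare source {src[0]}@{src[1]}"))
    return findings

# Constructed baseline and CloudTrail-shaped records (not real account data).
BASELINE = {
    "types": {"t2.micro", "m5.large"},
    "sources": {("deploy-bot", "203.0.113.7")},
}
SAMPLE_EVENTS = [
    {"eventName": "RunInstances", "userIdentity": {"userName": "deploy-bot"},
     "sourceIPAddress": "203.0.113.7",
     "requestParameters": {"instanceType": "t2.micro"}},
    {"eventName": "RunInstances", "userIdentity": {"userName": "deploy-bot"},
     "sourceIPAddress": "203.0.113.7",
     "requestParameters": {"instanceType": "p3.8xlarge"}},
    {"eventName": "StartInstances", "userIdentity": {"userName": "contractor"},
     "sourceIPAddress": "198.51.100.22",
     "requestParameters": {"instancesSet": {"items": [{"instanceId": "i-0123456789abcdef0"}]}}},
    {"eventName": "RunInstances", "userIdentity": {"userName": "contractor"},
     "sourceIPAddress": "198.51.100.22",
     "requestParameters": {"instanceType": "c5.18xlarge"}},
    {"eventName": "DescribeInstances", "userIdentity": {"userName": "contractor"},
     "sourceIPAddress": "198.51.100.22", "requestParameters": {}},
]

if __name__ == "__main__":
    for idx, reason in review_cloudtrail(SAMPLE_EVENTS, BASELINE):
        print(f"record {idx}: {reason}")
```

In production the baseline would be built from a trailing window of the account's own CloudTrail history rather than hardcoded.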
Other behavioral analytics/predictive indicators include: EDR-SYM6-ERI, EDR-SYM5-ERI, WEL-PSH-BPI, PXY-IPB1-TPN, EDR-SYM15-ERI, EDR-SYM35-BAI, EDR-SYM34-BPI, CLO-AWS10-BDI, WEL-WOT1-RUN, EDR-SYM25-RUN, WEL-WSH1-ERI, WEL-TAN1-BAI, WEL-TAN2-BPI, EDR-SYM36-BPI, and EDR-SYM37-ERI.
Note: It is important to keep in mind that there are many other attack vectors and log sources/data sources that need to be considered depending on the potential attack surface/infrastructure, such as web server, application, and container system logs.