As Darktrace regularly detects crypto-mining attempts the moment they occur on a network, we can estimate the cash flow stream a cyber-criminal earned on a laterally moving Monero-miner infection that Darktrace identified.
How it began
Last month, a customer’s device – which we will call patient zero – became infected with a Monero-miner. After a short time, patient zero started looking for accessible SMB drives by scanning the internal network for devices on port 445. As the device had not conducted any network scanning activity in the past, Darktrace flagged the process as an unusual network scan and an anomalous SMB enumeration:
Once patient zero identified accessible IPC$, ADMIN$ or C$ SMB drives, it transferred an executable to the drive. After the file transfer, the malware used PsExec to connect to the device and execute the malicious software. As patient zero had not made any SMB drive writes and had not used PsExec in this fashion before, alerts were raised immediately:
Spread and containment
The now-infected device started mining Monero and attempted to communicate over Tor2Web with Command & Control (C2) servers:
Using Darktrace, the security team identified the infection within minutes and assessed the complete extent of the infection in less than an hour. Within three hours from initial detection, the security team had run a clean-up script on their network which stopped the spread.
We have estimated the hypothetical revenue for this particular attack. To make the mining less detectable, some of the current Monero-mining malware applies restrictions to both the number of threads that can be used and the maximum CPU usage capacity. As a result, we have estimated the figures below on a worst-case scenario basis.
We know that 300 machines were infected and that the Monero miners were running for around 4 hours.
Mining profitability is commonly measured in the amount of hashes calculated per second per CPU core or GPU. This number, known as hashes per second (H/S), can differ based on the hardware used. A common number on the lower end of the scale for H/S on a single CPU is 20 H/S for the CryptoNight algorithm used to mine Monero.
GPUs, being more efficient for the CryptoNight algorithm, can yield 2-3x the H/S rate of CPUs and beyond. Keeping with a worst-case scenario basis, we will assume all infected devices had only 2 CPU cores and no GPUs, meaning a single infected machine yielded 40 H/S. This leads us to the following calculation: 300 infected devices x 40 H/S = 12000 H/S.
A Monero-mining revenue calculation tool produced the following results: with a Monero price of $202.43 at the time of infection (disregarding electricity costs), the criminal would have earned roughly $15.85 in 24h. As the miners only ran for around 4 hours, the resulting revenue would have only been $2.64. So how is this profitable?
It’s a numbers game
Cryptocurrency-mining operations are designed to last for months, not hours. If this infection had gone undetected, the criminal would have earned $15.85 per day, or $475.62 per month. Furthermore, victims with larger networks are much less likely to notice the infection. As attacks spreading this kind of malware are often indiscriminate in nature, they will often hit thousands of organizations at the same time, giving them the capacity to generate much more than just half a dollar.
Last month Darktrace identified an advanced malware infection on a customer’s device, which used a sophisticated Command & Control (C2) channel to communicate with the attacker. The attacker spent a lot of effort in engineering a C2 channel that was meant to stay covert for months.
The malware used changing domains generated by Domain Generation Algorithms (DGAs). It also sent HTTP POST requests to malicious IP addresses while using reputable domain names for the hostname of the HTTP requests in order to blend in with normal web browsing. The attacker effectively tried to make the C2 communication look like a user browsing the well-known car rental website sixt.com and the luxury watch manufacturer breitling.com . Without using blacklists or signatures, Darktrace instantly identified this anomalous behavior, and as a result, the security team immediately isolated the infected device.
Beaconing to DGA websites
A laptop appeared on the network and made anomalous HTTP requests. The initial HTTP requests were made to the DGA domain tequbvchrjar[.]com on IP address 66.220.23[.]114. Within the next two days, several hundred HTTP POST requests were made to either this domain or to jckdxdvvm[.]com or cqyegwug[.]com, all hosted on the IP 66.220.23[.]114. Darktrace identified this behavior as beaconing – repeated connections often used in C2 communication – to DGA-domains.
What made this even more suspicious is that the POST requests used 5 different Internet Explorer User Agents for the HTTP requests. This was unusual behavior for the laptop as Darktrace had previously only observed Google Chrome User Agents. Darktrace’s unsupervised machine learning identified the User Agents as new and in conjunction with the DGA-domains as unusual activity.
The beaconing followed a steady pattern during afternoon to evening hours when the laptop was being used. This is visualized in the following graph over several days:
Malicious beaconing to reputable domains
In addition to beaconing to the DGA-domains, the device made several hundred HTTP POST requests using the hostnames sixt.com and breitling.com. Both domains are rather well-known and no public record exists of these domains having been compromised. The HTTP POST requests were made without prior GET requests and continued for several days – this is highly unusual behavior and does not resemble a user browsing those websites.
Upon closer inspection it became clear that the malware used indeed the hostnames sixt.com and breitling.com for the HTTP requests – but it was sending the HTTP requests to IP addresses owned by the attacker, not to the IP addresses that sixt.com and breitling.com resolve to on non-infected devices.
The requests for sixt.com were sent to the IP 184.105.76[.]250 while the requests for breitling.com were sent to 64.71.188[.]178. These two IP addresses, as well as the IP address hosting the DGA-domains, were hosted in the same ASN, AS6939 Hurricane Electric, which made this behavior even more suspicious. It is unlikely that all domains would be hosted in the same ASN by chance.
The malware authors used the trick of beaconing to well-known hostnames to circumvent reputation-based security controls and domain-based filters such as domain-blacklists, and to divert attention from security analysts investigating the beaconing. After all, the behavior looked on the surface like a user was browsing rental cars and luxury watches.
Further rapid investigation
Darktrace quickly revealed more details about the C2 communication. All requests were made to suspiciously-looking PHP endpoints and returned HTTP status code 200, ‘OK’, in all cases. The following shows an example of requests to three domains.
Darktrace instantly alerted on this as anomalous behavior:
A PCAP was directly downloaded from the Darktrace interface to inspect the suspicious C2 traffic:
Actively developed malware strain
It appears that this malware strain is under active development.
Open source research suggests that malware that behaves similarly has been circulated at least since the end of 2016. Some sources have attributed the malware families Razy and Nymaim to the executables seen. However, little research on these strains exist and both malware strains are generic in nature. Below are two samples from 2016:
These pieces of malware likely represent a prior version of the malware identified by Darktrace. The 2016 version also communicated with sixt.com and breitling.com, but also made HTTP requests to carvezine.com and sievecnda.com. No DGA domains were observed in the 2016 version.
The PHP endpoints in the URI have also changed. In the version from 2016, the PHP endpoints always ended in ‘/[DGA-string]/index.php’. C2 traffic is often seen to be sent to ‘index.php’ endpoints. Defenders started monitoring the static URI Indicator of Compromise (IoC) ‘index.php’. The malware authors know this as well and have adapted their C2 communication accordingly. As shown in the above screenshots, the PHP endpoint is now in the format of ‘[DGA-string].php’. This further shows that legacy controls – such as static monitoring for quickly outdated Indicators of Compromise – do not scale in today’s threat landscape.
Although the malware authors intended for their implant to stay covert and defeat common security controls, Darktrace instantly alerted on the anomalous behavior. Darktrace’s detections could not have been clearer. The following graphic shows a part of the communication exhibited by the infected device around the time of the infection. Blue lines represent outgoing connections from the device. Every colored dot represents a high-level Darktrace alert:
Using no blacklists or signatures, Darktrace detected this highly anomalous malware behavior instantly. A piece of malware that was meant to stay covert for months was quickly identified using anomaly detection on network data.
Indicators of Compromise:
The last 12 months have shown tremendous volatility in the value of cryptocurrencies, of which Bitcoin is the most prominent example. At the start of 2017, Bitcoin lingered around the $2,000 mark before suddenly taking off, climbing to historic highs of close to $20,000 in December 2017. Demand has since subsided, and at the time of writing, the price of Bitcoin is near to $10,772.
While Bitcoin is the most popular cryptocurrency, numerous alternatives, often called ‘altcoins’ have emerged and grown in value in the last 12 months. For example, Dogecoin, originally created to be a spoof cryptocurrency after a widespread internet meme, reached a notable market capitalization milestone of $2bn in January 2018 .
Nowadays it is almost impossible to profitably mine Bitcoin on commodity hardware such as laptops, smartphones or desktop computers. At this late state, it just takes too long to perform the relevant calculations, and the cost of electricity is higher than the anticipated revenue in most cases. Other altcoins such as Monero use different algorithms, making them viable alternatives for aspiring crypto miners. It is often still feasible to mine altcoins on commodity hardware and see a return on investment.
The value of most altcoins is closely tied to the value of Bitcoin and, in many cases, the relationship is broadly proportional – a rise in Bitcoin prompting a similar lift in the altcoins. Monero, which has been rapidly adopted by Darknet markets , has profited from this effect. While Monero was valued at around $10 in January 2017, its price has been pumped up to $419 a year later.
There is much that is still not clear about the cryptocurrency phenomenon. Debate as to its relative value and its status as a currency rages, and will not be resolved any time soon. However, from a cyber security perspective there can be no doubt that the combination of altcoins being mineable on commodity hardware, the fact that mining is now becoming profitable as a side-effect of Bitcoin’s rise, and a maturity in cryptocurrency-related tech has led to a surge in cryptocurrency-related attacks.
Darktrace has observed an abrupt increase of cryptocurrency-related attacks over the last 12 months. Both the frequency and the diversity of these attacks has grown significantly and largely mirrors the remarkable rise in the value of Bitcoin over that period.
Previously, cyber-criminals monetized their operations via banking Trojans/credit card fraud, selling stolen data and ransomware on the Darknet. However, criminals are notoriously adaptable and will follow the money wherever it leads, leading to an increase in cryptojacking’s popularity.
Cryptocurrency mining might not be as profitable as ransomware is upfront, but it can be secretly pursued for months without creating the havoc that characterizes ransomware attacks. Most users and security products might not notice a cryptocurrency miner being installed on a corporate device as it does not show obvious threats or messages to a user, except for an occasional increase in CPU or RAM usage.
Identifying these attacks can be very difficult for traditional security tools as they were not originally designed to catch this type of threat. Nor was Darktrace, but its approach – which relies on its evolving understanding of patterns of behavior – means that it can detect such attacks without having to know what to look for in advance.
Darktrace has detected a number of different attack vectors related to cryptocurrency attacks.
- Nefarious use of corporate resources
Darktrace has detected a range of incidents where employees were intentionally installing cryptocurrency mining software on their corporate devices to mine for personal gain. These employees do not have to pay for the electricity used to run the corporate device in the office – they are basically turning their employer’s electricity into cash by commandeering it for mining operations.
This is commonly seen as a compliance breach and increases the attack surface of a device that has mining software installed. It puts the corporate device at risk and also increases operational costs as the power consumption usually goes up for mining devices. The most popular cryptocurrency choices for this kind of mining in the last 12 months were Etherium and Monero – altcoins that can profitably be mined without the need for inordinate electricity.
- Coinhive drive-by mining
Coinhive is a technology that allows website owners to use their visitors’ computing power to mine a tiny fraction of cryptocurrency for the website owner. Visitors will experience a small increase in computer resource consumption while browsing the website. Some websites experiment with this model to create new forms of revenue streams alternative to advertisement and banner placements.
Coinhive usage is often not an opt-in process. Darktrace has observed various customer devices that regularly visit websites leveraging Coinhive technology. While the power consumption increase for a device browsing a website with Coinhive is ultimately negligible, the cumulative effect of a sizeable portion of the workforce unwittingly browsing websites using Coinhive results in increased power consumption cost for the organization as a whole.
- Malicious insider
A malicious insider compromised his employer’s website to put a Coinhive script on there. This then mined Monero for every visitor on the employer’s website for the malicious insider’s personal gain.
- Traditional malware
Cyber criminals are constantly looking to improve the return on investment of their operations. Reports suggest that criminals are starting to adjust their monetization methods based on the financial means of their targets. Suppose you can’t pay the fee extorted in a ransomware attack? They’ll just install a crypto miner on your device instead to ensure that the attack is not completely fruitless.
As malware authors become more sophisticated, they often deploy multi-staged malware that can swap weaponized payloads. Once malware has infected a system successfully, its authors can often decide what actions to take next. Encrypt the device and extort a ransom? Install a banking Trojan to harvest credit card details? Install more spyware modules to look for data exfiltration? Or, now, install a cryptocurrency miner.
These pieces of malware operate stealthily and often go undetected for several weeks. An infection might start with a phishing email that contains a macro-enabled document. As soon as a user enabled the macro, the malware will download a file-less stager that lives in memory and cannot be detected by traditional antivirus. Command and control communication is usually maintained via IP addresses that change on a daily basis in order to outrun threat intelligence and blacklisting attempts. As no obvious damage is done straight away, these attacks often stay under the radar for prolonged times, so long as self-learning technology such as Darktrace is not employed.
This becomes much more concerning as malware authors could swap one payload for another overnight if they deem it more profitable, switching from a furtive crypto mining Trojan to ransomware the next day. While we have not observed this kind of attack in the wild yet, it is plausible, and in cyberspace what can be done, will be done.
Revolutionary technologies like cryptocurrencies have both their dark and light aspects. For all of the creative energy released by the crypto-blockchain revolution, Bitcoin and its alternatives have quickly become the universal currency of the criminal underworld. Indeed, the former Chief Economist of the World Bank, Joseph Stiglitz – an adamant critic of cryptocurrencies – has said that the whole value of Bitcoin resides in its “potential for circumvention” and “lack of oversight”.
While Stiglitz’s case may be overstated, there can be no question that cyber criminals have sensed a new opportunity to make money. A lot of organizations still regard crypto mining as a compliance incident. This can lead to grave consequences as a cryptocurrency mining device might lead to more severe incidents that can have a serious effect on business operations.
This kind of threat is difficult to detect as no obvious damage is done. However, with Darktrace’s machine learning we can correlate even the weakest indicators of such an attack into a compelling picture of threat. While traditional tools may struggle to see these deviations, Darktrace can pinpoint the changes in behavior effected by cryptocurrency miners without having to rely on any blacklists or signatures.
The algorithms made famous by Conficker almost a decade ago are continuing to frustrate the security community.
A function of some advanced malware, Domain Generating Algorithms (DGA) rapidly generate new domains as a means of evading security personnel. This process is known as ‘domain fluxing’ and provides an alternative means of communication with the attacker’s command-and-control servers. They are very difficult to detect using a traditional security approach.
Darktrace’s AI and machine learning are designed to detect threats without any pre-existing knowledge of attacker targets, tools, or capabilities. While traditional security tools depend on specific Indicators of Compromise to identify malicious activity, Darktrace instead focuses on behavioral changes that may point to an active compromise. Detection of Domain Generating Algorithms is just one example of Darktrace’s ability to pinpoint attacker C2 communications through the identification of behavioral anomalies.
DGA identification in action
Darktrace recently saw an employee of a healthcare company connecting a personal laptop to the corporate network. The employee was asked by another member of the organization to troubleshoot the laptop as a favor. Unbeknown to the employee, and despite the fact that anti-virus was installed, the laptop was compromised by an unknown strain of malware.
On joining the network, the compromised laptop made DNS queries for domains that Darktrace classified as 100% rare for the environment. These domains appeared to be dynamically generated as they were all between 25 to 30 characters long and used multiple top-level domains. Darktrace immediately triggered a high-scoring domain fluxing alert due to the sudden increase in failed DNS requests for abnormal domains.
Additional domain fluxing alerts were triggered within 30 minutes of the device joining the network. The only reason that this highly suspicious activity was allowed to persist for that period of time was that the security administrator was at lunch.
The security administrator was informed of the situation on his return and immediately performed incident triage with Darktrace. The administrator was able to rapidly assess the device’s connection history using Darktrace’s native filters that are designed to detect scanning, lateral movement, C2 communications, and egress. He then identified the location of the compromised laptop, disabled its internet access, and physically removed the device from the network.
The total time from initial connection to identification, containment, and removal of the compromised, rogue device was approximately 67 minutes. The administrator left the following comment for the Darktrace analyst team:
Darktrace’s AI approach focuses on identifying anomalies in evolving patterns of behavior. Although the laptop was new to the network, no other device was seen making a high volume of failed DNS requests for similar DGA domains. Darktrace immediately identified this activity as anomalous and generated an alert within 14 seconds of the device joining the network.
By employing Darktrace, a single analyst was able to discover and assess a compromised, rogue device operating within the network environment in just over an hour. What’s more, with Antigena (Darktrace’s autonomous response solution) in place, all suspicious behaviors would have been temporarily suspended, in real time. Alternatively, the administrator could have manually authorized Antigena’s proposed actions via the Darktrace Mobile App.
No extensive analysis of distributed log files, PCAPs, or other security tools. No prior knowledge of the attacker’s infrastructure or the malware. Darktrace AI identified DGA domains that were being produced on the fly, without help. That’s the level our security technology must perform at if we are to keep on top of all the new tech in the modern attacker’s toolkit.