The amount of illegal cryptocurrency mining that is now taking place makes keeping track a difficult task, but here is a quick roundup of what was has been spotted over the last few days.
- Cisco Talos has detailed a six-month long investigation into a specific mining campaign that used phishing scams, tied to Google Ad words to lure victims that stole tens of millions of dollars.
- Meanwhile, Trend Micro has found and explored miners exploiting two vulnerabilities found in Apache CouchDB to install cryptominers on systems.
- A third method making news from IBM X-Force is the Trickbot trojan being used to create a man in the middle attack to steal credentials from people as they purchase bitcoin.
Talos' research found the criminal grop, dubbed CoinHoarder, buying Google Ad Words linked to search terms associated with cryptocurrency, such as blockchain or Bitcoin wallet. The ads then appear near the top of a search page as an advertisement for a Bitcoin wallet site. However, the link provided in the ad takes victims to a professional looking, but malicious, landing page, such as blockchain.info. Once on the landing page the victim is served phishing information in the person's native language, as based on the IP address that would enable the thieves to remove bitcoin from their wallets.
“The reach of these poisoned ads can be seen when analyzing DNS query data. In February 2017, Cisco observed spikes in DNS queries for the fake cryptocurrency websites where upwards of 200,000 queries per hour can be seen during the time window the ad was displayed,” Talos wrote.
Most of the victims were from non-English speaking nations, with particular attention paid to those in Africa and other developing countries where banking is difficult and local currencies unstable making Bitcoin a safe haven.
This method is so efficient that Talos believes Coinhoarder has stolen more than $50 million over the last three years. The group greatly benefited from Bitcoin's recent skyrocketing valuation. To keep the scam running all that is done is purchase more Ad Words.
The flaws at issue are Apache CouchDB JSON Remote Privilege Escalation Vulnerability (CVE-2017-12635) and Apache CouchDB _config Command Execution (CVE-2017-12636). Both of which were patched in November 2017.
Trend found that CVE-2017-12635 is first exploited to configure a CouchDB account with admin abilities which is then used to authenticate the remote code execution flaw in CVE-2017-12636. Once inside a system the malware injected detects and disables competing miners and then downloads and executes Coinhive.
CouchDB is a somewhat popular data base management system and is used by some large corporations giving those looking to take advantage of unpatched systems access to some pretty powerful resources, Trend noted.
“However, in our view, the system being targeted is not as important as the existence of vulnerabilities that can be exploited,” the report said, “As long as there's a chance to exploit an RCE (remote code execution), the threat actors will take advantage of it.”
Using a remote code execution flaw to run a cryptominer is even more attractive because it is a low-risk operation, but also high reward because the price of the various digital currencies are climbing.
The TrickBot trojan began its life attacking banking and financial interests, but IBM's X-Force Team has found the group behind it has expanded into the cryptocurrency stealing business. This particular case has TrickBot being used to place itself in the middle of a cryptocurrency transaction and steal from those purchasing Bitcoin and Bitcoin cash using a credit card.
“This particular attack targets both the bitcoin exchange website and that of the payment service to grab the coins and route them to an attacker-controlled wallet,” X-Force said.
TrickBot is a great tool here, IBM said, as it is uses webinjections to implant itself in both the bitcoin wallet and payment card websites where it can grab the information needed to steal the currency. Unlike the Ad Words scam, TrickBot requires a relatively high level expertise from the criminal.
“Having researched the attack tactics TrickBot applied to this cryptocurrency coin theft, we can see that, while it relies on existing mechanisms, the scheme required extensive research of the targeted sites, their web logic and the security controls they use,” IBM said.