Called GhostMiner, the malware is integrated into a malicious Windows executable and uses a PowerShell framework to deploy fileless techniques that conceal the presence of the malicious program. The techniques are called Out-CompressedDll and Invoke-ReflectivePEInjection.
The malware randomly probes IP addresses looking for servers running Oracle WebLogic, MSSQL, and phpMyAdmin. Researchers said that to avoid detection by network security tools, this component of the attack communicates with its C2 server over HTTP by encoding requests and replies in Base64.
GhostMiner also tries to get rid of other cryptocurrency mining tools it encounters on a victim's system before mining itself. It uses PowerShell's “Stop-Process -force” command, identifying other miners from a hard-coded blacklist. It stops and deletes these blacklisted miners, and can remove miners that run as blacklisted scheduled tasks. It also stops and removes miners by walking the list of established TCP connections and looking for ports associated with miners.
Despite these tactics, researchers said that over the course of three weeks, the miner has only made 1.03 Monero, approximately US$ 200 (£141).
“However, it is highly plausible that there are other addresses used in this campaign, undetectable due to Monero's anonymity features,” said Aprozper and Bitensky. “Another potential explanation for the low “revenues” of the GhostMiner campaign is the aggressive rivalry between mining gangs. There are plenty of potential victims, but the exploits and techniques they use are public. The attackers are aware that their competitors share the same toolset and try to infect the same vulnerable machines.”
In order to help stop the cryptocurrency mining attack, the researchers have modified the “killer script” so that incident response teams can use it as a basis for their own PowerShell scripts to eliminate miner malware. The script is available on Minerva's research team's GitHub account.
“It implements all the aforementioned tactics – removing known processes, tasks and services by name and unfamiliar ones by arguments or TCP connections typical to miners,” said researchers.
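A defender's triage script in the spirit of the tactics just described (known miners by process and task name, unfamiliar ones by command-line arguments or TCP connections to pool ports), written here as an added PowerShell example; it is not Minerva's script, and every process name, task pattern, port and regex below is a constructed placeholder to be replaced with an organisation's own intelligence. It assumes Windows 8 / Server 2012 or later for Get-NetTCPConnection and Get-ScheduledTask.

```powershell
# Added example, not the script from the page. Report-only by default; pass -Kill to act.
param([switch]$Kill)

# Constructed sample indicators (placeholders, not from the page or Minerva's repository)
$ProcessBlacklist = @('xmrig', 'minerd', 'cpuminer')
$TaskBlacklist    = @('Miner*', 'Update-*Svc')
$MinerPorts       = @(3333, 5555, 7777, 14444)
$MinerArgs        = '(--donate-level|stratum\+tcp://|-o\s+\S+:\d+\s+-u\s)'   # typical miner CLI arguments

$findings = @()

# 1. Known miners by process name (Get-Process strips the .exe suffix)
Get-Process | Where-Object { $ProcessBlacklist -contains $_.ProcessName } |
    ForEach-Object { $findings += [pscustomobject]@{ Type='Process(name)'; Id=$_.Id; Detail=$_.ProcessName } }

# 2. Unfamiliar miners by command-line arguments
Get-CimInstance Win32_Process | Where-Object { $_.CommandLine -match $MinerArgs } |
    ForEach-Object { $findings += [pscustomobject]@{ Type='Process(args)'; Id=$_.ProcessId; Detail=$_.CommandLine } }

# 3. Established TCP connections to ports typical of mining pools; Id is the owning process
Get-NetTCPConnection -State Established | Where-Object { $MinerPorts -contains $_.RemotePort } |
    ForEach-Object { $findings += [pscustomobject]@{ Type='TCP'; Id=$_.OwningProcess; Detail="$($_.RemoteAddress):$($_.RemotePort)" } }

# 4. Scheduled tasks whose name matches the blacklist; Id carries the task path for removal
Get-ScheduledTask | Where-Object { $t = $_; $TaskBlacklist | Where-Object { $t.TaskName -like $_ } } |
    ForEach-Object { $findings += [pscustomobject]@{ Type='Task'; Id=$_.TaskPath; Detail=$_.TaskName } }

$findings | Format-Table -AutoSize

if ($Kill) {
    # Stop-Process -Force, as the page describes, on every distinct process found by name, args or connection
    $findings | Where-Object { $_.Type -ne 'Task' } |
        Select-Object -ExpandProperty Id -Unique |
        ForEach-Object { Stop-Process -Id $_ -Force -ErrorAction SilentlyContinue }

    # Remove blacklisted scheduled tasks so the miner is not relaunched
    $findings | Where-Object { $_.Type -eq 'Task' } |
        ForEach-Object { Unregister-ScheduledTask -TaskName $_.Detail -TaskPath $_.Id -Confirm:$false -ErrorAction SilentlyContinue }
}
```

Run it first without -Kill and review the table, since a loose argument regex or a shared port can flag legitimate software.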
Oliver Pinson-Roxburgh, EMEA director at Alert Logic, told SC Media UK that these are opportunistic attacks, and the beauty of Monero is that, if you set up an account pool, you can do whatever attacks you like and you can still sync the revenue streams.
Nicholas Griffin, senior cyber-security specialist at Performanta, told SC Media UK that any publicly accessible server that does not have a rigorous vulnerability and patch management programme in place is at high risk, and not just by cryptocurrency miners.
“These types of servers should not only be prioritised for security patches but should also have additional security in place to ensure the integrity of software running on them at all times - they are often the front door into an organisation for an attacker,” he said.