Fileless Crypto-Mining Malware Discovered

Malicious crypto-miners have invaded the threat landscape over the past year, fueled by a massive increase in the value of crypto-currency. 

A recent attack discovered by security researchers from Minerva Lab used malware dubbed GhostMiner, which has adopted the most effective techniques used by other malware families, including fileless infection attacks.

Focused on mining Monero crypto-currency, the new threat used PowerShell evasion frameworks – Out-CompressedDll and Invoke-ReflectivePEInjection – that employed fileless techniques to hide the malicious code.

Each of the malware’s components was designed for a different purpose: one PowerShell script to ensure propagation to new machines, and another to perform the actual mining operations.

“This evasive approach was highly effective at bypassing many security tools: some of the payloads analyzed were fully undetected by all the security vendors,” Minerva Labs’ Asaf Aprozper and Gal Bitensky reveal.

The security researchers compared the detection of the malicious executable with and without the fileless method and discovered that, once the fileless module is removed, most of the VirusTotal vendors would detect the payload.

The PowerShell script in charge with infecting new victims targets servers running Oracle’s WebLogic (leveraging the CVE-2017-10271 vulnerability), MSSQL, and phpMyAdmin.

Despite that, however, the attack only attempts to exploit WebLogic servers, the security researchers say. For that, the malicious code randomly probes IP addresses, creating numerous new TCP connections per second, in an attempt to discover vulnerable targets.

Communication with the command and control (C&C) server is performed via HTTP through Base64-encoded requests and replies. The protocol the malware uses to exchange messages involves a simple hand shake followed by a request to perform various tasks. Once the task is completed, a new request is sent to the server.

Launched directly from memory, the mining component is a slightly customized version of the open source XMRig miner.

The mining operation, Minerva Labs researchers say, had been running for about three weeks by the time they discovered it, but the attackers have made only 1.03 Monero (around $200) to date, based on the employed wallet. However, the attackers might also be using addresses that the researchers haven’t detected yet.

“Another potential explanation for the low ‘revenues’ of the GhostMiner campaign is the aggressive rivalry between mining gangs. There are plenty of potential victims, but the exploits and techniques they use are public. The attackers are aware that their competitors share the same toolset and try to infect the same vulnerable machines,” the security researchers note.

The analysed sample itself contained a variety of techniques meant to kill the process of any other miner running on the targeted machine. These include PowerShell’s “Stop-Process -force” command, stopping blacklisted services and blacklisted scheduled tasks by name using exe, and stopping and removing miners by their commandline arguments or by looking at established TCP connections.

Minerva Labs security researchers also suggest that defenders use similar methods as these “competitor killers” to prevent malicious miners from running on endpoints. They even provide a killer script that can be modified for such purposes.

Related: Fileless Attacks Ten Times More Likely to Succeed: Report

view counter

Ionut Arghire is an international correspondent for SecurityWeek.

Previous Columns by Ionut Arghire:

Tags: