So other than self-promoting (hey, I think it was a fun piece of research), it's also interesting to look at the Monero exchange rate vs Bitcoin and USD and notice how this is a classic pump and dump scam. Someone drives up the exchange rate of a crypto-currency (strong PR backing, whatever) and someone uses the fact that mining the currency is currently quick and simple and whoom, a couple of hundred dollars of free profit every few months.
This is less likely to happen to BTC simply due to being ungunned/outmanned in the ASIC war but in the lesser crypto-currencies this is very simple to pull off.
The blog post, and I'll quote the fun parts and no diagrams.
In before anyone comments, this is technically very easy. The hard part was using my workplace's sensors to collect the thousands of samples needed to understand the worm's behavior and trying to figure out how widespread this infection is.
Over the past few months, we’ve been following a new type of worm we named PhotoMiner. PhotoMiner features a unique infection mechanism, reaching endpoints by infecting websites hosted on FTP servers while making money by mining Monero. The choice of a lesser known currency with a good exchange rate allows the attackers to rapidly gain money while the sophisticated use of safeguards makes it resilient to most disruption attempts, potentially leaving victims infected for years.
We’ve documented thousands of attacks originating from hundreds of IPs, running similar attack flows while using different binaries. In this report we will share our research on the PhotoMiner’s timelines, infection strategies, C&C servers and provide tools to help detect the malware.
Attack Description
On January 10 2016, GuardiCore Global Sensor Network detected an automated attack uploading suspicious files to FTP hosts. Usually, uploading files to a vulnerable FTP server would go unnoticed in organizations but our Sensor Network identified an anomalous behaviour where identical incidents continued to pile up, arriving from all over the world.
Since its first release, the malware has evolved rapidly. Till today, we’ve seen two different variants of PhotoMiner and over a dozen versions, indicating a rapid pace of evolution. The first variant was compiled on December 9, 2015 and included the core miner and basic propagation abilities. The second variant was released February 3, 2016 and quickly became the dominant version we can observe in the wild.
Spreading and Infecting
Over time, PhotoMiner added new capabilities including a unique multi-stage infection mechanism. First, insecure FTP servers over the world are compromised. Then, innocent websites hosted alongside the FTP servers are engineered to infect their visitors with malware. Finally, unsuspecting website visitors are infected with malware that does not only mine crypto-currency, but also seeks to infect additional FTP servers and systems in local networks.
PhotoMiner uses two types of attack techniques:
The primary attack method takes advantage of insecure FTP servers and clueless users. Since websites are frequently accessible over FTP, the operators of PhotoMiner are able to easily infect website source code and from there, innocent users. This method poses a long term danger to website security.
This is a simple two-stage attack:
By brute forcing random IP addresses and working off a user/password dictionary, weakly protected FTP servers are located and attacked.
Once a successful login attempt is made, a copy of the malware is uploaded to each writable server. At this point, each and every file capable of being rendered to a user (such as HTML, PHP and aspx files) is infected with the following string:
At this stage, rendering the page will cause a vulnerable browser to serve as a download. A careless user will click Open and let the malware in. Recent variants of the malware have upgraded this attack by adding server-side code injection and attempting to install a Linux based miner.
The target server IP, its credentials and the list of infected files are sent to the malware’s backend servers. With this information, the attackers can later login to the infected FTP servers, infecting more files and pivot into additional victims.
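A detection check for the FTP stage described above, added here as an example (it is not GuardiCore's code or a tool from the post): it parses constructed vsftpd-style log lines and flags a client that failed several logins before succeeding and then uploaded a .scr file followed by writes to HTML/PHP/ASPX files. The log format, the failure threshold and the sample filenames are assumptions.

```python
import re
from collections import defaultdict

# Approximate vsftpd-style log lines, constructed for this example (not real data).
SAMPLE_LOG = """\
Mon Jan 11 10:00:01 2016 [pid 2101] [www] FAIL LOGIN: Client "198.51.100.7"
Mon Jan 11 10:00:02 2016 [pid 2101] [www] FAIL LOGIN: Client "198.51.100.7"
Mon Jan 11 10:00:03 2016 [pid 2101] [www] FAIL LOGIN: Client "198.51.100.7"
Mon Jan 11 10:00:04 2016 [pid 2101] [www] FAIL LOGIN: Client "198.51.100.7"
Mon Jan 11 10:00:05 2016 [pid 2101] [www] OK LOGIN: Client "198.51.100.7"
Mon Jan 11 10:00:06 2016 [pid 2102] [www] OK UPLOAD: Client "198.51.100.7", "/htdocs/photo.scr", 1048576 bytes, 200.00Kbyte/sec
Mon Jan 11 10:00:07 2016 [pid 2102] [www] OK UPLOAD: Client "198.51.100.7", "/htdocs/index.html", 4096 bytes, 80.00Kbyte/sec
Mon Jan 11 10:00:08 2016 [pid 2102] [www] OK UPLOAD: Client "198.51.100.7", "/htdocs/login.php", 2048 bytes, 60.00Kbyte/sec
Mon Jan 11 11:30:00 2016 [pid 2200] [dev] OK LOGIN: Client "203.0.113.9"
Mon Jan 11 11:30:05 2016 [pid 2201] [dev] OK UPLOAD: Client "203.0.113.9", "/htdocs/about.html", 3000 bytes, 50.00Kbyte/sec
"""

# Only the fields the check needs: account, event type, client IP and uploaded path.
LINE_RE = re.compile(
    r'\[(?P<user>\w+)\] (?P<event>FAIL LOGIN|OK LOGIN|OK UPLOAD): '
    r'Client "(?P<ip>[\d.]+)"(?:, "(?P<path>[^"]+)")?')

WEB_EXT = ('.html', '.htm', '.php', '.aspx', '.asp')  # files rendered to site visitors
FAIL_THRESHOLD = 3  # assumed: this many failures before a success counts as brute force

def find_photominer_activity(log_text, fail_threshold=FAIL_THRESHOLD):
    """One finding per client IP that brute-forced a login and then dropped a .scr;
    web files written after the .scr are reported as likely-infected pages."""
    state = defaultdict(lambda: {"fails": 0, "brute_forced": False, "scr": [], "web": []})
    for line in log_text.splitlines():
        m = LINE_RE.search(line)
        if not m:
            continue
        s = state[m["ip"]]
        if m["event"] == "FAIL LOGIN":
            s["fails"] += 1
        elif m["event"] == "OK LOGIN":
            s["brute_forced"] = s["brute_forced"] or s["fails"] >= fail_threshold
        else:  # OK UPLOAD
            path = m["path"].lower()
            if path.endswith(".scr"):
                s["scr"].append(m["path"])
            elif s["scr"] and path.endswith(WEB_EXT):
                s["web"].append(m["path"])
    return [{"ip": ip, "dropped": s["scr"], "infected": s["web"]}
            for ip, s in state.items() if s["brute_forced"] and s["scr"]]
```

On a real server the same function can be pointed at the daemon's log file; the account name is captured so findings can be correlated with the credentials the attackers later reuse.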
The second method is based on attacking Windows endpoints and servers reachable in the local area network using the following steps:
PhotoMiner uses built-in Windows systems tools such as ‘arp’ and ‘net view’ to read the ARP cache and to scan the local network segment using the BROWSER protocol.
Next, it attempts to brute force a connection over SMB. With each successful connection, PhotoMiner attempts to drop copies of itself into every accessible remote startup location. After any successful copy, it will use WMI scripting to execute local copies.
Some variants stealthily open a public Wi-Fi access point with the hardcoded name of “Free_WIFI_abc12345” which can lure innocent users into the network and get them infected.
Malware In Depth
PhotoMiner is built in a modular fashion, creating a standalone executable focused on mining Monero and a complex wrapper that is responsible for the persistence mechanism and further infections. This wrapper is comprised of two main variants with multiple sub versions:
The first variant img001.scr is unique in its use of NSIS, a custom scripting language.
Built for installers, NSIS is a perfect fit for writing simple installers including malware. The code is easy to read and debug, enabling the attackers to easily iterate and add features.
The second variant photo.scr is a native binary that implements the img001.scr functionality in native code.
Both variants include multiple sub versions where differences range from bug fixes to changes in the infection technique. Despite the multitude of versions, they follow the same order of operations. As such, we will describe them together, mentioning distinct abilities only when required.
During the initialization stage, PhotoMiner performs housekeeping tasks such as persistence mechanism installation and collecting configuration data for the miner. To install a persistence mechanism, PhotoMiner registers as a startup program using the following:
HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Run
%ALLUSERSPROFILE%\Microsoft\Windows\Start Menu\Programs\Startup\
%HOMEPATH%\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\
While basic, this technique does work and today does not automatically mark a program as “malicious”.
Configuration data is acquired by communicating over standard HTTP with a list of predefined hostnames, all serving a generic configuration file. Currently the given configuration is a list of Monero pools and wallets from which the malware randomly picks a recipient. This configuration file is scrambled using a basic reverse-dictionary. This means that for each scrambled character, a matching character is retrieved from a hardcoded dictionary, while non scrambled characters are safely skipped over.
At this stage basic details about the computer such as operating system version and IP are sent to C&C servers. PhotoMiner connects with C&C servers to communicate its progress rather than accepting “commands” and in fact does not include any remote access capabilities. Our attackers have built a resilient backend, spread over multiple domain names and using VPS servers rotated across different hosting providers. However, thanks to several mistakes made by the attackers, such as reusing servers and IP addresses, the different campaigns are tied together through shared servers.
After initialization, the malware “spins off” the miner as a separate process and goes on to spread itself. This minimises the danger posed by antivirus programs to the miner itself. The mining module itself is a packed version of BitMonero, the core implementation of the Monero worker and is a legit program which is not likely to attract unwanted attention.