Cryptominer Hunting

Cryptomining malware is a form of malware that uses energy and resources of compromised devices to mine cyrptocurrency.  Unsuspecting computer users and enterprise level server administrators are mining cryptocurrency for others right now and they don’t even know they’re doing so. If it were me I’d want my cut! Let’s learn more about this type of malware and how ElevatedPrompt can help protect you against it.

You’re probably aware of what cryptocurrency is and how you can obtain some but if not, I’ll go over it very briefly. Cryptocurrency is a digital currency.  A couple examples which you may have heard of include Bitcoin, Ethereum and Litecoin. Bitcoin, for example, is decentralized and when the right steps are taken can be anonymous. Anonymity plays a large role on the dark web markets which purport to have illegal goods and services for sale.  If you’re buying something illegal, perhaps a botnet or credit card data, it’s probably best to stay as anonymous as possible. Cryptocurrencies like Bitcoin are also popular forms of payment for different types of ransomware which keeps the attacker unknown.

To obtain cryptocurrency like Bitcoin or Monero you can purchase it online or mine it using a computer. Mining coin can become expensive. Depending on which coin you want to mine you may require specific hardware. That hardware could become expensive to run due to electricity costs which is why it’s beneficial to mine the coin on someone else’s computer and let them pay the running costs.

To mine a coin a special program is run that attempts to solve a complex mathematical problem. In return for doing this a miner may be rewarded with a small amount of coin. In the past Bitcoin has been at the forefront of coin mining popularity but due to ever increasing difficulty in the mathematical problems Monero has started to pull ahead. Monero doesn’t require much from a computer. It can be mined with only CPU power. Bitcoin on the other hand requires graphics processing units or even special built machines with ASIC chips. Monero’s mining software is open source and runs across many different operating systems. With all of these benefits it’s easy to see why Monero is starting to become the coin to mine.

Cryptomining malware is delivered via the usual popular vectors; phishing, document macros or installed directly on vulnerable, unpatched servers. Cryptojacking is another form of potential malware that mines coin while a user visits a website. This may be intentional or unintentional behaviour by the website owner. for example famously experimented with cryptojacking as another form of revenue generation. If a website visitor was using an ad blocker the site gave them the choice of turning it off or using the viewer’s processing power to mine Monero for Salon.

Today we’re going to catch some cryptomining malware attempting to make someone else some coin. Below we see command attempts captured by ElevatedPrompt’s threat intelligence sensors. The attacker is attempting to exploit a piece of vulnerable Netgear hardware:

If the exploit would have succeeded the following script would have been downloaded to the device: hxxp:// Let’s have a look at what that script does.

It looks like it downloads two more files; and  It can probably be deduced that one script is a coin miner and the other is some sort of IP scanner. With the topic of this blog post in mind I’m going to skip the scanner and jump into the miner. Let’s take a look.

The script runs commands on either x86 or ARM devices. It kills any running XRig processes (XRig is another miner that uses the CryptoNight algorithm to mine Monero, amongst other coins) and then downloads and installs its own CryptoNight mining program CNRig. The script calls home to the mining server ( and logs in with the username 386_MINER and password x. From here the miner proceeds to mine coins for the attacker.

Other innocent victims of this event include the owners of the website that the attackers hacked to use as their malware host.

Believe it or not there have been cases where coin miners have been found and allowed to stay in the environment. In one case an attacker broke in to multiple computers to set up miners and did such a good job at server upkeep that the victim found the attacker preferable to their own IT service provider. Check out episode 22 of Darknet Diaries if you want to hear all about it.  If you ever found yourself in this type of position I would recommend removing the malicious crypto miner.

See the following Pastebin link for a list of IOCs:

2018-10-01T20:44:14+00:00Categories: Threat Intel|

Leave A Comment

Come by our booth March 13 & 14, 2017 at BSides Vancouver, a two-day, high-caliber gathering for information security professionals, hackers, coders and the greater tech community. link to