Hi everyone, I hope the afternoon is treating you well. You're in conference room 2 right now, where we're going to hear a conference talk titled "Trick or Treat: Unveil the Secrets of the Mining Pools". So if this is not what you were expecting, now is a good time to head to room one. Our presenters today are Emilien Le Jamtel, who has been a security analyst at CERT-EU for four years and is also responsible for monitoring and hunting activities at CERT-EU, and Ioana Andrada Todirica, who is working in Brussels for CERT-EU as an IT security administrator, previously working as an IT systems administrator for the Romanian Ministry of Defense, and passionate about information technology. I will let you go in depth into your background; I don't want to steal your thunder. So without further ado.

So hi everyone. Thank you for being here for the talk. So we'll talk about crypto miners, so crypto mining malware or mining malware, I don't know which one you prefer, and we'll speak especially about the Stratum mining protocol. Yeah, so my name is Emilien Le Jamtel. I'm a security analyst at CERT-EU. I used to be a pentester, so more into red team activities. I also worked in the threat intelligence team at CERT-EU, but now, after some time as an incident responder, I'm now responsible for everything related to threat hunting and monitoring of our SOC.

I'm Ioana Todirica. I'm from Romania. For those who don't know about Romania, Romania is a really small country in Europe known as Dracula's land or the house of the vampires. I worked previously for the Romanian army as a system administrator, and in the last three years I moved to Brussels to work as a security administrator for CERT-EU. Okay, so, mandatory slide about who we are and what we do. So CERT-EU is the computer emergency response team (CERT) of the European institutions, bodies and agencies. So it means that it goes from the European Parliament and the European Commission to small agencies like the medicines agency or the transport agencies.
So our constituents are around 60-plus different organizations. That's a very interesting, let's say, work environment, because we have different maturity levels between our constituents. So we can have very small entities and big ones with their own security team, and so it's pretty cool to work there at CERT-EU and to help the European institutions get protected against cyber threats. So what we do is more or less what every CERT is doing, so it goes from incident handling, which is the team I'm part of; we have a very good threat intelligence team; we have some developers also to help us with the automation of tasks. And Ioana is part of what we call extended services, which is some kind of infrastructure team plus red team plus vulnerability assessment plus a lot of stuff. So we actually provide more services to our constituents, like helping them deploy sensors and stuff like that.

Okay, but now let's jump to the real topic. So crypto mining malware is always something... I mean, it's really been on the rise for more than two years. It actually kind of replaced ransomware attacks. So now it's actually more profitable for a threat actor to infect machines and have them mining for them instead of trying to ransom people. And the thing is, we often have people asking us, "Okay, but the price of Bitcoin and other cryptocurrencies is actually crashing, so is it still a thing?" And if you look at the news, just last week Trend Micro released a blog post about a vulnerability in Confluence being exploited, and then they were installing some crypto miners there in order to mine some money. And if I look at the analysis we are doing, I see more and more samples. So the thing is, for threat actors, if the price goes down, just infect more machines and then you will still make money. And I mean free money; it's not your infrastructure.
So it's cool. The other thing is it's pretty easy to deploy. You have a lot of proof-of-concept code online on GitHub, on Pastebin, I mean very basic scripts. So you find a vulnerability which is not patched, you use services to actually find vulnerable services, you deploy your exploit, you deploy your script, and then you start mining and making money out of other people's infrastructure.

So the thing is, what we want to do is to be able to detect crypto mining activities inside of our network, and so for that we will use something which is specific to crypto mining: for mining activity, most miners will actually not do solo mining, but they will use mining pools. So I will quickly explain, in a very basic way, a mining pool. So you have these mining pool servers. So usually you have a website and then you have different services which will actually communicate with the blockchain. Every participant will actually connect to the mining pool and participate in the proof-of-work in order to find some blocks and to generate rewards, and based on the participation of each entity in the mining pool, they will kind of divide the reward among the different participants. And the thing is that it can be any type of device. It can be a smartphone, it can be a laptop, it can be servers. I mean, you can mine on any device, especially since you have some cryptocurrencies which are kind of not dependent on GPU usage, so they can be mined with those very small CPUs, so even a small device. And what we will speak about here is crypto mining malware. There is another kind of cryptojacking activity, which is leveraging JavaScript in the browser, but that's not what we'll speak about today. We will speak about malware infecting machines and having them participate in the mining activity of the mining pool. So to actually distribute the job between the different participants, the mining pool will use a protocol called Stratum.
So Stratum was released in 2012 and it was replacing an obsolete protocol called getwork, which was based on HTTP. And so it's way more efficient. It's basically a JSON-RPC protocol, so it's just a TCP connection: you send a JSON, receive a JSON, and then you distribute your work like that. And it's good because in most cases it's unencrypted; not always, but in 99% of cases people are too lazy to put SSL on. So that's cool for us.

Okay, so what we do, our work was to actually try to identify Stratum servers on the internet, meaning the configuration which is needed by the miner in order to connect to the mining pool, because that's the only way for them to participate in the pool. We want to see exactly where they connect, which port, is it using SSL or not, but mostly domains, IP, port; that's what we want. So we developed four different strategies to do that. The first one will be to process some malicious samples and to extract configuration from them. The second one will be to use some search engines in order to find servers directly, but also to extract from the mining pool websites the configuration they use for the Stratum protocol. And finally we'll speak about actually scanning the internet at the end. And we have some Snort rules. They're available on our GitHub account; you will have the link at the end of the presentation.

So, yeah, okay, so crypto analysis of samples. So we have different strategies to capture samples. The first step is to capture some samples. I captured something like 20,000 unique samples over more than a year, something like that. So we have different sources. It can be from malware repositories like VirusTotal, for example, or online sandboxes like Any.Run, Hybrid Analysis, all those kinds of open sandboxes that you can use, but also from internal incidents that we manage at CERT-EU. And in order to identify interesting samples for us, we will use Yara rules.
We will use lists of interesting domains, lists of interesting behavior, which will reference either the Stratum protocol itself or wallet addresses. So wallet addresses: when you want to get paid in Monero or in Bitcoin, you provide your wallet address to somebody. The thing is that most mining pools will actually use a wallet address for authentication to their pool. That's pretty cool. So it's a very long string, so I have nice regular expressions in Yara rules to actually detect the existence of those addresses in samples, and so I know that something interesting will be on the other side. Something else, which I will go into in detail on the next slide, is the use of specific mining software. So people are lazy. You have very good tools which exist to do the mining; the most well-known is XMRig. So most threat actors will just embed the miner itself, so the software doing the mining, inside of the malware that will be deployed on the infected target, and they will just make it run. So if I see a reference to those specific tools, I know that it's probably something related to crypto mining.

So the workflow to analyze them is more or less fully automated, I mean with some bugs, of course; I mean, it's Python scripts. So I take those samples and I try to decode them as much as I can. So for example, I will look for base64-encoded blocks inside of the samples and decode them. Sometimes it's not encoded at all and sometimes it's packed. So for those cases I use open source tools, mostly the RetDec decompiler, which was released a year or so ago, for 32-bit samples, and Snowman for 64-bit. The thing is that last month the developers of RetDec announced that they're now supporting 64-bit samples for Intel architecture. So I think I will use it more because I prefer their output. And they have some kind of embedded unpacking functionality which is pretty cool for us. So then I'm using Yara rules.
So to actually find some specific patterns inside of the file, and I'm looking for two main things. The first thing is the mining software they are using: is it XMRig, is it cpuminer, something of that class; and also references to configuration files, I mean how they will actually configure the miner to start participating with a mining pool. And finally I have a shitload of regular expressions, more or less correctly written, in order to extract those configurations, parsing them with some kind of Python script to actually make it compliant and then store everything that I'm interested in into a JSON file.

Okay, so you don't have to read everything; this slide is just to show you that what we did is an inventory of all the most used mining software that we can find in samples, and how they start, because there are usually two ways of starting the mining process: either having a command line where you will specify the Stratum server you want to communicate with, or a configuration file. So if you take XMRig, for example, so that's basically on Windows how you start the mining process. So you have this usage, the CPU usage you want to use, so 85%. You will not put 100, because you don't want the machine to be completely killed and then everybody will figure out something's happening. In this case 85% is already kind of tricky; I mean, if you start doing that on web servers, it may have issues. And the -o will specify the Stratum server you want to connect to, with a port, and the -u is the wallet address. The other way around is to actually use a config file format, where you will specify the URL of the pool with a port and then the wallet address you want to use for authentication.

So some samples are packed or obfuscated.
So we are not necessarily capable of extracting the configuration directly. So then we have all those strategies; I will not go into too much detail on those, a bit more on the network capture. But what we do: we just send them into sandboxes, or we look for online sandboxes which actually executed the sample, and I will extract the sandbox report. So you have interesting stuff like the command line executed on the machine, which kind of IP it connected to, on which port, and stuff like that. So we will actually extract from those sandbox reports the data we want. But also some sandboxes, especially the one we are running internally, give us the possibility to get memory dumps. So for that we will use Volatility with the same Yara rules we were using previously in our static analysis to identify which process is actually doing the mining, and then I will use exactly the same technique on the unpacked malware in memory. So then I don't have to start doing some reverse engineering just to get the Stratum address, so that's pretty efficient.

And finally we can have a network capture, and so we have those nice pcaps, and I will explain a bit more how the Stratum protocol works to show you how easy it is to extract the information from a pcap. So basically I have my infected laptop. It will initiate a JSON-RPC request to the Stratum server with the IP and the port, or the domain and the port, and then the Stratum server will just give it back like: "Okay, so welcome to the pool. That's your job. Please send me the result when you have it." So the login request looks like that. So it's just a login; the pass, "x", may look like a password, but actually in 80-90% of cases mining pools do not check the passwords. So I mean, why? If you want to participate, just participate; I don't care. And we have the user agent, which is pretty cool. Okay, so that's the basic stuff. So the answer looks like that: the Stratum server says, "Okay, cool. Welcome. That's your job."
That's the job ID, that's the blob you need to analyze, and that's the target you need to reach. Once it's done, give me back the result; I will compile it with the rest of the participants, and if we find a block then we will get part of the reward. So we have the port, we have the IP, because we identify the packets which are containing those specific JSON-RPC requests in your pcap, and I just have to look back into the DNS query which was made by the sample in the sandbox to identify at least the domain attached to the IP I previously identified.

Okay, so for this part I will give the floor to Ioana, who will speak about the next strategy we use to identify the servers.

Okay, so Emilien talked about having the samples already. We would like to find what's online there, what's already active. So as he said before, nowadays mining by yourself is not pretty efficient in the end; like, yeah, it's really hard to mine your own block until you get it; it takes a lot of time. So what we are planning to do is just to scan them over the internet using services like ONYPHE, Censys, Shodan, to look for those Stratum servers or mining pools which might contain the configuration of the Stratum servers. For those who don't really know what those search engines are that I'm talking about, like ONYPHE, Censys or Shodan: those are like search engines which are mapping all the devices connected to the internet, and they're gathering information about services, protocols. They have different filters depending on what your needs are. You can get the results through their API. For us, we just needed, we searched only for basic keywords. We didn't need to filter on other stuff. We just wanted to look for specific Stratum protocols.

So okay, initially we wanted to look for Stratum servers which are already there online, and we've done this through, we found like some standard messages.
For example, if you do a request, there is a response with something like "mining server online". This is a standard message which a Stratum server will say: "Yeah, you know, I'm a Stratum server waiting for you to connect." Another interesting case you will see: they will respond in their HTTP header with X-Stratum, where you'll have the configuration, as you can see here, like stratum+tcp. You will have the configuration of the Stratum server where you can connect. Emilien talked also about the XMRig miner. With the XMRig miner, you can enable the HTTP API, so for example if you search on those engines it will give the configuration of the miner. So for example, you can see there in the connection there's the pool, which gives you exactly the Stratum server where you're supposed to connect to start mining. And another one which we identified is this Ethereum Stratum proxy, which is a transition between the old protocol, getwork, and the new one. So those were like scanning directly on the internet for Stratum servers. Now what we want is to identify the mining pools online, which might contain the configuration of other Stratum servers. So we found like common keywords for basic pools, like "mining pools", "top 10 miners"; if you search for those you'll find plenty. But also we identified, I would say, around five mining frameworks which are open source and are available; I think all of them are on GitHub, and you can install them by yourself. I'd say in many cases you don't need much knowledge of it. It's pretty simple to do it.
So what we did, we tried to see what's specific for each type of pool and to extract the configuration of the Stratum server. On this one we used the scanning services to extract the pool website, but also we used, you can find online, websites which are listing the mining pools. So we extracted the URLs from there and we just parsed them and checked if they apply to our searches. So we found around three basic techniques of extracting those mining pools that I was talking about. So the first one is like node-cryptonote and Node.js pools. They're used mostly for CryptoNote coins, and the interesting thing, you just parse the HTML page and you just look for a configuration file. What's really interesting about it: in the configuration file you will find the API which you can connect to, and you will just, as you can see here, you can take the pool host directly and the port. So basically we found a configuration of a Stratum server. So what we're doing, we're gathering those details, and for later, to see if they're going to be online and if they're available for mining. For Node.js there's like a slight difference: the configuration file is called differently; it's like global.js, and when you do the API call it's not /stats, it's just /pool, and I think it supports something like this. But as a method it's, yeah, you just parse the file, you look for a configuration file and then you just connect to the API and you take your data. For those ones, like NOMP and Open Ethereum Pool, it wasn't that straightforward, I would say. They have an API, but they don't have the data that we're looking for. So what we are doing, we're connecting to the page and trying to, okay, we've done some engineering, some regex around it, to steal the port and the IP or the name of the pool host. The Open Ethereum Pool is a pool only for Ethereum mining, so it's a bit more straightforward.
For example, I don't have to search for the port; there you just have to search for "stratum port" and "stratum host" and you'll have them there. It's much easier to go and search for it. Here it was a bit complicated to engineer some regex which will filter the data. Okay, this is like the last technique that we identified, and I think it was the one which required a lot of parsing in the background. So we have this YiiMP pool, which basically, in this page, will tell you how to configure your miner, like it will give you: okay, the Stratum server is there, you just need to replace the port and the algorithm that you want to put. So basically, initially I'm filtering the first page and I'm taking the stratum+tcp, then I'm doing a call into the page to find the API, then after I find the API I'll get the algorithm name and the port. So I'm extracting there, and in the end, yeah, I'll just have the final Stratum configuration. What is interesting on this one: on big mining pools, different types of YiiMP we've seen, they might mine more coins on the same port, or on the same algorithm but on different ports, so it depends on the configuration that they initially have, I guess.

Okay, so we gathered all the data. What are we going to do with it? Because, you know, that's a lot of data. So we wrote a scanner in which we wanted to see: okay, if I'm going to send a job request to the server, let's see if it's going to respond or not in the end. So we identified like two responses. We have either an error, which, okay, so say if we crafted a message which is like, you know, buggy, there's just a random pass or nothing real there. But the funny part, as Emilien was saying, if you look at the second one, on the job, we just receive the job.
So, okay, you can start mining. So, a few statistics about the data that we collected in the end. So we identified around 8,000 Stratum servers. Yesterday morning, I think, is when we scanned them last time; we had around 4,000 live servers. You can see here there are only 1,000 unique IPs hosting them. Well, as I said earlier, on the same IP you might host different types of coins on different ports, but the IP is the same. Also, I would say a good indicator of compromise, the most reliable one, is coming from the sample analysis, which, you know, are the ones which are malicious in the end. So yeah, those are the most reliable, I would say. And yeah, okay, the rest, we had like 6,000 from mining pool extraction, which, yeah, it's not pretty bad compared to the rest that we found directly in the end. Okay, then there's one thing here. You can see unique domains; there are a lot of them if you compare. Okay, we found only 1,000 unique IPs. Well, why do we have 12,000 unique domains?
So Emilien will tell you more about this one.

Okay, so as Ioana said, we have those samples which were, I will not say malicious, but we know that those mining pools have been used by malicious samples. So it's not that the mining itself is malicious, but we know that we identified specific samples which will use those specific mining pools once they infected machines. So these 11,000 come from one simple trick that we've seen being used by a lot of malicious actors: they will actually register a domain name pointing to the proper IP address of a mining pool without actually telling the owner of the mining pool. Some people will use, you have some available lists of domains of mining pools, for example. So you will look in your DNS logs, in your proxy logs, if you have connections to those specific domains, not necessarily looking for IPs. So in order to be undetected, what they will do is: okay, I will just register this totally random domain and make it point to the specific IP address. So then your DNS-based detection is totally useless. So that's why, by doing passive DNS, passive SSL, looking in search engines like Bing, which has a functionality where you can do some kind of passive DNS query, and also through the sample analysis, we identified a lot of those. So for example crypto-pool.fr, which is one of the biggest mining pools online for the Monero cryptocurrency, actually has very cool and funny domains registered to this IP, like this video porno azo.com or Test test QE or I don't know.
So those guys were kind of imaginative in order to hide behind it. We have some false positives, especially if you have these kinds of shared IP hosting services like OVH, or sometimes Amazon is doing like that. But at the end, what we do, we will retest those specific domains with the scanner to see if they actually can be used to start the mining process.

So some of the data we decided to take out of it was: okay, is there a default port? Because we were looking at the documentation about those mining pool open source projects, and I think NOMP had some kind of default port configured, which was 5555 I think, but most of the others do not have that. And so we started doing, so if you look on the left side, say, okay, it's quite distributed; there is nothing very specific. But you can see that there is this kind of four times the same digit, like 3333, 5555, 7777. So my idea is that people are lazy, and you know, they have to configure the stuff: okay, okay, okay, four times the same digit, and it works. I mean, why not? So we did another statistic based on all the ports, so it's not just based on the top 10 but all of the ports identified, and we can see that roughly more than one third of them are using these four-times-the-same-digit ports. And also you have sometimes some deviation. So for example, if you have two types of coins that you mine, or if you have two types of difficulty you want to mine on the same coin, the first one will be 4444 and then, okay, let's change for the second one, because I cannot use the same one: 4445, then 4446. And so we observed that we have also a lot of those, like I call them there, xxxy. Some guys will also use the HTTP standard ports, 80, 8080, 443, in order to hide behind legitimate traffic, and then the others.
I mean, yeah, we have very different stuff, but we have some kind of patterns there. So I work with Patrice Auffret, who is a French security researcher working for ONYPHE, and actually I provided him a payload, which is more or less the Python script we developed for the scanning, and I asked him: okay, can you check on all those four-times-the-same-digit ports if you see the Stratum mining protocol? So he's sending the JSON, looking at the answer, and so when I checked this morning, no, yesterday evening, we identified 1,000... 1,600 something. But the thing is, the scan is still ongoing, so we'll probably get more. So once he tells me that the first scanning is done, then I will integrate those IPs into our list and see if there is deduplication and stuff like that. So it's pretty cool.

And so there you have an example of a server we found. So something pretty cool here is you see some error message, "invalid payment address provided". Now, it's because that's a fake login I'm sending to the mining pool. So some of them answer by responding with my fake, bogus authentication results, and the interesting part is some of them actually do not care about authentication. Hmm, yeah. But the thing is that by scanning them I request a job, but I will never answer, because I'm just sending a JSON-RPC, getting the answer, but I actually never do the job. That's something I didn't test, because it's a bit offensive: it would be to actually take one of those mining pools which do not care about authentication and spam them with job requests, and I don't know if it will drop them; I don't know. That's something I didn't test, because I'm not really allowed to do that offensive stuff against people. So we have regulation in Europe and stuff like that. So my boss, the head of incident response, tells me: okay, it's really cool, you do research, you find stuff.
So please now make it actually usable. So there are some ways we actually use this data to detect or block mining activities in our constituents. So on the IDS/IPS level, for example, we will use the list of domains and IPs. We also have the Snort rules we developed, which we deploy in order to detect such activity. We can also use domains and IPs on the proxy level and on the DNS level as well, in order to see if we have connections to those specific domains and IPs that we identified. And finally, based on the work we did for the static analysis of the samples, we developed a list of malicious hashes, of course, and also specific command lines. So for that, I don't know if you know Sigma; I mean, you may look at it if you want, but we have some kind of patterns of command lines they are using to start the mining process. So if I detect on an endpoint or a server a running lookalike command line, which looks like a mining process started, I can generate an alert on my SIEM. And also we have Yara rules: when we do a sweep of all of the workstations of one of our constituents, we will actually use some Yara rules we developed to get new samples, to see if we actually have such samples already installed in one of our constituents. We're using MISP as well to share with our constituents and our partners. If you don't know MISP, you should; it's pretty cool. So it's an open source project to exchange indicators of compromise and analyze them with your peers. So you can get, for example here, we have the hashes of the files we identified. We also put the wallet address, and actually Raphaël Vinot from CIRCL, who is one of the guys developing MISP, added new tags for very specific cryptocurrencies, so you can do correlation inside of it. We also put the domains, even if they are not malicious by themselves, but they can be good indicators to detect that something malicious is happening in your network.
I will let Ioana tell you. Okay, what's our plan for the future? So we would like to dig more into the pool extraction technique. I have to say that we started with two big mining pools and then we reached five, and I think the last one was bringing the most results. So I think we will go on and continue; we'll discover, for sure, other mining pools which will get us more Stratum servers. Also, one of the things, as Emilien talked about MISP: we need to really integrate it with MITRE ATT&CK and do proper tagging and correlation on the events that we're having there. And one thing which, yeah, we're really working on, is to have better automation of what we're doing. Okay, we're having like a script, but they should look, you know, better than that, and we're trying to improve and, you know, do regular scanning without the human interaction, I would say. And also it would be good to have like a storage of the historical data, to be able to do some statistics on it and see what's the trend and how things are going to go for the future. Do we still have some time? Okay, good. So yes, one interesting thing that we found during our search, while we were using the scanning services for the XMRig miner, as I remember, we found those Docker boxes, and we were like wondering what's up with them. So we've seen that they're listening on port 2375, and if you look closely at it, okay, it looks like an image which contains a Monero miner, which, the first one, looks pretty legit. Okay, you have a miner there already configured, you don't care, but the second one looks a little bit weird, suspicious.
I would say, so yeah, for the first one, okay, you can see that you set your miner; as you can see, you can see the domain of the Stratum server and the port where you can mine, the pass or whatever. But on the second one, yeah, it looks a bit fishy: why would you put it encoded, like, why would you want to be like that? So the moment we tried to decode it, yeah, we discovered, yes, it's still a miner who's sending some requests to a valid Stratum server. So the thing is, we haven't yet explored it, but what if they are exploiting, like, the Docker API, for the stations which are not properly patched, and just, you know, infecting random Docker stations, just because they found it easy to exploit. So we're not really sure yet about it, but yeah, we're thinking this might be a suspicious case, like, why would you put it in an encoded format in the end if you have a legitimate image?

Okay, I'll let Emilien; he has a nice example about the XMRig miner.

Yes, okay, so we analyzed a lot of samples; sometimes we find something cool, so we look a bit more into it. And that's a trick I've seen used several times, and I really like it because it means that we are not the only ones doing threat intelligence. So you have the PowerShell version on the left and the bash version on the right. So what those guys are doing is they will kill processes based on specific names or specific strings, like IP addresses, wallet addresses, references to the Stratum mining protocol, before starting the miner. What those guys are doing is they are scanning the internet for, let's say, vulnerable WebLogic servers. Okay, they connect there and they kill everything they know about competitors, and then they start the mining process, probably for two days, or let's say 20 minutes maybe, before somebody else does the same, you know. So that's pretty cool. Thank you for the indicators.
I would say, because then I can integrate them into my threat intelligence database. But I really like the trick, that, you know, those guys know that if they want to make money they have to beat the others, and it was a very cool trick. So I know they're very cool samples. So, okay, I will speak a little bit about the MITRE ATT&CK framework. There was a presentation about it this morning. Yeah, so persistence mechanisms. I found this very cool sample; you have the hash on the back; the slides will be shared, you can take a look. It actually had three different persistence mechanisms. So once it infects the machine, it will actually create a scheduled task, then use WMI to subscribe to events in order to create them for persistence, and then it will actually register itself in a registry Run key. So I don't know why they need three, because I guess if they are detected once, the others will be cleaned as well. But the guy really wanted to be sure to stay there, even if the guys disinfect the machine as well. So it was a pretty cool case, and that's where the tagging with the MITRE ATT&CK framework could be very cool, because then you can kind of highlight automatically the kind of very strange samples which look cool when you do a presentation. And I think that's it for us. So we have the code repository, where we have most of the code. We are still in the phase of cleaning a bit of it, like removing hardcoded API keys and stuff like that. And also, you will find the full paper that we submitted to NorthSec to get accepted to the conference on this GitHub repo. So expect maybe in the next few days, middle of next week, to have all the code we actually produced put there, and probably cleaned and maybe documented. We're doing our best.
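As an added example (not code from CERT-EU or the speakers), here is a small Python module that pulls Stratum pool configuration out of the three sources the talk walks through, an XMRig command line, an XMRig-style config.json, and a captured Stratum login/reply exchange, and applies the repeated-digit port heuristic from the statistics part. The pool host, wallet and JSON-RPC messages are constructed sample values, and the wallet regex is an assumption modelled on 95-character Monero addresses.

```python
"""Extract Stratum pool configuration from miner artefacts and classify ports.

Added example for the CERT-EU mining-pool talk. All sample values below are
constructed; the Monero-address regex is an assumption (95 base58 chars).
"""
import json
import re
import shlex
from dataclasses import dataclass
from typing import List, Optional

# Monero primary (4...) or sub-address (8...) in base58, 95 characters long.
XMR_WALLET_RE = re.compile(r"\b[48][1-9A-HJ-NP-Za-km-z]{94}\b")
# host:port with an optional stratum+tcp:// or stratum+ssl:// scheme.
STRATUM_URL_RE = re.compile(r"(?:stratum\+(?:tcp|ssl)://)?([A-Za-z0-9.\-]+):(\d{2,5})")


@dataclass
class PoolConfig:
    host: str
    port: int
    wallet: Optional[str]
    source: str          # "cmdline", "config" or "pcap"


def port_is_suspicious(port: int) -> Optional[str]:
    """Return the pattern a port matches: 'xxxx' (3333, 5555), 'xxxy' (4445),
    'http' (80/443/8080 used to blend in), or None for anything else."""
    s = str(port)
    if len(s) == 4 and len(set(s)) == 1:
        return "xxxx"
    if len(s) == 4 and len(set(s[:3])) == 1:
        return "xxxy"
    if port in (80, 443, 8080):
        return "http"
    return None


def find_wallets(text: str) -> List[str]:
    """Wallet addresses found in an arbitrary string (command line, strings dump)."""
    return XMR_WALLET_RE.findall(text)


def from_xmrig_cmdline(cmd: str) -> Optional[PoolConfig]:
    """Parse the -o/--url pool and -u/--user wallet out of an XMRig command line."""
    argv = shlex.split(cmd)
    url = user = None
    for i, tok in enumerate(argv):
        if tok in ("-o", "--url") and i + 1 < len(argv):
            url = argv[i + 1]
        elif tok.startswith("--url="):
            url = tok.split("=", 1)[1]
        elif tok in ("-u", "--user") and i + 1 < len(argv):
            user = argv[i + 1]
        elif tok.startswith("--user="):
            user = tok.split("=", 1)[1]
    m = STRATUM_URL_RE.search(url or "")
    if not m:
        return None
    return PoolConfig(m.group(1), int(m.group(2)), user, "cmdline")


def from_xmrig_config(text: str) -> List[PoolConfig]:
    """Parse the 'pools' list of an XMRig-style config.json."""
    out = []
    for pool in json.loads(text).get("pools", []):
        m = STRATUM_URL_RE.search(pool.get("url", ""))
        if m:
            out.append(PoolConfig(m.group(1), int(m.group(2)), pool.get("user"), "config"))
    return out


def from_stratum_login(payload: str, dst_host: str, dst_port: int) -> Optional[PoolConfig]:
    """Recognise a Stratum 'login' JSON-RPC message taken from a TCP payload;
    the destination of the connection is the pool, the login field the wallet."""
    try:
        msg = json.loads(payload)
    except ValueError:
        return None
    if msg.get("method") != "login":
        return None
    return PoolConfig(dst_host, dst_port, msg.get("params", {}).get("login"), "pcap")


def classify_stratum_reply(payload: str) -> str:
    """'job' when the pool handed out work, 'error' when it rejected the login."""
    try:
        msg = json.loads(payload)
    except ValueError:
        return "other"
    if msg.get("error"):
        return "error"
    job = (msg.get("result") or {}).get("job") or {}
    return "job" if "blob" in job and "target" in job else "other"


# Constructed sample inputs (not real indicators).
SAMPLE_WALLET = "4" + "B" * 94
SAMPLE_CMDLINE = f"xmrig.exe --max-cpu-usage=85 -o stratum+tcp://pool.example.test:5555 -u {SAMPLE_WALLET} -p x"
SAMPLE_CONFIG = json.dumps({"pools": [{"url": "pool.example.test:3333", "user": SAMPLE_WALLET, "pass": "x"}]})
SAMPLE_LOGIN = json.dumps({"id": 1, "jsonrpc": "2.0", "method": "login",
                           "params": {"login": SAMPLE_WALLET, "pass": "x", "agent": "XMRig/2.x"}})
SAMPLE_JOB_REPLY = json.dumps({"id": 1, "jsonrpc": "2.0", "error": None,
                               "result": {"status": "OK", "job": {"job_id": "j1", "blob": "0707", "target": "b88d0600"}}})
SAMPLE_ERROR_REPLY = json.dumps({"id": 1, "jsonrpc": "2.0",
                                 "error": {"code": -1, "message": "Invalid payment address provided"}})

if __name__ == "__main__":
    for cfg in [from_xmrig_cmdline(SAMPLE_CMDLINE), *from_xmrig_config(SAMPLE_CONFIG),
                from_stratum_login(SAMPLE_LOGIN, "198.51.100.7", 5555)]:
        print(cfg, "port pattern:", port_is_suspicious(cfg.port))
    print(classify_stratum_reply(SAMPLE_JOB_REPLY), classify_stratum_reply(SAMPLE_ERROR_REPLY))
```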