Check Point Forensic Files: A New Monero CryptoMiner Campaign

A new variant of Monero-mining malware has been detected by the SandBlast Agent Forensics team and is spreading through organizations worldwide. It spreads and operates in a manner more consistent with ransomware and other attacks that retain a level of persistence than has been seen before in miners.

Check Point researchers said these mining operations have been ongoing since mid-January and use two specific trojans: Trojan.Win32.Fsysna and a variant of a Monero cryptominer. “The highlight of this variant is the use of legitimate IT administration tools, Windows system tools and previously disclosed Windows vulnerabilities in order to infect an entire network of PCs,” wrote Check Point’s Richard Clayton. They also added, “The actors behind this campaign possess enough skills and experience to make this a potentially severe attack on any organization with not-so-easy steps for remediation.”

Most Trojan-based attacks are delivered via an email, network, file, or application vulnerability. It is not yet known exactly how the miner is being injected, but Check Point did find that the malware uses the Mimikatz post-exploitation tool to spread laterally through a target system.

Analysis shows that all the Trojan binaries are signed by Shenzhen Smartspace Software Technology. However, Check Point’s SandBlast Agent engine detects that the signature is invalid and flags it as such in the “Suspicious Event” tab of the Forensics report.

Once established, the miner begins a series of obfuscation and persistence maneuvers. It is initially dropped into the user's Temporary folder but immediately makes a copy of itself in the Windows Temp folder for persistence. The malware then checks for older versions of itself previously installed, stops them from running and eventually removes them from the system, and then uses the Netsh Windows utility to open the ports it needs to connect to the mining network.

The next level of persistence happens when a second trojan is dropped into the Temp folder. It stops the first trojan from operating and moves itself, as wmiex.exe, to the system folder, where it can make use of Windows' own tools: it creates a scheduled task that mimics a web server application and runs on startup. It then flushes the DNS cache and starts the scheduled task it has created.
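The persistence chain described above (Temp-folder execution, Netsh opening ports, a scheduled task for wmiex.exe, a DNS cache flush) is made of individually benign administrative commands, so a detection that fires on any one of them would drown in false positives. The following added example, written for this article and not Check Point's own tooling, correlates the stages per host over process-creation command lines and only flags hosts where several stages appear together; the event field names and the sample command lines are constructed.

```python
"""Hunt for the miner's persistence chain in process-creation command lines."""
import re
from collections import defaultdict

# One regex per stage of the chain reported in the article. Command lines are
# lower-cased before matching, so the patterns are written in lower case.
STAGES = {
    "temp_exec": re.compile(r"\\(?:windows\\temp|appdata\\local\\temp)\\[^\\]+\.exe"),
    "netsh_open_port": re.compile(r"\bnetsh\b.*\b(?:add\s+portopening|add\s+rule\b.*action=allow)"),
    "schtask_wmiex": re.compile(r"\bschtasks\b.*/create\b.*wmiex\.exe"),
    "dns_flush": re.compile(r"\bipconfig\b.*/flushdns"),
}

def match_stages(cmdline: str) -> set:
    """Return the names of every stage whose pattern matches this command line."""
    low = cmdline.lower()
    return {name for name, rx in STAGES.items() if rx.search(low)}

def score_hosts(events, threshold=3):
    """Group events by host and return {host: sorted stages} for hosts whose
    command lines cover at least `threshold` distinct stages of the chain."""
    seen = defaultdict(set)
    for ev in events:
        seen[ev["host"]] |= match_stages(ev["cmdline"])
    return {host: sorted(stages) for host, stages in seen.items() if len(stages) >= threshold}

# Constructed sample events (not real telemetry); "host"/"cmdline" field names are assumed.
SAMPLE_EVENTS = [
    {"host": "ws01", "cmdline": r"C:\Windows\Temp\dropper.exe"},
    {"host": "ws01", "cmdline": "netsh advfirewall firewall add rule name=web dir=in action=allow protocol=TCP localport=8080"},
    {"host": "ws01", "cmdline": r"schtasks /create /tn WebServer /sc onstart /tr C:\Windows\System32\wmiex.exe"},
    {"host": "ws01", "cmdline": "ipconfig /flushdns"},
    {"host": "ws02", "cmdline": "ipconfig /flushdns"},  # a single stage on its own is routine admin work
    {"host": "ws02", "cmdline": r"C:\Program Files\App\app.exe"},
]

if __name__ == "__main__":
    print(score_hosts(SAMPLE_EVENTS))  # only ws01 reaches the threshold
```

Feeding real Sysmon Event ID 1 or Windows 4688 records only requires mapping their computer and command-line fields onto the two keys used here.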

The trojan also connects to the command-and-control server and updates it with the latest information from the infected machine. At a later stage, a Bitcoin miner is also downloaded to the infected machine and runs in parallel with the Monero miner.

The use of open-source and script-based tools to move laterally within the organization and to increase infection rates in loosely secured organizations makes this campaign difficult to spot and stop.

“The use of Windows legitimate tools such as CMD, WMI and networking tools in order to inflict damage to the system and establish persistency would make these attacks harder to detect without increasing false positive detection in the organization,” Clayton wrote.