Bitcoin, a crypto currency that drove people mad
The J2 Cyber Security Centre (J2CSC) team has detected multiple Crypto Miners across multiple platforms during the month of January.
A brief overview of a Crypto Miner
Many people sought it out in the “digital gold rush”, and for that simple reason a new form of malware was born: the Crypto Miner. This simple program has one main purpose: to use the infected machine’s resources (such as the Graphics Processing Unit (graphics card) and Central Processing Unit (CPU)) to mine for crypto-currency. There are miners for many different crypto currencies, including Bitcoin, Litecoin, Ethereum and a host of others.
Crypto currency is earned by verifying transactions, which is done by solving complex math problems. When this task is completed the transaction is confirmed and recorded on the blockchain, and the miner is rewarded with a small piece of the currency. This is a very resource intensive process, which means that the Crypto Miner virus will use a massive amount of the infected machine’s processing power, causing the machine to slow down and freeze up.
There are often many installed copies of the Crypto Miner found across a network to spread the load. This reduces the load on any single machine and minimises the risk of detection. Picture 100 machines essentially tied together by the same Crypto Mining virus, all working on one math problem. Not only does this reduce the risk of detection, it is also far more effective than one machine doing all the heavy processing.
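To make the “resource intensive” point concrete, here is an added toy proof-of-work in the hashcash style. It is not code from the J2 CSC post, and it is not Bitcoin’s real algorithm (which double-SHA-256s an 80-byte block header against a 256-bit target); it keeps only the shape of the work: a miner hunts for a nonce whose SHA-256 hash has a chosen number of leading zero bits, checking one hash is cheap, and a second function splits the same nonce space across several simulated machines in lockstep, the way the “100 machines tied together” pattern above does. The header bytes and difficulty are constructed for the demo.

```python
"""Toy proof-of-work showing why mining burns CPU and how a botnet splits the work.

Added example, not from the J2 CSC post. Single SHA-256 over a short constructed
header with a leading-zero-bit target; the numbers are toy values.
"""
import hashlib

# Constructed demo header and difficulty (real miners hash an 80-byte block header).
HEADER = b"J2CSC-demo-block-header:prev=0000:txroot=abcd"
DIFFICULTY = 16  # leading zero bits required; expected work ~2**16 hashes


def sha256(data: bytes) -> bytes:
    return hashlib.sha256(data).digest()


def meets_target(digest: bytes, difficulty_bits: int) -> bool:
    """True if the digest starts with at least `difficulty_bits` zero bits."""
    return int.from_bytes(digest, "big") >> (256 - difficulty_bits) == 0


def verify(header: bytes, nonce: int, difficulty_bits: int) -> bool:
    """Checking a claimed solution costs exactly one hash: the asymmetry that
    lets the network verify cheaply while miners pay for the search."""
    return meets_target(sha256(header + nonce.to_bytes(8, "big")), difficulty_bits)


def mine(header: bytes, difficulty_bits: int, limit: int = 1 << 32):
    """One machine scanning nonces 0, 1, 2, ... until the target is met.
    Returns (nonce, attempts); (None, attempts) if `limit` is hit first."""
    attempts = 0
    for nonce in range(limit):
        attempts += 1
        if verify(header, nonce, difficulty_bits):
            return nonce, attempts
    return None, attempts


def mine_distributed(header: bytes, difficulty_bits: int, workers: int, limit: int = 1 << 32):
    """Simulate `workers` machines, each owning the nonces where nonce % workers == id,
    advancing in lockstep and stopping as soon as any one of them succeeds.
    Returns (nonce, attempts_per_worker): the work each infected machine burned."""
    rounds = 0
    while rounds * workers < limit:
        for worker_id in range(workers):
            nonce = rounds * workers + worker_id
            if verify(header, nonce, difficulty_bits):
                return nonce, rounds + 1
        rounds += 1
    return None, rounds


if __name__ == "__main__":
    nonce, attempts = mine(HEADER, DIFFICULTY)
    print(f"single machine: nonce={nonce} after {attempts} hashes")
    d_nonce, per_worker = mine_distributed(HEADER, DIFFICULTY, workers=8)
    print(f"8 machines:     nonce={d_nonce}, each machine did {per_worker} hashes")
    print("verify cost: 1 hash ->", verify(HEADER, nonce, DIFFICULTY))
```

Because both searches walk the nonce space in the same order, they find the same nonce; the difference is that each of the eight simulated machines does roughly an eighth of the hashing, which is exactly why an operator spreads miners across a network rather than running one.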
Please read on below for a quick analysis and commentary on a few examples recently detected and removed on client machines.
J2 CSC Crypto Miner Findings.
In this first sample the Crypto Miner was detected and stopped at the gateway. Even though the connections were blocked, it is still important to quarantine the device and remediate the infection, because as soon as the device connects to a network with no traffic monitoring at the gateway (home, coffee shop, airport, etc.) it will communicate outbound to the crypto mining sites.
This Bitcoin Miner infected the machine and set itself up to immediately launch and start mining for Bitcoin once the machine was powered on.
By running the above entry on startup, the operating system would then go to the file that contains the actual Bitcoin Miner and execute the virus:
The Crypto Miner would then keep running, relentlessly consuming the machine’s resources until it was removed. This goes to show that even after the Bitcoin surge is over, the malware is still circulating on the net, waiting to rise again.
In a second instance a Crypto Miner was detected and quarantined on the endpoint before it had the chance to execute.
Our analysis shows that the user was browsing content on a removable media device at the time of infection. It is important to understand that miners are often embedded in illegal downloads.
A Few Technical Recommendations
- It is critical that your endpoints’ internet traffic is inspected through a web security filter and/or DNS protection, whether or not the devices are connected through the corporate network.
- Traffic blocked at the gateway and at the endpoint should be monitored and reviewed. You can make this easier for yourself by utilising a SIEM. J2 CSC can help make this a reality and give you increased visibility.
- Restrict USB access where users don’t require it, and have real-time scanning enabled to detect miners and prevent illegal downloads.
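The first two recommendations, and the first finding above (a miner blocked at the gateway that still needs quarantining), come down to one review task: go through the gateway’s BLOCK events, find hosts that repeatedly try to reach mining destinations, and hand that list to the people doing remediation. The following is an added example of that review logic, not J2 CSC tooling and not any particular SIEM’s query language. The log format, the host addresses, the indicator domains and the “commonly used Stratum ports” list are all constructed or assumed for the demo; in practice the events come from the SIEM and the indicators from your web filter’s categories or a maintained threat-intel feed.

```python
"""Review gateway BLOCK events for crypto-mining indicators and list hosts to quarantine.

Added example (not J2 CSC tooling). Log format, indicator lists and addresses are
all constructed for this demo.
"""
import re
from collections import Counter, defaultdict

# Constructed sample gateway log: one key=value event per line.
SAMPLE_LOG = """\
2024-01-15T08:02:11Z action=BLOCK src=10.0.4.21 dst=pool.example-miner.invalid dport=3333 proto=tcp category=cryptomining
2024-01-15T08:02:14Z action=BLOCK src=10.0.4.21 dst=pool.example-miner.invalid dport=3333 proto=tcp category=cryptomining
2024-01-15T08:02:17Z action=BLOCK src=10.0.4.21 dst=backup-pool.example-miner.invalid dport=14444 proto=tcp category=cryptomining
2024-01-15T08:03:40Z action=ALLOW src=10.0.4.22 dst=www.example.com dport=443 proto=tcp category=business
2024-01-15T08:05:02Z action=BLOCK src=10.0.4.22 dst=ads.example.net dport=443 proto=tcp category=advertising
2024-01-15T08:07:55Z action=BLOCK src=10.0.4.37 dst=203.0.113.10 dport=4444 proto=tcp category=uncategorised
2024-01-15T08:07:58Z action=BLOCK src=10.0.4.37 dst=203.0.113.10 dport=4444 proto=tcp category=uncategorised
2024-01-15T08:08:01Z action=BLOCK src=10.0.4.37 dst=203.0.113.10 dport=4444 proto=tcp category=uncategorised
"""

# Constructed indicator sets; replace with your web filter's categories / threat-intel feed.
MINING_CATEGORIES = {"cryptomining"}
MINING_DOMAINS = {"pool.example-miner.invalid", "backup-pool.example-miner.invalid"}
# Ports commonly used for Stratum mining-pool connections (assumption; tune to your environment).
STRATUM_PORTS = {3333, 4444, 5555, 7777, 14444}

FIELD_RE = re.compile(r"(\w+)=(\S+)")


def parse_line(line: str):
    """Return the event as a dict (timestamp under 'ts'), or None if the line does not parse."""
    parts = line.strip().split(" ", 1)
    if len(parts) != 2:
        return None
    fields = dict(FIELD_RE.findall(parts[1]))
    fields["ts"] = parts[0]
    if "dport" in fields and fields["dport"].isdigit():
        fields["dport"] = int(fields["dport"])
    return fields


def mining_indicators(event: dict) -> list:
    """Names of the indicators this event matches; an empty list means none."""
    hits = []
    if event.get("category") in MINING_CATEGORIES:
        hits.append("category")
    if event.get("dst") in MINING_DOMAINS:
        hits.append("domain")
    if event.get("dport") in STRATUM_PORTS:
        hits.append("stratum-port")
    return hits


def find_miner_hosts(log_text: str, min_events: int = 2) -> dict:
    """Map source host -> Counter of (dst, dport) over BLOCKED events that match at
    least one mining indicator. Hosts below `min_events` are dropped so a single
    stray lookup does not trigger a quarantine; repeated attempts do."""
    per_host = defaultdict(Counter)
    for line in log_text.splitlines():
        event = parse_line(line)
        if not event or event.get("action") != "BLOCK":
            continue  # the recommendation is to review what the gateway blocked
        if mining_indicators(event):
            per_host[event["src"]][(event["dst"], event["dport"])] += 1
    return {host: dests for host, dests in per_host.items() if sum(dests.values()) >= min_events}


def quarantine_report(log_text: str) -> list:
    """Human-readable lines, one per host, for the remediation queue."""
    lines = []
    for host, dests in sorted(find_miner_hosts(log_text).items()):
        targets = ", ".join(f"{dst}:{port} x{n}" for (dst, port), n in dests.most_common())
        lines.append(f"QUARANTINE {host}: blocked mining traffic to {targets}")
    return lines


if __name__ == "__main__":
    print("\n".join(quarantine_report(SAMPLE_LOG)))
```

The point of keeping the blocked events rather than discarding them is in the report itself: both flagged hosts never reached a mining pool, yet both are still infected and will succeed the moment they leave the filtered network, which is why they go to the quarantine queue and not just to a statistics dashboard. The ALLOW line and the blocked advertising request are left unflagged to show the filter is selective, not just “everything that was blocked”.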
Would you or your security provider have detected this and notified you?
Martin Erasmus
Jarred Reid-Robertson