How to find cryptojacking malware
<blockquote data-quote="Prorootect" data-source="post: 726942" data-attributes="member: 905">
<p><span style="font-size: 18px"><strong>Collection of Malicious Crypto-Mining fact of the day</strong></span></p>
<p><a href="https://malware-research.org/collection-of-malicious-crypto-mining-fact-of-the-day/" target="_blank">Collection of Malicious Crypto-Mining fact of the day</a></p>
<p>Here are the facts collected into a single blog post.</p>
<p><span style="font-size: 22px"><strong>Fact one:</strong></span></p>
<p style="margin-left: 20px">Malicious Crypto-Mining fact of the day:</p>
<p style="margin-left: 20px">Trying to hide from suspicious technical victims, crypto-miners often self-terminate when they spot IT tools such as Task Manager and Process Explorer.</p>
<p style="margin-left: 20px">— Omri Moyal (@GelosSnake) <a href="https://twitter.com/GelosSnake/status/932722338621255686?ref_src=twsrc%5Etfw" target="_blank">November 20, 2017</a></p>
<p style="margin-left: 20px">and also here: <a href="https://t.co/klexq0k7uf" target="_blank">WaterMiner – a New Evasive Crypto-Miner</a> <a href="https://t.co/RNGQ8CczLN" target="_blank">pic.twitter.com/RNGQ8CczLN</a></p>
<p style="margin-left: 20px">— Omri Moyal (@GelosSnake) <a href="https://twitter.com/GelosSnake/status/932753521425960961?ref_src=twsrc%5Etfw" target="_blank">November 20, 2017</a></p>
<p><span style="font-size: 22px"><strong>Fact two:</strong></span></p>
<p style="margin-left: 20px">Malicious Crypto-Mining fact of the day:</p>
<p style="margin-left: 20px">Although many different currencies are mined by attackers, Monero (XMR) is the choice for the vast majority of bots. Its improved anonymity and CPU optimization make it perfect for cyber-criminals.</p>
<p style="margin-left: 20px">— Omri Moyal (@GelosSnake) <a href="https://twitter.com/GelosSnake/status/933090762983555074?ref_src=twsrc%5Etfw" target="_blank">November 21, 2017</a></p>
<p><span style="font-size: 22px"><strong>Fact three:</strong></span></p>
<p style="margin-left: 20px">Malicious Crypto-Mining fact of the day: A lot of miners are depending on public pools, making their profits and size quite easy to track. The wallet and pool address can be found quite easily and automatically. Here is a random example: <a href="https://t.co/QeaKB07gT1" target="_blank">VirusTotal</a> <a href="https://t.co/JHO1zAUoe8" target="_blank">pic.twitter.com/JHO1zAUoe8</a></p>
<p style="margin-left: 20px">— Omri Moyal (@GelosSnake) <a href="https://twitter.com/GelosSnake/status/933385295520727040?ref_src=twsrc%5Etfw" target="_blank">November 22, 2017</a></p>
<p><span style="font-size: 22px"><strong>Fact four:</strong></span></p>
<p style="margin-left: 20px">Malicious Crypto-Mining fact of the day:</p>
<p style="margin-left: 20px">A lot of new cyber-crooks are experimenting with CryptoMining; their #1 OpSec failure is to use a traceable email as their pool account. Live example via <a href="https://twitter.com/anyrun_app?ref_src=twsrc%5Etfw" target="_blank">@anyrun_app</a> - <a href="https://t.co/5qAFEylNB9" target="_blank">672770f26bce507c7a52073a03fea19e5c08dd358f7fd521cdeed00151b38789 (MD5: DBD02AB6062A490C28109EF703D382D9) - Interactive analysis - ANY.RUN</a> <a href="https://t.co/QSEFQsgx22" target="_blank">pic.twitter.com/QSEFQsgx22</a></p>
<p style="margin-left: 20px">— Omri Moyal (@GelosSnake) <a href="https://twitter.com/GelosSnake/status/934898736072970247?ref_src=twsrc%5Etfw" target="_blank">November 26, 2017</a></p>
<p><span style="font-size: 22px"><strong>Fact five:</strong></span></p>
<p style="margin-left: 20px">Malicious Crypto-Mining fact of the day:</p>
<p style="margin-left: 20px">Building efficient mining code is not trivial. Therefore, malicious crypto-miners often include open source such as XMRig (<a href="https://t.co/oZOvUIudfM" target="_blank">xmrig/xmrig</a>). Here's a very simple Yara rule to detect XMRig (and similar): <a href="https://t.co/N4i3S3y2sg" target="_blank">very simple yara to find xmrig Crypto-Miners</a> <a href="https://t.co/JasWyveh2Z" target="_blank">pic.twitter.com/JasWyveh2Z</a></p>
<p style="margin-left: 20px">— Omri Moyal (@GelosSnake) <a href="https://twitter.com/GelosSnake/status/935174138842566657?ref_src=twsrc%5Etfw" target="_blank">November 27, 2017</a></p>
<p><span style="font-size: 22px"><strong>Fact six:</strong></span></p>
<p style="margin-left: 20px">Malicious Crypto-Mining fact of the day:</p>
<p style="margin-left: 20px">Since solo mining is not that profitable, bots are joining public pools. These pools have pretty static domain names. Here are very experimental Snort and Suricata sigs for tracking them down. <a href="https://t.co/YbYu4YeOTM" target="_blank">suricata crypto-miner pool rules</a> <a href="https://t.co/3174OWskxN" target="_blank">pic.twitter.com/3174OWskxN</a></p>
<p style="margin-left: 20px">— Omri Moyal (@GelosSnake) <a href="https://twitter.com/GelosSnake/status/935606425073733632?ref_src=twsrc%5Etfw" target="_blank">November 28, 2017</a></p>
<p><span style="font-size: 22px"><strong>Fact seven:</strong></span></p>
<p style="margin-left: 20px">Malicious Crypto-Mining fact of the day:</p>
<p style="margin-left: 20px">It’s not surprising that mainstream bots are adding crypto-mining modules to their functionality. Mining plugins exist for both Windows and Linux bots. Here’s an example from SnatchLoader: <a href="https://t.co/Qdp9SwdC1C" target="_blank">VirusTotal</a> <a href="https://t.co/SpvzULVw2D" target="_blank">pic.twitter.com/SpvzULVw2D</a></p>
<p style="margin-left: 20px">— Omri Moyal (@GelosSnake) <a href="https://twitter.com/GelosSnake/status/935930482507833344?ref_src=twsrc%5Etfw" target="_blank">November 29, 2017</a></p>
<p><span style="font-size: 26px"><strong><a href="https://malware-research.org/" target="_blank">@GelosSnake</a></strong></span></p>
<p>If you know something, share it. If you learn something, learn more. When you really know your stuff, teach it!</p>
<p>---> thoughts still valid, at work!</p>
</blockquote>
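As an added example (not from the original post and not @GelosSnake's YARA rule), here is a small Python triage script that combines facts three, four and five: it looks for the kind of XMRig string markers a simple YARA rule keys on, then pulls the stratum pool, the Monero wallet and any email used as the pool account out of a sample so they can be tracked. The marker list, the scoring threshold, the sample blob and the placeholder pool domain are my own assumptions and constructed data, not indicators taken from the post.

```python
import re

# Strings commonly present in XMRig-derived miners (assumption, not an authoritative list).
XMRIG_MARKERS = [b"xmrig", b"stratum+tcp://", b"donate-level", b"cryptonight", b"rx/0"]

# stratum+tcp://host:port or stratum+ssl://host:port as used on miner command lines / configs.
STRATUM_RE = re.compile(rb"stratum\+(?:tcp|ssl)://([A-Za-z0-9.\-]+):(\d{2,5})")
# Standard Monero address: 95 base58 characters starting with 4 or 8.
XMR_RE = re.compile(rb"\b[48][1-9A-HJ-NP-Za-km-z]{94}\b")
# Email used as pool account / password (fact four).
EMAIL_RE = re.compile(rb"[A-Za-z0-9._%+-]+@[A-Za-z0-9.-]+\.[A-Za-z]{2,}")


def scan_sample(blob: bytes) -> dict:
    """Return XMRig markers plus the pool, wallet and email artefacts found in blob."""
    lowered = blob.lower()
    markers = [m.decode() for m in XMRIG_MARKERS if m in lowered]
    pools = [(h.decode(), int(p)) for h, p in STRATUM_RE.findall(blob)]
    wallets = [w.decode() for w in XMR_RE.findall(blob)]
    emails = [e.decode() for e in EMAIL_RE.findall(blob)]
    # Like a YARA "N of ($strings)" condition: one marker alone is not enough,
    # a pool URL or wallet address weighs more than a generic string.
    score = len(markers) + 2 * len(pools) + 2 * len(wallets)
    verdict = "likely-xmrig-miner" if score >= 3 else "inconclusive"
    return {"markers": markers, "pools": pools, "wallets": wallets,
            "emails": emails, "verdict": verdict}


# Constructed test data: a syntactically valid but made-up Monero address ...
WALLET = "4" + "A1b2C3d4E5f6G7h8J9k1" * 4 + "mNpQrStUvWxYzA"
# ... embedded in a fake binary with a command line pointing at a placeholder pool.
SAMPLE = (
    b"MZ\x90\x00" + b"\x00" * 16
    + b"XMRig 6.0.0\x00"
    + b"-o stratum+tcp://pool.example-mining.invalid:3333 -u " + WALLET.encode()
    + b" -p miner.operator@example.com\x00"
    + b"--donate-level=1\x00rx/0\x00cryptonight\x00"
)
BENIGN = b"This document mentions stratum layers in geology and a port 3333."

if __name__ == "__main__":
    for name, blob in (("sample", SAMPLE), ("benign", BENIGN)):
        print(name, scan_sample(blob))
```

The `pools` and `wallets` fields are what you would feed into the pool's public API or a block explorer to size the operation, and `emails` is the operator OpSec slip the fourth fact describes.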