New malware indicators for Monero Crypto Mining

A new cyber threat is cryptomining malware. It works in a completely different way than known attack techniques and is therefore extremely difficult to detect. CyberArk has identified five indicators of infection based on a detailed analysis of the Monero crypto currency mining malware. The digital threat landscape is constantly changing.

While 2017 was still the year of ransomware attacks, cryptomining malware is currently on the advance. Malware, which is used to dig for the crypto currency Monero, made the headlines above all. Monero is one of the most used crypto currencies, espcially when it comes to gambling. Further info can be found at http://www.monerogambler.com/.

“Using foreign computing power for ‘making money’ is not something completely new, but it does take place in an intensity and with direct output (Bitcoins) in a dimension never seen before in cryptomining,” explains Christian Goetz, Director of Presales – DACH at CyberArk. “In stark contrast to ransomware, for example, malicious cryptomines also act undetected in the background. As a result, it is very difficult to detect such attacks. CyberArk has therefore identified some indicators that point to cryptomining malware”.

To determine these indicators, CyberArk has analyzed in detail the XMRig source code, an open source Monero CPU Miner with Windows support, released under the GNU General Public License (GPL). The Miner, which is largely written in C++, has become very popular among malware writers because, among other things, it is easy to compile and offers Windows-specific performance optimizations. The analysis of the XMRig source code has shown how a malicious cryptominer works on Windows in practice. The XMRig design approach may differ from other cryptominers, but there are five points that are generally interesting for the detection of new malware types.

Memory access

A characteristic feature of Monero mining is the use of the CryptoNight algorithm, which among other things leads to an optimization of the memory access speed and thus drastically increases the miner output. In Windows, the VirtualAlloc API provides a special method for optimizing memory latency using the MEM_LARGE_PAGES flag. This flag can therefore be a valuable indicator for the initialization of a Monero Miner. In addition, the user account privileges required to use the MEM_LARGE_PAGES flag must also be observed. If the malware writer does not properly disguise his Miner, the Windows API calls required to modify these privileges are an excellent indication of Monero mining.

Cryptomining traffic

  • Although the outbound traffic produced by a malicious cryptominer can be a clear indication of infection, there are two challenges to consider: Mining pools use different ports and some use SSL encryption.
  • However, if a malware author does not hide cryptomining traffic by using either SSL or a proxy, the traffic can be a simple indicator of a cryptomining infection both on a local machine and on the network.
  • Moreover, since there are only a limited number of mining pools, connections to their IPs are an unmistakable sign of infection. If the target IP and host name are hidden by a proxy, the traffic patterns between the pool and Miner can also be another good indicator of infection.

CryptoNight Logic

The absence of Windows API calls in CryptoNight-Logic does not allow diagnoses regarding API hooking or Event Tracing for Windows (ETW). On the other hand, CryptoNight-Logic also opens up the possibility of reliable detection using traditional byte pattern file scanners in security products such as antivirus solutions. The reason for this is that highly specific code patterns are used which are essential for the functioning of the Miner and can hardly be changed without detailed knowledge of the cryptographic logic. In addition, the design of a completely new CryptoNight implementation from the attacker’s point of view would require too much effort. Even attackers who want to create their own Miner are tempted to copy files like CryptoNight_x86.h from projects like XMRig directly into their own code base to save time.
4. readable strings and command lines

Another indication of a cryptominer infection in general – XMRig is no exception – is the presence of a large number of readable strings, often unique. The reason for this is that all public miners are written for maximum ease of use. An even simpler variant of this detection method – without the need to scan file contents – is to observe suspicious command lines in active processes; without recompiling a miner, the syntax of command lines does not change.

CPU usage

Last but not least, a high CPU load is also a good indicator for cryptomines. However, there is also the danger of a high number of false positives. As a result, the CPU usage criterion should only be used in combination with other detection methods to ensure maximum accuracy of the results.

“Kryptomines will remain a major challenge for IT teams and products in the near future as they do not follow traditional malware principles. That’s why companies need to find new ways to do this. CyberArks’ five indicators, which indicate a potential infection, offer a first possibility for this,” says Goetz. The CyberArk white paper “Behind the hidden Conversion of Electricity to Money: An In-Depth Analysis of XMR Cryptominer Malware” provides an overview of current cryptominer trends and the technology behind Monero.