By the end of 2017, cryptojacking, or the secret use of computing resources for mining cryptocurrency, had already gained noticeable momentum. It’s a smart strategy if you’re a cyber criminal. Why try to ransom someone’s system and wait for them to pay you when you can essentially print money?
Recently, two members of the Carbon Black Threat Analysis Unit, Adam Nadrowski and Brian Sturk, gave us a quick overview and live demonstration of what cryptocurrencies are, why cyber criminals use them, and how you can use Cb Response to hunt for indicators of malicious mining applications.
There were plenty of additional questions for our threat researchers to answer on the spot after the webinar, so here’s a transcript of what they had to say:
Q: So, the first question we have is where else do you see cryptomining being leveraged?
A: In addition to malicious browser mining, which we actually didn’t talk about today, but I could imagine someday there being another webinar about that, there’s actually been some movement as far as miners with legitimate website monetization. So, rather than showing ads on a webpage, miners run in the background while a user is browsing a site. Salon, Showtime, and if I remember right, the Pirate Bay did this as well. They’ve tried out some form of mining as an alternative revenue generator, instead of running ads. I see that actually being a big thing that obviously is going to make it harder to differentiate between malicious and benign. So, there’s probably in the future going to be more false positives if this catches on, as far as a revenue generating technique.
Q: Where does the blockchain fit into this?
A: So, the blockchain—I can’t believe I went through the whole presentation without saying the word blockchain. That’s pretty funny. The blockchain is like the global ledger that transactions are recorded onto. Miners are validating those transactions, and then they record them to the blockchain. That’s kind of where it comes into play. How this all works is way beyond this webinar, this notion of proof of work and proof of stake, and how they get blocks, and who wins. But basically, that’s what’s going on. The miner is validating transactions and then writing them to the blockchain, which is the global ledger.
Q: What about GPU miners? How would you adapt to hunt for GPU-focused miners?
A: For XMRig, what I’ve been seeing in the wild is primarily CPU focused. And I think that is due to the efficiency with CPU mining. I do know that there are some open source XMRig variants that use AMD/Nvidia cards. But again, I haven’t seen them used in the wild much. And so, within our user community, I do recall one of our [incident response] consultants, Ben Tedesco, provided some insight on GPU mining, and he used a similar strategy to the last one I used, with mod loads and network connections, and digital signatures. But he focused on AMD/Nvidia mod loads, as opposed to sort of the cryptographic functions. So, that is how you could replace or supplement the mod loads that we used during this presentation and add the GPU focused ones.
Q: Next question, how do you create a custom feed in Cb Response?
A: We do have documentation on the User Exchange, specifically the user guide on how to do this within the UI. It differs a little bit between Response, cloud, and on-prem variants. There are multiple ways of doing it. You could either host it on a web server or save it locally on the Cb Response server. It varies. But the instructions are in the user guide. And I would definitely leverage that Python script we saw at the beginning of this presentation because it certainly simplifies things a lot. Like I said, it took me ten minutes.
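As an added example (not the script shown in the webinar, nor Carbon Black’s own code), here is a small Python generator for the kind of custom Cb Response feed described in this answer, packaging the hunting logic from the GPU-miner answer above (module loads, digital signatures, network connections) as query IOCs. The cbfeeds field names, the Cb Response search syntax and the indicator DLL names are my assumptions; check them against the User Exchange documentation before you load the feed.

```python
"""Cb Response custom feed (cbfeeds JSON) of miner hunting queries.
Field names and query syntax are my reading of the cbfeeds format and
Cb Response search language (assumption): check the User Exchange guide."""
import json
import time
from urllib.parse import urlencode

# Assumed indicator modules (not from the original post): Windows crypto
# APIs for CPU miners, CUDA/OpenCL runtimes for GPU miners.
CRYPTO_DLLS = ["bcrypt.dll", "crypt32.dll", "ncrypt.dll"]
GPU_DLLS = ["nvcuda.dll", "opencl.dll", "amdocl64.dll"]

def any_modload(dlls):
    """Clause matching a process that loaded any one of the listed modules."""
    return "(" + " OR ".join(f"modload:{d}" for d in dlls) + ")"

def report(rid, title, score, search, now):
    """One feed report whose only IOC is a process search ('q=' + encoded)."""
    return {"id": rid, "title": title, "score": score, "timestamp": now,
            "link": f"https://example.invalid/{rid}",  # placeholder URL
            "iocs": {"query": [{"index_type": "events",
                                "search_query": urlencode({"q": search})}]}}

def build_miner_feed(now=None):
    """Two reports: unsigned CPU-miner pattern and GPU-compute pattern."""
    now = int(time.time() if now is None else now)
    cpu = any_modload(CRYPTO_DLLS) + " AND digsig_result:Unsigned AND netconn_count:[1 TO *]"
    gpu = any_modload(GPU_DLLS) + " AND netconn_count:[1 TO *]"
    return {"feedinfo": {"name": "cryptominer_hunt",  # assumed feed name
                         "display_name": "Cryptominer hunting queries",
                         "provider_url": "https://example.invalid",  # placeholder
                         "summary": "CPU/GPU miner indicators: mod loads, signatures, netconns",
                         "tech_data": "Query IOCs only; tune against your own baseline"},
            "reports": [report("miner-cpu-unsigned", "Unsigned process loading crypto libs with netconns", 60, cpu, now),
                        report("miner-gpu-compute", "Process loading GPU compute libs with netconns", 50, gpu, now)]}

def validate_feed(feed):
    """Structural checks cbfeeds applies: required keys, 'q=' query strings."""
    if not all(k in feed["feedinfo"] for k in ("name", "display_name", "provider_url", "summary", "tech_data")):
        return False
    for r in feed["reports"]:
        if not all(k in r for k in ("id", "title", "link", "score", "timestamp", "iocs")) or not r["iocs"]:
            return False
        if any(not q["search_query"].startswith("q=") for q in r["iocs"].get("query", [])):
            return False
    return True

if __name__ == "__main__":
    print(json.dumps(build_miner_feed(), indent=2))
```

Write the printed JSON to a file served by a web server or saved on the Cb Response server, as the answer describes, and expect hits on legitimate signed software too until the queries are tuned to your environment.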
We hope this Q&A session answers some of the lingering questions you may have about hunting for cryptocurrency miners in your enterprise environment. If you’re looking for more information on Monero, cryptocurrency mining, and how to better defend your environment against this type of malicious activity, we highly recommend checking out a recent blog post by Carbon Black security strategist Rick McElroy that arms security professionals with the right mindset to tackle this emerging threat.
For more information on strategies, team structure, and processes to help blue teams transform their threat hunting efforts from an ad-hoc tactic into a regular operational effort, join Carbon Black and Red Canary for a live webinar on April 12th.