By Jon Oliver and Menard Oseña
As new trends and developments in the malicious mining of cryptocurrency emerge, a smart and sustainable way of detecting these types of threats is swiftly becoming a cybersecurity necessity. By using Trend Micro Locality Sensitive Hashing (TLSH), a machine learning hash that is capable of identifying similar files, we were able to group together similar cryptocurrency-mining samples gathered from the wild. By grouping together samples based on their behavior and file types, detection of similar or modified malware becomes possible.
Through TLSH, we came up with clusters for the cryptocurrency-mining malware. These are clusters that will analyze and detect cryptocurrency-mining threats by computing the mathematical “distance scores” between one file and another. Our algorithm generates a center TLSH of a coinminer malware that a group of other malware are close to.
Clustering malware samples allows security researchers to create one-to-many patterns that work proactively. The reason for this is that automated systems (or indeed reverse engineers) can examine the members of a malware group and identify similarities among the members. When our systems are examining a new file, they can look for elements which are exhibited by a malware group and also confirm that the new file falls within the constraints of the malware group.
In addition to this, TLSH also has the functionality of immediate and scalable searching and crosschecking of large amounts of possibly malicious or unknown files against known threats.
Table 1. A sample of five out of the 123 cluster members with TLSH values that have very close distance scores when compared to the center TLSH value
Note: We have identified the center TLSH value against which hash values from files being examined are compared to determine similarity. Trend Micro Proactive Detection: Coinminer_TOOLXMR.SM2-WIN32.
We have applied TLSH to detect similarities in cryptocurrency-mining malware. The threats discussed in this post are detected by both Trend Micro Predictive Machine Learning and by the real-time scan patterns for Coinminer_XMRMINE.SM, Coinminer_TOOLXMR.SM2-WIN32, and Coinminer_MALXMR.SMN1-WIN32.
Among the cryptocurrency-mining malware samples gathered, we found that a majority were mining for monero, which uses the mining algorithm CryptoNight.
Malware Moving to Monero
Bitcoin has been the cybercriminal’s go-to cryptocurrency for mining malware, what with its sudden rise in value that even peaked at $20,000 in 2017. However, it appears Monero is taking the lead. Though its value ($224 as of writing time) is far less than bitcoin’s ($9,000 as of writing time), it can be mined on consumer PCs and laptops. This, partnered with its untraceable transactions, enables malicious actors to illicitly mine cryptocurrency on a wider range of targets.
We also detected samples that used modified open-sourced code XMRig to mine monero or other CryptoNight-running digital currencies.
Figure 1. A sample of a modified XMRig command-line mining tool from a clustered sample
Note: The modified XMRig version is 2.4.1 while the latest available XMRig version on Github as of writing is 2.4.5.
Figure 2. A screen capture of a malicious sample of a modified XMRig command-line mining tool
Note: Trend Micro researchers provided test mining configuration files (mining pool address/port and Monero wallet address) for testing purposes.
One of the reasons why XMRig is favored by threat actors is its being an open source code, making it easy to adopt and reuse in cryptocurrency-mining attacks. It is important to note, however, that cybercriminals are not alone in favoring this command-line miner tool — even legitimate cryptocurrency-mining enthusiasts use it as well.
Over the course of just a few years, the use of cryptocurrency-mining malware has attracted much attention from cybercriminals looking to profit from the increase in cryptocurrency prices through malicious means. Using malware, they abuse others’ computing resources to obtain valuable cryptocurrency surreptitiously and illegally.
Last year, we saw cryptocurrency mining swiftly gaining traction. Cryptocurrency mining was the most detected home network event by Trend Micro™ Smart Home Network™ while Smart Protection Network™ sensors detected a spike in cryptocurrency-mining malware.
Cryptocurrency mining malware has adverse effects on its victims’ resources. Mining consumes enormous amounts of electricity and exhausts computing power, and malware can do the same — even to the point of overheating a smartphone’s battery that it bursts open. This gives us a glimpse of just how far threat actors are willing to go to explore new, uncharted means of changing the threat landscape for their own gain.
As illegal cryptomining events continue to surge and cybercriminals diversify attack methods, the importance of creating solutions that will provide protection from various iterations of cryptocurrency-mining malware becomes all the more pronounced.
Trend Micro™ XGen™ security provides a cross-generational blend of threat defense techniques to protect systems from cryptocurrency-mining malware. It features high-fidelity machine learning that uses TLSH to secure the gateway and endpoint, and protects physical, virtual, and cloud workloads. With capabilities like web/URL filtering, behavioral analysis, and custom sandboxing, XGen protects against today’s threats that bypass traditional controls, exploit known, unknown, or undisclosed vulnerabilities, either steal or encrypt personally identifiable data, or carry out malicious cryptocurrency mining. Smart, optimized, and connected, XGen powers Trend Micro’s suite of security solutions: Hybrid Cloud Security, User Protection, and Network Defense.