
Cluster of Coins: How Machine Learning Detects Cryptocurrency-mining Malware

  • Posted on:March 26, 2018 at 5:00 am
  • Posted in:Malware
  • Author:
    Trend Micro

By Jon Oliver and Menard Oseña

As new trends and developments in the malicious mining of cryptocurrency emerge, a smart and sustainable way of detecting these types of threats is swiftly becoming a cybersecurity necessity. By using Trend Micro Locality Sensitive Hashing (TLSH), a machine learning hash that is capable of identifying similar files, we were able to group together similar cryptocurrency-mining samples gathered from the wild. By grouping together samples based on their behavior and file types, detection of similar or modified malware becomes possible.

Using TLSH, we built clusters of cryptocurrency-mining malware. These clusters detect cryptocurrency-mining threats by computing mathematical “distance scores” between one file and another. Our algorithm generates a center TLSH value for a coinminer sample that a group of other malware samples are close to.

Clustering malware samples allows security researchers to create one-to-many patterns that work proactively. The reason for this is that automated systems (or indeed reverse engineers) can examine the members of a malware group and identify similarities among them. When our systems examine a new file, they can look for elements exhibited by a malware group and confirm that the new file falls within the constraints of that group.

In addition, TLSH allows large numbers of suspicious or unknown files to be searched and cross-checked against known threats immediately and at scale.

Table 1. A sample of five out of the 123 cluster members with TLSH values that have very close distance scores when compared to the center TLSH value

Note: We have identified the center TLSH value against which the hash values of files being examined are compared to determine similarity. Trend Micro Proactive Detection: Coinminer_TOOLXMR.SM2-WIN32.

We have applied TLSH to detect similarities in cryptocurrency-mining malware. The threats discussed in this post are detected by both Trend Micro Predictive Machine Learning and by the real-time scan patterns for Coinminer_XMRMINE.SM, Coinminer_TOOLXMR.SM2-WIN32, and Coinminer_MALXMR.SMN1-WIN32.

Among the cryptocurrency-mining malware samples gathered, we found that the majority were mining Monero, which uses the CryptoNight mining algorithm.

Malware Moving to Monero

Bitcoin has been the cybercriminal’s go-to cryptocurrency for mining malware, what with its sudden rise in value that even peaked at $20,000 in 2017. However, it appears Monero is taking the lead. Though its value ($224 as of writing time) is far less than bitcoin’s ($9,000 as of writing time), it can be mined on consumer PCs and laptops. This, partnered with its untraceable transactions, enables malicious actors to illicitly mine cryptocurrency on a wider range of targets.

We also detected samples that used a modified version of the open source XMRig code to mine Monero or other CryptoNight-based digital currencies.

Figure 1. A sample of a modified XMRig command-line mining tool from a clustered sample

Note: The modified XMRig version is 2.4.1, while the latest XMRig version available on GitHub as of writing is 2.4.5.

Figure 2. A screen capture of a malicious sample of a modified XMRig command-line mining tool

Note: Trend Micro researchers provided test mining configuration files (mining pool address/port and Monero wallet address) for testing purposes.

One reason XMRig is favored by threat actors is that it is open source, making it easy to adopt and reuse in cryptocurrency-mining attacks. It is important to note, however, that cybercriminals are not alone in favoring this command-line miner tool — legitimate cryptocurrency-mining enthusiasts use it as well.

Cryptocurrency-mining Malware

Over the course of just a few years, the use of cryptocurrency-mining malware has attracted much attention from cybercriminals looking to profit from the increase in cryptocurrency prices through malicious means. Using malware, they abuse others’ computing resources to obtain valuable cryptocurrency surreptitiously and illegally.

Last year, we saw cryptocurrency mining swiftly gaining traction. Cryptocurrency mining was the most detected home network event by Trend Micro™ Smart Home Network™ while Smart Protection Network™ sensors detected a spike in cryptocurrency-mining malware.

Cryptocurrency-mining malware has adverse effects on its victims’ resources. Mining consumes enormous amounts of electricity and exhausts computing power, and malware can do the same — even to the point of overheating a smartphone’s battery until it bursts open. This gives us a glimpse of just how far threat actors are willing to go to explore new, uncharted means of changing the threat landscape for their own gain.

As illegal cryptomining events continue to surge and cybercriminals diversify attack methods, the importance of creating solutions that will provide protection from various iterations of cryptocurrency-mining malware becomes all the more pronounced.

Trend Micro™ XGen™ security provides a cross-generational blend of threat defense techniques to protect systems from cryptocurrency-mining malware. It features high-fidelity machine learning that uses TLSH to secure the gateway and endpoint, and protects physical, virtual, and cloud workloads. With capabilities like web/URL filtering, behavioral analysis, and custom sandboxing, XGen protects against today’s threats that bypass traditional controls, exploit known, unknown, or undisclosed vulnerabilities, either steal or encrypt personally identifiable data, or carry out malicious cryptocurrency mining. Smart, optimized, and connected, XGen powers Trend Micro’s suite of security solutions: Hybrid Cloud Security, User Protection, and Network Defense.

Tags: cryptocurrency, machine learning
