XMRIG MINER – Taking stealth to a new level!
Tejaswini Sandapolla
Quick Heal Technologies Limited
Abstract:
Malware attackers use different approaches to slip through the defence and remain undetected. They use many techniques to determine if they are in any testing environment like a sandbox, virtualization or debuggers.They develop various techniques to bypass and convince these environments that their malware files are benign. Hackers keep developing new techniques to hide themselves. One such technique has been discovered which consumes a lot of resources but it is a unique way found to run the malware undisturbed.
In this paper, I will be presenting a new technique that took this defence evasion to a next level where attackers bought along a virtual box image containing a miner along with a copy of Virtual-box to run that. A 5GB Virtual box image was deployed on the targeted machine just to conceal a 120kb miner.This VM is run as a service and it is not easy for a normal user to spot it. To run the Virtual-box as service NSSM(Non sucking service manager) has been used. This actually gives a legitimate way to create virtual-box instance providing another layer of stealth.The actual Miner payload tries to mimic legit softwares with fake digital certificates
A DNS tunnel has been created from inside a VM to facilitate mining. This DNS tunnel exploits DNS Protocol and tools such as “iodine.exe” along with TAP driver for windows has been used to tunnel IPV4 data through a DNS server.A KCP client and server communication is also created using golang library.Through both the above techniques the victims machine is added to the mining pool. Scripts were found inside the virtual machine that contact the C2 server to update the miner.
Many more systems are added to the mining pool by spreading the payload laterally via PSEXEC.exe This paper would show in detail about how this attack happened,how it spread and the latest defence evasion tactics discovered.
Speakers
Security Researcher
Sponsors & Partners
Platinum
Sponsor
Gold
Sponsor
Associate
Partner
Supporting
Partner
Media
Partner