MassMiner: Cyber Crime’s Swiss Army Knife

Malware designed to mine cryptocurrency on a victim’s server or computer is an increasingly popular choice. Often called cryptojackers or simply miners, they have shown many malware authors the potential to make more than a quick buck, and miners are now routinely bundled into other types of malware packages. Researchers at AlienVault have discovered a new miner, which they have dubbed MassMiner. In a report published by the company, it was revealed that MassMiner employs a who’s who of the recent exploits that led to many sleepless nights and lost earnings in 2017.

As mentioned above, MassMiner uses a number of exploits to infect systems in order to mine the cryptocurrency Monero. Those exploits include the following: CVE-2017-10271 (https://nvd.nist.gov/vuln/detail/CVE-2017-10271) (Oracle WebLogic), CVE-2017-0143 (Windows SMBv1), and CVE-2017-5638 (Apache Struts). Each of these vulnerabilities has become a cyber celebrity in its own right, infamous for a different reason.

The first, CVE-2017-10271, has been used by a hacker gang since 2017 in covert cryptocurrency mining operations. Oracle patched this vulnerability in October 2017; since then the gang has nevertheless managed to mine over 200,000 USD. Attackers perhaps chose this vulnerability because it carries a CVSS severity score of 9.8 out of 10, meaning it is easy to exploit over the Internet and allows an attacker to execute malicious code on the server and take over the underlying machine. The vulnerability was exploited using proof-of-concept code published by security researcher Lian Zhang. The victims of the campaign were almost all enterprises, as WebLogic is a Java application server with little use outside corporate networks and intranets. What surprised researchers is that the attackers used the exploit only to mine, even though it gave them full control of servers inside corporate networks, from which they could have attempted to steal highly valuable corporate data, install ransomware, or plant backdoor trojans.

CVE-2017-0143 made international headlines as the vulnerability exploited by the WannaCry ransomware. It has a far more appealing name better suited to its celebrity, that being EternalBlue. The exploit, widely believed to have been developed by the US NSA, was leaked by the Shadow Brokers. For the MassMiner attacks, AlienVault says the attackers are using EternalBlue to install the DoublePulsar backdoor on vulnerable hosts. This enables the miner to spread across a network, infecting other hosts that are still vulnerable.


Lastly, CVE-2017-5638 was leveraged by hackers in the infamous Equifax data breach. This led Equifax to admit in a press release that:

“Equifax has been intensely investigating the scope of the intrusion with the assistance of a leading, independent cybersecurity firm to determine what information was accessed and who have been impacted. We know that criminals exploited a U.S. website application vulnerability. The vulnerability was Apache Struts CVE-2017-5638. We continue to work with law enforcement as part of our criminal investigation, and have shared indicators of compromise with law enforcement.”

The vulnerability is often referred to simply as “Apache Struts”, after the affected framework, which its project describes as a “…free, open-source, MVC framework for creating elegant, modern Java web applications. It favors convention over configuration, is extensible using a plugin architecture, and ships with plugins to support REST, AJAX and JSON.” The vulnerability was one of those feared zero-day events, a term used to describe security bugs that attackers exploit before the vendor is aware of them or has released a patch. In fairness, the Struts project had issued a fix in March 2017, roughly two months before the Equifax intrusion began, so in that case the real failure was the unapplied patch rather than the absence of one.

Another Surprise

In addition to the above-mentioned vulnerabilities, the attackers are also leveraging SQLck, a hacking tool for carrying out brute-force password attacks against Microsoft SQL Server databases. Such tools are generally used by hackers to gain control of remote machines and install malware, in this case MassMiner. Once a database is compromised, the attackers also use it as a foothold to run SQL scripts that install a local cryptocurrency miner. While the attackers have clearly chosen the right tools for the job, what is more surprising is the amount of money they have made with them.
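The three web-facing exploits listed above and the SQL Server brute-forcing described here all leave traces in ordinary server logs, and checking for them is the first thing a defender reading this story will want to do. The script below is an added example written for this page; it is not MassMiner’s code, nor AlienVault’s, and the log lines it scans are constructed samples. The indicators it keys on are assumptions drawn from the public advisories rather than from the article: exploit traffic for CVE-2017-10271 is POSTed to the WebLogic wls-wsat endpoints, CVE-2017-5638 is triggered by an OGNL expression in the request’s Content-Type header, and SQL Server records each failed login as error 18456 with the client address. It also assumes your web-server log format records the request Content-Type as a final quoted field, which the default combined format does not.

```python
"""Added example for this article (not MassMiner's or AlienVault's code):
triage constructed log lines for the exploitation attempts the piece names.
Indicator patterns are assumptions taken from the public advisories for
CVE-2017-10271 and CVE-2017-5638 and from the SQL Server ERRORLOG format."""
import re
from collections import Counter

# Constructed web access log. Assumes the combined format plus the request
# Content-Type as a final quoted field (custom LogFormat; not logged by default).
ACCESS_LOG = """\
203.0.113.7 - - [30/Apr/2018:10:01:12 +0000] "POST /wls-wsat/CoordinatorPortType HTTP/1.1" 500 1523 "text/xml"
198.51.100.3 - - [30/Apr/2018:10:02:44 +0000] "GET /showcase/index.action HTTP/1.1" 200 8432 "%{(#_='multipart/form-data')}"
192.0.2.10 - - [30/Apr/2018:10:03:01 +0000] "GET /index.html HTTP/1.1" 200 512 "-"
203.0.113.7 - - [30/Apr/2018:10:03:20 +0000] "POST /wls-wsat/RegistrationPortTypeRPC HTTP/1.1" 500 1523 "text/xml"
"""

# Constructed SQL Server ERRORLOG excerpt (error 18456 is the failed-login
# message): six bad 'sa' passwords from one client, one typo from another.
MSSQL_ERRORLOG = """\
2018-04-30 10:05:01.10 Logon  Login failed for user 'sa'. Reason: Password did not match that for the login provided. [CLIENT: 203.0.113.7]
2018-04-30 10:05:01.31 Logon  Login failed for user 'sa'. Reason: Password did not match that for the login provided. [CLIENT: 203.0.113.7]
2018-04-30 10:05:01.52 Logon  Login failed for user 'sa'. Reason: Password did not match that for the login provided. [CLIENT: 203.0.113.7]
2018-04-30 10:05:01.73 Logon  Login failed for user 'sa'. Reason: Password did not match that for the login provided. [CLIENT: 203.0.113.7]
2018-04-30 10:05:01.94 Logon  Login failed for user 'sa'. Reason: Password did not match that for the login provided. [CLIENT: 203.0.113.7]
2018-04-30 10:05:02.15 Logon  Login failed for user 'sa'. Reason: Password did not match that for the login provided. [CLIENT: 203.0.113.7]
2018-04-30 10:09:40.02 Logon  Login failed for user 'reports'. Reason: Password did not match that for the login provided. [CLIENT: 198.51.100.3]
"""

ACCESS_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<method>\S+) (?P<path>\S+) [^"]*" '
    r'(?P<status>\d{3}) \S+ "(?P<ctype>[^"]*)"$'
)
MSSQL_FAIL_RE = re.compile(
    r"Login failed for user '(?P<user>[^']*)'.*\[CLIENT: (?P<ip>[^\]]+)\]"
)


def scan_access_log(text):
    """Return one finding per request that matches a web-exploit indicator."""
    findings = []
    for line in text.splitlines():
        m = ACCESS_RE.match(line)
        if not m:
            continue  # unparsable line: skip it rather than abort the sweep
        rec = m.groupdict()
        # CVE-2017-10271: XMLDecoder payloads are POSTed to the WLS-WebServices
        # (wls-wsat) endpoints; the path alone is the signal, whatever the status.
        if rec["method"] == "POST" and rec["path"].startswith("/wls-wsat/"):
            findings.append({"ip": rec["ip"], "rule": "CVE-2017-10271", "path": rec["path"]})
        # CVE-2017-5638: OGNL in the Content-Type header parsed by the Jakarta
        # multipart parser; a legitimate Content-Type never starts with "%{".
        if rec["ctype"].lstrip().startswith("%{"):
            findings.append({"ip": rec["ip"], "rule": "CVE-2017-5638", "path": rec["path"]})
    return findings


def mssql_bruteforce_sources(text, threshold=5):
    """Client IPs with at least `threshold` failed SQL logins in the excerpt.
    No time windowing here; a production detector should bucket by minute."""
    failures = Counter()
    for line in text.splitlines():
        m = MSSQL_FAIL_RE.search(line)
        if m:
            failures[m.group("ip")] += 1
    return {ip: n for ip, n in failures.items() if n >= threshold}


if __name__ == "__main__":
    for f in scan_access_log(ACCESS_LOG):
        print(f"web   {f['rule']}  src={f['ip']}  {f['path']}")
    for ip, n in mssql_bruteforce_sources(MSSQL_ERRORLOG).items():
        print(f"mssql brute-force candidate  src={ip}  failures={n}")
```

On the constructed input this flags the two wls-wsat POSTs and the OGNL Content-Type, and names 203.0.113.7 as a brute-force source while leaving the single failed “reports” login alone. EternalBlue activity is the one item on the article’s list this will not see, since SMB exploitation never touches a web or database log; for that, watch for SMBv1 traffic to port 445 between internal hosts and, above all, confirm MS17-010 is installed.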

Bleeping Computer has estimated that the group has made somewhere in the region of 295,000 USD. This figure was arrived at by tracking the Monero wallet addresses associated with the group, with the caveat that it is unclear whether all of the money came from the MassMiner campaign or whether the group has other sources of illicit income. Chris Doman, a researcher at AlienVault, believes that the MassMiner campaign may be related to the infamous Smominru. This is a botnet that infected over 526,000 Windows machines last year purely for covert cryptocurrency mining, and supposedly made over $2.3 million for its creators. According to Proofpoint, its researchers began tracking that campaign in May 2017. It too relied on EternalBlue and, like MassMiner, used it to distribute a miner for Monero.

MassMiner is not alone

At the time of writing, MassMiner is not the only miner being distributed in an active campaign. Researchers at Imperva have been tracking and analyzing another miner they have dubbed RedisWannaMine. Like MassMiner, RedisWannaMine also leverages EternalBlue, and like MassMiner it combines worm-like behavior with advanced exploits to increase the attackers’ infection rate, fatten their wallets and avoid detection. Imperva’s recent analysis found that miners account for roughly 90% of all remote code execution attacks against web applications.

Security firm Fortinet has also discovered a new miner. This one, however, is Python-based and has been dubbed PyRoMine, and, following the trend again, it uses EternalBlue, this time combined with EternalRomance, to propagate across networks. PyRoMine is a relatively new campaign, which only got off the ground at the start of April. Fortinet says it has so far mined only 2.4 Monero, the equivalent of about $600 at today’s exchange rate. With all the evidence at hand, it is safe to say that the trend that started in 2017 remains one of the biggest cybercrime trends of 2018.