A new type of worm known as the "gold miner"

Since it was first discovered in 2016, the PhotoMiner Trojan has generated a cumulative revenue of 89 million RMB from Monero mining, making it a veritable "gold miner". Recently the Trojan has shown signs of renewed activity and is spreading widely by compromising FTP and SMB servers, and researchers both in China and abroad have studied it. Here we present a foreign research article on PhotoMiner.


For the past few months, we have been looking at a new worm called PhotoMiner. PhotoMiner has a unique infection mechanism: it infects end users by infecting websites hosted on FTP servers, and profits by mining Monero. Choosing a currency with a good but little-known exchange rate lets an attacker profit quickly, and its use of sophisticated safeguards that withstand most attempts to disrupt it can leave a victim infected for a long time.

We have compiled thousands of attack records, which were found to originate from hundreds of source IPs and to use different binaries for the same attack. In this report we share what we found about PhotoMiner's timeline, its modes of infection, its C&C servers, and tools for detecting the malicious code.

Description of the attack

On January 10, 2016, GuardiCore Global Sensor Network detected an automated attack to upload suspicious files to FTP hosts. Normally, uploading files to vulnerable FTP servers goes unnoticed in an organization, but our sensor network identified an unusual behavior - the same events were occurring consistently around the world.

Since the worm's first release, its versions have iterated rapidly. To date we have seen two different PhotoMiner variants and a dozen versions, which suggests that PhotoMiner evolves quickly. The first variant was compiled on December 9, 2015 and includes the core mining program (miner) and basic propagation capability; the second was released on January 3, 2016 and soon became the main version we observe in the wild.

Proliferation and infection

As events unfolded, PhotoMiner gained new features, including a unique multi-stage infection mechanism. First, insecure FTP servers worldwide are compromised; then the websites hosted on those FTP servers are modified to infect their visitors with malicious code; finally, the unsuspecting site visitors who become infected not only mine virtual currency but also actively seek out and infect FTP servers and systems on their local network.

PhotoMiner has two types of attacks.

The first type of attack exploits insecure FTP servers and unsuspecting users. Since websites are usually accessible through FTP, PhotoMiner operators can easily infect both the site's source code and its unwitting users from there; this approach poses a long-term threat to website security.

It is a simple two-part attack.

Brute-forcing random IP addresses with a username/password dictionary to locate and attack weakly protected FTP servers.

Once a login attempt succeeds, the malicious code uploads a copy of itself to every writable FTP server. At this point, each file served to users (e.g. HTML, PHP and ASPX files) is infected by writing the following code into it.

A web service that has been infected with this malicious code

At this stage, rendering the page causes a vulnerable browser to treat it as a download. An unsuspecting user then clicks to open the malicious code. A recent update to this variant adds code injection via the infected server and an attempt to install a Linux-based mining program.

The target server IP, its credentials, and the list of infected files will be sent to the malicious code's backend server. Based on this information, the attacker is able to later log into the infected FTP server to infect more files and infect other victims.

The second approach targets Windows endpoints and servers on the local LAN, using the following steps.

PhotoMiner uses built-in Windows tools such as 'arp' and 'net view' to read the ARP cache and enumerate the local network segment using the BROWSER protocol.

Next, it tries to brute-force SMB connections. Once a connection succeeds, PhotoMiner attempts to place a copy of itself in each accessible remote Startup directory, and then uses a WMI script to execute the remote copy.

PhotoMiner disables hibernation

Some variants surreptitiously open a public Wi-Fi access point with the hard-coded name "Free_WIFI_abc12345" to lure unsuspecting users onto the network and infect them.

The attacker lures website visitors by opening an openly accessible wireless access point

Deeper into the malicious code

PhotoMiner is built in a modular way: it creates an executable focused on Monero mining, a mechanism to maintain persistence, and a package of infection modules for further propagation. This package consists of two main variants and multiple sub-versions. The first variant, img001.scr, is unusual in that it is written in the NSIS scripting language; the second variant, photo.scr, is a native binary that implements the functionality of img001.scr natively.

Using NSIS makes it simple to write complex scripts that interact with the operating system

Both variants contain multiple sub-versions ranging from bug fixes to changes in infection techniques. Despite the many versions, they still follow the same sequence of operations, so we describe them together and mention the differences only where needed. During the initialization phase, PhotoMiner performs tasks such as installing persistence and downloading configuration data for the mining program (miner). To install its persistence mechanism, PhotoMiner registers itself as a startup program using the following locations:

- HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Run
- %ALLUSERSPROFILE%\Microsoft\Windows\Start Menu\Programs\Startup
Although basic, the technique still works, and it is what now gets the program flagged as "malware". The configuration data is obtained by the script communicating over HTTP with a preconfigured list of host names; every host name serves the configuration file. The configuration obtained is a list of Monero mining pools and wallet addresses, from which the malicious code picks at random. The configuration file is obfuscated with a reverse dictionary: for each obfuscated character, the matching character is looked up in a hard-coded dictionary, while unobfuscated characters are safely skipped.

Configuration file: obfuscated characters vs. unobfuscated characters
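The decoding described above, as an added example that is not code from the article, from GuardiCore, or from the malware: each character found in a hard-coded dictionary is mapped back, every other character passes through. The dictionary, the obfuscated character set, the "host:port wallet" line layout and the sample configuration are all constructed for this demonstration; the article does not give the real ones.

```python
import random

# Constructed hard-coded dictionary: obfuscated character -> plaintext.
# Only characters that appear here count as "obfuscated"; anything else
# (digits, ':', '.', spaces, uppercase wallet characters) passes through.
DICTIONARY = {
    "!": "a", "@": "b", "#": "c", "$": "d", "%": "e", "^": "f", "&": "g",
    "*": "h", "(": "i", ")": "j", "[": "k", "]": "l", "{": "m", "}": "n",
    "<": "o", ">": "p", "?": "q", "~": "r", "|": "s", "`": "t", "=": "u",
    "+": "v", "\\": "w", "'": "x", '"': "y", ",": "z",
}
REVERSE = {plain: obf for obf, plain in DICTIONARY.items()}

# Constructed sample of what the miner would download: one "host:port wallet"
# line per pool, with the lowercase hostnames obfuscated through DICTIONARY.
SAMPLE_OBFUSCATED = (
    "><<].%'!{>]%.`%|`:3333 WALLET!!!!1111\n"
    "><<]2.%'!{>]%.`%|`:5555 WALLET@@@@2222\n"
)


def deobfuscate(text):
    """Map each obfuscated character back through the dictionary; skip the rest."""
    return "".join(DICTIONARY.get(ch, ch) for ch in text)


def obfuscate(text):
    """Inverse mapping, useful for round-trip checks when validating a recovered dictionary."""
    return "".join(REVERSE.get(ch, ch) for ch in text)


def parse_config(plain):
    """Parse the decoded text into (host, port, wallet) tuples (constructed layout)."""
    entries = []
    for line in plain.splitlines():
        line = line.strip()
        if not line:
            continue
        pool, wallet = line.split()
        host, port = pool.rsplit(":", 1)
        entries.append((host, int(port), wallet))
    return entries


def pick_target(entries, seed=None):
    """The article says the miner picks a pool/wallet at random; a seed makes it repeatable."""
    return random.Random(seed).choice(entries)


if __name__ == "__main__":
    decoded = deobfuscate(SAMPLE_OBFUSCATED)
    print(decoded)
    print(pick_target(parse_config(decoded), seed=1))
```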

At this stage, basic information about the computer, such as the operating system version and IP address, is sent back to the C&C server. PhotoMiner communicates with the C&C server only to report progress, not to receive "commands"; in fact, the sample contains no remote-access functionality at all. The attackers have built a resilient backend distributed across multiple domains and VPS servers at different hosting providers. But because they made some mistakes, such as reusing servers and IP addresses, different campaigns can be linked through the infrastructure they share.

After initialization, the malware spawns the mining program as a separate process and proceeds to self-replicate for propagation. This approach greatly reduces the threat that anti-virus programs pose to the miner itself. The mining module is a packaged version of "BitMonero", the core program that implements Monero mining; being a legitimate program, it avoids attracting unwanted attention.

Detecting and defending against PhotoMiner attacks

Regardless of the hosting software used by the FTP server, PhotoMiner can infect it and consume all the computing power of the infected Windows machines.

For endpoints, attacks are easy to prevent by implementing recommended security policies, such as application whitelisting and endpoint firewalls that block internal and external connections. If none of these options are in use, keep the browser updated to prevent a drive-by download like the one used here.

Deploying a security solution such as Guardicore Reveal provides in-depth data center monitoring and alerts on the execution of this type of malware on the computers it protects.

FTP servers should not allow unauthorized connections: lock down the allowed IP addresses and use stronger user/password combinations.

If an infected server is detected, make sure the code files have been cleaned and all copies of the malware are removed from the server.
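One way to support that clean-up check, as an added example that is not code from the article or from GuardiCore: walk a web root looking for the two markers the article describes, dropped copies of the worm's files (photo.scr, img001.scr) in writable directories and served page files (HTML, PHP, ASPX) that reference them. The sample web root, including the injected reference, is constructed here, since the original figure showing the injected code did not survive.

```python
import re
import tempfile
from pathlib import Path

# File names the article gives for the two PhotoMiner variants.
DROPPER_NAMES = {"photo.scr", "img001.scr"}
# Page types the article says get infected.
PAGE_SUFFIXES = {".html", ".htm", ".php", ".aspx"}
# Any reference to a dropper name inside a served page is treated as a marker.
REFERENCE_RE = re.compile(r"(?:photo|img001)\.scr", re.IGNORECASE)


def scan_webroot(root):
    """Return {'droppers': [...], 'injected_pages': [...]} as paths relative to root."""
    root = Path(root)
    findings = {"droppers": [], "injected_pages": []}
    for path in sorted(root.rglob("*")):
        if not path.is_file():
            continue
        rel = path.relative_to(root).as_posix()
        if path.name.lower() in DROPPER_NAMES:
            findings["droppers"].append(rel)
        elif path.suffix.lower() in PAGE_SUFFIXES:
            text = path.read_text(encoding="utf-8", errors="replace")
            if REFERENCE_RE.search(text):
                findings["injected_pages"].append(rel)
    return findings


def build_sample_webroot():
    """Constructed web root: one clean page, one page with an injected reference,
    one dropped copy of the worm and one harmless binary file."""
    root = Path(tempfile.mkdtemp(prefix="photominer_demo_"))
    (root / "index.html").write_text("<html><body>clean page</body></html>\n")
    (root / "about.php").write_text(
        "<?php echo 'hello'; ?>\n"
        "<a href=\"/images/photo.scr\">photos</a>\n"  # constructed stand-in for the injected code
    )
    (root / "images").mkdir()
    (root / "images" / "photo.scr").write_bytes(b"MZ-not-a-real-binary")
    (root / "images" / "logo.png").write_bytes(b"\x89PNG")
    return root


if __name__ == "__main__":
    print(scan_webroot(build_sample_webroot()))
```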

IoCs are attached at the end
