MassMiner Takes a Kitchen-Sink Approach to Cryptomining


The malware targets Windows servers with a cornucopia of well-known exploits, all within a single executable — including the EternalBlue NSA hacking tool.

Though it falls squarely into the trend of cryptominers setting their sights on the Monero virtual currency, the MassMiner malware family is adding its own special somethin’-somethin’ to the mix. It targets Windows servers with a variety of recent and well-known exploits – all within a single executable.

In fact, MassMiner uses a veritable cornucopia of attacks: The EternalBlue National Security Agency hacking tool (CVE-2017-0143), which it uses to install DoublePulsar and the Gh0st RAT backdoor to establish persistence; an exploit for the well-known Apache Struts flaw that led to the Equifax breach (CVE-2017-5638); and an exploit for Oracle’s WebLogic Java application server (CVE-2017-10271). It also uses the SQLck tool to gain brute-force access to Microsoft SQL Servers, and it even incorporates a fork of MassScan, a legitimate tool that can scan the internet in under six minutes.

“It surprised us how many different exploits and hacking tools it leverages,” said AlienVault researchers Chris Doman and Fernando Martinez, who analyzed the code.

They added that the malware family comprises many different versions, but they all spread first within the local network of its initial host, before attempting to propagate across the wider internet.

As for the anatomy of the attack, compromised Microsoft SQL Servers are first subjected to scripts that install MassMiner and disable a number of important security features and anti-virus protections.

Once the malware has been installed, it sets about mining for Monero and hooking up with a crypto-wallet and mining pool; it also connects with its C2 server for updates, and configures itself to infect other machines on the network. Meanwhile, a short Visual Basic script is used to deploy the malware to compromised Apache Struts servers, and it moves laterally by replicating itself like a worm. The malware also hands its MassScan fork a list of both private and public IP ranges to scan during execution, to find fresh server targets out on the web that it can then break into with the SQLck brute-force tool.
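The SQL Server brute-force stage described above leaves a characteristic trace: a burst of failed logins from one client IP in the SQL Server ERRORLOG, sometimes followed by a success. The following detection logic is an added example for defenders, not code from the article or from AlienVault's analysis; the log lines are constructed in the ERRORLOG style, and the threshold and window values are assumptions to tune locally.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample lines in the style of a SQL Server ERRORLOG (not real data).
SAMPLE_LOG = """\
2018-05-02 10:15:01.10 Logon       Login failed for user 'sa'. Reason: Password did not match that for the login provided. [CLIENT: 203.0.113.5]
2018-05-02 10:15:01.35 Logon       Login failed for user 'sa'. Reason: Password did not match that for the login provided. [CLIENT: 203.0.113.5]
2018-05-02 10:15:01.61 Logon       Login failed for user 'sa'. Reason: Password did not match that for the login provided. [CLIENT: 203.0.113.5]
2018-05-02 10:15:01.87 Logon       Login failed for user 'sa'. Reason: Password did not match that for the login provided. [CLIENT: 203.0.113.5]
2018-05-02 10:15:02.12 Logon       Login failed for user 'sa'. Reason: Password did not match that for the login provided. [CLIENT: 203.0.113.5]
2018-05-02 10:15:02.40 Logon       Login succeeded for user 'sa'. Connection made using SQL Server authentication. [CLIENT: 203.0.113.5]
2018-05-02 10:20:00.00 Logon       Login failed for user 'reporting'. Reason: Password did not match that for the login provided. [CLIENT: 10.0.0.7]
"""

# Matches the "Logon" lines that carry an outcome, a login name and the client address.
LINE_RE = re.compile(
    r"^(?P<ts>\d{4}-\d{2}-\d{2} \d{2}:\d{2}:\d{2}\.\d{2}) Logon\s+"
    r"Login (?P<outcome>failed|succeeded) for user '(?P<user>[^']+)'.*\[CLIENT: (?P<ip>[^\]]+)\]"
)

def parse(log_text):
    """Return (timestamp, outcome, user, client_ip) tuples for every recognised logon line."""
    events = []
    for line in log_text.splitlines():
        m = LINE_RE.match(line)
        if m:
            ts = datetime.strptime(m["ts"], "%Y-%m-%d %H:%M:%S.%f")
            events.append((ts, m["outcome"], m["user"], m["ip"]))
    return events

def detect_bruteforce(events, threshold=5, window=timedelta(seconds=60)):
    """Flag a client IP once it reaches `threshold` failed logins inside `window`
    (assumed tuning values), and escalate if that IP later logs in successfully."""
    failures = defaultdict(list)   # client ip -> timestamps of recent failures
    flagged = set()
    alerts = []
    for ts, outcome, user, ip in events:   # events are assumed to be in time order
        if outcome == "failed":
            failures[ip] = [t for t in failures[ip] if ts - t <= window] + [ts]
            if len(failures[ip]) >= threshold and ip not in flagged:
                flagged.add(ip)
                alerts.append(("bruteforce", ip, user))
        elif ip in flagged:
            alerts.append(("success_after_bruteforce", ip, user))
    return alerts
```

Running `detect_bruteforce(parse(SAMPLE_LOG))` on the constructed sample yields one brute-force alert for 203.0.113.5 and one escalation when 'sa' then logs in from the same address, while the single failure from 10.0.0.7 stays below threshold.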

So far, the criminals behind the malware have been successful with this kitchen-sink approach: AlienVault in its analysis identified two Monero wallets belonging to the attackers.

The success is unsurprising, according to Ruchika Mishra, director of products and solutions at Balbix.

“Given [the workforce skills shortage], it’s not hard to imagine a multi-pronged attack such as MassMiner bypassing security systems and staying under the radar with relative ease,” Mishra said via email. “With the proliferation of coin-mining attacks in 2017 and 2018, I foresee continued innovation and a significant uptick in complexity as the barrier to entry for attackers lowers and iterations of successful exploits become more readily available on the Dark Web.”

Worryingly, other capabilities in the bad code suggest that MassMiner may have loftier goals than simply cryptomining. On the EternalBlue front, it uses the exploit to drop the DoublePulsar Windows kernel attack, which is a sophisticated memory-based payload that hooks onto x86 and 64-bit systems and allows an attacker to execute any raw shellcode payload they wish, giving them full control over the system.

MassMiner also uses EternalBlue to install Gh0st RAT, a trojan backdoor for persistence that has targeted the Windows platform for years. It was once primarily a nation-state tool used in APT espionage attacks against government agencies, activists and other political targets, until the EternalBlue exploit was used to spread it in other contexts last year.

Incidentally, this is not the only cryptomining malware to make use of the Shadow Brokers’ release of a trove of NSA exploits. Last week, a malware called PyRoMine that uses the EternalRomance tool was found in the wild mining Monero. Like MassMiner, it has far-ranging and concerning capabilities: It sets up a hidden default account on the victimized machine with system administrator privileges, which can be used for re-infection and further attacks.

The multi-pronged approach may be unusual, but it showcases the increasingly complex task that businesses have in front of them when it comes to their security postures.

“The enterprise attack surface is hyper-dimensional and constantly increasing with hundreds of attack vectors. Enterprises continue to struggle with not just mapping their attack surfaces, but also identifying which systems are easiest to attack and can be used as a launch point for a breach,” said Mishra.
