A recently uncovered threat actor, dubbed Vivin, has made thousands of U.S. dollars through a large-scale cryptomining campaign.
Vivin is unique due to its longevity — the threat actor has been active since at least 2017 — and researchers with Cisco Talos point to Vivin as a good example of why cryptomining malware isn’t going anywhere, despite a loss in the value of Monero over the past few years.
“Cryptomining…really hasn’t changed all that much on the threat landscape,” Nick Biasini, a threat researcher at Cisco Talos, told Threatpost. “This type of an activity is really going to continue for the foreseeable future. I mean, money’s the name of the game in a lot of these instances, and even though it’s not generating a huge amount of revenue, it’s guaranteed money. And for a lot of these actors, that’s really all their goal is, is to make money. So this remains a very viable way to do that.”
Below is a lightly-edited transcript of the interview.
Lindsey O’Donnell-Welch: Welcome back to the Threatpost podcast everybody. This is Lindsey O’Donnell-Welch with Threatpost here today. And I’m joined by Nick Biasini, a threat researcher at Cisco Talos, who’s going to talk to us a little bit more about some new Cisco research this week, about a large scale cryptomining attack and threat actor. So Nick, thanks so much for joining us today.
Nick Biasini: Yeah, thank you for having me.
LO: So I wanted to talk a little bit about some research that was released yesterday, that touched on a threat actor that you guys are tracking called “Vivin.” And according to research, this threat actor has been active since at least November 2017, and is responsible for cryptomining campaigns and basically mining thousands of U.S. dollars in Monero cryptocurrency off of infected hosts. It sounds like in the years since 2017 that you’ve been tracking this threat actor, it’s really evolved constantly. So just to start, can you kind of give us some context here and tell us how Cisco Talos came across this new threat actor?
NB: Sure. It actually started with one of our analysts, Andrew Windsor, the person who wrote the post, he was looking at some weird PowerShell, some obfuscated PowerShell, and digging into it a bit. We ended up finding out that it was a cryptomining infection for malicious cryptomining. And then we began kind of starting to run it down. So the first thing we were doing was looking for initial infection vectors, like how did this get onto the system? What we actually found is, as is commonly used, we found it linked to pirated software. So you had some people who were downloading some stuff they shouldn’t have, and this actor was hosting a bunch of what looked like pirated software but actually had a downloader that was then loading up a packed version of XMRig onto a bunch of systems.
LO: That was kind of a unique point there, the use of pirated software as the initial infection vector. And I know, too, that that’s been used as a tool before for attackers, but it seemed like it was kind of unique, at least for a cryptomining campaign.
NB: Yeah, it’s something that we used to see a lot of in the past, it’s not as common as it used to be. Maybe that’s a sign that pirated software is not as popular as it used to be, I don’t know. But from us, it may also be that enterprises are getting increasingly better at making sure that pirated software doesn’t make its way onto their networks. That type of an attack vector, although it is common in that specific space, isn’t something we see as commonly as we used to.
LO: I’m curious too, why the name Vivin? I’m always just curious about kind of what goes into the naming.
NB: So this is largely driven by the actor itself. So when the analysts were running this down, they started going through and pivoting on things like the wallet IDs that they were using to contribute to their money-making adventure. And as we were doing that, we started to find references and posts on various platforms, including things like Reddit and people that were interested in mining, and Vivin was a consistent part of the username that was posting this data. So that’s the reason for the name behind it.
LO: I thought a really interesting part of it was observing the public posting of the wallet IDs on Reddit and other social media sites, too.
NB: I will say generally, threat actors are not great at operational security or OpSec. So they’ll make mistakes. And when they do it, once you start pulling on the threads and you start finding little mistakes, you can then start forming out a larger web based on the fact that they tend to reuse usernames or parts of usernames or reuse things that help them be identified. It’s hard to be 100% certain in that space, but bad guys, especially people that aren’t doing very sophisticated attacks, tend to miss things when they’re trying to hide who they are.
LO: And I know, in this case, too, you mentioned that the actor was reusing slight variations of their username for various online accounts, so that makes sense. So can you walk us through kind of the technical details in terms of the cryptomining campaigns that were being launched by this threat actor? I mean, we talked a little bit about the initial infection vector using that, you know, pirated software, what would happen once that was complete, what’s kind of the next steps there?
NB: So there’s a couple different variants. One of the things that it would do is it would do GET requests to what looked like JPEG files, but were actually PowerShell, that would then execute and pull down miners. The main goal, they used several different techniques to do this, but the main goal was get on the system, download a miner, set up scheduled tasks, so it continues to run and then start generating revenue. And that’s something that we really see often still today. Cryptomining, despite there being a huge loss in the value of Monero, over the last couple of years, really hasn’t changed all that much on the threat landscape. When we first started seeing the brute forcers and the groups that are randomly compromising systems on the internet, kind of retool and start adding miners into their attack methodology — it’s not something that they do often, it’s not something that they do likely, so this type of an activity is really going to continue for the foreseeable future. I mean, money’s the name of the game in a lot of these instances, and even though it’s not generating a huge amount of revenue, it’s guaranteed money. And for a lot of these actors, that’s really all their goal is, is to make money. So this remains a very viable way to do that.
LO: Well, yeah, that’s a really good point. And you know, after reading the research, I wanted to kind of get your feedback on this type of attack as a whole, because I remember I think it was only back in 2018, when cryptomining attacks were dominating in terms of malware growth. And then we saw that kind of market downturn for cryptocurrency values in 2018. And I think at that time, a lot of people believed that would kind of dissuade cyber criminals from using cryptomining as a popular attack method, but I know in the research that you argue that cryptomining remains strong as an attack vector throughout 2019 heading into 2020. So it sounds like it’s all about the money, is that a fair assumption?
NB: Well, there’s an easy way to look at it, right. When we first saw cryptominers really burst onto the scene, you saw a huge amount of things like spam campaigns that were delivering mal-docs that were going and downloading miners, right? That was like the first wave of activity. That type of activity isn’t as common as it was back in the beginning. But what kind of happened is there’s this second phase; I mentioned before how we started seeing a lot of brute forcers and people that are trying to just randomly compromise systems, kind of pivot and start using cryptominers. That’s really the group that has kept this going. The first wave of initial spam campaigns, although they’re still there, we still see them from time to time. They aren’t nearly at the volume they used to be. However, these people that are out there just brute forcing accounts and logging in, they still very, very commonly, the first thing they do is download a miner, get it spun up and started and scheduled as a task or service or whatever, and start generating revenue.
LO: I know another kind of trend that I wanted to mention as well is, I know many researchers too have talked about kind of an evolution in cryptomining attacks that are going from attacks on individuals to more attacks targeting commercial or business targets. And in your own research, you guys had mentioned seeing potential attacks by higher coordinated cybercrime groups and more collaboration between multiple different threat actors. Do you think that that kind of goes hand in hand in terms of these larger types of attacks that we’re seeing?
NB: Um, it could, I mean, we’ve done a whole series of blogs on a different actor that has been commonly using crypto mining as well. I mean, it really frankly just boils down to money. This is just a good way for a group of cyber criminals to get together and try and generate some revenue, it’s something that you can theoretically have running on a system for a long period of time without really notifying the user. You don’t have to maintain a lot of command and control infrastructure necessarily. Once the system gets up and running, it kind of just keeps going on its own. So it’s an attractive threat from that avenue more than anything else.
LO: Yeah, I mean, going back specifically to Vivin and what you guys were seeing with that specific threat actor, you mentioned that there is an evolution over time in terms of the threat actor’s TTPs. And you know, that included changes to its tools, like updated packers or new methods of obfuscation and other kind of structural changes in the PowerShell code. And was there anything that stuck out to you in terms of this evolution and kind of the new tricks or tactics that it was trying to adopt and, you know, how that really spoke to any overall cryptomining changes in general that we’re seeing over the past few years?
NB: I actually think it’s more a symptom of the state that we’re in with the use of commodity tool sets, right. So a lot of the PowerShell that’s being used, a lot of the delivery mechanisms and the infection methodologies are using commodity tool sets and things that you can go buy. As those continue to get updated and they move through these various types of tools, that’s commonly where we see these types of evolutions coming from, it’s not so much that they themselves are evolving, it’s that they’re either getting better tools, or the tools that they’re using are providing updates that give them the ability to add sophistication. I mean, in today’s world, if you have several hundred dollars and access to the right places, you can easily get a bunch of stuff that makes you look very sophisticated from an actor perspective, without having to have a huge amount of technical knowledge behind you. And that’s commonly what we see, these actors start out small, they generate some money, they start evolving in what they do, and they start getting better tools and better tooling, and then you start to see that evolution move along.
LO: In terms of victims, were you able to get a sense of how many victims were affected by this threat actor or what types of victims were impacted at all?
NB: Well, that’s a little tough. I mean, these types of threats, especially using stuff like pirated software, are largely indiscriminate, right, they’re just trying to compromise anyone that’s willing to download the software that they’re posting wherever. And because of that, additionally, you have hash rates as one of the big ways that you would kind of track the size of these botnets, because you can see the wallets that they’re using and the volume of hashes that they’re calculating every second, but even that can vary widely depending on what type of system you’re compromising, you know, you compromise a whole rack of servers, you’re going to generate a huge volume of hashes, whereas you compromise a couple of very old netbooks or something, you’re not going to generate a large amount of hashes but you could have a very large amount of victims. So, cryptomining is one of those ones that’s a little bit more difficult to narrow down specifically, how many victims are impacted.
LO: Yeah, I guess that makes sense. And I also wanted to ask, you had mentioned some of the other advanced cryptomining actors that you had been observing and detecting over the past few years, including Panda and some other ones. Where does Vivin fall in the grand scope of some of these other threat actors that we’re seeing out there?
NB: I mean, they’re pretty run of the mill for cryptomining, the biggest thing is their longevity. I mean, they’ve been at this for a long time. Usually, we don’t see these actors keep going for years and years doing the same thing. Typically, they evolve, they move on to something else, or they just stop doing it altogether. This group has just been active for a long period of time and they continue to be persistent and keep doing what they’re doing. I don’t see any indication that they’re going to slow down or stop anytime in the future.
LO: Yeah, I know they are still remaining active today. So with that in mind, how can users or potential victims defend themselves? And are there any kind of telltale signs that you are infected specifically by cryptomining malware from this threat actor?
NB: So I mean, the easiest thing is don’t download and execute pirated software specifically with this actor because that’s the initial infection vector. If you’re not downloading pirated software, you’re at a much lower risk for this, but more generally, there are other things you can look for. Because it is cryptomining, it’s going to spike things, you’re going to see sustained spikes in CPU and system resources. Your system may run slowly. If you’re in an enterprise, there’s easy ways to detect this occurring on the wire. You can look for connections to known mining pools via IP or domain, you can look for the actual syntax and stuff traveling on the wire. And then, of course, if you have an endpoint security solution, hopefully XMRig and these various other open source miners that are running will get flagged by that particular AV solution.
LO: Those are definitely things to keep in mind for the future, and Nick, was there anything else you wanted to highlight about either this particular threat actor or just about cryptomining in general?
NB: More than anything else is just remember that cryptomining is a valid threat that is going to continue to be a problem. It’s not going anywhere. If you were looking for it before and you’ve kind of faded away from looking at it, go back and look at it again. If it’s occurring in your network, you should be able to see it and you should be able to stop it. You know, this type of activity is indicative of malicious activity, and it really needs to be treated as such.
LO: Great, yeah, that’s definitely something that we will be keeping our finger on the pulse of in the coming year to see how that changes or evolves. So, Nick, thank you again for coming on to the Threatpost podcast today to talk a little bit more about Vivin and cryptomining and more trends that we’re seeing.
NB: Yeah, absolutely. Thanks a lot for having me.
LO: Great. And once again, this is Lindsey O’Donnell-Welch with Nick Biasini with Cisco Talos. Catch us next week on the Threatpost podcast.