Cryptomining Malware – How criminals use your devices to get wealthy!

Has your computer ever been slow without you being able to tell what the problem was? Nowadays, illicit cryptomining can cause such performance problems. It dethroned ransomware as the top cybersecurity threat in 2018 (Webroot Threat Report 2018). A simple website visit can start the mining process, either as JavaScript running in the background of the browser or through malware accidentally installed on your computer. These two modes of illicit cryptomining are called browser-based cryptojacking and binary-based cryptomining. In both cases the combined hash rate can reach that of a medium-sized mining farm. This blog article gives an overview of binary-based cryptomining malware, where the mining process is embedded in the payload of a malware sample. Criminals hide it as well as possible, which makes it hard to detect and lets them earn a massive income. All the tools they need to start a malicious cryptomining business are easy to get in underground markets; malware can be purchased for a few dollars (e.g. the average cost of an encrypted miner for Monero XMR is 35 USD). We will also take a quick look at how companies legally use cryptomining to monetize web content as an alternative business model.

Source: “A First Look at the Crypto-Mining Malware Ecosystem: A Decade of Unrestricted Wealth” by S. Pastrana and G. Suarez-Tangil

Basics

In this part we will have a look at the basics required for this article.

Mining Pools

Since mining cryptocurrencies requires more and more computational power, mining pools have become popular. A mining pool is a collection of miners who pool their resources to mine a cryptocurrency and share the reward for every calculated block. Mining pools have advantages and disadvantages. One main advantage is a more stable income, due to better chances of solving the cryptographic puzzle for the next block. On the other hand, miners have to share their rewards, which can be seen as a disadvantage, but without enough resources the outcome of mining alone is potentially lower. (Mining Pools and How They Work 2019)

Cryptocurrency Wallets

Cryptocurrency wallets are not exactly like the wallets we know from daily life. Users can monitor their balance, send money or execute other operations. A virtual wallet contains a private and a public key to perform these operations. The keys are used to access the public blockchain address and to confirm a transaction. The private key is used to sign the transactions of the wallet owner, and the public key is similar to an international bank account number. For example, if someone wants to transfer money to your wallet this person needs your public key, but you don’t receive actual money in an account: the transfer exists only as a transaction record on the blockchain and a balance change in your cryptocurrency wallet. It is important to know that the private key is unique and that, if it is lost, the wallet is no longer accessible to its owner. (What is a wallet 2019)

Binary-based Mining

Binary-based mining is the common way to mine cryptocurrency. Users install a program or application on a device to mine. That is the legitimate way, as the user receives the rewards for the computing work done. It becomes illicit when a malicious actor gains access to the user’s computing power through malware and mines for their own benefit. The mining software is installed on the computer and drains the CPU capacity of the victim, while the reward payments go to the wallet of the attacker.

Browser-based Mining

Having covered binary-based mining, we will have a brief look at the second of the two types of illicit cryptomining, browser-based cryptojacking. Illicit browser-based mining has been continually rising in the past years. As mentioned in the introduction, it is really simple to run into it. As long as a user stays on a website and uses its services, the mining process is running: the victim’s browser runs scripts that carry out the mining. It is only illicit if the user is not aware of it. Some websites use this method to generate money legally for maintenance, as donations or as a substitute for advertising. For example, the UNICEF organization in Australia used this method to collect donations. (UNICEF Donation 2019)

Source: thehopepage.org

UNICEF notifies users about the procedure and only starts the mining operation on their devices after they have agreed to the terms, which makes the activity legitimate.

Key Enablers of Illicit Cryptomining

The key factors that enable malicious actors to conduct illicit cryptomining were analysed by the Cyber Threat Alliance in 2018 (The Illicit Cryptocurrency Mining Threat 2018). Let’s have a look at these factors:

  • It has become more profitable because of the increased value of cryptocurrencies.
  • Cryptocurrencies with anonymous transactions, such as Monero and Ethereum, can be mined with personal computers or IoT devices and thus create a potential attack surface.
  • Malware and browser-based exploits are easy to use and easily available.
  • The number of mining pools is increasing, facilitating the pooling of resources and providing a scalable method for mining.
  • Enterprises and individuals with inadequate security measures are targets for malicious actors and are unaware of the potential impact on their infrastructure and operations.

Most popular Cryptocurrency

Since the popularity of Bitcoin for illicit cryptomining dropped over time because of the increased amount of time needed to calculate a single coin, underground economies focus on other cryptocurrencies like Monero (XMR). Monero is the most popular cryptocurrency for illicit cryptomining because it uses innovative ring structures and decoys to keep transactions completely untraceable. (Webroot Threat Report 2019) Researchers found that 4.32% of the circulating XMR was mined with cryptomining malware, for an estimated revenue of nearly 57 million USD. (First Look 2019)

Damage caused by Cryptomining

Cryptomining can cause serious damage in different ways. It drains CPU capacity, which could easily be noticed while using an infected computer, but criminals use distinct methods to evade detection of the mining process. These methods are explained later in the article. Another main damage is the increased power consumption of the CPU or GPU, which causes high electricity bills. Through the excessive load on computer components during the process, the hardware deteriorates rapidly.

How Criminals spread the Malware

The common approach to spreading the malware is to host it on public cloud storage sites such as Amazon Web Services (AWS), Dropbox, Google Drive, Github and so on. Criminals often hide the malware inside stock mining software, for instance xmrig or xmr-stak, to get it onto the victim’s machine. Another approach is the use of botnets, which are offered as pay-per-install (PPI) services in deep web markets. (First Look 2019)

Source: “A First Look at the Crypto-Mining Malware Ecosystem: A Decade of Unrestricted Wealth” by S. Pastrana and G. Suarez-Tangil

A further, and probably the oldest, approach to getting these executables to a user is to deliver malicious spam or exploit kits by email. The malware starts to infect the computer after the attachment is opened. Once the machine has installed the malicious mining software, it starts to mine cryptocurrency. In some cases the malware begins to scan the network for more accessible devices and tries to infiltrate them with an exploit.

Mechanisms to evade Detection

As mentioned earlier, most cryptomining malware makes use of stealth techniques. The more difficult it is to detect, the longer the malware can utilize the computing power. The idle mining method starts the mining process only when the computer is in an idle state and no operations have been running for a certain time. For example, if you leave your computer on for a longer time without using it, the mining process starts and lasts as long as there is no interaction with the computer. After an interaction the process shuts down and the performance is free for the user again. The programmers of the malware take care in many ways to evade detection. There is cryptomining malware with different modes for desktops and laptops to get the most computing power out of the infected device without being noticed: on a laptop, for instance, the malware would only use as much computing power as it can while keeping the fans quiet. Another technique is execution stalling code, which makes the process almost invisible while Task Manager is running: as long as Task Manager is open, the mining process reduces its CPU utilization. It is possible to bypass this execution stalling code by using other process monitoring applications. Furthermore, cryptomining campaigns use domain aliases (e.g. CNAME records) to prevent blacklisting of mining pools.

Source: coindesk.com [Accessed 4. September 2019]

The image above shows how the execution stalling of the malicious miner called Norman works. It is an XMRig-based crypto-miner that avoids detection: after Task Manager opens, the malware stops operating, and it re-injects itself as soon as Task Manager is closed.

Source: “THE ILLICIT CRYPTOCURRENCY MINING THREAT” by the Cyber Threat Alliance

In the figure above we can see another stealth technique, which was described by Palo Alto Networks. This cryptomining malware uses only 20 percent of the machine’s CPU. The benefit of this method is that the malware persists longer on the infected machine and avoids detection, at the price of a lower mining performance than would be possible.
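The three stealth behaviours described above (idle-only mining, throttling while Task Manager is open, and a flat capped load) can all be spotted from a series of per-process CPU samples. The following detector is an added example, not code from the article or from the cited reports; the process names, thresholds and CPU samples are constructed for the demonstration, and in practice the samples would come from a monitoring tool other than Task Manager, as the text suggests.

```python
"""Heuristics for the stealth behaviours of cryptomining malware (added example)."""
from dataclasses import dataclass
from statistics import mean, pstdev


@dataclass(frozen=True)
class Sample:
    ts: int              # seconds since the observation started
    process: str         # process name
    cpu: float           # CPU utilisation of that process, in percent
    user_idle: bool      # no keyboard/mouse input for the idle threshold
    monitor_open: bool   # Task Manager is currently running


def idle_only_mining(series, high=40.0, low=5.0):
    """Flag a process that is busy while the user is idle and quiet otherwise."""
    idle = [s.cpu for s in series if s.user_idle]
    active = [s.cpu for s in series if not s.user_idle]
    if not idle or not active:
        return False
    return mean(idle) >= high and mean(active) <= low


def monitor_sensitive(series, drop_ratio=0.5):
    """Flag a process whose load collapses whenever Task Manager is open
    (execution stalling, as described for the Norman miner)."""
    closed = [s.cpu for s in series if not s.monitor_open]
    opened = [s.cpu for s in series if s.monitor_open]
    if not closed or not opened:
        return False
    return mean(closed) > 0 and mean(opened) <= mean(closed) * drop_ratio


def throttled_steady(series, floor=10.0, ceiling=25.0, max_dev=3.0):
    """Flag a flat, capped load (e.g. the 20% cap described by Palo Alto Networks).
    Normal processes fluctuate; a fixed cap produces an unusually flat series."""
    cpus = [s.cpu for s in series]
    if len(cpus) < 5:
        return False
    return floor <= mean(cpus) <= ceiling and pstdev(cpus) <= max_dev


CHECKS = (
    ("idle-only", idle_only_mining),
    ("monitor-sensitive", monitor_sensitive),
    ("throttled-steady", throttled_steady),
)


def analyse(samples):
    """Group samples by process and return {process: [flags]} for suspicious ones."""
    by_proc = {}
    for s in samples:
        by_proc.setdefault(s.process, []).append(s)
    report = {}
    for name, series in by_proc.items():
        flags = [label for label, check in CHECKS if check(series)]
        if flags:
            report[name] = flags
    return report


def constructed_samples():
    """Constructed observation of four processes over 20 samples (not real telemetry).
    The user walks away at sample 10; Task Manager is open at samples 5, 6, 15 and 16."""
    out = []
    for i in range(20):
        idle = i >= 10
        tm = i in (5, 6, 15, 16)
        out.append(Sample(i, "idle_miner.exe", 85.0 if idle else 1.0, idle, tm))
        out.append(Sample(i, "stalling_miner.exe", 2.0 if tm else 90.0, idle, tm))
        out.append(Sample(i, "capped_miner.exe", 20.0 + (i % 3) * 0.5, idle, tm))
        out.append(Sample(i, "browser.exe", 30.0 if i % 4 == 0 else 5.0, idle, tm))
    return out


if __name__ == "__main__":
    for proc, flags in analyse(constructed_samples()).items():
        print(f"{proc}: {', '.join(flags)}")
```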

Campaigns

Source: “A First Look at the Crypto-Mining Malware Ecosystem: A Decade of Unrestricted Wealth” by S. Pastrana and G. Suarez-Tangil

If we have a look at the illicit cryptomining campaigns, we see a small number of actors that monopolize the cryptomining malware ecosystem. It is common to see campaigns mining in various pools. The most popular are crypto-pool, dwarfpool and minexmr, and there are successful campaigns that have been running for over 5 years without being detected. In the next part we will have a look at the most profitable campaigns which were still active in 2018 and were analysed by Sergio Pastrana of the Carlos III University of Madrid and Guillermo Suarez-Tangil of King’s College London, whose work this article is based on.

The Freebuf Campaign

The Freebuf campaign has been active since 2016, probably still is, and has mined over 163K XMR (approx. 18 million USD). It is named “Freebuf” after its main domain xt.freebuf.info. Statistics of two banned wallets have shown that they were connected from 5,352 and 8,009 different IPs and had mined 362.6 and 1,283.7 XMR. The campaign used 7 wallets, which are connected to the mining pools minexmr and crypto-pool through domain aliases. After the ban of the two wallets the operator switched to another mining pool.

Source: “A First Look at the Crypto-Mining Malware Ecosystem: A Decade of Unrestricted Wealth” by S. Pastrana and G. Suarez-Tangil

In the figure above we can see the structure of the Freebuf campaign. The green nodes are malware miners and are connected to wallets, shown as blue nodes. Gray and pink nodes represent the infrastructure of the campaign: the gray nodes represent the contacted domain servers and the pink node the malware hosts. The red and orange nodes symbolize additional malware. As mentioned earlier, the campaign uses 7 wallets, which we can see in this graph. All the malware miners are connected to one of the wallets and linked to one mining pool, which is hidden behind a CNAME alias domain. We can see three different domain servers in this graph: xt.freebuf.info, x.alibuf.com and xmr.honker.info. All of them have been aliases of commonly used mining pools: xt.freebuf.info and xmr.honker.info are aliases for minexmr and x.alibuf.com for crypto-pool.
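Because the alias domains change while the pool behind them stays the same, a defender should blocklist what a CNAME chain resolves to rather than the queried name. The script below does that; it is an added example and not code from the article or the paper. The CNAME table and DNS log lines are constructed so it runs offline: the alias names are the ones the article discusses, while the pool hostnames (`minexmr.example` and so on) are placeholders standing in for the real pools, which the page does not spell out.

```python
"""Resolve CNAME aliases to the mining pool they hide (added example)."""

# Constructed CNAME table (alias -> canonical name). Alias names are from the
# article; pool hostnames are placeholders. A real deployment would feed this
# from the resolver's CNAME answers instead of a fixed dictionary.
CONSTRUCTED_CNAMES = {
    "xt.freebuf.info": "pool.minexmr.example",
    "xmr.honker.info": "pool.minexmr.example",
    "x.alibuf.com": "xmr.crypto-pool.example",
    "cdn.benign.example": "edge.benign-cdn.example",
    "loop-a.example": "loop-b.example",   # deliberately looping pair
    "loop-b.example": "loop-a.example",
}

# Pool domains to block (placeholders for minexmr, crypto-pool and dwarfpool).
POOL_BLOCKLIST = {"minexmr.example", "crypto-pool.example", "dwarfpool.example"}

MAX_HOPS = 8  # guard against long or looping CNAME chains


def resolve_chain(name, cnames):
    """Return the names visited while following CNAMEs from `name`.
    Stops at the first name without a CNAME, on a loop, or at MAX_HOPS."""
    chain = [name]
    seen = {name}
    while chain[-1] in cnames and len(chain) <= MAX_HOPS:
        nxt = cnames[chain[-1]]
        chain.append(nxt)
        if nxt in seen:      # loop closed: record it and stop
            break
        seen.add(nxt)
    return chain


def is_under(host, domain):
    """True if host equals domain or is a subdomain of it."""
    return host == domain or host.endswith("." + domain)


def classify(name, cnames=CONSTRUCTED_CNAMES, blocklist=POOL_BLOCKLIST):
    """Return ('pool-alias', chain) if any hop lands in a blocklisted pool
    domain, else ('clean', chain)."""
    chain = resolve_chain(name.lower().rstrip("."), cnames)
    for hop in chain:
        if any(is_under(hop, pool) for pool in blocklist):
            return "pool-alias", chain
    return "clean", chain


def scan_dns_log(lines, cnames=CONSTRUCTED_CNAMES):
    """Scan 'timestamp client qname' lines; return (client, qname, chain) hits."""
    hits = []
    for line in lines:
        parts = line.split()
        if len(parts) != 3:
            continue   # skip malformed lines
        _ts, client, qname = parts
        verdict, chain = classify(qname, cnames)
        if verdict == "pool-alias":
            hits.append((client, qname.lower().rstrip("."), " -> ".join(chain)))
    return hits


# Constructed DNS query log (not real traffic).
CONSTRUCTED_LOG = [
    "2019-09-04T10:00:01 10.0.0.5 xt.freebuf.info",
    "2019-09-04T10:00:02 10.0.0.7 cdn.benign.example",
    "2019-09-04T10:00:03 10.0.0.5 x.alibuf.com.",
    "2019-09-04T10:00:04 10.0.0.9 loop-a.example",
    "malformed line",
]

if __name__ == "__main__":
    for client, qname, chain in scan_dns_log(CONSTRUCTED_LOG):
        print(f"{client} queried {qname}: {chain}")
```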

The USA-138 Campaign

The USA-138 campaign has mined at least 6,709 XMR (approx. 651K USD) using 5 wallets. An interesting point about this campaign is that it also mined the cryptocurrency Electroneum (ETN), earning 314.18 ETN in late 2018. That was worth less than 5 USD, but it was a speculative investment in the future.

Source: “A First Look at the Crypto-Mining Malware Ecosystem: A Decade of Unrestricted Wealth” by S. Pastrana and G. Suarez-Tangil

The figure above shows the structure of the USA-138 campaign. The meaning of the nodes is the same as described in the Freebuf campaign section.

Countermeasures

The simplest way to prevent cryptomining malware is to keep the antivirus updated and to avoid downloading tools from suspicious websites. Furthermore, the operating system should be kept updated to close vulnerabilities and prevent code injection. Another possibility is to monitor network data transfers and web proxies to detect attacks. If you suspect that the computer is slower than normal and that illicit cryptomining might be consuming CPU/GPU capacity, it is useful to monitor the activity and check whether any suspicious services are running. (Cryptominer Protection 2019)

The most successful measure against illicit cryptomining was the change of the Monero PoW (Proof-of-Work) algorithm in 2018, which stopped approximately 73% to 90% of the campaigns because their malware could not adjust to the change.

Conclusion

The fact is that cyberattacks with cryptomining malware are constantly rising, and enterprises and individuals are most of the time not aware of the situation. It causes enormous performance problems and hardware deterioration. The attackers are getting more and more creative with the use of stealth techniques, which makes the malware hard to detect. Cryptocurrencies and cryptomining give them an almost anonymous platform to generate money on victims’ devices. This makes it unlike ransomware, where the victim is aware of the situation and can deal with it. Cryptomining attacks are most of the time silent, and without awareness of this problem they will go on. As an ordinary user, you can only monitor your CPU/GPU performance for suspicious drops. Keep your antivirus software and operating system updated.

References

The (in)security about speaker legitimacy detection

For most of us, voices are a crucial part of our everyday communication. Whether we talk to other people over the phone or in real life, through different voices we’re able to distinguish our counterparts, convey different meanings with the same words, and – maybe most importantly – connect the voice we hear to the memory of a person we know – more or less.

In relationships lies trust – and whenever we recognize something that’s familiar or well-known to us, we automatically open up to it. It happens every time we make a phone call or receive a voice message on WhatsApp. Once we recognize the voice, we instantly connect the spoken words to that person and – in case of a friend’s or partner’s voice – establish our connection of trust.

But what if that trusty connection could be compromised? What if a voice could be synthesized by a third person in a way that makes it indistinguishable from the original one?

There are some very interesting studies that explore the possibility of “speech synthesis” in the context of “speaker legitimacy” – the art of determining the authenticity of a voice heard. By the way, that doesn’t only affect us as humans. There are a number of systems that use a voice to recognize a person in order to grant access to sensitive data or controls – think about the digital assistant on your smartphone, for example.

Today, there are several ways to synthesize a voice – purely artificially or based on human input. To give you a quick overview: There is the articulatory approach, where basically the human speech apparatus is mimicked in order to modify a sound signal through different parameters, like the position of the tongue, lips or jaw. This approach is by far the most difficult to achieve due to the vast number of sensor measurements that have to be taken in several iterations of a speaker analysis. To this day, a complete speech synthesis system based solely on this approach doesn’t exist.

Another approach is the signal modelling approach. Where the articulatory approach starts from the question “how does a human create the signal”, this approach asks “how does the signal actually sound” – so the acoustic signal itself is modified here. This is basically done by applying several filters with specific settings in a specific order – the best results can mostly be achieved with a “convolutional neural network” (CNN), but many speech signals are necessary for training the engine, and it comes with high computational cost.

By far the most successful way to create a realistic-sounding voice is the approach of “concatenation”. Here, fitting segments of an existing, recorded (“real”) voice are taken and put together to create syllables, words and eventually whole sentences. Think about your GPS navigation system – it would probably take forever to record all the street names that exist in your country or language region. But with just the right number of syllables in different pitches, they can be concatenated in a way that lets every possible combination of street names be pronounced realistically.

But how can all of this be used to attack me and my phone calls?

This rather shocking example is based on a study by D. Mukhopadhyay, M. Shirvanian, and N. Saxena. They tried to impersonate a voice using a threat model that includes three steps:
First, samples of the voice of a “target victim” are collected. That can be done in numerous ways, either through wiretapping phone calls, recording the victim in their surroundings or simply using voice samples shared on social media.
In a second step, an attacker speaks the same utterance as the victim into a voice morphing engine – that way, he receives a model of the voice of the victim. The engine now basically knows “what was said” and “how it sounded”. That model can now be used by the attacker to speak any utterance, while the morphing engine applies the model built before to make the attacker’s voice sound like the target victim.
Note the term “voice morphing”: it is a technique where a source voice is modified to sound like a desired target voice by applying the respective differences in spectral features between the two voices. This process makes use of the signal modelling and concatenation approaches mentioned before.
The image below illustrates the described threat model:

Source: “All Your Voices Are Belong to Us” by D. Mukhopadhyay et al.

If you want to listen into a short sample of the result of a voice morphing software, watch this little video.

As shown in Phase III of the threat model, the fake utterance of Bob’s voice is used to attack both a machine-based and a human-based legitimacy detection capability.

The machine-based setup targeted the “Bob SPEAR Speaker Verification System”, a Python-based open source tool for biometric recognition. Two different speech datasets (Voxforge – short 5 second samples in high quality, and MOBIO – longer samples of 7-30 seconds, recorded with a basic laptop microphone) were used to train the engine, which in this case was the “Festvox” conversion system.
The results of this attack were startling:

Source: “All Your Voices Are Belong to Us” by D. Mukhopadhyay et al.

This data shows how the system responded to the original voices as well as the faked ones. To clarify the overall accuracy of the system, for each dataset a “different speaker attack” as well as a “conversion attack” was made – in the different speaker attack, the voice used to authenticate was on purpose a completely different one. The conversion attack, however, is the attacker’s voice morphed into the original speaker’s one.
The “False Acceptance Rate” (FAR) shows that in both conversion attack scenarios the system granted access to more than 50% of the voices played back – enough to say that the system fails significantly against a voice conversion attack. It also shows that there is indeed a difference in the results based on the quality of the conversion samples.
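To make the FAR figure concrete, the following added example (not code from the paper, and not the Bob SPEAR toolkit) computes FAR separately for the two attack types and the false rejection rate (FRR) for genuine speakers from a verifier’s similarity scores at a given acceptance threshold, then shows what happens when the threshold is raised until the conversion-attack FAR is pushed down. All scores are constructed values in the range 0 to 1; the threshold and the target FAR are assumptions for the demonstration.

```python
"""FAR/FRR of a speaker verifier under different-speaker and conversion attacks
(added example with constructed scores)."""

# Constructed similarity scores (1.0 = perfect match to the enrolled speaker).
GENUINE = [0.82, 0.77, 0.91, 0.68, 0.73, 0.88, 0.64, 0.79, 0.85, 0.71]
DIFFERENT_SPEAKER = [0.21, 0.33, 0.18, 0.40, 0.27, 0.35, 0.12, 0.30, 0.25, 0.38]
CONVERSION_ATTACK = [0.62, 0.71, 0.55, 0.66, 0.74, 0.49, 0.69, 0.58, 0.63, 0.76]


def far(attack_scores, threshold):
    """False acceptance rate: fraction of impostor trials the verifier accepts.
    A trial is accepted when its score reaches the threshold."""
    if not attack_scores:
        return 0.0
    return sum(s >= threshold for s in attack_scores) / len(attack_scores)


def frr(genuine_scores, threshold):
    """False rejection rate: fraction of genuine trials the verifier rejects."""
    if not genuine_scores:
        return 0.0
    return sum(s < threshold for s in genuine_scores) / len(genuine_scores)


def evaluate(genuine, different, converted, threshold):
    """Report the three rates the paper's tables distinguish, at one threshold."""
    return {
        "FRR": frr(genuine, threshold),
        "FAR_different_speaker": far(different, threshold),
        "FAR_conversion": far(converted, threshold),
    }


def threshold_for_far(attack_scores, target_far):
    """Smallest candidate threshold whose FAR on attack_scores is <= target_far.
    Candidates are the observed scores plus one value above the maximum, which
    always rejects everything and so guarantees a result."""
    candidates = sorted(set(attack_scores)) + [max(attack_scores) + 1.0]
    for t in candidates:
        if far(attack_scores, t) <= target_far:
            return t
    return candidates[-1]


def hardening_cost(genuine, converted, target_far):
    """Raise the threshold until conversion-attack FAR <= target_far and
    return (threshold, resulting FRR on genuine speakers)."""
    t = threshold_for_far(converted, target_far)
    return t, frr(genuine, t)


if __name__ == "__main__":
    print(evaluate(GENUINE, DIFFERENT_SPEAKER, CONVERSION_ATTACK, 0.6))
    print(hardening_cost(GENUINE, CONVERSION_ATTACK, 0.2))
```

With the constructed scores, a threshold that rejects every different-speaker trial still accepts 70% of the converted ones, and forcing the conversion-attack FAR down to 20% rejects 40% of genuine speakers: the threshold alone cannot fix a verifier that scores morphed voices close to the real ones.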

Having tested the machine-based speaker verification, one is eager to see how the human-based verification performs.
For this setup, online workers from Amazon Mechanical Turk (M-Turk, a crowdsourcing marketplace) were recruited to give their voices to build a model for the attack. The setup consisted of two parts: A “famous speaker study”, and a “briefly familiar speaker study”. The former aimed for an attacker to mimic the voice of a popular celebrity – one that many participants knew and would be able to recognize more easily. For that scenario, the voices of Morgan Freeman and Oprah Winfrey were used by collecting samples from some of their speeches. The latter intended to re-create the situation where somebody received a call from a person he or she met just briefly before – like at a conference. The participants from both studies conducted the tests and were asked, after listening to each of the vocal samples, to state whether the voice they just heard belonged to one of the famous speakers – or in the second case, to one of the briefly familiar speakers. The results from both of these studies are shown below:

Source: “All Your Voices Are Belong to Us” by D. Mukhopadhyay et al.

They show that the participants were a bit more successful in detecting a “different speaker” (an unknown voice) than in verifying the original one – but the rate of successfully detecting a conversion attack was around 50%, which is not really a comforting value. The “not sure” option that the participants could choose shows that they were confused. If this scenario were to happen in real life, it is to be expected that this confusion could severely affect a person’s ability to verify a speaker’s identity.
With the briefly familiar speakers, the success rate of detecting a conversion attack was about 47%, which means that over 50% of the users could not say for sure whether an attack was present.

Let’s recap for a moment – we’ve seen that with modern means of technology it is rather easy and accessible to mimic a voice and trick people into believing that it is actually the real voice of a person familiar to them – with a possible success rate over 50%, depending on the quality of the samples used.

But why can we be tricked so easily? Isn’t there a way to sharpen our subconscious decision-making when it comes to speaker legitimacy detection?

Well, relating to the first question, another study by A. Neupane, N. Saxena, L. Hirshfield, and S. Bratt tried to find a biological relation to the rather poor test results.
In their paper – that describes a brain study based on the same tests from the studies described before – they try to find that relation.
Why a brain study? Previous studies have found differences in neural activation in the human brain in similar areas when users were viewing real and counterfeit items like websites and Rembrandt paintings.
In their study, Neupane and his team tried to confirm that some specific “and other relevant brain areas might be activated differently when users are listening to the original and fake voices of a speaker”.

To investigate this, they conducted the same tests but monitored the users’ brain activity using a neuroimaging technique called “fNIRS” (Functional Near-Infrared Spectroscopy), by which activity in neural areas of interest can be inferred from changes in oxygenated (oxy-Hb) and deoxygenated (deoxy-Hb) hemoglobin.
There are basically only a few neural activation areas of interest for this kind of scenario. They are listed below:

Source: “The Crux of Voice (In)Security: A Brain Study of Speaker Legitimacy Detection” by A. Neupane et al.

For brevity’s sake, only the applicable abbreviations are used from here on.

The figure shows the three test runs: the first frame shows the Original Speaker Attack, the second the Morphed Voice Attack and the third the Different Speaker Attack. During the tests, the active regions around DLPFC, FPA and STG (working memory and auditory processing) show that the participants were actively trying to decide whether the voice they heard was real or fake.

Following their hypothesis, the team tried to show that there should be a difference in the Orbitofrontal Area (OFA), where decision making and trust processes take place, especially when comparing the original speaker with the morphed voice.
But surprisingly, there were no such statistically significant differences! That suggests that the morphed voices may have sounded identical enough to the original voices to raise no skepticism in the human brain. Furthermore, a higher activation in FPA and MTG was observed when the participants were listening to the voice of a familiar speaker compared to an unfamiliar speaker. This illustrates that the human brain processes familiar voices differently from unfamiliar ones.

To sum up, here’s what we learned from all of that:

  • Human voice authenticity can easily be breached
  • People seem to detect attacks against familiar celebrities’ voices better than attacks against briefly familiar voices, but an uncertainty of about 50% still remains
  • The brain study surprisingly shows that even though users put considerable effort in making real vs. fake decisions, no significant difference is found in neural areas of interest with original vs. morphed voices

Still wonder what that means for you?

Well, first, we should all be aware of the fact that a vocal impersonation of individuals is indeed possible, even with reasonable effort. That could target politicians as well as family members, friends or employees of your bank. Voice phishing via phone becomes a real threat, especially when an attacker is able to perform an attack where his or her voice can be morphed “on the fly” (without prior rendering or preparation of spoken statements).

It is also important to mention that the studies described were conducted with young and healthy participants. If older people or people with hearing disabilities became victims of such attacks, they might perform even worse than the participants of the studies.
Finally, voice morphing technologies will probably advance faster in time than our brains evolve – our very own “biological weakness” remains.

Now, isn’t there anything we can do about that?

Probably the most important thing about all of these findings is to become aware of the possibilities of such attacks. It helps not to rely only on information given to you via phone, especially when it comes to handling sensitive information or data.
With social media becoming a growing part of our lives, we should nevertheless be wary about posting our audio-visual life online, especially in a public manner where samples of our voices become available to everyone.

A tip against voice phishing is to never call back to provided phone numbers. If the caller claims to be from your bank – look up the phone number online, it might be a much safer option.

In conclusion, voice is not the only form of biometric identification that has flaws – even though in our own perception it seems unique. Regardless, it should never be used on its own to ascertain a person’s identity.
But even with security based on strongly encrypted private keys, at some point in human interaction the link between machine and human has to happen – and that is where we will continue to find weak spots.

References

  • “All Your Voices Are Belong to Us: Stealing Voices to Fool Humans and Machines” by D. Mukhopadhyay, M. Shirvanian, N. Saxena
  • “The Crux of Voice (In)Security: A Brain Study of Speaker Legitimacy Detection” by A. Neupane, N. Saxena, L. Hirshfield, S. E. Bratt
  • “Sprachverarbeitung: Grundlagen und Methoden der Sprachsynthese und Spracherkennung” by B. Pfister and T. Kaufmann
  • https://krebsonsecurity.com/2018/10/voice-phishing-scams-are-getting-more-clever/
  • http://www.koreaherald.com/view.php?ud=20190317000115

Social Engineering – Learn From the Best!


It isn’t always necessary to attack by technical means to collect information or to penetrate a system. In many cases, it’s more effective to exploit the human risk factor. To successfully protect yourself and your company from social engineering, you have to understand how a social engineer works. And the best way to do this is by listening to the world’s most wanted hacker, Kevin David Mitnick. Nowadays, the former social engineering hacker uses his expert knowledge to advise companies on how to protect themselves against such attacks. This blog entry is based on his bestseller “The Art of Deception: Controlling the Human Element of Security”. It sheds light on the various techniques of social engineering and enumerates several ways in which you can arm yourself against them.


Security and Usability: How to design secure systems people can use.

Security has become highly important because of rising technological standards. Unfortunately, this leads to a conflict with usability, as security makes operations harder whereas usability is supposed to make them easier. Many people are convinced that there is a tradeoff between the two. This results in either secure systems that are not usable or usable systems that are not secure. Though developers are still struggling with the tradeoff, this point of view is somewhat outdated. There are solutions that do help to design secure systems people can use.
