Insider Threat Use Case: Detecting and Stopping Cryptojacking

Cryptocurrency is a hot topic right now, and even though its price is drastically falling across the board, this incredible technology will have lasting impacts on the world for years to come. Though a majority of the focus on cryptocurrencies has been on their negative uses, such as ransomware, the trade of illicit goods, or an easier way of laundering money, there are many positive applications of cryptocurrencies that should be considered. In fact, cryptocurrencies are currently paving the way for a new era of global commerce and trade outside of a central regulation authority.

With the recent public spotlight on cryptocurrency, many people are exploring ways to mine the technology using their existing hardware. Normally, this method isn’t that profitable and comes with the risk of damaging your hardware if left unchecked. There are tons of new tools and methods to help you get started with mining. Below is an example of ccminer on a Windows system.

A ccminer on a Windows SystemFigure 1: A ccminer on a Windows System

It’s perfectly acceptable for someone to use their own hardware to mine cryptocurrencies. However, many people attempt to utilize corporate resources to expand their mining empire, which can be a dangerous practice. Fortunately, this activity is easy to detect and block. In fact, a majority of mining applications are already flagged as malicious by corporate antivirus solutions. For example, Cylance detected ccminer and cpuminer as seen below.

Cyclance Detects ccminer and cpuminerFigure 2: Cyclance Detects ccminer and cpuminer

Even if the mining application is not blocked, miners need to connect to mining pools, which usually run on non-traditional ports, such as 3333. Luckily, most organizations already block these ports.

Port 3333 is BlockedFigure 3: Port 3333 is Blocked

Passively Running Crypto-Mining Applications

Seems pretty easy to detect and block on a corporate network, right? Unfortunately, it’s not quite that simple. There are ways to run crypto-mining applications and go undetected. Various websites, such as Coinhive, CoinImp, Coinpot, and others allow you to mine by simply visiting a webpage.

Web Page Enables MiningFigure 4: Web Page Enables Mining

These applications don’t have a high return on investment (ROI), and a portion of the mining goes to the overarching script owner. However, they offer a quick and easy way to mine cryptocurrency without the need to install anything on the target system. This works particularly well if you can get a large number of systems to visit a website and mine on your behalf.

Coinhive is the most commonly observed web application crypto-mining provider. It delivers quick and easy JavaScript that can be injected into existing websites and advertisements, allowing the miner to profit from small amounts of CPU utilization over time. While it is possible to notify website visitors that this is happening, often attackers will run this application passively in the background. This occurs by copying and modifying the Coinhive JavaScript code. This method of passively running crypto-mining applications is referred to as cryptojacking.

When Copied and Modified, Coinhive JavaScript Allows for Passively Mining CryptocurrencyFigure 5: When Copied and Modified, Coinhive JavaScript Allows for Passively Mining Cryptocurrency

Passively mining cryptocurrency in the background is a far less significant risk than other possible attack scenarios. It is even less risky than a user collecting from cryptocurrency faucets—that is, until passively mining cryptocurrency becomes more widespread and impacts energy costs or even destroys hardware.

Fortunately, detecting this activity is really straightforward. In fact, browser add-ons such as uBlock Origin, will block a majority of cryptominers by default. And if you’re on a website or are otherwise affected by a cryptominer, you’ll see your web browser processes spiking. With LogRhythm NetMon, you can use a simple domain rule to see who is hitting known cryptomining websites, making this activity easy to track and monitor.

LogRhythm NetMon Gives You Visibility Into Who is Frequenting Known Cryptomining WebsitesFigure 6: LogRhythm NetMon Gives You Visibility Into Who is Frequenting Known Cryptomining Websites

Use Case: Detecting Cryptojacking at LogRhythm

At LogRhythm, we typically support developers who choose to run cryptominers on their websites as opposed to advertisements. After all, ads have a tendency to deliver malware. Previously, LogRhythm did not block known mining sites until they became a problem.

For example, over the course of a week, we noticed a few systems were consistently sending traffic to Coinhive. Normally we wouldn’t be concerned, but this was consistent, around-the-clock mining activity from a few end-user systems, a development server, and a personal system registered on our guest network.

Devices Consistently Send Traffic to CoinhiveFigure 7: Devices Consistently Send Traffic to Coinhive

In addition to the alerts generated within the SIEM when the uptick in Coinhive traffic began, two of the affected users submitted IT tickets, noting their systems were slow and that fan icons were spinning non-stop. When we investigated their hosts with Carbon Black Response, we found that the culprit was Internet Explorer running as a background process.

Internet Explorer Runs as a Background ProcessFigure 8: Internet Explorer Runs as a Background Process

This immediately looked suspicious, so we decoded the Base64 encoded PowerShell and validated that this launched Internet Explorer in headless mode.

The Base64 Encoded PowerShell is DecodedFigure 9: The Base64 Encoded PowerShell is Decoded

This code was likely taken from Rvrsh3ll’s CrypoCureencyPowerShell example and compressed.

Identifying the Culprit

While digging into this suspicious activity, our encoded PowerShell alarms began to trigger on additional systems. Each contained the same mining key and were executed by the same user (our culprit), with the exception of the end-user laptops.

Additional Systems Contain the Same Mining KeyFigure 10: Additional Systems Contain the Same Mining Key

Upon checking in with LogRhythm CloudAI, we confirmed that the user behind this activity was our top most anomalous user during this time period. We’ll refer to this user as “Nick” for the purposes of this blog.

LogRhythm CloudAI Identifies Top Anomalous UsersFigure 11: LogRhythm CloudAI Identifies Top Anomalous Users

We traced all authentication activity from Nick’s system to a select few development servers, where Nick used PsExec and Remote Desktop to launch the PowerShell script across other hosts that he access in the development VLAN. For the laptops, we reviewed camera footage and endpoint logs for the time period the scripts were detected. We then determined that Nick used a USB Human Interface Device (HID) to run the script when his co-workers left their systems unlocked.

Nick Uses a USB Human Interface Device (HID) to Run a Script on his Co-Workers’ SystemsFigure 12: Nick Uses a USB Human Interface Device (HID) to Run a Script on his Co-Workers’ Systems

All in all, this was a simple insider threat scenario that we easily detected and stopped before this individual turned LogRhythm into a part-time cryptocurrency mining operation. This example highlights the need for focused user entity and behavioral analytics (UEBA) across the organization, as threats to your business can come in many shapes and sizes.

If you’re looking to detect and block this activity on your network, I suggest reviewing the CoinBlockerLists developed by ZeroDot1 available here: https://github.com/ZeroDot1/CoinBlockerLists. These lists can be integrated with the SIEM and Network Monitor to increase visibility into this activity on your network.