Forensic Case Files: Unauthorized Bitcoin Mining

“This makes me very angry, very angry indeed.” 

– Marvin the Martian

In Duck Dodgers in the 24½th Century, Daffy Duck (playing the part of Duck Dodgers) battles Marvin the Martian in a contest over territorial rights to Planet X.  Duck Dodgers claims the planet for Earth after discovering it contains a rare element. Just as Duck Dodgers claims the planet, Marvin the Martian lands and claims it in the name of Mars.  A battle for territory ensues that leads to the destruction of Planet X.

If there’s one thing that’s sure to get anybody’s goat, it’s ending up in a battle over your own server.  When somebody does something to your computer without your permission, whether it’s as trivial as changing your desktop wallpaper or as serious as installing malware to your server, it’s frustrating. When it happens in a business environment, it can potentially put customer data at risk.

In this case study, our client came to us after they found something disturbing on one of their servers. They had discovered unauthorized Bitcoin mining operations on an isolated server they used for Disaster Recovery testing. Our client also told us they’d been temporarily locked out of their own machine. Their own password wouldn’t work!

Unauthorized cryptocurrency mining is increasingly common. A recent report by Kaspersky estimates that up to 1.65 million machines are affected by malware customized for mining cryptocurrencies such as Bitcoin.

Unauthorized Bitcoin Mining… and More?

Unauthorized Bitcoin mining and other cryptocurrency mining affects computers throughout the world without their owners' knowledge or consent.

Our client had conducted an internal review after identifying the compromise and before contacting us. The affected server wasn’t a production environment. However, they wanted to ensure that whoever had done this hadn’t compromised any of their clients’ data, and they wanted to know the full extent of the problem.

The system had been open to the Internet via RDP (Remote Desktop Protocol), and once our client had found the compromise, they had immediately disabled RDP to prevent future intrusions. It wasn’t clear exactly how the intruders got in, nor what they had done once inside, but our client’s internal review did discover two things of great interest.

Two Intruders

Their internal review discovered two pieces of malware on the machine: FlowSpirit and MinerGate. FlowSpirit, “the Best Traffic Bot Ever Created,” is black-hat “link magnification” freeware. It boosts traffic to websites, increases search engine rankings, and boosts pay-per-click activity by generating artificial website traffic. This bot commonly ends up on a machine as an add-on downloaded during the installation of other free software.

MinerGate is cryptocurrency mining software. It uses spare CPU cycles to generate digital currency for whoever installed it. The client’s server was used for Disaster Recovery testing. Obviously, no one, save for the mysterious intruder, intended to use it for web browsing or Bitcoin mining. But unfortunately, unauthorized mining of this nature is becoming more common. According to a SecureList report from September 2017, over five thousand computers have had MinerGate installed on them without the user’s knowledge.

The client used malware-scanning software packages to check the server and identified no further cases of malware, but still had further concerns. Our client wanted to know how the unwanted software got onto the machine. They also wondered if their own malware scanning tools had missed something.

A Second Opinion

The client sent an image of their Windows Server 2012 R2 Datacenter server to Tetra Defense, formerly Gillware Digital Forensics, for forensic examination. During our initial review of the file system, we found a zipped copy of NLBrute in the Downloads folder for the user “Administrator” right off the bat. Uh-oh! NLBrute is a tool for brute-forcing Remote Desktop Protocol logins, and its presence on a compromised host is a strong hint that the machine was being used to attack other RDP servers as well.

Screenshot of back.bat when run.

Digging a bit deeper, I found two deleted folders containing single text files that had once lived on the Administrator’s desktop. These folders and files had simple names: 1/1.txt and 2/2.txt. I also discovered a folder in the C:\Windows directory called “back,” as well as a file named “back.exe” in the same location. In this case, I found that “back” stood for “back door.”

Batch File Scripting

Screenshot of VPS Tools.bat when run.

Inside the “back” folder I found several old-school batch files, including one named “back.bat” and another named “VPSTools.bat.”

These batch file scripts contained a lot of interesting functionality. They worked together with another batch file to both brute force VPS (virtual private server) logins over RDP and establish a new user. A third batch file would supply a username and password once a successful brute force had occurred. Taken together, these batch files automated the classic Sticky Keys backdoor: the accessibility helper C:\Windows\System32\sethc.exe, which Windows launches when Shift is pressed five times, is replaced with a copy of cmd.exe or redirected to it through an Image File Execution Options “Debugger” registry value, so that the key sequence at the logon screen spawns a SYSTEM-level command prompt without any credentials. From there, adding an administrator account or resetting an existing password is a one-line net user command, which is exactly how an intruder can end up locking the legitimate owner out of their own machine.
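As an added example (not one of the batch files recovered from the server, and not code from Tetra Defense), the PowerShell function below checks a system for the backdoor the Sticky Keys trick leaves behind: an accessibility helper in System32 swapped for cmd.exe or powershell.exe, or redirected to another program through an Image File Execution Options Debugger value. The list of helper binaries, the default registry path and the example drive letter for a mounted image are assumptions for illustration.

```powershell
# Added example: hunt for the accessibility-binary backdoor that the Sticky Keys trick depends on.
# Two variants are checked for each helper binary:
#   1. the file in System32 has been swapped for a copy of cmd.exe / powershell.exe (SHA-256 comparison)
#   2. an "Image File Execution Options" Debugger value makes the loader start another program instead
# Defaults examine the live host. For a mounted forensic image, pass -SystemRoot (e.g. E:\Windows) and,
# after loading the image's SOFTWARE hive with  reg load HKLM\IMG E:\Windows\System32\config\SOFTWARE ,
# pass -IfeoKey 'HKLM:\IMG\Microsoft\Windows NT\CurrentVersion\Image File Execution Options'.
function Test-AccessibilityBackdoor {
    [CmdletBinding()]
    param(
        [string]$SystemRoot = $env:SystemRoot,
        [string]$IfeoKey    = 'HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options'
    )
    # Helpers winlogon launches on the secure desktop, i.e. before any credentials are presented (assumed list).
    $targets  = 'sethc.exe', 'utilman.exe', 'osk.exe', 'narrator.exe', 'magnify.exe', 'displayswitch.exe', 'atbroker.exe'
    $system32 = Join-Path $SystemRoot 'System32'

    # Shells an attacker typically copies over the helper, keyed by SHA-256 so a renamed copy still matches.
    $shellHashes = @{}
    foreach ($rel in 'cmd.exe', 'WindowsPowerShell\v1.0\powershell.exe') {
        $p = Join-Path $system32 $rel
        if (Test-Path $p) { $shellHashes[(Get-FileHash -Path $p -Algorithm SHA256).Hash] = $rel }
    }

    $findings = New-Object System.Collections.Generic.List[object]
    foreach ($t in $targets) {
        $path = Join-Path $system32 $t
        if (Test-Path $path) {
            $hash = (Get-FileHash -Path $path -Algorithm SHA256).Hash
            if ($shellHashes.ContainsKey($hash)) {
                $findings.Add([pscustomobject]@{ Target = $t; Technique = 'Binary replaced'
                                                 Evidence = "SHA-256 identical to $($shellHashes[$hash])" })
            }
            # A helper that is not Microsoft-signed has been tampered with even if it is not a known shell.
            $sig = Get-AuthenticodeSignature -FilePath $path
            if ($sig.Status -ne 'Valid' -or $sig.SignerCertificate.Subject -notmatch 'Microsoft') {
                $findings.Add([pscustomobject]@{ Target = $t; Technique = 'Unsigned or third-party binary'
                                                 Evidence = "Signature status: $($sig.Status)" })
            }
        }
        # IFEO variant: no file is touched at all; the registry tells the loader to run the Debugger instead.
        $key = Join-Path $IfeoKey $t
        if (Test-Path $key) {
            $dbg = (Get-ItemProperty -Path $key -Name Debugger -ErrorAction SilentlyContinue).Debugger
            if ($dbg) {
                $findings.Add([pscustomobject]@{ Target = $t; Technique = 'IFEO Debugger hijack'
                                                 Evidence = "Debugger = $dbg" })
            }
        }
    }
    return $findings
}

# Usage: an empty result means neither variant was found on this system.
Test-AccessibilityBackdoor | Format-Table -AutoSize
```

On a mounted image, Authenticode validation depends on the examiner's own catalog store and can report legitimate files as NotSigned, so treat the hash match and the IFEO Debugger value as the reliable indicators there and the signature result as a lead to confirm by hand. Cleanup is not just restoring sethc.exe: the account the backdoor was used to create, and any password it reset, have to be found and removed as well.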

VPSTools.bat also contains a more direct clue: a URL within the script, as well as some references to an Iranian hacking team. However, free hacking tools are shared widely, and the origin of a tool does not necessarily tell you who the current attacker is.

Mining for More Artifacts

Review of the registry hives, ShellBags, JumpLists, UserAssist, and LNK files revealed additional evidence of Bitcoin mining and use of the link magnification software. Fortunately, we found no evidence of any direct attention paid to any of our client’s customer VMs. Windows Event Logs showed several Iranian IP addresses connecting to the machine via RDP. We also found evidence of ongoing attempts, launched from this server, to brute force an additional target via RDP; these attacks had continued right up until the client disabled RDP.
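To show what the RDP evidence in the Security log looks like, here is an added PowerShell example (constructed sample data, not the client’s logs, and not code from Tetra Defense). It groups 4625 failed-logon events by source address, scores each source by its peak failure count inside a sliding window, and flags any source that then achieved a successful LogonType 10 (RemoteInteractive, i.e. RDP) logon. The IP addresses, usernames, timestamps and thresholds are made up for illustration.

```powershell
# Added example: spot RDP password guessing in the Windows Security log.
# Event 4625 = failed logon, 4624 = successful logon; LogonType 10 = RemoteInteractive (RDP).

function ConvertFrom-SecurityEvent {
    # Flatten Get-WinEvent records into the shape Find-RdpBruteForce consumes.
    param([Parameter(Mandatory, ValueFromPipeline)] $Record)
    process {
        $d = @{}
        foreach ($n in ([xml]$Record.ToXml()).Event.EventData.Data) { $d[$n.Name] = $n.'#text' }
        [pscustomobject]@{
            Time      = $Record.TimeCreated
            Id        = $Record.Id
            User      = $d['TargetUserName']
            Ip        = $d['IpAddress']
            LogonType = [int]$d['LogonType']
        }
    }
}

function Find-RdpBruteForce {
    param(
        [Parameter(Mandatory)] [object[]]$Events,
        [int]$Threshold = 20,                              # failures inside one window that count as an attack (assumed)
        [timespan]$Window = [timespan]::FromMinutes(10)
    )
    $results = New-Object System.Collections.Generic.List[object]
    $byIp = $Events | Where-Object { $_.Ip -and $_.Ip -ne '-' } | Group-Object Ip
    foreach ($grp in $byIp) {
        $sorted = @($grp.Group | Sort-Object Time)
        $fails  = @($sorted | Where-Object { $_.Id -eq 4625 })
        # Two-pointer scan: largest number of failures whose timestamps fall inside a single window.
        $peak = 0; $start = 0
        for ($i = 0; $i -lt $fails.Count; $i++) {
            while (($fails[$i].Time - $fails[$start].Time) -gt $Window) { $start++ }
            if (($i - $start + 1) -gt $peak) { $peak = $i - $start + 1 }
        }
        if ($peak -lt $Threshold) { continue }
        # A successful RDP logon from the same address after the guessing began means a password fell.
        $firstFail   = $fails[0].Time
        $success     = @($sorted | Where-Object { $_.Id -eq 4624 -and $_.LogonType -eq 10 -and $_.Time -ge $firstFail })
        $successTime = if ($success.Count -gt 0) { $success[0].Time } else { $null }
        $verdict     = if ($success.Count -gt 0) { 'brute force followed by RDP logon' } else { 'brute force attempts' }
        $results.Add([pscustomobject]@{
            SourceIp     = $grp.Name
            FailedLogons = $fails.Count
            PeakInWindow = $peak
            UsersTried   = (@($fails | ForEach-Object User | Sort-Object -Unique) -join ', ')
            SuccessAfter = $successTime
            Verdict      = $verdict
        })
    }
    return $results
}

# Constructed sample: 30 guesses from one address over 3 minutes, then a successful RDP logon,
# plus a legitimate admin who mistyped a password once. Addresses are documentation ranges.
$base = [datetime]'2017-09-10T02:00:00'
$SampleEvents = New-Object System.Collections.Generic.List[object]
foreach ($i in 0..29) {
    $SampleEvents.Add([pscustomobject]@{ Time = $base.AddSeconds(6 * $i); Id = 4625
                                         User = @('administrator', 'admin', 'backup')[$i % 3]
                                         Ip = '198.51.100.23'; LogonType = 10 })
}
$SampleEvents.Add([pscustomobject]@{ Time = $base.AddMinutes(4); Id = 4624; User = 'administrator'; Ip = '198.51.100.23'; LogonType = 10 })
$SampleEvents.Add([pscustomobject]@{ Time = $base.AddHours(1); Id = 4625; User = 'jdoe'; Ip = '192.0.2.10'; LogonType = 10 })
$SampleEvents.Add([pscustomobject]@{ Time = $base.AddHours(1).AddSeconds(20); Id = 4624; User = 'jdoe'; Ip = '192.0.2.10'; LogonType = 10 })

Find-RdpBruteForce -Events $SampleEvents | Format-Table -AutoSize

# Against a live host or a mounted image's exported Security.evtx (use -Path instead of LogName):
# $live = Get-WinEvent -FilterHashtable @{ LogName = 'Security'; Id = 4624, 4625 } | ConvertFrom-SecurityEvent
# Find-RdpBruteForce -Events $live
```

Two caveats a practitioner will hit on real logs. With Network Level Authentication enabled, failed RDP attempts are usually recorded as 4625 with LogonType 3 rather than 10, which is why the function counts every failure from a source and restricts only the success check to type 10. And the same 4625 stream on the attacking side is what the target of this server’s own NLBrute runs would have seen, so the function is equally useful for confirming the outbound attacks the page describes if the victim’s logs become available.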

Fortunately, our client had kept this server completely isolated from their production environment and all other customer data, and it reached the Internet through a pfSense firewall. As a result, the server was effectively sandboxed; in this case, in fact, it acted as an unintentional honeypot. In all, the intrusion was brief, spanning less than a week, and was handled well by the client.

Don’t Underestimate the Vulnerabilities of Virtual Environments

All of this goes to show that vulnerabilities are still present in cloud and virtual computing environments, and compromises can still occur there. Unauthorized cryptocurrency mining happens in virtual environments just as readily as on physical hardware. Far too many people fall victim to a false assumption about virtual machines: they believe a virtual environment is less at risk from cyber threats than a physical one. In truth, a virtual machine carries every vulnerability of the operating system and services running inside it, and the hypervisor does nothing to protect an RDP listener that has been exposed to the Internet. In a world of ever-sneakier cybercriminals and other ne’er-do-wells, you cannot afford to leave your environments, virtual or otherwise, at risk. Otherwise, you might find yourself in a territory battle with unwanted visitors.