How to Use Cortex XDR to Monitor Cryptojacking Malware

cancel
Showing results for 
Show  only  | Search instead for 
Did you mean: 
Announcements
L4 Transporter

poc-xdr-cryptojacking.jpg

 

In this PoC, we will use Cortex XDR to monitor how the malware known as Adylkuzz, a cryptocurrency miner, behaves when it is allowed to run freely on an endpoint. During the PoC we will try to understand how Adylkuzz spreads, maintains persistence and evades detection, and how Cortex XDR can help us detect these kinds of malwares using both traditional and security approaches, as well as behavioral analytics. 

Malware used: Adylkuzz (c.exe)

 

What is Cryptomining?

 

Cryptomining is the process of using specialized software to verify transactions on a blockchain and adding them to the public ledger. In order to perform this function, a miner must solve complex mathematical equations, which requires a significant amount of computational power. When a miner successfully solves an equation, they are rewarded with a certain number of cryptocurrency units. This process is known as mining, and the person performing the mining is known as a miner.

 

Cryptomining can also refer to the illegal use of someone else's computer resources to mine cryptocurrency without their knowledge or consent. This type of cryptomining is known as malware-based or illicit mining, and it's a significant security concern because it can cause system slowdowns and crashes and can also consume a large amount of energy which can cause hardware damage if the hardware is not designed to withstand heavy load.



What is Cryptojacking?

 

Cryptojacking is a type of cyber attack in which attackers infect a victim's computer with malware that uses the victim's resources to mine cryptocurrency without their knowledge or consent. The malware runs in the background and uses the victim's CPU and GPU power to mine coins and send them to the attacker's wallet. This type of attack is often difficult to detect because the malware runs in the background and does not typically cause any visible disruption to the victim's computer. The victim may only notice a slow down in their computer performance or an increase in their electricity bill as a result of the increased power usage.

 

Unlike cryptomining, in Cryptojacking, the attacker does not typically gain any direct financial benefit from mining the cryptocurrency, instead, the attacker uses the victim's resources to gain the cryptocurrency and keep them for their own use

 

About Adylkuzz

 

Adylkuzz is a type of malware that is used to perform cryptomining on a victim's computer. It was first discovered in May 2017 and is similar in functionality to the WannaCry ransomware that was discovered around the same time. Adylkuzz uses the same exploit (EternalBlue) as WannaCry to propagate itself across a network and infect computers. However, instead of encrypting the victim's files and demanding a ransom, Adylkuzz uses the infected computers to mine Monero cryptocurrency and sends the mined coins to the attacker's wallet.

 

Adylkuzz is particularly notable because it is a fileless malware and it uses the built-in Windows command-line utilities (WMIC and PsExec) to propagate itself across a network. This allows it to evade detection by traditional anti-virus software. Additionally, once a computer is infected with Adylkuzz, it will actively kill any rival cryptomining malware that is running on the computer to ensure that it can use all of the computer's resources for itself.

 

Adylkuzz also has worm-like characteristics, it is able to propagate itself to other computers on the same network by exploiting the same vulnerability as WannaCry. This ability to spread itself quickly makes Adylkuzz particularly dangerous, as it can infect a large number of computers in a short period of time.

 

Monitoring the Activities

 

For this PoC, we used a hosted windows virtual machine running Windows 10 Enterprise. 


We start off by creating a policy in report mode in order to allow the executable malware to run “freely” on the machine without XDR blocking it, while we monitor the activities.

 

This process involved creating:

 

  1. New prevention profile rules for malware and exploit.
  2. Creating a new policy rule, in which we applied the newly created prevention profiles.

 

mavraham_0-1676391603800.png

 

Now we have enabled the machine to monitor the entire flow of malware execution, without having XDR prevent the malicious file from running.

 

Spreading and pre-execution

 

As mentioned above, Adylkuzz, like many other forms of malware, utilizes social engineering tactics to trick users into installing it. This can be done in a number of ways, such as disguising the malware as a legitimate program or update, or by using phishing emails to lure users into clicking on a link that will install the malware on their computer.

 

In our instance, we had the file ‘c.exe’ downloaded and ready to execute on the machine. 

 

mavraham_1-1676391603823.png


Post Execution 

 

Once we have executed the “c.exe” file a new process is launched named ‘wuauser.exe’. Upon investigating the alert generated in Cortex XDR we can also note the c.exe file has disappeared and instead placed a new executable in the Fonts folder - a clear attempt at obfuscating the purpose of the file (there are not .exe files in the Fonts folder by default).

 

mavraham_2-1676391603827.png

 



Analyzing the alert generated by wuauser.exe we can also see through the Cortex XDR causality view that the file is unsigned, which should raise further suspicion.

 

mavraham_3-1676391603711.png

 

 Maintaining persistency


Looking at the registry changes made by the malicious file, we can tell the new service called WELM is masquerading as a Windows Event Log Management, a tool described by the malware as one meant to “prove event log to access management information”.

When in fact, the true purpose of the service is to establish a foothold in the infected endpoint, and make sure the miner will continue to run, even after reboot. The new process is set to run automatically every time the computer resets itself. To make sure it remains persistent, when the service fails it will also try to run again every 1 minute.

 

mavraham_4-1676391603825.png



mavraham_5-1676391603826.png

 

Cortex XDR analytics generated an Analytics BIOC alert that revealed that the process called c.exe.exe, which has a lower integrity level than SYSTEM, created a service called WELM. This means that a process with lower privileges was able to create a service with high privileges, often an indicator of malicious activity.

 

mavraham_6-1676391603821.png

 

Network analysis

 

Looking at the Network Connections tab in the causality chain, we can see that the malware initiated connection with two different URLs:

 

08.super5566.com - Adylkuzz has been reported to connect to this URL and related C&C server for multiple purposes:

  1. Report installation 
  2. Download cryptocurrency CPU miners
  3. Download additional configuration and updates

 

mavraham_7-1676391603645.png

 

 

Checking the domain’s reputation in VirusTotal also results in it being flagged as malicious by 7/90 vendors.

 

mavraham_8-1676391603657.png

 

icanhazip.com - a popular site that returns your external IP address.

 

mavraham_9-1676391603764.png

 

While initially this can seem like a harmless attempt, upon further investigation it appears that at one point in the site’s life, malware authors kept writing malware that would call out to icanhazip.com to find out what they had infected. If they could find out the external IP address of the systems they had compromised, they could quickly assess the value of the target. It is likely that adylkuzz utilized incanhazip.com in the same fashion.


Cortex XDR has not only identified the connection to the URL, but also raised an XDR Analytics BIOC alert notifying that a non-browser process accesses a website UI through a GET request, an uncommon method to download data from websites, likely with the purpose of sending that data back to the creator of the malware.

 

mavraham_10-1676391603701.png

 

mavraham_11-1676391603744.png

 

Conclusion

This article explored the potential risks of cryptomining and cryptojacking, particularly focusing on the Adylkuzz malware and how the Cortex XDR platform can help detect and prevent such attacks. During the proof of concept, Cortex XDR was able to identify the malware's behavior, including how it maintains persistence, evades detection, and reports back to its creator by analyzing its network connections, registry changes, and other activities. 

 

Want to learn more about cryptojacking attacks & responses? Read the blog Playbook of the Week: Cloud Cryptojacking Response.

Sources

VirusTotal

Adylkuzz-Cryptocurrency Mining Malware

Cybersecurity Insiders: All About Adylkuzz Malware Cyber Attacks

icanhazip: How a simple IP address tool survived a deluge of users

https://app.any.run/tasks/6f07fb16-d4fe-4ac3-b077-8928cdc39ea0/

  • 4769 Views
  • 0 comments
  • 2 Likes
Register or Sign-in
Labels