
Apple's APSDaemon Vulnerability Abused by Malware Distributors



Attackers can maliciously redirect visitors of websites that share counterfeit products, adult content or videos and dupe them into installing malware before they even land on the intended page. It is one of the most popular ways of generating revenue among hackers who gain access to websites by exploiting vulnerabilities in an installed plugin, whether a security flaw or simply outdated software.

Typically, malicious redirects are run by hackers intending to generate advertising impressions; however, the other consequences of malvertising can be dangerous, causing significant damage to unprotected machines. Such a campaign revolves around pushing malware and spam-laden advertisements into users' browsers. In 2019, attackers were seen launching campaigns of this kind against popular web browsers, namely Google Chrome, Microsoft Edge, Opera, and Safari.

Recently, malware distributors launched a new campaign that uses these web page redirects to exploit a DLL hijacking flaw in the Windows executable of Apple's Push Notification service, in order to get a cryptocurrency miner installed on the targeted user's system.

What is DLL hijacking?


DLLs (Dynamic Link Libraries) are extensions of the applications running on an operating system. Most applications keep parts of their code in separate files: when a user runs an application, it may or may not need a given piece of code, so that code is stored in a separate file and loaded into RAM only when required. This keeps the executable small while optimizing RAM usage and preventing the application from becoming too big to run smoothly.

Because DLLs are essential for running almost all applications, they are spread across many files and folders on users' computers. If an attacker succeeds in replacing the original DLL file with a counterfeit one carrying malicious code, this is termed DLL hijacking.

The latest program found to suffer from this flaw is Apple's Push Notification service executable (APSDaemon.exe), which was vulnerable to DLL hijacking. Since it loads AppleVersions.dll upon execution, if it fails to check whether the authentic AppleVersions.dll is being loaded, cybercriminals can replace the DLL with a fake one containing malware.

Running inside an authentic executable by Apple allowed the malware to operate with little to no risk of detection by antivirus software; moreover, the threat actors also employed a hashing algorithm to make detection even more difficult.
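To make the search-order point concrete, here is an added example (not code from the original article or from Apple) of the integrity check a defender would run against an application directory: it models the loader picking the first DLL of a given name along the search path, and compares every DLL sitting beside the executable against a manifest of expected hashes, flagging a replaced library (hash mismatch) or an extra one the vendor never shipped. The directory layout, file contents, the `planted.dll` name and the manifest are constructed for the demonstration.

```python
"""Integrity audit of an application directory for DLL hijacking.

Added example, not code from the original article or from Apple. It models the
Windows default DLL search order (application directory first, then the
system directory) and flags DLLs beside an executable that are either absent
from a vendor-supplied manifest of expected files or whose SHA-256 differs
from the manifest. The directory layout, file contents and manifest are
constructed here for the demonstration.
"""
from __future__ import annotations

import hashlib
import tempfile
from pathlib import Path


def sha256_of(path: Path) -> str:
    """SHA-256 hex digest of a file's bytes."""
    return hashlib.sha256(path.read_bytes()).hexdigest()


def resolve_dll(name: str, search_order: list[Path]) -> Path | None:
    """Return the first file named `name` along `search_order`, or None.

    Windows loads the first match it finds, so a same-named file planted in
    a directory searched earlier (typically the application directory)
    shadows the legitimate library further down the list.
    """
    for directory in search_order:
        candidate = directory / name
        if candidate.is_file():
            return candidate
    return None


def audit_app_dir(app_dir: Path, manifest: dict[str, str]) -> list[str]:
    """Flag DLLs in `app_dir` that the vendor manifest does not vouch for.

    `manifest` maps lower-cased DLL file name -> expected SHA-256 hex digest.
    A hash mismatch is the replaced-DLL case described in the article; a name
    missing from the manifest is an extra library dropped next to the binary.
    """
    findings: list[str] = []
    for path in sorted(app_dir.glob("*.dll")):
        name = path.name.lower()
        expected = manifest.get(name)
        if expected is None:
            findings.append(f"UNEXPECTED {name}: not in vendor manifest")
        elif sha256_of(path) != expected:
            findings.append(f"MODIFIED {name}: hash does not match manifest")
    return findings


def demo() -> tuple[str, list[str]]:
    """Build a constructed layout and run both checks.

    Returns which directory the loader would pick AppleVersions.dll from
    ("app_dir" or "system_dir") and the audit findings for the app directory.
    """
    with tempfile.TemporaryDirectory() as tmp:
        root = Path(tmp)
        app_dir = root / "Apple Application Support"  # constructed path
        system_dir = root / "System32"                # constructed path
        app_dir.mkdir()
        system_dir.mkdir()

        genuine = b"MZ genuine AppleVersions.dll (constructed bytes)"
        planted = b"MZ attacker-supplied replacement (constructed bytes)"
        # A genuine copy further down the search path, a tampered copy beside the exe.
        (system_dir / "AppleVersions.dll").write_bytes(genuine)
        (app_dir / "AppleVersions.dll").write_bytes(planted)
        (app_dir / "planted.dll").write_bytes(b"extra library not shipped by vendor")

        manifest = {"appleversions.dll": hashlib.sha256(genuine).hexdigest()}

        loaded = resolve_dll("AppleVersions.dll", [app_dir, system_dir])
        picked = "app_dir" if loaded is not None and loaded.parent == app_dir else "system_dir"
        return picked, audit_app_dir(app_dir, manifest)


if __name__ == "__main__":
    picked, findings = demo()
    print("loader would pick AppleVersions.dll from:", picked)
    for line in findings:
        print(line)
```

The loader picks the tampered copy in the application directory even though a genuine one exists further along the path, which is exactly why a signed host executable does not protect against a replaced dependency; the hash audit catches the swap regardless of where the file came from, and a real deployment would source the manifest from the vendor's installer or from a known-good golden image.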

Stantinko botnet's strategy now shifts to crypto-mining


The Stantinko botnet, which has been involved in various criminal ventures, has now added a Monero crypto-mining module to its arsenal. Since 2012 Stantinko has carried out a range of criminal activities such as fraud, ad injection, social network fraud and brute-force password-stealing attacks against former Soviet nations, targeting Russia, Ukraine, Belarus, and Kazakhstan. But recently researchers at ESET discovered that a major source of Stantinko's monetization since at least August 2018 has been a Monero crypto-mining module.


ESET describes Stantinko's mining module, dubbed CoinMiner.Stantinko, as a "highly modified version of the xmr-stak open-source crypto-miner". Stantinko is so powerful that it can "exhaust most of the resources of the compromised machine." ESET elaborates that each sample of the module is unique, as a different module is compiled for every victim. "This module's most notable feature is the way it is obfuscated to thwart analysis and avoid detection," said ESET. CoinMiner.Stantinko is divided into four logical parts with distinct capabilities. The main component does the actual mining, and the other three parts perform the following functions:
• suspending other (i.e. competing) crypto-mining applications
• detecting security software
• suspending the crypto-mining function if the PC is on battery power or when a task manager is detected, to prevent being revealed by the user

CoinMiner.Stantinko doesn't communicate with the mining pool directly; instead it uses a proxy whose IP address is derived from the description texts of YouTube videos. The module's communication with the proxies, including the hashing algorithm it uses, takes place over TCP and is encrypted with RC4. It can switch algorithms to mine whichever cryptocurrency is most profitable. When alerted to the abuse by ESET, YouTube removed the offending channels.

Preventing Detection
CoinMiner.Stantinko is very good at evading detection: it removes itself in the presence of a competitor and temporarily suspends mining if there is no power supply. "Our discovery shows that the criminals behind Stantinko continue to expand the ways they leverage the botnet they control," Hrcka concludes. "This remotely configured crypto-mining module, distributed since at least August of 2018 and still active at the time of writing, shows this group continues to innovate and extend its money-making capabilities."

Exposed Docker APIs Used by Attackers to Create New Containers That Perform Cryptojacking


Earlier this year it was revealed that attackers are utilizing insecure Docker and Kubernetes systems to distribute containers used to mine coins. A container is a package that includes an application and all of the dependencies needed to run it; such packages are then deployed as containers onto Docker or Kubernetes infrastructure accordingly.

Trend Micro recently observed an attacker scanning specifically for insecure, exposed Docker Engine APIs and using them to deploy containers that download and execute a coin miner.
Docker containers are deployed on a platform referred to as the Docker Engine, where they run in the background alongside other containers deployed to the system.

If the Docker Engine isn't properly secured, attackers can remotely use the Docker Engine API to deploy containers of their own making and start them on the insecure system.
Container Creation

When the container is deployed and started, it runs an auto.sh script that downloads a Monero miner and configures it to launch automatically. The script also downloads port scanning software, in order to look for other vulnerable Docker Engine instances on ports 2375 and 2376 and attempt to spread to them.

Scan all networks seen from the host, at a rate of 50,000 packets per second, for open ports 2375 and 2376; the result is saved in local.txt (anonymized/defanged):
masscan "$@" -p2375,2376 --rate=50000 -oG local.txt;
Conduct lateral movement by infecting or abusing more hosts found in the previous reconnaissance:
sudo sed -i 's/^Host: \([0-9.]*\).*Ports: \([0-9]*\).*$/\1:\2/g' local.txt;
sudo sh test3.sh local.txt;


With this method, a large number of Docker Engine containers can be amassed that mine coins for the attacker.

Although Docker Engine API abuse isn't new, it continues to be a problem because administrators don't properly secure their systems. To keep attackers from abusing insecure Docker Engine deployments, Trend Micro proposes that administrators apply the following security measures:


• Harden the security posture. The Center for Internet Security (CIS) has a reference that can help system administrators and security teams establish a benchmark to secure their Docker engine.
• Ensure that container images are authenticated, signed, and from a trusted registry (i.e., Docker Trusted Registry). Employing automated image scanning tools helps improve development cycles.
• Enforce the principle of least privilege. For instance, restrict access to the daemon and encrypt the communication protocols it uses to connect to the network. Docker has guidelines on how to protect the daemon socket.
• Properly configure how many resources containers are allowed to use (control groups and namespaces).
• Enable Docker's built-in security features to help defend against threats. Docker has several guidelines on how to securely configure Docker-based applications.
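As an added example of the "restrict access to the daemon and encrypt its protocols" measure (this is not code from the article, from Trend Micro or from Docker), the following Python audit reads a parsed daemon.json and flags a TCP listener for the Engine API that is bound to every interface or that lacks tlsverify (client certificate authentication); it also checks that a tlsverify setting comes with its CA, certificate and key paths. The two sample configurations, the weak one matching what the campaign scanned for and the hardened one, are constructed for the demonstration; the key names are Docker's real daemon.json options.

```python
"""Audit Docker daemon settings for an exposed, unauthenticated Engine API.

Added example, not code from the original article, Trend Micro or Docker. The
keys it inspects ("hosts", "tlsverify", "tlscacert", "tlscert", "tlskey") are
real daemon.json options; the two sample configurations are constructed for
the demonstration. Feed it the parsed contents of /etc/docker/daemon.json on a
host to get the same findings for real settings.
"""
from __future__ import annotations

import json
from urllib.parse import urlsplit

# Bind addresses that expose a listener on every interface of the host.
WILDCARD_BINDS = {"", "0.0.0.0", "::"}
# Paths that must accompany tlsverify for client certificate checks to work.
TLS_MATERIAL_KEYS = ("tlscacert", "tlscert", "tlskey")


def audit_daemon_config(config: dict) -> list[str]:
    """Return a list of findings for a parsed daemon.json; empty means clean.

    With no "hosts" key the daemon serves only the local unix socket, which
    is why a config without TCP listeners produces no findings.
    """
    findings: list[str] = []
    tls_verify = bool(config.get("tlsverify", False))

    for host in config.get("hosts", []):
        if not host.startswith("tcp://"):
            continue  # unix:// and fd:// listeners are local to the host
        parsed = urlsplit(host)
        bind = parsed.hostname or ""  # urlsplit strips the [] around IPv6
        if bind in WILDCARD_BINDS:
            findings.append(f"{host}: listener bound to all interfaces")
        if not tls_verify:
            findings.append(
                f"{host}: no tlsverify, so any client that can reach the port can create containers"
            )

    if tls_verify:
        missing = [key for key in TLS_MATERIAL_KEYS if not config.get(key)]
        if missing:
            findings.append("tlsverify is set but TLS material is missing: " + ", ".join(missing))
    return findings


# Constructed sample: the plain-text API on port 2375 reachable from anywhere,
# the pattern the article's scanner was hunting for.
WEAK_CONFIG = json.loads("""
{
  "hosts": ["unix:///var/run/docker.sock", "tcp://0.0.0.0:2375"]
}
""")

# Constructed sample: TLS on 2376, bound to one address, client certs required.
HARDENED_CONFIG = json.loads("""
{
  "hosts": ["unix:///var/run/docker.sock", "tcp://10.0.0.5:2376"],
  "tlsverify": true,
  "tlscacert": "/etc/docker/ca.pem",
  "tlscert": "/etc/docker/server-cert.pem",
  "tlskey": "/etc/docker/server-key.pem"
}
""")


if __name__ == "__main__":
    for label, cfg in (("weak", WEAK_CONFIG), ("hardened", HARDENED_CONFIG)):
        findings = audit_daemon_config(cfg)
        print(f"{label}: {len(findings)} finding(s)")
        for line in findings:
            print("  -", line)
```

The weak configuration yields two findings and the hardened one none. Even with tlsverify on, a host firewall limiting which source addresses can reach port 2376 is still worth adding, since TLS client verification protects the API but does not stop the port from showing up in a mass scan.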