Coinhive: Goodbye! Nice to know you!

‘Cause baby, now we’ve got bad blood
You know it used to be mad love
So take a look what you’ve done
’Cause baby, now we’ve got bad blood, hey!
Now we’ve got problems
And I don’t think we can solve ’em
You made a really deep cut
And baby, now we’ve got bad blood, hey!

Taylor Swift, Bad Blood

Coinhive announced that they are closing shop March 8, 2019. I just tweeted the news as I was not in the mood to blog and write that day.

#Coinhive : Goodbye… Nice to know you— Menard Osena (@Menardconnect) February 28, 2019

And that night I thought about it more. I also visited and re-read my coinminer post (which incidentally turned 1 year old recently 🙂), so allow me to share some personal insights here on my blog:

What does Coinhive closure mean?
This means the Coinhive JS files will STOP functioning on March 8, 2019. That is the same day as the Monero/XMR fork (block 1788000), a move by the Monero community to become more ASIC-resistant.

Overall, this means less web cryptojacking, which is beneficial for the public. I remember that at one point Coinhive accounted for 30% of the hashing power of the whole Monero mining network. I don’t have updated hashing power estimates for Coinhive and Monero, but one thing is for sure: Coinhive’s percentage is smaller now.

Should we celebrate it?
Yes of course. One bad actor gone is always good news for me (and I guess for the rest of the good guys too!)
But let us not lower our guard, because it is wise to consider the hydra effect (cut one head off, two more grow).

Quo Vadis?
I am still seeing lots of MALXMR and other malicious coinminers out there, so cryptocurrency mining malware is very much alive. There are a lot of factors at play here, so at the moment it’s difficult to guess what is in store for coinmining and the overall threat landscape.

In my opinion, the motivation for cryptojacking threats is more related to the exchange rate/price of Bitcoin. Bitcoin is currently trading below 4K USD, a mere fifth of its peak value (remember, the highest BTC price tag was around 20K USD in Dec 2017). The current BTC price is at the same level as Q3 2017 (the pre-Coinhive days of 2017). So I think that if the BTC exchange rate/price increases, the Monero/XMR price follows, and we can be sure to see increased malicious cryptojacking/mining activity.

So allow me to send a shoutout: “Goodbye Coinhive, Nice to know you”!

Other articles you can check out: ZDNET and Brian Krebs.

Before I end this post, here are some disclosure/disclaimer:

I work at Trend Micro. The views expressed in this blog are mine and mine alone (and do not necessarily represent my employer’s positions, strategies or opinions). Read more about me here. You can contact me via twitter or linkedin

On Cryptocurrency Mining Malware and Electroneum

Down to my last match fire I touch just to feel
Why is it easier to burn than it is to heal?

The Chainsmokers, XYLO, Setting Fires

Note: this article was written in the first week of March 2018, when there was no notable malware family messing with Electroneum (ETN)... yet.

While investigating some suspicious activity in one of our products’ logs, we stumbled upon an interesting cryptocurrency miner that abuses a new cryptocurrency, Electroneum.

We connected this malicious file to a newly created Russian domain that also hosts a “cool” assortment of live malware files (POWLOAD, an IRCBOT backdoor, and this SilverSpace cryptocurrency mining malware).

Screen capture of the newly created Russian domain with an open directory


The POWLOAD connection

The MS Word document (instructions.doc) found on this domain is very similar to Trojanized Microsoft documents we have seen in previous malicious spam campaigns, in that it uses PowerShell commands to execute malicious files.

As of analysis time (early March 2018), we have seen similar POWLOAD Trojanized MS documents in the US, the Russian Federation, Japan and Canada.

We believe that this POWLOAD document (or the other malicious file on the web server) will drop and execute the malicious cryptocurrency miner SilverSpace to complete the infection chain.

Silverspace coinminer

This malicious cryptocurrency mining malware has elaborate anti-AV, anti-virtual-machine, anti-debugger/analysis-tool and anti-process-monitoring-tool modules of the kind we usually see in ransomware and other malware-related files.

Another unique find for this cryptocurrency mining malware is that it abuses the Electroneum cryptocurrency by mining using a popular Electroneum mining pool (

What is Electroneum?

Electroneum is a new crypto kid on the block.


Electroneum (ETN for short) is based on the Monero blockchain and uses the CryptoNote hash algorithm. Like Monero, it promises more secure and private transactions when compared to Bitcoin. Electroneum dubbed their cryptocoin “the mobile cryptocurrency”, and they launched their mobile miner app in the first week of March 2018 after joining the GSMA.

Electroneum uses the CryptoNight/CryptoNote algorithm, so technically any mining tool for Monero/XMR (XMRig, XMR-Stak, etc.) can be used for Electroneum mining. ETN has been increasing in both popularity and market capitalization, which is a promising development for its mining community and ETN stakeholders. But sorry to break the news: this can also mean good news for malicious threat actors.

On ETN mining profits and payouts

We traced the Electroneum address used in the cryptocurrency mining configuration and found that this miner had earned the following in the first two weeks of March 2018:

  • 416 ETN as of March 15, 2018 6PM GMT+8

So your friendly AV Security Product Manager predicts that this SilverSpace cryptocurrency mining malware can be morphed and propagated via exploits like other PowerShell/POWLOAD coinminers out there. Malicious actors can also switch back to Monero mining or other CryptoNote coins (hello SUMO, hi GRFT), and I’m excited about the possibilities for this miner 🙂.

Fast Forward

Our friends from Microsoft published their findings on a malicious coinminer related to Electroneum.

The MS article seems to point to an XMRig clone abusing ETN. Grats to the Microsoft folks for the good presentation and big data analytics on the infection.

Trend Micro has a related piece on XMRig clones, Cluster of Coins: How Machine Learning Detects Cryptocurrency-mining Malware, a TM Security Intelligence blog collab post by yours truly.

IoC (Indicators of Compromise):

  • SHA-256: 3c21841151f3a2e32092f0e39250445057ec6667608cc80bf53443431a25aaca

What’s next???

For me? Maybe I will write another article explaining more about the mining profits and mining pool findings. Or maybe I will switch back to Monero threats and Coinhive discussions (burn baby burn). Who knows, I might open up and discuss my ICO experience here too hihihi!

It took me several months to write a follow-up post to my cryptocurrency mining malware article 🙂 so for now, let’s celebrate that I have finally posted one about Electroneum here at AV Security Product Manager dot com 🙂 Hooray!!!


Special thanks to Johnlery Triunfante and Matthew Camacho for the analysis, and to my teammates at TrendLabs HQ for the support. As always you guys are awesome 🙂


On Cryptocurrency Mining Malware

We don’t deal with outsiders very well
They say newcomers have a certain smell
You have trust issues, not to mention
They say they can smell your intentions
You’re lovin’ on the freakshow sitting next to you
You’ll have some weird people sitting next to you
You’ll think “How did I get here, sitting next to you?”
But after all I’ve said, please don’t forget

Twenty One Pilots, Heathens

Note: This article was conceptualized mid February 2018. I am reposting it here to jump-start my articles about cryptocurrency and malware for 2018.

We are seeing an increase in cryptocurrency mining malware (aka coinminer) activity in the overall threat landscape. In the threat samples we have seen from the labs, we have observed several notable findings:

  • the favorite cryptocurrency to mine/abuse is Monero (a shift from Bitcoin previously)
  • the resource sought/hijacked is the CPU (with a dash of GPU mining)
  • these coinminers can generally be categorized into 2 groups: scripts (web miners) and executable miners
  • among the executables, Windows files dominate, with some Mac OS and Linux files from time to time

Monero, the new Cryptocurrency Mining Malware King?

What is Monero?

Monero is a cryptocurrency that promises better anonymity than Bitcoin. As per the Monero website, sending and receiving addresses as well as transacted amounts are obfuscated by default. They claim that transactions on the Monero blockchain cannot be linked to a particular user or real-world identity. It is therefore logical for cybercriminals to make use of it for their activity, given the improved privacy and anonymity.

Monero can be mined on a machine’s CPU. Monero mining uses a compute-heavy algorithm called CryptoNight, which by design runs well on consumer CPUs. As CPU is a widely available resource among consumers, covertly distributing cryptocurrency miners to desktops seems feasible for malicious actors, and using the victim’s computing power (the victim pays the hardware and electricity costs) is attractive, as cryptocurrency mining provides a good monetization venue for their malicious campaign.

This CPU mining approach is the same one that was used and abused in the early days of Bitcoin. I have observed that since Bitcoin CPU mining cannot be done profitably nowadays, the shift will be to more cost-efficient and affordable cryptocurrencies like Monero. I believe the ASICs, mining rigs and cloud server farm combo is the way to go with Bitcoin, but this strategy needs a huge investment. Also, the mining difficulty for Bitcoin is so high now when compared to the early years of Bitcoin.

I am also theorizing that the current price of Bitcoin seems to affect cybercriminal usage, because high BTC prices make it too costly to procure/exchange Bitcoin, thus affecting the value/profits/RoI of the activity.

My thoughts on Coinhive…
Coinhive is a web-based Monero cryptocurrency miner that you can plug and play into your website using JavaScript.

Coinhive works by providing website publishers with JavaScript code that they can embed in their website. What this code does is “covertly” use the website visitor’s CPU processing power to mine the Monero cryptocurrency. This is a good alternative for monetizing the website.

The challenge with Coinhive is that we have seen it heavily abused, and most of the time website visitors won’t know that their CPU resources are being used. Scripts and website plugins showing how easy it is to abuse Coinhive to force cryptocurrency mining without user intervention are widely publicized on the internet.

We have seen Coinhive-related infections, and we can see it can be another venue for malvertising (for the full story, refer to this link). Take note that Coinhive is not the only website providing this kind of JavaScript Monero miner via simple JS and API calls.
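As an added defender-side example (not code from this post or from Coinhive), here is a small Python scanner that flags pages carrying a Coinhive-style browser miner, the check a web admin or proxy team would run over fetched HTML. The host list and the two sample pages are constructed for this example; the library URL and the `CoinHive.Anonymous` API name follow Coinhive’s public embed documentation as I recall it, so treat them as assumptions to verify against your own intel.

```python
import re
from html.parser import HTMLParser
from typing import Dict, List
from urllib.parse import urlparse

# Indicator lists for this example (assumption: extend from your own threat
# intel). The Coinhive hosts and JS API names are the ones its public embed
# docs used; authedmine.com was its opt-in variant, listed so that reviewers
# can tell a consent-prompting embed from a silent one.
MINER_SCRIPT_HOSTS = ("coinhive.com", "coin-hive.com", "authedmine.com")
INLINE_PATTERNS = [
    ("miner_api_call", re.compile(r"new\s+CoinHive\.(Anonymous|User|Token)\s*\(")),
    ("miner_start_call", re.compile(r"\.start\s*\(")),          # weak on its own
    ("cryptonight_reference", re.compile(r"cryptonight", re.IGNORECASE)),
]


def _is_miner_host(src: str) -> bool:
    host = (urlparse(src).hostname or "").lower()
    return any(host == h or host.endswith("." + h) for h in MINER_SCRIPT_HOSTS)


class MinerScriptScanner(HTMLParser):
    """Collects external <script src> targets and inline script bodies."""

    def __init__(self) -> None:
        super().__init__()
        self._in_script = False
        self._inline: List[str] = []
        self.findings: List[Dict[str, str]] = []

    def handle_starttag(self, tag, attrs):
        if tag.lower() != "script":
            return
        self._in_script = True
        src = dict(attrs).get("src") or ""
        if src and _is_miner_host(src):
            self.findings.append({"kind": "external_miner_library", "detail": src})

    def handle_endtag(self, tag):
        if tag.lower() == "script":
            self._in_script = False

    def handle_data(self, data):
        # HTMLParser hands <script> bodies to handle_data as raw CDATA.
        if self._in_script:
            self._inline.append(data)

    def finish(self) -> List[Dict[str, str]]:
        blob = "\n".join(self._inline)
        for kind, pattern in INLINE_PATTERNS:
            hit = pattern.search(blob)
            if hit:
                self.findings.append({"kind": kind, "detail": hit.group(0)})
        return self.findings


def scan_html(html: str) -> List[Dict[str, str]]:
    scanner = MinerScriptScanner()
    scanner.feed(html)
    scanner.close()
    return scanner.finish()


def is_cryptojacking_page(html: str) -> bool:
    # A bare .start( or the word "cryptonight" is too weak alone (any web app
    # may call start()); require a known miner library or its API constructor.
    strong = {"external_miner_library", "miner_api_call"}
    return any(f["kind"] in strong for f in scan_html(html))


# Constructed test pages (not captured from any real site); the site key is a placeholder.
MINING_PAGE = """<html><head>
<script src="https://coinhive.com/lib/coinhive.min.js"></script>
<script>
  var miner = new CoinHive.Anonymous('SITE_KEY_PLACEHOLDER', { throttle: 0.3 });
  miner.start();
</script>
</head><body><p>Some article text.</p></body></html>"""

CLEAN_PAGE = """<html><head>
<script src="https://cdn.example.test/app.js"></script>
<script>document.addEventListener('DOMContentLoaded', function () { app.start(); });</script>
</head><body><p>Some article text.</p></body></html>"""

if __name__ == "__main__":
    for name, page in (("mining page", MINING_PAGE), ("clean page", CLEAN_PAGE)):
        print(name, scan_html(page), "cryptojacking:", is_cryptojacking_page(page))
```

The clean page still yields a lone `miner_start_call` finding, which is exactly why the verdict function insists on a strong indicator.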


For more cryptocurrency mining malware insights, please read my article posted in Trend Micro Security Intelligence Blog entitled: Cryptocurrency-Mining Malware: 2018’s New Menace?

What’s Next?

I am planning to post more articles about executable coinminers, other cryptocurrency being targeted and abused, and some infosec topics and mixes soon. Watch out for it here at

Before I end this post, here are some standard disclosure/disclaimer:

I work at Trend Micro. The views expressed in this blog are mine and mine alone and do not necessarily represent my employer’s positions, strategies or opinions. Read more about me here.

If you want to get in touch, you can reach me via Twitter or LinkedIn.

Image credits:
Monero Logo –
Coinhive Logo – Coinhive website

Repost: Cluster of Coins: How Machine Learning Detects Cryptocurrency-mining Malware

Note:  In my previous post, I promised more #tech #infosec #security insights on #Cryptocurrency #Bitcoin #Monero so let me do this repost of my recent collab post. Personal insights to follow soon 🙂

Cluster of Coins: How Machine Learning Detects Cryptocurrency-mining Malware

By Jon Oliver and Menard Osena

As new trends and developments in the malicious mining of cryptocurrency emerge, a smart and sustainable way of detecting these types of threats is swiftly becoming a cybersecurity necessity. By using Trend Micro Locality Sensitive Hashing (TLSH), a machine learning hash that is capable of identifying similar files, we were able to group together similar cryptocurrency-mining samples gathered from the wild. By grouping together samples based on their behavior and file types, detection of similar or modified malware becomes possible.

Through TLSH, we came up with clusters for the cryptocurrency-mining malware. These are clusters that will analyze and detect cryptocurrency-mining threats by computing the mathematical “distance scores” between one file and another. Our algorithm generates a center TLSH of a coinminer malware that a group of other malware are close to.

Clustering malware samples allows security researchers to create one-to-many patterns that work proactively. The reason for this is that automated systems (or indeed reverse engineers) can examine the members of a malware group and identify similarities among the members. When our systems are examining a new file, they can look for elements which are exhibited by a malware group and also confirm that the new file falls within the constraints of the malware group.

In addition to this, TLSH also has the functionality of immediate and scalable searching and crosschecking of large amounts of possibly malicious or unknown files against known threats.
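As an added illustration of the clustering idea described above (example code, not Trend Micro’s implementation): the center of a group is the member with the least total distance to the others, and a new file is a hit when its distance to that center stays under a threshold. TLSH itself is not reimplemented here; `digest()` and `distance()` are a stand-in (byte trigram sets with a scaled Jaccard distance) that you would swap for `tlsh.hash()` and `tlsh.diff()` from the py-tlsh package, and the samples and the threshold of 150 are constructed.

```python
from typing import Iterable, List, Tuple

Digest = frozenset  # stand-in for a TLSH digest string


def digest(data: bytes, n: int = 3) -> Digest:
    # Stand-in similarity digest: the set of byte n-grams in the file.
    # ASSUMPTION: in real use this is tlsh.hash(data); TLSH is not reimplemented.
    return frozenset(data[i:i + n] for i in range(len(data) - n + 1))


def distance(a: Digest, b: Digest) -> int:
    # Stand-in for tlsh.diff(): 0 means identical, larger means less similar.
    # Scaled Jaccard distance in 0..300 so the scores read like TLSH distances.
    if not a and not b:
        return 0
    return round(300 * (1 - len(a & b) / len(a | b)))


def find_center(digests: List[Digest]) -> int:
    # The "center" of a group is its medoid: the member whose total distance to
    # all other members is smallest. Returns the index of that member.
    totals = [sum(distance(d, other) for other in digests) for d in digests]
    return totals.index(min(totals))


def build_cluster_pattern(samples: Iterable[bytes], threshold: int) -> Tuple[Digest, int, int]:
    # A one-to-many pattern is (center digest, radius, threshold): every known
    # member lies within `radius` of the center, and `threshold` is how far a
    # new file may be from the center and still be called a member.
    digests = [digest(s) for s in samples]
    center = digests[find_center(digests)]
    radius = max(distance(center, d) for d in digests)
    if radius > threshold:
        raise ValueError(f"group too loose: radius {radius} exceeds threshold {threshold}")
    return center, radius, threshold


def matches(pattern: Tuple[Digest, int, int], candidate: bytes) -> bool:
    center, _radius, threshold = pattern
    return distance(center, digest(candidate)) <= threshold


# Constructed samples: four builds of one miner config that differ in a single
# setting each, a re-walleted build never seen during clustering, and a benign file.
BASE = (b"miner build: algo=cryptonight pool=pool.example.test:3333 "
        b"wallet=WALLET_PLACEHOLDER_AAAA threads=4 anti-vm=1 anti-debug=1 ")
KNOWN_MINER_BUILDS = [
    BASE + b"build=A",
    BASE.replace(b"threads=4", b"threads=2") + b"build=B",
    BASE.replace(b"anti-vm=1", b"anti-vm=0") + b"build=C",
    BASE.replace(b"3333", b"5555") + b"build=D",
]
REWALLETED_BUILD = BASE.replace(b"WALLET_PLACEHOLDER_AAAA", b"WALLET_OTHER_VALUE_BBBB") + b"build=E"
BENIGN_DOCUMENT = (b"Quarterly newsletter: the gardening club meets on Tuesday to "
                   b"discuss tomato seedlings, compost and the spring plant sale. ")

# ASSUMPTION: 150 is a constructed threshold for this stand-in distance; with
# real TLSH you would calibrate it against your own corpus of known samples.
MINER_PATTERN = build_cluster_pattern(KNOWN_MINER_BUILDS, threshold=150)

if __name__ == "__main__":
    center, radius, threshold = MINER_PATTERN
    print(f"cluster radius={radius} threshold={threshold}")
    for name, blob in (("re-walleted build", REWALLETED_BUILD), ("benign document", BENIGN_DOCUMENT)):
        print(f"{name}: distance={distance(center, digest(blob))} member={matches(MINER_PATTERN, blob)}")
```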

Table 1. A sample of five out of the 123 cluster members with TLSH values that have very close distance scores when compared to the center TLSH value

Note: We have identified the center TLSH value against which hash values from files being examined are compared to determine similarity. Trend Micro Proactive Detection: Coinminer_TOOLXMR.SM2-WIN32.

We have applied TLSH to detect similarities in cryptocurrency-mining malware. The threats discussed in this post are detected by both Trend Micro Predictive Machine Learning and by the real-time scan patterns for Coinminer_XMRMINE.SM, Coinminer_TOOLXMR.SM2-WIN32, and Coinminer_MALXMR.SMN1-WIN32.

Among the cryptocurrency-mining malware samples gathered, we found that a majority were mining for monero, which uses the mining algorithm CryptoNight.

Malware Moving to Monero

Bitcoin has been the cybercriminal’s go-to cryptocurrency for mining malware, what with its sudden rise in value that even peaked at $20,000 in 2017. However, it appears Monero is taking the lead. Though its value ($224 as of writing time) is far less than bitcoin’s ($9,000 as of writing time), it can be mined on consumer PCs and laptops. This, partnered with its untraceable transactions, enables malicious actors to illicitly mine cryptocurrency on a wider range of targets.

We also detected samples that used modified code from the open-source XMRig miner to mine Monero or other CryptoNight-based digital currencies.

Figure 1. A sample of a modified XMRig command-line mining tool from a clustered sample

Note: The modified XMRig version is 2.4.1 while the latest available XMRig version on Github as of writing is 2.4.5.

Figure 2. A screen capture of a malicious sample of a modified XMRig command-line mining tool

Note: Trend Micro researchers provided test mining configuration files (mining pool address/port and Monero wallet address) for testing purposes.

One of the reasons why XMRig is favored by threat actors is that it is open source, making it easy to adopt and reuse in cryptocurrency-mining attacks. It is important to note, however, that cybercriminals are not alone in favoring this command-line miner tool — even legitimate cryptocurrency-mining enthusiasts use it as well.

Cryptocurrency-mining Malware

Over the course of just a few years, the use of cryptocurrency-mining malware has attracted much attention from cybercriminals looking to profit from the increase in cryptocurrency prices through malicious means. Using malware, they abuse others’ computing resources to obtain valuable cryptocurrency surreptitiously and illegally.

Last year, we saw cryptocurrency mining swiftly gaining traction. Cryptocurrency mining was the most detected home network event by Trend Micro™ Smart Home Network™ while Smart Protection Network™ sensors detected a spike in cryptocurrency-mining malware.

Cryptocurrency mining malware has adverse effects on its victims’ resources. Mining consumes enormous amounts of electricity and exhausts computing power, and malware can do the same — even to the point of overheating a smartphone’s battery until it bursts open. This gives us a glimpse of just how far threat actors are willing to go to explore new, uncharted means of changing the threat landscape for their own gain.

As illegal cryptomining events continue to surge and cybercriminals diversify attack methods, the importance of creating solutions that will provide protection from various iterations of cryptocurrency-mining malware becomes all the more pronounced.

Trend Micro™ XGen™ security provides a cross-generational blend of threat defense techniques to protect systems from cryptocurrency-mining malware. It features high-fidelity machine learning that uses TLSH to secure the gateway and endpoint, and protects physical, virtual, and cloud workloads. With capabilities like web/URL filtering, behavioral analysis, and custom sandboxing, XGen protects against today’s threats that bypass traditional controls, exploit known, unknown, or undisclosed vulnerabilities, either steal or encrypt personally identifiable data, or carry out malicious cryptocurrency mining. Smart, optimized, and connected, XGen powers Trend Micro’s suite of security solutions: Hybrid Cloud Security, User Protection, and Network Defense.

Original Post from: Trendlabs Security Intelligence Blog
Full article link -> Cluster of Coins: How Machine Learning Detects Cryptocurrency-mining Malware


Repost: Cryptocurrency-Mining Malware: 2018’s New Menace?

Cryptocurrency-Mining Malware: 2018’s New Menace?
by: Menard Osena

Will cryptocurrency-mining malware be the new ransomware? The popularity and increasing real-world significance of cryptocurrencies are also drawing cybercriminal attention — so much so that it appears to keep pace with ransomware’s infamy in the threat landscape. In fact, cryptocurrency mining was the most detected network event in devices connected to home routers in 2017.

Figure 1. In 2017, cryptocurrency mining was the most detected network event in devices connected to home routers (based on Trend Micro Smart Home Network feedback)

What started out in mid-2011 as an afterthought to main payloads such as worms and backdoors has evolved into such an effective way to profit that even cyberespionage and ransomware operators, and organized hacking groups are joining the bandwagon.

Bitcoin, for instance, was valued at around US$1,000 in January 2017 but has since ballooned to over $11,000 today. It even peaked at a record $20,000 per bitcoin. Monero’s (XMR) story was the same, with a value that shot up from $13 in January 2017 to $325 in February 2018. The volatile yet sharp increases in their value give the shift some weight. Where there’s money to be made, expect threat actors to try to be in on it.

Their use of cryptocurrency-mining malware and its meteoric ascent in the threat landscape is a case in point. As shown below, cryptocurrency-mining malware’s prevalence gained momentum, peaking at 116,361 in October 2017 before stabilizing throughout November and December. We detected the most cryptocurrency-mining malware in Japan, India, Taiwan, the U.S., and Australia.

Figure 2. Cryptocurrency-mining malware detections in 2017
(based on Trend Micro Smart Protection Network)

Figure 3. Country distribution of cryptocurrency-mining malware detections in 2017
(based on Trend Micro Smart Protection Network)

Other paradigm shifts are expected to be signs of things to come for cybercriminal cryptocurrency mining: the abuse of legitimate and grayware tools, particularly Coinhive, the penchant for mining Monero, and the emergence of fileless cryptocurrency miners.

From Bitcoin to Monero
Coinhive provides users and companies an alternate monetization platform by offering an embeddable JavaScript code that will use the site visitor’s CPU to mine Monero. This method’s apparent convenience and customizability did not escape cybercriminals. In fact, malicious versions of Coinhive’s miner were reported to be the sixth most common malware in the world, hitting even the official websites of organizations in the U.S. and U.K. as well as cloud servers of high-profile companies. The miner also spread through malvertisements.

It’s no surprise that Monero would be Coinhive and the cybercriminals’ cryptocurrency of choice. The algorithm used to mine Monero — CryptoNight — is designed to be resistant to ASIC mining. It’s thus more suited to calculating hashes on consumer hardware CPUs.

While bitcoin mining is still technically possible by using CPU and graphics processing unit (GPU) or a combination of both, it’s no longer as viable as it was especially when held up against dedicated rigs using application-specific integrated circuit chips (ASICs) and cloud-mining providers. Meanwhile, a miner can run 24/7 for a year, and it still won’t yield a single bitcoin.

Monero is also more pseudonymous than bitcoin. Its use of ring signatures makes it difficult to follow trails in transactions made through Monero’s blockchain — address, amount, origin, and destination, senders and recipients, to name a few.

Fileless Cryptocurrency-Mining Malware
Just like how ransomware matured, we’re starting to see the use of notorious exploits and methods for deploying fileless malware to install miners. Coinhive notes, for instance, that 10-20 active miners on a website can turn a monthly profit of 0.3 XMR — or $97 (as of February 22, 2018). An army of zombified systems translates to more illicit payouts.

A cryptocurrency-mining malware we found last year, which exploited EternalBlue for propagation and abused Windows Management Instrumentation (WMI) for persistence, is an example of this. In fact, the Monero-mining Adylkuzz malware was reportedly one of the first to exploit EternalBlue before WannaCry. The longer the system and network remain unpatched, the more they are at risk of re-infection.

A typical infection chain in fileless cryptocurrency-mining malware, as shown below, involves loading the malicious code into the system’s memory. The only physical footprint indicating an infection is the presence of a malicious batch file, an installed WMI service, and a PowerShell executable. For propagation, some use EternalBlue exploits, but we also saw others employing Mimikatz to collect user credentials, which are then used to access other machines and turn them into Monero-mining nodes.

Indeed, vulnerabilities will also be one of the main doorways for cryptocurrency-mining malware. This is demonstrated by the recent intrusion attempts we observed on Apache CouchDB database management systems. JenkinsMiner, a remote access Trojan that also totes a Monero miner and targets Jenkins servers, reportedly earned its operators over $3 million worth of Monero.
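An added detection example for the footprint described above (example code, not from the Trend Micro post): it walks process-creation and WMI-subscription telemetry looking for PowerShell launched by the WMI provider host, hidden/encoded PowerShell, and CommandLine WMI event consumers, and flags a host only when a persistence signal and an execution signal coincide. The event schema, rule weights and sample records are constructed for this example; map your own EDR or Sysmon fields onto the keys used here.

```python
import re
from collections import defaultdict
from typing import Dict, Iterable, List

# Constructed telemetry in a simplified schema. ASSUMPTION: map your EDR or
# Sysmon fields onto these keys. Hosts, paths and names are placeholders.
SAMPLE_EVENTS: List[Dict[str, str]] = [
    {"event": "process_create", "host": "ws01",
     "parent": r"C:\Windows\System32\wbem\WmiPrvSE.exe",
     "image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "cmdline": "powershell.exe -NoP -W Hidden -Enc BASE64_PLACEHOLDER"},
    {"event": "wmi_consumer", "host": "ws01", "name": "SysUpdater",
     "type": "CommandLine", "destination": r"cmd.exe /c C:\ProgramData\update.bat"},
    {"event": "wmi_binding", "host": "ws01",
     "filter": "SysUpdaterFilter", "consumer": "SysUpdater"},
    {"event": "process_create", "host": "ws02",
     "parent": r"C:\Windows\explorer.exe",
     "image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "cmdline": r"powershell.exe -File C:\scripts\inventory.ps1"},
]

POWERSHELL_IMAGE = re.compile(r"(^|\\)powershell(\.exe)?$", re.IGNORECASE)
WMI_PROVIDER_HOST = re.compile(r"(^|\\)wmiprvse\.exe$", re.IGNORECASE)
HIDDEN_WINDOW = re.compile(r"-w(indowstyle)?\s+hidden\b", re.IGNORECASE)
ENCODED_COMMAND = re.compile(r"-e(nc|ncodedcommand)?\s", re.IGNORECASE)

# Rule names grouped by what they evidence. Weights are constructed, not calibrated.
PERSISTENCE_RULES = {"wmi_commandline_consumer", "wmi_permanent_subscription"}
EXECUTION_RULES = {"powershell_spawned_by_wmi", "hidden_encoded_powershell"}


def detect(events: Iterable[Dict[str, str]]) -> List[Dict[str, object]]:
    findings: List[Dict[str, object]] = []

    def hit(host: str, rule: str, weight: int, detail: str) -> None:
        findings.append({"host": host, "rule": rule, "weight": weight, "detail": detail})

    for e in events:
        kind, host = e.get("event", ""), e.get("host", "?")
        if kind == "process_create" and POWERSHELL_IMAGE.search(e.get("image", "")):
            cmd = e.get("cmdline", "")
            # PowerShell whose parent is the WMI provider host is the shape of a
            # WMI event consumer firing: how the fileless chain persists and re-runs.
            if WMI_PROVIDER_HOST.search(e.get("parent", "")):
                hit(host, "powershell_spawned_by_wmi", 3, e.get("parent", ""))
            # Hidden window plus encoded command: the payload lives only in memory.
            if HIDDEN_WINDOW.search(cmd) and ENCODED_COMMAND.search(cmd):
                hit(host, "hidden_encoded_powershell", 2, cmd)
        elif kind == "wmi_consumer" and e.get("type") == "CommandLine":
            hit(host, "wmi_commandline_consumer", 3, e.get("destination", ""))
        elif kind == "wmi_binding":
            hit(host, "wmi_permanent_subscription", 2, f"{e.get('filter')} -> {e.get('consumer')}")
    return findings


def hosts_matching_fileless_miner_pattern(findings: Iterable[Dict[str, object]],
                                          min_score: int = 5) -> List[str]:
    # Flag a host only when persistence and execution signals coincide and the
    # summed weight clears min_score; either class alone is common in admin tooling.
    score: Dict[str, int] = defaultdict(int)
    rules: Dict[str, set] = defaultdict(set)
    for f in findings:
        score[str(f["host"])] += int(f["weight"])
        rules[str(f["host"])].add(str(f["rule"]))
    return sorted(h for h in score
                  if score[h] >= min_score and rules[h] & PERSISTENCE_RULES and rules[h] & EXECUTION_RULES)


if __name__ == "__main__":
    found = detect(SAMPLE_EVENTS)
    for f in found:
        print(f"{f['host']}: {f['rule']} ({f['detail']})")
    print("hosts to triage:", hosts_matching_fileless_miner_pattern(found))
```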

Figure 4. A typical infection flow of fileless cryptocurrency-mining malware

Thwarting Cryptocurrency-Mining Malware
Cryptocurrencies aren’t inherently prohibited, at least in many countries. Given their decentralized nature, they have regulatory frameworks under which their trade is legally overseen. Mining them illicitly through malware, however, is a different matter.

But while cryptocurrency-mining malware’s impact may not be as palpable or damaging as ransomware’s, it is no less of a threat. In December last year, the Loapi Monero-mining Android malware showed how such malware could physically damage a mobile device.

But cybercriminal cryptocurrency mining isn’t just about device wear and tear, or even the power consumption involved. It’s also a reflection of the ever-evolving technology landscape and the risks and threats that can come with it. And just like ransomware, we expect cryptocurrency-mining malware to be as diverse as it is common, using a plethora of ways to infect systems and even inadvertently turning its victims into part of the problem. This highlights the need to complement security mechanisms with defense in depth, adopting best practices not only for enterprises and everyday users but also for device designers and equipment manufacturers.

Figure 5. Trend Micro’s proactive solutions against fileless cryptocurrency-mining malware

Trend Micro XGen security provides a cross-generational blend of threat defense techniques to protect systems from cryptocurrency-mining malware. It features high-fidelity machine learning to secure the gateway and endpoint, and protects physical, virtual, and cloud workloads. With capabilities like web/URL filtering, behavioral analysis, and custom sandboxing, XGen protects against today’s threats that bypass traditional controls, exploit known, unknown, or undisclosed vulnerabilities, either steal or encrypt personally-identifiable data, or conduct malicious cryptocurrency mining. Smart, optimized, and connected, XGen powers Trend Micro’s suite of security solutions: Hybrid Cloud Security, User Protection, and Network Defense.

Original Post from: Trendlabs Security Intelligence Blog
Full post link Cryptocurrency-Mining Malware: 2018’s New Menace?

Additional #tech #infosec #security insights on #Cryptocurrency #Bitcoin #Mining to follow soon, so watch out for it 🙂


On Salon and Cryptocurrency Mining

“When able to attack, we must seem unable; when using our forces, we must seem inactive; when we are near, we must make the enemy believe we are far away; when far away, we must make him believe we are near”
Sun Tzu, Art of War

I came across this article last week:


If you find it TL;DR, my rough translation is:

The news site is telling their viewers to:

  • pay them $$$ for news access (subscription model), or
  • let them show their advertisements; else
  • mine them some Monero/XMR

This is like the premium subscription model (usual for some US news sites) vs. the Ads/AdSense model (freemium) vs. the Coinhive model. Wow! Just wow!

And from an #InfoSec perspective, I find this move so wrong on many levels. Initially, I wanted to rant on Twitter.

But I chose to keep an open mind and weigh things out first. Why not a blog post on this topic? Maybe this can be a good way of “furthering the dialogue”, and this is why we have this post 🙂

I’m not a regular visitor of Salon. All I know is that it is a US/American news/opinion website. I also checked: it seems to be a top 1000 site in the US and a top 5000 site globally according to Alexa siteinfo.

<Screen capture from siteinfo>

So green light and good website creds for me imho.

Some interesting points on their announcement (highlighted)

How does Salon make money by using my processing power?

The demand for computing power across many different industries and applications is potentially very high. We intend to use a percentage of your spare processing power to contribute to the advancement of technological discovery, evolution and innovation.

For our beta program, we’ll start by applying your processing power to mine cryptocurrencies to recoup lost ad revenue when you use an ad blocker. We plan to further use any learnings from this to help support the evolution and growth of blockchain technology, digital currencies and other ways to better service the value exchange between content and user contribution.


In any case, the possibilities for this sort of technology are limitless: In the future your spare computing power may go to solving the kinds of complex math problems that form the integrity of blockchains, but it can also be used for humanitarian and scientific projects such as helping research how proteins fold, to aid in biological discovery or helping pay for misdemeanor prisoners’ bail, or to see if we can better predict the impact of climate change.

Your spare computing power can even help analyze astronomical signals to figure out if extraterrestrials are trying to contact us. Some scholars have proposed using spare computing power to help secure voting and verify the integrity of democratic elections.

Uh-oh! That “spare processing power to contribute to the advancement of technological discovery, evolution and innovation” and “extraterrestrials are trying to contact us” cards again 🙂 I honestly feel this is sugar-coating the risks posed by cryptocurrency mining issue 🙂

And what will they mine?

What is Salon doing with my computer if I decide to opt-in?

Salon is mining digital currencies (for our beta, Monero). To do that, we are instructing your processor to run calculations. Think of it like borrowing your calculator for a few minutes to figure out the answer to math problems, then giving it back when you leave the site. We automatically detect your current processing usage and assign a portion of what you are not using to this process.

Monero. XMR. Mucho Monero!!!

Don’t get me wrong now, I am not saying that “Monero is bad” or “Monero is evil”. I would just like to put on the discussion table that recent infosec events show that this crypto (Monero/XMR) tops other cryptos in malicious activity. Some related links here and here.

(sidenote: I may write more about this Monero/XMR cryptocurrency in the future so this can be sort of a multipart post)

To sum up my thoughts, this change by Salon is a risky security move. It’s also a tricky business model.

And I will be watching closely on how this one will unfold…


On Capture the Flag

Do you have l33t skills in targeted attacks, Internet of Things (IoT), Industrial Control Systems (ICS/SCADA) and cybercrime? Interested in some extra cash (JPY 1,000,000, approximately US$8,700), or do you want to have some fun while learning and building more knowledge in the InfoSec industry? If yes, then read on…

Trend Micro is running an educational contest called Trend Micro CTF (Capture the Flag) 2017 this month. It is a global competition intended to help build skills among young professionals (20 years old +) and seasoned veterans alike in the field of cybersecurity.

Trend Micro Capture the Flag 2017, dubbed the Raimund Genes Cup, is the 3rd annual CTF event we are organizing, and this year it will focus on challenges across 4 InfoSec disciplines: targeted attacks, cybercrime, IoT, and SCADA.

Trend Micro is also offering an amazing opportunity for the top 10 online qualifying teams and will cover travel expenses to Japan (up to JPY 200,000 / approximately US$1,810/ conditions apply) as well as three nights hotel accommodation. Even if you are not really interested in the prizes, this is a great opportunity for you to test your skills and learn!!!

Online qualifiers will be held on June 24-25, 2017!

Register your team HERE

For more details please visit the Press link  and the Trend Micro CTF 2017 page

Good luck!!!


I posted Google’s announcement on the SHA1 shattering on Twitter several weeks ago

And I was surprised that a fellow infosec dude replied and tweeted

and it seems that the platform he is hinting at does not have a migration path or plan for it (or none that we know of). And it’s still MD5 :(.

This got me thinking that maybe this SHA1 can be a good topic for this blog, so I looked into the details so that I can explain it in a simple way and answer: what’s with this SHA1 being broken? Why should we care? Or should we not?

SHA1 is broken.

Google and the researchers demonstrated this by crafting 2 PDF files with different contents but the same SHA1 hash. They released the geeky how-to docs publicly. Good visualization too 🙂

Image Credits: Shattered.IT

So in a nutshell, it’s now practical to craft two different files that share the same SHA1 hash. So if you are using SHA1 as the primary identification of files/certs, consider migration to another hash like SHA256 or SHA3.

How easy is the attack?

Very hard (it needs 6,500 years of single-CPU computing power or 110 years of single-GPU power). But of course with Google’s firepower, they fast-tracked things drastically (experts say this is 3 years earlier than the previous projection). My key learning here is that given GPU advancements + cloud computing nowadays, that “very hard” attack can be “so easy”, as long as you have the right resources ($$$, kaching-kaching, moolah).

Several experts estimated that such an attack needs a 75K USD budget: just rent some computing firepower via AWS and the problem is solved :). Imho, 75K is peanuts to nation-states and large cybercriminal groups (whether it’s FUD or not is not my forte).

What are the usual systems potentially impacted? SHA-1 is used for digital signatures, file integrity, and/or file identification, among others. So digital cert signatures, email PGP signatures, vendor file signatures, software updates, Git, etc. may be vulnerable.

SHA1 certs have been deprecated since 2015. Major browsers are OK and safe, with Google doing early protection for Chrome (and other Google-related services too) and Firefox providing a fix a day after the disclosure.

Git and software repos had a healthy discussion, with Linus Torvalds giving a good explanation of the impact on Git.

Should we care?

Are you (or your tools, software, systems) heavily dependent on SHA1 for file integrity? If yes, then you should care and plan the migration right away. The migration path is SHA256 and SHA3. The exploit described above was demonstrated with PDF, and since this is already public, expect other file types to follow soon. This is not a question of IF now but WHEN.
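To make the “plan the migration” advice concrete, here is an added example (my own illustration, not code from Google or the SHAttered researchers) of a file-integrity check that reads legacy SHA1 manifests but only trusts SHA256/SHA3 digests, plus the step that regenerates a manifest with the stronger hashes. The manifest layout and the sample bytes are constructed for this example.

```python
import hashlib
import hmac

# Policy: SHA-256 and SHA3-256 are acceptable for file integrity; SHA-1 and MD5
# are read for compatibility with old manifests but never satisfy the check alone.
STRONG = ("sha256", "sha3_256")
WEAK = ("sha1", "md5")

def digests(data: bytes) -> dict:
    """Compute every digest the policy knows about, for one file's bytes."""
    return {alg: hashlib.new(alg, data).hexdigest() for alg in STRONG + WEAK}

def verify(data: bytes, manifest: dict) -> dict:
    """Check file bytes against a manifest entry of {algorithm: hexdigest}.

    ok        - True only when at least one strong digest is present and matches
                and no listed digest (strong or weak) mismatches
    weak_only - True when the manifest offers nothing stronger than SHA-1/MD5,
                i.e. the entry must be regenerated before it can be trusted
    mismatch  - algorithms whose listed digest does not match the bytes
    """
    actual = digests(data)
    strong_match = False
    mismatch = []
    for alg, expected in manifest.items():
        if alg not in actual or not hmac.compare_digest(actual[alg], expected.lower()):
            mismatch.append(alg)  # unknown algorithm counts as unverifiable
        elif alg in STRONG:
            strong_match = True
    weak_only = not any(alg in STRONG for alg in manifest)
    return {"ok": strong_match and not mismatch, "weak_only": weak_only, "mismatch": mismatch}

def upgrade_manifest(data: bytes, manifest: dict) -> dict:
    """Migration step: re-hash the bytes with strong algorithms and drop weak ones.

    Only call this on bytes whose provenance was confirmed some other way (signed
    release, trusted mirror): a SHA-1-only manifest cannot prove they are the originals.
    """
    return {alg: hashlib.new(alg, data).hexdigest() for alg in STRONG}

# Constructed sample input (not a real update package) and its legacy SHA-1-only manifest.
SAMPLE = b"installer-v1.0 example bytes"
LEGACY_MANIFEST = {"sha1": hashlib.sha1(SAMPLE).hexdigest()}

if __name__ == "__main__":
    print(verify(SAMPLE, LEGACY_MANIFEST))                          # ok False, weak_only True
    print(verify(SAMPLE, upgrade_manifest(SAMPLE, LEGACY_MANIFEST)))  # ok True
```

Run over an existing manifest, `weak_only` entries are exactly the ones the post says to migrate first.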

On Ransomware

“They can beg and they can plead
But they can’t see the light
Coz the boy with the cold hard cash
Is always Mr. Right”

Material Girl, Madonna

I was planning to write about ransomware for a long, long time but I didn’t know where to start. Will I start with the email that my childhood friend sent me in 2015 (frantically pleading “Halpppp me, I got this HELP_YOUR_FILE Virus and I’m doomed”)? Or when ransomware first piqued my interest (shout out goes out to the Bundespolizei police ransomware c. 2012)? When? What to share? Help!!!

But of course I’m good at procrastination, so as of February 2017 there are still zero posts on ransomware 🙂 . But let’s end that, because I promised that I will do more articles this year on all my blogs and I want to start it right. This is also in support of my “all my infosec posts belong to AVSecurityProductManager Blog” rule, so here we go. For starters I’m sharing this YouTube video

Sorry, I’m really a sucker for digital DIY kits. OK, maybe just the bad kind of DIY kits (blame it on Vicodines of the macro poppy kit fame; sorry, I’m an old-school virus dude, mon!). Honestly I’m torn between sharing and suppressing this ransomware video advertisement on YouTube. But sadly, this is a good demo to show how easy it is to create/mod a ransomware (even dummies can do it, huh). Not sure how long this one will be up on YouTube though.

I know Stampado/Philadelphia is kinda old (I think it was active around September 2016). Maybe a decryptor is out already. But given that the dynamics and motivations for ransomware (cold hard cash + someone is still paying the ransom) are here to stay, I guess this ransomware problem will not go away easily.

Ruining Madonna’s lyrics

They can beg and they can plead
But they can’t decrypt it right
So the boys with the cold hard cash
Will buy bitcoins right???

(Please don’t kill me if my lyrics mod skills sux)

Lastly, I support NO More Ransom!!! Visit No More Ransom for more solutions and insights.

I will do a part 2 on ransomware soon…

Video credits to YouTube. Thanks go out to Brian Krebs for his post on this topic.

On Pump and Dump Spam Run

I thought they were an extinct-in-the-wild technological mal-species already. But just yesterday I got this spammy mail in my mailbox:


Image 1. Suspicious Email

Sorry, I choose not to comment on the company as I do not have verifiable info on them nor their industry. But I did not subscribe the affected mailbox to any stock-monitoring feeds, so your paranoid Security Product Manager will tag this as SPAM. And since all my infosec posts belong to this blog, here are some additional security insights.

Dissecting the content of the mail…

[Name of supposed sender] here.

My NEWEST MONSTER PICK is – [company name here]. And they trade under the ticker symbol – [Symbol1] or [Symbol2]

I don’t know if you know this, but technically, 0.0001 is the lowest that a stock can trade at on the open market…

0.0001 is THE FLOOR!

So it stands to reason, if you get in at the ground level (THE FLOOR ), the stock CANNOT go lower.

So technically you have limited your downside.

Go buy [Symbol1] NOW and quadruple your money quick!

Actually, the unsolicited nature of this email was the first red flag. The text “Go buy NOW and quadruple your money quick” and “So technically you have limited your downside” provide secondary red flags. Any get-rich-quick scheme will trigger my infosec spider-sense :).

Pump and Dump Scam run? Call it Maybe…

Some interesting thoughts on spam came to my mind which may be a good post in the future. I noted that there seems to be a “new” breed of spam mails targeting those who need “high-end” systems user lists. I don’t know if this is prevalent already. Maybe I can feature them here soon. Watch out for it. Soon.