On Cryptocurrency Mining Malware and Electroneum

Down to my last match fire I touch just to feel
Why is it easier to burn than it is to heal?

The Chainsmokers, XYLO, Setting Fires

Note: this article was created in the 1st week of March 2018, when there was no notable malware family messing with Electroneum (ETN)... yet.

While investigating some suspicious activities in one of our products’ logs, we stumbled upon an interesting cryptocurrency miner that abuses a new cryptocurrency, Electroneum.

We connected this malicious file to a newly created Russian domain that also hosts a “cool” assortment of live malware files (POWLOAD, an IRCBOT backdoor, and this SilverSpace cryptocurrency mining malware).

Screen capture of the newly created Russian domain with open directory

 

The POWLOAD connection

The MS Word document (instructions.doc) found on this domain is very similar to some Trojanized Microsoft documents we have seen in previous malicious spam campaigns, which use PowerShell commands to execute malicious files.

As of analysis time (early March 2018), we have seen similar POWLOAD Trojanized MS documents in the US, the Russian Federation, Japan and Canada.

We believe that this POWLOAD document (or the other malicious file on the web server) will drop and execute the malicious cryptocurrency miner Silverspace to complete the infection chain.

Silverspace coinminer

This cryptocurrency mining malware has some elaborate anti-AV, anti-virtual machine, anti-debug, anti-analysis-tool and anti-process-monitoring modules that we usually see in ransomware and other malware-related files.

Another unique find for this cryptocurrency mining malware is that it abuses the Electroneum cryptocurrency by mining through a popular Electroneum mining pool (etn.spacepools.org).

What is Electroneum?

Electroneum is a new crypto kid on the block.

image credit: electroneum.com

Electroneum (ETN for short) is based on the Monero blockchain and uses the CryptoNote hash algorithm. Like Monero, it promises more secure and private transactions compared to Bitcoin. Electroneum dubbed their cryptocoin the mobile cryptocurrency, and they launched their mobile miner app in the 1st week of March 2018 after joining GSMA.

Electroneum uses the CryptoNight/CryptoNote algo, so technically any mining tool for Monero/XMR (XMRig, XMR Stak, etc.) can be used for Electroneum mining. ETN has been increasing in both popularity and market capitalization, which is a promising development for their mining community and ETN stakeholders. But sorry to break the news: this can also mean good news for our malicious threat actors.

On ETN mining profits and payouts

We traced the Electroneum address used in the cryptocurrency mining configuration and found what this miner has profited so far in the first 2 weeks of March 2018:

  • 416 ETN as of March 15, 2018 6PM GMT+8

Predictions?
So your friendly AV Security Product Manager predicts that this Silverspace cryptocurrency mining malware can be morphed and propagated via exploits, like other PowerShell/POWLOAD coinminers out there. Malicious actors can also switch back to Monero mining or other CryptoNote coins (hello SUMO, hi GRFT), and I’m excited about the possibilities for this miner 🙂.

Fast Forward

Our friends from Microsoft published their write-up on a malicious coinminer related to Electroneum:

https://cloudblogs.microsoft.com/microsoftsecure/2018/03/07/behavior-monitoring-combined-with-machine-learning-spoils-a-massive-dofoil-coin-mining-campaign/

The MS article seems to point to an XMRig clone abusing ETN. Grats to the Microsoft folks for the good presentation and big data analytics on the infection.

Trend Micro has a related piece on XMRig clones, “Cluster of Coins: How Machine Learning Detects Cryptocurrency-mining Malware”, a TM Security Intelligence blog collab post by yours truly.

IoC (Indicators of Compromise):

  • SHA-256: 3c21841151f3a2e32092f0e39250445057ec6667608cc80bf53443431a25aaca
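One way to hunt for these indicators in endpoint and DNS telemetry, as an added example that is not part of the original analysis. The pool domain and hash come from this post; the event fields, sample events, port numbers and the XMRig-style `-o`/`--url` pool option are assumptions. It goes a little beyond the single pool above by flagging any pool option on a command line, since the operators can switch pools or coins.

```python
import re

# Indicators taken from this post.
POOL_DOMAIN = "etn.spacepools.org"
IOC_SHA256 = "3c21841151f3a2e32092f0e39250445057ec6667608cc80bf53443431a25aaca"

# Assumption: the pool is passed the way XMRig-style miners take it (-o / --url host:port).
POOL_OPT = re.compile(
    r'(?<!\S)(?:-o|--url)(?:=|\s+)"?(?:stratum\+(?:tcp|ssl)://)?([\w.-]+):(\d{1,5})',
    re.IGNORECASE,
)

def is_pool_host(host):
    """True for the pool domain or a subdomain; tolerates case and a trailing dot."""
    host = host.strip().lower().rstrip(".")
    return host == POOL_DOMAIN or host.endswith("." + POOL_DOMAIN)

def pool_from_cmdline(cmdline):
    """Extract the pool endpoint from a process command line, or None."""
    m = POOL_OPT.search(cmdline)
    if not m:
        return None
    host = m.group(1).lower()
    return {"host": host, "port": int(m.group(2)), "known_pool": is_pool_host(host)}

def triage(event):
    """Return the reasons an event is suspicious (empty list means no hit)."""
    reasons = []
    if event.get("sha256", "").lower() == IOC_SHA256:
        reasons.append("sha256 matches IoC")
    if is_pool_host(event.get("dns_query", "")):
        reasons.append("DNS query for ETN pool")
    pool = pool_from_cmdline(event.get("cmdline", ""))
    if pool:
        known = " (pool named in this post)" if pool["known_pool"] else ""
        reasons.append("miner pool option -> %s:%d%s" % (pool["host"], pool["port"], known))
    return reasons

# Constructed sample telemetry; hosts, ports and wallet strings are placeholders.
SAMPLE_EVENTS = [
    {"host": "ws-01", "cmdline": "C:\\Users\\a\\svc.exe -o stratum+tcp://etn.spacepools.org:3333 -u WALLET_PLACEHOLDER -p x"},
    {"host": "ws-02", "dns_query": "ETN.SpacePools.org."},
    {"host": "ws-03", "cmdline": "upd.exe --url=pool.example.net:5555 -u WALLET_PLACEHOLDER"},
    {"host": "ws-04", "cmdline": "robocopy C:\\src D:\\dst /E", "dns_query": "spacepools.org.example.com"},
    {"host": "ws-05", "sha256": IOC_SHA256.upper()},
]

if __name__ == "__main__":
    for ev in SAMPLE_EVENTS:
        print(ev["host"], triage(ev))
```

The ws-03 event is the case the Predictions section worries about: a different pool that a domain-only block list would miss.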

What’s next???

For me? Maybe I will write another article explaining more about the mining profits and mining pool findings. Or maybe I will switch back to Monero threats and Coinhive discussions (burn baby burn). Who knows, I might open up and discuss my ICO experience here too hihihi!

Took me several months to have a follow up post to my cryptocurrency mining malware article  🙂 so for now, let’s celebrate that I have finally posted one about Electroneum here at AV Security Product Manager dot com 🙂 Hooray!!!

Acknowledgments

Special thanks to Johnlery Triunfante and Matthew Camacho for the analysis, and to my teammates at TrendLabs HQ for the support. As always you guys are awesome 🙂

Before I end this post, here is some disclosure/disclaimer:

I work at Trend Micro. The views expressed in this blog are mine and mine alone (and do not necessarily represent my employer’s positions, strategies or opinions). Read more about me here. You can contact me via Twitter or LinkedIn.