Over the past few months, we’ve been following a new type of worm we named PhotoMiner. PhotoMiner features a unique infection mechanism, reaching endpoints by infecting websites hosted on FTP servers while making money by mining Monero. The choice of a lesser known currency with a good exchange rate allows the attackers to rapidly gain money while the sophisticated use of safeguards makes it resilient to most disruption attempts, potentially leaving victims infected for years.

We’ve documented thousands of attacks originating from hundreds of IPs, running similar attack flows while using different binaries. In this report we will share our research on the PhotoMiner’s timelines, infection strategies, C&C servers and provide tools to help detect the malware.

Attack Description

On January 10 2016, GuardiCore Global Sensor Network detected an automated attack uploading suspicious files to FTP hosts. Usually, uploading files to a vulnerable FTP server would go unnoticed in organizations but our Sensor Network identified an anomalous behaviour where identical incidents continued to pile up, arriving from all over the world.

Since its first release, the malware has evolved rapidly. Till today, we’ve seen two different variants of PhotoMiner and over a dozen versions, indicating a rapid pace of evolution. The first variant was compiled on December 9, 2015 and included the core miner and basic propagation abilities. The second variant was released February 3, 2016 and quickly became the dominant version we can observe in the wild.

Spreading and Infecting

Over time, PhotoMiner added new capabilities including a unique multi-stage infection mechanism. First, insecure FTP servers over the world are compromised. Then, innocent websites hosted alongside the FTP servers are engineered to infect their visitors with malware. Finally, unsuspecting website visitors are infected with malware that does not only mine crypto-currency, but also seeks to infect additional FTP servers and systems in local networks.

PhotoMiner uses two types of attack techniques:

The primary attack method takes advantage of insecure FTP servers and clueless users. Since websites are frequently accessible over FTP, the operators of PhotoMiner are able to easily infect website source code and from there, innocent users. This method poses a long term danger to website security.

This is a simple two-stage attack;

By brute forcing random IP addresses and working off a user/password dictionary, weakly protected FTP servers are located and attacked.

Once a successful login attempt is made, a copy of the malware is uploaded to each writable server. At this point, each and every file capable of being rendered to a user (such as HTML, PHP and aspx files) is infected with the following string:

At this stage, rendering the page will cause a vulnerable browser to serve as a download. A careless user will click Open and let the malware in. Recent variants of the malware have upgraded this attack by adding server-side code injection and attempting to install a Linux based miner.

The target server IP, its credentials and the list of infected files are sent to the malware’s backend servers. With this information, the attackers can later login to the infected FTP servers, infecting more files and pivot into additional victims.

The second method is based on attacking Windows endpoints and servers reachable in the local area network using the following steps:

PhotoMiner uses built-in Windows systems tools such as ‘arp’ and ‘net view’ to read the ARP cache and to scan the local network segment using the BROWSER protocol.

Next, it attempts to brute force a connection over SMB. With each successful connection, PhotoMiner attempts to drop copies of itself into every accessible remote startup location. After any successful copy, it will use WMI scripting to execute local copies.

Some variants stealthily open a public Wi-Fi access point with the hardcoded name of “Free_WIFI_abc12345” which can lure innocent users into the network and get them infected.

Malware In Depth

PhotoMiner is built in a modular fashion, creating a standalone executable focused on mining Monero and a complex wrapper that is responsible for the persistence mechanism and further infections. This wrapper is comprised of two main variants with multiple sub versions:

The first variant img001.scr is unique in its use of NSIS , a custom scripting language.

Built for installers, NSIS is a perfect fit for writing simple installers including malware. The code is easy to read and debug, enabling the attackers to easily iterate and add features

The second variant photo.scr is a native binary that implements the img001.scr functionality in native code

Both variants include multiple sub versions where differences range from bug fixes to changes in the infection technique. Despite the multitude of versions, they follow the same order of operations. As such, we will describe them together, mentioning distinct abilities only when required.

During the initialization stage, PhotoMiner performs householding tasks such as persistence mechanism installation and collecting configuration data for the miner: To install a persistence mechanism, the PhotoMiner registers as a startup program using the following:

HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Run

%ALLUSERSPROFILE%\Microsoft\Windows\Start Menu\Programs\Startup\

%HOMEPATH%\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\

While basic, this technique does work and today does not automatically mark a program as “malicious”.

Configuration data is acquired by communicating over standard HTTP with a list of predefined hostnames, all serving a generic configuration file. Currently the given configuration is a list of Monero pools and wallets from which the malware randomly picks a recipient. This configuration file is scrambled using a basic reverse-dictionary. This means that for each scrambled character, a matching character is retrieved from a hardcoded dictionary, while non scrambled characters are safely skipped over.

At this stage basic details about the computer such as operating system version and IP are sent to C&C servers. PhotoMiner connects with C&C servers to communicate its progress rather than accepting “commands” and infact does not include any remote access capabilities. Our attackers have built a resilient backend, spread over multiple domain names and using VPS servers rotated across different hosting providers. However, thanks to several mistakes made by the attackers such as reusing servers and IP addresses the different campaigns are tied together through shared servers.



After initialization, the malware “spins off” the miner as a separate process and goes on to spread itself. This minimises the danger posed by antivirus programs to the miner itself. The mining module itself is a packed version of BitMonero, the core implementation of the Monero worker and is a legit program which is not likely to attract unwanted attention.

Detecting and Preventing PhotoMiner Attacks

PhotoMiner may infect FTP servers regardless of the hosting software and use the full computing power of any victim Windows machine.

For endpoints, implementing recommended security policies will easily prevent attacks, such as application whitelisting and endpoint firewalls which prevent outbound connections. If not an option, up to date browsers will prevent drive-by downloads such as used here.

Deploy a security solution that provides in-depth visibility into the data-center such as Guardicore Reveal™ to immediately alert on these types of malware executed on a machine it protects.

FTP servers shouldn’t allow unauthorized connections by locking down allowed IP addresses and making sure strong user/password combinations are in use.

If an infected server is detected, verify its code files are sanitised and remove all copies of the malware from the server.

Conclusion

Infecting websites through unprotected FTP servers is a classic attack that seems to be gaining popularity once again. By creating an infection that is hard to disrupt, the writers of PhotoMiner have created a botnet that is undoubtedly here to stay.

A non-secure service facing the internet, such as an unprotected FTP server, is one of the most common ways attackers use to first penetrate an organization. Attackers currently using their botnet for mining may in the future use stolen credentials and infected machines to move laterally inside the data center and compromise the most valuable assets of the organization.

IoCs

File hashes

photo.scr_ver29 MD5 6b422988b8b66e54e68f110c64914744 SHA256 8a2a28d164a6d4011e83ae3f930de8bf1e01ba2e013bee43460f2f58bdaf4109

photo.scr_ver17 MD5 6b422988b8b66e54e68f110c64914744 SHA256 a7f9c14c314680c077ebc2ab0fcb19ecde98a39da4690a13be33799cb32052ad

photo.scr_ver22a

MD5 e14c3ac5c7ebafe906ac8b7ae0bd4b92 SHA256 8cf156211c55955c006e30eee85d06776b6a8c43dcd9010a88e5d4391e30837c

photo.scr_ver22b MD5 beea8b5d0a35f73ecbfd0ca8fcf96694 SHA256 727865815de231bb0be0dcf1e41258dc8f9563a37bb3c32cac9eb0332ed7848f

photo.scr_ver22c MD5 fe9787b3d1c40d4cec154511f7725da6 SHA256 cdf743f542226971129e8c037fa2ea29ee488566848887ff8de3dd166b0636b8

photo.scr_ver24a MD5 e3b35ae837911135c70acb0ece15bf84 SHA256 5f522ebe3f4b2f1797249e431077725c45c76424dc21f7d16d5772ac35607f62

photo.scr_ver24B MD5 aba2d86ed17f587eb6d57e6c75f64f05 SHA256 807126cbae47c03c99590d081b82d5761e0b9c57a92736fc8516cf41bc564a7d

information.vbe

MD5 e9ffdb716af3d355b25096a8ed4de8ef SHA256 30daba44a4a25ff5750508613f897057a55337458f19b562e2ed1172c77e626b

IMG001.scr MD5 fbbcf1e9501234d6661a0c9ae6dc01c9 SHA256 d9901b16a93aad709947524379d572a7a7bf8e2741e27a1112c95977d4a6ea8c



File names

images.scr

NsCpuCNMiner32.exe

NsCpuCNMiner64.exe

Information.vbe

IMG001.scr

Domains

stafftest.ru

hrtests.ru

profetest.ru

testpsy.ru

pstests.ru

qptest.ru

jobtests.ru

iqtesti.ru

managtest.ru

testworks.ru

Indicative strings