Introduction 

Despite the market value of cryptocurrency itself decreasing in the final quarter of 2022, the number of known cryptocurrency mining software variants had more than trebled compared to the previous year. The intensive resource demands of mining cryptocurrency has exacerbated the trend of malicious hijacking third-party computers causing slower processing speeds and higher energy bills for many companies.

Cryptomining is often overlooked by security teams but is indicative of a gap in an organization’s defense in depth technologies and represents unauthorized access to the digital estate. Ignoring cryptomining as a compliance issue can open the floodgates to further compromises and continued access to organizational resources by threat actors.

Although having a security team able to react to and investigate malicious resource hijacking attempts is essential, there will inevitably be occasions when relying on human response alone is not enough. Having a round-the-clock autonomous decision maker able to respond instantaneously is paramount to ensuring a 24/7 defense strategy.

In August 2022, Darktrace detected and responded to an ongoing incident of attempted cryptojacking on the network of a customer in the logistics sector, when a threat actor launched their attack outside of normal business hours in an effort to evade the detection of the human security team. This blog explores how Darktrace AI Analyst and the human SOC team worked in tandem to detect and contain this threat, while providing unparalleled visibility to the customer.

Darktrace Coverage

The initial compromise was detected when Darktrace DETECT observed a new user agent on a customer server attempting to connect to an external endpoint that was rarely visited outside of business hours. Darktrace AI Analyst autonomously investigated the endpoint and determined that it redirected to a domain which downloaded an executable file (.exe). Following this, the device began making connections to endpoints associated with mining the Monero cryptocurrency, which automatically triggered an Enhanced Monitoring model, whereupon the Darktrace SOC team sent a Proactive Threat Notification (PTN) to the customer, alerting their security team to this anomalous activity. 

The Darktrace SOC team liaised with the customer via the Ask the Expert (ATE) service, and confirmed the activity, initially reported by Darktrace’s AI Analyst investigation, was related to malicious cryptomining activity. Thereafter, Darktrace RESPOND took immediate action by isolating six critical servers to contain the malicious cryptomining activity and prevent any further compromise.

The attack vector of the cryptomining malware was determined through a packet capture (PCAP) of the suspicious file detected by AI Analyst. The PCAP showed that following the initial download of the file, it modified its own permissions to become an executable. While the Darktrace SOC team continued its investigation, the customer was able to maintain contact with the team and gain full visibility over their network through the Darktrace Mobile App. 

Working in tandem, Darktrace was able to instantly identify and investigate the anomalous activity in real time using DETECT and followed this up with an autonomous investigation with Darktrace AI Analyst, without the need for any human interaction. The Darktrace SOC team was then able supplement this autonomous response, providing precious reaction time for the customer to identify and mitigate this cryptojacking incident. 

Interestingly, the IP addresses associated with this cryptomining had not been previously reported by open-source intelligence (OSINT) sources, with VirusTotal listing the first public scan as the same date as this attack. This reflects Darktrace’s ability to detect and respond to novel and previously undetected threats as soon as they arise directly through its AI capabilities.

Conclusion

The continued prevalence of malicious cryptomining software underlines the need for instantaneous and autonomous defenses. In addition to hardening an organization’s attack surface, responding to more compliance-focused threats like cryptomining will enable organizations to close gaps which lead to more damaging compromises. Darktrace’s suite of products offers both an AI-driven system which alerts users to malicious downloads and connections, and a dedicated SOC team which works in tandem with its AI to advise security teams and assist them in containing threats at their earliest stages.

In this case, the cryptomining malware was quickly identified and mitigated despite occurring outside of business hours, and there being a lack of OSINT information regarding its indicators of compromise. Leveraging AI gives security teams a round-the-clock defense that responds instantaneously to even novel threats. When combined with human SOC teams, Darktrace offers a formidable defense against an ever-growing sophisticated threat landscape.  

Credit to: Victoria Baldie, Director of Analysis.

Appendices

Darktrace Model Detections 

Below is a list of model breaches in order of trigger. 

• Model Breach: Compromise / High Priority Crypto Currency Mining 
• Model Breach: Device / Initial Breach Chain Compromise 
• Model Breach: Compromise / Monero Mining 

IOCs

165.227.154[.]84 - IP Address - C2 Endpoint

c0136a24781c4ebcafb3c9fdeb22681f6df814b4 - SHA-256 - File downloaded

MITRE AT&CK Mapping

Lateral Movement:

T1210 - Exploit of Remote Services

Command and Control:

T1001 - Data Obfuscation 

T1571 - Non-Standard Port

T1095 – Non-Application Layer Port

T1071 – Web Protocols

Initial Access:

T1189 – Drive by Compromise

Resource Deployment:

T1588 – Malware

References

[1] https://securelist.com/cryptojacking-report-2022/107898/