In this article, we’ll teach you how to think like a threat hunter and use the open source tool YARA alongside Censys to find Coinhive, a browser-based cryptocurrency miner service. Created to help security analysts, YARA (now maintained by VirusTotal) lets you write rules that describe and classify malware by the strings, byte patterns and regular expressions it contains. Those regular expressions can be scoped to content inside specific HTML tags, a technique we’ll use further down in this post.
Attackers often create “new” malware simply by changing a few minor traits of known malware to get around signature-based protections. YARA and tools like it let you describe the traits that such variants share, so one rule catches a whole family instead of a single sample. Thanks to tools like YARA, threat analysts can more easily track these “new” infections and respond before they spread.
Real-World Attacks Using Coinhive
According to research by Trustwave’s SpiderLabs team, in August 2018 Coinhive was being injected into web traffic by more than 200,000 compromised MikroTik routers. At the time, SpiderLabs security researcher Simon Kenin told BleepingComputer:
“The attacker wisely thought that instead of infecting small sites with few visitors, or finding sophisticated ways to run malware on end user computers, they would go straight to the source; carrier-grade router devices. Even if this attack only works on pages that return errors, we’re still talking about potentially millions of daily pages for the attacker.”
These particular attacks affected mostly Brazilian websites, but the SpiderLabs report predicted that the attacker would spread the campaign to a broader, global audience after measuring success in Brazil.
While the impact of this particular attack was broad, MikroTik had already released a fix for the underlying router vulnerability, so only routers that had not been updated were affected. Patching edge devices promptly is what keeps a campaign like this from reaching your users.
Finding Coinhive Infections with Censys + YARA
We want to focus here on a similar threat hunting process, and in particular on how a script can weed out false positives when your Censys search returns far more results than you can review manually. That’s where YARA rules come into play.
A naive search for the string “coinhive.com” in HTTP response bodies also matches pages that merely mention the domain in text, such as news articles or blog posts about the miner. In our script, we wrote rules that only match a domain name located between a script open tag and its close tag, which prevents matches on plaintext fields while still catching both external loaders and inline miner code. Here’s a screenshot of the output to give you an idea of how we’re refining our search results:
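To make the “domain inside a script tag” idea concrete, here is an added example (not the script from the original post) in Python. It carries the YARA rule you would hand to the `yara` command line or to yara-python, plus a pure-Python filter that implements the same check over a handful of constructed Censys-style records. The flattened `80.http.get.body` key and the sample bodies are assumptions made for the example; `authedmine.com` is included because it was Coinhive’s opt-in domain.

```python
"""Filter Censys-style HTTP records for Coinhive references inside <script> elements."""
import re

# Domains operated by the Coinhive service. authedmine.com was its opt-in variant.
COINHIVE_DOMAINS = ("coinhive.com", "authedmine.com")

# Equivalent YARA rule. YARA regexes have no lookahead, so the inline case approximates
# "inside the script body" with "no '<' between the open tag and the domain name".
YARA_RULE = r"""
rule Coinhive_In_Script_Tag
{
    meta:
        description = "Coinhive domain referenced inside a <script> element, not in page text"
    strings:
        $src    = /<script[^>]{0,200}coinhive\.com\/lib\/coinhive\.min\.js/ nocase
        $inline = /<script[^>]{0,200}>[^<]{0,1024}(coinhive|authedmine)\.com/ nocase
    condition:
        $src or $inline
}
"""

# One <script ...> open tag, optionally through its closing tag (tolerates a missing close).
SCRIPT_RE = re.compile(r"<script\b[^>]*>(?:.*?</script\s*>)?", re.IGNORECASE | re.DOTALL)


def extract_script_blocks(html):
    """Return every <script> element (open tag plus body) in document order."""
    return [m.group(0) for m in SCRIPT_RE.finditer(html)]


def miner_domains_in_scripts(html, domains=COINHIVE_DOMAINS):
    """Domains that occur inside a <script> element; mentions outside scripts are ignored."""
    found = set()
    for block in extract_script_blocks(html):
        lowered = block.lower()
        for domain in domains:
            if domain in lowered:
                found.add(domain)
    return found


def filter_records(records, body_key="80.http.get.body"):
    """Keep records whose HTTP body references a miner domain from inside a script element.
    Returns a list of (ip, sorted matched domains) pairs."""
    hits = []
    for rec in records:
        matched = miner_domains_in_scripts(rec.get(body_key, ""))
        if matched:
            hits.append((rec["ip"], sorted(matched)))
    return hits


def try_compile_yara():
    """Compile YARA_RULE with yara-python if it is installed; otherwise return None."""
    try:
        import yara  # optional dependency, not required for the filter above
    except ImportError:
        return None
    return yara.compile(source=YARA_RULE)


# Constructed sample records in the flattened shape of the older Censys IPv4 export (assumed).
SAMPLE_RECORDS = [
    {"ip": "192.0.2.10",  # classic external loader plus inline start() call
     "80.http.get.body": '<html><head><script src="https://coinhive.com/lib/coinhive.min.js">'
                         '</script></head><body><script>var m=new CoinHive.Anonymous("SITEKEY");'
                         'm.start();</script></body></html>'},
    {"ip": "192.0.2.11",  # plaintext mention only: the false positive the filter drops
     "80.http.get.body": '<html><body><p>We removed coinhive.com from this site.</p></body></html>'},
    {"ip": "192.0.2.12",  # inline loader that builds the script tag at runtime
     "80.http.get.body": '<html><body><script>var s=document.createElement("script");'
                         's.src="//authedmine.com/lib/authedmine.min.js";'
                         'document.head.appendChild(s);</script></body></html>'},
    {"ip": "192.0.2.13",  # no scripts at all
     "80.http.get.body": '<html><body><h1>404 Not Found</h1></body></html>'},
]

if __name__ == "__main__":
    for ip, domains in filter_records(SAMPLE_RECORDS):
        print(ip, ",".join(domains))
    rules = try_compile_yara()
    if rules is not None:
        for rec in SAMPLE_RECORDS:
            print(rec["ip"], [m.rule for m in rules.match(data=rec["80.http.get.body"])])
```

Run as a script it prints only 192.0.2.10 and 192.0.2.12; the page that merely talks about coinhive.com is dropped. The Python filter walks each complete `<script>…</script>` element, which is the precise semantics; the YARA version is the portable approximation you can run over a bulk export with the `yara` CLI.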
Some creative thinking on your part as a threat hunter is what unlocks the real power of Censys malware searches. Open-source tools like YARA then let you automate part of the analysis and filter out the noise.
What to do if you find Coinhive on any of your domains
Here are a few tips for how to thwart Coinhive if you find it in your assets. Most of them assume the miner was added by editing site content, which is the common case; if, as in the MikroTik campaign, it is being injected in transit by a compromised router or proxy, patch and audit that device as well.
- Change and enforce strong passwords for users and service accounts that have access to edit or update website content.
- Update the password for any third-party sites or services that may have access to edit or update website content.
- Enforce multi-factor authentication on admin accounts and user accounts that can change website content.
- Review and update CMS plugins (WordPress plugins in particular). Remove any plugin that is no longer under active development.
- If possible, set up audit logging on your web and database servers. Open source tools like OSSEC or osquery can alert admins to anomalous behavior on the server, such as unexpected edits to web content.
This is one example among many. We’d love to hear what you’re turning up; share with us on Twitter (@censysio). Together, we can build a community that shares findings and tactics, peer to peer, to help fight attackers and threats.