In this article, we’ll teach you how to think like threat hunters and use the open source tool YARA alongside Censys to find Coinhive, a cryptocurrency miner service. Created to help security analysts, YARA (now managed by VirusTotal) allows users to write complex rules/descriptions to identify and classify malware. Yara is flexible enough to let you iterate over HTML tags, a technique we’ll use further down in this post.
Attackers will often create “new” malware simply by changing a few minor traits of known malware in order to get around security protections. YARA and tools like it let you group together malware that follow similar patterns and behavior in order to find similar malware and prevent security risks. Thanks to tools like YARA, threat analysts can more easily track these “new” malware infections and prevent attacks.
Real-World Attacks Using Coinhive
According to research by TrustWave’s SpiderLab team, Coinhive affected more than 200,000 MikroTik routers in August 2018. At the time, SpiderLab security researcher Simon Kenin told BleepingComputer:
“The attacker wisely thought that instead of infecting small sites with few visitors, or finding sophisticated ways to run malware on end user computers, they would go straight to the source; carrier-grade router devices. Even if this attack only works on pages that return errors, we’re still talking about potentially millions of daily pages for the attacker.”
These particular attacks seemed to affect mostly Brazilian websites, but the SpiderLabs report asserted that the attacker would likely spread the malware to a broader, global audience after measuring success in Brazil.
While the impact was broad for this particular attack, MikroTik promptly released a patch that prevented any additional exploits from hitting their customers.
Finding Coinhive Infections with Censys + YARA
Threat hunters will be pleased to know that Censys allows users to search web page source using regular expressions. Recently, we showed users how to find Magecart malware using Censys. Since Magecart operated by injecting malicious Javascript on the root page of websites, we could search for infected websites through by looking for links to the known script sources hosting the malicious code in the raw HTML. For Magecart, it returned few results so we could manually inspect the search results to ensure the HTML in the HTTP(S) body contained a script link to one of the suspicious domains. At that time, we mentioned that if the search results turned up a larger number of domains, the manual process would become unwieldy, but that you could automate the false positive check with a script.
We want to focus here on a similar threat hunting process, but how you can use a script to help weed out the false positives when your search results are too large to go through manually. That’s where YARA rules come into play.
Like Magecart, one of the ways attackers deliver the Coinhive code family is to inject it into legitimate websites. Attackers use Coinhive to use the site visitor’s (aka the victim’s) browser to begin mining cryptocurrency for them, using the victim’s CPU to do the heavy lifting and freeing up the attacker’s machine. We created a useful script that reads the list of suspicious domains that are using the known malicious Coinhive Javascript code. It uses the Censys Python library and the Python Yara library.
This script reads the list of domains and dynamically constructs a Censys search for mentions of the infected domains in web page body text, using the custom YARA rule to further refine the search results and weed out any false positives. These false positives often include mentions of the sites in the text, but not in a command to tell the browser to execute that Javascript.
Here’s an example of a search you might run, using domain names that are known to be used to deliver malicious Javascript code. You could use Censys to search for those in any host detail, see below:
The YARA script we included in this post then whittles those search results down to script code hits. Unfortunately, YARA isn’t able to natively parse HTML, so even though we want to search website script tags for the malicious Javascript code related to Coinhive, we have to create a workaround to parse tags. Yara can iterate over its capture groups and search those, so we use script tag open and close patterns to extract just the fragments we want.
In our script, we wrote rules to search for any domain names located between script open and close tags, which prevents matches on plaintext fields. Here’s a screenshot of the output to give you an idea of how we’re refining our search results:
Some creative thinking on your part as a threat hunter will help you find the real power of Censys malware searches and helpful open-source tools like YARA can help you automate some of the analysis and filter out the noise.
What to do if you find Coinhive on any of your domains
Here are a few tips for how to thwart Coinhive if you find it in your assets:
- Change and enforce strong passwords for users and service accounts that have access to edit or update website content.
- Update the password for any third-party sites or services that may have access to edit or update website content.
- Enforce multi-factor authentication on admin accounts and user accounts that can change website content.
- Review and update WordPress plugins. Ensure that installed plugins are still under active development.
- If possible, setup audit logging on your web and database servers. Open source tools like OSSEC or OSQuery can alert admins to anomalous behavior on the server.
This particular example is just one example of infinite possibilities. We’d love to hear what you’re turning up—share with us on Twitter (@censysio). Together, we can build a community where we share findings and tactics, peer-to-peer to help fight attackers and threats.
