RobH0/Detecting_Cryptomining_Malware
Understanding and Detecting Crypto-Mining Malware

DetectCryptoMining

DetectCryptoMining is a tool written in Python designed to monitor, detect and mitigate against crypto-mining malware.

Please run the tool on Windows 10, since that is the operating system it has been tested on. Although the tool's components are OS X and Linux compatible, I have not tested whether all of its functionality works correctly on either of those operating systems.

Setting up, running the DetectCryptoMining tool:

  1. Install Python 3.
  2. Install the tool's required Python packages: pip install PyYAML psutil PyQt5 numpy matplotlib dnspython pywin32
  3. Navigate to the location of the DetectCryptoMining\DetectCryptoMining.py file within the repository.
  4. Run the DetectCryptoMining.py file: python DetectCryptoMining.py
  5. The program will then ask whether you would like to update the mining pool IP addresses for improved mining detection. If this is your first time running the tool, or you haven't updated the IPs in the last 24 hours, enter y for yes. Otherwise enter n for no to save time.
  6. Once the tool has finished querying for mining pool IP addresses its GUI will pop up. Snap the tool's GUI to fullscreen.
  7. Next, click the 'Start monitoring' button on the GUI to start the program.
  8. If at any time you want to stop the program, click the 'Stop monitoring' button.
  9. While the tool is running, you can modify the trusted process whitelist by clicking the 'Modify Process Whitelist' button. Clicking the button opens the whitelist.txt file in Notepad. To add a new trusted process to the whitelist, append the process's name on a new line. Any process names added to the whitelist must be in lowercase and match exactly how Windows names them. To remove a process that is no longer trusted, simply delete its name from the whitelist. Once you have finished updating the whitelist, save the document and close it. As soon as whitelist.txt has been saved, the tool will use the updated whitelist for the next round of monitoring/detection.

Using the GUI to evaluate detections and mitigate against potential mining:

  1. Instances where detection rules are met are displayed by the GUI as a bar graph and two tables.
  2. Should you see a process you don't recognise that is repeatedly meeting detection rules, you should consider taking action against the process.
  3. To mitigate and kill a suspicious mining process, go to the bottom table and look for the row containing the suspicious process you want to kill. Once you have found its row, click its corresponding kill button, labelled 'Kill '.
  4. Once the kill button is clicked, all processes associated with the suspicious process's name are killed, preventing any further crypto-mining.
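To make the whitelist and detection-rule behaviour described above concrete, here is a small added example (not DetectCryptoMining's own code) that applies two illustrative rules, sustained high CPU and an established connection to a known mining-pool IP, to a constructed process snapshot while skipping whitelisted names. The rule thresholds, the ProcSnapshot layout and the sample addresses are assumptions; the real tool samples live data with psutil.

```python
"""Whitelist-aware, rule-based mining detection (added illustration)."""
from dataclasses import dataclass, field
from ipaddress import ip_address


@dataclass
class ProcSnapshot:
    name: str                  # process name as reported by the OS, e.g. "xmrig.exe"
    cpu_percent: float         # CPU share sampled over the monitoring interval
    remote_ips: set = field(default_factory=set)  # established outbound peers


def load_whitelist(text):
    """Parse whitelist.txt content: one process name per line.
    Names are lower-cased so a stray capital does not silently break matching."""
    names = set()
    for line in text.splitlines():
        line = line.strip()
        if line and not line.startswith("#"):
            names.add(line.lower())
    return names


def evaluate(snapshots, whitelist, pool_ips, cpu_threshold=80.0):
    """Return {process name: [rules met]} for every non-whitelisted process.
    Rule "high_cpu": CPU share at or above cpu_threshold (assumed value).
    Rule "pool_ip":  a remote peer is in the known mining-pool IP list."""
    pools = {ip_address(ip) for ip in pool_ips}
    hits = {}
    for snap in snapshots:
        if snap.name.lower() in whitelist:
            continue  # trusted process: never reported, as with the tool's whitelist
        rules = []
        if snap.cpu_percent >= cpu_threshold:
            rules.append("high_cpu")
        if any(ip_address(ip) in pools for ip in snap.remote_ips):
            rules.append("pool_ip")
        if rules:
            hits[snap.name] = rules
    return hits


# Constructed sample data (documentation-range addresses, not real indicators).
SAMPLE_WHITELIST = "chrome.exe\ncode.exe\n"
SAMPLE_POOL_IPS = ["203.0.113.10"]
SAMPLE_SNAPSHOTS = [
    ProcSnapshot("xmrig.exe", 95.0, {"203.0.113.10"}),   # miner: both rules fire
    ProcSnapshot("chrome.exe", 90.0, {"198.51.100.7"}),  # busy but whitelisted
    ProcSnapshot("notepad.exe", 1.5, set()),             # idle, no rules met
]

if __name__ == "__main__":
    print(evaluate(SAMPLE_SNAPSHOTS, load_whitelist(SAMPLE_WHITELIST), SAMPLE_POOL_IPS))
```

Feeding the same function repeated snapshots over time is what turns a single high-CPU sample into the "repeatedly meeting detection rules" signal the GUI tables surface.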

View DetectCryptoMining's Class Documentation:

Go to: https://robh0.github.io/DetectCryptoMiningDocs/

If the documentation website is down:

  1. Change into the following directory: cd DetectCryptoMining\docs\_build\html
  2. Open the index.html file with a browser of your choice. This will display the Sphinx-generated documentation.

To view DetectCryptoMining's UML class diagram, navigate to and open the DetectCryptoMining\UML\DetectingCryptoMiningUML.png file.

Testing DetectCryptoMining tool against Xmrig miner on Windows:

Decrypting the crypto-miners:

Disclaimer: By decrypting the CryptoMiners container you accept that I'm not responsible for any possible damage caused by either of the crypto-miners. To protect your host device from potential damage caused by the crypto-miners, I recommend running tests within a Windows 10 virtual machine (e.g. VirtualBox). You can download official Windows 10 virtual machine disk images from either https://developer.microsoft.com/en-us/microsoft-edge/tools/vms/ or https://developer.microsoft.com/en-us/windows/downloads/virtual-machines/.

  1. Download the installer of the free and open source file and disk encryption software VeraCrypt from https://www.veracrypt.fr/en/Downloads.html.
  2. Run the installer to install VeraCrypt.
  3. Once VeraCrypt has been installed, run it, click the 'Select File' button and select the CryptoMiners.txt VeraCrypt container found at FullUnit_1920_RobertHoldsworth\CryptoMiners\CryptoMiners.txt.
  4. Once you have selected CryptoMiners.txt, click the 'Mount' button at the bottom left of the VeraCrypt GUI.
  5. VeraCrypt will then prompt you for a password. Enter the password miner into the password input field and click the 'OK' button.
  6. VeraCrypt will then decrypt the CryptoMiners.txt container and mount it as a drive, allowing you to access the Xmrig and Xmr-Stak mining files.

Quick start testing (Xmrig only):

  1. Make sure you have installed the required Python packages for DetectCryptoMining: pip install PyYAML psutil PyQt5 numpy matplotlib dnspython pywin32
  2. Make sure you have decrypted and mounted the VeraCrypt CryptoMiners.txt container that holds the Xmrig miner.
  3. Double click the startTest.bat batch file. This will first start the miner with the correct configuration and then start the DetectCryptoMining tool, ready for testing.
  4. If at any point you use DetectCryptoMining's GUI to kill the Xmrig processes, the mining processes are killed but the parent command prompt process is not, so the xmrig command prompt output freezes without closing.

Manual testing (Xmrig and Xmr-Stak):

  1. Make sure you have installed the required Python packages for DetectCryptoMining: pip install PyYAML psutil PyQt5 numpy matplotlib dnspython pywin32
  2. Make sure you have decrypted and mounted the VeraCrypt CryptoMiners.txt container that holds both the Xmrig and the Xmr-Stak miner.
  3. Go to the mounted container using File Explorer or by clicking the mounted drive in the VeraCrypt GUI.
  4. To run Xmrig, go to the xmrig-5.10.0\xmrig.exe file location within the mounted VeraCrypt container and double click the xmrig.exe executable. To run Xmr-Stak, go to the xmr-stak-rx-win64-1.0.4\xmr-stak-rx.exe file location within the mounted VeraCrypt container and double click the xmr-stak-rx.exe executable.

CryptoWebsite

CryptoWebsite is a website designed to simulate the sustained high CPU utilisation that a web-based crypto-mining JavaScript function would usually produce as a symptom of crypto-mining.

Using CryptoWebsite:

  1. Go to its webpage using the following URL: https://robh0.github.io/HostedCryptoWebsite/
  2. Select a number from the drop-down menu to determine the duration for which the CPU-intensive function should run. The greater the number, the longer the function runs.
  3. Click the 'Start mining' button to start the heavy CPU function.
  4. An alert will pop up once the heavy CPU function has returned. Press the 'Start mining' button again should you wish to start the heavy CPU function again.
