Cryptomining has become a popular method for attackers to profit from compromised systems. By installing cryptocurrency mining software on a host, attackers can utilize the host’s CPU and GPU resources to “mine” cryptocurrency, which can then be exchanged for non-digital currency or used for purchases. The attack has become so prevalent, it has earned its own technique name: “cryptojacking.”
It is important to quickly identify when a host is running cryptomining software so that the host’s performance does not suffer from high resource utilization. A key indicator is the network traffic. Most attackers connect their miners to a mining pool, a centralized server that coordinates mining among multiple hosts to share resources. The miners reach out to the pool server at regular intervals to receive updates and send mining data.
But how can we detect these cryptomining connections?
Mining traffic used to be easy to identify, as most pool servers listened on distinct ports such as 3333 or 7777, which came to be associated with cryptomining traffic. However, newer pools have started to use different ports to avoid detection. Some even disguise their connections by receiving data over port 25 or SSL on port 443. While the well-known ports are still in use by many pools, the port number alone is not a high-confidence indicator of mining traffic. Other monitoring tools, such as deep packet inspection technologies, may also be unable to identify mining traffic encrypted over SSL.
The easiest way to detect cryptomining traffic would be to monitor for connections to the pool servers by using a threat intelligence list of all known mining pool server IP addresses. However, a comprehensive list of mining pools from threat intelligence vendors may be difficult to find or may not exist at all, and maintaining your own list requires a lot of manual work and will quickly become outdated.
We have found a few reasons that may explain why cryptomining pool threat intelligence is not widely available and difficult to develop:
- The cryptomining network is volatile. Anyone can create a new mining pool, and existing pools may add new servers or change IP addresses.
- The network is also decentralized. There is no single location to find pool server information, as cryptomining protocols do not require knowledge of all mining pools to function.
- Knowing the domain name of a mining pool may not be enough information; mining pools often use different subdomains for the individual pool servers. A mining pool may have many different servers for hosting different cryptocurrencies or load balancing across regions, and this information is usually only found on the mining pool’s website.
Our approach: translating cryptomining pools into actionable threat intel
We set out to address these issues by building a solution that automatically enumerates the mining pools and their subdomains and translates them to IP addresses for use as a threat intelligence feed. We used several different collection techniques to make the information as accurate and timely as we could, given the known difficulties. Our methodology is below.
The first step is to gather a list of active mining pools. There are several public websites that aggregate statistics from the mining pools of various cryptocurrencies. We can then automate web requests and API calls to the sites to download the mining statistics, which include the active pools and their domains and websites.
The mining pool websites usually contain information on how to connect a miner to the pool, which details the pool server’s domain or IP address to use in the miner’s configuration. We observed that some websites use similar web frameworks and store the information in the same location. We can automate web requests and API calls to download the web content of the mining pool websites and parse out the pool server’s domains.
If we cannot find the pool server domains on the website, we can still attempt to find them a different way.
The domain of the mining pool website is often not the same as the domain for the individual pool servers, which receive the mining traffic. We observed that most pool server domains follow a similar naming convention that is derived from the pool’s website domain:
| Pool Website Domain | Pool Server Domain |
| --- | --- |
Most pool server domains consist of the website domain with a specific string prepended as a subdomain. These subdomains typically contain keywords that reference the cryptocurrency or cryptomining in general.
Using our list of active pool domains, we can pipe them into several open-source subdomain enumeration tools, such as findomain and Sublist3r. These tools query a variety of sources to find any subdomains related to a specific root domain. We can then filter the output to show only relevant subdomains that contain cryptocurrency keywords.
The final step is to combine our lists of enumerated pool server domains and resolve them to IP addresses.
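The following script is an added example that ties the steps above together; it is not ReliaQuest’s own tooling. It assumes you already have a list of pool website domains and the raw output of a subdomain enumeration tool (findomain, Sublist3r, or similar); the keyword list, the sample domains under `.test`, and the fake DNS answers are constructed for this example. It generates candidate names from the `keyword.<website domain>` convention, filters enumeration output down to names containing cryptocurrency or mining keywords, and resolves whatever remains into an indicator set. The resolver is injectable so the logic can be exercised offline; the default uses the system resolver.

```python
import socket
from typing import Callable, Dict, Iterable, List, Set

# Constructed keyword list for this example: strings observed in pool server
# subdomains that reference a coin or mining in general.
MINING_KEYWORDS = (
    "xmr", "monero", "btc", "eth", "etc", "ltc", "zec", "rvn",
    "pool", "mine", "mining", "stratum",
)


def is_pool_server_subdomain(fqdn: str, root: str) -> bool:
    """True if fqdn is below root and its leading labels contain a mining keyword."""
    fqdn, root = fqdn.lower().rstrip("."), root.lower().rstrip(".")
    if fqdn == root or not fqdn.endswith("." + root):
        return False
    prefix = fqdn[: -len(root) - 1]  # only the labels left of the website domain
    return any(kw in prefix for kw in MINING_KEYWORDS)


def candidate_subdomains(root: str) -> List[str]:
    """Guess pool server names from the 'keyword.<website domain>' convention."""
    return [f"{kw}.{root}" for kw in MINING_KEYWORDS]


def filter_enumerated(root: str, enumerated: Iterable[str]) -> List[str]:
    """Keep only enumeration output that looks like a pool server for this root."""
    return sorted({s.lower().rstrip(".") for s in enumerated
                   if is_pool_server_subdomain(s, root)})


def resolve_with_dns(name: str) -> Set[str]:
    """Default resolver: A/AAAA lookup; a name that does not resolve yields no IPs."""
    try:
        return {info[4][0] for info in socket.getaddrinfo(name, None)}
    except socket.gaierror:
        return set()


def build_indicators(pool_roots: Iterable[str],
                     enumerated: Dict[str, List[str]],
                     resolver: Callable[[str], Set[str]] = resolve_with_dns
                     ) -> Dict[str, Set[str]]:
    """Return {pool_server_domain: {ip, ...}} for every candidate or enumerated
    name that actually resolves; unresolvable guesses are dropped."""
    indicators: Dict[str, Set[str]] = {}
    for root in pool_roots:
        names = set(candidate_subdomains(root))
        names |= set(filter_enumerated(root, enumerated.get(root, [])))
        for name in sorted(names):
            ips = resolver(name)
            if ips:
                indicators[name] = ips
    return indicators


def indicator_ips(indicators: Dict[str, Set[str]]) -> Set[str]:
    """Flatten the domain->IP map into the IP block list a firewall would ingest."""
    return set().union(*indicators.values()) if indicators else set()


# Constructed sample input: one pool website domain and some enumeration output,
# plus canned DNS answers so the example runs without network access.
SAMPLE_ROOTS = ["examplepool.test"]
SAMPLE_ENUMERATED = {
    "examplepool.test": [
        "www.examplepool.test", "mail.examplepool.test",
        "xmr-eu.examplepool.test", "stratum.examplepool.test",
        "ETH.examplepool.test.", "pool.otherdomain.test",
    ],
}
FAKE_DNS = {
    "xmr.examplepool.test": {"203.0.113.10"},
    "xmr-eu.examplepool.test": {"203.0.113.10"},
    "stratum.examplepool.test": {"203.0.113.11", "203.0.113.12"},
    "eth.examplepool.test": {"198.51.100.7"},
}


def fake_resolver(name: str) -> Set[str]:
    return FAKE_DNS.get(name, set())


if __name__ == "__main__":
    feed = build_indicators(SAMPLE_ROOTS, SAMPLE_ENUMERATED, fake_resolver)
    for domain, ips in sorted(feed.items()):
        print(domain, sorted(ips))
    print("IP block list:", sorted(indicator_ips(feed)))
```

Keyword matching is applied only to the labels left of the website domain, so a root like `examplepool.test` does not match itself on the word "pool", and names from unrelated domains that the enumeration tool returns are discarded. Candidate names that do not resolve are silently dropped, which keeps guessed entries out of the feed.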
We now have an up-to-date threat intelligence list of cryptomining pool server domains and IP addresses. This list can be integrated into detection technologies to alert on connections to the IP addresses or DNS lookups for the domains. Network technologies, such as firewalls, can also ingest the lists and proactively block connections to the pool servers.
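As an added illustration of how such a feed is consumed (example code, not part of the original post or ReliaQuest’s platform), the script below matches flow records and DNS query logs against a small indicator set. The feed entries, the `key=value` log format and every address in the sample records are constructed for this example. It alerts on a destination IP or a queried name (including child labels) found in the feed regardless of port, and separately reports flows to the historically mining-associated ports 3333 and 7777 as low-confidence observations rather than alerts, reflecting the point above that the port alone is not a reliable indicator.

```python
import re
from typing import Dict, List, Optional, Set, Tuple

# Constructed indicator feed for this example (not real pool infrastructure).
POOL_DOMAINS = {"xmr-eu.examplepool.test", "stratum.examplepool.test"}
POOL_IPS = {"203.0.113.10", "203.0.113.11"}

# Ports historically associated with mining; matches here are low confidence only.
LEGACY_MINING_PORTS = {"3333", "7777"}

# Constructed sample telemetry: firewall flows and DNS queries in key=value form.
SAMPLE_LOGS = [
    "ts=2024-03-01T10:00:01Z type=flow src=10.0.0.5 dst=203.0.113.10 dport=443 proto=tcp",
    "ts=2024-03-01T10:00:02Z type=flow src=10.0.0.5 dst=192.0.2.34 dport=443 proto=tcp",
    "ts=2024-03-01T10:00:03Z type=dns src=10.0.0.7 query=STRATUM.examplepool.test. qtype=A",
    "ts=2024-03-01T10:00:04Z type=dns src=10.0.0.7 query=www.examplepool.test qtype=A",
    "ts=2024-03-01T10:00:05Z type=flow src=10.0.0.9 dst=203.0.113.11 dport=25 proto=tcp",
    "ts=2024-03-01T10:00:06Z type=flow src=10.0.0.9 dst=198.51.100.99 dport=3333 proto=tcp",
]

KV = re.compile(r"(\w+)=(\S+)")


def parse(line: str) -> Dict[str, str]:
    """Split a key=value log line into a dict."""
    return dict(KV.findall(line))


def match_event(event: Dict[str, str], pool_domains: Set[str],
                pool_ips: Set[str]) -> Optional[Tuple[str, str]]:
    """Return (indicator_kind, indicator) if the event touches the feed, else None."""
    if event.get("type") == "flow":
        dst = event.get("dst")
        if dst in pool_ips:
            return ("ip", dst)
    elif event.get("type") == "dns":
        query = event.get("query", "").lower().rstrip(".")
        # Exact name or any label below a feed domain (e.g. eu.stratum.<pool>).
        for domain in pool_domains:
            if query == domain or query.endswith("." + domain):
                return ("domain", domain)
    return None


def detect(lines: List[str], pool_domains: Set[str] = POOL_DOMAINS,
           pool_ips: Set[str] = POOL_IPS) -> List[Dict[str, Optional[str]]]:
    """High-confidence alerts: connections to feed IPs or lookups of feed domains."""
    alerts = []
    for line in lines:
        event = parse(line)
        hit = match_event(event, pool_domains, pool_ips)
        if hit:
            alerts.append({"src": event.get("src"), "kind": hit[0],
                           "indicator": hit[1], "dport": event.get("dport")})
    return alerts


def port_only_observations(lines: List[str], pool_ips: Set[str] = POOL_IPS) -> List[str]:
    """Destinations reached on legacy mining ports that are NOT in the feed;
    worth a look, but not an alert on their own."""
    seen = []
    for line in lines:
        event = parse(line)
        if (event.get("type") == "flow" and event.get("dport") in LEGACY_MINING_PORTS
                and event.get("dst") not in pool_ips):
            seen.append(event["dst"])
    return seen


if __name__ == "__main__":
    for alert in detect(SAMPLE_LOGS):
        print("ALERT", alert)
    print("low-confidence port-only destinations:", port_only_observations(SAMPLE_LOGS))
```

The feed match fires on the connection to a pool IP over port 443 and on the one over port 25, neither of which a port-based rule would catch, while the flow to an unknown address on port 3333 is surfaced only as an observation. DNS queries are normalized (lower-cased, trailing dot removed) before comparison so resolver logs from different sources match consistently.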
GreyMatter, ReliaQuest’s SaaS security platform, provides a curated threat intelligence list of high confidence indicators, now including indicators for cryptomining pools, that can be integrated with network and endpoint technologies to increase the fidelity of detections in your environment.
ReliaQuest GreyMatter automatically collects, normalizes, and prioritizes threat intelligence in a consumable format for your SIEM and EDR. ReliaQuest GreyMatter processes all IoCs and only sends those with the highest fidelity, so your security controls report fewer false positives.