Play all

Intro

ryptomining malware is still a thing

Mining pools 101

We developed different strategies to identify Stratum servers

Let's hunt for interesting samples

Processing workflow (static analysis)

Here are some way to specify Stratum server

Dynamic analysis

Extracting Stratum configuration from PCAPS

Looking for stratum servers over the Internet

Search Engines for Connected Hosts

Keywords to identify stratum servers

Identifying Mining Pool Websites

Extracting config: JS config file + API call

Extracting config: parsing HTML

Extracting config: (Parsing HTML) + API Call

Stratum TCP Scanner

Collected data

Default ports?

Scanning Internet

Docker exploitations?

Killing the competition

Very persistent miner

Description:

Explore the world of cryptomining malware and mining pools in this NorthSec 2019 conference talk. Delve into strategies for identifying Stratum servers, hunting interesting samples, and conducting static and dynamic analysis. Learn various methods to specify Stratum servers, extract configurations from PCAPs, and search for connected hosts using specific keywords. Discover techniques for identifying mining pool websites, extracting configurations through JS files, HTML parsing, and API calls. Gain insights into Stratum TCP scanning, collected data analysis, and potential Docker exploitations. Understand the persistence of miners and the competitive nature of cryptomining malware.

Trick or Treat - Unveil the "Stratum" of the Mining Pools

NorthSec

Add to list

#Conference Talks #NorthSec #Information Security (InfoSec) #Cybersecurity #Network Security #Network Traffic Analysis #Programming #Software Development #Software Testing #Dynamic Analysis #Static Analysis

0:00 / 0:00