Investigating Cryptocurrency Malware Compromise on a Windows Server
This article will help us identify posible instances of cryptocurrency malware.
Symptoms
This are some of the symptoms that your server may present in the case of having a crypto malware:
- Server running slow.
- High CPU usage.
- High GPU usage .
- High bandwith use AND network connections to unusual endpoints
Checking CPU/GPU and directories.
- Check the status of your CPU/GPU, usually cryptocurrency uses both CPU and the GPU at 100% capacity.
- Check "C:\Windows\system32" for recently created ".dll" files.
- On the properties of these files you will notice that the "original filename" was test.dll
Checking Services and Task scheduler
- We can start "services.msc" to see the active services on our system.
- Check for services that does not have a description.
- Opening our Task Scheduler we can see tasks scheduled to be started at a certain time to makes sure the adware components are always present.
- You will notice that the task's Author is the servers administrator group or SYSTEM.
Checking Port connections.
- Using netstat or procexp we can check on what proccesses we are connected to.
- We have to keep an eye for the following ports as they are used by cryptocurrency malware: 14433, 14444, 3333, 3334, 3335, 3336, 4444, 45560, 45700, 5555, 5556, 6666, 7777, 8788, 8888, 8899, 9999
Checking Bandwidth Utilization
High sustained unexpected bandwidth utilization is often a common symptom.
Because attackers usually compromise systems intending to run a network
service on them, there might be a service running on the system, so listening
to an odd port could indicate a compromised server.
-
To review network connections for TCP, run the following command in PowerShell:
NetStat -naop 'TCP'
-
To review network connections for UDP, run the following command:
NetStat** -naop 'UDP'
-
To count specific connections, run one of the following commands:
NetStat** -naop 'TCP' find /c ":<port>"
NOTE: The Sysinternal TCP view offers alternative graphical tools
for this review.
This kind of malware is very difficult to find as it takes the root configuration as if it were an admin user, and the processeses take files or directories that are used by the OS.
A good recomendation to prevent this, is to block the port connections to well-known mining pools as the ones stated in this article, to keep our antimalware software up to date, and make the use of whitelist for applications.
If you ever find this kind of symptoms on your system reach out to the technical suppor as this could riks both the costumer and rackspace infraestructure.
You can check on this article if you want to know more specific things about cryptocurrency malware:
Detecting Cryptocurrency Mining in Corporate Environments
Related articles
For more information, review the following sources:
- Investigate a compromised Windows server - Rackspace
- Documentation to Sysinternals - Microsoft
- Live link to sysinternal tools - SysInternals
- Sophos AntiRootkit - Sophos
- Detecting Cryptocurrency Mining in Corporate Environments - SansOrg
Use the Feedback tab to make any comments or ask questions. You can also start a conversation with us.
Updated about 1 year ago