Black Hat reports: Lurk Downloader & cryptocurrency mining hijacker

2 billion mobile devices vulnerable: Black Hat report
2 billion mobile devices vulnerable: Black Hat report

During Black Hat Dell SecureWorks' threat reports included details on its research into the Lurk Downloader and hijacking attempts on large hosting companies' networks.

Dr. Stone-Gross at Dell SecureWorks Counter Threat Unit analysed the Lurk Downloader - malware hiding within digital information, such as a media file. Lurk's algorithm embeds encrypted URL's into an image by manipulating pixels to download and use secondary malware payloads. It is unlikely that intrusion prevention or detection systems are able to detect digital stenography concealed data, allowing Lurk to remain hidden.

In February, Lurk was spread through an HTML iFrame on websites, and viewers with vulnerable versions of Adobe Flash were infected with a DLL file. The DLL dropper downloads and extracts the DLL payload, which scans the system for security products, and if no threat is detected, the device is added to an integer array list which is sent to a command and control server. It then installs itself and creates a registry key ensuring its DLL will be loaded to the COM client specified by the CLSID, corresponding to Internet Explorer's PNG plugin image decoder. The payloads downloaded are used for click-fraud, it phones track.helpertrack.com to receive a compressed and encrypted click-fraud template.

Dr Stone-Gross discovered that the download URL could be found by examining the bytes of the encrypted pictures, and certain threat indicators can detect Lurk activity.

Pat Litke and Joe Stewart, also in the Dell SecureWorks Counter Threat Unit, Threat Intelligence division, reported on having researched a highjacker taking over large hosting companies' networks between February and May. The highjacker redirected cryptocurrency miners' connections to a highjacker-controlled mining pool, and collected their profit. The highjackers redirected legitimate mining traffic to a malicious server, posing as a legitimate pool.

Research into the highjacking attempts found that the highjackers attempted to broadcast illegitimate routes on BGP for an entire week, unnoticed by crypto-currency mining communities, suggesting initial highjacks were unsuccessful. BGP is an external routing protocol connecting internet networks, and making them aware of other networks' existence. Both ends of connected networks must be manually configured to communicate, ensuring malicious networks can't highjack traffic without intervention from a legitimate network.

Researchers contacted a miner who lost profits, and observed the correlation of highjacking events and payouts normally received from his mining pool. The highjacked mining pool meant many crypto-currencies were impacted. The protocol made it impossible to identify which ones, but the activity has been traced to specific addresses. By adding a firewall rule to block traffic to the highjackers' mining server, the miner rejected the hijack on April 11th, and his payments returned to normal.

SC Webcasts UK

Sign up to our newsletters

FOLLOW US