BSidesTLV 2018 Recap - Nothing like 127.0.0.1

Last week I had the pleasure of giving a talk about the evasions of Cryptominers with Thomas Roccia at BSidesTLV2018.

Right from the start, at the entrance to the venue, you could notice the amount of work and thinking the BSidesTLV team invested in making it as fun and welcoming as possible for everybody. While in the registration line I noticed how much focus the organizers put on the little details, and the excitement level started to climb. After finishing the registration and getting our badges, we walked into the main hall, an auditorium which was already pretty full, and on the podium Omer Zohar was speaking about his research on UnblockableChains. Finding a seat, I got my first swag for the day thanks to Virusbay.

After a few more great talks and a short lunch break, it was our turn to speak. Yet again the event team did a great job, making sure everything was set up correctly and that we were comfortable with the setting: checking our mics and laptop, making sure the video was working and our slides were in focus. We even found some time to play with a beach ball on stage as everybody was getting back in.


Personally, I believe the atmosphere prior to our talk really made a difference. Presenting in such a welcoming environment can't possibly go wrong. Both Thomas and I spoke about the overall problem and rise of cryptominers, discussed the evasion tactics they use for bypassing security products and hiding from power users, dove into case studies and examples of such behavior, offered defensive tactics and finally did some gambling predicting what's coming next.


To make a long story short, I had so much fun; there is nothing like participating and presenting at your local BSides chapter. The fantastic atmosphere, seeing all the familiar faces, meeting and drinking with friends and, of course, learning from all these smart people combined to make it a super fun event.

BSidesTLV2018 was EPIC, can't wait for next year.

The slides for our full talk are available here:

I will also upload the full video when it is ready.
Big kudos and thank you to the BSidesTLV team, you guys are fantastic.

Video has been released:


CoinMiners Samples

Due to many requests, we decided to share the related malware samples from the presentation.

You can download the samples from the link below.

By downloading the samples, you are agreeing that they are only going to be used for research purposes, and you understand that these are malicious malware samples which can heavily damage your systems if not handled in a secure sandbox environment.

Also, if you decide to use them or learn from them for malicious intentions, you suck.


Please make sure you take proper security steps, such as using a sandbox and an isolated environment.

This file was uploaded for research and defense purposes only. If you plan to use this for malicious reasons, you suck.

Malware Samples