We’re migrating product documentation to docs.vmware.com, starting with Carbon Black Cloud. Learn more.

Cryptomining Rapid Config

Cryptomining Rapid Config

What is Cryptomining?

In order for people to obtain cryptocurrency without purchasing it, the currency needs to be mined. Mining uses the processing power of a computer to solve mathematical problems with hashing functions to mine “coins.”

Obviously, having computers running cryptominers becomes a problem when people within and outside of your organization are using your systems without your knowledge. Mining can impact your business processes and electricity bills.

How can Cb Protection Help?

Customers with their endpoints running Cb Protection in High Enforcement will likely be protected from the majority of cryptoming processes. But for added protection or for those endpoints that have not yet moved to High Enforcement (or are not planned for High Enforcement), the Cryptoming Rapid Config can help.

Rapid Config Details

The Cryptomining Rapid Config focuses on blocking or reporting on executables and command lines matching specific parameters.

Executables

As with most Rapid Configs you can choose to Do Nothing, Report, or Block the items or behaviors in the section. This Rapid Config consists of a single section which defaults to reporting on Cryptomining file executions.

In the process of researching Cryptominers our Threat Research team determined that the majority of these executables had the following filenames or paths:

  • *\streamerData\*
  • *\streamer\*
  • *\cpuminer.exe
  • *\xmrig.exe
  • *\mvlover\*
  • *\cpuchecker.exe
  • *\newcpuspeedcheck\*
  • <windows>\Taskhost.exe

You might be wondering why taskhost.exe is on that list. While taskhost.exe is a Windows process, it’s doesn’t reside in the Windows directory, the legit taskhost.exe location is in the system32 directory. So if taskhost.exe is running out of the Windows directory, it is likely a malicious file.

crypto 1.png

If you are getting blocks or reports on legitimate files because of this list of executables, you can add exceptions. For example, if you have an internally developed application that resides at C:\Program Files\MyBiz\streamer\ and it is getting blocked, you could add the application name to the exception list like *\streamer\myapp.exe.

Command Lines

There are several common parameters that are used by cryptoming tools when they are launched. These commands are:

  • -coinbase-addr
  • -coinbase-sg
  • -algo
  • -cputest
  • -cpu-priority
  • -cpu-affinity

Using the cmdline macro, the Cb Protection Windows agent can look for any of these parameters when an executable is launched. If it sees any process launching with any of these parameters, the process will be terminated.

crypto 2.png

Just like with the executables you can add exceptions to this list. For example, if you have an executable called myapp.exe that uses a -cpu-affinity parameter, you can exclude your application from being blocked or reported on by adding this <cmdline:*-cpu-affinity*>myapp.exe in the Command Lines That Should Not Be Reported area.  

Labels (1)
Tags (1)
Comments

 Will this cause any issue with 7.x agents?  i know it only works on 8.x but would be nice to apply to all policies and as we upgrade we have this already good to go.

Article Information
Author:
Creation Date:
‎01-11-2019
Views:
388
Contributors