XMR Detection and Removal Procedures

Update - March 28th, 2018 3:30 PM Eastern US Time

The XMR.xml and XMR_Log.xml files have been updated to version 5 in order to detect and remove the Monero (XMR) Cryptocurrency Miner software based on the storage location changes on the endpoint. The payload used by the attacker has changed; the changes to the script cover a payload called OneDriveStandaloneUpdater.exe and the files associated with the attack.

It is recommended to run these scripts if your server is not on: 9.3.0.35 or later, 9.4.0.36 or later, or 9.5.0.5 or later.

Update - February 16, 2018 9:00AM Eastern US Time

The XMR.xml and XMR_Log.xml files have been updated to version 4 in order to detect and remove the Monero (XMR) Cryptocurrency Miner software based on the storage location changes on the endpoint.  While the payload is the same (Monero (XMR) Cryptocurrency Miner software), the registry keys where the software is launched from have changed.  Specifically, version 4 now adds the following registry key checks for detection and removal:

HKLM:\SOFTWARE\Microsoft\Tcpip\a

HKLM:\SOFTWARE\Microsoft\Tcpip\b

HKLM:\SOFTWARE\Microsoft\Tcpip\c

HKLM:\SOFTWARE\Microsoft\Tcpip\d

HKLM:\SOFTWARE\Microsoft\Tcpip\x

It is recommended customers run this updated procedure on their systems.

Update - February 5, 2018 2:45 PM Eastern US Time

Updated XMR.xml and XMR_Log.xml to version 3 to detect and remove additional registry entries (listed at the end of this document) and to add the download site IP=191.101.20.254 in addition to the Dropbox URLs. It is recommended customers run this updated procedure on their systems.

Overview

This document presents automated methods to detect and remove Monero (XMR) Cryptocurrency Miner software if it is present on endpoints. The Monero (XMR) Cryptocurrency Miner software is downloaded from Dropbox and writes to several registry keys; the technical details are provided in Section III at the end of this document.

This guide can be used for both SaaS and on-premises VSAs.

I. Automated Detection Agent Procedure

Detection Option 1 (Recommended) - Agent Procedure with Custom Fields

The VSA allows up to a maximum of 40 custom fields. If you are already using all 40 custom fields, please use Detection Option 2 - Agent Procedure Log, detailed later in this document.

This Option will import two Agent Procedures, a View and a Report which will allow you to scan endpoints to determine if they have been affected by the Monero Miner (XMR) software.  It populates a custom field with “System Affected” or “System Unaffected” enabling you to determine if endpoints have been impacted.  

Steps:

  1. Create New Custom Field called XMR - Navigate to Audit -> View Individual Data -> Machine Summary.  Select any machine and the right frame will load information about that machine.  In the right-hand frame under the “Summary” tab, click the button for “New Custom Field” and in the dialog pop-up, name the new custom field XMR as type = string.  The new custom field must be named: XMR.
  2. Import XMR.xml - Navigate to System -> Server Management -> Import Center and import the attached XML file (attached at the bottom of this document) which is named XMR.xml.
  3. This will import 2 agent procedures, a view,  and a report.
  4. Edit the new XMR View - Navigate to any page that has views in the top right, Agent->Agents->Manage Agents for example. Near the top right of the screen click the View drop-down and select the View titled: XMR. Click the Edit button and in the dialog box scroll to the bottom of the list. In the section called “Advanced agent data filter - Define Filter…” click the Define Filter button. Scroll to the bottom and you will see a field called XMR; in the data field enter “System Affected” (including the quotes) and save the view.
    • Note: There are certain conditions in which "System Affected" is not associated with the correct Custom Field within the view > Define Filter. Ensure that the XMR custom field has the "System Affected" value and the rest of the values are wildcards (*).
  5. Schedule XMR Endpoint Check Agent Procedure - Navigate to Agent Procedures->Manage Procedures->Schedule/Create. Locate/search for the procedure called "XMR Endpoint Check" and schedule the procedure to run on all agents (please distribute this to run over a period of time to avoid impacting performance). The procedure will populate the custom field (XMR, created above) with "System Affected" or "System Unaffected".
  6. Determine if any systems are affected using XMR View - After the procedure has run, you can now view any affected systems by selecting the View=XMR.  This View will only show machines that returned System Affected (blank results indicate no machines were found to be affected).

Alternatively, you can determine if any systems are affected by editing and running the XMR report that was imported. Follow the steps below to edit the XMR report.

  1. Navigate to Info Center->Reporting->Reports and locate/search for the report called XMR.
  2. Select the XMR report and click the button for Edit. You will see an image of a table in the middle of the screen and in the top header there are icons for “configure” (a gear icon) and save (a disk icon) - click the “Configure” (gear) icon.
  3. In the “columns” section, scroll down until you see the custom field you created called XMR and drag it to the right as a column in the report.  Delete the row that is the default “Custom Field 01” as it is not needed and then click Next.
  4. On this page, you can add groupings and order by, or just click Next to leave the default.
  5. Under Advanced Filters, change the Custom Field 15 to the custom field you created called XMR, click Finish and then Save the changes.
  6. You can now select the XMR report and click Run Now from the top navigation bar and it will run the report (which will ONLY contain data if systems are affected - if it is blank, no endpoints are affected).

Detection Option 2 - Agent Procedure Log


The VSA allows up to a maximum of 40 custom fields.  If you are not already using all 40 custom fields, we recommend skipping this section and using Detection Option 1 - Agent Procedure with Custom Fields that is detailed in the section above.

This Option will import two Agent Procedures and a Report which will allow you to scan endpoints to determine if they have been affected by the Monero Miner (XMR) software.  It populates the Agent Procedure Log with “System Affected” or “System Unaffected” enabling you to determine if endpoints have been impacted.  

Steps:

  1. Navigate to System -> Server Management -> Import Center and import the attached XML file (attached at the bottom of this document) which is named XMR_Log.xml.
  2. Navigate to Agent Procedures->Manage Procedures->Schedule/Create. Locate/search for the procedure called "XMR Endpoint Check (Log)" and schedule the procedure to run on all agents (please distribute this to run over a period of time to avoid impacting performance). The procedure will write “System Affected” or “System Unaffected” into the procedure log.
  3. After the procedure has run, navigate to Info Center->Reporting->Reports and locate/search for the XMR (Log).  Running this report will display any agents that have the text “System Affected” in their agent procedure logs (a blank report indicates no affected systems were found).

II. Automated Removal Agent Procedure

The following steps will run an Agent Procedure to automatically remove the Monero (XMR) Cryptocurrency Miner software from endpoints.  Please note, this Agent Procedure will stop PowerShell if it is running to ensure the software can be completely removed.  After the Agent Procedure has completed, please reboot the endpoint to ensure the removal is completed. 

  1. Navigate to Agent Procedures ->Manage Procedures -> Schedule / Create and click the button in the top header called “Manage Files”.  In the dialog pop-up, select the link for “Shared Files” and create a “New Folder” called XMR.  The new folder must be named: XMR.
  2. Click the link to your new folder, called XMR, and then click the button “Upload Files” and upload the attached file (attached at the bottom of this document) named: CacheTask and sihboot.xml.
  3. Navigate to Agent Procedures->Manage Procedures->Schedule/Create. Locate/search for the procedure called “XMR Endpoint Cleanup” or “XMR Endpoint Cleanup (Log)” - whichever option you had used to detect the software in the above section.
  4. Schedule the procedure to run on all endpoints that you found to be impacted (please distribute this to run over a period of time to avoid impacting performance).  
  5. After the Agent Procedure has completed, it is required to reboot the endpoint to complete the removal.

III. Technical Information for Manual Removal

The Monero (XMR) Cryptocurrency Miner software (xmrig.exe) is downloaded from various Dropbox URLs (hxxps://dl[.]dropboxusercontent[.]com/s/*) and from the IP 191.101.20.254. It stores the software in various registry keys plus an additional key which creates a task entry to run the software. The manual steps to remove the software from the endpoint are:

1. Stop PowerShell if it is running.

2. Check for the existence of the following registry keys and delete them:

HKLM:\SOFTWARE\Microsoft\Powershell\Scripts\a

HKLM:\SOFTWARE\Microsoft\Powershell\Scripts\b

HKLM:\SOFTWARE\Microsoft\Powershell\Scripts\c

HKLM:\SOFTWARE\Microsoft\Powershell\Scripts\d

HKLM:\SOFTWARE\Microsoft\Powershell\ScriptInit

HKLM:\SOFTWARE\Microsoft\Policies\Start

HKLM:\SOFTWARE\Microsoft\Policies\System

HKLM:\SOFTWARE\Microsoft\Policies\System\a

HKLM:\SOFTWARE\Microsoft\Policies\System\b

HKLM:\SOFTWARE\Microsoft\Policies\System\c

HKLM:\SOFTWARE\Microsoft\Policies\System\d

HKLM:\SOFTWARE\Microsoft\RemovalTools\a

HKLM:\SOFTWARE\Microsoft\RemovalTools\b

HKLM:\SOFTWARE\Microsoft\RemovalTools\c

HKLM:\SOFTWARE\Microsoft\RemovalTools\d

HKLM:\SOFTWARE\Microsoft\RemovalTools\x

HKLM:\SOFTWARE\Microsoft\RemovalTools\1

HKLM:\SOFTWARE\Microsoft\Tcpip\a

HKLM:\SOFTWARE\Microsoft\Tcpip\b

HKLM:\SOFTWARE\Microsoft\Tcpip\c

HKLM:\SOFTWARE\Microsoft\Tcpip\d

HKLM:\SOFTWARE\Microsoft\Tcpip\x

3. Open Task Scheduler and remove any entries that have Actions as follows (* are wildcards):

*HKLM:\SOFTWARE\Microsoft\Powershell").ScriptInit*

*).Start*

*HKLM:\SOFTWARE\Microsoft\RemovalTools").x)*

4. Open Task Scheduler and, in the left-hand frame, navigate to Task Scheduler Library->Microsoft->Windows->Wininet and select it.  In the right middle top frame select CacheTask and then in the middle bottom frame select Actions.  Remove any entries that are running a PowerShell script.  Normally, the only entry will be “Custom Handler”.

5. Open Task Scheduler and, in the left-hand frame, navigate to Task Scheduler Library->Microsoft->Windows->WindowsUpdate and select it. In the right middle top frame select sihboot and then in the middle bottom frame select Actions. Remove any entries that are running a PowerShell script. Normally, the only entry will be “Start a Program - %windir%\system32\tzsync.exe”.

6. Open Task Scheduler and, in the left-hand frame, navigate to Task Scheduler Library->Microsoft->Windows->Time Zone->SynchronizeTimeZone and select it. In the right middle top frame select sihboot and then in the middle bottom frame select Actions. Remove any entries that are running a PowerShell script. Normally, the only entry will be “Start a Program - %systemroot%\System32\sihclient.exe /boot”.

7. Reboot the endpoint and ensure the scheduled tasks no longer exist.
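The following PowerShell script is an added example written for this article; it is not the XMR.xml or XMR_Log.xml agent procedure that Kaseya ships, and it is not the attacker's code. It checks the same indicators the Section I procedures report on (the registry keys from the version 4 update and from step 2 above, the task action patterns from step 3, and the three system tasks from steps 4 to 6) and prints "System Affected" or "System Unaffected" so an agent procedure could capture the result. With -Remove it carries out the manual cleanup. Assumptions made here: the ScheduledTasks module is available (Windows 8 / Server 2012 or later); the task meant in step 6 is \Microsoft\Windows\Time Zone\SynchronizeTimeZone; some of the listed "keys" (ScriptInit, Start) may actually be registry values, since the task actions in step 3 read them as values, so both forms are tested; and the script never stops its own PowerShell process. The file name Invoke-XmrCheck.ps1 is hypothetical.

```powershell
<#
  Added example for this article (not Kaseya's XMR.xml / XMR_Log.xml procedure).
  Audits a Windows endpoint for the registry and scheduled-task indicators in
  Sections I and III and prints "System Affected" or "System Unaffected".
  With -Remove it also performs the Section III cleanup. Run elevated.
#>
param([switch]$Remove)

# Registry items from Section III step 2 (includes the v4 Tcpip keys).
$XmrKeyGroups = @{
    'HKLM:\SOFTWARE\Microsoft\Powershell\Scripts' = @('a', 'b', 'c', 'd')
    'HKLM:\SOFTWARE\Microsoft\Policies\System'    = @('a', 'b', 'c', 'd')
    'HKLM:\SOFTWARE\Microsoft\RemovalTools'       = @('a', 'b', 'c', 'd', 'x', '1')
    'HKLM:\SOFTWARE\Microsoft\Tcpip'              = @('a', 'b', 'c', 'd', 'x')
}
$XmrRegistryItems = @(
    'HKLM:\SOFTWARE\Microsoft\Powershell\ScriptInit'
    'HKLM:\SOFTWARE\Microsoft\Policies\Start'
    'HKLM:\SOFTWARE\Microsoft\Policies\System'
)
foreach ($base in $XmrKeyGroups.Keys) {
    foreach ($leaf in $XmrKeyGroups[$base]) { $XmrRegistryItems += "$base\$leaf" }
}

# Task action patterns from Section III step 3, used as PowerShell -like wildcards.
$XmrActionPatterns = @(
    '*HKLM:\SOFTWARE\Microsoft\Powershell").ScriptInit*'
    '*).Start*'
    '*HKLM:\SOFTWARE\Microsoft\RemovalTools").x)*'
)

# Legitimate tasks that steps 4-6 say receive an extra PowerShell action.
# The Time Zone entry is this example's reading of step 6 (an assumption).
$HijackedTasks = @(
    @{ TaskPath = '\Microsoft\Windows\Wininet\';       TaskName = 'CacheTask' }
    @{ TaskPath = '\Microsoft\Windows\WindowsUpdate\'; TaskName = 'sihboot' }
    @{ TaskPath = '\Microsoft\Windows\Time Zone\';     TaskName = 'SynchronizeTimeZone' }
)

# Returns 'Key' if the path is a registry key, 'Value' if its leaf is a value
# under the parent key (as the step 3 actions read ScriptInit), otherwise $null.
function Test-XmrRegistryItem {
    param([string]$Path)
    if (Test-Path -LiteralPath $Path) { return 'Key' }
    $parent = Split-Path -Path $Path -Parent
    $leaf   = Split-Path -Path $Path -Leaf
    if (Test-Path -LiteralPath $parent) {
        $props = Get-ItemProperty -LiteralPath $parent -ErrorAction SilentlyContinue
        if ($props -and ($props.PSObject.Properties.Name -contains $leaf)) { return 'Value' }
    }
    return $null
}

$findings = New-Object System.Collections.Generic.List[string]

# Step 1: stop other PowerShell hosts, never this script's own process ($PID).
if ($Remove) {
    Get-Process -Name powershell, pwsh -ErrorAction SilentlyContinue |
        Where-Object { $_.Id -ne $PID } | Stop-Process -Force
}

# Step 2: registry indicators (keys removed recursively, values individually).
foreach ($item in $XmrRegistryItems) {
    $kind = Test-XmrRegistryItem -Path $item
    if (-not $kind) { continue }
    $findings.Add("Registry $kind present: $item")
    if ($Remove) {
        if ($kind -eq 'Key') { Remove-Item -LiteralPath $item -Recurse -Force }
        else { Remove-ItemProperty -LiteralPath (Split-Path $item -Parent) -Name (Split-Path $item -Leaf) -Force }
    }
}

# Step 3: any task whose action command line matches the attacker patterns.
foreach ($task in Get-ScheduledTask) {
    foreach ($action in $task.Actions) {
        $cmd = "$($action.Execute) $($action.Arguments)"
        if ($XmrActionPatterns | Where-Object { $cmd -like $_ }) {
            $findings.Add("Task with XMR action: $($task.TaskPath)$($task.TaskName)")
            if ($Remove) { Unregister-ScheduledTask -TaskPath $task.TaskPath -TaskName $task.TaskName -Confirm:$false }
            break
        }
    }
}

# Steps 4-6: hijacked system tasks; strip only the PowerShell action, keep the rest.
foreach ($t in $HijackedTasks) {
    $task = Get-ScheduledTask -TaskPath $t.TaskPath -TaskName $t.TaskName -ErrorAction SilentlyContinue
    if (-not $task) { continue }
    $bad  = @($task.Actions | Where-Object { "$($_.Execute) $($_.Arguments)" -like '*powershell*' })
    if ($bad.Count -eq 0) { continue }
    $findings.Add("PowerShell action in $($t.TaskPath)$($t.TaskName): $($bad[0].Execute) $($bad[0].Arguments)")
    if ($Remove) {
        $keep = @($task.Actions | Where-Object { "$($_.Execute) $($_.Arguments)" -notlike '*powershell*' })
        if ($keep.Count -gt 0) { Set-ScheduledTask -TaskPath $t.TaskPath -TaskName $t.TaskName -Action $keep | Out-Null }
        else { Write-Warning "Every action of $($t.TaskName) runs PowerShell; left for manual review" }
    }
}

$findings | ForEach-Object { Write-Output $_ }
if ($findings.Count -gt 0) { Write-Output 'System Affected' } else { Write-Output 'System Unaffected' }
```

Run `.\Invoke-XmrCheck.ps1` from an elevated prompt to audit only (the default is read-only), and `.\Invoke-XmrCheck.ps1 -Remove` to clean up, then reboot as the last manual step requires. The hijacked system tasks are edited rather than deleted because CacheTask, sihboot and the time zone task are Windows' own; only the added PowerShell action is removed, and the script refuses to leave one of them with no actions at all.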
