Detection Malware

How Hackers Create Bitcoin Mining Network?

In this article, we will talk about the hackers who set up a Bitcoin mining network.

We created a fake e-commerce website in hopes of seeing an interesting situation.

Then,  we wrote a C # application that will send me the applications, processes and software installed on the device as an e-mail, when it is run.

We have sent “Password Shower.exe” (the application that will mail the information to me) and the encrypted “Bitcoin Wallets.rar” file to my Ubuntu server whose username and password are “root”. Our goal here was for the attackers to pull the .exe file into Windows environments and learn what tools they used there. Although it was obvious that there was a trap, we started to wait if it did.

If you want to investigate security cases about cryptocurrency, can use online blue team lab for free.

3 days later the server was accessed and after seeing the “Bitcoin Wallets.rar” file, the attacker ran the malicious .exe file on her/his machine.

The same day, the attacker had installed the Bitcoin miner software on my Ubuntu machine. When we examined how much the processes and processes running on our server use CPU power, we saw that almost all the power of the CPU is used for crypto money mining.

We listed to the directory where the mining software was installed and found the Bitcoin address of the attacker in the “” file.

When we searched for the wallet address on the site, I saw that he/she has not yet earned an income.

Before the miner software was installed, we noticed the abnormal increase in bandwidth and looked at the bash history and examined the commands the attacker ran.

When we examined the commands that the attacker ran, we saw that he downloaded the .zip file from “” and executed the “fnlg” file in the zip file. Likewise, we downloaded the file on the virtual machine and started investigation.

fnlgShell script
filtruShell script
cleanlogsShell script
pass.fnlASCII Text

When we looked inside the bash script “fnlg”,  first saw that it runs “cleanlogs” and other software respectively.

As can be seen from the contents of the “cleanlogs” file, it destroys the log files.

We ran Wireshark and the “fnlg” file in the zip on our virtual machine, started monitoring the traffic, but could not observe any different behavior. In the Hybrid-analysis reports, we saw that the files were detecting the virtual environment by checking the “CPUID”.

We raised a new server from DigitalOcean to continue the analysis, started writing all the traffic to the pcap file with “tcpdump” and ran the “fnlg” script.

The script started scanning 22 ports of all IP addresses, starting with 46, which we gave as a parameter.

Then it tried to establish an ssh connection with addresses with open ports and tried to brute-force login to IP addresses where it could get a response.

Finally, it printed the IP addresses that it can log in with SSH on the screen

As a result, we see that the attacker can use the servers he/she has captured using the strength of weak passwords both for Bitcoin mining and to have more servers. Although he/she does not use high-level techniques, he/she can get what he wants.

Share on social media