
So my name is Joshua Reynolds, and welcome to Mo Monero Mo Problems. I just wanted to give a brief introduction as to who I am. I am currently a senior technical analyst with CrowdStrike, where I do a large amount of reverse engineering and intel analysis on various actors. I previously was at Cisco in a similar capacity, but I was working on the product front, so I was producing indicator content for two product lines. And as mentioned, I am one of the co-founders of YEGSEC. If you are not part of our community yet and you'd like to become a part of it, even if you're not necessarily in Edmonton all the time, we'd still love to have you in our Slack and become a part of the community. You can ping us, YEGSEC, on Twitter; that's probably the easiest way to get an invite, and we usually provide consistent updates on that platform. I'm also the co-author of the SAIT malware analysis course that is a part of their information security systems diploma. They started a two-year program that you can do, and in the second year, actually this semester that's starting, is the first time that malware analysis course is going to be taught, so that's pretty exciting. And if you want to hit me up, that's my Twitter handle there at the bottom.

When I was thinking about concepts for this talk: I really like hip hop and I really like Biggie, so that's kind of a play on words for the title. And as pretty much everybody in this room knows, cash pretty much rules everything around you, and this is the same thing with criminal threat actor groups. They need recurring revenue as well, because they have bills that need to be paid: they have to pay their rent, they have to buy their family's food, etc. A large amount of these groups live in countries where they don't have a lot of choices in terms of professional careers. I was lucky enough to have a prosperous security career in Canada, but not a lot of these guys have the same kind of choices that I do. Not to shine a limelight on these guys, but just to give you some other motivational perspectives: they have to make money too. So this is a quote from a Biggie song that is quite good as well, if you want to check it out.

Specifically, I wanted to talk about Monero today, because this is the primary cryptocurrency that's being mined by malicious cryptocurrency miners, and I'll talk about how exactly and why that is. Just a brief overview of what Monero is: it is a cryptocurrency based on the CryptoNote protocol, so unlike most of the popular cryptocurrencies it is not a fork of Bitcoin; it was built from the ground up, and they established what's called an egalitarian proof of work. For most cryptocurrencies you have a proof of work that basically says that you did some amount of work in order to receive a part of the currency, or a block on most blockchains, and in this instance they try to make it as accessible to any computing device as possible, so everybody has a vote; that's the egalitarian term. They also implemented a number of privacy features, so I'll now go through those. It is much more private than Bitcoin, which essentially has every transaction, every address and every transaction between those addresses published to its blockchain, which will be there forever. So I'll go over those concepts.

Just to quickly go over the CryptoNight protocol, which is that egalitarian proof of work: it is ASIC resistant. For those of you who are not involved in the crypto space, ASICs are essentially specialized computing devices for calculating SHA-256 hashes at a very rapid rate. Those are usually done on graphics cards, because they allow increased performance over normal CPUs. So what these guys did with the CryptoNote protocol, sorry, CryptoNight protocol, is that they made it memory-bound, so it's very difficult to make ASICs have good performance when there's a memory requirement. They made this two megabytes in size, so this fits quite well within the L3 cache of most modern CPU cores, and therefore in theory it would have rapid access to that L3 cache. They also made it so it requires random access to RAM, which is also difficult to implement on ASICs, and they've also required the use of CPU instructions that are difficult to emulate on GPUs. If you look at, like I looked at, the XMRig source code, they have a number of Intel instructions on the x86 version that are specialized when conducting the actual mining process.

I just wanted to go through the privacy features as well, as mentioned. The way that transactions are performed in payments in cryptocurrency is that they are signed. If I sign a transaction and publish that to the blockchain, then that transaction is going to go to the receiver, but also, since I've signed that with my private key, you can say that I signed that transaction and therefore it originates from me. The way that Monero gets around this is they have what's called group signatures. It's essentially a crypto implementation that says, okay, well, the transaction originated from this group of signatures; it was signed by this group, but it's not necessarily tied to a specific individual. There's no way you can prove that I myself, who is a part of that group, had submitted that transaction. They also generate one-time addresses for anonymous transactions. Within Bitcoin, for instance, you can see a particular transaction occurred with a transaction address, but in Monero that's not possible, because if I was to send a payment I would give what's called a stealth address, and then they actually derive a one-time key from that stealth address, which is then used for the transaction. So it's all done with one-time keys. It's kind of like having a burner phone where you call your drug dealer or whatever, and then you break the phone, like in all the movies, right? So that's kind of the
approach they've taken from a cryptographic point of view, which is quite cool.

So what is malicious mining, though? It's essentially making use of an infected machine for mining whatever cryptocurrency that you'd like. It's gaining popularity with a large number of different botnets and malware distributors. I believe it was initially gaining a lot of popularity because cryptocurrency was gaining so much popularity, and therefore the prices were very, very inflated, in my opinion, and this provides recurring revenue. If you have a large amount of infected systems and you're mining on those infected systems on a monthly basis, you're constantly making revenue, whereas with things like ransomware you're not going to be making that revenue back; you're going to be essentially getting a one-time payment, possibly, by encrypting everybody's files. The other point is that this is much less invasive than things like ransomware, because you're pretty much just using up CPU cycles and people's electricity rather than having an invasive tactic of making people never be able to get their photos back, and things like that. So I think this is why a lot of malware authors are moving to this.

And why do they mine Monero specifically? Well, you can probably guess by what I've alluded to earlier: there's an increase in anonymity, and the egalitarian proof of work provides a means of doing this mining on commodity hardware, so the average CPU is still decent at mining this cryptocurrency, whereas for something like Bitcoin, CPUs are not very good. When you infect a system as a malware author, it is more often than not going to just be commodity hardware, because the average person just has the average computing power, right? The mining difficulty is also fairly low. For those of you who still try to mine Bitcoin, it is fairly difficult in comparison to the mining farms in China and things like that, who have massive computing power. And it's used in underground markets. A lot of these guys will buy kits in order to distribute their malware, like document kits that will generate a large amount of obfuscation, and they'll rent out botnets for spam distribution and to do all these things, and typically they'll do payments in cryptocurrency rather than using something like PayPal. You do that for anonymity, and a lot of underground markets, like the Silk Road, or similar to what the Silk Road was, accept payments in Monero as well. When I initially came up with this concept for this talk, and when I was doing a large amount of this research in like January of this year, things were exploding, right? You had ridiculous gains in every single cryptocurrency, not just Monero, and that was resulting in a lot of these guys being able to cash out and buy like islands. Like, I'm pretty sure some of the ransomware authors just cashed out, and like TeslaCrypt gave up their master key. I don't know if they're still around, but they probably could have cashed out and just retired, essentially. That's how crazy the gains were in January.

So let's talk about mining pools. Essentially this is the concept of shared processing power being used from many different nodes in order to mine a single block. You can think of kind of the same concept as SETI@home: in the search for extraterrestrial life you have a large amount of CPU instructions that need to be executed, and the SETI organization provided a means of doing this by just offering up your CPU cycles, which is pretty cool. It's the same concept, essentially. Based on the amount of hash rate you provide, the block that you mine as a group is then split up accordingly, and since you have increased hashing power between a large amount of different computers within that single pool, then you have obviously an increased likelihood of finding a block, because you have many more transactions that are occurring. This is an example of a pool, minexmr.com. They provide some pretty interesting statistics. When I took this screenshot in August they were peaking at over 500,000 connections per, I believe that's per second, and then their hash rate was hitting around 120 megahashes per second, which is enormous if you're kind of involved in the crypto space, or well, it's enormous from my perspective. So that's pretty interesting, and then they provide some other cool statistics, like the difficulty level, the block count, when payments were sent out and things like that. This is actually really useful for tracking malware authors, and we'll kind of go into that.

But why do malware authors use mining pools? Well, there's a few interesting advantages to using a pool. You don't really need a wallet on the endpoint system; you just need a unique identifier. More often than not it'll just be a wallet address that they provide to the pool in order to say, hey, I did this mining. They also commonly make use of open source clients like XMRig. This is a screenshot of the Hybrid Analysis sandbox output, and basically it's just showing the process command-line arguments. In this instance wscript.exe was being used to execute a VBS script, and this subsequently executed a mining application. These parameters are essentially just what's needed for the XMRig miner application, and as you can see the -o parameter is providing the stratum protocol, which is essentially the communication protocol with the mining pool, and the mining pool is provided as well, and the accompanying port, and then the unique identifier; in this case they are providing a wallet address. As I kind of alluded to, it's really good for intel. If you can get a wallet address, I can get a whole bunch of different information from these mining pools that they publicly publish. What's cool is more often than not you can see the number of infected systems based on a wallet address, because all this information is freely available within the pool. You can also see their hash rate and, most importantly, what's kind of of most interest to most people, the number of
mined blocks. This is essentially the amount of currency that has been mined from this address, or sorry, that's being provided to this address as payment for mining. You can also report these addresses to the public mining pools and get them banned, so that's a pretty fun hobby, because you can essentially cut the head off of a lot of these operations. They rely on these mining pools in order to generate currency, and if you report the address to the pool they can no longer do so. But because you can get banned from the mining pools, these guys have subsequently been rolling their own pools. This is quite interesting, in that you see more and more people rolling their own pools, and we'll look at a malware variant that does that.

Here is an example. I took this address from some commodity mining malware and looked it up on minexmr.com, and then you get a whole bunch of history pertaining to that address. You can get things like the average hash rate and total paid, so 111 XMR. I didn't really look at the price this morning for Monero, but I think it's around like 11 grand US, which is pretty good. And then you can get all their transaction history and stuff like that. So this is really good for intel work.

As there's a large amount of blue teams in this audience, I wanted to provide a way for most of you to be able to track and stop these infections, so after every section I'm going to provide some blue team highlights. This list is really good and is frequently updated by ZeroDot1, and you can use these mining pool addresses to track infections in your environment. If you look at all of your DNS lookups in your environment and you see one for, say, minexmr.com, it's likely that you have a mining infection. You can also sinkhole these addresses. There are some semi-legitimate ones, based on what you allow for your browsing policy in your environments, but if you just sinkhole all the addresses, the malware won't be able to connect to the pools and therefore won't be able to mine. I also suggest taking a look at your process command-line arguments for things like stratum. I just provided a really basic regex, stratum+tcp. There won't be any legitimate applications that I'm aware of that will include those command-line arguments. You can also look for hosts within the command-line arguments themselves, but obviously that will be fairly taxing, because the list is quite large.

So let's talk about infection vectors, though. Like I've alluded to the malware, but how is it actually going to get into your environments? The predominant technique is called malspam. This is just a generic term that the industry uses to refer to any malicious spam that has attachments that can be used to gain code execution within your environment. Typically this malspam will just be an attachment that downloads and executes malware, or contains malware in and of itself. You can actually ship like a full PE binary within a Microsoft Word document, and these are a couple of examples. Macros, VBA macros, can gain full code execution, unsandboxed code execution, on your machine. Just hitting that enable macros button in Microsoft Word, they can get full access to your userland processes and things like that. You can also embed an OLE object. If you drag and drop an executable into Microsoft Word and you double-click on that executable, then it will actually open and execute. There's a few warnings, but most people will just fall for them. There have been instances where miners have been shipped using document exploits as well, and scripts: all these scripting file types can be used to gain access to ActiveX controls, and then they can gain code execution on your machine as well. I'll be going over how to get around a lot of these issues from a blue team perspective, but let's go into an actual example.

This is an example from malware-traffic-analysis. It's a public website that you don't need to register for or anything like that. Brad, who runs it, is really good at getting new content out, and he gives everything, so you get like a pcap, you get all the files involved, and you can do whatever analysis you want. I basically took something that he did an ISC diary on and then expanded it out, because he didn't do a full reversing session on the malware. This is actually the obfuscated JavaScript, and this is a debug session I just did in Chrome. It's quite nice to have an interactive debug session for JavaScript. In this instance they were just using a concatenation of a whole bunch of arrays, and these are just characters, and then the offsets into the array as well. This just resulted in this like F-delimited string, and then just splitting and joining on that string produced this command line. In this instance they're using PowerShell to execute and download a file; in this instance it's a portable executable, and then they're using Invoke-WmiMethod within PowerShell to execute that downloaded executable in the temp directory.

So let's go over the actual binary that was dropped. In this instance it was a binary that dropped more binaries, but it had some interesting functionality. This dropper binary has the capability of propagating over USB drives and your network drives. It requires some interaction, and I'll go into how that actually works. And what I thought was really cool is it will actually monitor for cryptocurrency addresses in your clipboard. If you're like mining on your computer and you go to make a payment to somebody for some form of goods, they will just look for that in your clipboard and then replace it with their own address, so when you go to send that currency it will just go to them instead of to whoever the rightful sender was. So I thought that was pretty neat, and it
has the capability of downloading the miner binary, which we'll go over as well. For those of you who do not do malware analysis, it is very common for the malware binaries to have some anti-analysis tricks. In this instance they had a bunch of processes in memory that they were looking for. They will typically look for a virtual environment, since sandboxes and reversers will typically run malware in these virtual environments, like VirtualBox and VMware, and if they see these processes in memory the malware will just exit; they won't do any more functionality. And here's an anti-VM trick: they're looking to resolve this Wine function from the import address table, and if they can successfully get an address to that function, they will exit as well. This is super common; you'll often see anti-VM tricks. For example, I was just doing this analysis in a virtual environment and they were able to exit, but if you just break on the exit function then you can typically look up the call stack and determine kind of where in the code they might have some anti-virtualization tricks.

Here's just the code for the network and drive propagation. They will look for the drive type in a loop, so they will constantly look for connected devices and drives, and if it is either the removable or the network drive type then they will create a shortcut on that USB or network drive that corresponds to either executable files on that drive or on that network share, or on USB sticks they will create a shortcut with the name of the USB on the USB. That LNK file will have these command-line arguments to execute a copied piece of malware on whatever device that is. More often than not, some of you would probably fall for that: they would just click on that icon and then they would get infected with the miner as well.

So this is the clipboard replacement functionality. Here they're just monitoring the clipboard, just getting the contents of that clipboard in a loop within a separate thread, and then they're just looking for a number of heuristics. It's really basic. Like I think the one that I put on there, in this case it's literally looking for the number two in your clipboard, and then they'll replace it with this corresponding address that looks a little bit similar. So really basic, but I think this is pretty effective in most scenarios for most people that are dealing with cryptocurrency.

This eventually drops a miner. It downloads and executes a miner over HTTP, and some interesting functionality with the miner itself is it will actually map ntdll functions itself. This is kind of unique, in that a lot of antivirus products will be hooking userland functions that are commonly used by applications and not necessarily those that are within ntdll, which are undocumented Windows API functions. And they will not mine if you have taskmgr.exe open, so I thought that was kind of cool. If your CPU spikes and you're like, what the hell, and then you open Task Manager, it'll just stop mining. So that was pretty cool. And then they drop a config as well. When I alluded to those arguments earlier that you could look for within your Windows event logs, in this case you can't look for those, because they have the config stored in a JSON file. This is the Task Manager function. It literally just uses the CreateToolhelp32Snapshot API and then it just iterates through all the processes in memory in a loop looking for taskmgr.exe, so it's pretty basic. And then this is that config that they drop. They construct it from a bunch of different pieces in memory, and in this instance the mining pool they were using was monerohash.com. Unfortunately, though, they were banned from that pool when I got to it, so that was unfortunate. I was really looking forward to seeing how much money they made, but in this instance somebody reported this address, and as you can see the address has been banned due to botnet mining activity. So, cool.

Yeah, so as blue teams, what can you do about malspam? Well, if you can, I would just disable macros altogether within Microsoft Office. I know that's not really viable for most enterprise environments, but some other things you can do is require signing of those macros. I know, again, this is not always viable. One thing I would suggest doing is disabling ActiveX controls from macros, and you can do that as described in this blog post. And Windows Defender Exploit Guard is really awesome on Windows 10. I did a talk at BSides Calgary about a whole bunch of different malicious document types, and I was kind of grilling Microsoft on their lack of security around this, but if you can install Windows 10 in your environment and you can enable all this different functionality in this blog, it's just going to up your security by like ten times, and there's not a whole lot that you have to do. Obviously you probably have to test some compatibility issues on your gold image and things like that, but Windows 10 is really, really awesome from a security perspective. For scripts, just set up some default handlers for all these different file types. You can literally just set it so if somebody double-clicks on a .js file it just opens in Notepad instead of executing commands. It's really, really basic stuff that not a lot of people do, and they can just avoid these attacks altogether by doing this. I'd also suggest checking out AppLocker and software restriction policies. These are a means of restricting where executables can execute within your environment. In this instance, this entire talk could have been stopped by just not allowing this thing to drop in temp and execute. Like, how many legitimate use cases are there for executing binaries in temp, right? It's not a whole lot. So that's what I'd suggest: take a look at those. So another way that these
are infecting environments is via remote and local code execution. This is actually making use of available exploits. More often than not, I don't believe I've seen a zero-day being used to spread crypto miners. Some remote code execution examples are via SMB, so EternalBlue (yes, there are still machines on the internet that are vulnerable to EternalBlue), Apache Struts and Oracle WebLogic. Our great keynote this morning kind of alluded to some internet-facing applications that are very commonly exploited, and those are some of them. And local command execution, or code execution: an example of this, which can also be found on that malware-traffic-analysis site, is RIG, which is a very common exploit kit, dropping a crypto miner via a Flash exploit.

So let's look at a remote code execution example. In this instance it was some pretty rudimentary malware that was written in Python, and basically they just wrapped a Python wrapper around a bunch of binaries that were leaked by the Shadow Brokers. Who of you know, or actually I should say who doesn't know, who the Shadow Brokers are? Okay. So last year there was a really weird group called the Shadow Brokers that started writing all these really odd Medium posts about how they had a bunch of NSA exploits, and they were trying to sell them for like a million bitcoins, or a million dollars in Bitcoin, and nobody really took them up on that offer. Due to some world events they leaked these binaries, and I should say these are alleged NSA binaries, and fairly shortly after, these were instrumented by, well, now we know it's a nation state, based on what happened last week: a North Korean was indicted with charges on programming WannaCry, which is a worm that was propagating across the internet last May. Basically, the US government attributed that to them, but basically they used these binaries that were allegedly NSA-derived in order to spread this malware across the internet. This piece of mining distribution malware also uses the same binaries, and that's referred to as EternalBlue. It will perform scanning of your local network and it will look at random remote addresses, and I'll show you how that functionality works. Basically, if it finds an SMB port that's open, it will attempt to exploit it.

This is the Python. Basically, how this works on Windows is you can actually use something like py2exe to distribute Python, and this will be executed by a Python interpreter that's provided with the binary. In this instance this is the local scanning. Literally all the red does is it will gather a bunch of IPs, your /20 range on your local subnet, and then this thread will just look if the port is open and then it will attempt to exploit it. This is their remote scanning functionality. Basically what this does is it reads this text file, and I'll show you what that looks like, and then it will basically choose a list of 30 IP addresses to attempt to exploit within a separate thread. This is what that text file looks like, so it's a whole bunch of different IP ranges. I didn't really look into this too closely, but my guess is that they probably wanted to limit their remote targets to non-government entities and things like that, but I'm assuming this is why they don't just choose IPs at random and attempt to exploit them. So this is really rudimentary malware, but it's pretty funny. They will look to see if it is vulnerable to EternalBlue by using this eternalblue function, and I'll show you what that looks like. Basically they'll return if it's good, and then an architecture, and that means it's exploitable. If it's x64 they'll use a 64-bit version of their DLL, and if it's an x86 version they'll use that version. I'll show you what that DLL does. This is what that eternalblue function does. It literally just provides the parameters into this EternalBlue executable, so this is actually the leaked executable from the Shadow Brokers, and this is how easy this stuff is to use, right? You can provide a target IP address as a parameter and then some other parameters for the supported architectures, and then just run it against the remote IP or local IP of a system. So, yeah, super easy to use these tools, which kind of makes sense based on who developed them. But basically they'll just look for these strings, and if it's vulnerable then they will return what architecture it was. For those of you who are not familiar with these tools, there was an implant, upon successful exploitation of EternalBlue, called DoublePulsar, and this implant allowed you to migrate from kernel address space into userland, and in
this instance they're just providing L SAS as the default process to migrate into and then they're providing that yellow that I referenced earlier so let's look at what that deal looks like so literally all the DLL does that they ship with double pulsar upon successful exploitation is it will reach out to this dot ru domain and then download a minor binary and then this is the mining config for that final mining payload so again they're using a config file in this case to probably avoid using those command-line arguments but as you can see this is actually a pool a pool they rolled themselves this is not a public pool cool so from my local code
execution perspective for blue team's update your stuff it's not rocket science I know I know it's not always viable in corporate environments I know you guys have gold images and you have to test stuff and make sure everything's working kind of some more defense and depth stuff that you can do like disable flash and Java plugins they really don't have to be enabled all the time at the very least if you can do click to play that's a super good way of doing it especially like even at home for your loved ones like disabling things so you can just click on them and enable them when they need to be that's a really good way most
modern browsers like Chrome it's really good for sandboxing most of these applications that are notoriously bad for for exploits so they sandbox flash and they sandbox their PDF reader as well so even if they're able to gain initial code execution within your browser they like they highly limit the amount of api's that are available from that sandbox environment and they can't necessarily escape that sandbox and break in to your to your computer not all exploits require sandbox escape but it sets the bar like that much higher and if you can find a remote code execution vulnerability or sorry a local code execution vulnerability in Chrome it's worth a lot of money so that kind of shows you like how how high the bar
gets set by these kinds of modern browsers windows to finder exploit got'em gonna keep like selling this Windows 10 again this is essentially what he met turned into so II met essentially was a external application that was developed by Microsoft to stop a whole bunch of different memory corruption vulnerabilities from being exploited on Windows so they'll stop things like rob chains and a whole bunch of these different exploitation techniques so I'd highly encourage you to check that out or if you're running Windows 7 you can still run older versions of email okay so for the remote code execution stuff I really like this blog that I'll chem tough put out around the shower brokers stuff at the time when when wanna cry
came out and and ultimately let's face it if you're scrambling to lock down your internet exposed SMB servers in response to the recent revelations from shadow brokers you're probably in trouble and it's not because of the NSA so if you have SMB services facing the Internet don't like you really really don't need to have them facing the Internet even if you have like a Remote Desktop Protocol environment just have that port facing Internet and if you can really help it don't have any wrote desktop clients or sorry servers facing the Internet you really don't need them just have a VPN service and that's this is what literally every large company does is they have a VPN service that you
connect into, and then you have access to all your internal resources. You don't even need a public-facing intranet or anything like that; just really have a VPN service. Ask yourself, does this service need to be facing the internet? Does this, I don't know, industrial control system need to be facing the internet? These are literally questions people ask themselves, and they still do it. So then minimize your public-facing services; that's kind of the overarching goal of this.

Ensure proper configuration. So there was a big push over the recent years for NoSQL databases, and I hate this stuff, because you have these sales guys who walk into health organizations and government organizations and they're like, hey, use this new database, and they don't know why, but they buy it anyways. And then the default configuration, I'm not sure if this is still the case, is no authentication. So literally you have all these internet-facing databases full of health records, and you'll see so many news stories about all these misconfigured services. There's literally no security vulnerability here other than misconfiguration; the person who set it up didn't know what they were doing, and they made it face the internet. It's literally as trivial as that most of the time.

Defense in depth stuff. Most of the people in this room should hopefully know a lot of these concepts, like practice least privilege: the service that's facing the internet does not need to be running as root, it doesn't need to have su privileges, it doesn't need to have access to the internal environment. Try and minimize your pivots; there should really be no public-facing services that have access to internal resources that they don't need. Obviously, if it's a public-facing service with a back end like a database, you can create an interface for that, but they really don't need to have access to things like HR or accounting or other parts of your company.

Network segregation. There's still giant companies who have flat networks, and it boggles my mind. I have a lot of friends who are pen testers and they're like, yeah man, I finished that engagement in like an hour, and I'm like, what, how? And they're like, oh, I just went into the network and I popped AD by using relay, and then I got an admin hash and all this stuff. You can literally destroy these environments in seconds because they're just flat networks that use Active Directory with old versions of SMB, and it's still super easy to do all these things in 2018. So implement network segregation, and if you can, just put every public service within a DMZ that doesn't have access to any of your other network resources.

So that's pretty much all I had. I know I did pretty good for time, but I just wanted to give some shout-outs. So jello snake, I'm probably pronouncing his handle wrong, did some really good work in this area. He's a researcher at Minerva Labs, and he did these two BSides talks on YouTube which were really good as well; I got some of my resources from him. Brad at malware-traffic-analysis: when I did this talk I wanted to do it from my personal research rather than through work because I was going through some changes at the time, and he provided
a really good way of just getting access to those samples that I went through today. ZeroDot1, he or she does a really good job at updating this blocker list, and it provides a means for the rest of us to block a large amount of the cryptocurrency-related domains that could be used nefariously within corporate environments. Cool, I think we have a little bit of time for questions. So there's my boy Biggie, rest in peace. If there are any questions, just raise your hand. Oh, there's some questions over here, perfect. Oh yeah, and this is my source; the source was fine.

Hello, you mentioned that in one of the exploits they went from JavaScript to PowerShell. Could you explain how that happens?

Yeah, so under Windows there's a process called the Windows Scripting Host, and there's also a command-line scripting host. That scripting host was written by Microsoft, I believe, to be able to interface with their operating system from scripting languages. So this is completely, I know I was debugging in Chrome, but when you're executing this on Windows it's completely external to Chrome, and the Windows Scripting Host will basically interpret that JavaScript. I can send you some code if you want, but basically you can establish an ActiveX object from that JavaScript; this is unique to the Windows Scripting Host, so they essentially have a JavaScript API for themselves, and then once you get that ActiveX object you can just do a shell execute and then execute PowerShell from it. Yeah, when people started doing this I was just like, what? Things are a lot better now in Windows 10, but it's still fairly trivial to get code execution on Windows in a number of different ways from attachments. This is why people still get phished. I'm tracking large remote groups right now, and they'll get access to be able to jackpot ATMs from bank networks from a phish, so that literally their initial infection vector is just a JavaScript attachment. They'll send a whole bunch of different attachments, and then once they get one point of code execution on a single user's box, they pivot to AD, and then they'll find the ATM banks at the company, and then they'll literally cash out and get mules to grab all the cash. Yes, it's crazy. Any more questions?
I'm curious, what's the general behavior of the miners if they find they can't talk to their DNS or whatever? Do they just give up, do they do something malicious, do they wait?

Yeah, that's one thing I kind of wanted to look further into. I believe that they will just not mine, because if you provide the mining pool parameters and they're unable to resolve the pool, I don't think there's any point in them mining, because they don't have an actual wallet address to publish to. I know they have that command-line argument, but I believe they will just not mine. Having said that, I haven't tested that myself.
Any other questions? Cool, awesome. Thank you, Roy.