This document describes a threat finding type in Security Command Center. Threat findings are generated by threat detectors when they detect a potential threat in your cloud resources. For a full list of available threat findings, see Threat findings index.
Finding description
VM Threat Detection detected cryptocurrency mining activities by matching memory hashes of running programs against memory hashes of known cryptocurrency mining software.
To respond to these findings, do the following:
Step 1: Review finding details
Open an Execution: Cryptocurrency Mining Hash Match finding, as directed in Review findings. The details panel for the finding opens to the Summary tab.
On the Summary tab, review the information in the following sections:
What was detected, especially the following fields:
- Binary family: the cryptocurrency application that was detected.
- Program binary: the absolute path of the process.
- Arguments: the arguments provided when invoking the process binary.
- Process names: the name of the process running in the VM instance that is associated with the detected signature matches.
VM Threat Detection can recognize kernel builds from major Linux distributions. If it can recognize the affected VM's kernel build, it can identify the application's process details and populate the processes field of the finding. If VM Threat Detection can't recognize the kernel—for example, if the kernel is custom built—the finding's processes field isn't populated.
Affected resource, especially the following fields:
- Resource full name: the full resource name of the affected VM instance, including the ID of the project that contains it.
To see the complete JSON for this finding, in the detail view of the finding, click the JSON tab.
- indicator
  - signatures
    - memory_hash_signature: a signature corresponding to memory page hashes.
      - detections
        - binary: the name of the cryptocurrency application's binary—for example, linux--x86-64_ethminer_0.19.0_alpha.0_cuda10.0.
        - percent_pages_matched: the percentage of pages in memory that match pages in known cryptocurrency applications in the page-hash database.
Step 2: Check logs
- In the Google Cloud console, go to Logs Explorer.
- On the Google Cloud console toolbar, select the project that contains the VM instance, as specified on the Resource full name row in the Summary tab of the finding details.
- Check the logs for signs of intrusion on the affected VM instance. For example, check for suspicious or unknown activities and signs of compromised credentials.
Step 3: Review permissions and settings
- On the Summary tab of the finding details, in the Resource full name field, click the link.
- Review the details of the VM instance, including the network and access settings.
Step 4: Research attack and response methods
- Review MITRE ATT&CK framework entries for Execution.
- To develop a response plan, combine your investigation results with MITRE research.
Step 5: Implement your response
The following response plan might be appropriate for this finding, but might also impact operations. Carefully evaluate the information you gather in your investigation to determine the best way to resolve findings.
To assist with detection and removal, use an endpoint detection and response solution.
- Contact the owner of the VM.
- Confirm whether the application is a mining application:
  - If the detected application's process name and binary path are available, consider the values on the Program binary, Arguments, and Process names rows on the Summary tab of the finding details in your investigation.
  - If the process details aren't available, check if the binary name from the memory hash signature can provide clues. Consider a binary called linux-x86-64_xmrig_2.14.1. You can use the grep command to search for notable files in storage. Use a meaningful portion of the binary name in your search pattern, in this case, xmrig. Examine the search results.
  - Examine the running processes, especially the processes with high CPU usage, to see if there are any that you don't recognize. Determine whether the associated applications are miner applications.
  - Search the files in storage for common strings that mining applications use, such as btc.com, ethminer, xmrig, cpuminer, and randomx. For more examples of strings you can search for, see Software names and YARA rules and the related documentation for each software listed.
- If you determine that the application is a miner application, and its process is still running, terminate the process. Locate the application's executable binary in the VM's storage, and delete it.
- If necessary, stop the compromised instance and replace it with a new instance.
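The triage decision above (use the process details when the kernel was recognized, otherwise derive a search term from the hash-signature binary name and combine it with the common mining strings) as an added Python example. This is not code from the page or from Security Command Center; the JSON nesting, the shape of a process entry, and the sample values are constructed assumptions.

```python
import json

# Strings this page lists as common in mining software.
COMMON_STRINGS = ["btc.com", "ethminer", "xmrig", "cpuminer", "randomx"]

# Constructed sample finding shaped after the fields described above
# (indicator.signatures[].memory_hash_signature.detections[], processes).
# The exact nesting is an assumption, not copied from a real finding.
SAMPLE_FINDING = json.loads("""
{
  "category": "Execution: Cryptocurrency Mining Hash Match",
  "indicator": {"signatures": [{"memory_hash_signature": {
    "binary_family": "xmrig",
    "detections": [{"binary": "linux-x86-64_xmrig_2.14.1",
                    "percent_pages_matched": 71.2}]}}]},
  "processes": []
}
""")

def search_keyword(binary_name):
    """Pick the meaningful portion of a signature binary name, e.g.
    'linux-x86-64_xmrig_2.14.1' -> 'xmrig': skip the platform token
    and any token that starts with a digit (a version)."""
    for token in binary_name.split("_"):
        low = token.lower()
        if not token or token[0].isdigit() or "linux" in low or "x86" in low:
            continue
        return token
    return binary_name

def triage(finding):
    """Decide what to check first: process details when the kernel was
    recognized (processes populated), otherwise signature-derived keywords."""
    processes = finding.get("processes") or []   # empty on unrecognized kernels
    detections = [d for s in finding.get("indicator", {}).get("signatures", [])
                  for d in s.get("memory_hash_signature", {}).get("detections", [])]
    return {
        "process_details_available": bool(processes),
        "process_binaries": [p.get("binary", {}).get("path") for p in processes],
        "keywords": sorted({search_keyword(d["binary"]) for d in detections}),
        "max_percent_pages_matched": max(
            (d.get("percent_pages_matched", 0) for d in detections), default=0),
    }

def grep_args(keywords, root="/"):
    """Build the argv for a filesystem search over the derived keywords plus
    the common strings; -l lists file names, so binaries that match are
    reported rather than skipped, and -i makes the match case-insensitive."""
    patterns = sorted(set(keywords) | set(COMMON_STRINGS))
    return ["grep", "-ril"] + [a for p in patterns for a in ("-e", p)] + [root]
```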
What's next
- Learn how to work with threat findings in Security Command Center.
- Refer to the Threat findings index.
- Learn how to review a finding through the Google Cloud console.
- Learn about the services that generate threat findings.