Execution: Cryptocurrency Mining YARA Rule

This document describes a threat finding type in Security Command Center. Threat findings are generated by threat detectors when they detect a potential threat in your cloud resources. For a full list of available threat findings, see Threat findings index.

Overview

VM Threat Detection detected cryptocurrency mining activities by matching memory patterns, such as proof-of-work constants, known to be used by cryptocurrency mining software.

How to respond

To respond to this finding, do the following:

Step 1: Review finding details

1. Open an Execution: Cryptocurrency Mining YARA Rule finding, as directed in Review findings. The details panel for the finding opens to the Summary tab.

2. On the Summary tab, review the information in the following sections:

   • What was detected, especially the following fields:

     • YARA rule name: the rule triggered for YARA detectors.
     • Program binary: the absolute path of the process.
     • Arguments: the arguments provided when invoking the process binary.
     • Process names: the name of the processes running in the VM instance that is associated with the detected signature matches.

     VM Threat Detection can recognize kernel builds from major Linux distributions. If it can recognize the affected VM's kernel build, it can identify the application's process details and populate the processes field of the finding. If VM Threat Detection can't regognize the kernel—for example, if the kernel is custom built—the finding's processes field isn't populated.

   • Affected resource, especially the following fields:

     • Resource full name: the full resource name of the affected VM instance, including the ID of the project that contains it.

   • Related links, especially the following fields:

     • Cloud Logging URI: link to Logging entries.
     • MITRE ATT&CK method: link to the MITRE ATT&CK documentation.
     • Related findings: links to any related findings.
     • VirusTotal indicator: link to the VirusTotal analysis page.

3. To see the complete JSON for this finding, in the detail view of the finding, click the JSON tab.

Step 2: Check logs

1. In the Google Cloud console, go to Logs Explorer.

   Go to Logs Explorer

2. On the Google Cloud console toolbar, select the project that contains the VM instance, as specified on the Resource full name row in the Summary tab of the finding details.

3. Check the logs for signs of intrusion on the affected VM instance. For example, check for suspicious or unknown activities and signs of compromised credentials.

Step 3: Review permissions and settings

1. On the Summary tab of the finding details, in the Resource full name field, click the link.
2. Review the details of the VM instance, including the network and access settings.

Step 4: Research attack and response methods

1. Review MITRE ATT&CK framework entries for Execution.
2. To develop a response plan, combine your investigation results with MITRE research.

Step 5: Implement your response

The following response plan might be appropriate for this finding, but might also impact operations. Carefully evaluate the information you gather in your investigation to determine the best way to resolve findings.

To assist with detection and removal, use an endpoint detection and response solution.

1. Contact the owner of the VM.

2. Confirm whether the application is a mining application:

   • If the detected application's process name and binary path are available, consider the values on the Program binary, Arguments, and Process names rows on the Summary tab of the finding details in your investigation.

   • Examine the running processes, especially the processes with high CPU usage, to see if there are any that you don't recognize. Determine whether the associated applications are miner applications.

   • Search the files in storage for common strings that mining applications use, such as btc.com, ethminer, xmrig, cpuminer, and randomx. For more examples of strings you can search for, see Software names and YARA rules and the related documentation for each software listed.

3. If you determine that the application is a miner application, and its process is still running, terminate the process. Locate the application's executable binary in the VM's storage, and delete it.

4. If necessary, stop the compromised instance and replace it with a new instance.

What's next

• Learn how to work with threat findings in Security Command Center.
• Refer to the Threat findings index.
• Learn how to review a finding through the Google Cloud console.
• Learn about the services that generate threat findings.