Trick or Treat - Unveil the "Stratum" of the Mining Pools
Offered By: NorthSec via YouTube
Course Description
Overview
Explore the world of cryptomining malware and mining pools in this NorthSec 2019 conference talk. Delve into strategies for identifying Stratum servers, hunting interesting samples, and conducting static and dynamic analysis. Learn various methods to specify Stratum servers, extract configurations from PCAPs, and search for connected hosts using specific keywords. Discover techniques for identifying mining pool websites, extracting configurations through JS files, HTML parsing, and API calls. Gain insights into Stratum TCP scanning, collected data analysis, and potential Docker exploitations. Understand the persistence of miners and the competitive nature of cryptomining malware.
Syllabus
Intro
Cryptomining malware is still a thing
Mining pools 101
We developed different strategies to identify Stratum servers
Let's hunt for interesting samples
Processing workflow (static analysis)
Here are some ways to specify a Stratum server
Dynamic analysis
Extracting Stratum configuration from PCAPs
Looking for stratum servers over the Internet
Search Engines for Connected Hosts
Keywords to identify stratum servers
Identifying Mining Pool Websites
Extracting config: JS config file + API call
Extracting config: parsing HTML
Extracting config: (Parsing HTML) + API Call
Stratum TCP Scanner
Collected data
Default ports?
Scanning Internet
Docker exploitations?
Killing the competition
Very persistent miner
Taught by
NorthSec