Cryptocurrency mining

A cryptocurrency, such as Bitcoin, is a digital asset that uses strong cryptography to secure financial transactions. Cryptocurrencies do not rely on centralized digital currencies or banking systems.

Rather than stealing personal data or credentials, cryptomining malware takes over computer resources to mine cryptocurrency. Over the last few years, these attacks have become more frequent as criminals target endpoints, servers, smartphones, and other electronic devices to generate revenue.

These attacks can do more than steal cryptocurrency. IBM® QRadar® can help you protect your network from the performance slowdowns, increased energy costs, and extra server costs in cloud-based networks that cryptocurrency mining attacks cause.

Simulating the threat

The Cryptocurrency mining simulation mimics a Trojan virus that is buried in an event payload that is received from a Kaspersky Security Center log source.

To see how QRadar detects the threat, run the simulation.
  1. On the Log Activity tab, click Show Experience Center.
  2. Click Threat simulator.
  3. Locate the Cryptocurrency mining simulation and click Run.
On the Log Activity tab, you can see the following incoming events that are used to simulate the use case:

Table 1. Incoming events for the Cryptocurrency Mining use case

  Content       Description
  Events        Virus found
                The log source for the incoming event looks similar to this example: Experience Center: KasperskySecurityCenter.
  Log sources   Experience Center: WindowsAuthServer @ EC: <machine_name>
                Experience Center: WindowsAuthServer @ EC: <user_name>

On the Log Activity tab, you can see the Virus found events that are coming into QRadar. These events indicate that a virus or another type of malware was found in the event payload.

Detecting the threat: QRadar in action

In this simulation, the Virus found event indicates that the event payload that was received from the Experience Center: KasperskySecurityCenter log source contains a virus. The Custom Rule Engine (CRE) processes the event, which triggers a rule that creates a new event named Detected a Cryptocurrency Mining Activity Based on Threat Name (Exp Center).

To warn you about the potential threat, the CRE also creates an offense called Detected a Cryptocurrency Mining Activity Based on Threat Name (Exp Center). The offense is indexed so that it groups all the contributing events with the same threat name into a single offense.

Investigating the threat

The following IBM QRadar content is created by the Cryptocurrency Mining threat simulation. After you run the simulation, you can use this content to trace and investigate the threat.

Table 2. QRadar content for the Cryptocurrency Mining simulation

  Content          Name
  Saved Search     EC: Cryptocurrency Mining
  Incoming event   Virus found
                   The log source for the incoming event looks similar to this example: Experience Center: KasperskySecurityCenter.
  Rule             Detected a Cryptocurrency Mining Activity Based on Threat Name (Exp Center)
  Generated event  Detected a Cryptocurrency Mining Activity Based on Threat Name (Exp Center)
                   The log source for events that are generated by QRadar is the Custom Rule Engine (CRE).
  Offense          Detected a Cryptocurrency Mining Activity Based on Threat Name (Exp Center)
                   The offense is indexed on the EC Threat Name; all events that trigger this rule and that have the same threat name are part of the same offense.

Depending on the events and rules that exist in your environment before you run the use case, the offense name might include the text "preceded by <offense name>" or "containing <offense name>".
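The flow described under "Detecting the threat" and in the Offense row of Table 2 (a rule that fires on the threat name of a Virus found event, emits a CRE event, and groups contributors into one offense per threat name) can be modelled in a few lines. This is an added illustration, not QRadar's rule engine or rule syntax: the key="value" payload format, the host names, the threat names and the keyword list the rule tests are constructed assumptions; only the log source, rule and offense names come from the page.

```python
import re
from typing import Dict, List, Tuple

# Names taken from the page.
RULE_NAME = "Detected a Cryptocurrency Mining Activity Based on Threat Name (Exp Center)"
CRE_LOG_SOURCE = "Custom Rule Engine (CRE)"
# Assumed match terms: the page says the rule keys on the threat name but does
# not publish the exact terms it tests for.
MINING_KEYWORDS = ("bitcoinminer", "coinminer", "cryptominer")

# Constructed sample payloads in a simple key="value" form, not the real
# Kaspersky Security Center format; only the log source name is from the page.
KSC = 'source="Experience Center: KasperskySecurityCenter"'
SAMPLE_EVENTS = [
    f'{KSC} event="Virus found" host="EC-HOST-01" threat="not-a-virus:RiskTool.Win64.BitCoinMiner.sample"',
    f'{KSC} event="Virus found" host="EC-HOST-02" threat="not-a-virus:RiskTool.Win64.BitCoinMiner.sample"',
    f'{KSC} event="Virus found" host="EC-HOST-01" threat="Trojan.Win32.CoinMiner.sample"',
    f'{KSC} event="Virus found" host="EC-HOST-04" threat="Trojan.Win32.Generic.sample"',
    f'{KSC} event="Object scanned" host="EC-HOST-03" threat="not-a-virus:RiskTool.Win64.BitCoinMiner.sample"',
    f'{KSC} event="Virus found" host="EC-HOST-03" threat="not-a-virus:RiskTool.Win64.BitCoinMiner.sample"',
]
FIELD_RE = re.compile(r'(\w+)="([^"]*)"')

def parse_event(line: str) -> Dict[str, str]:
    """Split a key="value" payload into a field dictionary."""
    return dict(FIELD_RE.findall(line))

def rule_matches(event: Dict[str, str]) -> bool:
    """Rule test: a 'Virus found' event whose threat name names a miner."""
    if event.get("event") != "Virus found":
        return False
    threat = event.get("threat", "").lower()
    return any(keyword in threat for keyword in MINING_KEYWORDS)

def process(lines: List[str]) -> Tuple[List[Dict[str, str]], Dict[str, dict]]:
    """Run the rule over raw payloads. Returns the CRE-generated events and
    the offenses, indexed on the threat name so equal names share one offense."""
    generated: List[Dict[str, str]] = []
    offenses: Dict[str, dict] = {}
    for line in lines:
        event = parse_event(line)
        if not rule_matches(event):
            continue  # no rule event and no offense contribution
        cre_event = {"source": CRE_LOG_SOURCE, "event": RULE_NAME,
                     "host": event["host"], "threat": event["threat"]}
        generated.append(cre_event)
        offense = offenses.setdefault(
            event["threat"], {"name": RULE_NAME, "index": event["threat"], "events": []})
        offense["events"].append(cre_event)
    return generated, offenses
```

Calling process(SAMPLE_EVENTS) yields four rule events and two offenses: the three BitCoinMiner detections share one offense, the CoinMiner detection gets its own, and the Generic detection and the non-Virus found event produce nothing.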