Malware Epidemic: Monero Mining Campaigns Are Becoming a Real Problem

itman · Jan 25, 2018

Malware that secretly mines Monero is becoming a real problem in the real world, with the number of different incidents growing with each week. For example, only this past week, three new attacks came to light.

The reason is simple and is the same one given by all security experts who paid close attention to the cryptocurrency market in the past year.

The number of malware campaigns spreading Monero-mining threats grew exponentially with Monero's trading price. As the price rose, the number of new Monero-mining malware reports increased as well.

Excluding cryptojacking incidents —which also mine Monero— some of the Monero-mining malware families we've seen in 2017 include:

⌖ Digmine
⌖ Hexmen
⌖ Loapi
⌖ Zealot
⌖ WaterMiner
⌖ CodeFork
⌖ Bondnet
⌖ Adylkuzz
⌖ CoinMiner
⌖ Linux.BTCMine.26
⌖ Zminer
⌖ DevilRobber
⌖ An unnamed botnet targeting WordPress sites
⌖ An unnamed botnet targeting IIS 6.0 servers
⌖ A Monero miner advertised via Telegram
⌖ Several instances of exploit kits dropping Monero miners [1, 2]

To these, we can add the incidents reported in the first three weeks of 2018, which include the likes of:

⌖ PyCryptoMiner
⌖ RubyMiner
⌖ A group targeting Oracle WebLogic servers

But the year has barely started, and 2018 is primed to be the year of crypto-mining malware. Since our last report on Monero-mining malware (the RubyMiner campaign), things have become worse. Below we'll detail three more campaigns spotted by security researchers in the last week.
Click to expand...

https://www.bleepingcomputer.com/ne...mining-campaigns-are-becoming-a-real-problem/

Minimalist · Feb 2, 2018

DDG, the second largest mining botnet targets Redis and OrientDB servers

A new Monero-mining botnet dubbed DDG was spotted in the wild, the malware targets Redis and OrientDB servers.

According to the researchers at Qihoo 360’s Netlab, the DDG botnet was first detected in 2016 and is continuously updated throughout 2017.
Click to expand...

https://securityaffairs.co/wordpress/68555/malware/ddg-botnet.html

JoWazzoo · Feb 3, 2018

And it just keeps getting worse.

Reverse mining - free Monero. Heh
SpriteCoin: Another New CryptoCurrency…or NOT!

https://blog.fortinet.com/tag/cryptocurrency

Minimalist · Feb 5, 2018

New Monero Crypto Mining Botnet Leverages Android Debugging Tool

A new botnet that distributes malware for mining Monero cryptocurrency has emerged, infecting Android devices through a port linked with a debugging tool for the OS, according to researchers at Qihoo 360 Netlab.

Dubbed ADB.Miner by 360 Netlab, the botnet is gaining entry to Android devices–mostly smartphones and TV boxes–through port 5555, which is associated with Android Debug Bridge, a command-line tool that is used for debugging, installing apps and other purposes.
Click to expand...

https://threatpost.com/new-monero-crypto-mining-botnet-leverages-android-debugging-tool

Minimalist · Sep 17, 2018

Two New Monero Malware Attacks Target Windows and Android Users

Researchers spotted two new Monero malware attacks targeting Windows and Android devices that hide in plain sight and masquerade as legitimate application updates.
Click to expand...

https://securityintelligence.com/ne...are-attacks-target-windows-and-android-users/

guest · Sep 17, 2018

New Botnet Hides in Blockchain DNS Mist and Removes Cryptominer
September 17, 2018
https://www.bleepingcomputer.com/ne...-blockchain-dns-mist-and-removes-cryptominer/

A new botnet captured the attention of security researchers through its harmless behavior and the use of an original communication channel with its command and control server.

Fbot is a peculiar variant of Mirai that preserves the original DDoS module but does not appear to use it. This is not the oddest thing yet because its purpose at the moment is to search for devices infected with a cryptomining malware and clean them.
Fbot pushes out cryptomining malware
Fbot spreads by scanning for devices with an open port 5555, used by the ADB (Android Debug Bridge) service on Android, and then retrieving a script via the ADB interface.

One of the script's functions is to uninstall 'com.ufo.miner' malware. Another is to download the main payload, Fbot, which comes embedded with details on contacting the command and control (C2) server. The third function is to self-destruct.
Hiding behind the blockchain
"The choice of Fbot using EmerDNS other than traditional DNS is pretty interesting, it raised the bar for security researcher to find and track the botnet [...] " the researchers note.
Click to expand...

guest · Sep 20, 2018

Sustes Malware: CPU for Monero
September 20, 2018
https://securityaffairs.co/wordpress/76394/malware/sustes-malware-cpu-monero.html

Sustes (Mr.sh) is a nice example of Pirate-Mining and even if it’s hard to figure out its magnitude, since the attacker built-up private pool-proxies, I believe it’s interesting to fix wallet address in memories and to share IoC for future Protection. So, let’s have a closer look at it.

Sustes Malware doesn’t infect victims by itself (it’s not a worm) but it is spread over the exploitation and brute-force activities with special focus on IoT and Linux servers. [...]

The downloaded payload is named sustes and it is a basic XMRIG, which is a well-known opensource miner. In this scenario, it is used to make money at the expense of computer users by abusing the infected computer to mine Monero, a cryptocurrency.

Many people are currently wondering what is the sustes process which is draining a lot of PC resources (for example: here, here and here ) …. now we have an answer: it’s an unwanted Miner.
Click to expand...

hawki · Oct 11, 2018

"Crypto-mining malware poses as Flash updates...

Cyber criminals are using unusually credible fake Adobe Flash updates to push Monero cryptocurrency mining malware, researchers have found.

While fake Flash updates are typically poorly disguised, a campaign that emerged in August 2018 is using pop-up notifications borrowed from the official Adobe installer, according to Unit 42, the threat intelligence team at Palo Alto Networks.

As well as installing the XMRig cryptocurrency miner, this malware can also update a victim’s Flash Player to the latest version, making it appear to be legitimate..."

https://www.computerweekly.com/news/252450443/Crypto-mining-malware-poses-as-Flash-updates

guest · Nov 29, 2018

KingMiner malware hijacks the full power of Windows Server CPUs
November 29, 2018
https://www.zdnet.com/article/kingminer-cryptojacker-returns-now-new-and-improved/

On Thursday, researchers from Check Point said in a blog post that one such form of cryptomining malware, known as KingMiner, first appeared in June this year and is now out in the wild as a new-and-improved variant.

The malware generally targets IIS/SQL Microsoft Servers using brute-force attacks in order to gain the credentials necessary to compromise a server.
It is worth noting that if older versions of the attack files are found on the victim machine, these files will be deleted by the new infection.

Once extracted, the malware payload creates a set of new registry keys and executes an XMRig miner file, designed for mining Monero.
To make it more difficult to track or issue attribution to the threat actor, the KingMiner's mining pool has been made private and the API has been turned off.
Click to expand...

guest · Jan 3, 2019

Revamped cryptominer strikes Asia through EternalBlue exploit
January 3, 2019
https://www.zdnet.com/article/revamped-cryptominer-is-striking-asia-through-eternal-blue-exploit/

According to cybersecurity researchers from F-Secure, unpatched machines in Asia -- centered in Vietnam -- are being infected with the latest version of NRSMiner, malware designed to steal computing resources in order to mine for cryptocurrency.

Starting mid-November last year, the latest wave of attacks is also actively spreading across countries including China, Japan, and Ecuador.
The new version of the malware relies on the EternalBlue exploit to spread through local networks.

NRSMiner makes use of the XMRig Monero miner to hijack an infected system's CPU to mine for the Monero (XMR) cryptocurrency.
Click to expand...

guest · Feb 4, 2019

New SpeakUp Backdoor Infects Linux and macOS with Miners
February 4, 2019
https://www.bleepingcomputer.com/ne...backdoor-infects-linux-and-macos-with-miners/

A malware campaign distributing a new Backdoor Trojan named SpeakUp is currently targeting servers running six different Linux distributions and macOS by exploiting a number of known security vulnerabilities, while also managing to evade all anti-malware solutions in the process.

In most cases, this type of malware allows bad actors to run campaigns designed to operate covertly while giving the attackers as much control over the infected machines as possible, in most cases leading to a complete takeover.
At this moment in time, the SpeakUp malware uses the devices it compromises to run XMRig miners, with the wallets used by the campaign currently holding approximately 107 Monero (XMR) coins which translate to roughly $4515 at today's XMR to USD exchange rate.
Scans and infects other hosts on the same network
Also, the actor behind the SpeakUp campaign currently infecting Linux and macOS devices all over the map can use the backdoor planted on compromised machines to deploy more payloads besides the XMRig coinminer, which could make a lot more dangerous and conceivably more intrusive.
Click to expand...

Check Point Report: SpeakUp: A New Undetected Backdoor Linux Trojan

Minimalist · Feb 4, 2019

Cybercriminals Generated $56 Million Over 12 Years From Monero Crypto-Mining Malware

An analysis of more than 4.4 million malware samples showed botnets were responsible for crypto-mining at least 4.3 percent of Monero over a 12-year period.

These illicit efforts generated an estimated $56 million for cybercriminals behind the campaigns. The study from academics in the U.K. and Spain used a combination of both dynamic and static analysis techniques to pull details from the malware campaigns, including an exploration of the mining pools where payments were made as well as cryptocurrency addresses. Over the 12 years, Monero (XMR) was the most popular cryptocurrency targeted by botnets, the study concluded.
Click to expand...

https://securityintelligence.com/ne...r-12-years-from-monero-crypto-mining-malware/

guest · Feb 20, 2019

Monero Miner-Malware Uses RADMIN, MIMIKATZ to Infect, Propagate via Vulnerability
February 20, 2019
https://blog.trendmicro.com/trendla...mikatz-to-infect-propagate-via-vulnerability/

Between the last week of January to February, we noticed an increase in hack tool installation attempts that dropped seemingly random files into the Windows directory.
[...] it scans for open port 445 and exploit a Windows SMB Server Vulnerability MS17-010 (patched in 2017) for its infection and propagation routines, targeting companies in China, Taiwan, Italy, and Hong Kong.

However, this combination of RADMIN and MIMIKATZ becomes a concern for data exfiltration of enterprise assets and information because of the randomly named and seemingly-valid Windows functions that may go undetected.

Nonetheless, the technique shows some level of sophistication. Using MIMIKATZ and RADMIN for propagation while exploiting critical vulnerabilities enables malicious actors to spread malware with worm-like behavior to target specific systems in industries without being immediately detected.
Click to expand...

itman · Feb 20, 2019

it scans for open port 445 and exploit a Windows SMB Server Vulnerability MS17-010 (patched in 2017) for its infection and propagation routines, targeting companies in China, Taiwan, Italy, and Hong Kong.
Click to expand...

Recently came across this in the Eset forum where someone in Italy had not patched their server against this. Unbelievable ……………..

JRViejo · Mar 12, 2019

A modular malware with worm capabilities exploits known vulnerabilities in servers running ElasticSearch, Hadoop, Redis, Spring, Weblogic, ThinkPHP, and SqlServer to spread from one server to another and mine for Monero cryptocurrency.
Click to expand...

Malware Spreads As a Worm, Uses Cryptojacking Module to Mine for Monero by Sergiu Gatlan

guest · Mar 14, 2019

“CryptoSink” Campaign Deploys a New Miner Malware
March 13, 2019
https://www.f5.com/labs/articles/th...ptosink--campaign-deploys-a-new-miner-malware

Recently, threat researchers from F5 Networks spotted a new campaign targeting Elasticsearch systems. It leverages an exploit from 2014 to spread several new malwares designed to deploy an XMR (Monero) mining operation.

While analyzing the campaign we’ve named CryptoSink, we encountered a previously unseen method used by attackers to eliminate competitors on the infected machine and to persist on the server in a stealthier way by replacing the Linux remove (rm) command.

The Windows payload directly downloads a malicious executable file from the attacker’s server using a technique that became popular among similar threat actors. This technique involves calling the certutil utility, which ships with Windows, and is used to manipulate SSL certificates.
[...] writing the target pools’ domains to the “/etc/hosts” file. In doing so, the competitors’ miners are not able to connect to those cryptocurrency pools and fail to start the mining process
Click to expand...

guest · Mar 20, 2019

More persistent Monero mining campaign detected
March 19, 2019
https://www.scmagazineuk.com/persistent-monero-mining-campaign-detected/article/1579617

A new Monero cryptomining campaign detected in the wild is being spread & operating in a manner more consistent with ransomware and other attacks that retain a level of persistence than has been seen before.

"The highlight of this variant is the use of legitimate IT administration tools, Windows system tools and previously disclosed Windows vulnerabilities in order to infect an entire network of PCs," wrote Check Point’s Richard Clayton, Check Point’s adding, "The actors behind this campaign possess enough skills and experience to make this a potentially severe attack on any organisation with no so easy steps for remediation."

"Mining has always been about scale. The more machines mining, the more the income. Once a single machine is breached in an enterprise, lateral movement allows for large scale compromise which means more machines mining," Clayton said.
Click to expand...

Check Point Forensic Files: A New Monero CryptoMiner Campaign

guest · Apr 12, 2019

Malware Creates Cryptominer Botnet Using EternalBlue and Mimikatz
April 12, 2019
https://www.bleepingcomputer.com/ne...ominer-botnet-using-eternalblue-and-mimikatz/

A malware campaign is actively attacking Asian targets using the EternalBlue exploit and taking advantage of Living off the Land (LotL) obfuscated PowerShell-based scripts to drop Trojans and a Monero coinminer on compromised machines.

This cryptojacking campaign was previously detected by Qihoo 360's research team attacking Chinese targets during January 2019, and it was observed while using the Invoke-SMBClient and the PowerDump open source tools "to complete password hashing and pass the hash attacks."
As Trend Micro now discovered, the malware has also added the NSA-developed EternalBlue exploit, famously used as part of the WannaCry (see here and here) and NotPetya ransomware attacks of 2017.

[...] Last but not least, the final malicious payload, an XMRig Monero cryptominer, is deployed using PowerShell and injected straight into its own process using the open source Invoke-ReflectivePEInjection tool.
Click to expand...

Trend Micro:
Miner Malware Spreads Beyond China, Uses Multiple Propagation Methods Including EternalBlue, Powershell Abuse

guest · Jun 3, 2019

BlackSquid Slithers Into Servers and Drives With 8 Notorious Exploits to Drop XMRig Miner
June 3, 2019
https://blog.trendmicro.com/trendla...ith-8-notorious-exploits-to-drop-xmrig-miner/

An unpatched security flaw that gets successfully exploited is one thing. But eight exploits that can stealthily and simultaneously get through your businesses’ assets and data and your customers’ information are quite another.
We found a new malware family that targets web servers, network drives, and removable drives using multiple web server exploits and brute-force attacks.

The sample we acquired downloads and installs an XMRig Monero cryptocurrency miner as the final payload.
Given its evasion techniques and the attacks it is capable of, BlackSquid is a sophisticated piece of malware that may cause significant damage to the systems it infects.
All of the exploited vulnerabilities have patches that have been available for years, so organizations following updated and proper patching procedures are unlikely to be affected.
Click to expand...

guest · Jun 5, 2019

Monero-Mining Malware PCASTLE Zeroes Back In on China, Now Uses Multilayered Fileless Arrival Techniques
June 5, 2019
https://blog.trendmicro.com/trendla...ses-multilayered-fileless-arrival-techniques/

This latest campaign has added a few new tricks. For one, it uses multiple propagation methods — using a variety of components doing different tasks — to deliver their cryptocurrency-mining malware.

It now also uses a multilayered fileless approach, allowing the malicious PowerShell scripts to download payloads (with its arrival via a scheduled task) and execute them in memory only. The final PowerShell script, which is also executed in memory, packs all the malicious routines: using an SMB exploit (EternalBlue), brute-forcing the system, employing the pass-the-hash method, and downloading payloads.

Their use of XMRig as their payload’s miner module is also not surprising. Algorithms for Monero mining are not as resource-intensive compared to other miners, and don’t require a lot of processing power. This means they can illicitly mine the cryptocurrency without alerting users unless they notice certain red flags like performance issues.
The attackers’ motivations for concentrating their activities back on China-based systems are unclear. Nonetheless, this campaign showed that fileless threats aren’t going away.
Click to expand...

guest · Jun 10, 2019

CVE-2019-2725 Exploited and Certificate Files Used for Obfuscation to Deliver Monero Miner
June 10, 2019
https://blog.trendmicro.com/trendla...used-for-obfuscation-to-deliver-monero-miner/

[...] an interesting twist — the malware hides its malicious codes in certificate files as an obfuscation tactic.
First, PowerShell (PS) is used to download a certificate file from the command-and-control (C&C) server and save it under %APPDATA% using the file name cert.cer
It then employs the component CertUtil, which is used to manage certificates in Windows, to decode the file.

One interesting characteristic of the downloaded certificate file is that it requires that it be decoded twice before the PS command is revealed, which is unusual since the command from the exploit only uses CertUtil once.
The PS command from the certificate file downloads and executes another PS script in memory.
Certificate files as an obfuscation technique
By using certificate files for obfuscation purposes, a piece of malware can possibly evade detection since the downloaded file is in a certificate file format which is seen as normal -— especially when establishing HTTPS connections.
Click to expand...

guest · Jun 13, 2019

Hackers Infect Businesses with CryptoMiners Using NSA Leaked Tools
June 13, 2019
https://www.bleepingcomputer.com/ne...ses-with-cryptominers-using-nsa-leaked-tools/

The cybercriminals behind this cryptomining campaign use the NSA-developed EternalBlue and EternalChampion SMB exploits to compromise vulnerable Windows computers, exploits which were leaked by the Shadow Brokers hacker group in April 2017.
The campaign's targets
"The campaign seems to be widespread, with targets located in all regions of the world. Countries with large populations such as China and India also had the most number of organizations being targeted," say Trend Micro's researchers, the ones who unearthed this ongoing cryptojacking campaign targeting companies from all over the world.
Attacking vulnerable hosts and dropping the miners
An auto-spreading EternalBlue-based backdoor and a variant of the Vools Trojan is used as the main tool to deploy roughly 80 variants of the XMRig cryptocurrency miners on infected computers, using five different mining configurations with similar usernames and identical passwords.
All compromised machines by this campaign are part of various companies' internal network segments as unearthed by Trend Micro's research team.
Click to expand...

Trend Micro: Advanced Targeted Attack Tools Found Being Used to Distribute Cryptocurrency Miners

guest · Jul 4, 2019

New Golang malware plays the Linux field in quest for cryptocurrency
The malware strain is on the hunt for Monero by exploiting Linux servers
July 4, 2019
https://www.zdnet.com/article/new-golang-malware-plays-the-field-in-quest-for-cryptocurrency/

Over the past week, various cybersecurity outfits have published reports on the new malware, dubbed Golang, which has already proven itself capable of compromising Linux servers through a variety of propagation methods.
The spreader malware is based on the open-source Go programming language.

An analysis posted by Palo Alto Networks Unit 42 cybersecurity researcher Josh Grunzweig suggests that there has been a steady uptick in the amount of malware being developed in this language for months, but the majority are targeting the Microsoft Windows operating system.
F5 researchers say that Golang spreads through a total of seven methods; four exploits targeting ThinkPHP, Drupal, and Confluence; the use of SSH and Redis database misconfigurations or credentials, and the subsequent spread to other machines using any SSH keys the malware stumbles across.

While fraudulent cryptocurrency mining based on stolen computing power remains lucrative, it is unlikely that Golang will be the last new form of mining payload spreader we will come across.
Click to expand...

Palo Alto Networks - Unit42: The Gopher in the Room: Analysis of GoLang Malware in the Wild
Trend Micro: Golang-based Spreader Used in a Cryptocurrency-Mining Malware Campaign
F5 Labs: New Golang Malware is Spreading via Multiple Exploits to Mine Monero

guest · Aug 14, 2019

New Norman Cryptominer Uses Dynamic DNS for C2 Communication
August 14, 2019
https://www.bleepingcomputer.com/ne...ominer-uses-dynamic-dns-for-c2-communication/

A new cryptominer malware that infected almost all the computers on a company's network within a year uses DuckDNS for command and control (C2) communications with its masters.
DuckDNS used for C2 communication
The new miner malware strain dubbed Norman by the Varonis Security Research team was discovered while actively mining for Monero using the computing resources of the infected workstations and servers as directed by its operators.
All infected hosts on the network were very easily detected by the use of DuckDNS which is a dynamic DNS service designed to help users create custom domain names easier.
Multi-stage infection process
The Norman cryptominer is dropped on the targets' systems using a malware dropper compiled using the Nullsoft Scriptable Install System (NSIS) and designed to execute the payload according to instructions served via a bundled script.
The payload is "triple obfuscated with Agile obfuscator, a known commercial .NET obfuscator" and it was renamed from Norman.dll to 5zmjbxUIOVQ58qPR.dll as the dll file's metadata shows.

To hide the explorer.exe injection, the malware overwrites "the injected payload with wuapp.exe’s path and nulls," the Varonis researchers further found.
Click to expand...

guest · Aug 30, 2019

Coin-mining malware jumps from ARM IoT gear to Intel servers
August 30, 2019
https://www.theregister.co.uk/2019/08/30/coinmining_malware_intel/

A coin-mining malware infection previously only seen on ARM IoT devices has made the jump to Intel systems.
Akamai senior security researcher Larry Cashdollar says one of his honeypot systems recently turned up what appears to be an IoT malware that targets Intel machines running Linux.

"I suspect it’s probably a derivate of other IoT crypto mining botnets," Cashdollar told The Register. "This one seems to target enterprise systems."

In addition to being fine-tuned for Intel x86 and 686 processors, the malware looks to establish an SSH Port 22 connection and deliver itself as a gzip archive. From there, the malware checks to see if the machine has already been infected (at which point the installation stops) or if an earlier version is running and needs to be terminated. From there, three different directories are created with different versions of the same files.

"Criminals will continue to monetize unsecured resources in any way they can. System administrators need to employ security best practices with the systems they manage," Cashdollar said.
Click to expand...

Akamai: XMR Cryptomining Targeting x86/i686 Systems

Log in or Sign up

Malware Epidemic: Monero Mining Campaigns Are Becoming a Real Problem

itman Registered Member

Minimalist Registered Member

JoWazzoo Registered Member

Minimalist Registered Member

Minimalist Registered Member

guest Guest

guest Guest

hawki Registered Member

guest Guest

guest Guest

guest Guest

Minimalist Registered Member

guest Guest

itman Registered Member

JRViejo Super Moderator

guest Guest

guest Guest

guest Guest

guest Guest

guest Guest

guest Guest

guest Guest

guest Guest

guest Guest

guest Guest

Log in or Sign up

Malware Epidemic: Monero Mining Campaigns Are Becoming a Real Problem

itman Registered Member

Minimalist Registered Member

JoWazzoo Registered Member

Minimalist Registered Member

Minimalist Registered Member

guest Guest

guest Guest

hawki Registered Member

guest Guest

guest Guest

guest Guest

Minimalist Registered Member

guest Guest

itman Registered Member

JRViejo Super Moderator

guest Guest

guest Guest

guest Guest

guest Guest

guest Guest

guest Guest

guest Guest

guest Guest

guest Guest

guest Guest

Useful Searches