Malware Epidemic: Monero Mining Campaigns Are Becoming a Real Problem

guest · Dec 12, 2019

Cryptominers and fileless PowerShell techniques make for a dangerous combo
This new dual-payload cryptojacking malware can disable Windows Antimalware Scan Interface and inject itself directly into memory of legitimate processes
December 10, 2019
https://www.csoonline.com/article/3...ll-techniques-make-for-a-dangerous-combo.html

Researchers from security firm Deep Instinct have recently come across a cryptominer infection on the systems of a large Asia-based company in the aviation industry. The attack, which deployed a new Monero cryptocurrency miner, used PowerShell, reflective PE injection, run-time code compilation and Tor for anonymity.

“While run-time compilation is not new, it is becoming more and more prevalent with the rising popularity of file-less attacks, and can bear certain advantages for an attacker such as the avoidance of some of PowerShell’s protection mechanisms,” the Deep Instinct researchers said in a new report.
Storing malicious code inside the registry instead of a file on disk, and then injecting it directly into the memory of legitimate processes is a technique that was first used in APT attacks to evade antivirus detection.

“While analysis and research of this malware are still ongoing, in light of the above-mentioned findings, we are reasonably convinced that this a new, sophisticated cryptominer variant, fairly distinguishable from other previously documented malware of this type.”
Click to expand...

Deep Instinct: Who's Mining in My Enterprise? New Crypto-Miner Discovered

guest · Dec 19, 2019

Taylor Swift Photo Hides Malicious Crypto-Mining Code
December 19, 2019
https://bitcoinist.com/taylor-swift-photo-hides-malicious-crypto-mining-code/

SOPHOS LABS DISCOVERS BOTNET IN TAYLOR SWIFT JPEG
Analysis by Sophos Labs, a digital security firm, shows hackers are now trying to infect computers by hiding a malicious EXE file inside what looks like an innocent JPEG image. Usually, a popular, much-searched celebrity does the trick, and this time they chose American pop singer, Taylor Swift.
The activity comes from a hacker group identified as MyKings, which works to attack Windows machines. Their approach also includes infecting a WAV file, using a similar technique.

The current threat affects Windows-based servers, and Sophos Labs has discovered different attempts to inject malicious code disguised as open-source software. The Sophos team explained,

"Attacks by the MyKings botnet operators follow a predictable pattern: The botnet attempts a stable of different attacks against a server. Unpatched, or underpatched, Windows servers may be vulnerable to a wide range of attacks, the goal of which is to deliver a malware executable, more often than not, a Trojan named Forshare"
Click to expand...

Sophos: MyKings botnet spreads headaches, cryptominers, and Forshare malware

Unbelievably, all this effort was made in order to deliver one of various different Monero cryptominers. Forshare gets used to ensure the miners are running.
The criminals who run the botnet have reportedly earned about 9,000 XMR over its lifetime, estimated to be valued at about $3 million. The current MyKings income is about $300 per day, mainly due to a lower Monero exchange rate.
Click to expand...

guest · Jan 7, 2020

Go-Based LiquorBot Adapts Cryptomining Payload to Infected Host
January 7, 2020
https://www.bleepingcomputer.com/ne...adapts-cryptomining-payload-to-infected-host/

A cryptomining botnet has been attacking unpatched routers since at least May 2019. It exploits a small set of critical vulnerabilities and targets multiple CPU architectures.
Named LiquorBot, the malware is written in Golang (Go) a programming language that has a syntax similar to C but presents some advantages, such as memory safety and garbage collection.
12+ versions in less than a year
Researchers at Bitdefender first saw LiquorBot on May 31, 2019, and tracked its evolution to a version discovered on October 10.

At its core, LiquorBot is a re-implementation of the infamous Mirai but with a cryptocurrency mining feature instead of a distributed denial-of-service (DDoS) component.
Each of the above servers is used interchangeably as a C2 server, for Monero cryptocurrency mining, and for hosting the binaries.

LiquorBot is under active development and the authors are likely to further refine it in 2020. Updating your router, if possible, is the easiest way to defend against this sort of threat.
Click to expand...

Bitdefender: Hold My Beer Mirai – Spinoff Named ‘LiquorBot’ Incorporates Cryptomining

guest · Jan 15, 2020

Windows BSOD Betrays Cryptominer Hidden in WAV File
January 16, 2020
https://www.bleepingcomputer.com/news/security/windows-bsod-betrays-cryptominer-hidden-in-wav-file/

The infamous blue screen of death (BSOD) on computers belonging to a company in the medical tech sector was the tell for a malware infection that spread across more than half the network.
EternalBlue and cryptojacking
Security researchers providing incident response services found that more than 800 computers had been compromised starting October 14, 2019. The discovery was possible by investigating systems that experienced a BSOD crash since that date.

The payload was a module that mines for Monero cryptocurrency using the CryptonightR algorithm. To evade detection, the authors resorted to steganography to embedded it in WAV‌ audio files. As a result, the files seem harmless but carry an extra load that is later extracted and executed on an infected host.
Weak spots
While this attack is not sophisticated, it shows that some mid-size organizations are ill-prepared to defend against a cybersecurity incident and set up the environment to support post-infection analysis efforts.
Click to expand...

Guardicore: Threats Making WAVs - Incident Response to a Cryptomining Attack

guest · Jan 22, 2020

Vivin Nets Thousands of Dollars Using Cryptomining Malware
...this type of attack isn’t going away anytime soon.
January 22, 2020
https://threatpost.com/vivin-nets-thousands-cryptomining-malware/152110/

A recently uncovered threat actor, dubbed Vivin, has made thousands of U.S. dollars through a large-scale cryptomining campaign.

Vivin is unique due to its longevity — the threat actor has been active since at least 2017 — and researchers with Cisco Talos point to Vivin as a good example of why cryptomining malware isn’t going anywhere, despite a loss in the value of Monero over the past few years.

“[...] money’s the name of the game in a lot of these instances, and even though it’s not generating a huge amount of revenue, it’s guaranteed money. And for a lot of these actors, that’s really all their goal is, is to make money. So this remains a very viable way to do that.”
Click to expand...

Cisco Talos: Breaking down a two-year run of Vivin’s cryptominers

Vivin has shown to rotate the use of multiple cryptocurrency wallet addresses, in addition to altering the delivery chain of their payloads, over different time periods of activity. An interesting aspect of the actor's delivery method is their use of modified pirated software as their initial attack vector before the samples move on to common "living-off-the-land" methods at later stages of the attack.
Click to expand...

guest · Apr 9, 2020

Unique P2P Architecture Gives DDG Botnet ‘Unstoppable’ Status
DDG might be the world’s first P2P-based cryptomining botnet
April 9, 2020
https://threatpost.com/p2p-ddg-botnet-unstoppable/154650/

The coin-mining botnet known as DDG has seen a flurry of activity since the beginning of the year, releasing 16 different updates over the course of the past three months. Most notably, its operators have adopted a proprietary peer-to-peer (P2P) mechanism that has turned the DDG into a highly sophisticated, “seemingly unstoppable” threat, according to researchers.

DDG was first flagged in January of 2018 by Netlab 360, which went on to sinkhole the malicious operations.
At that point, DDG had only infected 4,391 public-facing servers to mine the Monero cryptocurrency, according to the firm, and didn’t seem like a particularly notable threat.

A year later however, DDG had come roaring back, with a total of 5,695 devices enslaved as bots in January 2019.
Since then, the botnet has been under active and constant development, Netlab 360 explained, with most iterations representing only incremental changes.
Click to expand...

Proprietary P2P
In its latest version, the DDG botnet still uses IP or DNS for static C2 communications, but its new P2P network acts as “a fall-back [failsafe] that even if the C2 is taken down, the infected devices are still going to keep going and perform the mining tasks,” analysts said in a blog on Wednesday (translated for Threatpost from Chinese via Google Translate).

Interestingly, DDG has a niche attack vector, choosing to exclusively target servers on corporate intranets –specifically, it targets servers that have weak SSH passwords for one single user name root. It has a hardcoded list of 17,907 passwords that it tries against its targets, Netlab 360 researchers said.

“[We’re hoping] more security researchers can take a good look at it and hopefully slow down the seemingly unstoppable DDG botnet,” they added.
Click to expand...

guest · Apr 23, 2020

ESET takes down VictoryGate cryptomining botnet
April 23, 2020
https://www.zdnet.com/article/eset-takes-down-victorygate-cryptomining-botnet/

Slovak cyber-security firm ESET announced today that it took down a malware botnet that infected more than 35,000 computers.

According to an ESET press release published today, the botnet has been active since May 2019, and most of its victims were located in Latin America, with Peru accounting for more than 90% of the total victim count.
Named VictoryGate, ESET said the botnet's primary purpose was to infect victims with malware that mined the Monero cryptocurrency behind their backs.

The company is now working with members of the Shadowserver Foundation to notify and disinfect all computers who connect to the sinkhole. Based on sinkhole data, between 2,000 and 3,500 computers are still pinging the malware's C&C server for new commands on a daily basis.
Click to expand...

ESET: Following ESET’s discovery, a Monero mining botnet is disrupted

ESET researchers discover, and play a key role in the disruption of, a 35,000-strong botnet spreading in Latin America via infected USB drives
Click to expand...

guest · May 8, 2020

Blue Mockingbird Monero-Mining Campaign Exploits Web Apps
May 7, 2020
https://threatpost.com/blue-mockingbird-monero-mining/155581/

A Monero cryptocurrency-mining campaign has emerged that exploits a known vulnerability in public-facing web applications built on the ASP.NET open-source web framework.

The campaign has been dubbed Blue Mockingbird by the analysts at Red Canary that discovered the activity. Research uncovered that the cybercriminal gang is exploiting a deserialization vulnerability, CVE-2019-18935, which can allow remote code execution. The bug is found in the Progress Telerik UI front-end offering for ASP.NET AJAX.
The vulnerability lies specifically in the RadAsyncUpload function, according to the writeup on the bug in the National Vulnerability Database.

“Each payload comes compiled with a standard list of commonly used Monero-mining domains alongside a Monero wallet address,” explained researchers at Red Canary, in a Thursday writeup. “So far, we’ve identified two wallet addresses used by Blue Mockingbird that are in active circulation. Due to the private nature of Monero, we cannot see the balance of these wallets to estimate their success.”
Click to expand...

Although Blue Mockingbird has been making noticeable waves, the toolkit is a work in progress.

“In at least one engagement, we observed Blue Mockingbird seemingly experimenting with different tools to create SOCKS proxies for pivoting,” said the researchers.
In terms of preventing the threat, patching web servers, web applications and dependencies of the applications to inhibit initial access is the best bet, according to Red Canary.
Click to expand...

Introducing Blue Mockingbird

Red Canary Intel is monitoring a potentially novel threat that is deploying Monero cryptocurrency-mining payloads on Windows machines at multiple organizations
Click to expand...

guest · Jun 9, 2020

KingMiner botnet brute-forces MSSQL databases to install cryptocurrency miner
June 9, 2020
https://www.zdnet.com/article/kingm...ql-databases-to-install-cryptocurrency-miner/

Owners of MSSQL databases are advised to secure their servers, UK cyber-security firm Sophos said in a report today.

The company says it detected a botnet operation that targets MSSQL databases with brute-force attacks that attempt to guess the password for the "sa" (server administrator) account.
Once hackers break into a vulnerable MSSQL system, they create another database user named "dbhelp," and they install a cryptocurrency miner that abuses the server's resources to generate profits for the gang.
KINGMINER HAS BEEN ACTIVE SINCE LATE 2018
Sophos says this botnet operation goes by the name of KingMiner, and is the same gang that was previously documented in a report from cyber-security form Check Point in late 2018, and then again by Qihoo 360 Total Security in July 2019.
Furthermore, the botnet's code has also evolved as time went by, showing that hackers invested in sharpening their attack tools and routines.
Click to expand...

KINGMINER EXPERIMENTING WITH EXPANDING ACCESS
KingMiner's focus on expanding access to the internal networks is not something new or strange, as this very same behavior has also been spotted in multiple other cryptocurrency-mining botnets. However, currently, KingMiner is in the incipient stages of implementing such a feature.

All in all, KingMiner shows that malware botnets have continued to make a profit despite the up and down price of the Monero cryptocurrency.
Click to expand...

guest · Jun 11, 2020

Microsoft discovers cryptomining gang hijacking ML-focused Kubernetes clusters
June 11, 2020
https://www.zdnet.com/article/micro...ang-hijacking-ml-focused-kubernetes-clusters/

Microsoft has published a report today detailing a never-before-seen series of attacks against Kubeflow, a toolkit for running machine learning (ML) operations on top of Kubernetes clusters.

But while the number of hijacked clusters is small in comparison to previous Kubernetes attacks, the profits for crooks and the financial losses to server owners are most likely much higher than other attacks seen before.

"Nodes that are used for ML tasks are often relatively powerful, and in some cases include GPUs," Weizman explained.
"This fact makes Kubernetes clusters that are used for ML tasks a perfect target for crypto mining campaigns, which was the aim of this attack."
Click to expand...

ATTACKS BEGAN IN APRIL THIS YEAR
In a report today, Microsoft said that Kubeflow admins most likely changed the Kubeflow default settings and exposed the toolkit's admin panel on the internet. By default, the Kubeflow management panel is exposed only internally and accessible from inside the Kubernetes cluster.
As it learned more from its investigation into the early attacks, Microsoft now says it believes the most likely point of entry for the attacks are misconfigured Kubeflow instances.

Weizman said that since April, a cryptomining gang has been scanning for these dashboards, accessing the internet-exposed admin panels, and deploying new server images to Kubeflow clusters, with these images focused on running XMRig, a Monero cryptocurrency mining application.
Click to expand...

Microsoft: Misconfigured Kubeflow workloads are a security risk

In this blog, we’ll reveal a new campaign that was observed recently by ASC that targets Kubeflow, a machine learning toolkit for Kubernetes. We observed that this attack effected on tens of Kubernetes clusters.
Click to expand...

guest · Jun 25, 2020

mood said: ↑

New Golang malware plays the Linux field in quest for cryptocurrency
The malware strain is on the hunt for Monero by exploiting Linux servers
July 4, 2019
https://www.zdnet.com/article/new-golang-malware-plays-the-field-in-quest-for-cryptocurrency/

Palo Alto Networks - Unit42: The Gopher in the Room: Analysis of GoLang Malware in the Wild
Trend Micro: Golang-based Spreader Used in a Cryptocurrency-Mining Malware Campaign
F5 Labs: New Golang Malware is Spreading via Multiple Exploits to Mine Monero
Click to expand...

Golang Worm Widens Scope to Windows, Adds Payload Capacity
June 25, 2020
https://threatpost.com/worm-golang-malware-windows-payloads/156924/

A new version of a known malware campaign aimed at installing cryptominers has changed up its tactics, adding attacks on Windows servers and a new pool of exploits to its bag of tricks. It is also swiftly evolving to position itself as a backdoor for downloading future, more damaging malware, researchers said.

The malware itself was first uncovered about a year ago, and is a loader that spreads as a worm, searching and infecting other vulnerable machines. Once it infects a machine, it fetches the XMRig cryptomining payload, which mines for Monero.
According to an analysis from Barracuda Networks released Thursday, the heretofore unnamed loader, which it now calls “Golang,” originally targeted only Linux machines, but now has spread to Windows and other servers.

“This new malware variant attacks web application frameworks, application servers and non-HTTP services such as Redis and MSSQL,” explained the researchers.
Click to expand...

He added, “The cryptomining component in this malware can be easily replaced by the operators into some other functionality, meaning that we might see other variants used for other purposes in the future.”
Click to expand...

Barracuda: Threat Spotlight: New cryptominer malware variant

guest · Jun 27, 2020

Tor2Mine is Back, Controls Mining Programs
June 26, 2020
https://cyware.com/news/tor2mine-is-back-controls-mining-programs-9cfcd257

With an aim to control Monero mining activities by spreading trojans and other means, Tor2Mine, a cryptocurrency mining threat actor, makes a comeback after 2018.
What’s going on?

According to 360 Security Center, Tor2Mine is reducing the users to mining “black labor,” and so far has targeted Turkey, Spain, Russia, and Egypt.

Since March, the Tor2Mine mining program has grown dramatically by controlling a large number of devices and attaining viral transmission via lateral penetration.

Tor2Mine hides its mother program containing the trojan in download sites. The mining trojan quickly infects and occupies the users’ computers by creating scheduled tasks. It also spreads horizontally.

Click to expand...

guest · Jul 22, 2020

Prometei botnet exploits Windows SMB to mine for cryptocurrency
The new botnet has been quietly operating since March
July 22, 2020
https://www.zdnet.com/article/prometei-botnet-is-infecting-machines-to-mine-for-cryptocurrency/

A new botnet has been spotted in the wild which exploits the Microsoft Windows SMB protocol to move laterally across systems while covertly mining for cryptocurrency.
In a report shared with ZDNet, on Wednesday, Cisco Talos explained that the Prometei malware has been making the rounds since March 2020.

The new botnet is considered noteworthy as it uses an extensive modular system and a variety of techniques to compromise systems and hide its presence from end users in order to mine for Monero (XMR).
Prometei's infection chain begins with the attempted compromise of a machine's Windows Server Message Block (SMB) protocol via SMB vulnerabilities including Eternal Blue.
Click to expand...

In total, the botnet has over 15 executable modules that are controlled by one main module. The botnet is organized into two main function branches: one C++ branch dedicated to cryptocurrency mining operations, and one -- based on .NET -- which focuses on credential theft, the abuse of SMB, and obfuscation.

"Although earnings of $1,250 per month doesn't sound like a significant amount compared to some other cybercriminal operations, for a single developer in Eastern Europe, this provides more than the average monthly salary for many countries," Talos says.
Click to expand...

guest · Sep 17, 2020

New MrbMiner malware has infected thousands of MSSQL databases
A hacker group is brute-forcing MSSQL servers with weak passwords and installing crypto-mining malware
September 16, 2020
https://www.zdnet.com/article/new-mrbminer-malware-has-infected-thousands-of-mssql-databases/

A new malware gang has made a name for itself over the past few months by hacking into Microsoft SQL Servers (MSSQL) and installing a crypto-miner.

Thousands of MSSQL databases have been infected so far, according to the cybersecurity arm of Chinese tech giant Tencent.
In a report published earlier this month, Tencent Security has named this new malware gang MrbMiner, after one of the domains used by the group to host their malware.

The Chinese company says the botnet has exclusively spread by scanning the internet for MSSQL servers and then performing brute-force attacks by repeatedly trying the admin account with various weak passwords.
Click to expand...

LINUX AND ARM VARIANTS ALSO DISCOVERED
Tencent Security says that while they saw only infections on MSSQL servers, the MrbMiner C&C server also contained versions of the group's malware written to target Linux servers and ARM-based systems.
After analyzing the Linux version of the MrbMiner malware, Tencent experts said they identified a Monero wallet where the malware generated funds.

The address contained 3.38 XMR (~$300), suggesting that the Linux versions were also being actively distributed, although details about these attacks remain unknown for now.
Click to expand...

guest · Oct 16, 2020

'Lemon Duck' Cryptominer Activity Spikes
Cisco Talos: Botnet Targets Windows, Linux Devices to Mine for Monero
October 16, 2020
https://www.inforisktoday.com/lemon-duck-cryptominer-activity-spikes-a-15186

Researchers at Cisco Talos are warning about a sudden spike in activity from the "Lemon Duck" cryptomining botnet.

The botnet, which can infect Windows and Linux devices, is designed to mine for monero cryptocurrency by using the XMR cryptomining malware, according to a Cisco Talos report.
Although the botnet has been around since at least December 2018, the researchers have been tracking a spike in activity since August, with the botnet infecting more devices to expand its malicious network.

A report from security firm Sophos in August noted that operators behind the cryptomining botnet had started using COVID-19-themed emails to entice victims to open attachments that contain malware (see: 'Lemon Duck' Cryptominer Aims for Linux Systems).
Click to expand...

Since August, Cisco Talos researchers have seen an increase in DNS requests from compromised devices that are looking to connect to Lemon Duck's command-and-control servers.
How Lemon Duck Works
The Cisco Talos report sheds some additional light on how Lemon Duck targets and infects various devices.
Click to expand...

Cisco Talos: Lemon Duck brings cryptocurrency miners back into the spotlight

Attackers are constantly reinventing ways of monetizing their tools. Cisco Talos recently discovered a complex campaign employing a multi-modular botnet with multiple ways to spread.
This threat, known as "Lemon Duck," has a cryptocurrency mining payload that steals computer resources to mine the Monero virtual currency.

The actor employs various methods to spread across the network, like sending infected RTF files using email, psexec, WMI and SMB exploits, including the infamous Eternal Blue and SMBGhost threats that affect Windows 10 machines
Click to expand...

guest · Jan 1, 2021

Golang malware infecting Windows, Linux servers with XMRig miner
December 31, 2020
https://www.hackread.com/golang-malware-infects-windows-linux-xmrig-miner/

Multi-platform malware is a bit more dangerous than others since it could infect various operating systems at the same time. An example of one such in the latest is of a Golang based malware.

The malware has been actively involved in installing the XMRig miner on both Windows and Linux servers since the start of December 2020 in order to mine cryptocurrencies.
These servers are targeted based on the fact that they are public-facing in the form of MySQL databases or Tomcat admin panels for example combined with poor security practices.
Click to expand...

Since the first 2 (Linux version ones) have been found to be undetected on virus analysis platforms like VirusTotal, it shows us that it has managed to successfully evade security filters.

Explaining further on how the malware operates, the researchers state in a blog post that,

[...] …The malware will scan the network using TCP SYN in order to find services it can brute force and spread over the network. It will scan for IPs that have open ports related to these services: 8080 for Tomcat and Jenkins, 3306 for MySQL and 7001 for WebLogic on older versions of the worm. Each of these exploits has a package under the src “exp” (exploit) code.
Click to expand...

Intezer: Early Bird Catches the Worm: New Golang Worm Drops XMRig Miner on Servers

The fact that the worm’s code is nearly identical for both its PE and ELF malware—and the ELF malware going undetected in VirusTotal—demonstrates that Linux threats are still flying under the radar for most security and detection platforms.
Click to expand...

guest · Jan 23, 2021

mood said: ↑

New MrbMiner malware has infected thousands of MSSQL databases
A hacker group is brute-forcing MSSQL servers with weak passwords and installing crypto-mining malware
September 16, 2020
https://www.zdnet.com/article/new-mrbminer-malware-has-infected-thousands-of-mssql-databases/
Click to expand...

MrbMiner crypto-mining operation linked to Iranian software firm
Despite the Sophos report ousting the MrbMiner group today, the botnet is expected to continue to operate with impunity
January 21, 2021
https://www.zdnet.com/article/mrbminer-crypto-mining-operation-linked-to-iranian-software-firm/

Cyber-security firm Sophos said it found evidence connecting the operators of the MrbMiner crypto-mining botnet to a small boutique software development company operating from the city of Shiraz, Iran.

The MrbMiner botnet has been operational since the summer of 2020. It was first detailed in a Tencent Security report in September last year.
Click to expand...

In a report today, Sophos researchers said they analyzed this botnet's modus operandi in more depth. They looked at the malware payloads, domain data, and server information and found several clues that led them back to a legitimate Iranian business.

"When we see web domains that belong to a legitimate business implicated in an attack, it's much more common that the attackers simply took advantage of a website to (temporarily, in most cases) use its web hosting capabilities to create a 'dead drop' where they can host the malware payload," said Sophos researchers Andrew Brandt and Gabor Szappanos.
"But in this case, the domain's owner is implicated in spreading the malware."
Click to expand...

Sophos: MrbMiner: Cryptojacking to bypass international sanctions

Iran-based “garage startup” cryptojacking operation targets SQL servers
Click to expand...

guest · Apr 24, 2021

New cryptomining malware builds an army of Windows, Linux bots
April 24, 2021
https://www.bleepingcomputer.com/ne...malware-builds-an-army-of-windows-linux-bots/

A recently discovered cryptomining botnet is actively scanning for vulnerable Windows and Linux enterprise servers and infecting them with Monero (XMRig) miner and self-spreader malware payloads.

First spotted by Alibaba Cloud (Aliyun) security researchers in February (who dubbed it Sysrv-hello) and active since December 2020, the botnet has also landed on the radars of researchers at Lacework Labs and Juniper Threat Labs after a surge of activity during March.

After hacking into a server and killing competing cryptocurrency miners, the malware will also spread over the network in brute force attacks using SSH private keys collected from various locations on infected servers

"Lateral movement is conducted via SSH keys available on the victim machine and hosts identified from bash history files, ssh config files, and known_hosts files," Lacework added.
Click to expand...

Slowly but steadily filling cryptocurrency wallets
The Lacework Labs team successfully recovered a Sysrv-hello XMrig mining configuration file which helped them find one of the Monero wallets used by the botnet to collect Monero mined on the F2Pool mining pool.

Even though this wallet contains just over 12 XMR (roughly $4,000), cryptomining botnets regularly use more than one wallet linked to multiple mining pools to collect illegally earned cryptocurrency, and this can quickly add up to a small fortune.
Click to expand...

guest · Jun 25, 2021

Crackonosh malware abuses Windows Safe mode to quietly mine for cryptocurrency
The malware is thought to have generated millions of dollars in just a few short years
June 25, 2021
https://www.zdnet.com/article/crack...safe-mode-to-quietly-mine-for-cryptocurrency/

Researchers have discovered a strain of cryptocurrency-mining malware that abuses Windows Safe mode during attacks.

The malware, dubbed Crackonosh by researchers at Avast, spreads through pirated and cracked software, often found through torrents, forums, and "warez" websites.
After finding reports on Reddit of Avast antivirus users querying the sudden loss of the antivirus software from their system files, the team conducted an investigation into the situation, realizing it was due to a malware infection.

"While the Windows system is in safe mode antivirus software doesn't work," the researchers say. "This can enable the malicious Serviceinstaller.exe to easily disable and delete Windows Defender. It also uses WQL to query all antivirus software installed SELECT * FROM AntiVirusProduct."
Click to expand...

In addition, Crackonosh will attempt to stop Windows Update and will replace Windows Security with a fake green tick tray icon.

The final step of the journey is the deployment of XMRig, a cryptocurrency miner that leverages system power and resources to mine the Monero (XMR) cryptocurrency.
Overall, Avast says that Crackonosh has generated at least $2 million for its operators in Monero at today's prices, with over 9000 XMR coins having been mined.

Approximately 1,000 devices are being hit each day and over 222,000 machines have been infected worldwide.
Click to expand...

guest · Jul 23, 2021

Lemon Duck malware isn't done harassing Windows and Linux, it's evolving
July 23, 2021
https://www.windowscentral.com/lemon-duck-isnt-done-harassing-windows-and-linux

What you need to know

Lemon Duck has been causing headaches for PCs for years.

It's evolving to be even more malicious.

Microsoft is tracking its activities and has issued a report on the latest Lemon Duck developments.

Click to expand...

Lemon Duck is causing more trouble than ever. Originally, it was primarily a cryptocurrency botnet that enabled mining on machines. It then began a transition into being a malware loader, which brings us to the latest update from Microsoft on the state of the malicious, citrus-infused digital duck.

"Today, beyond using resources for its traditional bot and mining activities, LemonDuck steals credentials, removes security controls, spreads via emails, moves laterally, and ultimately drops more tools for human-operated activity," Microsoft's security report reads, detailing the many ways Lemon Duck (now referred to as LemonDuck by Microsoft) can harm someone. Worse yet, it's not exclusive to one platform. It'll go after Windows as well as Linux, and is documented as spreading itself via phishing emails, USB devices, exploits, and more.
Click to expand...

There's also LemonCat, which is an entirely different infrastructure named after its usage of two domains that contain the word "cat." This lemony variant infrastructure is used for backdoor installations, malware delivery, and data and credential theft. It also tends to deliver the Ramnit malware.
Click to expand...

Microsoft: When coin miners evolve, Part 1: Exposing LemonDuck and LemonCat, modern mining malware infrastructure

In-depth research into malware infrastructures of various sizes and operations provides invaluable insight into the breadth of threats that organizations face today. In the case of LemonDuck, the threat is cross-platform, persistent, and constantly evolving. Research like this emphasizes the importance of having comprehensive visibility into the wide range of threats, as well as the ability to correlate simple, disparate activity such as coin mining to more dangerous adversarial attacks.

In Part 2 of this blog series, we’ll share our in-depth technical analysis of the malicious actions that follow a LemonDuck infection. These include general, automatic behavior as well as human-initialized behavior. We will also provide guidance for investigating LemonDuck attacks, as well as mitigation recommendations for strengthening defenses against these attacks.
Click to expand...

guest · Aug 5, 2021

Cryptominer ELFs Using MSR to Boost Mining Process
August 5, 2021
https://securityaffairs.co/wordpress/120848/cyber-crime/cryptominer-elfs-msr-mining-performance.html

The Uptycs Threat Research Team recently observed Golang-based worm dropping cryptominer binaries which use the MSR (Model Specific Register) driver to disable hardware prefetchers and increase the speed of the mining process by 15%.

The Golang-based worm which targets vulnerable *nix servers exploit known vulnerabilities in the popular web servers in order to spread itself and the embedded miner. The new variants of the worm were identified in June 2021 by our threat intelligence systems. Though some of the functionalities were similar to the malware discussed by the security firm Intezer last year, the newer variants of this malware had a bunch of activities up its sleeve.
Click to expand...

With the rise and sky-high valuation of Bitcoin and several other cryptocurrencies, cryptomining-based attacks have continued to dominate the threat landscape. Wormed cyptominer attacks have a greater threshold as they write multiple copies and also spread across endpoints in a corporate network.

The Indicators of Compromise (IOCs) associated with wormed cryptomier are reported in the original report at https://www.uptycs.com/blog/cryptominer-elfs-using-msr-to-boost-mining-process.
Click to expand...

guest · Aug 10, 2021

Splunk spots malware targeting Windows Server on AWS to mine Monero
August 10, 2021
https://www.theregister.com/2021/08/10/crypto_botnet_targets_windows_on_aws/

Data analysis firm Splunk says it's found a resurgence of the Crypto botnet – malware that attacks virtual servers running Windows Server inside Amazon Web Services.

Splunk's Threat Research Team (STRT) posted its analysis of the attack on Monday, suggesting it starts with a probe for Windows Server instances running on AWS, and seeks out those with remote desktop protocol (RDP) enabled.
Splunk's security team noticed that one of the Monero wallets used in this campaign was also involved in a 2018 wave of attacks using the same Crypto botnet.
Click to expand...

The vendor has published a guide to the attack here.
Click to expand...

guest · Aug 17, 2021

New HolesWarm botnet targets Windows and Linux servers
August 16, 2021
https://therecord.media/new-holeswarm-botnet-targets-windows-and-linux-servers/

A new botnet named HolesWarm has been slowly growing in the shadows since June this year, exploiting more than 20 known vulnerabilities to break into Windows and Linux servers and then deploy cryptocurrency-mining malware.

While attacks have primarily been spotted across China, with reports from security firm Tencent and various IT bloggers, the botnet is expected to expand its reach, and target systems across the globe as its infrastructure and attack capabilities expand in the coming months.
Click to expand...

While the entry vectors may vary per victim, Tencent Security says that once the malware gets a foothold on an infected system, HolesWarm dumps local passwords, expands to the local network, and then deploys an XMRig-based cryptocurrency mining tool.

While other botnet operators try to hide their presence on infected systems by tethering the crypto-mining process, HolesWarm doesn’t appear to employ this safety mechanism, and per several reports, the botnet often maxs out server CPUs, leading to its discovery.
Click to expand...

Right now, the botnet is just the latest in a long line of crypto-mining botnets that are popping up online on a regular basis. Nothing in its make-up screams technical sophistication, and the HolesWarm operators are just the latest malware coders taking advantage of the large number of servers running out-of-date software.
Click to expand...

guest · Dec 6, 2021

mood said: ↑

Tor2Mine is Back, Controls Mining Programs
June 26, 2020
https://cyware.com/news/tor2mine-is-back-controls-mining-programs-9cfcd257
Click to expand...

Tor2Mine cryptominer has evolved: Just patching and cleaning the system won’t help
December 3, 2021

Sophos released new findings on the Tor2Mine cryptominer, that show how the miner evades detection, spreads automatically through a target network and is increasingly harder to remove from an infected system. Tor2Mine is a Monero-miner that has been active for at least two years.

In the research, Sophos describes new variants of the miner that include a PowerShell script that attempts to disable malware protection, execute the miner payload and steal Windows administrator credentials. What happens next depends on whether the attackers successfully gain administrative privileges with the stolen credentials. This process is the same for all the variants analyzed.
Click to expand...

The variants all attempt to shut down anti-malware protection and install the same miner code. Similarly, in all cases, the miner will continue to re-infect systems on the network unless it encounters malware protection or is completely eradicated from the network.

“The presence of miners, like Tor2Mine, in a network is almost always a harbinger of other, potentially more dangerous intrusions. However, Tor2Mine is much more aggressive than other miners,” said Sean Gallagher, senior threat researcher at Sophos.
Click to expand...

Sophos: Two flavors of Tor2Mine miner dig deep into networks with PowerShell, VBScript

Using remote scripts and code, one variant can even execute filelessly until it gains administrative credentials.
Click to expand...

Log in or Sign up

Malware Epidemic: Monero Mining Campaigns Are Becoming a Real Problem

guest Guest

guest Guest

guest Guest

guest Guest

guest Guest

guest Guest

guest Guest

guest Guest

guest Guest

guest Guest

guest Guest

guest Guest

guest Guest

guest Guest

guest Guest

guest Guest

guest Guest

guest Guest

guest Guest

guest Guest

guest Guest

guest Guest

guest Guest

guest Guest

Log in or Sign up

Malware Epidemic: Monero Mining Campaigns Are Becoming a Real Problem

guest Guest

guest Guest

guest Guest

guest Guest

guest Guest

guest Guest

guest Guest

guest Guest

guest Guest

guest Guest

guest Guest

guest Guest

guest Guest

guest Guest

guest Guest

guest Guest

guest Guest

guest Guest

guest Guest

guest Guest

guest Guest

guest Guest

guest Guest

guest Guest

Useful Searches