Cisco Talos cybersecurity researchers are tracking a two-year-old malware family that has been running an active Monero crypto-mining campaign.
Cybersecurity methods for preventing data breaches have evolved tremendously, and so have cyber criminal techniques. Researchers at Cisco identified the cryptojacking malware as Vivin and indicated it had been active as early as 2017. A 2018 report from the Cyber Threat Alliance (CTA) revealed a 459% increase in the rate of illicit cryptojacking that year. The trend continued to grow for the better part of 2018, with McAfee Labs reporting a 659% increase by the end of Q1.
Meanwhile, McAfee Labs research found that rising cryptocurrency prices fueled the growth of cryptojacking malware. However, during a Threatpost podcast, Cisco Talos researcher Nick Biasini pointed out that attackers do not need large sums of money to keep these operations going. As long as the illegal ventures generate any revenue at all, the attacks are here to stay. His point was that Monero crypto-mining malware was still on the rise despite the coin’s falling price.
For a campaign that has been running since November 2017, the operators must have mined thousands of dollars’ worth of Monero from unsuspecting host computers.
Note that cryptojacking involves hijacking user computers and exploiting their computing power to mine digital currencies. The activity usually takes place without the owner’s knowledge, and the malware sends the mined funds to the criminals controlling it.
Talos found that Vivin rotated through multiple wallet addresses and modified its payload delivery chains, with these changes occurring across different time periods. The initial infection vector was pirated software: the installer opened a backdoor on the infected computer, through which the code installed the XMRig mining software.
Nevertheless, the perpetrators did little to nothing to hide their activity. A series of poor operational security decisions, such as posting the same or similar Monero wallet addresses, exposed their tracks. However, as Talos came to establish, these poor operational decisions were part of a deliberate, generalized pattern designed for mass targeting of ordinary user behavior.
Vivin Cryptojacking Malware Prevention
The tactics, techniques and procedures (TTPs) observed in the Vivin attacks nonetheless give computer users several ways to mitigate the risk. To prevent cryptojacking malware in general, and Vivin attacks in particular, observe the following:
- Avoid using pirated software on endpoints
- Ensure thorough event logging and monitoring
- Monitor system resource usage for anomalies
- Block mining pool URLs
- Implement detection signatures
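The last three items can be combined into simple endpoint telemetry checks. As an added illustration (not code from Talos or from this article), the script below scans constructed process-creation and outbound-connection events for the traits described here: an XMRig-style command line pointing at a stratum pool, a Monero wallet address passed on the command line, connections to blocked pool hosts or typical stratum ports, and the same wallet reused across several hosts. The pool hostnames, the tab-separated log format and the port list are assumptions to be tuned to your own environment.

```python
import re
from collections import defaultdict

# XMRig-style pool URL and a Monero standard/sub address (base58, 95 chars, starts with 4 or 8).
STRATUM_RE = re.compile(r"stratum\+(?:tcp|ssl)://([^\s:]+):(\d+)")
XMR_ADDR_RE = re.compile(r"\b[48][1-9A-HJ-NP-Za-km-z]{94}\b")
# Assumed blocklist and stratum ports; replace with your own threat-intel feed.
POOL_BLOCKLIST = {"pool.example.invalid", "pool2.example.invalid"}
STRATUM_PORTS = {3333, 5555, 7777, 14444}

# Constructed wallet (valid shape, not a real address) and constructed telemetry.
FAKE_WALLET = "4" + ("AbC1" * 24)[:94]
SAMPLE_EVENTS = f"""\
host01\tproc\tC:\\Users\\bob\\AppData\\Roaming\\svchost.exe -o stratum+tcp://pool.example.invalid:3333 -u {FAKE_WALLET} -k
host01\tconn\tpool.example.invalid:3333
host02\tproc\tC:\\Program Files\\KeygenTool\\update.exe --url=stratum+ssl://pool2.example.invalid:443 --user={FAKE_WALLET}
host03\tproc\tC:\\Windows\\System32\\notepad.exe
host03\tconn\tupdates.vendor.example.invalid:443
"""


def analyze_events(text):
    """Return (findings, shared_wallets) for tab-separated 'host<TAB>kind<TAB>payload' lines."""
    findings = []
    wallets = defaultdict(set)  # wallet -> hosts seen using it (rotation/reuse tracking)
    for line in text.splitlines():
        host, kind, payload = line.split("\t", 2)
        if kind == "proc":
            m = STRATUM_RE.search(payload)
            if m:
                findings.append((host, "stratum-miner-cmdline", m.group(1)))
            for wallet in XMR_ADDR_RE.findall(payload):
                wallets[wallet].add(host)
                findings.append((host, "monero-wallet-in-cmdline", wallet[:8] + "..."))
        elif kind == "conn":
            dst, _, port = payload.rpartition(":")
            if dst in POOL_BLOCKLIST or int(port) in STRATUM_PORTS:
                findings.append((host, "mining-pool-connection", payload))
    # A wallet shared by several hosts points to one operator behind many infections.
    shared = {w: sorted(h) for w, h in wallets.items() if len(h) > 1}
    return findings, shared


if __name__ == "__main__":
    for finding in analyze_events(SAMPLE_EVENTS)[0]:
        print(*finding, sep="  ")
```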
Biasini noted that he was not surprised cryptojacking malware is still around. Security controls and TTP-based prevention may have mitigated the first phase of cryptojacking, which he said was characterized by spam campaigns and infected mail attachments, but a second wave of criminal activity followed, driven by phishing and brute force.
At press time, Vivin attacks are still active and still mining hundreds of thousands of dollars from unsuspecting computer users. It is therefore essential that people practice good cybersecurity hygiene before their computer resources are milked dry.