TronWeekly

Crypto World News

You are here: Home / Archives for cryptojacking malware

cryptojacking malware

Microsoft Detects Malware, Steals Bitcoin and Cryptocurrency Wallet Details

by

Security breaches are on the rise as hackers are constantly looking for loopholes. With every passing day, their malicious attempts are becoming more and more sophisticated. As bitcoin and other cryptocurrencies became popular, this space has become one of the most highly exploited industries.

Due to this, time and again, cybersecurity experts have warned that malware could be stealing Bitcoin and cryptocurrency wallet information.

In yet another alarming development, Microsoft Security Intelligence notified about the distribution of new information-stealing malware. Tweeting about the same, it stated,

According to Microsoft Security Intelligence, this new malware shares a name with an unrelated family of Android banking malware and also asserted that Anubis is deployed in what appears to be limited, initial campaigns that have so far only used a handful of known download URLs and C2 servers.

It further tweeted,

“Microsoft Defender ATP detects the new malware as PWS:MSIL/Anubis.G!MTB. We will continue to monitor this threat for the possible expansion of these campaigns.”

Anubis is found in several applications on the Google Play Store and is known for stealing confidential banking credentials and “allowing its master to spy on the smartphone’s user”.

The reason it remains undetected by Google, according to the security services provide Orange Cyber Defense, is because the first stage of the malware in the app is a downloader that does not contain any harmful code.

In another similar event in September 2019, cybersecurity researchers at Zscaler’s ThreatLabZ had notified that a malware called ‘InnfiRAT’ had the ability to perform specific tasks from an infected machine. This piece of malware is designed to access and steal personal information on a user’s computer.

Among other things, InnfiRAT can look for crypto wallet information and grab browser cookies to steal stored usernames and passwords, as well as session data using its “screenshot” functionality.

New Monero Mining Malware is Targeting Government Agencies and Education

by

According to a new study conducted by cybersecurity and intelligence firm, Guardicore Labs, a monero mining malware by the name XMRig, has been send to tens of millions of IP addresses. The malware has mainly attacked healthcare centers, the education sector, government agencies, banks, telecommunication firms, and many others.

The malware’s success rate has been abundant so far: the study by Guardicore shows that the monero mining malware has inflicted more than 500 SSH servers, including servers owned by major educational institutions across Europe, the United States, and a railway firm.

Furthermore, the report claims that a botnet triggers the XMRig monero mining malware by the name FritzFrog, which uses a kind of brute-force to attack millions of servers across the world to gain access. Once FritFrog penetrates the servers, it triggers a different procedure called “libexec,” which launches the monero mining malware, XMRig.

Highly effective monero mining malware

Although crypto-jacking incidents are nothing new, the cybersecurity firm reports that FritzFrog is a special type of malware. First of all, the botnet’s network was masked in a P2P system, making it very tough to trace. Guardicore also discovered that the botnet’s P2P execution was coded from the ground up, signaling that it was developed by “highly professional software developers.”

The botnet’s protocol is coded in a language referred to as Golang. The style is extremely volatile and does not leave any tracks on the disk. Furthermore, Golang forms an SSH public key that operates as a rear way that permits access to the infringed computer systems.

Cryptojacking malware targeting learning institutions

Earlier this year, a different crypto-jacking malware was targeting supercomputers owned by significant educational institutions. FritzFrog also seems to be targeting large supercomputers similar to those reported earlier. The cryptojacking malware at the time forced most of the supercomputers used for COVID-19 research to be shut down, obstructing the progress.

Hackers Steal $3.1 Million in Bitcoin From Crypto Exchange Cashaa

by

The U.K.-based crypto exchange, Cashaa, claims that hackers stole 336 bitcoins worth about $3.1 million from the exchange. The exchange firm has now halted all cryptocurrency transactions, such as withdrawals and deposits, in order to pave the way for security breach investigations.

Cashaa revealed through a tweet that the attacker hacked one of their wallets on Blockchain.com. The wallet is used to maintain the BTC and to make transfers to the crypto exchange platform. It is believed that the hacker has embedded malware into one of Casha’s computer systems.

Crypto exchange Cashaa attack took 3 minutes

Moreover, as one of the employees accessed the computer on July 10 to validate two separate transactions, the attacker swooped in, getting away with 336 Bitcoins worth approximately $3.1 million under the current market price. The incident took place within three minutes, between 1:23 pm and 1:26 pm. The CEO of Cashaa, Kumar Gaurav, reportedly told media outlets that:

“We are still investigating the damage caused by the incident and suspend all withdrawals for 24 hours. We have called the board meeting to decide whether the company will bear all the losses.”

Cashaa CEO wants exchanges that allow transfer of stolen funds to be shut down

According to Cashaa crypto exchange, the funds were transferred to this bitcoin address: 14RYUUaMW1shoxCav4znEh64xnTtL3a2Ek. There are some suggestions that the crypto mixing software is being used to transfer the stolen BTC; to confine the digital trails. Cashaa also suspects that the perpetrator is from East Delhi , India, and has therefore filed a report with the Delhi Police Cyber Crime Department.

In addition, Cashaa has reported the address involved to all crypto exchange platforms in an attempt to prevent the hacker from spending the stolen crypto. Through a statement directed at exchanges that permit stolen funds transactions; Guarav said attackers are assured of hacking cryptocurrency addresses and moving the funds via these exchanges.  Gaurav also noted the need to shut down these platforms and charge owners for money laundering.

Beware of Fake Decryption Tool Exploiting Desperate Ransomware  Victims

by

Cyber criminals can be really annoying. This time round hackers have created malware in the shape of a decryption software that helps ransomware attack victims by encryption. The fake decryption tool will actually double encrypt your compromised files, not knowing you ‘re jumping from the frying pan to the actual fire.

A recent report by information security and technology news publication, Bleeping Computers, fake ransomware decryption software by STOP Djvu Ransomware, double-encrypts files that create a much bigger victim problem. According to the report, it lures already desperate victims with the guarantee of a free malware decryption tool, infecting them with another ransomware instead.

The malware dubbed “Zorab” was uncovered by the creator of ID Ransomware, Michael Gillespie. There are existing decryption tools that don’t charge huge amounts of money to decrypt files, exactly what the fake decryption tool is trying to do. The malware promises to decrypt files at no cost, but it eventually encrypts them multiple times.

 

Ransomware operatives such as REvil, Netwalker, DoppelPaymer and Maze are popular due to their high profile victims and attracting huge ransoms. Now there is another ransomware, STOP Djvu, which is already infecting more victims than the aforementioned popular operatives combined together on a daily basis.

How the fake decryption tool works

When a victim downloads the fake decryption tool and starts scanning his computer system by clicking the ‘start scan’ button, the ransomware draws out an executable file dubbed crab.exe; this is the zorab malware itself. Once this file is deployed, the fake decryption software double encrypts the entire files in the system with a .ZRB extension.

Fake Decryption Tool

Additionally, the ransomware creates ransom notes in every encrypted folder labeled ‘–DECRYPT–ZORAB.txt.ZRB.’ Inside the notes, there are details on how to reach the ransomware attackers to pay the ransom. The creation of a fake decryption tool was a clever idea to easily and quickly spread malware. Indeed, the Bleep Computer’s report described STOP Djvu Ransomware as “the most actively distributed ransomware over the past year.

Monero Mining Malware has Infected 1000 Corporate Computers 

by

Since December 2019, more than 1,000 corporate computer systems have been infected with Blue Mockingbird malware by cyber criminals. The global spread of Monero mining malware was reported by Red Canary Cloud Security Company on May 26.

According to the report, monero mining malware attacks servers running ASP.NET applications and is most vulnerable to installing a web shell on the attack system. This inturn gives the administrator level of malware access to change the server settings.

Furthermore, the attackers are installing the XMRRig application to exploit the resources of the hacked system. According to Red Canary, the majority of the computer systems used are owned by big corporations, but the cloud security firm did not reveal names.

Remote Desktop Protocol’s weaknesses exploited by Monero mining malware

The cybercriminals utilized the weaknesses in the Remote Desktop Protocol in Windows operating system to access the computer systems. The report notes that although the attacks happened within a short period of time, it is hard to evaluate the total number of attacks. Indeed, this approach has been used before in the recent Trojan ransomware attacks.

Additionally, Red Canary has cautioned the firms that have not yet been infected to be at a higher risk of their system being breached by the Monero mining malware. According to the threat analyst at Emsisoft malware lab:

“Cybercriminals specifically seek out weaknesses in the internet-facing systems and, when found, exploit them. Companies can significantly reduce their risk factor by following well-established best practices such as timely patching, using MFA, disabling PowerShell when not needed, etc.”

Rise in ransomware attacks

The use of  XMRRig app for illegal mining of cryptocurrencies has been a common practice by various groups of hackers. Back in 2019, cybersecurity companies Symantec and BlackBerry Cylance cautioned on the penetration of the XMRRig app through music files.

Furthermore, in November of the same year, malware attacked weak Docker occasions to install the crypto-jacking software.

COVID-19 Research Supercomputers Infected With Crypto-Jacking Malware

by

European COVID-19 research supercomputers were hacked and infected with crypto-mining malware by an anonymous cyber-crime gang over the past one week. More than ten supercomputers in Germany, the United Kingdom, Spain, and Switzerland were attacked by a group of hackers to illegally mine cryptocurrencies.

Moreover, following the crypto-jacking of COVID-19 research supercomputers, some of them have had to be shut down to curb the damage. Among the supercomputers shut down is the University of Edinburgh’s “Archer” supercomputer. Archer was performing COVID-19 research analysis before being taken offline.

According to reports, the hacking group stole COVID-19 research supercomputer’s login credentials to gain access. The unknown group stole credentials from compromised networks of universities in Poland and the People’s Republic of China. 

A cybersecurity firm, Cado Security noted that it is normal practice for users from various high-performance computing facilities to have credentials of other institutions. This makes it easy for hackers to sieve their login credentials. 

COVID-19 research supercomputers installed with Monero mining software

In two of the events, the attackers linked with the supercomputers through a compromised SSH account. The account then took advantage of a weakness on the Linux kernel to get access and afterward installed a Monero mining software. Interestingly, the crypto-jacking malware has been set to operate during the night only, to avoid detection.

Furthermore, the majority of targets were COVID-19 research supercomputers. These computers were being used in conducting the coronavirus pandemic research. As per a publication by the Swiss Center of Scientific Computations in Zurich, the illegal crypto-mining activity led in the external access to the center taken offline to fix security issues.

The attackers’ intention of installing crypto-jacking malware is believed to make some cash. Regardless, the attack is contemplated as to cause a major disruption in the ongoing coronavirus pandemic research due to the intrusion and the resulting downtime.

This incident is yet another example that hackers are not satisfied with making money merely from their data hacks where they later sell compromised information online. On the contrary, they keep flowing with the air to take advantage of users’ weaknesses (whether it’s emotional or machine/software hole) to fill their pockets at the fullest.

North Korea President Kim Jong-un Allegedly Urges Hackers to Adopt Phishing in Stealing Crypto

by

According to a recent report by U.K-based media outlet Mirror, North Korea President Kim Jong-un has released a “new wave of global cyber crime” by allegedly instructing the notorious hacking group, Lazarus, to adopt phishing scams to steal Bitcoin and other digital currencies.

The North Korea leader is feared to have  started a new wave of worldwide cyber crime, to help navigate the tough financial tides; brought about by coronavirus in the country. The hacking group, Lazarus, is believed to be behind the attack on Sony Pictures; after the release of the Hollywood movie The Interview.

Hackers steal $571 million from crypto exchanges

Between January 2017 and the end of 2018, Lazarus hackers and two other hacking groups stole digital currencies worth $571 million from five different crypto exchanges situated in Asia as per a report by the US government. 

In addition, the report claims that the economy of North Korea has substantially dipped; due to the spread of COVID-19 and international sanctions. As a result, the popular hacking group has adopted a different spate of APT (advanced persistent threat) attacks. According to EST Security firm, situated in Seoul, Lazarus hackers sponsored by a certain government, have engaged in elevated cyber crimes in and out of North Korea.

North Korea President Kim Jong-un allegedly funded nuclear program using stolen crypto

Furthermore, North Korea has been previously accused of using stolen cryptocurrencies to sponsor its ballistic missiles project. EST Security additionally claimed that the Lazarus Groups are not only master-minding APT attacks in North Korea; but also in foreign countries such as the United States.

The security firm also confirmed that the hackers consistently sent out emails in the disguise of employment offerings; to spread the malware to different computers in order to steal crypto. As crypto-related scams escalate since the start of the COVID-19 pandemic; and the security company has also cautioned of a malicious document; being used as bait to target employees of major companies, organizations and institutions.

New Cryptojacking Malware Vivin Mining Hundreds of Thousands of Monero Coins

by

Cisco Talos cybersecurity experts are tracking down a 2-year old malware that has been conducting an active crypto mining campaign of Monero coins. 

Cybersecurity methods of preventing data breaches have evolved tremendously and so have cyber criminal mechanisms. Researchers at Cisco identified the cryptojacking malware as Vivin and indicated it had been active as early as 2017. A 2018 report from the Cyber Threat Alliance (CTA) revealed a 459% increase on the rate of illicit cryptojacking that year. This trend continued to grow for the better part of 2018 with McAfee Labs reporting a 659% increase by the end of Q1. 

Meanwhile, McAfee Labs research found out that increasing cryptocurrency prices fueled the rise of cryptojacking malware. However during a Threatpost podcast,  Cisco Talos cybersecurity researcher Nick Biasini pointed out that hackers did not require huge amounts of money so as to drive these operations. As long as the illegal ventures generate any amount of revenue, as long as money is the guarantee; cyber attacks are here to stay. His suggestion was to drive the point that Monero crypto mining malware was still on the rise, despite the coin’s diminishing price. 

For a malware campaign that has been in existence since November 2017, they must have mined thousands of dollars of Monero coins from unsuspecting host computers. 

Note that cryptojacking involves hijacking user computers and exploiting their computing power to mine digital currencies. The activities usually take place without the owner’s knowledge. Eventually, the malware sends the mined funds to the criminals controlling the software.

Talos discovered that the Vivin malware was rotating multiple amounts of wallet addresses and corrupting payload delivery chains. Activities which took place across different timelines. However, the first actor to infecting computers with Vivin involved installation of pirated software. The software opened up the infected computer to a backdoor as the initial attack vector; upon which the code executed an XMrig mining software installation. 

Nevertheless, the perpetrators of the attack did little to nothing in hiding their activity. A host of poor security decisions like posting similar Monero wallet addresses revealed their track. However, as Talon came to establish – the poor operation decision were a well thought generalization pattern for massive targeting of general user behavior. 

Vivin Cryptojacking Malware Prevention

Vivin attack point of attacks however offers computer users numerous tactics, techniques and procedures (TTP) for mitigating risks. To prevent the threat of cryptojacking malware and especially in this case Vivin attacks, observe the following: 

  1. Avoid pirated software usage on endpoints
  2. Ensure perfect event logging and monitoring
  3. Observe proper system resource monitoring
  4. Block mining pools URLs
  5. Implement detection signatures

Biasini noted that he wasn’t surprised that cryptojacking malware were still currently present. The researcher said that cybersecurity and TTP attack prevention might have mitigated the first phase of cryptojacking. However, there was a second wave of cyber criminal behavior occasioned by sketchy data phishing and brute force. The initial wave, he noted, characterized spam campaigns and infected mail documents. 

During press time, Vivin attacks are active and still mining hundreds of thousands of dollars from unsuspecting computer users. It is therefore essential that people observe good cybersecurity hygiene before they have their computer resources milked dry.