The Monero crypto-currency mining activity affects more than 30 million users worldwide
PaloAlto Networks security experts recently discovered a massive cryptocurrency mining operation aimed at mining Monero using the open source XMRig tool. At present, the attack has lasted for more than 4 months and the number of global systems involved is about 30 million. The most affected countries are Thailand (3,545,437), Vietnam (1,830,065) and Turkey (665,058).
According to security experts, attackers deploy mining tools using VBS files and URL shortening services. For example, when an attacker uses the Adf.ly short URL service, the user is redirected whenever the user clicks on the link, and then download the cryptocurrency mining software.
Security experts believe Monero’s mining operation is huge because at present researchers have detected more than 250 unique Microsoft Windows PE files, most of which were downloaded from 4sync, an online cloud storage provider. These files have a common name, probably because they originated from the file sharing service.
Attackers execute XMRig mining software via VBS files and use the XMRig proxy service to hide the final sink destination. In addition, the researchers also noted that attackers used the Nicehash market to trade hash processing capabilities.
According to PaloAlto experts, last October 20 was a milestone for the currency mining operation, after attackers downloaded XMRig from a remote location using the Windows built-in BITSAdmin tool. (Note: In general, the final payload is mainly installed by “msvc.exe”.)
After October 20, security experts observed that attackers started using HTTP redirect services.
As of November 16, attackers have changed the malware attack strategy:
Instead of using SFX files, they re-use an executable compiled in the Microsoft .NET Framework that writes VBS files to disk and modifies the running registry entries for the victim’s user to ensure durability.
At the moment security officials have observed the last change in attack strategy in late December 2017 when attackers changed the dropper used to deploy malware:
After giving up NET, they used the Borland Delphi compiled dropper to create the necessary VBS files. Unlike .NET droppers, this particular dropper places VBS files in the victim’s startup folder for the purpose of persistence.
Curiously enough, so much of a Monero mining activity did not attract the attention of such a long time, the relevant security experts believe that this is very unusual.
Source: SecurityAffairs
