For the past few years, ran­somware has been a bane of com­put­er users. These soft­ware nas­ties infect PCs, scram­ble files, and demand pay­ment in cryp­tocur­ren­cy to restore the doc­u­ments.

Those cryp­tocur­ren­cies are a right faff to get hold of and trans­fer to mis­cre­ants at short notice. And there’s no guar­an­tee crooks will hand over the decryp­tion key. And antivirus and oper­at­ing sys­tems are get­ting much, much bet­ter at block­ing ran­somware infec­tions. As such, peo­ple either don’t pay up, or don’t need to.

Oracle WebLogic hole primed to pump Monero


It’s there­fore no won­der that crim­i­nals are cut­ting out the mid­dle per­son – the human vic­tim – and infect­ing machines with remote-con­trolled mal­ware that qui­et­ly mines alt-coins and slips the dig­i­tal dosh back to its mas­ters.

A sin­gle hijacked box can typ­i­cal­ly mine about 25 cents of Mon­ero a day. Mul­ti­ply that over tens of thou­sands of machines, and it adds up to a nice lit­tle earn­er. Accord­ing to secu­ri­ty researchers, crim­i­nals are shift­ing from coin­ing it with ran­somware to rak­ing it in direct­ly with stealthy min­ers.

A Mon­ero min­er that’s inject­ed by hack­ers into Win­dows-pow­ered com­put­ers using the NSA’s stolen and leaked Eter­nal­Blue exploit has net­ted its over­lords $2.8m to $3.6m, accord­ing to infos­ec biz Proof­point today.

This remote-con­trolled net­work of min­ing bots, dubbed Smom­in­ru, is churn­ing out rough­ly 24 XMR ($8,500) a day, we’re told. The bot­net has press-ganged some­thing like 526,000 Win­dows box­es, which are most­ly servers and most­ly in Rus­sia, India, and Tai­wan. Two dozen or so com­put­ers crawl the inter­net for vul­ner­a­ble devices and hijacks them using Eter­nal­Blue, which attacks Win­dows net­work file-shar­ing ser­vices.

At the end of last yer, Pan­da Secu­ri­ty also found a sim­i­lar Eter­nal­Blue-wield­ing Mon­ero min­ing net­work, dubbed Wan­naMine after the Wan­naCry ran­somware that famous­ly used the NSA’s exploit.

You’re havin’ a bubble, mate

Cis­co’s Talos secu­ri­ty team has also seen a marked increase in covert cryp­tocur­ren­cy min­er instal­la­tions. The top five dig­i­tal-coin-craft­ing oper­a­tions found by Talos have been sim­i­lar­ly mak­ing seri­ous bank – up to $330,000 a year in just one case. The rewards are poten­tial­ly even greater con­sid­er­ing the bub­ble online cur­ren­cy prices are still in.

“The num­ber of ways adver­saries are deliv­er­ing min­ers to end users is stag­ger­ing. It is rem­i­nis­cent of the explo­sion of ran­somware we saw sev­er­al years ago,” the Talos team said on Wednes­day. “This is indica­tive of a major shift in the types of pay­loads adver­saries are try­ing to deliv­er. It helps show that the effec­tive­ness of ran­somware as a pay­load is lim­it­ed.”

The thing about ran­somware is that it’s easy for secu­ri­ty tools to detect and block: just look out for pro­grams that start work­ing their way through filesys­tems to encrypt the con­tents of doc­u­ments. No nor­mal every­day appli­ca­tion behaves like that.

Cur­ren­cy craft­ing soft­ware, on the oth­er hand, does­n’t do any­thing obvi­ous­ly weird apart from con­sum­ing some proces­sor time. Mon­ero min­ing is ide­al for covert crooks because it does­n’t require a lot of pro­cess­ing oomph, mean­ing it can be done in the back­ground with the vic­tim none the wis­er.

The min­er has to con­tact an out­side serv­er to trans­fer out its coins, though, which a net­work admin can detect. Some min­ing code – par­tic­u­lar­ly Coin­hive’s wide­spread JavaScript – is stopped by antivirus pack­ages and ad-block­ing tools, so mineware will have to dis­guise or use fresh cryp­to­graph­ic soft­ware rou­tines to avoid detec­tion.

To get a min­er onto a com­put­er, a vic­tim is typ­i­cal­ly tricked into open­ing that old chest­nut of a boo­by-trapped Word or some oth­er Office doc­u­ment. When opened, the mali­cious file down­loads the min­ing soft­ware from online stor­age, and gets to work.

Exploit toolk­its are also get­ting min­ing code to inject into infil­trat­ed sys­tems. The Talos team report­ed that the RIG exploit kit now has a min­er on offer, and one mis­cre­ant was pulling in $85 a day using the sys­tem, which may not sound like much but adds up to $31,000 a year, tax free.

The only sign that a min­er is installed is an increased CPU load on the infect­ed machine, and the occa­sion­al trans­fer of coinage out of the sys­tem. Mis­cre­ants can con­fig­ure their mal­ware to send back mined coins dai­ly, but that increas­es the chance of detec­tion. Leave it too long between deposits, how­ev­er, and all that sneaky coinage could be lost if the infec­tion is spot­ted.

Not all min­ers are as smart as oth­ers. The Talos team found one inept CPU-cycle thief who was installing open-source min­ing code called Nice­Hash Min­er, which is on GitHub. The crook for­got to change the default set­tings in the app, mean­ing that any coinage mined when to the soft­ware’s devel­op­er, not the idiot stick­ing it on oth­er peo­ple’s sys­tems.

Talos rec­om­mends enter­pris­es scan their sys­tems for under­cov­er min­ers and strip them out as soon as pos­si­ble. ®

Spon­sored: Minds Mas­ter­ing Machines — Call for papers now open

Source link