Researchers Find Monero Mining Malware That Hides From Task Manager (#GotBitcoin?)
Cybersecurity company Varonis has discovered a new cryptojacking virus, dubbed “Norman,” that aims to mine the cryptocurrency Monero (XMR) and evade detection. Researchers Find Monero Mining Malware That Hides From Task Manager (#GotBitcoin?)
Varonis published a report about Norman on Aug.14. According to the report, Varonis found Norman as one of many cryptojacking viruses deployed in an attack that infected machines at a mid-size company.
Hackers and cybercriminals deploy cryptojacking hardware to use the computing power of unsuspecting users’ machines to mine cryptocurrencies like the privacy oriented coin Monero.
Norman in particular is a crypto miner based on XMRig, which is described in the report as a high-performance miner for Monero cryptocurrency. One of the key features of Norman is that it will close the crypto mining process in response to a user opening up Task Manager. Then, after Task Manager closes, Norman uses a process to relaunch the miner.
The researchers at Varonis concluded that Norman is based on the PHP programming language and is obfuscated by Zend Guard. The researchers also conjectured that Norman comes from a French-speaking country, due to the presence of French variables and functions within the virus’ code.
Additionally, there are French comments within the self-extracting archive (SFX) file. This indicates, according to the report, that Norman’s creator used a French version of WinRAR to create the SFX file.
Another cybersecurity company uncovered an unsettling update to a strain of XMR mining malware last week. Carbon Black discovered that a type of malware called Smominru is now stealing user data alongside its mining operations.
The firm believes that the stolen data may be sold by hackers on the dark web. In its report, Carbon Black wrote:
“This discovery indicates a bigger trend of commodity malware evolving to mask a darker purpose and will force a change in the way cybersecurity professionals classify, investigate and protect themselves from threats.”
New Malware Swaps Out Crypto Wallet Addresses As You Type Them
A new bit of malware called Masad Stealer can replace wallet addresses as you type them thanks to malicious code injected into your browser. According to Juniper Networks, it also steals:
- PC And System Information
- Credit Card Browser Data
- Browser Passwords
- Installed Software And Processes
- Desktop Files
- Screenshot Of Desktop
- Browser Cookies
- Steam Files
- Autofill Browser Fields
- Discord And Telegram Data
- Filezilla Files
The program dumps this information to the malware controller’s Telegram account, ensuring relative security for the data it steals. It can also clip and change monero, litecoin, zcash, dash and ethereum addresses automatically and uses special search functions to pinpoint these addresses on your clipboard. Once it swaps the addresses it can intercept crypto as its being sent to legitimate wallets.
The particular version of the malware Juniper studied sent crypto to this wallet which currently contains almost a one full bitcoin.
“Based on our telemetry, Masad Stealer’s main distribution vectors are masquerading as a legitimate tool or bundling themselves into third party tools,” wrote the research organization.
“Threat actors achieve end user downloads by advertising in forums, on third party download sites or on file sharing sites.”
The software masquerades as useful-looking software like Tradebot_binance.exe, Galaxy Software Update.exe, and Fortniteaimbot 2019.exe. Once infected, the computer then begins communicating with the command and control Telegram channel and sends back private data.
The malware allegedly costs $40 on the dark web and is completely configurable and very dangerous, said Juniper.
“Juniper Threat Labs believes that Masad Stealer represents an active and ongoing threat.
Command and Control bots are still alive and responding as of this writing, and the malware appears to still be available for purchase on the black market,” wrote the researchers.
New Bitcoin Wallet-Focused Trojan Uncovered By Security Researchers
A new Remote Access Trojan (RAT) malware that steals Bitcoin (BTC) wallet data has been discovered by security researchers, according to a Sept. 12 report from Zscaler ThreatLabZ.
The RAT, dubbed InnfiRAT, is designed to perform a wide range of tasks on the infected machines, including specifically seeking out Bitcoin and Litecoin (LTC) wallet data.
A Multi-Pronged Attack On Infected Systems
As the researchers note, InnfiRAT is written in .NET, a software framework developed by Microsoft and used to develop a wide range of applications.
The malware is designed to access and steals personal data stored on victims’ computers — grabbing browser cookies to steal stored usernames and passwords, as well as session data. It can also take screenshots to steal information from open windows and scour the system for other running applications to target.
Once collected, the data is sent to a command-and-control (C&C) server, requesting further instructions, which can include downloading additional payloads onto the infected system.
Zscaler ThreatLabZ Details How The Rat Is Designed To Retrieve Bitcoin Wallet Data As Follows:
“The Malware Creates An Empty List Of The Bitcoinwallet Type Where Bitcoinwallet Has Two Keys, Namely:
A Check Is Performed To See If A File For A Litecoin Or Bitcoin Wallet Is Present In The System At The Following Location:
If it is found, then the element of type BitcoinWallet is added to the list after assigning a name to the WalletName key and reading the corresponding wallet file in the WalletArray key.
Finally, the created list is sent in response to the C&C server.”
Caution Against Untrusted Sources
In conclusion, the security researchers warn of the prevalence of RATs such as InnfiRAT, which can be designed to not only to access and steal confidential data but also to log keystrokes, activate a system’s webcam, format drives and spread to other systems on a given network.
They note that systems are usually infected by a RAT by downloading infected applications or email attachments, warning users not to download programs or open attachments from unknown sources.
As reported this summer, Zscaler ThreatLabZ had previously published its discovery of another RAT called Saefko, also written in .NET and designed to retrieve browser history and look for activities including cryptocurrency transactions.
Zcash Bug Could Reveal Shielded Full Nodes’ IP Addresses
A bug in all Zcash (ZEC) implementations and most of its forks could leak metadata containing the full nodes’ with shielded addresses (zaddr) IPs.
Komodo (KMD) core developer Duke Leto disclosed the bug in a blog post published on his personal website. A Common Vulnerabilities and Exposures (CVE) code has already been assigned to track the issue on Sept. 27. Leto explained:
“A bug has existed for all shielded addresses since the inception of Zcash and Zcash Protocol. It is present in all Zcash source code forks. It is possible to find the IP address of full nodes who own a shielded address (zaddr). That is, Alice giving Bob a zaddr to be paid, could actually allow Bob to discover Alice’s IP address. This is drastically against the design of Zcash Protocol.”
Per the announcement, everyone who published their zaddr or provided it to a third party could be affected by the vulnerability. Leto claims that users should consider their “IP address and geo-location information associated with it as tied to […] zaddr.”
Multiple Cryptocurrencies Affected
According to Leto, users who never used a zaddr, only used it over the Tor Onion Routing network or only to send funds, are not affected. Furthermore, Leto also claims that Zcash is not the only cryptocurrency affected and provides a non-exhaustive list.
The cryptocurrencies included in the list are Zcash, Hush, Pirate, Komodo smart chains with zaddr enabled by default, Safecoin, Horizen, Zero, VoteCoin, Snowgem, BitcoinZ, LitecoinZ, Zelcash, Ycash, Arrow, Verus, Bitcoin Private, ZClassic and Anon. Leto also points out that Komodo has already disabled the shielded addresses feature and transitioned it to the Pirate chain, which means that KMD no longer contains the bug.
As Cointelegraph recently reported, Electric Coin Company, which launched and supports the development of privacy-coin Zcash, recently published a paper describing a trustless cryptographic system called Halo.
$160 Malware Botnet Tries To Steal Crypto From 72,000 Devices
Around 72,000 devices in 2019 alone were infected during a suspiciously cheap yet successful malware campaign to steal cryptocurrency, new data warns.
Mastermana Continues To Spread
According to the research report published by cyberintelligence company Prevailion on Oct. 2, the MasterMana botnet uses budget Russian malware that is delivered as a Trojan via a phishing email scam.
The malware itself likely costs just $100, though the hackers also required a virtual public server at a cost of $60.
Despite costing just around $160 in total, MasterMana achieved considerable success, Prevailion warned, concluding that the bad actors behind it reached 2,000 devices each week since December 2018. The researchers noted:
“This campaign’s threat actors saw an opportunity and appear to have carved out a nice niche for themselves. We suspect that this particular threat actor is likely to continue operations, as previous public reporting has not deterred them, therefore we wanted to highlight their new modus operandi, so that network defenders may more easily identify their operations.”
Threats Abound For Crypto Users
The malware works by arriving as an infected document in a phishing email. If a user opens the document, it would trigger a series of events which would create backdoors to steal any cryptocurrency holdings in associated hot wallets.
The resurgence in the price of cryptocurrencies this year has led to new threats being detected on an almost weekly basis.
Just last week, cybersecurity experts warned about a new spyware which used encrypted messenger Telegram to replace user wallet addresses with its own.
Recently, major Slovakia-based antivirus software provider ESET has discovered a banking trojan that can steal cryptocurrencies and is especially widespread in Latin America.
As Cointelegraph reported, estimates put the total amount raised by cybercriminals this year at $4.3 billion.
HackerOne User Reveals Critical Bug Through MakerDAO Bounty Program
MakerDAO, the decentralized organization that runs on Ethereum, has fixed a critical bug that could have resulted in a complete loss of funds for all Dai users.
On Oct. 1 HackerOne user lucash-dev disclosed a report that revealed a critical bug in MakerDAO’s planned Multi-Collateral Dai (MCD) upgrade. The bug could have allowed an attacker to steal all of the collateral stored in the MCD system – possibly within a single transaction, Lucash-dev said.
The bug was caught during the testing phase of the MCD upgrade and before any users had access to the system.
The report reveals that the attack was possible due to a complete lack of access control in a MakerDAO smart contract. The report reads:
“A lack of validation in the method flip.kick allows an attacker to create an auction with a fake bid value. Since the end contract trusts that value, it can be exploited to issue any amount of free Dai during liquidation. That Dai can then be immediately used to obtain all collateral stored in the end contract.”
Lucash-dev reported the security flaw via the HackerOne forum and received a $50,000 bounty from MakerDAO’s bounty program which was the first critical finding in the program.
MakerDAO Gives Grant To Freelance Employment Platform
Cointelegraph reported in September that blockchain-based employment platform Opolis received a developer grant from MakerDAO, which will allow them to bring MakerDao’s stablecoin DAI to Opolis’ blockchain-based employment platform for freelancers.
Richard Brown, head of community development at MakerDAO, explained that while the freelance and gig economy offers freedom to many, it does not come without its downsides, and added:
“Maker is looking forward to seeing how Dai can help de-risk this emerging workforce.”
N. Korean Hackers’ New MacOS Malware Hides Behind Fake Crypto Firm
The notorious North Korean hackers known as the Lazarus APT Group have created another malware targeting Apple Macs that masquerades behind a fake cryptocurrency firm.
Apple Mac security specialist and principal security researcher at Jamf Patrick Wardle published a blog post on Oct. 12 outlining the nature of the malware, revealed by MalwareHunterTeam (MHT) researchers the previous day.
Closely Related To Earlier Macos Crypto-Malware
MHT and Wardle have warned that at the time of their warning, the malware was undetected by any engines on VirusTotal and that the sample appears to be closely related to a strain of Mac malware created by the Lazarus Group and identified by Kaspersky Labs back in summer 2018.
Like the previous strain, the hackers have set up a fake cryptocurrency firm — this time dubbed “JMT Trading” — through which to perpetrate their attack. Having written an open-source cryptocurrency trading app, they uploaded its code on GitHub, concealing the malware within it.
Wardle analyzed the installation process for the app, identifying the suspicious package and launch daemon concealed within it and analyzing the malicious functionality of the hackers’ backdoor script.
While the backdoor affords a remote attacker complete command and control over infected macOS systems, Wardle notes that open-source security tools and manual detection processes by alerted users should have no issue detecting the malware. However, he reiterated his warning that VirusTotal engines were not picking it up at the time of writing.
He also considers that the most likely targets of the malware are crypto exchange employees, rather than everyday retail investors.
As reported, the allegedly North Korean state-sponsored Lazarus Group has achieved infamy for its malign activities. As of fall 2018, the group was estimated to have stolen a staggering $571 million in cryptocurrencies since early 2017 and was accused of involvement in the industry record-breaking $532 million NEM hack of Japanese exchange Coincheck.
This September, Anne Neuberger — director of the United States’ National Security Agency (NSA) Cybersecurity Directorate — singled out North Korea as being particularly creative in its cyber warfare strategy, pointing to the rogue state’s alleged use of cryptocurrency to compile funds for President Kim Jong-Un’s regime.
Hackers Use Malicious Code in WAV Audio Files To Mine Cryptocurrencies
Threat researchers have discovered malicious code in WAV audio files, code that hackers use to mine cryptocurrencies.
Hackers Earn Thousand Of Dollars Per Month
On Oct. 16, researchers at BlackBerry Cylance, a software company that develops anti-virus programs, reported the discovery of malicious code hidden within WAV audio files. This type of malware campaign, where hackers conceal malware codes in ordinary-looking files, is known as steganography.
The analysis showed that some of the WAV files contained code to deploy malware for financial gain and establish remote access within the victim machine. The report reads:
“When played, some of the WAV files produced music that had no discernible quality issues or glitches. Others simply generated static (white noise).”
The malicious WAV files allow hackers to deploy CPU miners onto the victim’s device, which steals processing resources and generates thousands of dollars per month from mining cryptocurrency. For that reason, crypto miners are a popular malware payload amongst hackers as they provide financial benefit while operating in the background without the user’s knowledge — an attack commonly called crypto-jacking.
North Korean Hackers Target Apple Macs
Cointelegraph previously reported that the notorious North Korean hackers known as the Lazarus APT Group have created another malware that targets Apple Macs and hides behind a fake cryptocurrency firm. Researchers said that at the time of their warning, the malware was undetected by any engines on VirusTotal. The sample appeared to be closely related to a strain of Mac malware identified by Kaspersky Labs back in summer 2018.
Fake Tor Browser Steals Bitcoin From Darknet Users, Warns ESET
Major antivirus software supplier ESET has discovered a trojanized Tor Browser designed to steal Bitcoin (BTC) from buyers in the darknet.
Fake Browser Distributed Via 2 Websites
Targeting users in Russia, the fake Tor Browser was distributed via two websites and has been stealing crypto from darknet shoppers by swapping the original crypto addresses since 2017, ESET’s editorial division WeLiveSecurity reported Oct. 18.
Created back in 2014, the two fake Tor Browser websites — tor-browser[.]org and torproect[.]org — are mimicking the real website of the anonymous browser, torproject.org.
According to the Slovakian software security firm, these websites display a message that users have an outdated version of Tor Browser even if they have the most up-to-date Tor Browser version, offering to download the fake version containing malware.
Over $40,000 Stolen In Bitcoin
According to the firm, the newly discovered malware has been distributed for Windows, while there are no signs that the same websites have distributed Linux, macOS or mobile versions.
After being installed, the malicious Tor Browser automatically swaps users’ crypto addresses to the addresses controlled by criminals.
According to ESET, the total amount of received funds for all three wallets allegedly involved in the campaign accounted for 4.8 Bitcoin so far. One of the reported wallets contains 2.66 BTC at press time with the latest transaction in September 2019.
In addition to Bitcoin, the campaign has also been stealing money by altering QIWI wallets, the firm said.
In early October, ESET flagged another form of malware stealing crypto from users. Called “Casbaneiro” or “Metamorfo,” the banking trojan targets banks and crypto services located in Brazil and Mexico and has allegedly stolen 1.2 BTC to date.
Meanwhile, Tor Browser users have already been warned about potential money losses due to security breaches. In mid-September, Finnish peer-to-peer crypto exchange LocalBitcoins warned Tor users about the risks of using Tor Browser, claiming that Tor Browser exposes them to the risks of having their Bitcoin stolen.
Zcash Community Discovers Likely Malicious Fake Version of ZecWallet
Members of the Zcash (ZEC) community have discovered a suspicious and potentially malicious counterfeit version of Zcash Foundation’s native ZecWallet.
According to a Twitter post published on Oct. 20 and retweeted by Zcash developer Electric Coin Company, the fake ZecWallet likely contains malware. The tweet reads:
“PSA to all Zcash users! There is a fake version of ZecWallet that likely contains malware (size and checksum is different) double check you are downloading from official @zecwallet repo on GitHub: https://github.com/ZcashFoundation/zecwallet”
As Cointelegraph reported on Sept. 29, a bug was found in all Zcash implementations and most of its forks that could leak metadata containing the full nodes’ with shielded addresses IPs.
On Oct. 18, major antivirus software supplier ESET has discovered a “trojanized” version of Tor Browser designed to steal Bitcoin (BTC) from buyers in the darknet.
Targeting users in Russia, the fake Tor Browser was distributed via two websites and has been stealing crypto from darknet shoppers by swapping the original crypto addresses since 2017.
Earlier in October, ESET also flagged another form of malware stealing crypto from users. Called “Casbaneiro” or “Metamorfo,” the banking trojan targeted banks and crypto services located in Brazil and Mexico and has allegedly stolen 1.2 BTC at the time.
Researchers Find Monero Mining,Researchers Find Monero Mining,Researchers Find Monero Mining,Researchers Find Monero Mining,Researchers Find Monero Mining,Researchers Find Monero Mining,Researchers Find Monero Mining,Researchers Find Monero Mining,Researchers Find Monero Mining,Researchers Find Monero Mining,Researchers Find Monero Mining