Researchers Find Monero Mining Malware That Hides From Task Manager (#GotBitcoin?)
Cybersecurity company Varonis has discovered a new cryptojacking virus, dubbed “Norman,” that aims to mine the cryptocurrency Monero (XMR) and evade detection. Researchers Find Monero Mining Malware That Hides From Task Manager (#GotBitcoin?)
Varonis published a report about Norman on Aug.14. According to the report, Varonis found Norman as one of many cryptojacking viruses deployed in an attack that infected machines at a mid-size company.
Hackers and cybercriminals deploy cryptojacking hardware to use the computing power of unsuspecting users’ machines to mine cryptocurrencies like the privacy oriented coin Monero.
Norman in particular is a crypto miner based on XMRig, which is described in the report as a high-performance miner for Monero cryptocurrency. One of the key features of Norman is that it will close the crypto mining process in response to a user opening up Task Manager. Then, after Task Manager closes, Norman uses a process to relaunch the miner.
The researchers at Varonis concluded that Norman is based on the PHP programming language and is obfuscated by Zend Guard. The researchers also conjectured that Norman comes from a French-speaking country, due to the presence of French variables and functions within the virus’ code.
Additionally, there are French comments within the self-extracting archive (SFX) file. This indicates, according to the report, that Norman’s creator used a French version of WinRAR to create the SFX file.
Another cybersecurity company uncovered an unsettling update to a strain of XMR mining malware last week. Carbon Black discovered that a type of malware called Smominru is now stealing user data alongside its mining operations.
The firm believes that the stolen data may be sold by hackers on the dark web. In its report, Carbon Black wrote:
“This discovery indicates a bigger trend of commodity malware evolving to mask a darker purpose and will force a change in the way cybersecurity professionals classify, investigate and protect themselves from threats.”
New Malware Swaps Out Crypto Wallet Addresses As You Type Them
A new bit of malware called Masad Stealer can replace wallet addresses as you type them thanks to malicious code injected into your browser. According to Juniper Networks, it also steals:
- PC And System Information
- Credit Card Browser Data
- Browser Passwords
- Installed Software And Processes
- Desktop Files
- Screenshot Of Desktop
- Browser Cookies
- Steam Files
- Autofill Browser Fields
- Discord And Telegram Data
- Filezilla Files
The program dumps this information to the malware controller’s Telegram account, ensuring relative security for the data it steals. It can also clip and change monero, litecoin, zcash, dash and ethereum addresses automatically and uses special search functions to pinpoint these addresses on your clipboard. Once it swaps the addresses it can intercept crypto as its being sent to legitimate wallets.
The particular version of the malware Juniper studied sent crypto to this wallet which currently contains almost a one full bitcoin.
“Based on our telemetry, Masad Stealer’s main distribution vectors are masquerading as a legitimate tool or bundling themselves into third party tools,” wrote the research organization.
“Threat actors achieve end user downloads by advertising in forums, on third party download sites or on file sharing sites.”
The software masquerades as useful-looking software like Tradebot_binance.exe, Galaxy Software Update.exe, and Fortniteaimbot 2019.exe. Once infected, the computer then begins communicating with the command and control Telegram channel and sends back private data.
The malware allegedly costs $40 on the dark web and is completely configurable and very dangerous, said Juniper.
“Juniper Threat Labs believes that Masad Stealer represents an active and ongoing threat.
Command and Control bots are still alive and responding as of this writing, and the malware appears to still be available for purchase on the black market,” wrote the researchers.
New Bitcoin Wallet-Focused Trojan Uncovered By Security Researchers
A new Remote Access Trojan (RAT) malware that steals Bitcoin (BTC) wallet data has been discovered by security researchers, according to a Sept. 12 report from Zscaler ThreatLabZ.
The RAT, dubbed InnfiRAT, is designed to perform a wide range of tasks on the infected machines, including specifically seeking out Bitcoin and Litecoin (LTC) wallet data.
A Multi-Pronged Attack On Infected Systems
As the researchers note, InnfiRAT is written in .NET, a software framework developed by Microsoft and used to develop a wide range of applications.
The malware is designed to access and steals personal data stored on victims’ computers — grabbing browser cookies to steal stored usernames and passwords, as well as session data. It can also take screenshots to steal information from open windows and scour the system for other running applications to target.
Once collected, the data is sent to a command-and-control (C&C) server, requesting further instructions, which can include downloading additional payloads onto the infected system.
Zscaler ThreatLabZ Details How The Rat Is Designed To Retrieve Bitcoin Wallet Data As Follows:
“The Malware Creates An Empty List Of The Bitcoinwallet Type Where Bitcoinwallet Has Two Keys, Namely:
A Check Is Performed To See If A File For A Litecoin Or Bitcoin Wallet Is Present In The System At The Following Location:
If it is found, then the element of type BitcoinWallet is added to the list after assigning a name to the WalletName key and reading the corresponding wallet file in the WalletArray key.
Finally, the created list is sent in response to the C&C server.”
Caution Against Untrusted Sources
In conclusion, the security researchers warn of the prevalence of RATs such as InnfiRAT, which can be designed to not only to access and steal confidential data but also to log keystrokes, activate a system’s webcam, format drives and spread to other systems on a given network.
They note that systems are usually infected by a RAT by downloading infected applications or email attachments, warning users not to download programs or open attachments from unknown sources.
As reported this summer, Zscaler ThreatLabZ had previously published its discovery of another RAT called Saefko, also written in .NET and designed to retrieve browser history and look for activities including cryptocurrency transactions.
Zcash Bug Could Reveal Shielded Full Nodes’ IP Addresses
A bug in all Zcash (ZEC) implementations and most of its forks could leak metadata containing the full nodes’ with shielded addresses (zaddr) IPs.
Komodo (KMD) core developer Duke Leto disclosed the bug in a blog post published on his personal website. A Common Vulnerabilities and Exposures (CVE) code has already been assigned to track the issue on Sept. 27. Leto explained:
“A bug has existed for all shielded addresses since the inception of Zcash and Zcash Protocol. It is present in all Zcash source code forks. It is possible to find the IP address of full nodes who own a shielded address (zaddr). That is, Alice giving Bob a zaddr to be paid, could actually allow Bob to discover Alice’s IP address. This is drastically against the design of Zcash Protocol.”
Per the announcement, everyone who published their zaddr or provided it to a third party could be affected by the vulnerability. Leto claims that users should consider their “IP address and geo-location information associated with it as tied to […] zaddr.”
Multiple Cryptocurrencies Affected
According to Leto, users who never used a zaddr, only used it over the Tor Onion Routing network or only to send funds, are not affected. Furthermore, Leto also claims that Zcash is not the only cryptocurrency affected and provides a non-exhaustive list.
The cryptocurrencies included in the list are Zcash, Hush, Pirate, Komodo smart chains with zaddr enabled by default, Safecoin, Horizen, Zero, VoteCoin, Snowgem, BitcoinZ, LitecoinZ, Zelcash, Ycash, Arrow, Verus, Bitcoin Private, ZClassic and Anon. Leto also points out that Komodo has already disabled the shielded addresses feature and transitioned it to the Pirate chain, which means that KMD no longer contains the bug.
As Cointelegraph recently reported, Electric Coin Company, which launched and supports the development of privacy-coin Zcash, recently published a paper describing a trustless cryptographic system called Halo.
$160 Malware Botnet Tries To Steal Crypto From 72,000 Devices
Around 72,000 devices in 2019 alone were infected during a suspiciously cheap yet successful malware campaign to steal cryptocurrency, new data warns.
Mastermana Continues To Spread
According to the research report published by cyberintelligence company Prevailion on Oct. 2, the MasterMana botnet uses budget Russian malware that is delivered as a Trojan via a phishing email scam.
The malware itself likely costs just $100, though the hackers also required a virtual public server at a cost of $60.
Despite costing just around $160 in total, MasterMana achieved considerable success, Prevailion warned, concluding that the bad actors behind it reached 2,000 devices each week since December 2018. The researchers noted:
“This campaign’s threat actors saw an opportunity and appear to have carved out a nice niche for themselves. We suspect that this particular threat actor is likely to continue operations, as previous public reporting has not deterred them, therefore we wanted to highlight their new modus operandi, so that network defenders may more easily identify their operations.”
Threats Abound For Crypto Users
The malware works by arriving as an infected document in a phishing email. If a user opens the document, it would trigger a series of events which would create backdoors to steal any cryptocurrency holdings in associated hot wallets.
The resurgence in the price of cryptocurrencies this year has led to new threats being detected on an almost weekly basis.
Just last week, cybersecurity experts warned about a new spyware which used encrypted messenger Telegram to replace user wallet addresses with its own.
Recently, major Slovakia-based antivirus software provider ESET has discovered a banking trojan that can steal cryptocurrencies and is especially widespread in Latin America.
As Cointelegraph reported, estimates put the total amount raised by cybercriminals this year at $4.3 billion.
HackerOne User Reveals Critical Bug Through MakerDAO Bounty Program
MakerDAO, the decentralized organization that runs on Ethereum, has fixed a critical bug that could have resulted in a complete loss of funds for all Dai users.
On Oct. 1 HackerOne user lucash-dev disclosed a report that revealed a critical bug in MakerDAO’s planned Multi-Collateral Dai (MCD) upgrade. The bug could have allowed an attacker to steal all of the collateral stored in the MCD system – possibly within a single transaction, Lucash-dev said.
The bug was caught during the testing phase of the MCD upgrade and before any users had access to the system.
The report reveals that the attack was possible due to a complete lack of access control in a MakerDAO smart contract. The report reads:
“A lack of validation in the method flip.kick allows an attacker to create an auction with a fake bid value. Since the end contract trusts that value, it can be exploited to issue any amount of free Dai during liquidation. That Dai can then be immediately used to obtain all collateral stored in the end contract.”
Lucash-dev reported the security flaw via the HackerOne forum and received a $50,000 bounty from MakerDAO’s bounty program which was the first critical finding in the program.
MakerDAO Gives Grant To Freelance Employment Platform
Cointelegraph reported in September that blockchain-based employment platform Opolis received a developer grant from MakerDAO, which will allow them to bring MakerDao’s stablecoin DAI to Opolis’ blockchain-based employment platform for freelancers.
Richard Brown, head of community development at MakerDAO, explained that while the freelance and gig economy offers freedom to many, it does not come without its downsides, and added:
“Maker is looking forward to seeing how Dai can help de-risk this emerging workforce.”
N. Korean Hackers’ New MacOS Malware Hides Behind Fake Crypto Firm
The notorious North Korean hackers known as the Lazarus APT Group have created another malware targeting Apple Macs that masquerades behind a fake cryptocurrency firm.
Apple Mac security specialist and principal security researcher at Jamf Patrick Wardle published a blog post on Oct. 12 outlining the nature of the malware, revealed by MalwareHunterTeam (MHT) researchers the previous day.
Closely Related To Earlier Macos Crypto-Malware
MHT and Wardle have warned that at the time of their warning, the malware was undetected by any engines on VirusTotal and that the sample appears to be closely related to a strain of Mac malware created by the Lazarus Group and identified by Kaspersky Labs back in summer 2018.
Like the previous strain, the hackers have set up a fake cryptocurrency firm — this time dubbed “JMT Trading” — through which to perpetrate their attack. Having written an open-source cryptocurrency trading app, they uploaded its code on GitHub, concealing the malware within it.
Wardle analyzed the installation process for the app, identifying the suspicious package and launch daemon concealed within it and analyzing the malicious functionality of the hackers’ backdoor script.
While the backdoor affords a remote attacker complete command and control over infected macOS systems, Wardle notes that open-source security tools and manual detection processes by alerted users should have no issue detecting the malware. However, he reiterated his warning that VirusTotal engines were not picking it up at the time of writing.
He also considers that the most likely targets of the malware are crypto exchange employees, rather than everyday retail investors.
As reported, the allegedly North Korean state-sponsored Lazarus Group has achieved infamy for its malign activities. As of fall 2018, the group was estimated to have stolen a staggering $571 million in cryptocurrencies since early 2017 and was accused of involvement in the industry record-breaking $532 million NEM hack of Japanese exchange Coincheck.
This September, Anne Neuberger — director of the United States’ National Security Agency (NSA) Cybersecurity Directorate — singled out North Korea as being particularly creative in its cyber warfare strategy, pointing to the rogue state’s alleged use of cryptocurrency to compile funds for President Kim Jong-Un’s regime.
Hackers Use Malicious Code in WAV Audio Files To Mine Cryptocurrencies
Threat researchers have discovered malicious code in WAV audio files, code that hackers use to mine cryptocurrencies.
Hackers Earn Thousand Of Dollars Per Month
On Oct. 16, researchers at BlackBerry Cylance, a software company that develops anti-virus programs, reported the discovery of malicious code hidden within WAV audio files. This type of malware campaign, where hackers conceal malware codes in ordinary-looking files, is known as steganography.
The analysis showed that some of the WAV files contained code to deploy malware for financial gain and establish remote access within the victim machine. The report reads:
“When played, some of the WAV files produced music that had no discernible quality issues or glitches. Others simply generated static (white noise).”
The malicious WAV files allow hackers to deploy CPU miners onto the victim’s device, which steals processing resources and generates thousands of dollars per month from mining cryptocurrency. For that reason, crypto miners are a popular malware payload amongst hackers as they provide financial benefit while operating in the background without the user’s knowledge — an attack commonly called crypto-jacking.
North Korean Hackers Target Apple Macs
Cointelegraph previously reported that the notorious North Korean hackers known as the Lazarus APT Group have created another malware that targets Apple Macs and hides behind a fake cryptocurrency firm. Researchers said that at the time of their warning, the malware was undetected by any engines on VirusTotal. The sample appeared to be closely related to a strain of Mac malware identified by Kaspersky Labs back in summer 2018.
Fake Tor Browser Steals Bitcoin From Darknet Users, Warns ESET
Major antivirus software supplier ESET has discovered a trojanized Tor Browser designed to steal Bitcoin (BTC) from buyers in the darknet.
Fake Browser Distributed Via 2 Websites
Targeting users in Russia, the fake Tor Browser was distributed via two websites and has been stealing crypto from darknet shoppers by swapping the original crypto addresses since 2017, ESET’s editorial division WeLiveSecurity reported Oct. 18.
Created back in 2014, the two fake Tor Browser websites — tor-browser[.]org and torproect[.]org — are mimicking the real website of the anonymous browser, torproject.org.
According to the Slovakian software security firm, these websites display a message that users have an outdated version of Tor Browser even if they have the most up-to-date Tor Browser version, offering to download the fake version containing malware.
Over $40,000 Stolen In Bitcoin
According to the firm, the newly discovered malware has been distributed for Windows, while there are no signs that the same websites have distributed Linux, macOS or mobile versions.
After being installed, the malicious Tor Browser automatically swaps users’ crypto addresses to the addresses controlled by criminals.
According to ESET, the total amount of received funds for all three wallets allegedly involved in the campaign accounted for 4.8 Bitcoin so far. One of the reported wallets contains 2.66 BTC at press time with the latest transaction in September 2019.
In addition to Bitcoin, the campaign has also been stealing money by altering QIWI wallets, the firm said.
In early October, ESET flagged another form of malware stealing crypto from users. Called “Casbaneiro” or “Metamorfo,” the banking trojan targets banks and crypto services located in Brazil and Mexico and has allegedly stolen 1.2 BTC to date.
Meanwhile, Tor Browser users have already been warned about potential money losses due to security breaches. In mid-September, Finnish peer-to-peer crypto exchange LocalBitcoins warned Tor users about the risks of using Tor Browser, claiming that Tor Browser exposes them to the risks of having their Bitcoin stolen.
Zcash Community Discovers Likely Malicious Fake Version of ZecWallet
Members of the Zcash (ZEC) community have discovered a suspicious and potentially malicious counterfeit version of Zcash Foundation’s native ZecWallet.
According to a Twitter post published on Oct. 20 and retweeted by Zcash developer Electric Coin Company, the fake ZecWallet likely contains malware. The tweet reads:
“PSA to all Zcash users! There is a fake version of ZecWallet that likely contains malware (size and checksum is different) double check you are downloading from official @zecwallet repo on GitHub: https://github.com/ZcashFoundation/zecwallet”
As Cointelegraph reported on Sept. 29, a bug was found in all Zcash implementations and most of its forks that could leak metadata containing the full nodes’ with shielded addresses IPs.
On Oct. 18, major antivirus software supplier ESET has discovered a “trojanized” version of Tor Browser designed to steal Bitcoin (BTC) from buyers in the darknet.
Targeting users in Russia, the fake Tor Browser was distributed via two websites and has been stealing crypto from darknet shoppers by swapping the original crypto addresses since 2017.
Earlier in October, ESET also flagged another form of malware stealing crypto from users. Called “Casbaneiro” or “Metamorfo,” the banking trojan targeted banks and crypto services located in Brazil and Mexico and has allegedly stolen 1.2 BTC at the time.
Malware on Official Monero Website Can Steal Crypto: Investigator
The software available for download on Monero’s (XMR) official website was compromised to steal cryptocurrency, according to a Nov. 19 Reddit post published by the coin’s core development team.
The command-line interface (CLI) tools available at getmonero.org may have been compromised over the last 24 hours. In the announcement, the team notes that the hash of the binaries available for download did not match the expected hashes.
The Software Was Malicious
On GitHub, a professional investigator going by the name of Serhack said that the software distributed after the server was compromised is indeed malicious, stating:
“I can confirm that the malicious binary is stealing coins. Roughly 9 hours after I ran the binary a single transaction drained the wallet. I downloaded the build yesterday around 6pm Pacific time.”
An Important Security Practice
Hashes are non-reversible mathematical functions which, in this case, are used to generate an alphanumeric string from a file that would have been different if someone was to make changes to the file.
It is a popular practice in the open-source community to save the hash generated from software available for download and keep it on a separate server. Thanks to this measure, users are able to generate a hash from the file they downloaded and check it against the expected one.
If the hash generated from the downloaded file is different, then it is likely that the version distributed by the server has been replaced — possibly with a malicious variant. The Reddit announcement reads:
“It appears the box has been indeed compromised and different CLI binaries served for 35 minutes. Downloads are now served from a safe fallback source. […] If you downloaded binaries in the last 24h, and did not check the integrity of the files, do it immediately. If the hashes do not match, do NOT run what you downloaded.”
In general, blockchain development communities are vigilant in tracking possible vulnerabilities and maintaining network integrity.
In mid-September, the developer of Ethereum decentralized exchange protocol AirSwap’s developers announced a different important development for their project’s security. More precisely, they revealed the discovery of a critical vulnerability in the system’s new smart contract.
In order to incentivize network integrity, some organizations have founded bounty programs that reward so-called white-hack hackers for exposing vulnerabilities.
Cyber Criminals Are Using YouTube To Install Cryptojacking Malware
Slovakian software security firm Eset has uncovered that cyber criminals behind the Stantinko botnet have been distributing a Monero (XMR) cryptocurrency mining module via Youtube.
On Nov. 26, the major antivirus software supplier Eset reported that the Stantinko botnet operators have expanded their criminal reach from click fraud, ad injection, social network fraud and password stealing attacks, into installing crypto malware on victims’ devices using Youtube.
Stantinko Botnet Has Been Active Since At Least 2012
The Stantinko botnet, which has been active since at least 2012 and predominantly targets users in Russia, Ukraine, Belarus and Kazakhstan, reportedly uses YouTube channels to distribute its cryptojacking module, which mines the privacy-focused crypto coin Monero on the CPUs of unsuspecting victims.
This cryptocurrency-stealing malware has reportedly infected around 500,000 devices, and is similar to the recently discovered malicious malware, Dexphot, malware discovered by Microsoft that has already infected more than 80,000 computers.
These crypto-hijacking codes steal processing resources, take over legitimate system processes and disguise the nefarious activity with the ultimate goal of running a crypto miner on the infected devices.
Eset informed YouTube, which reportedly responded by removing all the channels that contained traces of Stantinko’s code.
Malware On Monero’s Official Website Was Stealing Crypto
In November, Monero’s core development team said that the software available for download on Monero’s official website might have been compromised to steal cryptocurrency. A professional investigator going by the name of Serhack confirmed that the software distributed after the server was compromised was indeed malicious:
“I can confirm that the malicious binary is stealing coins. Roughly 9 hours after I ran the binary a single transaction drained the wallet. I downloaded the build yesterday around 6pm Pacific time.”
Researchers Detect New North Korea-Linked MacOS Malware on Crypto Trading Site
Security researchers have discovered a new cryptocurrency-related macOS malware believed to be the product of North Korean hackers at the Lazarus Group.
As tech-focused publication Bleeping Computer reported on Dec. 4, malware researcher Dinesh Devadoss encountered a malicious software on a website called “unioncrypto.vip,” that advertised a “smart cryptocurrency arbitrage trading platform.” The website did not cite any download links, but hosted a malware package under the name “UnionCryptoTrader.”
Linkage To North Korean Hackers
According to the researchers, the malware can retrieve a payload from a remote location and run it in memory, which is not common for macOS, but more typical for Windows. This feature makes it difficult to detect the malware and carry out forensic analysis. Per VirusTotal, an online service for analyzing and detecting viruses and malware, only 10 antivirus engines flagged it as malicious at press time.
After conducting an analysis of the newly detected malware, security researcher Patrick Wardle determined “clear overlaps” with malware found by MalwareHunterTeam in mid-October, which purportedly led to the Lazarus group. At the time, the researchers detected that Lazarus had created another malware targeting Apple Macs that masquerades behind a fake cryptocurrency firm.
Recent North Korea-related Developments
In recent months, there has been plenty of news about North Korea-related developments. In late November, United States prosecutors announced the arrest of Virgil Griffith, who allegedly traveled to North Korea to deliver a presentation on how to use crypto and blockchain technology to circumvent sanctions.
Following the arrest, Ethereum (ETH) co-founder Vitalik Buterin declared his solidarity with Virgil Griffith, having supported a petition to free the blockchain developer.
The United Nations Security Council’s Sanctions Committee on North Korea accused the country of using a Hong Kong-based blockchain firm as a front to launder money.
Texas-Based Data Center CyrusOne Hit by Ransomware Attack
Texas-based data center provider CyrusOne has reportedly fallen victim to an attack from REvil (Sodinokibi) ransomware, business tech-focused publication ZDNet reported on Dec. 5.
One of the largest data centers in the United States, CyrusOne has reportedly been exposed to an attack by a variant of the REvil (Sodinokibi) ransomware, which previously hit a number of service providers, local governments and businesses in the country.
The Scope Of The Attack
In An Email To Cointelegraph, CyrusOne Confirmed:
“Six of our managed service customers, located primarily in our New York data center, have experienced availability issues due to a ransomware program encrypting certain devices in their network.”
The firm went on to assure viewers that law enforcement was working on the matter and that their “data center colocation services, including IX and IP Network Services, are not involved in this incident.”
Per the ransom note obtained by ZDNet, the attackers targeted CyrusOne’s network, with the sole objective of receiving a ransom. Those behind the attack claimed in the note that they consider the attack nothing more than a business transaction, aimed exclusively at profiting.
In the event the company does not cooperate with the attackers, it will purportedly lose the affected data as the cybercriminals claim to have the private key.
To Pay Or Not To Pay?
This spring, Riviera Beach, Florida, was hit by a hacker attack, in which the hackers allegedly encrypted government records, blocking access to critical information and leaving the city without an ability to accept utility payments other than in person or by regular mail. The city council eventually agreed to pay nearly $600,000 worth of Bitcoin (BTC) to regain access to data encrypted in the attack.
In late October, hackers compromised the website of the city of Johannesburg, South Africa, and demanded ransom in Bitcoin. The breach affected several customer-facing systems — hardware or software customers interact with directly, such as user interfaces and help desks. The city authorities refused to pay the ransom.
Meanwhile, a number of Finnish cities and organizations are rehearsing how to respond when a group of hackers demands the participants pay ransomware during a series of simulated cyberattacks.
Monero Malware Botnet Lurks Behind Taylor Swift JPEGs
Researchers have published a new report on what they deem to be a “relentless” crypto mining botnet that lurks behind seemingly innocuous content such as JPEG images of Taylor Swift.
The botnet — best known as MyKings (alternatively as DarkCloud or Smominru) — has been active since 2016, according to a Dec. 18 news release from Gabor Szappanos at SophosLabs.
While all “underpatched, low-hanging fruit” on the internet — to use Sophos’ phrasing — has long been vulnerable to its attacks, recently the actors behind MyKings have allegedly added bootkit functionality, which makes it all the more resistant to detection and effective removal.
$3M In Monero Illicitly Mined Via MyKings To Date
SophosLabs’ report provides a full overview of the botnet’s operations, which Szappanos characterizes as a “relentlessly redundant [i.e. repetitive] attacker” that attacks mostly Windows-based services that hosts database management systems such as MqSQL and MS-SQL, network protocols such as Telnet, and even servers running CCTV camera storage.
The report notes that the botnet’s creators appear to prefer to use open source or other public domain software and are highly skilled at customizing and enhancing source code to insert custom components that can execute attacks and perform automated update processes.
The botnet launches a series of attacks against a server with the aim of delivering a malware executable, frequently a Trojan dubbed “Forshare,” which was found to be the most common payload on infected servers.
Forshare is used to ensure that various different Monero (XMR) cryptominers run on the targeted hardware, with SophosLabs’ estimating that the botnet operators have earned roughly $3 million in Monero to date. This translates into a current income of around $300 per day, due to the cryptocurrency’s recently lower relative valuation.
Not What She Seems
In the studied example — an imperceptibly modified image of the pop star Taylor Swift — SophosLabs explains that the .jpg photo had been uploaded to a public repository, concealing within it an executable that would automatically update the botnet when downloaded.
SophosLabs’ research reveals the sophisticated nature of MyKings’ persistence mechanism, which perpetuates itself through aggressive repetition and self-updating procedures using multiple command combinations.
“Even if most of the components of the botnet are removed from the computer, the remaining ones have the capability to restore it to full strength simply by updating themselves. All of this is orchestrated using self-extracting RAR archives and Windows batch files.”
The report indicates that the countries with the highest number of infected hosts are currently China, Taiwan, Russia, Brazil, the United States, India and Japan.
Recent Monero Crimes
In November, Cointelegraph reported that the software available for download on Monero’s official website, getmonero.org, had been briefly compromised to steal cryptocurrency and drain users’ wallets.
That same month, Slovakian software security firm Eset revealed that cybercriminals operating a botnet known as Stantinko had been distributing a Monero cryptocurrency mining module via Youtube.
According to Denley’s tweet, Chrome browser crypto wallet software Shitcoin Wallet is targeting Binance, MyEtherWallet and other well-known websites containing users’ passwords and private keys to cryptocurrency.
The code attempts to scrape data input into those windows. Once it does, the information is sent to a remote server identified as “erc20wallet.tk,” which is a top-level domain address belonging to Tokelau, a group of South Pacific Islands that are part of New Zealand’s territory.
Google Chrome removed MetaMask, but for different reasons
Shitcoin Wallet stealing user data may sound similar to recent incidents including Apple threatening to unlist Coinbase’s mobile DApp browser from its app store and Google removing Ethereum wallet app MetaMask from its Google Play App Store last week. Both of those instances, however, have been subject to considerable controversy due to lack of evidence of malicious conduct on the part of those apps.
A number of cryptojacking extensions were found on the Google Chrome web store last year. According to a recent report from McAfee Labs, cryptojacking, which occurs when a user’s computing device is secretly used to mine cryptocurrency, has been on the rise, up 29% in Q1 2019.
Shitcoin Wallet was built for trouble online
While the name should be a dead giveaway that it’s better to stay away from this particular Ethereum wallet software, Shitcoin Wallet contains some suspicious added features.
According to a company blog post, the Ethereum wallet, which launched on Dec. 9 and claims to have over 2,000 users, is a web-based wallet that has several extensions for different browsers. The blog post notes;
“It is a web wallet which has several extensions for different browsers, which I will discuss further in the article.”
However, this doesn’t square with what the company mentions at the end of that very blog post, which says/reads that Shitcoin Wallet is currently only supported by Chrome.
While those users may have received a bit of free ETH, they are now left vulnerable to having their data scraped and personal information compromised.
Ledger Wallet User Allegedly Lost $16K to Malicious Browser Extension
Twitter user and software architect WizardofAus (@BTCSchellingPt) has warned cryptocurrency holders against a Chrome extension for Ledger crypto wallets that allegedly contains malware.
In A Tweet Posted On Jan 2., WizardofAus Claimed That:
“Malware Chrome extension alert. If you have “Ledger Secure” installed – REMOVE IT. The @ChromeExtension “Ledger Secure” contains malware that passes your seed phrase back to the extension’s author. This is *not* a @Ledger product. Successfully used against @hackedzec.”
“@hackedzec”’s Twitter handle was notably created in Jan. 2020; both the handle’s novelty and the chosen name suggest that he created the account specifically to spread awareness following his experience of the malware.
The official Ledger Support Twitter handle confirmed the detection of the extension malware on Jan. 2, using the header “PHISHING ALERT.”
Former Trezor executive and contributor to the “Little Bitcoin Book” Alena Vranova retweeted WizardofAus’ tweet with the comment: “another proof that the word ‘secure’ does not imply security.”
Learning From Others’ Expensive Mistakes
In WizardofAus’ account, 600 in Zcash (ZEC) — worth roughly $16,000 by press time — was stolen from @hackedzec’s holdings in his Ledger Nano by the Chrome extension’s creator.
Referring to Casa founder Jeremy Welch’s warnings last year against browser extension malware at the Bitcoin (BTC) event Baltic HoneyBadger in Riga, WizardofAus outlined the risks posed by these products — and what users can do to protect themselves:
“Firstly, be very careful what extensions you install. If you’re using the same computer for your crypto as you use generally, be extra diligent. Better to have a separate minimal machine – or use a Virtual Machine that is the only place you do crypto activity.”
Other due diligence includes using only the wallet vendor’s proprietary software — in this case, Ledger’s — and double-checking that it really comes from the vendor’s website via a secure link.
Users can also verify the checksum of the downloaded file before running the software. A checksum, also known as a hash, is a hexadecimal number that is unique to the installer .exe file created by the author. The downloaded file, assuming it has not been tampered with by a third party, should match the checksum on the vendor’s site.
North Korean Hacker Group Modifies Crypto-Stealing Malware
The Lazarus hacker group, which is allegedly sponsored by the North Korean government, has deployed new viruses to steal cryptocurrency.
Major cybersecurity firm Kaspersky reported on Jan. 8 that Lazarus has doubled down its efforts to infect both Mac and Windows users’ computers.
The group had been using a modified open-source cryptocurrency trading interface called QtBitcoinTrader to deliver and execute malicious code in what has been called “Operation AppleJeus,” as Kaspersky reported in late August 2018. Now, the firm reports that Lazarus has started making changes to the malware.
Kaspersky identified a new macOS and Windows virus named UnionCryptoTrader, which is based on previously detected versions. Another new malware, targeting Mac users, is named MarkMakingBot. The cybersecurity firm noted that Lazarus has been tweaking MarkMakingBot, and speculates that it is “an intermediate stage in significant changes to their macOS malware.”
Researchers also found Windows machines that were infected through a malicious file called WFCUpdater but were unable to identify the initial installer. Kaspersky said that the infection started from .NET malware that was disguised as a WFC wallet updater and distributed through a fake website.
The malware infected the PCs in several stages before executing the group’s commands and permanently installing the payload.
Attackers may have used Telegram to spread malware
Windows versions of UnionCryptoTrader were found to be executed from Telegram’s download folder, leading researchers to believe “with high confidence that the actor delivered the manipulated installer using the Telegram messenger.”
A further reason to believe that Telegram was used to spread malware is the presence of a Telegram group on the fake website. The interface of the program featured a graphical interface showing the price of Bitcoin (BTC) on several cryptocurrency exchanges.
The windows version of UnionCryptoTrader initiates a tainted Internet Explorer process, which is then employed to carry out the attacker’s commands. Kaspersky detected instances of the malware described above in the United Kingdom, Poland, Russia and China. The report reads:
“We believe the Lazarus group’s continuous attacks for financial gain are unlikely to stop anytime soon. […] We assume this kind of attack on cryptocurrency businesses will continue and become more sophisticated.”
Lazarus has been known to target crypto users for a long time. In October 2018, Cointelegraph reported that the group had stolen a staggering $571 million in cryptocurrencies since early 2017.
In March 2019, reports by Kaspersky suggested that the group’s efforts in targeting cryptocurrency users were still ongoing and its tactics were evolving. Furthermore, the group’s macOS virus was also enhanced in October last year.
Cybercriminals Hide Crypto Mining Script Behind Kobe Bryant Wallpaper
Opportunistic cybercriminals are capitalizing on the death of basketball legend Kobe Bryant earlier this week by setting booby-traps for those searching for mementos of the star. According to a tweet by Microsoft Security Intelligence on Jan. 31, hackers are hiding malicious html code containing a cryptojacking script in desktop wallpaper of the NBA all-time great.
Cryptojacking is a practice whereby cybercriminals hijack processing power from other computers to mine cryptocurrencies remotely.
Following the tragic helicopter crash which claimed the lives of Byrant, his 13-year old daughter, and seven other occupants, there has been increased interest in the star from both fans and the general public.
Perhaps unsurprisingly, it did not take long for cybercriminals to take advantage of this. An increasing number of people searching for information and images of the star is just a fresh crop of potential victims.
The Microsoft team found the malicious html file, Trojan:HTML/Brocoiner.N!lib with its Defender Virus Protection software. The coin mining script was disguised as a desktop wallpaper featuring an image of Bryant. The website hosting the coin miner was blocked by the software.
Reminiscing Or Cashing In?
As Cointelegraph reported, Bryant’s death brought an outpouring of grief from across social media, including a personal account from Tron founder Justin Sun. Bryant was an avid supporter of crypto, and Tron in particular, having discussed the future of blockchain with Sun on stage at the niTROn conference in 2019.
As a gesture of respect, Sun announced that this year’s niTROn conference would be dedicated to the star. However, given Sun’s prior history of dubious promotional methods, some on social media were quick to criticize this move as a shameless cash-in.
North Korean Hackers Created Realistic Trading Bot To Steal Money
The North Korean hacking team Lazarus Group targeted several crypto exchanges last year, Chainalysis reports. One of the attacks involved the creation of a fake, but realistic trading bot website that was offered to employees of DragonEx exchange.
In March 2019 the hackers stole approximately $7 million in various cryptocurrencies from Singapore-based DragonEx exchange. Though a relatively small sum, the hackers went to great lengths to obtain it.
The group used a sophisticated phishing attack where they created a realistic website and social media presence for a fake company named WFC Proof. The supposed company had created Worldbit-bot, a trading bot that was then offered to DragonEx employees.
Though the software allegedly resembled an actual trading bot, it contained malware that could hijack the computer it infected. Eventually the software was installed on a machine that contained the private keys to DragonEx’s hot wallet, allowing the hackers to steal the funds.
The attack is notable for its highly specific target and execution. The hackers appear to be very well versed in cryptocurrencies, even placing an ironic warning on its website to not let anyone access personal private keys.
Quick Cash Out
The group was previously known for parking the stolen money for up to 18 months and cashing it out once the coast seemed clear.
In 2019 they changed their behavior, choosing to exchange the money as soon as possible. In order to do this, Lazarus began using CoinJoin-enabled wallets to mix their coins.
The hackers cashed out the majority of the money in the 60 days following the attack, as opposed to almost a full year for 2018 attacks.
Cryptojacking Protection An Area Of Focus For Microsoft’s Edge Browser
Edge, the web browser of information technology giant Microsoft, now blocks cryptojacking malware.
A Microsoft Edge spokesperson told Cointelegraph on Feb. 10 that the latest version of the web browser features a new PUA (Potentially Unwanted Apps) blocking feature that may block some illicit cryptocurrency mining malware.
When asked about whether Microsoft plans to protect Edge users from illicit cryptocurrency miners, the spokesperson said that “this will be a particular area of focus.” As cryptojacking is increasingly becoming a cybersecurity threat, efforts to tackle the issue are also scaling up.
A New Cybersecurity Feature
Cryptojacking is the practice of illicitly mining cryptocurrencies on the hardware of unknowing hosts. Devices that fall victim to cryptojacking often show lower battery life and become less responsive.
Microsoft’s principal product manager Amitai Rottem pointed out the new feature in a tweet on Jan. 30. The tech giant’s program manager for the web platform Eric Lawrence explained that the feature blocks downloads that contain PUAs.
Microsoft noted that the long-implemented Microsoft Edge Tracking Protection feature also blocks known cryptocurrency mining software by default. A blog post published by Microsoft in early December 2019 reads:
“It’s worth noting that tracking prevention, when enabled, will always block storage access and resource loads for sites that fall into the Fingerprinting or Cryptomining categories on Disconnect’s tracking protection lists.”
Authorities worldwide are taking action against cryptojacking as the practice becomes more widespread. In early January, Interpol collaborated with cybersecurity firm Trend Micro to reduce cryptojacking affecting MikroTik routers across South-East Asia, while in August 2019, French police shut down a massive botnet that has been used for Monero mining on the machines of unsuspecting users.
Hacking Group Outlaw Upgrades Malware For Illicit Income Sources: Report
Cybersecurity firm Trend Micro has detected that hacking group Outlaw has been updating its toolkit for stealing enterprises’ data for nearly half a year at this point.
Outlaw — who had ostensibly been silent since last June — became active again in December, with upgrades on their kits’ capabilities, which now target more systems, according to an analysis from Trend Micro published on Feb. 10. The kits in question are designed to steal data from the automotive and finance industries.
The New Capabilities Of The Kits
The group’s new developments include scanner parameters and targets, advanced breaching techniques used for scanning activities, improved mining profits by killing off both competition and their own earlier miners, among others.
Per the analysis, the new kits attacked Linux- and Unix-based operating systems, vulnerable servers and Internet of Things devices. The hackers also used simple PHP-based web shells — malicious scripts uploaded on a server, with the objective to provide the attacker with a remote access and administration of the device. The analysis further explained:
“While no phishing- or social engineering-initiated routines were observed in this campaign, we found multiple attacks over the network that are considered ‘loud.’ These involved large-scale scanning operations of IP ranges intentionally launched from the command and control (C&C) server. The honeynet graphs, which show activity peaks associated with specific actions, also suggest that the scans were timed.”
Where Attacks Started
Attacks ostensibly started from one virtual private server (VPS) that looked for a vulnerable device to compromise. “Once infected, the C&C commands for the infected system launches a loud scanning activity and spreads the botnet by sending a “whole kit” of binary files at once with naming conventions same as the ones already in the targeted host, likely banking on breaking through via ‘security through obscurity’,” the post read.
Along with the new tools, Outlaw ostensibly exploits previously developed codes, scripts and commands. The group also uses a vast amount of IP addresses as input for scanning activities grouped by country. This ostensibly enables them to attack specific regions or areas within particular periods of the year.
Hackers’ Tools Advancement
Back in June, Trend Micro claimed to have detected a web address spreading a botnet featuring a Monero (XMR) mining component alongside a backdoor. The firm attributed the malware to Outlaw, as the techniques employed were almost the same used in previous operations.
The software in question also came equipped with Distributed Denial of Service (DDoS) capabilities, “allowing the cybercriminals to monetize their botnet through cryptocurrency mining and by offering DDoS-for-hire services.”
In January, the Lazarus hacker group, which is allegedly sponsored by the North Korean government, deployed new viruses to steal cryptocurrency. The group had been using a modified open-source cryptocurrency trading interface called QtBitcoinTrader to deliver and execute malicious code in what has been called “Operation AppleJeus.”
Researchers Find Monero Mining,Researchers Find Monero Mining,Researchers Find Monero Mining,Researchers Find Monero Mining,Researchers Find Monero Mining,Researchers Find Monero Mining,Researchers Find Monero Mining,Researchers Find Monero Mining,Researchers Find Monero Mining,Researchers Find Monero Mining,Researchers Find Monero Mining,Researchers Find Monero Mining,Researchers Find Monero Mining,Researchers Find Monero Mining,Researchers Find Monero Mining,Researchers Find Monero Mining,Researchers Find Monero Mining,Researchers Find Monero Mining,Researchers Find Monero Mining,Researchers Find Monero Mining,Researchers Find Monero Mining