Ransomware outbreaks have been on the rise for quite some time, but we are now observing a change in this trend. The rise in cryptocurrency valuations, especially for Bitcoin, appears to be pushing attackers towards cryptocurrency mining, and cryptocurrency miner malware has become a popular payload for cybercriminals. Given the current difficulty of mining, a pool of computers is needed to mine effectively. To achieve this, cybercriminals infect end users' machines with miner malware with the aim of building such pools. This type of mining attack can be termed distributed mining.
In this blog post, we discuss an ongoing distributed mining campaign targeting the cryptocurrency Monero. Monero (XMR) is an open-source cryptocurrency launched in April 2014. Mining it requires substantial computing power, and cybercriminals are misusing the processing power of end-user devices to obtain it. To do so, the attackers compromise websites, mostly ones hosted on WordPress, and use them to deliver the Monero miner.
According to telemetry received at Quick Heal Security Labs, the compromised websites include those of government bodies, pharmaceutical companies, and educational institutions.
This infographic depicts the attack chain of this campaign.
Let's deep dive into the various phases of this attack. The Fiddler session capture below shows the attack sequence, taken from the compromised website of a pharmaceutical company.
When the user clicks the update button, an instruction page pops up on the screen and a malicious ZIP file is downloaded to Google Chrome's default download directory. The instructions in the pop-up window ask the user to execute the downloaded file.
The downloaded ZIP file, 'ttf.zip', contains a malicious 'ttf.js' file. When the user opens 'ttf.js', it is executed by 'cscript.exe' and downloads the malicious executable, i.e., the Monero miner.
As seen in Fig. 6 above, the script redirects the user to the malicious URL shown below.
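As an added example (not code from the original post or from Quick Heal Security Labs), the following Python script shows how the delivery chain described above could be caught from two vantage points: a download gateway that inspects ZIP archives for Windows script-host files, and endpoint process-creation telemetry where a script host (cscript.exe or wscript.exe) is started with a script that lives in the user's Downloads folder and then spawns a child binary from a user-writable directory. The pipe-delimited log format, the process IDs, the user name 'alice', and the dropped file name 'miner.exe' are constructed assumptions for the example; the post does not name the miner's on-disk path.

```python
"""Detect the ZIP -> .js -> script host -> dropped EXE chain (added example, not from the original post)."""
import io
import re
import zipfile
from dataclasses import dataclass
from typing import Dict, List, Optional, Tuple

# Windows script hosts that execute .js/.vbs/.wsf files when a user opens them.
SCRIPT_HOSTS = {"cscript.exe", "wscript.exe"}
# Script-host file types we care about; \b stops ".js" from matching ".json".
SCRIPT_EXT = r"\.(?:js|jse|vbs|vbe|wsf)\b"
SCRIPT_ARG_RE = re.compile(r'"?([A-Za-z]:\\[^"]*?' + SCRIPT_EXT + r')"?', re.IGNORECASE)
# Chrome's default download directory lives under the user's profile (assumed layout).
DOWNLOADS_RE = re.compile(r"^[A-Za-z]:\\Users\\[^\\]+\\Downloads\\", re.IGNORECASE)
USER_WRITABLE_RE = re.compile(r"^[A-Za-z]:\\Users\\[^\\]+\\(?:Downloads|AppData)\\", re.IGNORECASE)


def script_names_in_zip(data: bytes) -> List[str]:
    """Names inside a ZIP whose extension is a Windows script-host type (gateway check)."""
    with zipfile.ZipFile(io.BytesIO(data)) as zf:
        return [n for n in zf.namelist() if re.search(SCRIPT_EXT + r"$", n, re.IGNORECASE)]


def build_sample_zip() -> bytes:
    """Constructed stand-in for ttf.zip: the real ttf.js downloader body is NOT reproduced."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr("ttf.js", "// placeholder body for the example\n")
    return buf.getvalue()


@dataclass
class ProcEvent:
    pid: int
    ppid: int
    image: str
    cmdline: str


def parse_events(text: str) -> List[ProcEvent]:
    """Parse 'pid|ppid|image|cmdline' lines (a constructed format, not a real EDR schema)."""
    events = []
    for line in text.strip().splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        pid, ppid, image, cmdline = line.split("|", 3)
        events.append(ProcEvent(int(pid), int(ppid), image, cmdline))
    return events


def _basename(path: str) -> str:
    return path.rsplit("\\", 1)[-1].lower()


def script_from_downloads(ev: ProcEvent) -> Optional[str]:
    """Rule 1: a script host launched with a script that sits in a user's Downloads folder."""
    if _basename(ev.image) not in SCRIPT_HOSTS:
        return None
    m = SCRIPT_ARG_RE.search(ev.cmdline)
    if not m:
        return None
    script_path = m.group(1)
    return script_path if DOWNLOADS_RE.match(script_path) else None


def payload_from_downloaded_script(ev: ProcEvent, by_pid: Dict[int, ProcEvent]) -> Optional[str]:
    """Rule 2: a binary in a user-writable directory whose parent matched rule 1 (the dropped miner)."""
    parent = by_pid.get(ev.ppid)
    if parent is None or script_from_downloads(parent) is None:
        return None
    return ev.image if USER_WRITABLE_RE.match(ev.image) else None


def find_chains(events: List[ProcEvent]) -> List[Tuple[str, int, str]]:
    """Return (rule, pid, path) findings for every event that matches one of the rules."""
    by_pid = {e.pid: e for e in events}
    findings = []
    for ev in events:
        script = script_from_downloads(ev)
        if script:
            findings.append(("script_host_from_downloads", ev.pid, script))
        payload = payload_from_downloaded_script(ev, by_pid)
        if payload:
            findings.append(("payload_spawned_by_downloaded_script", ev.pid, payload))
    return findings


# Constructed sample telemetry; only the ttf.js line and its child should fire.
SAMPLE_LOG = r"""
# pid|ppid|image|command line
4120|1040|C:\Program Files\Google\Chrome\Application\chrome.exe|"C:\Program Files\Google\Chrome\Application\chrome.exe"
2280|1040|C:\Windows\explorer.exe|C:\Windows\explorer.exe
5016|2280|C:\Windows\System32\cscript.exe|"C:\Windows\System32\cscript.exe" "C:\Users\alice\Downloads\ttf\ttf.js"
5304|5016|C:\Users\alice\AppData\Local\Temp\miner.exe|"C:\Users\alice\AppData\Local\Temp\miner.exe"
6120|2280|C:\Windows\System32\cscript.exe|cscript.exe //nologo C:\Scripts\inventory.js
6188|6120|C:\Windows\System32\net.exe|net.exe view
"""

if __name__ == "__main__":
    print("scripts in archive:", script_names_in_zip(build_sample_zip()))
    for finding in find_chains(parse_events(SAMPLE_LOG)):
        print(*finding)
```

The admin-run `inventory.js` under `C:\Scripts` is deliberately left unflagged: the signal is not "a script host ran", which is common on managed Windows fleets, but "a script host ran something the browser just downloaded and it then launched a fresh binary from a user-writable path", which is exactly the sequence the ttf.zip lure relies on.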
Monero miner post-infection activity
On successful execution, the Monero miner generates the post-infection traffic shown below.
At the time of analysis, the CnC server did not respond as expected.
Compromising websites with known vulnerabilities is an old trick, but it remains an effective way of infecting machines at scale. This campaign uses compromised websites to infect a large number of users with the Monero miner, turning them into a distributed network of miners, which is an effective tool for the computationally expensive job of mining digital currency. Note that a legitimate browser or font update is never delivered as a ZIP archive containing a script that the user is asked to run by hand; any such prompt should be treated as malicious. We advise our users to stay protected by keeping their antivirus up to date with the latest security updates.
Indicators of compromise
Subject Matter Experts
Pradeep Kulkarni | Prashant Tilekar, Quick Heal Security Labs