Threat actors use new techniques to distribute malware, which is evolving constantly. In a recent attack, they used malicious e-mail auto-replies to deliver crypto-mining malware. Russian cybersecurity firm F.A.C.C.T. said that threat actors breached e-mail accounts and set up automatic replies containing links to cryptocurrency mining malware.
Auto-replies for Malware Distribution
In traditional malware distribution attacks, hackers used malicious downloads, compromised websites, and phishing emails. But the new attack method uses auto-replies, experts from F.A.C.C.T explained that the new technique was employed in delivering the Xmrig crypto-miner to workers at Russian tech companies, insurance firms, financial businesses, and retail marketplaces. Experts found 150 emails that contained Xmrig earlier this year.
Cybercriminals Using New Methods
Dmitry Eremenko, senior analyst at F.A.C.C.T said “This method of malware delivery is dangerous because the potential victim initiates communication first. This is the main difference from traditional mass mailings, where the recipient often receives an irrelevant email and ignores it.”
Despite not looking convincing, E-mails sent through auto-replies didn't raise suspicions. To avoid detection, the hackers used a scan of a real invoice for equipment payment, different than subject mail. It means the companies as well as users who are in contact with the breached mail can become targets.
Use of cryptocurrency mining software
Xmrig is an open-source cryptocurrency mining software mainly used for mining Monero (XMR). Cybercriminals have been using new techniques to deliver Xmrig to target devices. For instance, in one campaign, the hackers used a pirated version of Final Cut Pro (a video editing software) to deploy the crypto-miner on Apple computers.
F.A.C.C.T doesn't have any information regarding the main culprit behind the attack and their success. Experts do believe that the breached email accounts had a history of their credentials leaked on darknet, including their data. Breached accounts include construction companies, a furniture factory, a farm, and small trading firms.
To stay safe, the report suggests “do not save passwords in browsers, install unlicensed software, because it may contain stealers, do not follow dubious links in the mail and do not enter your data on dubious sites (phishing)
