Search This Blog

Powered by Blogger.

Blog Archive

Labels

Showing posts with label Crypto-Mining. Show all posts

Clipminer Botnet Made 1.7 Million Dollars From Crypto Mining

 

Threat researchers have found a large-scale operation of Clipminer, a new cryptocurrency mining virus that netted its users at least $1.7 million in transaction hijacking.

Clipminer is built on the KryptoCibule malware, according to researchers at Symantec, a Broadcom company. Both trojans are designed to steal bitcoin wallets, hijack transactions, and mine cryptocurrency on affected computers. 

Clipminer is based on the KryptoCibule malware, according to researchers at Symantec, a Broadcom company. Both trojans are designed to steal bitcoin wallets, hijack transactions, and harvest cryptocurrency on affected computers. Researchers were taken aback by the new malware because it had fast grown in size by the time it was discovered. According to the Symantec team, these operations involved 4375 bitcoin wallet addresses that received stolen monies from victims.

Downloads or pirated software, are used to spread malware; malicious clipminer botnet files are distributed over torrent sites and other pirating methods. This bitcoin miner can be installed on the machine as a WinRAR archive, which will immediately start the extraction process and launch the control panel file, leading to the download of the dynamic link library. 

The infected DLL creates registry values and installs malware in several files in the Windows directory. Those files are named after ransoms so that the profile may be hosted and the main miner's payload can be downloaded and installed afterward. The system receives identification, which is sent on to the C&C server, which then sends out a request for the payload. The malware is delivered as a 10MB file in the Program Files directory. Once the trojan has been successfully executed, scheduled actions are set up to ensure the malware's persistence. To avoid re-infecting the same host, registry modification is also performed.

According to Symantec, the first Clipminer samples began to circulate in January 2021, with malicious activity picking up in February. Ever since the malware has spread over P2P networks, torrent indexers, YouTube videos, and through game and pirated software cracks. To avoid becoming infected with Clipminer or other malware, avoid downloading software from unknown sources. Verify the entered cryptocurrency wallet address before initiating the transaction to protect yourself from a clipboard hijacker.

Scammers in Russia Offer Free Bitcoin on a Hacked Government Website

 

The website of the Russian government was recently hacked. The fraudsters started a phoney Bitcoin (BTC) scheme, which they then re-published after being taken down several times. An unnamed gang of hackers began promoting the Free BTC Giveaway scam on the Ryazan administration's website, according to the local Russian news source Izvestia. 

Hackers had disputed the distribution of 0.025 BTC to everyone who installed the specified programme on their device in the aforementioned scam. In addition, the hackers added in the re-post that five lucky winners will each receive an extra $1,000. As of late, all messages, including the second post, have been removed. 

The Russian government has tightened its grip on all crypto-crime in the country. Last month, Russia's Federal Financial Monitoring Service in Moscow, known as Rosfinmonitoring, launched the latest cryptocurrency tracing system. This will deanonymize traders' identities by further analysing their actions and movements. The tracing system in Russia, according to Rosfinmonitoring, is focused on combating money laundering and terrorist funding rackets.

In 2021, the global volume of cryptocurrency-related fraud grew substantially. According to specialists from the IT security firm Zecurion, losses in the first half of this year were an estimated $1.5 billion, which is two to three times more than the sum recorded in the same period last year. According to a study released, the Russian Federation is responsible for 2% of the total — some $30 million, or over 2.2 billion rubles.

The Central Bank of Russia (CBR) said in July that in the first six months of the year, it had discovered 146 financial pyramid schemes. In comparison to the same period in 2020, the number is 1.5 times greater. According to the regulators, consumers with poor financial literacy are frequently duped into investment schemes involving cryptocurrency or crypto mining. According to the CBR, the increase is due to increased activity by "unfair market participants" and increased investment demand in Russia. 

The primary reasons for the increase, according to analysts, are consumers' increasing exposure to digital assets as well as a desire to earn rapid profits in a burgeoning industry with few rules amid instability in traditional financial markets. They also predict crypto fraud to continue to climb this year, with an annual increase of 15% expected.

Google Play is Infested with Fake Crypto Mining Apps

 

Google has deleted eight bogus mobile apps from the Play Store that pretend to be bitcoin cloud-mining apps but are actually designed to trick users into paying for pricey subscription services and engaging in other unlawful acts. Although they may have been removed, Trend Micro researchers discovered that when searching Google Play for the keywords "cloud mining," several problematic applications of the same sort remain. 

“Cloud mining introduces both convenience and cybersecurity risks. Because of the simplicity and agility of cloud computing, it is quick and easy to set up a realistic-looking crypto mining service that is really a scam,” said Ioannis Gasparis, a mobile application security researcher at Lookout, in a report released in July. 

These phoney Android apps target those who want to make money online by persuading them to invest in a cloud-mining company. All eight recently removed apps were found to be infected with one of two malwares: FakeMinerPay and FakeMinerAd. 

“These apps were able to fly under the radar because they don’t actually do anything malicious,” said Ioannis Gasparis. “They are simply shells set up to attract users caught up in the cryptocurrency craze and collect money for services that don’t exist. Purchasing goods or services online always requires a certain degree of trust — these scams prove that cryptocurrency is no exception.”

According to Cifer Fang, a researcher at Trend Micro, these malicious apps merely fool victims into watching adverts, make them pay for subscription services with an average monthly charge of $15, and also encourage them to pay for greater mining capabilities without getting anything in return. 

According to Trend Micro's findings, the apps don't actually mine anything; instead, "fake mining activity on the apps' user interface (UI) is carried out via a local mining simulation module that comprises a counter and certain random operations."

“The app called Daily Bitcoin Rewards – Cloud Based Mining System prompts its users to upgrade their crypto-mining capacity by ‘buying’ their favorite mining machines to earn more coins at a faster rate,” Fang noted. 

Two of the phoney crypto mining apps (Bitcoin [BTC] – Pool Mining Cloud Wallet and Bitcoin 2021), according to Trend Micro's analysis, bombarded their users with adverts with the primary purpose of enticing victims to click.

Ukraine Seized Gaming Consoles used for Illegal Crypto Mining

 

The Security Service of Ukraine (SBU), Ukraine's top law enforcement agency, reported last week that it had discovered a large-scale electricity theft in Vinnytsia, in west-central Ukraine. The stolen power was used to mint digital currency in the country's largest illegal crypto farm discovered to date, according to officials. Residents of Vinnytsia and Kyiv established the mining facility in a former warehouse of JSC Vinnytsiaoblenerho, according to a press release on the agency's website. Using electrical metres that did not indicate the true energy consumption, they were able to hide the theft from the distribution firm. 

Law enforcement seized around 5,000 items of mining hardware, including 3,800 gaming consoles, over 500 video cards, and 50 processors, during searches at the crypto farm and its owners' homes. Agents seized electricity consumption records, as well as notebooks, phones, and flash drives, according to the announcement.

Under the direction of Ukraine's Prosecutor General's Office, the SBU Department for Counterintelligence Protection of State Economic Interests, in collaboration with the regional SBU Office in Vinnytsia and the Main National Police Investigation Department, conducted the operation. 

According to preliminary estimates published by Ukrainian officials, the illegal mining activity is responsible for electrical losses in the range of 5 to 7 million hryvnia, or $183,000 to $256,000 at the time of writing. Officials added that the heavy usage could have caused power surges and disruptions in the neighboring communities. For unauthorized usage of electricity, the SBU has filed a criminal complaint. Investigators are now seeking to figure out who is behind the illegal crypto mining and if any JSC Vinnytsiaoblenerho employees are involved as well. 

The report from Vinnytsia follows the closure of an illegal mining farm in Chernihiv Oblast by Ukrainian law enforcement last week. The facility was run off of stolen electricity from the local power grid. Authorities confiscated 150 mining equipment that had burned electricity worth $110,000 during a raid on rented facilities. In early June, the SBU discovered a crypto farm in Dnipropetrovsk Oblast with 350 mining rigs that were illegally linked to the power system and had consumed over $70,000 in electricity. 

Last year, Ukraine was ranked first in the world in Chainalysis' Global Crypto Adoption Index. The Eastern European country is attempting to lead the region with crypto-friendly efforts such as the introduction of a bill to determine the legal status of crypto assets in the country, as well as guidelines for their circulation and issuance.

DirtyMoe Botnet has Infected over 100,000 Windows Systems

 

More than 100,000 Windows systems have been infected with the DirtyMoe malware. According to cyber-security firm Avast, a Windows malware botnet thought to be managed out of China has surged this year, increasing from 10,000 infected systems in 2020 to more than 100,000 in the first half of 2021. The malware, which goes by the names DirtyMoe, PurpleFox, Perkiler, and NuggetPhantom, has been circulating since late 2017. 

Its main goal has been to infect Windows systems and mine cryptocurrency behind the users' backs, although the functionality to execute DDoS assaults was discovered in 2018. The botnet was a small-scale operation for the majority of its existence. Its authors mostly used email spam to get people to malicious websites that hosted the PurpleFox exploit kit. 

This web-based attack tool took use of browser vulnerabilities, most commonly in Internet Explorer, to install a rootkit component on unpatched Windows computers, giving the malware complete control over the affected host, which is then used for crypto-mining. This rootkit, also known as DirtyMoe, PurpleFox, Perkiler, and NuggetPhantom, was well-known in the cyber-security field, but it was only considered a minor threat. 

According to Avast, the DirtyMoe botnet had an annual average of a few hundred to a few thousand infected systems for the majority of its life from 2017 to 2020. Things changed dramatically near the end of 2021 when the DirtyMoe gang released an update to their operation that included a worm module that allowed the malware to spread across the internet to other Windows systems. “Recently, a new infection vector that cracks Windows machines through SMB password brute force is on the rise” reads the analysis published by Avast. This module scoured the internet for distant Windows machines that had left their SMB port exposed online and launched password brute-force attacks against them. 

The malware's SMB propagation module allowed it to explode in terms of infections on a logarithmic scale, with over 100,000 systems affected this year alone, according to Avast. However, this figure is based solely on Avast's visibility—that is, PCs with the antivirus software installed. The true magnitude of the DirtyMoe botnet is thought to be far larger. 

A report from Tencent, a Chinese security firm, detected an increase in DirtyMoe/PurpleFox infections in China over the course of 2021, reflecting the comparable explosion in infection numbers reported by Avast in Europe, Asia, and America at the start of the month.

Kubeflow: The Target of Cryptomining Attacks

 

Microsoft has discovered a new, widespread, ongoing threat that aims to infect Kubernetes clusters running Kubeflow instances with malicious TensorFlow pods that mine cryptocurrencies. Kubeflow is a popular open-source framework for conducting machine learning (ML) tasks in Kubernetes, while TensorFlow is an end-to-end, open-source ML platform. 

Microsoft security experts cautioned on Tuesday that they noticed a rise in TensorFlow pod deployments on Kubernetes clusters at the end of May — pods that were running legal TensorFlow images from the official Docker Hub account. However, a closer examination of the pods' entry point revealed that they are used to mine cryptocurrency. 

In a post on Tuesday, Yossi Weizman, a senior security research software engineer at Microsoft's Azure Security Center, said that the "burst" of malicious TensorFlow deployments was "simultaneous," implying that the attackers scanned the clusters first, kept a list of potential targets, and then fired on all of them at the same time. The attackers used two distinct images, according to Weizman. The first is the most recent version of TensorFlow (tensorflow/tensorflow:latest), and the second is the most recent version with GPU support (tensorflow/tensorflow:latest-gpu). 

According to Weizman, using TensorFlow images in the network "makes a lot of sense," because “if the images in the cluster are monitored, usage of a legitimate image can prevent attackers from being discovered.” Another rationale for the attackers' decision is that the TensorFlow image they chose is an easy way to conduct GPU activities using CUDA, which "allows the attacker to optimize the mining gains from the host," according to him. 

The newly found vulnerability is comparable to a cryptocurrency mining attack revealed by Microsoft in June. That previous campaign also targeted Kubeflow workloads, launching a broad XMRIG Monero-mining campaign by exploiting misconfigured dashboards. The most recent campaign includes the following changes: According to Weizman, the attackers abused their access to the Kubeflow centralized dashboard to establish a new pipeline this time.

Kubeflow Pipelines is a framework for creating machine learning pipelines based on Argo Workflow, an open-source, container-native workflow engine for coordinating parallel jobs. A pipeline is a collection of steps, each of which functions as its own container, that together creates an ML workflow. 

Users of Kubeflow should ensure that the centralized dashboard is not insecurely exposed to the internet, according to Microsoft.

'Sysrv' - New Crypto-Mining Botnet is Silently Expanding it's Reach

 

It appears that the developers of the ‘Sysrv’ botnet have been working hard in putting out a more sophisticated version of their malware, as the latest surge in the associated activity is accompanied by expanded capabilities and persistence. The actors’ goal is to install Monero crypto miners and make a profit by burdening the machines of others.

Researchers at Juniper Threat Labs have been following the activity and sampled several iterations of the Sysrv since the start of the year and noticed several changes along the way. First of all, during the surge of the attacks, the exploits that were modified into Sysrv concerned the following six vulnerabilities:

• Mongo Express RCE (CVE-2019-10758)
• XXL-JOB Unauth RCE 
• XML-RPC (CVE-2017-11610) 
• CVE-2020-16846 (Saltstack RCE)
• ThinkPHP RCE 
• CVE-2018-7600 (Drupal Ajax RCE) 

By using these flaws, the actors infect a vulnerable system and use it as a Monero miner as well as a point to help the menace spread further. The worming function relies on random public IP scans using the same list of exploits while the payload is fetched from a hardcoded IP or domain via wget, curl, or PowerShell. The researchers noticed the use of two loader scripts, namely ldr.sh or ldr.sp1. 

Sysrv has two binary payloads, one for Linux and one for Windows systems. The miner component is merged with the worm into a single binary in the most recent versions of the malware, whereas previously, it was in the form of a separate binary. The campaign’s effectiveness seems to be moderate, as the researchers were able to confirm that the actors have made at least a couple of thousand USD on each mining pool since December 2020. By looking into the Shodan search engine’s exploits, it becomes clear that Sysrv was tuned to target systems that have been “abandoned.”

However, Sysrv is being actively developed, and its authors are adding more exploits that target recent flaws. The newer versions of the malware include CVE-2021-3129 (Laravel), CVE-2020-14882 (Oracle Weblogic), and CVE-2019-3396 (Widget Connector macro in Atlassian Confluence Server). This alone tells us that Sysrv is here to stay, and it’s going to get nastier with time.