Search This Blog

Powered by Blogger.

Blog Archive

Labels

Showing posts with label XMRig. Show all posts

Hacked Devices Generated $53 for Every $1 Cryptocurrency Through Crypto Jacking

 


The team of security researchers evaluated the financial impact of crypto miners affecting cloud servers. They stated that this costs cloud server victims about $53 for every $1 of cryptocurrency mined by threat actors through crypto-jacking. 

Cryptojacking refers to the illegal method of extracting cryptocurrency from unauthorized devices, including computers, smartphones, tablets, and even servers with an intent of making a profit. Its structure allows it to stay hidden from the victims. The malicious actors generate income through hijacking hardware, as the mining programs use the CPUs of hijacked devices.  

The mining of cryptocurrency through the hijacked devices was primarily an activity of financially motivated hacking groups, especially Team TNT. It was responsible for most of the large-scale attacks against vulnerable Doctors Hub, AWS, Redis, and Kubernetes deployments.  

The cyber attackers updated the OS image by distributing the network traffic across servers that contained XMRig. It is a CPU miner for a privacy-oriented hard-to-trace cryptocurrency that has recently been considered the most profitable CPU mining.   

As opposed to ransomware, software that blocks access to systems until the money is paid, and includes aggressive law enforcement, rouge crypto mining is less risky for the cyber attackers.  

The Sysdig researchers used "Chimaera", a large campaign of TeamTNT for estimating the financial damage caused by crypto miners. The research revealed that over 10,000 endpoints were disclosed to unauthorized persons. 

In order to hide the wallet address from the hijacked machines and make tracking even harder, the cyber-attackers used XMRig-Proxy but the analysts were still able to discover 10 wallet IDs used in the campaign. 

Later the researchers disclosed that the 10 wallets held a total of 39XMR, valuing $8,120. However, they also mentioned that the estimated cost to victims incurred from mining those 29 XMR is $429,000 or $11,000 per 1 XMR. 

Moreover, they explained that, according to their estimates, the amount does not include amounts that are stored in unknown older wallets, the damage suffered by the server owner as a result of hardware damage, the potential interruptions of online services caused by hogging processing power, or the strategic changes firms had to make to sustain excessive cloud bills as a result of hogging processing power.

Cryptominer Malware Posing as Desktop Version of Google Translate

 

While advertising desktop versions of well-known apps, a crypto mining effort from Turkey has been found infecting thousands of PCs. This campaign's offender is known as "Nitrokod." 

Nitrokod is a Turkish-speaking software company that has been operating since 2019 and promotes its free and secure software. The majority of the programs Nitrokod provides are well-known apps without a formal desktop version. For instance, the desktop version of Google Translate is the most used Nitrokod application. Since Google hasn't made a desktop version available, the hackers' version is quite tempting.

Over 111,000 individuals have been infected by Nitrokod in 11 countries so far.

Malware operation 

Free software that is hosted on websites like Uptodown and Softpedia is used by the campaign to spread malware. Every dropper in the executable's four-stage attack chain pulls the one after it. In the seventh stage, this ultimately results in the download of actual malware (XMRig) falling.

The victims of the campaign are spread throughout a number of nations, including the United Kingdom, Sri Lanka, the United States, Greece, Australia, Israel, Turkey, Cyprus, Mongolia, Poland, and Germany.

The creators of Nitrokod segregate destructive activities from the Nitrokod program that was initially downloaded in order to escape detection:
  • Nearly a month after the Nitrokod software was set up, the malware is first executed.
  • After six earlier phases of infected programs, the malware is deployed.
  • A scheduled job technique was used to maintain the virus chain after a lengthy wait, giving the hackers time to destroy any evidence.
Using Check Point's Infinity XDR (Extended Detection and Response) platform, a prevention-focused XDR solution, CPR discovered this new crypto miner malware campaign. With the use of this technology, SOC teams can swiftly identify, look into, and react to assaults across their whole IT infrastructure. By utilizing data collected from all products, including Endpoint, Networks, Web security, and others, it detects risks inside the company and stops its growth.

Nearly a month after the first infection, the malware is removed. The third stage dropper runs five days after the last run, and the fourth stage dropper adds four more scheduled activities with intervals ranging from one to fifteen days. The phases are removed following the creation of these assignments.

Detection &prevention  

The investigators will have an extremely difficult time identifying the attack and linking it to the bogus installation as a result of this. In order to obtain a configuration file to launch the XMRig mining operation, the virus also creates a connection to a distant C2 server.

Due to extended infection chains and staged infection, hackers were able to avoid detection for months. This gave them plenty of time to change the final payload into crypto miners or ransomware. In order to keep the malware versions in demand and unique, the virus is removed from popular apps like Google Translate that doesn't actually have a desktop version.

Mac Coinminer Employs a Novel Approach to Mask Its Traffic

 

A Mac coinminer has been discovered exploiting customizable open-source software to enhance its malicious activity. This sample incorporates a variety of altered open-source elements which the malicious actor customized to fulfill the agenda. The sample was indeed discovered concealing its network traffic with i2pd (called I2P Daemon). The Invisible Internet Protocol, or I2P client, is constructed in C++ by I2pd. I2P is a worldwide anonymous network layer which enables anonymous end-to-end encrypted communication without revealing the participants' real IP addresses. 

Coinminer is the major malware sample which has been found. MacOS. MALXMR.H is a Mach-O file which was also identified by numerous vendors because it includes XMRig-related strings as sourcing tools like Yara. Its accessibility makes, XMRig to be often utilized by other viruses to execute crypto mining. 

The primary Mach-O sample was discovered to be ad hoc-signed. This indicates the Mach-O binary is difficult to run on Mac systems, and Gatekeeper, a built-in security mechanism for macOS which enforces code signing, may prohibit it. 

The Mach-O sample is suspected to have arrived in a DMG (an Apple image format for compressing installations) of Adobe Photoshop CC 2019 v20.0.6. Apparently, the parent file could not be located. The piece of code was identified in one of its discarded files, which led to the conclusion. The sample attempts to create a non-existent file in the /Volumes path in this code. It's worth noting when double-tapping DMG files on macOS, they get automatically mounted in the /Volumes directory. 

Several embedded Mach-O files were discovered in the core Mach-O sample (detected as Coinminer.MacOS.MALXMR.H). It uses the API to elevate rights by enabling the user for authentication when it is performed. The following files have been deposited into the system by the sample:
  •  /tmp/lauth /usr/local/bin/com.adobe.acc.localhost
  •  /usr/local/bin/com.adobe.acc.network
  •  /usr/local/bin/com.adobe.acc.installer.v1 

As per Trend Micro, the sample used the auth file for persistence. The Mach-O file is in charge of creating the persistence files for the malware:
LaunchDaemons/com.adobe.acc.installer.v1.plist. 

"The file is an XMRig command-line app which has been modified. When launching the app, enter help or version in the variables to see what it's about. The help argument displays a list and overview of the parameters which can be utilized, whereas the version parameter reveals the version of the XMRig binary," according to the experts.

It is suggested to update the products and keep up with the latest patterns. Users should avoid downloading apps from shady websites and exercise excellent digital hygiene.

Nagios XI Servers: Seems to be Turning Into Cryptocurrency Miners for Attackers

 

Nagios XI is a popular enterprise server and network monitoring solutions. The feature “Configuration Wizard: Windows Management Instrumentation (WMI)” is being exploited in Nagios XI. 

On March 16, 2021, Unit 42 researchers observed an attacker targeting Nagios XI software to exploit the vulnerability CVE-2021-25296, a remote command injection vulnerability impacting Nagios XI version 5.7.5, to conduct a cryptojacking attack and deploy the XMRig coin miner on victims’ devices.

The XMRig coin miner is an open-source cross-platform cryptocurrency miner. If the attack is successful, the XMRig coin miner will be installed on the compromised devices. The vulnerability can be lessened by updating Nagios XI to the most recent update. 

In order to understand if a device is compromised and running XMRig miner, users can either:
1.Execute commands ps -ef | grep 'systemd-py-run.sh\|systemd-run.py\|systemd-udevd-run.sh\|systemd-udevd.sh\|systemd-udevd.sh\|workrun.sh\|systemd-dev' and check the result. If the processes of the mentioned scripts are running, the device might be compromised. 

2.Check the files in the folder /usr/lib/dev and /tmp/usr/lib to see if the mentioned scripts exist or not. If they exist, the devices might be compromised. If the system is discovered to be hacked, simply terminating the operation and deleting the scripts will remove the XMRig used in the attack. 

The attacks try to execute a malicious bash script fetched from the malicious server 118[.]107[.]43[.]174. The bash script dropped by the attacker downloads the XMRig miner from the same server where the script is hosted and releases a series of scripts to run the XMRig miner in the background. Once the attack succeeds, the devices will be compromised for cryptojacking. 

The attack targeting Nagios XI 5.7.5, exploits CVE-2021-25296 and drops a cryptocurrency miner, jeopardizing the security of systems running out-of-date Nagios XI applications. 

Cryptojacking malware-infected devices can experience performance degradation. Furthermore, the attacker could modify the script online, causing the new script to be automatically downloaded and executed on the compromised computers, resulting in additional security risks. 

Security subscriptions protect Palo Alto Networks Next-Generation Firewall customers from the vulnerability: 
1.Threat Prevention can block attacks with Best Practices through Threat Prevention signature 90873. 
2. Static signature detections in WildFire can avoid malware. 
3.Malicious malware domains can be blocked using URL filtering.