
Fake Microsoft Office Add-Ins Targeting Crypto Transactions


Attackers are abusing SourceForge to distribute fraudulent Microsoft Office add-in packages that install malware on victims' PCs to mine and steal cryptocurrency.

SourceForge.net is a legitimate software hosting and distribution platform that also offers version control, issue tracking, and dedicated forums/wikis, making it a popular choice among open-source project communities. 

Although its open project-submission model leaves room for abuse, malware is rarely distributed through it. The campaign discovered by Kaspersky has affected 4,604 systems, most of them in Russia. Although the malicious project has since been removed from SourceForge, Kaspersky notes that it had already been indexed by search engines, so it drew traffic from users searching for "office add-ins" and similar terms.

Fraudulent office add-ins

The "officepackage" project poses as a set of development tools for Office add-ins, and its files and description are copied from Microsoft's official "Office-Addin-Scripts" project, which is hosted on GitHub.

Users who search for office add-ins on Google (and other engines) are instead directed to "officepackage.sourceforge.io", a page served by the separate web-hosting service that SourceForge provides to project owners.

That page shows "Office Add-ins" and "Download" buttons, just as a genuine developer-tool page would. Clicking either delivers a ZIP archive containing a password-protected package (installer.zip) and a text file holding the password.

The package contains an MSI file (installer.msi) that has been inflated to roughly 700 MB to evade antivirus scans, which often skip or truncate very large files. When it runs, it drops 'UnRAR.exe' and '51654.rar' and launches a Visual Basic script that downloads a batch script (confvk.bat) from GitHub.
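Padding an installer to hundreds of megabytes works because many scanners skip or truncate very large files. A quick triage check, added here as an example and not part of Kaspersky's analysis, is to measure how much of a file is a single homogeneous tail or near-zero-entropy filler. The padding style (a run of null bytes) and the sizes in the constructed sample are assumptions for illustration; the real installer.msi was about 700 MB.

```python
import math
from collections import Counter

# Constructed sample (not the real installer.msi): a few KiB of varied bytes
# standing in for the genuine MSI content, followed by a run of null bytes
# standing in for the padding. Sizes are scaled down so the check runs instantly.
REAL_CONTENT = bytes(range(256)) * 16          # 4 KiB, every byte value present
PADDING = b"\x00" * (64 * 1024)                # 64 KiB of nulls (assumed padding style)
CONSTRUCTED_SAMPLE = REAL_CONTENT + PADDING


def shannon_entropy(data: bytes) -> float:
    """Bits of entropy per byte: 0.0 for a constant run, 8.0 for a uniform spread."""
    if not data:
        return 0.0
    n = len(data)
    return -sum((c / n) * math.log2(c / n) for c in Counter(data).values())


def trailing_run_length(data: bytes) -> int:
    """Length of the run of identical bytes at the very end of the file."""
    if not data:
        return 0
    last = data[-1]
    i = len(data) - 1
    while i >= 0 and data[i] == last:
        i -= 1
    return len(data) - 1 - i


def bloat_report(data: bytes, chunk: int = 4096) -> dict:
    """Score a file for artificial inflation.

    Two signals are combined: the share of the file taken up by one
    homogeneous tail, and the share of fixed-size chunks whose entropy is
    near zero. Genuine installers show neither in large amounts.
    """
    size = len(data)
    tail = trailing_run_length(data)
    chunks = [data[off:off + chunk] for off in range(0, size, chunk)]
    low_entropy = sum(1 for c in chunks if shannon_entropy(c) < 1.0)
    tail_ratio = tail / size if size else 0.0
    low_ratio = low_entropy / len(chunks) if chunks else 0.0
    return {
        "size": size,
        "trailing_run_bytes": tail,
        "trailing_run_ratio": round(tail_ratio, 3),
        "low_entropy_chunk_ratio": round(low_ratio, 3),
        # Either signal above one half is a strong hint of padding; tune to taste.
        "likely_padded": tail_ratio > 0.5 or low_ratio > 0.5,
    }


def scan_file(path: str) -> dict:
    """Run the check against a file on disk."""
    with open(path, "rb") as f:
        return bloat_report(f.read())


if __name__ == "__main__":
    print(bloat_report(CONSTRUCTED_SAMPLE))
```

On a real sample, run scan_file against the extracted installer.msi. The ratios are heuristics: an MSI that is large because it carries compressed cabinets is high-entropy throughout and scores near zero, while a padded one scores close to 1.0 on both signals.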

That script first checks whether it is running in a sandboxed or virtualized environment and which antivirus products are active, then downloads a second batch script (confvz.bat) and unpacks the RAR archive.

The confvz.bat script establishes persistence through Registry changes and by adding Windows services. The RAR archive contains the AutoIT interpreter (Input.exe), the Netcat reverse-shell tool (ShellExperienceHost.exe), and two payloads (Icon.dll and Kape.dll).

The two DLLs are a cryptocurrency miner and a clipper. The miner burns the machine's CPU time mining cryptocurrency for the attacker's wallet, while the clipper watches the clipboard for copied cryptocurrency addresses and silently replaces them with attacker-controlled ones, so funds the victim believes they are sending to a legitimate address go to the attacker instead.
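A clipper only has to do two things: recognize a wallet address on the clipboard and overwrite it. The detection below, added here as an example rather than code from the report or from the malware, looks for the observable side effect: a wallet address replaced by a different address of the same type within a fraction of a second, which a human almost never does. The address patterns come from the public address formats (BTC legacy and bech32, ETH, XMR); the clipboard history is constructed, the wallet strings are placeholders, and on a live host the snapshots would come from polling the OS clipboard (for example with win32clipboard on Windows).

```python
import re
from dataclasses import dataclass

# Address shapes taken from the public address formats, not from the malware.
ADDRESS_PATTERNS = {
    "btc_legacy": re.compile(r"^[13][a-km-zA-HJ-NP-Z1-9]{25,34}$"),
    "btc_bech32": re.compile(r"^bc1[qpzry9x8gf2tvdw0s3jn54khce6mua7l]{39,59}$"),
    "eth":        re.compile(r"^0x[0-9a-fA-F]{40}$"),
    "xmr":        re.compile(r"^[48][0-9AB][1-9A-HJ-NP-Za-km-z]{93}$"),
}


def classify(text: str):
    """Return the address kind a clipboard string looks like, or None."""
    text = text.strip()
    for kind, pattern in ADDRESS_PATTERNS.items():
        if pattern.match(text):
            return kind
    return None


@dataclass
class ClipEvent:
    t: float   # seconds since monitoring started
    text: str  # clipboard contents at that moment


def detect_swaps(events, window: float = 2.0):
    """Flag clipboard transitions that look like a clipper at work.

    A clipper waits for a wallet address to land on the clipboard and replaces
    it almost immediately with a different address of the same kind. A human
    re-copying a second address takes far longer and usually copies something
    else in between, so same-kind, different-value, sub-`window` transitions
    are a strong signal.
    """
    alerts = []
    for prev, cur in zip(events, events[1:]):
        kind_prev, kind_cur = classify(prev.text), classify(cur.text)
        if (kind_prev is not None and kind_prev == kind_cur
                and prev.text.strip() != cur.text.strip()
                and cur.t - prev.t <= window):
            alerts.append({
                "kind": kind_prev,
                "original": prev.text.strip(),
                "replaced_with": cur.text.strip(),
                "seconds": round(cur.t - prev.t, 3),
            })
    return alerts


# Constructed clipboard history. The first BTC string is the well-known Bitcoin
# wiki example address, the second is a made-up string in the valid alphabet;
# the ETH strings are filler hex, not real wallets.
CONSTRUCTED_EVENTS = [
    ClipEvent(0.0, "meeting notes for Tuesday"),
    ClipEvent(5.0, "1BvBMSEYstWetqTFn5Au4m4GFg7xJaNVN2"),   # user copies an address
    ClipEvent(5.3, "1AttackerAttackerAttackerAttacker"),     # swapped 300 ms later
    ClipEvent(40.0, "0x" + "ab" * 20),                       # later, an ETH address
    ClipEvent(90.0, "0x" + "cd" * 20),                       # re-copied 50 s later: benign
]


if __name__ == "__main__":
    for alert in detect_swaps(CONSTRUCTED_EVENTS):
        print(alert)
```

Poll the clipboard at an interval shorter than `window` so the swap is not missed, and treat the alert as a trigger to inspect processes that hold clipboard viewer registrations. For users, the low-tech check is the same one this code automates: paste the address into a text field and compare it character by character with the intended one before sending.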

The attacker also receives information about the infected device via Telegram API calls and can use the same channel to deliver further payloads to the compromised machine. The campaign is another example of threat actors abusing a legitimate platform to borrow its credibility and slip past security measures.

Stantinko botnet's strategy now shifts to crypto-mining


The Stantinko botnet, which has been involved in a range of criminal ventures, has added a Monero crypto-mining module to its arsenal. Since 2012 Stantinko has carried out fraud, ad injection, social-network fraud and brute-force password-stealing attacks against users in former Soviet states, primarily Russia, Ukraine, Belarus and Kazakhstan. Researchers at ESET have now discovered that a major source of Stantinko's monetization since at least August 2018 has been a Monero crypto-mining module.


ESET describes the module, which it tracks as CoinMiner.Stantinko, as a "highly modified version of the xmr-stak open-source crypto-miner". It is aggressive enough to "exhaust most of the resources of the compromised machine". ESET adds that every sample is unique, because the operators compile a different module for each victim. "This module's most notable feature is the way it is obfuscated to thwart analysis and avoid detection," said ESET. CoinMiner.Stantinko is divided into four logical parts with distinct capabilities. The main component does the actual mining; the other three perform the following functions:
• suspending other (i.e. competing) crypto-mining applications
• detecting security software
• suspending mining if the PC is on battery power or when a task manager is detected, so that the user does not notice it

CoinMiner.Stantinko doesn't communicate with the mining pool directly; instead it uses proxies whose IP addresses are derived from the description text of YouTube videos. The module fetches its hashing algorithm from these proxies rather than embedding it, over a TCP channel encrypted with RC4, which lets the operators switch algorithms to mine whichever cryptocurrency is most profitable at the time. When ESET alerted YouTube to the abuse, the offending channels were removed.
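RC4 is a symmetric stream cipher, so once an analyst extracts the key from a sample, the same routine that encrypts the proxy traffic decrypts a capture of it; and if the operators reuse one key without a per-message nonce, two captured records XOR to the XOR of their plaintexts. The example below is added here (it is not ESET's code or Stantinko's) and implements RC4 from its specification, then applies it to a constructed exchange: the key, the message bodies and the documentation-range address 192.0.2.10 are placeholders, and the key-reuse weakness is shown as a general property of RC4, not as a finding about Stantinko's protocol.

```python
def rc4_ksa(key: bytes) -> list:
    """Key-scheduling algorithm: build the 256-entry permutation from the key."""
    S = list(range(256))
    j = 0
    for i in range(256):
        j = (j + S[i] + key[i % len(key)]) & 0xFF
        S[i], S[j] = S[j], S[i]
    return S


def rc4_keystream(key: bytes, length: int) -> bytes:
    """Pseudo-random generation algorithm: emit `length` keystream bytes."""
    S = rc4_ksa(key)
    i = j = 0
    out = bytearray()
    for _ in range(length):
        i = (i + 1) & 0xFF
        j = (j + S[i]) & 0xFF
        S[i], S[j] = S[j], S[i]
        out.append(S[(S[i] + S[j]) & 0xFF])
    return bytes(out)


def rc4(key: bytes, data: bytes) -> bytes:
    """RC4 is a stream cipher: XOR with the keystream both encrypts and decrypts."""
    return bytes(a ^ b for a, b in zip(data, rc4_keystream(key, len(data))))


def xor_bytes(a: bytes, b: bytes) -> bytes:
    """XOR two byte strings, truncated to the shorter one."""
    return bytes(x ^ y for x, y in zip(a, b))


def recover_second_plaintext(c1: bytes, c2: bytes, p1: bytes) -> bytes:
    """Keystream-reuse attack.

    If two records were encrypted under the same RC4 key with no per-message
    nonce, both used the identical keystream, so c1 XOR c2 == p1 XOR p2.
    Knowing (or guessing) p1 therefore reveals p2 up to the shorter length.
    """
    return xor_bytes(xor_bytes(c1, c2), p1)


def decrypt_capture(key: bytes, blob: bytes) -> bytes:
    """What an analyst does once the key is known: decrypt a captured record."""
    return rc4(key, blob)


# Constructed exchange. The key and the message bodies are placeholders; in a
# real case the key would be recovered from the sample and the ciphertexts from
# a packet capture of the proxy session. 192.0.2.10 is a documentation address.
ASSUMED_KEY = b"placeholder-c2-key"
HELLO = b'{"type":"hello","ver":1}'
POOL_CFG = b'{"type":"pool","host":"192.0.2.10:3333"}'
CAPTURED_1 = rc4(ASSUMED_KEY, HELLO)
CAPTURED_2 = rc4(ASSUMED_KEY, POOL_CFG)


if __name__ == "__main__":
    print(decrypt_capture(ASSUMED_KEY, CAPTURED_2))
    # Without the key, a known first message still leaks the start of the second:
    print(recover_second_plaintext(CAPTURED_1, CAPTURED_2, HELLO))
```

The three standard RC4 test vectors (key "Key" with "Plaintext", "Wiki" with "pedia", "Secret" with "Attack at dawn") are the quickest way to confirm a reimplementation before pointing it at real traffic; a key-scheduling slip produces plausible-looking garbage that is easy to mistake for a wrong key.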

Preventing Detection
CoinMiner.Stantinko goes to some lengths to avoid detection: it shuts down competing miners, watches for security software, and temporarily suspends mining when the machine is running on battery. "Our discovery shows that the criminals behind Stantinko continue to expand the ways they leverage the botnet they control," ESET researcher Vladislav Hrčka concludes. "This remotely configured crypto-mining module, distributed since at least August of 2018 and still active at the time of writing, shows this group continues to innovate and extend its money-making capabilities."