Mining cryptocurrencies seems to be a very popular way of earning some cash among tech-savvy users. There are honest, and therefore legal, ways of doing so: you invest in high-end equipment and start mining with your own hardware. This means spending money not only on the very expensive hardware you will need but also on electricity bills that could make your head spin. Mining is also a process that takes a fair bit of time, months or even years. This legal approach to mining cryptocurrencies is risky, since the cryptocurrency's value may collapse overnight and you can end up losing a large sum of money. To increase productivity, users can form a "mining pool": a group of users who come together to mine and then split the rewards in the end. Now, people whose pockets aren't as deep and whose moral values aren't as much in check could try a different approach. Instead of throwing all that money at equipment and electricity, they could try the not-so-legal way of mining cryptocurrencies. This is exactly what the cyber crooks behind the malware we'll be talking about today have done.
What Is Illegal Cryptocurrency Mining?
Since Bitcoin is becoming more and more mainstream, it's getting increasingly difficult to make good profits mining it. So instead, users have been turning to somewhat less popular cryptocurrencies such as Ethereum, Litecoin, and Monero. The fellows in question today chose to go after Monero. To create their mining malware, they took legitimate mining software called XMRig, which is used by people who mine legally, and modified it to serve their needs. Those needs include adding the URL of their mining pool and their own wallet address. It doesn't really sound illegal so far, right? Here's the catch: the mining pool doesn't consist of other users who have agreed to contribute their hardware, but is instead formed by a group of hijacked systems whose owners are completely oblivious. Mining greatly decreases the lifespan of one's hardware and increases electricity usage. The authors of this malware even go as far as killing processes belonging to legitimate XMRig installations, so that all of the hardware's power is concentrated on their own mining.
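The two things the attackers bolt onto XMRig, a pool URL and a wallet address, are also what gives the miner away on a compromised host. The following is an added detection example written for this article, not code from the original page or from the XMRig project: it scores process command lines for XMRig-style indicators (the binary name, a pool endpoint after `-o`/`--url`, a standard Monero address, and XMRig switches) and flags a process only when at least two signals coincide. The process listing and the wallet value are constructed placeholders.

```python
"""Heuristic detector for XMRig-style miner processes (constructed example)."""
import re
from typing import List, Optional, Tuple

# Standard Monero addresses: 95 base58 characters starting with '4' (subaddresses start with '8').
# Base58 excludes the characters 0, O, I and l.
MONERO_ADDR = re.compile(r"(?<![1-9A-Za-z])[48][1-9A-HJ-NP-Za-km-z]{94}(?![1-9A-Za-z])")
# Pool endpoints as XMRig accepts them after -o/--url: stratum+tcp://host:port or bare host:port.
POOL_ENDPOINT = re.compile(r"(?:stratum\+(?:tcp|ssl)://)?[A-Za-z0-9.-]+\.[A-Za-z]{2,}:\d{2,5}")
# Real XMRig command-line switches; individually weak signals, combined they are telling.
XMRIG_SWITCHES = ("--donate-level", "--cpu-priority", "--keepalive", "--nicehash", "--algo", "--threads")


def score_process(pid: int, cmdline: str) -> Optional[Tuple[int, List[str]]]:
    """Return (pid, reasons) when the command line looks like a miner, else None."""
    reasons: List[str] = []
    lower = cmdline.lower()
    if "xmrig" in lower:
        reasons.append("xmrig in binary name or arguments")
    if re.search(r"(?:^|\s)(?:-o|--url)[ =]", cmdline) and POOL_ENDPOINT.search(cmdline):
        reasons.append("mining pool endpoint passed via -o/--url")
    if MONERO_ADDR.search(cmdline):
        reasons.append("Monero wallet address on command line")
    hits = [s for s in XMRIG_SWITCHES if s in lower]
    if hits:
        reasons.append("XMRig switches: " + ", ".join(hits))
    # Require two independent signals so a lone '-o' (e.g. curl -o) is not enough to alert.
    return (pid, reasons) if len(reasons) >= 2 else None


def detect_miners(processes: List[Tuple[int, str]]) -> List[Tuple[int, List[str]]]:
    """Run score_process over a (pid, cmdline) listing and keep only the hits."""
    return [hit for hit in (score_process(p, c) for p, c in processes) if hit]


# Constructed sample process listing; the wallet is a placeholder, not a real address.
SAMPLE_WALLET = "4" + "9" * 94
SAMPLE_PROCESSES = [
    (1201, f"C:\\Windows\\Temp\\svchost.exe -o stratum+tcp://pool.example.invalid:3333 -u {SAMPLE_WALLET} -p x --donate-level=0"),
    (1733, "C:\\Program Files\\Tools\\xmrig.exe --url=pool.example.invalid:5555 --threads=4"),
    (2044, "C:\\Windows\\System32\\svchost.exe -k netsvcs"),
    (2310, "curl.exe -o report.txt https://intranet.example.invalid/status"),
]

if __name__ == "__main__":
    for pid, reasons in detect_miners(SAMPLE_PROCESSES):
        print(pid, "; ".join(reasons))
```

On a real host, feed the function the output of `tasklist /v` or `wmic process get processid,commandline`; the renamed binary in the first sample is the case that a name-only check would miss.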
How Monero Mining Malware Operates
This Monero mining malware scans the internet for servers vulnerable to the exploit it employs, CVE-2017-7269. When a vulnerable server is found, the attackers gain the ability to execute code remotely and to obtain a local command shell on the targeted machine. With that access they could plant all sorts of files and software, but in this case they apparently limit themselves to a modified variant of XMRig. Thanks to a recently released exploit, the threat actors can exploit vulnerabilities in a core Windows service. The same exploit was used in the major WannaCry outbreak of 2017, but it is important to mention that the experts at Microsoft were quick to react, and it took them just a few weeks to release a critical fix for the issue. However, Microsoft can't force every user to apply the pending patch, which means there are still thousands of computers vulnerable to the aforementioned exploit.
The attacks involving this corrupted XMRig have been going on for about five months now, coming and going in waves. This led experts to believe that the cyber criminals behind the Monero miner are scanning for new vulnerable servers on a regular basis. The spread of the threat appears to have slowed significantly at the start of September. The attackers' IP addresses are believed to belong to an Amazon cloud.
While crypto-currencies have certainly been an interesting topic in the past few years, cyber security experts have already revealed how underground hackers use them to aid their fraudulent schemes. Those who follow PC security news closely know that ransomware developers prefer Bitcoin as their primary payment method, and now we've come to a point where malicious users run modified CPU miners to acquire Monero, another crypto-currency, by exploiting the hardware resources of unsuspecting victims. This case once again shows how important it is to keep our software up to date and to run a legitimate and trustworthy anti-malware suite. If we fail to keep those in check, we could end up with a pest much worse than this crypto-currency miner. The good news is that users worldwide are becoming more and more aware of the threats preying on them online and are taking the measures necessary to stay safe.