
NuggetPhantom Malware

The NuggetPhantom Malware is a cryptocurrency-mining Trojan that hijacks the infected device's resources for generating money for the attacker. Its campaigns tend to focus on Chinese institutions with an emphasis on long-term stealth and persistence. Users suspecting infections should scan their systems with appropriate security solutions for removing the NuggetPhantom Malware and check for unwanted processes, files, programs and settings changes.

Just a Nugget of a Computer Crime

Much like the last chicken nugget lost in the corner of the box, a well-designed, stealthy Trojan can be similar in substance to more-noticeable ones while users' eyes pass right over it. The NuggetPhantom Malware is a cryptocurrency-mining Trojan with well-analyzed attacks and capabilities as of 2018 and is similar in its goals to threats like Lemon_Duck or PCASTLE. However, its threat actor places significant emphasis on remaining undetectable, typical of more-professional, China-oriented hackers.

The NuggetPhantom Malware's threat actor's prominent attacks include multiple excursions against workers and residents at Tianyi College or Campus, following a 'target the least resistant' philosophy. The attackers searched for systems, particularly those with less-professional setups, that might be at risk from an EternalBlue attack – a well-known, public vulnerability that impacts Microsoft's SMB protocol. This entry method depends on the user being slow to apply security patches to their device.

The attacker installs the NuggetPhantom Malware through this backdoor, with multiple precautions for preventing any alarms from security services. For example, the downloaded components are encrypted and remain so until the loader decrypts them in memory dynamically. The configuration of the cryptocurrency-mining routine – generating money for the attacker through the infected device's resources – is also unlikely to ramp up to high levels and alert the user. This philosophy is at odds with mining Trojans elsewhere globally, which may prefer maximizing their output in a limited window, potentially also causing hardware damage or notifying the victim.

Taking the Phantom Out of a PC

The NuggetPhantom Malware is modular and can add or subtract features according to its threat actor's preferences. Since the NuggetPhantom Malware has a strong affiliation with a China-based hacking group, malware experts recommend that members of vulnerable organizations in that region remain alert to all symptoms and vulnerabilities. Applying patches that close off the EternalBlue vulnerability and countless attacks like it will keep most users sufficiently protected from current infection vectors.
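The patch advice above can be turned into a quick audit. The following PowerShell script is an added example, not code from the original article or from any vendor, and it checks the two conditions an EternalBlue-style intrusion needs on a Windows host: SMBv1 still enabled and the MS17-010 fix absent. It assumes an elevated session on Windows 8 / Server 2012 or later for Get-SmbServerConfiguration and Get-NetTCPConnection (older hosts fall back to the LanmanServer registry value), and the KB list is the set of original March 2017 MS17-010 hotfix IDs; later cumulative updates supersede them, so their absence alone does not prove the host is unpatched, which is why the SMBv1 state is treated as the decisive signal.

```powershell
# Added example (not from the original article): audit a Windows host for the exposure
# the NuggetPhantom operators looked for - SMBv1 reachable and MS17-010 missing.
# Run in an elevated PowerShell session.

# Original MS17-010 hotfix IDs (March 2017). Later cumulative updates supersede these,
# so absence here is only a weak signal; the SMBv1 state below is the decisive one.
$Ms17010Kbs = @('KB4012212','KB4012213','KB4012214','KB4012215',
                'KB4012216','KB4012217','KB4012606','KB4013198','KB4013429')

function Get-Smb1Status {
    # Server-side SMBv1 state. Get-SmbServerConfiguration exists on Windows 8 / 2012+;
    # on older systems read the LanmanServer parameter directly (missing value = enabled).
    $cmd = Get-Command Get-SmbServerConfiguration -ErrorAction SilentlyContinue
    if ($cmd) {
        return [bool](Get-SmbServerConfiguration).EnableSMB1Protocol
    }
    $key = 'HKLM:\SYSTEM\CurrentControlSet\Services\LanmanServer\Parameters'
    $val = Get-ItemProperty -Path $key -Name SMB1 -ErrorAction SilentlyContinue
    if ($null -eq $val) { return $true }
    return [bool]$val.SMB1
}

function Test-Ms17010Hotfix {
    # True if any of the original MS17-010 KBs is listed by Get-HotFix.
    $installed = Get-HotFix | Select-Object -ExpandProperty HotFixID
    return [bool]@($installed | Where-Object { $Ms17010Kbs -contains $_ }).Count
}

function Get-Smb445Listener {
    # Is anything listening on TCP/445? EternalBlue needs a reachable SMB service.
    Get-NetTCPConnection -LocalPort 445 -State Listen -ErrorAction SilentlyContinue
}

$smb1     = Get-Smb1Status
$hotfix   = Test-Ms17010Hotfix
$listener = Get-Smb445Listener

$verdict = 'SMBv1 off'
if ($smb1 -and -not $hotfix) { $verdict = 'EXPOSED: disable SMBv1 and apply MS17-010 / current cumulative update' }
elseif ($smb1)               { $verdict = 'SMBv1 still enabled: disable it' }

[pscustomobject]@{
    Host              = $env:COMPUTERNAME
    SMB1Enabled       = $smb1
    MS17010HotfixSeen = $hotfix
    Port445Listening  = [bool]$listener
    Verdict           = $verdict
} | Format-List

# Remediation (uncomment to apply): turn SMBv1 off server-side and remove the feature.
# Set-SmbServerConfiguration -EnableSMB1Protocol $false -Force
# Disable-WindowsOptionalFeature -Online -FeatureName SMB1Protocol -NoRestart
```

Run it across a fleet with Invoke-Command and collect the objects; any host reporting SMB1Enabled = True with port 445 listening is the kind of "least resistant" target the article describes, regardless of what the hotfix column says.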

The NuggetPhantom Malware infections include a backdoor function for contacting the attacker's C&C server. Although malware experts only confirm its use for providing cryptocurrency-mining configurations, this group could expand the NuggetPhantom Malware's purpose and features at will. Disconnecting infected devices from the internet (and all other devices) is always an appropriate first step in countering these attacks.

Besides updating their software, users also can protect themselves by installing security products that detect threats related to illicit mining activities. Most classical anti-malware services should remove the NuggetPhantom Malware, assuming that new Trojan releases aren't custom for evading their current databases.
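Because the article notes that this miner deliberately keeps its CPU usage low enough to avoid alerting the user, a signature-based scan is not the only check worth running. The PowerShell script below is an added example, not code from the original article or from any security vendor: it samples per-process CPU over a window, keeps only processes whose usage stays in a flat, modest band for every sample, and reports their Authenticode signature status and established TCP peers so an analyst can prioritise unsigned steady consumers. The thresholds, sample count and interval are assumptions to tune to the host's normal workload; Get-AuthenticodeSignature and Get-NetTCPConnection are standard cmdlets on Windows 8 / Server 2012 and later.

```powershell
# Added example (not from the original article): find processes that quietly burn a
# modest, steady share of CPU - the throttled profile the text attributes to NuggetPhantom -
# and report whether their image is signed. Thresholds are assumptions; tune them.

param(
    [int]$Samples     = 6,     # number of CPU samples
    [int]$IntervalSec = 10,    # seconds between samples
    [double]$MinPct   = 5,     # below this is idle noise
    [double]$MaxPct   = 60     # above this a user would notice anyway
)

$cores = [Environment]::ProcessorCount

function Get-CpuSnapshot {
    # Map PID -> cumulative CPU seconds for every process we are allowed to read.
    $snap = @{}
    foreach ($p in Get-Process -ErrorAction SilentlyContinue) {
        if ($null -ne $p.CPU) { $snap[$p.Id] = $p.CPU }
    }
    return $snap
}

function Find-SteadyCpuProcess {
    $history = @{}          # PID -> array of per-interval CPU percentages
    $prev = Get-CpuSnapshot
    for ($i = 0; $i -lt $Samples; $i++) {
        Start-Sleep -Seconds $IntervalSec
        $cur = Get-CpuSnapshot
        foreach ($id in $cur.Keys) {
            if (-not $prev.ContainsKey($id)) { continue }
            # CPU seconds consumed in the interval, normalised to all cores.
            $pct = ($cur[$id] - $prev[$id]) / ($IntervalSec * $cores) * 100
            if (-not $history.ContainsKey($id)) { $history[$id] = @() }
            $history[$id] += [math]::Round($pct, 1)
        }
        $prev = $cur
    }

    foreach ($id in $history.Keys) {
        $vals = $history[$id]
        if ($vals.Count -lt $Samples) { continue }      # did not live through the whole window
        $inBand = @($vals | Where-Object { $_ -ge $MinPct -and $_ -le $MaxPct }).Count
        if ($inBand -ne $Samples) { continue }          # bursty or idle, not "low and slow"

        $proc = Get-Process -Id $id -ErrorAction SilentlyContinue
        if (-not $proc) { continue }
        $path = $proc.Path
        $sig  = 'NoPath'
        if ($path) { $sig = (Get-AuthenticodeSignature -FilePath $path).Status }
        $conns = @(Get-NetTCPConnection -OwningProcess $id -State Established -ErrorAction SilentlyContinue)

        [pscustomobject]@{
            PID         = $id
            Name        = $proc.ProcessName
            Path        = $path
            Signature   = $sig
            AvgCpuPct   = [math]::Round(($vals | Measure-Object -Average).Average, 1)
            Samples     = ($vals -join ',')
            RemotePeers = ($conns | ForEach-Object { "$($_.RemoteAddress):$($_.RemotePort)" }) -join ' '
        }
    }
}

# Unsigned or unverifiable images with a flat CPU profile deserve the first look;
# a signed miner is possible, but an unsigned steady consumer is the cheaper lead.
Find-SteadyCpuProcess | Sort-Object Signature, AvgCpuPct -Descending | Format-Table -AutoSize
```

A hit here is a lead, not a verdict: confirm it by checking the image's path and publisher, the parent process, and whether the remote peers are known mining pools or the C&C infrastructure the article mentions, then isolate the host before removing anything, as the article recommends.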

The NuggetPhantom Malware is an easily-explainable case of criminals wanting money with as little noise or attention as possible. Not every hacker wants to be famous – some, like this Trojan's operators, want to make it to payday.

