Monero

Malware that secretly mines Monero is becoming a real-world problem, with the number of distinct incidents growing every week. In the past week alone, three new attacks came to light.

The reason is simple and is the same one given by all security experts who paid close attention to the cryptocurrency market in the past year.

The number of malware campaigns spreading Monero-mining threats grew exponentially with Monero's trading price. As the price rose, the number of new Monero-mining malware reports increased as well.

Excluding cryptojacking incidents (which also mine Monero), some of the Monero-mining malware families we've seen in 2017 include:

• Digmine
• Hexmen
• Loapi
• Zealot
• WaterMiner
• CodeFork
• Bondnet
• Adylkuzz
• CoinMiner
• Linux.BTCMine.26
• Zminer
• DevilRobber
• An unnamed botnet targeting WordPress sites
• An unnamed botnet targeting IIS 6.0 servers
• A Monero miner advertised via Telegram
• Several instances of exploit kits dropping Monero miners [1, 2]

To these, we can add the incidents reported in the first three weeks of 2018, which include the likes of:

• PyCryptoMiner
• RubyMiner
• A group targeting Oracle WebLogic servers

But the year has barely started, and 2018 is primed to be the year of crypto-mining malware. Since our last report on Monero-mining malware (the RubyMiner campaign), things have become worse. Below we'll detail three more campaigns spotted by security researchers in the last week.

Crooks targeting Cleverence Mobile SMARTS servers

Probably the most curious of all is the case of a criminal group infecting Windows computers that run a vulnerable version of the Cleverence Mobile SMARTS Server.

This is a Russian software package that can be used for automating various industrial equipment in shops, warehouses, and various production facilities. The client runs on industrial equipment, and the server runs on a central Windows computer.

Dr.Web researchers say they've recently discovered that crooks were using a zero-day in the Cleverence Mobile SMARTS Server to create an admin account on the computers running these servers.

Crooks would later connect to these computers via RDP and install a Monero miner in the form of a malicious DLL file. The malware came to Dr.Web's attention because it was configured to shut off the processes of various antivirus products before starting the mining operations.

The campaign started in July 2017, and crooks also mined the Aeon cryptocurrency, besides Monero.

Hackers targeting Apache Struts and DotNetNuke servers

Another campaign, spotted last week by Trend Micro, is also targeting servers used by enterprises.

This one is using CVE-2017-5638 (a vulnerability in Apache Struts) and CVE-2017-9822 (a vulnerability in DotNetNuke) to install yet another Monero miner on corporate servers running outdated software.

This group has only recently started its mining operation and, according to Trend Micro, has made only 30 Monero, or approximately $9,500.

Large-scale campaign targeting regular users

Last but certainly not least is a campaign spotted by Palo Alto Networks, which targets regular users instead of enterprises.

Experts say crooks are uploading EXE files modified to include Monero-mining software to well-known file sharing sites.

The crooks are then spamming regular users with links to these files, hoping that some will be careless enough to download and run the malicious EXEs.

Palo Alto puts the number of users who viewed these links at around 30 million but is unable to say how many were infected. Most of the users who viewed the links were from Thailand, Vietnam, Egypt, Indonesia, and Turkey.

For now, things are going as experts predicted at the end of 2017, with cryptocurrency mining malware taking center stage on the malware scene.
