The criminal group behind previous campaigns that spread the VenusLocker ransomware has now switched its focus to delivering a Monero cryptocurrency miner instead.
The switch is not a surprise. Monero price has gone from $132 on November 21 to $457 today, December 21. That's 3.4 times the price from a month ago.
In the past month, we've seen various cybercriminal campaigns switch their focus to delivering Monero miners —Zealot, Hexmen, Loapi, and this week's massive brute-force attack wave that hit WordPress sites— and we expect to see more such attacks as Monero's price continues to rise and gives attackers more reasons to hoard Monero.
The malware distribution campaign originating from the VenusLocker crew only targets South Korean users, for the time being, according to Joie Salvio, security researcher at Fortinet's FortiGuard Labs.
Salvio reported on a spam campaign that targeted users via a fake data breach alert for a South Korean online garment seller. The spam emails contained a file attachment, an archive hiding a malicious EXE file.
Hiding EXE files in archive files is nothing new, but this particular campaign stood out because the archive format was EGG, a proprietary file format popular in South Korea only. Most antivirus engines on VirusTotal are not able to decompress the EGG archive and spot the malware within.
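The defensive lesson from the EGG trick is that a mail gateway should triage attachments by their real container format, not by file extension, and should not let through a container it cannot open. The following is an added example (not code from the article or from Fortinet) of such a check: it identifies the container by its leading bytes, flags name/content mismatches, refuses archives the hypothetical scanner cannot unpack, and, for ZIPs it can open, lists executable members. The header signatures are taken from the public format descriptions (EGG files begin with the ASCII bytes "EGGA"); the set of scannable formats and every sample attachment are constructed for the demonstration and are not artifacts from the campaign.

```python
import io
import zipfile

# Leading bytes -> container format. Values follow the public format
# descriptions; "EGGA" is the ESTsoft EGG archive header, "ALZ\x01" its
# predecessor ALZ, the rest are common formats shown for contrast.
MAGIC = {
    b"EGGA": "egg",
    b"ALZ\x01": "alz",
    b"PK\x03\x04": "zip",
    b"7z\xbc\xaf\x27\x1c": "7z",
    b"Rar!\x1a\x07": "rar",
}

# Assumption: the formats our (hypothetical) gateway scanner can unpack.
SCANNABLE = {"zip", "7z", "rar"}

# Member extensions that should never arrive inside a mail attachment.
EXECUTABLE_EXT = {"exe", "scr", "com", "pif", "js", "vbs", "hta"}


def identify(data: bytes) -> str:
    """Return the container format implied by the leading bytes."""
    for sig, name in MAGIC.items():
        if data.startswith(sig):
            return name
    return "unknown"


def zip_executables(data: bytes) -> list:
    """Names of ZIP members whose extension marks them as executable."""
    try:
        with zipfile.ZipFile(io.BytesIO(data)) as zf:
            return [n for n in zf.namelist()
                    if n.rsplit(".", 1)[-1].lower() in EXECUTABLE_EXT]
    except zipfile.BadZipFile:
        return []


def triage(filename: str, data: bytes) -> dict:
    """Decide what to do with one attachment based on its real format."""
    fmt = identify(data)
    ext = filename.rsplit(".", 1)[-1].lower() if "." in filename else ""
    result = {
        "format": fmt,
        "extension": ext,
        # A .zip name over EGG bytes (or vice versa) is itself suspicious.
        "ext_mismatch": fmt != "unknown" and fmt != ext,
    }
    if fmt == "unknown":
        result["action"] = "scan_as_is"
    elif fmt not in SCANNABLE:
        # The scanner cannot look inside; an unreadable container is not
        # a clean container, so hold it rather than pass it.
        result["action"] = "quarantine_unscannable_archive"
    elif fmt == "zip" and zip_executables(data):
        result["action"] = "block_executable_in_archive"
        result["members"] = zip_executables(data)
    else:
        result["action"] = "scan_contents"
    return result


def build_zip(members: dict) -> bytes:
    """Construct an in-memory ZIP for the samples below."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        for name, body in members.items():
            zf.writestr(name, body)
    return buf.getvalue()


# Constructed samples; the EGG ones are a bare header plus padding.
SAMPLES = {
    "breach_notice.egg": b"EGGA" + bytes(28),
    "breach_notice.zip": build_zip({"breach_notice.exe": b"MZ" + bytes(62)}),
    "price_list.zip": build_zip({"price_list.csv": b"item,price\n"}),
    "report.zip": b"EGGA" + bytes(28),  # EGG content under a .zip name
}

if __name__ == "__main__":
    for name, data in SAMPLES.items():
        print(name, triage(name, data))
```

The point of the `quarantine_unscannable_archive` branch is the one the campaign exploited: a scanner that cannot decompress a format tends to report "nothing found", which is not the same as "clean". Treating an unopenable container as a hold-for-review event closes that gap without needing EGG support in every engine.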
The EXE installed XMRig, a legitimate Monero mining application, but pre-configured to mine funds for the VenusLocker crew.
Under normal circumstances, it's very hard for security firms to identify when cyber-criminal operations switch malware payloads. This time, Salvio says they were able to tie the Monero miner to past VenusLocker ransomware installers because the miner EXE had almost identical metadata and the same target paths as previous VenusLocker binaries.
The group's change of operations is not a surprise for Bleeping Computer. The VenusLocker ransomware was never at the center of mass distribution campaigns, and it never infected enough users to become profitable.
The ransomware was first spotted in early August 2016, made a short comeback in early December 2016, and then attempted to rebrand twice —as LLTP Ransomware and Trump Locker— before disappearing for good.
Overall, the ransomware was simplistic, being just another run-of-the-mill ransomware strain based on the Hidden Tear open-source ransomware kit.