Monero Cryptojacking Malware Targets Higher Education

Published at: Aug. 20, 2020

According to a study published by Guardicore Labs, a malware botnet known as FritzFrog has been deployed to ten millions of IP addresses. The malware has largely targeted governmental offices, educational institutions, medical centers, banks, and telecommunication companies, installing a Monero (XMR) mining app known as XMRig.

Guardicore Labs explains that FritzFrog uses a brute-force attack on millions of addresses to gain access to servers. That’s where an attacker submitting many passwords or passphrases with the hope of eventually guessing correctly.

After it gets in it proceeds to run a separate process named “libexec” to execute XMRig.

“It has successfully breached over 500 SSH servers, including those of known high-education institutions in the U.S. and Europe, and a railway company.”

The cybersecurity firm said that FritzFrog appears to be a one-of-its-kind malware, and that it was a “complicated task” to track it as the connections were hidden within a peer-to-peer (P2P) network.

Ophir Harpaz, a researcher at Guardicore Labs, commented:

“Unlike other P2P botnets, FritzFrog combines a set of properties that makes it unique: it is fileless, as it assembles and executes payloads in-memory. It is more aggressive in its brute-force attempts, yet stays efficient by distributing targets evenly within the network.”

Harpaz recommends choosing strong passwords and using public-key authentication, “which is much safer,” to avoid being attacked successfully by a cryptojacking malware like FritzFrog.

Recently, cybersecurity researchers at Cado Security detected what they believe to be the first-ever stealth crypto mining campaign to steal Amazon Web Services (AWS) credentials, named TeamTNT, which also deploys the XMR mining app.

Tags
Related Posts
Researchers are calling this new malware a triple threat for crypto users
Cybersecurity experts at ESET published an in-depth study about a new malware named “KryptoCibule.” This exploit specifically targets Windows users with three methods of attack, including by installing a crypto mining app, directly stealing crypto wallet files, and replacing copy/pasted wallet addresses as a means to hijack individual transactions. According to the cybersecurity firm, KryptoCibule’s developers rely on the Tor network and BitTorrent protocol to coordinate the attacks. The malware’s original incarnation first appeared in December 2018. At that time, it was merely a Monero mining utility that quietly harvested user’s system resources to generate the currency. By February 2019, …
Technology / Sept. 2, 2020
Browser-based cryptojacking is back as attacks spike 163%
The crypto price surge since March has been accompanied by a wave of cryptojacking attacks according to new research published by cybersecurity firm Symantec. According to the company there was a 163% increase in browser-based cryptojacking activity in the second quarter of 2020. Cryptojacking had previously been in a steep decline from March 2019 due to the shutdown of the mining script maker, CoinHive. Symantec points out the increase in the last quarter coincided with a surge in the value of Bitcoin (BTC) and Monero (XMR), two cryptocurrencies often mined by the threat actors that rely on browser-based cryptojacking malware. …
Technology / Aug. 26, 2020
California University Pays Million-Dollar Crypto Ransom
The University of California at San Francisco School of Medicine reportedly paid a $1.14 million ransom in cryptocurrencies to the hackers behind a ransomware attack on June 1. According to CBS San Francisco, the UCSF IT staff first detected the security incident, stating that the attack launched by NetWalker group affected “a limited number of servers in the School of Medicine.” Although the areas were isolated by experts from the internal network, the hackers left the servers inaccessible and managed to deploy the ransomware successfully. A statement published by the University of California said: “The data that was encrypted is …
Technology / June 30, 2020
Celebrities May Have Their Dirty Secrets Exposed if Crypto Ransom Is Unpaid
The REvil ransomware gang says that they will auction over 1TB of data stolen from New York-based entertainment law firm, Grubman Shire Meiselas & Sacks. This data allegedly contains the “dirty” secrets of a number of celebrities. REvil claims that the contents involve sex scandals, drugs, and treachery. Nicki Minaj, LeBron James, and Mariah Carey among the alleged victims In a blog post, the ransomware group says they will begin the auction on July 1, noting that the first round will contain information from Nicki Minaj, Mariah Carey, and LeBron James. The price for each dataset is $600,000. Two days …
Technology / June 24, 2020
Someone Has Been on a $200M Crypto Exchange Hacking Spree
A cybercriminal group has allegedly stolen around $200 million from cryptocurrency exchanges over the past two years. In total, they are believed to have hit 10 - 20 victims across the United States, the Middle East, and Asia. According to research by the cybersecurity firm ClearSky, the gang named “CryptoCore,” known with other pseudonyms like “Dangerous Password” and “Leery Turtle,” has been actively targeting crypto firms since 2018 — specifically exchanges. Source: ClearSky They confirmed that CryptoCore stole $200 million from at least five victims, several of whom were located in Japan. Between 10-20 additional companies could be affected The …
Technology / June 24, 2020