Trend Micro Detects Major Uptick in New Strain of XMR Malware Targeting China-Based Systems

Published at: June 6, 2019

Cybersecurity firm Trend Micro has detected a major uptick in monero (XMR) cryptojacking malware targeting China-based systems this spring. The news was revealed in an official Trend Micro announcement on June 5.

As previously reported, cryptojacking is an industry term for stealth crypto mining attacks that work by installing malware that uses a computer’s processing power to mine for cryptocurrencies without the owner’s consent or knowledge.

The XMR-focused malware — which wields malicious PowerShell scripts for illicit mining activities on Microsoft-based systems — reportedly surged against Chinese targets in mid-May. Hitting a peak on May 22, the wave of cryptojacking attacks has since ostensibly steadied, according to Trend Micro. China accounted for 92% of the firm’s detections of the new strain.

In an analysis of the attacks, the cybersecurity firm identified that this latest campaign resembles a previous wave of activities that used an obfuscated PowerShell script (dubbed “PCASTLE”) to deliver XMR-mining malware. The earlier campaign, by contrast, targeted a host of different countries — notably Japan, Australia, Taiwan, Vietnam, Hong Kong and India.

Trend Micro’s report describes in detail how the malware’s infection chain functions, and notes that while the campaign is focused on one geographic area, it seems to be indiscriminate in terms of industry. Trend Micro also notes that alongside their cross-industry target field, the attackers’:

“Use of XMRig as their payload’s miner module is [...] not surprising. Algorithms for Monero mining are not as resource-intensive compared to other miners, and don’t require a lot of processing power. This means they can illicitly mine the cryptocurrency without alerting users unless they notice certain red flags like performance issues.”

In its conclusion, Trend Micro notes that even while the motivations behind the attackers’ focus on China remain unclear, the campaign demonstrates that fileless malware techniques represent a persistent threat — one of the most prevalent in the current landscape, according to the firm.

As reported earlier this month, Trend Micro also detected a malware dubbed BlackSquid that infects web servers by employing eight different security exploits and installs XMRig monero Central Processing Unit-based mining software.

Tags
Related Posts
Researchers Uncover Threat of ‘Unusual’ Virtual Machine Crypto Mining
Cybersecurity firm ESET has detected what it describes as an unusual and persistent cryocurrency miner distributed for macOS and Windows since August 2018. The news was revealed in a report from ESET Research published on June 20. According to ESET, the new malware, dubbed “LoudMiner,” uses virtualization software — VirtualBox on Windows and QEMU on macOS — to mine crypto on a Tiny Core Linux virtual machine, thus having the potential to infect computers across multiple operating systems. The miner itself reportedly uses XMRig — an open-source software used for mining privacy-focused altcoin monero (XMR) — and a mining pool, …
Altcoin / June 24, 2019
Trend Micro: Outlaw Hacking Group’s Botnet Is Now Spreading a Monero Miner
Cybersecurity company Trend Micro claims to have detected a web address spreading a botnet featuring a monero (XMR) mining component alongside a backdoor. The malware was described on Trend Micro’s official blog on June 13. Per the report, the firm attributes the malware to Outlaw Hacking Group, as the techniques employed are almost the same used in its previous operations. The software in question also holds Distributed Denial of Service (DDoS) capabilities, “allowing the cybercriminals to monetize their botnet through cryptocurrency mining and by offering DDoS-for-hire services.” Trend Micro also believes that the creators of the malware in question are …
Altcoin / June 13, 2019
Researchers are calling this new malware a triple threat for crypto users
Cybersecurity experts at ESET published an in-depth study about a new malware named “KryptoCibule.” This exploit specifically targets Windows users with three methods of attack, including by installing a crypto mining app, directly stealing crypto wallet files, and replacing copy/pasted wallet addresses as a means to hijack individual transactions. According to the cybersecurity firm, KryptoCibule’s developers rely on the Tor network and BitTorrent protocol to coordinate the attacks. The malware’s original incarnation first appeared in December 2018. At that time, it was merely a Monero mining utility that quietly harvested user’s system resources to generate the currency. By February 2019, …
Technology / Sept. 2, 2020
Interpol Collaborates With Cybersecurity Firm to Tackle Cryptojacking
Interpol has collaborated with cybersecurity firm Trend Micro to reduce cryptojacking affecting MikroTik routers across South-East Asia, according to a Jan. 8 press release. Though the collaboration reduced the number of affected devices by 78 percent, this is unlikely to have made a significant impact on mining hashrate. Cryptojacking is a malicious practice where attackers infect common devices with crypto mining malware, utilizing the victim’s resources to mine cryptocurrency. Cybersecurity firm Trend Micro collaborated with Interpol’s Global Complex for Innovation, based in Singapore, to sanitize MikroTik routers infected with mining malware. As part of the “Operation Goldfish Alpha,” Trend Micro …
Altcoin / Jan. 9, 2020
Cybercriminals Sneak in Crypto Mining Malware via Confluence Software Exploit
Cybercriminals are now reportedly exploiting known vulnerability CVE-2019-3396 in the software Confluence, a workspace productivity tool made by Atlassian, according to a report by security intelligence firm Trend Micro Inc. on May 7. The exploit that has been developed allows cybercriminals to stealthily install and run a monero (XMR) miner on a vulnerable computer, as well as covering up the mining activity by using a rootkit to hide the malware’s network activity and toll on the host’s central processing unit (CPU). According to an Atlassian security advisory, the vulnerability in question only applies to some older versions of Confluence. The …
Altcoin / May 7, 2019