1,000 Corporate Systems Infected With Monero Mining Malware

Published at: May 27, 2020

The Blue Mockingbird malware gang has infected more than 1,000 business systems with Monero mining malware since December 2019.

The global scale of the hacker group’s operations was revealed by cloud security firm Red Canary on May 26.

The report outlined the group’s methodology. The malware attacks servers running ASP.NET applications and exploits a vulnerability to install a web shell on the attacked computer and obtain administrator-level access to modify the server settings.

Next, the cybercriminals install the XMRRig application to take advantage of the resources of the infected machines. Most of the infected computers belong to large companies, though Red Canary did not reveal any names.

Remote Desktop Protocol’s vulnerabilities 

As with recent ransomware attacks using Trojans, criminals took advantage of the weakness of the Remote Desktop Protocol in Windows to penetrate systems.

The report highlights that although it is difficult to quantify the total number of infections, these attacks occurred in a relatively short amount of time.

Red Canary also warns that companies that believe themselves to be safe from such attacks are actually at high risk of their security being breached by the malware infection.

Speaking with Cointelegraph, Brett Callow, threat analyst at malware lab Emsisoft, commented on the current vulnerabilities of systems to such attacks:

“Cybercriminals specifically seek out weaknesses in the internet-facing systems and, when found, exploit them. Companies can significantly reduce their risk factor by following well-established best practices such as timely patching, using MFA, disabling PowerShell when not needed, etc. If those best practices are not adhered to and the internet-facing servers are left vulnerable, it’s significantly more likely that a company will experience a crypto-mining, ransomware, data exfiltration or other security event.”

Recent XMRRig-related attacks

The use of the XMRRig app for unauthorized crypto-mining is a recent phenomenon that has been used by various groups of hackers.

Cointelegraph reported in November 2019 that a malware targeted vulnerable Docker instances to deploy the Monero mining app.

In the same year, reports published by the cybersecurity companies Symantec and BlackBerry Cylance warned about the injection of the XMRRig app into computers through music files.

Tags
Related Posts
Botnet Exploits SQL Servers to Install Crypto Mining App
Recent reports revealed that a group of hackers behind the Kingminer botnet targeted vulnerable Microsoft SQL server databases to mine cryptocurrencies at some point in the second week of June. According to the cybersecurity firm Sophos, the attackers used the botnet, active since 2018, to exploit the BlueKeep and EternalBlue vulnerabilities, by also accessing through a trojan known as Gh0st, which relies on a remote access malware. Once the SQL server database is infected, the botnet installs a well-known crypto miner software called XMRig, which mines Monero (XMR). There are no details as of press time regarding how many systems …
Altcoin / June 10, 2020
Researchers Find Monero Mining Malware That Hides From Task Manager
Cybersecurity company Varonis has discovered a new cryptojacking virus, dubbed “Norman,” that aims to mine the cryptocurrency Monero (XMR) and evade detection. Varonis published a report about Norman on Aug.14. According to the report, Varonis found Norman as one of many cryptojacking viruses deployed in an attack that infected machines at a mid-size company. Hackers and cybercriminals deploy cryptojacking hardware to use the computing power of unsuspecting users’ machines to mine cryptocurrencies like the privacy oriented coin Monero. Norman in particular is a crypto miner based on XMRig, which is described in the report as a high-performance miner for Monero …
Altcoin / Aug. 14, 2019
Trend Micro: Outlaw Hacking Group’s Botnet Is Now Spreading a Monero Miner
Cybersecurity company Trend Micro claims to have detected a web address spreading a botnet featuring a monero (XMR) mining component alongside a backdoor. The malware was described on Trend Micro’s official blog on June 13. Per the report, the firm attributes the malware to Outlaw Hacking Group, as the techniques employed are almost the same used in its previous operations. The software in question also holds Distributed Denial of Service (DDoS) capabilities, “allowing the cybercriminals to monetize their botnet through cryptocurrency mining and by offering DDoS-for-hire services.” Trend Micro also believes that the creators of the malware in question are …
Altcoin / June 13, 2019
Despite Bear Market, Crypto Mining Malware Tops Threat Index for 13th Month Running
Three strains of crypto mining malware have topped the latest Global Threat Index from Israeli cybersecurity firm Check Point, according to a press release published on Jan. 14. Check Point Software Technologies Ltd. is a security solution provider for governments and enterprises globally, with over 100,000 organizations reported to be currently using its security management system. As reported, stealth crypto mining attacks — also known as cryptojacking — work by installing malware that uses a computer’s processing power to mine for cryptocurrencies without the owner’s consent or knowledge. According to Check Point’s Global Threat Index for December 2018, the top …
Altcoin / Jan. 14, 2019
Cybercriminals Sneak in Crypto Mining Malware via Confluence Software Exploit
Cybercriminals are now reportedly exploiting known vulnerability CVE-2019-3396 in the software Confluence, a workspace productivity tool made by Atlassian, according to a report by security intelligence firm Trend Micro Inc. on May 7. The exploit that has been developed allows cybercriminals to stealthily install and run a monero (XMR) miner on a vulnerable computer, as well as covering up the mining activity by using a rootkit to hide the malware’s network activity and toll on the host’s central processing unit (CPU). According to an Atlassian security advisory, the vulnerability in question only applies to some older versions of Confluence. The …
Altcoin / May 7, 2019