Comments: Gresham's Law thesis is back - Malware bid to oust honest miners in Monero


The Varonis Security Research team recently investigated an ongoing cryptomining infection that had spread to nearly every device at a mid-size company. Analysis of the collected malware samples revealed a new variant, which the team dubbed “Norman”, that uses various techniques to hide and avoid discovery. We also discovered an interactive web shell that may be related to the mining operators.

Research Overview

* We found a large-scale infection of cryptominers; almost every server and workstation in the company was infected.

* Since the initial infection, which took place over a year ago, the number of variants and infected devices grew.

* Norman employs evasion techniques to hide from analysis and avoid discovery.

* Most of the malware variants relied on DuckDNS (a free, Dynamic DNS service). Some needed it for command and control (C&C) communications, while others used it to pull configuration settings or to send updates.

* Norman is an XMRig-based cryptominer, a high-performance miner for Monero cryptocurrency.

* We have no conclusive evidence that connects the cryptominers to the interactive PHP Shell. However, we have strong reason to believe they originate from the same threat actor. We make a case whether they may or may not be connected.

* We provide tips for defending against remote web shells and cryptominers.

The Investigation
The investigation began during an ...

Posted by Varonis Uncovers New Malware Strains and a Mysterious Web Shell During a Monero Cryptojacking Investigation at August 16, 2019 04:00 AM

Ukrainian authorities are investigating a potential security breach at a local nuclear power plant after employees connected parts of its internal network to the internet so they could mine cryptocurrency.

The investigation is being led by the Ukrainian Secret Service (SBU), who is looking at the incident as a potential breach of state secrets due to the classification of nuclear power plants as critical infrastructure.

Investigators are examining if attackers might have used the mining rigs as a pivot point to enter the nuclear power plant's network and retrieve information from its systems, such as data about the plant's physical defenses and protections.

According to authorities, the incident took place in July at the South Ukraine Nuclear Power Plant, located near the city of Yuzhnoukrainsk, in southern Ukraine.

It's unknown how the scheme was discovered, but on July 10 the SBU raided the nuclear power plant, from where it seized computers and equipment specifically built for mining cryptocurrency.

This equipment was found in the power plant's administration offices, and not on its industrial network.

Confiscated equipment included two metal cases containing basic computer parts, but with additional power supplies, coolers, and video cards. According to court documents [1, 2], one case held six Radeon RX 470 GPU video cards, and the second five.

Further, the SBU also found and seized additional equipment [1, 2] that looked like mining rigs in the building used as barracks by a military unit of the National Guard of Ukraine, tasked with guarding the power plant.

Posted by Employees connect nuclear plant to the internet so they can mine cryptocurrency at August 23, 2019 10:35 AM

Employees at the Russian Federation Nuclear Center have been arrested on suspicion of using supercomputers at the facility to mine cryptocurrency. .... The Sarov-based nuclear facility, also known as the All-Russian Research Institute of Experimental Physics (RFNC-VNIIEF), focuses on enhancing nuclear weaponry at the computational and theoretical levels. ....

As none of the facility's systems, including its 1-petaflop capable supercomputer which was powered up in 2011, are meant to be connected to the Internet due to the research involved, once the engineers allegedly attempted to connect to the web for mining, the scheme was exposed.

"Similar attempts have recently been registered in a number of large companies with large computing capacities, which will be severely suppressed at our enterprises, this is technically a hopeless and criminal offense," Zalesskaya added. ....

Posted by Russian Nuclear Center engineers arrested for using supercomputers to mine cryptocurrency at August 23, 2019 10:38 AM

It has been reported the Australian Federal Police (AFP) is investigating two Bureau of Meteorology (BOM) staff over allegations they were using the bureau's equipment to mine for cryptocurrency.

Posted by Bureau of Meteorology staff questioned by AFP over cryptocurrency mining: Report at August 23, 2019 10:39 AM

As their value rises, virtual currencies such as Bitcoin or Monero are becoming attractive to Romanians too. ...

Posted by Romanian National Research Institute for Nuclear Physics and Engineering was also caught mining cryptocurrency at work at August 23, 2019 10:45 AM

Between March and July 2019, Paige Thompson accessed at least 30 institutions’ servers managed by an unnamed cloud computing company, compromising at least 100 million customer accounts, according to a release published Wednesday. While there is no indication Thompson attempted to sell this information, she did use stolen computing power to mine cryptocurrencies.

Posted by Capital One Hacker Used Stolen Computing Power to Mine Crypto at September 1, 2019 01:26 PM

... Denis Baykov was handed the penalty by a jurisdictional city court for accessing the lab’s supercomputer to illegally mine the world’s top cryptocurrency by market valuation.

Located in Sarov, Russia, the top-secret lab was where the first Soviet nuclear bombs were manufactured in the late 1940s. It remains home to some of Russia’s most powerful computers.

The mining trio was first exposed last February and promptly handed over to the Federal Security Service. ....

Court verdicts for the other two scientists have not yet been reached.

Posted by Russian Nuclear Scientist Gets $7,000 Fine for Mining Bitcoin at Work at October 1, 2019 10:32 AM

Confirmed infections reported in UK, Germany and Switzerland...

Posted by Supercomputers hacked across Europe to mine cryptocurrency at May 18, 2020 07:00 AM

Dogecoin’s moment didn’t end with TikTok or Elon Musk. Instead, hackers have started using the meme cryptocurrency to control mining malware.
By Shaurya Malwa
Jul 29, 2020

In brief
* Dogecoin is now being used by hackers to maintain a crypto-mining botnet.
* Attackers are accessing APIs with DOGE wallets to mask their location.
* The attack is still ongoing.

Meme coin Dogecoin is being used by hackers to control Monero-mining malware on Linux operating systems, said security firm Intezer Labs yesterday.

When Intezer Labs was analyzing a relatively new backdoor trojan virus, called Doki, it found an old attacker was using it to direct mining malware on public web servers.

Posted by Hackers are now using Dogecoin to infiltrate computers at July 30, 2020 06:52 AM

Key Findings
* Ngrok Mining Botnet is an active campaign targeting exposed Docker servers in AWS, Azure, and other cloud platforms. It has been active for at least two years.
* We have detected a recent attack which includes a completely undetected Linux malware and a previously undocumented technique, using a blockchain wallet for generating C&C domain names.
* Anyone with publicly open Docker API access is at high risk of being hacked within the span of just a few hours. This is probably due to the hackers’ automated and continuous internet-wide scanning for vulnerable victims.
* The new malware, dubbed “Doki”, hasn’t been detected by any of the 60 malware detection engines in VirusTotal since it was first analyzed on January 14, 2020.
* The attacker is using the infected victims to search for additional vulnerable cloud servers.


Posted by Watch Your Containers: Doki Infecting Docker Servers in the Cloud at July 30, 2020 06:57 AM

A new Microsoft report states that India encounters the second-highest number of cryptojacking incidents in the APAC region.

Cryptojackers are hitting pay dirt in India, according to Microsoft's newly released Security Endpoint Threat Report 2019.

The report states that web users in India encounter crypto mining malware attacks at a rate 4.6 times higher than the regional and global average. India experiences the second-largest number of cryptocurrency mining attacks in the Asia Pacific region, lagging only behind Sri Lanka.

A cryptocurrency mining attack, commonly called cryptojacking, is an attack where hackers secretly install cryptocurrency mining malware on someone else's computer to use its computing power to mine cryptocurrencies.

Posted by Cryptojacking Almost 5 Times More Prevalent in India Than Global Average at July 30, 2020 07:01 AM