Security experts from PaloAlto Networks have uncovered a large-scale crypto-currency mining operation active for over 4 months. Experts believe the activity involved around 30 million systems worldwide to mine the Monero cryptocurrency using the open-source XMRig utility.
The threat actors used VBS files and URL shortening services to deploy the mining tool, the most commonly hit countries are Thailand (3,545,437), Vietnam (1,830,065), and Turkey (665,058).
“Palo Alto Networks Unit 42 has observed a large-scale cryptocurrency mining operation that has been active for over 4 months. The operation attempts to mine the Monero cryptocurrency using the open-source XMRig utility,” states PaloAlto networks.
“Based on publicly available telemetry data via bitly, we are able to estimate that the number of victims affected by this operation is roughly around 15 million people worldwide.”
The analysis of data from the Bit.ly URL shortening service revealed that at least 15 million people were impacted by the campaign.
Hackers also used the Adf.ly URL shortening service that remunerates users when someone clicks on the link. When users clicked on these Adf.ly URLs, they were redirected and found themselves downloading the crypto-currency mining malware instead.
The Monero cryptocurrency mining operation is huge, researchers detected over 250 unique Microsoft Windows PE files, most of them were downloaded from online cloud storage provider 4sync.
The files have generic names and appear to originate from popular looking file-sharing services.
The miner used in this Monero cryptocurrency mining operation execute XMRig mining software via VBS files, and leverages XMRig proxy services to hide the ultimate mining pool destination.
Researchers also noticed that threat actors use the Nicehash marketplace to trade hashing processing power.
According to the experts from PaloAlto the date October 20, 2017, was a milestone in this operation. Before October 20, 2017, the attackers were using the Windows built-in BITSAdmin tool to download the XMRig mining tool from a remote location. Apart from a few exceptions, the final payload was primarily installed with the filename ‘msvc.exe’.
After October 20, 2017, the experts observed attackers started using HTTP redirection services.
Since November 16, 2017, threat actors stopped using the SFX files and adopted executables compiled in Microsoft .NET Framework.
“Beginning on November 16, 2017, the attackers yet again changed tactics regarding their malware. They no longer made use of SFX files, but instead transitioned to using an executable file compiled in Microsoft .NET Framework that would write a VBS file to disk and modify the victim’s Run registry key to ensure persistence.” continues the analysis.
“The last changes we’ve seen took place in late December 2017, when the attackers yet again changed the dropper that was used to deploy the malware. Moving away from .NET, they instead create the necessary VBS file using a dropper compiled with Borland Delphi. Unlike the .NET droppers, this particular dropper will place the VBS file in the victim’s startup folder in order to obtain persistence. Otherwise, the flow of execution remains the same.”
The last samples that were using this dropper referenced a new IP address for XMRig communication( 5.23[.]48[.]207).
“Monero mining campaigns are certainly not a new development, as there have been various reported instances recently. However, it is less common to observe such a large-scale campaign go relatively unnoticed for such a long period of time. ” concluded Palo Alto.
Necessary cookies are absolutely essential for the website to function properly. This category only includes cookies that ensures basic functionalities and security features of the website. These cookies do not store any personal information.
Any cookies that may not be particularly necessary for the website to function and is used specifically to collect user personal data via analytics, ads, other embedded contents are termed as non-necessary cookies. It is mandatory to procure user consent prior to running these cookies on your website.