There is no doubt that cryptocurrency has been on a steady rise. According to a research paper by the University of Cambridge, the market capitalization of cryptocurrency has increased more than three-fold since early last year, and it is not likely to stop there. With more and more people realizing that cryptocurrency is potentially a significantly profitable investment, this rise is likely to continue for the foreseeable future. And where there is profit, that is where malware attacks will gather, which is why we have been expecting more threats similar to the one we discussed in our article “A Peculiar Case of Orcus RAT Targeting Bitcoin Investors” two weeks ago.

 

True enough, FortiGuard Labs has found a new, but also familiar, malware attack scheme targeting the cryptocurrency market. It is being perpetrated by the group behind the VenusLocker ransomware that was discovered in the second half of last year, except that this time they have switched their crosshairs from extortion to mining Monero, an open-source cryptocurrency created in April of 2014 that is currently trading at around $400 USD.

 

With the security industry’s constant effort to combat ransomware, the ability of cybercriminals to successfully encrypt user files should no longer be a cakewalk. For instance, this past October Microsoft added a Controlled folder access feature to Windows Defender Security Center for Windows 10 users to prevent malicious (or unexpected) alteration of important files. Features such as this can effectively thwart ransomware attacks, which is probably part of the reason why the threat actors behind VenusLocker decided to switch targets.

 

This article discusses a new attack that specifically targets South Korean users.

 

Phishy Egg Leads to Monero Miner Malware
The attack arrives as phishing emails using a variety of social engineering contexts. For example, one variant pretends to be from a South Korean online garment seller who falsely claims that the recipient’s information has been leaked due to a hack of the seller’s website. And of course, the email explains that the (infected) attachment should be opened for more details and instructions. Another variant we found threatens that the recipient’s website is legally liable for images being abused without consent. It then recommends that the recipient open the attached file to check the images in question.

 

Files attached to these malicious emails are compressed in the EGG archive format, which is not very common. However, this format is likely to be familiar to the intended targets, since it is a proprietary format developed by the South Korean software company ESTsoft.

 

In addition, this relatively uncommon format provides an additional layer of evasion. As shown in the latest VT scan result below, only FortiGuard Labs has so far been able to both extract the EGG archive and detect its contents. Most of the other AVs on the list were able to detect the executable once it had been extracted, but could not extract the archive themselves.

 

The archive contains the actual miner malware, with the hidden file attribute set, along with several shortcut files that all point to that malware. The icons and file extensions of the shortcut files are disguised as images and documents to trick users.

 

An interesting observation is that this same scheme was used by VenusLocker in the past. To confirm this, we took a closer look at the shortcut files’ metadata, and sure enough, we found a direct relation to the ransomware. Aside from the target paths, the shortcut files used during the VenusLocker ransomware period are practically identical to the ones being used in this campaign, as shown in the next figure.
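The two observations above, that the archive bundles a hidden executable with shortcut files disguised as images or documents, and that the shortcut metadata itself carries the evidence, are what a defender would triage automatically. The following is an added example, not code from the article or from FortiGuard Labs: it builds two minimal Shell Link (.lnk) files in memory as constructed sample data, parses the header flags, the target's file attributes and the StringData block according to the MS-SHLLINK layout, and flags shortcuts whose visible name ends in an image or document extension while the target is an executable, is marked hidden, or is bundled in the same archive. The file names (`hidden_miner.exe`, `photo01.jpg.lnk`), PIDs and icon path are assumptions for the example.

```python
"""Triage of shortcut (.lnk) members of an extracted archive.

Added example: constructed Shell Link samples, a minimal MS-SHLLINK parser
and a disguise check. Not code from the article or from FortiGuard Labs.
"""
import struct
from pathlib import PureWindowsPath

HEADER_SIZE = 0x4C
LINK_CLSID = bytes.fromhex("0114020000000000c000000000000046")

# LinkFlags bits (MS-SHLLINK section 2.1.1)
HAS_LINK_TARGET_ID_LIST = 0x01
HAS_LINK_INFO = 0x02
HAS_NAME = 0x04
HAS_RELATIVE_PATH = 0x08
HAS_WORKING_DIR = 0x10
HAS_ARGUMENTS = 0x20
HAS_ICON_LOCATION = 0x40
IS_UNICODE = 0x80

FILE_ATTRIBUTE_HIDDEN = 0x02  # FileAttributes of the link target

EXECUTABLE_EXT = {".exe", ".scr", ".com", ".bat", ".cmd", ".vbs", ".js"}
DECOY_EXT = {".jpg", ".jpeg", ".png", ".gif", ".bmp", ".pdf", ".doc", ".docx", ".txt"}


def make_lnk(relative_path, icon_location, target_hidden):
    """Build a minimal .lnk in memory (constructed sample data for this example).
    Only the 76-byte header and the RELATIVE_PATH / ICON_LOCATION strings are
    emitted; LinkTargetIDList and LinkInfo are omitted."""
    flags = HAS_RELATIVE_PATH | HAS_ICON_LOCATION | IS_UNICODE
    attrs = FILE_ATTRIBUTE_HIDDEN if target_hidden else 0
    header = struct.pack("<I16sII", HEADER_SIZE, LINK_CLSID, flags, attrs)
    header += b"\x00" * 24  # Creation/Access/Write FILETIMEs left at zero
    # FileSize, IconIndex, ShowCommand (SW_SHOWNORMAL), HotKey, Reserved1..3
    header += struct.pack("<IIIHHII", 0, 0, 1, 0, 0, 0, 0)
    body = b""
    for text in (relative_path, icon_location):
        body += struct.pack("<H", len(text)) + text.encode("utf-16-le")
    return header + body


def parse_lnk(data):
    """Parse the fields the triage needs; raise ValueError on malformed input."""
    if len(data) < HEADER_SIZE:
        raise ValueError("too short for a Shell Link header")
    size, clsid, flags, attrs = struct.unpack_from("<I16sII", data, 0)
    if size != HEADER_SIZE or clsid != LINK_CLSID:
        raise ValueError("not a Shell Link file")
    pos = HEADER_SIZE
    if flags & HAS_LINK_TARGET_ID_LIST:       # skip the optional IDList
        (id_list_size,) = struct.unpack_from("<H", data, pos)
        pos += 2 + id_list_size
    if flags & HAS_LINK_INFO:                 # skip LinkInfo (size counts itself)
        (link_info_size,) = struct.unpack_from("<I", data, pos)
        pos += link_info_size
    strings = {}
    for bit, name in ((HAS_NAME, "name"), (HAS_RELATIVE_PATH, "relative_path"),
                      (HAS_WORKING_DIR, "working_dir"), (HAS_ARGUMENTS, "arguments"),
                      (HAS_ICON_LOCATION, "icon_location")):
        if not flags & bit:
            continue
        (count,) = struct.unpack_from("<H", data, pos)
        pos += 2
        width = 2 if flags & IS_UNICODE else 1
        raw = data[pos:pos + width * count]
        if len(raw) != width * count:
            raise ValueError(f"truncated {name} string")
        pos += width * count
        strings[name] = raw.decode("utf-16-le" if width == 2 else "cp1252", errors="replace")
    return {"flags": flags, "target_hidden": bool(attrs & FILE_ATTRIBUTE_HIDDEN), **strings}


def triage_shortcuts(members):
    """members: {filename: bytes} of an extracted archive. Returns findings."""
    findings = []
    for fname, blob in members.items():
        if not fname.lower().endswith(".lnk"):
            continue
        try:
            info = parse_lnk(blob)
        except ValueError as exc:
            findings.append({"file": fname, "target": None, "reasons": [f"unparseable: {exc}"]})
            continue
        visible = PureWindowsPath(fname[:-4])   # name shown when Explorer hides ".lnk"
        target = PureWindowsPath(info.get("relative_path", ""))
        reasons = []
        if target.suffix.lower() in EXECUTABLE_EXT and visible.suffix.lower() in DECOY_EXT:
            reasons.append(f"decoy name {visible.name!r} targets executable {target.name!r}")
        if info["target_hidden"]:
            reasons.append("target carries the hidden attribute")
        if target.name in members:
            reasons.append("target is bundled in the same archive")
        if reasons:
            findings.append({"file": fname, "target": str(target), "reasons": reasons})
    return findings


# Constructed archive contents (names and icon path are assumptions, not IoCs).
ICON = r"%SystemRoot%\system32\imageres.dll"
SAMPLE_ARCHIVE = {
    "hidden_miner.exe": b"MZ" + b"\x00" * 16,   # placeholder bytes, not a real binary
    "photo01.jpg.lnk": make_lnk("hidden_miner.exe", ICON, True),
    "invoice.docx.lnk": make_lnk("hidden_miner.exe", ICON, True),
    "readme.lnk": make_lnk("notes.txt", "", False),
}

if __name__ == "__main__":
    for finding in triage_shortcuts(SAMPLE_ARCHIVE):
        print(finding["file"], "->", finding["target"], "|", "; ".join(finding["reasons"]))
```

Run against a real extracted archive by replacing `SAMPLE_ARCHIVE` with a mapping of member names to bytes; the parser deliberately skips the IDList and LinkInfo structures, so it tolerates shortcuts whose absolute target path is stale while still reading the relative path that the campaign relies on.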

 

Once the malware is executed, an embedded binary of the Monero CPU miner XMRig v2.4.2 is launched. As a basic attempt to hide this resource-hogging operation, the miner is executed as a remote thread inside the legitimate Windows component wuapp.exe, which is started beforehand to avoid raising suspicion.

 

As a simple process persistence mechanism, if the miner process (in this case wuapp.exe) is terminated, the parent process (pope.exe in the screenshot), acting like a watchdog, simply executes it again. So in order to effectively terminate the malware, the parent process must be terminated first.

 

Why Monero?
Why not take advantage of Bitcoin’s growing surge in price (~18,800 USD)? Compared to Monero’s current value at ~4000 USD, it should be a no-brainer, right? There are two major reasons for this, as we briefly explained in our previous article, Cryptojacking: Digging for your own Treasure.

 

The first is that Monero’s mining algorithm is designed for ordinary computers, unlike Bitcoin, which requires specialized equipment such as Application-Specific Integrated Circuits (ASICs) or high-end GPUs in order to participate effectively in the mining process. So it is only logical that threat actors would choose the former to hit a wider range of potential targets.

 

The second reason is Monero’s promise of transaction anonymity. With Bitcoin, a wallet is a public record. Anyone can check an account’s incoming and outgoing fund transfers, including the source and destination accounts, because they are broadcast throughout the Bitcoin network. Monero, however, uses what are referred to as “stealth addresses” along with “transaction mixing,” making such detailed transparency non-existent. A layman’s explanation of this scheme can be found in this report.

 

Conclusion
With Monero’s promise of anonymity and undemanding requirements, it makes sense for threat groups to be attracted to using it to gain profits through mining malware campaigns.

 

We can only guess as to whether this switch in focus from ransomware to cryptocurrency mining is the start of a new trend for the coming year, but with cryptocurrency values being more enticing than ever, it is a real possibility. Rest assured that FortiGuard Labs will remain on the lookout for new threat vectors and trends.

 

FortiGuard Labs Protections

 

The following AV signatures have been created to detect malware files related to this attack:

  • W32/VenusMiner.FLT!tr
  • Riskware/MoneroMiner
  • LNK/VenusMiner.FLT!tr

FortiSandbox also rates the main malware executable as “High Risk” without additional reconfiguration.

 
