Category Archives: cryptomining

Fake Adobe update really *does* update Flash (while also installing cryptominer)

Online criminals are planting cryptomining code on victims' Windows computers, using the camouflage of an update to Adobe Flash Player.

The post Fake Adobe update really *does* update Flash (while also installing cryptominer) appeared first on The State of Security.


Shocking: Hackers using Googlebots in cryptomining malware attacks

By Waqas

Hackers are abusing Googlebot servers to deliver malicious payloads. Last year, HackRead exclusively reported on how hackers were using Google Adwords and Google Sites to spread malware. Then came another shocking research from Cisco Talos exposing how hackers exploited Google Search Results to distribute Zeus Panda banking trojan. Now, researchers at F5 identified a strange and infrequent behavior […]

This is a post from HackRead.com. Read the original post: Shocking: Hackers using Googlebots in cryptomining malware attacks

Crooks leverage Kodi Media Player add-ons for malware distribution

Security experts have spotted a Monero cryptomining campaign that abused Kodi add-ons to deliver a miner targeting both Linux and Windows systems.

Crooks are abusing the Kodi media player to distribute malware: researchers from ESET recently spotted a cryptomining campaign that compromised about 5,000 computers.

Kodi users can add new functionality by installing add-ons that are available in the official Kodi repository and in several third-party repositories.

An attacker can deliver malicious code by compromising the add-ons that are automatically updated by the Kodi media player.

According to ESET researchers, Kodi users can end up running the malicious add-on through three different mechanisms:

  1. They add the URL of a malicious repository to their Kodi installation in order to download some add-ons. The malicious add-on is then installed whenever they update their Kodi add-ons.
  2. They install a ready-made Kodi build that includes the URL of a malicious repository. The malicious add-on is then installed whenever they update their Kodi add-ons.
  3. They install a ready-made Kodi build that contains a malicious add-on but no link to a repository for updates. They are compromised at install time but receive no further updates to the malicious add-on; however, once the cryptominer is installed, it persists and receives its own updates.

The malicious code distributed in this campaign is able to compromise both Windows and Linux platforms. It is a multi-stage malware that implements measures to make it hard for analysts to trace the malicious code back to the add-on.

Attackers added the malicious add-on to the XvMBC, Bubbles, and Gaia repositories.

Most of the infections were observed in the United States, Israel, Greece, the United Kingdom, and the Netherlands.


“After victims add the malicious repository to their Kodi installation, the malicious repository serves an add-on named script.module.simplejson – a name matching that of a legitimate add-on used by many other add-ons. However, while other repositories only have the script.module.simplejson add-on at version 3.4.0, the malicious repository serves this add-on with version number 3.4.1.” continues the report.

“Since Kodi relies on version numbers for update detection, all users with the Auto Update feature enabled (which is a common default setting) will automatically receive script.module.simplejson version 3.4.1 from the malicious repository.”
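The hijack in the quoted passage works because the client trusts whichever configured repository advertises the highest version number for an add-on id. The following is an added example, written for this page and not ESET's or Kodi's code, that models that resolution step over constructed addons.xml fragments and then applies the check a defender would want: flag any add-on whose pending update would come from a repository other than the one it was originally installed from. The repository names, add-on ids other than script.module.simplejson, versions and the simplified dotted-version comparison are assumptions for illustration; Kodi's real comparison also handles suffixes such as "~beta".

```python
"""Model how an auto-updating Kodi client picks an add-on update source.

Added example, not code from ESET or the Kodi project.  Each repository
publishes an addons.xml; an installed add-on is updated whenever some
repository advertises a higher version than the installed one, and the
repository with the highest version wins regardless of where the add-on
was originally installed from.
"""
import xml.etree.ElementTree as ET

# Constructed addons.xml fragments: a legitimate repository at 3.4.0 and a
# malicious one advertising 3.4.1 under the same add-on id (the situation
# described in the ESET report).  Repository names are hypothetical.
REPOS = {
    "repo.legit": """<addons>
  <addon id="script.module.simplejson" version="3.4.0" name="simplejson"/>
  <addon id="plugin.video.example" version="1.2.0" name="Example"/>
</addons>""",
    "repo.malicious": """<addons>
  <addon id="script.module.simplejson" version="3.4.1" name="simplejson"/>
</addons>""",
}

# Constructed local state: installed version plus the repository it came from.
INSTALLED = {
    "script.module.simplejson": {"version": "3.4.0", "origin": "repo.legit"},
    "plugin.video.example": {"version": "1.1.0", "origin": "repo.legit"},
}


def parse_version(v):
    """Dotted version string to a comparable tuple: '3.4.1' -> (3, 4, 1).

    Simplification: real Kodi versions may carry suffixes such as '~beta1'.
    """
    return tuple(int(p) for p in v.split("."))


def parse_repo(xml_text):
    """Return {addon_id: version} for every <addon> in an addons.xml document."""
    root = ET.fromstring(xml_text)
    return {a.get("id"): a.get("version") for a in root.iter("addon")}


def resolve_updates(installed, repos):
    """Pick the update source for each installed add-on the way an
    auto-updating client does: highest advertised version wins, and the
    repository that published it becomes the download source."""
    best = {}
    for repo_name, xml_text in repos.items():
        for addon_id, version in parse_repo(xml_text).items():
            if addon_id not in installed:
                continue
            if parse_version(version) <= parse_version(installed[addon_id]["version"]):
                continue  # not newer than what is installed
            if addon_id not in best or parse_version(version) > parse_version(best[addon_id][1]):
                best[addon_id] = (repo_name, version)
    return best


def flag_hijacks(installed, updates):
    """Defensive check: add-ons whose pending update would be served by a
    repository other than the one they were originally installed from."""
    return sorted(a for a, (repo, _) in updates.items() if repo != installed[a]["origin"])


if __name__ == "__main__":
    pending = resolve_updates(INSTALLED, REPOS)
    for addon_id, (repo, version) in sorted(pending.items()):
        print(f"{addon_id}: {INSTALLED[addon_id]['version']} -> {version} from {repo}")
    print("update source differs from install origin:", flag_hijacks(INSTALLED, pending))
```

Run as-is, the script reports that script.module.simplejson would be pulled from repo.malicious while plugin.video.example updates from its original repository, and the origin check singles out the former. The check is only as good as the recorded origin: for a ready-made build that shipped with the malicious add-on already installed (mechanism 3 above) there is no trustworthy origin to compare against.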

Although the main repositories used in this campaign are now either closed or cleaned, many devices are still running the malicious add-ons to mine Monero.

Researchers from ESET revealed that the crooks behind the campaign have already mined about $6,700 worth of Monero.

“According to these statistics of the malware authors’ Monero wallet, provided by Nanopool, a minimum of 4774 victims are affected by the malware at the time of writing, and have generated 62.57 XMR (about 5700 EUR or 6700 USD) as of this writing.” concludes the report.

Further details, including the IoCs, are available in the report.

Pierluigi Paganini

(Security Affairs – Kodi, malware)

The post Crooks leverage Kodi Media Player add-ons for malware distribution appeared first on Security Affairs.

Blog | Avast EN: Cryptojacking surges and here’s what to do about it | Avast

In the bustling industry of cybercrime, ransomware has always been a popular weapon of choice...until this year. In 2018, illicit cryptomining (AKA cryptojacking) took the title, surging 459%. Cryptojacking is the crime of using somebody else’s computer processing power to mine cryptocurrency. Victims may not even notice, as there are no outward signs that the mining is occurring, save possible slowing down or overheating of the system.


Cyber Threat Alliance Releases Cryptomining Whitepaper

This post is authored by Ashlee Benge.

Despite the recent devaluation of some cryptocurrencies, illicit cryptocurrency miners remain a lucrative and widespread attack vector in the threat landscape. These miners are easy to deploy, and attackers see them as a quick way to steal other users' processing power to generate cryptocurrency. These attacks are harder to notice than a traditional denial-of-service or malware campaign, which means less risk and a more stable foothold for a malicious actor. The Cyber Threat Alliance, with contributions from Cisco Talos and other CTA members, has released a whitepaper detailing the rise of cryptomining attacks that outlines what you, and your organization, should know about these kinds of campaigns.

The paper notes that the technical barrier to entry for attackers is low, and that patches are available for many of the vulnerabilities these attacks exploit. Because cryptomining campaigns are easy to launch, a broader set of actors has engaged in this activity, resulting in a higher rate of attacks. Talos often observes multiple actors with illicit cryptomining software on the same compromised box. The attackers' reliance on well-known vulnerabilities essentially turns this problem into a canary-in-the-coal-mine situation for defenders: if you discover unauthorized cryptomining software on one of your assets, there is a high likelihood that other actors have also leveraged the same weaknesses to gain access, potentially for more damaging purposes.

Prior Coverage


Snort signatures exist to provide coverage for a variety of miner downloads, malware variants related to cryptocurrency miners and to block protocols commonly used by miners.

The following SIDs detect incoming clients and miner downloads:

44692-44693, 45265-45268, 45809-45810, 45949-45952, 46365-46366 and 46370-46372.

The following SIDs detect malware variants known to be associated with miners:

20035, 20057, 26395, 28399, 28410-28411, 29493-29494, 29666, 30551-30552, 31271-31273, 31531-31533, 32013, 33149, 43467-43468, 44895-44899, 45468-45473, 45548, 45826-45827, 46238-46240.

The following SIDs detect Stratum protocol traffic, which mining workers use to talk to their pool:

26437, 40840-40842, 45417, 45549-45550, 45825, 45955.

Additional rules may be released at a future date, and current rules are subject to change, pending additional vulnerability information. For the most current rule information, please refer to your Firepower Management Console or Snort.org.
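The Stratum signatures above work because a miner's pool traffic has a recognisable shape: JSON-RPC objects, one per line, over a plain TCP socket, using a small set of method names. As an added example that is not a Snort rule and not Talos's code, the detector below applies that idea to captured payloads so the logic can be read and tested directly. It recognises both the Bitcoin-style "mining.*" methods and the CryptoNote/XMRig-style "login"/"submit" methods and, where present, pulls out the miner's self-reported agent string. The sample connections, addresses and agent strings are constructed for illustration.

```python
"""Flag Stratum mining traffic in captured TCP payloads.

Added example for this page; not a Snort rule and not code from Cisco Talos.
Stratum is line-delimited JSON-RPC over a raw TCP socket, so a payload that
parses as JSON and carries one of the well-known method names is a strong
indicator of a mining worker talking to its pool, whatever port is in use.
"""
import json

# Method names seen on the wire in the two widespread Stratum dialects.
STRATUM_METHODS = {
    # Bitcoin-style Stratum (cpuminer, cgminer and friends)
    "mining.subscribe", "mining.authorize", "mining.submit",
    "mining.notify", "mining.set_difficulty",
    # CryptoNote-style Stratum used by Monero miners such as XMRig
    "login", "getjob", "submit", "keepalived",
}

# Constructed (src, dst, payload) samples: two miners, an unrelated JSON-RPC
# call, and plain HTTP.  Addresses are documentation ranges.
SAMPLES = [
    ("10.0.0.12:51233", "203.0.113.5:3333",
     '{"id":1,"jsonrpc":"2.0","method":"login","params":'
     '{"login":"wallet-address","pass":"x","agent":"XMRig/2.8.3"}}\n'),
    ("10.0.0.7:48210", "198.51.100.9:3333",
     '{"id":1,"method":"mining.subscribe","params":["cpuminer/2.5.0"]}\n'),
    ("10.0.0.9:60001", "192.0.2.1:443",
     '{"id":7,"method":"getUser","params":[]}\n'),
    ("10.0.0.9:60002", "192.0.2.1:80",
     "GET / HTTP/1.1\r\nHost: example.org\r\n\r\n"),
]


def _json_lines(payload):
    """Yield each line of the payload that parses as a JSON object."""
    for line in payload.splitlines():
        line = line.strip()
        if not line.startswith("{"):
            continue
        try:
            msg = json.loads(line)
        except ValueError:
            continue
        if isinstance(msg, dict):
            yield msg


def stratum_methods(payload):
    """Return the Stratum method names found in a payload, in order."""
    return [m["method"] for m in _json_lines(payload) if m.get("method") in STRATUM_METHODS]


def miner_agent(payload):
    """Best-effort miner agent string: 'agent' inside a CryptoNote login, or
    the first parameter of a Bitcoin-style mining.subscribe.  None if absent."""
    for msg in _json_lines(payload):
        params = msg.get("params")
        if msg.get("method") == "login" and isinstance(params, dict):
            return params.get("agent")
        if msg.get("method") == "mining.subscribe" and isinstance(params, list) and params:
            return params[0]
    return None


def detect(samples):
    """Return one hit per connection whose payload carries Stratum methods."""
    hits = []
    for src, dst, payload in samples:
        methods = stratum_methods(payload)
        if methods:
            hits.append({"src": src, "dst": dst, "methods": methods,
                         "agent": miner_agent(payload)})
    return hits


if __name__ == "__main__":
    for hit in detect(SAMPLES):
        print(f"{hit['src']} -> {hit['dst']}: {', '.join(hit['methods'])} "
              f"(agent: {hit['agent']})")
```

Two caveats a practitioner should keep in mind. Matching on payload rather than port matters because pools listen on arbitrary ports, and the unrelated "getUser" call shows why the method allowlist, not merely "JSON-RPC on an odd port", is the discriminator. Conversely, miners that speak Stratum over TLS or through a proxy will not be visible to this check, which is one reason the Talos coverage above also includes signatures for the miner downloads and the associated malware families rather than the protocol alone.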

Linux & Windows hit with disk wiper, ransomware & cryptomining Xbash malware

By Waqas

Xbash is an “all in one” malware. Palo Alto Networks’ Unit 42 researchers have come to the conclusion that the notorious Xbash malware that has been attacking Linux and Windows servers is being operated by the Iron Group which is an infamous hacker collective previously involved in a number of cyber crimes involving the use […]

This is a post from HackRead.com. Read the original post: Linux & Windows hit with disk wiper, ransomware & cryptomining Xbash malware

Cybercriminals Changing Tactics as Seen in First Half Report

Today, Trend Micro released its first-half 2018 security roundup report, in which we share the threat intelligence gathered through the Trend Micro™ Smart Protection Network™, which lets us identify the threats that have targeted our customer base. Below are some thoughts I’d like to share with you about these trends and how they could affect you and your organization.

Cybercriminals regularly change who they target, how they target them, and what they are after. Most recently we’ve seen a shift from large ransomware spam campaigns to more targeted attacks that use ransomware as the tool to disrupt critical business operations. Any organization that depends on critical systems to run its business needs to ensure it has prepared for a targeted attack. Secondly, we’ve seen a shift towards cryptomining and cryptojacking as the predominant threat for many cybercriminals today. This has become the threat du jour in the criminal underground, with a lot of chatter on how best to perpetrate this crime. While it is not as destructive as ransomware, it can disrupt system operations: the goal of most cryptomining malware is to use as many system resources as possible for mining, so the system is no longer supporting its primary business function.

Any organization that supports critical infrastructure needs to look at how to harden its ICS/SCADA networks, as we’re starting to see threat actors pursue destructive attacks rather than simply performing reconnaissance and testing capabilities when they compromise these networks. As our Zero Day Initiative is finding, vulnerabilities in the applications and devices in this sector are increasing and, more worryingly, the affected vendors are not patching them quickly. This will likely change as vendors are held more accountable for fixing their bugs, but until then providers of critical infrastructure need to build better patching processes, such as virtual patching at the network and host layers.

As the FBI has shared, the BEC threat has been increasing every year since 2013, with total losses from this threat reaching US$12 billion. This shows that the threat actors behind these attacks are emboldened by the simplicity (i.e., the low investment needed to perpetrate them) as well as the high monetary returns. We will likely see more actors and criminal syndicates leveraging this threat against businesses of all sizes. The good news is that diligence in educating your financial and HR employees on how to identify this threat, along with implementing two-factor verification of payment and data requests, can greatly mitigate the risk of compromise.

Overall, organizations need to remain vigilant in reviewing their security processes as well as their existing cybersecurity solutions. Solution sprawl is a real problem, driven by technological complexity and a lack of the trained personnel required to run these tools. Instead, businesses should look at consolidating and connecting their defenses in a way that allows faster protection from new threats and better visibility across their entire network infrastructure. Lastly, look to invest in and enable the advanced threat protections coming to market that use artificial intelligence and machine learning, but don’t forget that many traditional technologies are still very effective at stopping the bulk of today’s threats.

There are more details in our report, which you should read for a full understanding of the threats we saw during the first half of the year. I will also cover the trends and data in my live monthly threat webinar on August 30, which you can also watch on demand later.

If you have any questions or comments, please share them below.

The post Cybercriminals Changing Tactics as Seen in First Half Report appeared first on .