
cryptojacking

Nebraska Man Faces 50 Years for Multi-Million Dollar Cryptojacking Scheme

United States prosecutors have charged Charles O. Parks III with wire fraud and money laundering after he allegedly ran a “large-scale illegal ‘cryptojacking’ operation,” defrauding two cloud computing providers out of $3.5 million to mine $970,000 in cryptocurrencies such as ether, litecoin, and monero without authorization. Parks, who was arrested in Nebraska and faces up […]

BTC and ETH ETFs Post Positive Inflows Despite GBTC, ETHE Losses

Windows tool targeted by hackers deploys crypto mining malware

Software installers affected are mainly used for 3D modeling and graphic design, with French being the most frequent language used in the malware campaign.

Hackers have been using a Windows tool to drop cryptocurrency-mining malware since November 2021, according to an analysis from Cisco's Talos Intelligence. The attacker exploits Windows Advanced Installer — an application that helps developers package other software installers, such as Adobe Illustrator — to execute malicious scripts on infected machines. 

According to a Sept. 7 blog post, the software installers affected by the attack are mainly used for 3D modeling and graphic design. Additionally, most of the software installers used in the malware campaign are written in French. The findings suggest that the "victims are likely across business verticals, including architecture, engineering, construction, manufacturing, and entertainment in French language-dominant countries," explains the analysis.

The attacks predominantly affect users in France and Switzerland, with a few infections in other countries, including the United States, Canada, Algeria, Sweden, Germany, Tunisia, Madagascar, Singapore and Vietnam, the post notes based on DNS request data sent to the attacker’s command and control (C2) host.

The illicit crypto mining campaign identified by Talos involves the deployment of malicious PowerShell and Windows batch scripts to execute commands and establish a backdoor on the victim's machine. PowerShell in particular can run scripts entirely in memory without writing them to disk, which makes such an attack harder to identify.

Example of a software installer packaged with malicious scripts using Advanced Installer. Source: Talos Intelligence.

Once the backdoor is installed, the attacker executes additional threats, such as the Ethereum crypto-mining program PhoenixMiner, and lolMiner, a multi-coin mining threat.

"These malicious scripts are executed using Advanced Installer’s Custom Action feature, which allows users to predefine custom installation tasks. The final payloads are PhoenixMiner and lolMiner, publicly available miners relying on computers’ GPU capabilities."

The use of crypto mining malware is known as cryptojacking, and involves installing a crypto mining code on a device without the user's knowledge or permission in order to illegally mine cryptocurrencies. Signs that mining malware may be running in a machine include overheating and poorly performing devices.
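The detection side of the campaign described above, as an added example that is not Talos code. It runs simple detection logic over constructed, simplified process-creation log lines (timestamp, parent image, image, command line) and flags two things: a script host (PowerShell or cmd) spawned by the Windows Installer service, which is how an MSI custom action typically launches its scripts (assumption: msiexec.exe is the parent your telemetry records), and command lines naming the miners the article mentions (PhoenixMiner, lolMiner) or carrying a stratum mining-pool URL (an assumed indicator, not taken from the page). The log format, paths and pool host are all constructed for the example.

```python
"""Detect installer-launched scripts and GPU miners in process-creation logs.

Added example; not Talos code. Log lines are constructed and simplified:
    <timestamp>|<parent image>|<image>|<command line>
"""
import re
from dataclasses import dataclass

# Miners named in the Talos write-up (matched case-insensitively).
MINER_NAMES = ("phoenixminer", "lolminer")
# Assumed indicator: stratum pool URLs are the usual way miners reach a pool.
POOL_RE = re.compile(r"stratum\+?(tcp|ssl)://", re.IGNORECASE)
# Script hosts an MSI custom action would typically launch.
SCRIPT_HOSTS = ("powershell.exe", "cmd.exe")


@dataclass
class Event:
    ts: str
    parent: str
    image: str
    cmdline: str


def parse_line(line: str) -> Event:
    """Split one constructed log line into its four fields."""
    ts, parent, image, cmdline = line.split("|", 3)
    return Event(ts, parent.strip().lower(), image.strip().lower(), cmdline.strip())


def classify(ev: Event) -> list[str]:
    """Return the list of reasons this event looks like the campaign (empty if none)."""
    reasons = []
    image_name = ev.image.split("\\")[-1]
    # Assumption: Advanced Installer custom actions run under msiexec.exe.
    if ev.parent.endswith("msiexec.exe") and image_name in SCRIPT_HOSTS:
        reasons.append("script host spawned by Windows Installer (custom action)")
    low = ev.cmdline.lower()
    if any(name in low for name in MINER_NAMES):
        reasons.append("known GPU miner named on command line")
    if POOL_RE.search(ev.cmdline):
        reasons.append("mining pool URL on command line")
    return reasons


def scan(lines):
    """Return (timestamp, image, reasons) for every line that triggers a rule."""
    findings = []
    for line in lines:
        if not line.strip():
            continue
        ev = parse_line(line)
        reasons = classify(ev)
        if reasons:
            findings.append((ev.ts, ev.image, reasons))
    return findings


# Constructed sample telemetry: one custom-action launch, one miner start, two benign events.
SAMPLE_LOG = """\
2023-09-01T10:00:01|C:\\Windows\\System32\\msiexec.exe|C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe|powershell.exe -NoProfile -File C:\\ProgramData\\setup.ps1
2023-09-01T10:00:05|C:\\Windows\\explorer.exe|C:\\Program Files\\Adobe\\Illustrator.exe|Illustrator.exe
2023-09-01T10:02:30|C:\\Windows\\System32\\cmd.exe|C:\\ProgramData\\m\\lolMiner.exe|lolMiner.exe --algo ETCHASH --pool stratum+tcp://pool.example:3333 --user WALLET_PLACEHOLDER
2023-09-01T10:03:00|C:\\Windows\\explorer.exe|C:\\Windows\\System32\\notepad.exe|notepad.exe readme.txt
"""

if __name__ == "__main__":
    for ts, image, reasons in scan(SAMPLE_LOG.splitlines()):
        print(ts, image, "; ".join(reasons))
```

Because the scripts themselves may never touch disk, the command-line and parent-process fields of process-creation telemetry (or PowerShell script block logging) are what a defender has to work with; the rules above are deliberately narrow so that a legitimate installer running its own custom action is only flagged when it launches a script host.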

Using malware families to hijack devices to mine or steal cryptocurrencies isn't a new practice. Former smartphone giant BlackBerry recently identified malware scripts actively targeting at least three sectors, including financial services, healthcare and government.



Cybercrooks to ditch BTC as regulation and tracking improves: Kaspersky

The cybersecurity firm predicted that crypto-related cybercrime won't slow down in 2023, but it will move on from Bitcoin as a source of payment.

Bitcoin (BTC) is forecasted to be a less enticing payment choice by cybercriminals as regulations and tracking technologies improve, thwarting their ability to safely move funds.

Cybersecurity firm Kaspersky in a Nov. 22 report noted that ransomware negotiations and payments would rely less on Bitcoin as a transfer of value as an increase in digital asset regulations and tracking technologies will force cybercriminals to rotate away from Bitcoin and into other methods.

As reported by Cointelegraph, ransomware payments using crypto topped $600 million in 2021 and some of the biggest heists such as the Colonial Pipeline attack demanded BTC as a ransom.

Kaspersky also noted that crypto scams have increased along with the greater adoption of digital assets. However, it said that people have become more aware of crypto and are less likely to fall for primitive scams such as Elon Musk-deepfake videos promising huge crypto returns.

It predicted malicious actors will continue trying to steal funds through fake initial token offerings and nonfungible tokens (NFTs) and crypto-based theft such as smart contract exploits will become more advanced and widespread.

2022 has largely been a year of bridge exploits with more than $2.5 billion already pilfered from them as reported by Cointelegraph.

The report also noted that malware loaders will become hot property on hacker forums as they are harder to detect. Kaspersky predicted that ransomware attackers may shift from destructive financial activity to more politically-based demands.


Back to the present, the report noted an exponential rise in 2021 and 2022 of “infostealers” — malicious programs that gather information such as logins.

Cryptojacking and phishing attacks have also increased in 2022 as cybercriminals employ social engineering to lure their victims.

Cryptojacking involves injecting malware into a system to steal or mine digital assets. Phishing is a technique using targeted emails or messages to lure a victim into revealing personal information or clicking a malicious link.


‘Cryptojacking’ rises 30% to record highs despite crypto slump: Report

Cryptojacking has become a lucrative choice for cybercriminals as many victims are unaware they have been compromised.

New research shows that despite falling digital asset prices, cryptojacking has reached record levels in the first half of 2022.

According to a mid-year update on cyber threats by American cybersecurity company SonicWall, global cryptojacking volumes rose by $66.7 million, or 30% in the first half of 2022 compared to the same period last year.

Cryptojacking is a cybercrime whereby malicious actors commandeer a victim’s computer resources by infecting the machine with malware designed to mine cryptocurrencies. It is often executed through vulnerabilities in web browsers and extensions.

Source: SonicWall

The report stated that the overall rise in cryptojacking can be attributed to a couple of factors.

Firstly, cybercriminals are leveraging the Log4j vulnerability to deploy attacks in the cloud. In December 2021, a critical vulnerability was discovered in Log4j, the Java-based open-source logging library maintained by Apache. Hackers can exploit it to gain remote access to a system.

Secondly, cryptojacking is a lower-risk attack than ransomware which needs to be made public to succeed. Cryptojacking victims are often unaware that their computers or networks have been compromised.

Finance sector beware

Attackers also appeared to have changed their preferred targets during the period, moving from the government, healthcare and education sectors to the retail and financial sectors.

Cryptojacking attacks targeting the finance sector skyrocketed 269% in the period, more than five times greater than the second highest industry — retail, which saw attacks increase by 63%.

“The number of attacks on the finance industry is five times greater than the second highest industry — retail, which used to be at the very bottom of the list,” the researchers noted.


The researchers, however, noted that the volume of cryptojacking attacks began to fall alongside the crypto markets in the first half of the year, as attacks were becoming less lucrative.

They observed a pattern of significantly higher volumes in the first quarter, followed by a “cryptojacking summer slump” in Q2. The firm said that based on past trends, Q3 volumes will likely also be low, with attacks likely to pick up again in Q4.

This year's summer decline has also been attributed to a fall in crypto asset prices, as markets have shrunk by 57% since the beginning of the year.


13 apps removed after researchers uncover Trojan crypto wallet scheme

The scheme, which has been in operation since May 2021, targeted Chinese users through social media groups and fake websites.

Research by cyber security firm ESET has uncovered a “sophisticated scheme” that disseminates Trojan apps disguised as popular cryptocurrency wallets.

The malicious scheme targets mobile devices running Android or iOS, which become compromised if the user downloads a fake app.

According to ESET's research, these malicious apps are distributed through bogus websites, and imitate legitimate crypto wallets, including MetaMask, Coinbase, Trust Wallet, TokenPocket, Bitpie, imToken, and OneKey.

The firm also discovered 13 malicious apps impersonating the Jaxx Liberty wallet, available on the Google Play Store. Google has since removed the offending apps, which were installed more than 1,100 times, but there are still many more lurking out there on other websites and social media platforms.

The threat actors disseminated their wares through social media groups on Facebook and Telegram, intending to steal crypto assets from their victims. ESET claims to have uncovered “dozens of trojanized cryptocurrency wallet apps,” going back to May 2021. It also stated that the scheme, which it believes is the work of one group, was primarily targeting Chinese users via Chinese websites.

Lukáš Štefanko, the researcher who unraveled the scheme, said that there were other threat vectors, such as sending seed phrases to the attacker’s server using unsecured connections, adding:

“This means that victims' funds could be stolen not only by the operator of this scheme but also by a different attacker eavesdropping on the same network.”

The fake wallet apps behave slightly differently depending on the platform. On Android, they target a new cryptocurrency that the user may not have previously traded, prompting the user to install the appropriate wallet. On iOS, the apps have to be installed using arbitrary trusted code-signing certificates, bypassing Apple’s App Store. This means that a user can have two wallets installed simultaneously, the genuine one and the Trojan, but it poses less of a threat since most users rely on App Store verification for their apps.


ESET advises cryptocurrency investors and traders to only install wallets from trusted sources that are linked to the official website of the exchange or company.

In February, Google Cloud unveiled the Virtual Machine Threat Detection (VMTD) system, which scans for and detects “cryptojacking” malware designed to hijack resources to mine digital assets.

According to a January Chainalysis report, cryptojacking accounted for 73% of the total value received by malware-related wallets and addresses between 2017 and 2021.


Google Cloud to detect crypto-mining malware on virtual machines

Bad actors using malware to steal GPU power to mine crypto will have to up their game to deal with Google Cloud's latest security protocol.

It’s a shot in the arm for Google Cloud users at risk of cryptocurrency mining attacks. The Google Cybersecurity Action Team (GCAT) has created a threat detection service to shield “poorly configured” accounts that attackers use to mine cryptocurrency. 

In a blog post, Google Cloud announced the Virtual Machine Threat Detection (VMTD) release in its Security Command Center (SCC) area. A means of scanning compute engines in Google Cloud, the VMTD successfully detects threats, including crypto-mining malware used inside virtual machines.

Crypto-mining malware attacks, sometimes called “cryptojacking,” are an ongoing nuisance in the industry. While browser-based cryptojacking activity spiked in the 2019 bear market, cloud-based crypto mining continues to beleaguer the space.

Cointelegraph reported in November last year that of 50 analyzed incidents relating to compromised Google Cloud Protocols, 86% were related to crypto mining. The Google “Threat Horizons” report highlighted hackers may seek to hijack GPU space to mine crypto as it is a “cloud resource-intensive for-profit activity.”

Upon receiving the data, the Google Cybersecurity Action Team sought to remedy the situation, building better protections for its virtual machine users.

The result is VMTD, a program that provides agentless memory scanning to help detect threats like crypto-mining malware. As well as delivering protections from coin mining, the VMTD also secures users from data exfiltration and ransomware.

Ransomware attacks flourished in 2021, reaching highs in April 2021. Some commentators suggest that the rise in ransomware attacks went hand in hand with crypto’s meteoric rise; regulators and industry players have made efforts to blunt the malpractice.


Regarding crypto-mining malware attacks, Google has made a concerted effort to stem the onslaught of malicious actors taking advantage of unknowing internet users’ CPU power and electricity in order to mine cryptocurrencies. In 2018, over 55% of businesses were reportedly affected worldwide, including Google’s YouTube.

The VMTD will steadily integrate with other parts of Google Cloud over the coming months, benefitting further Google Cloud users.


‘Less sophisticated’ malware is stealing millions: Chainalysis

Chainalysis warned that even “low-skilled cybercriminals” are using malware to swipe funds from crypto hodlers.

Cryptojacking accounted for 73% of the total value received by malware related addresses between 2017 and 2021, according to a new malware report from blockchain analysis firm Chainalysis.

Malware is used to conduct nefarious activity on a victim’s device, such as a smartphone or PC, after being downloaded without the victim’s knowledge. Malware-powered crime can be anything from information stealing to distributed denial-of-service (DDoS) attacks or ad fraud on a grand scale.

The report excluded ransomware, which involves an initial use of hacks and malware to extract ransom payments from victims in order to halt the attacks. Chainalysis stated:

“While most tend to focus on high-profile ransomware attacks against big corporations and government agencies, cybercriminals are using less sophisticated types of malware to steal millions in cryptocurrency from individual holders.”

Chainalysis’ Jan. 19 report focuses on the various types of crypto-malware, excluding ransomware, used over the last decade such as info stealers, clippers, cryptojackers and trojans, noting that they are generally cheap to acquire and even “low-skilled cybercriminals” can use them to siphon funds from their victims.

Cryptojacking tops the list of value received via malware at 73%, Trojans were ranked second at 19%, ‘Others’ totalled 5% while information stealers and clippers represented a mere 1% each.

According to Chainalysis, malware addresses send the “majority of funds on to addresses at centralized exchanges,” but note that figure is declining. As of 2021, exchanges only received 54% of funds from those addresses compared to 75% in 2020 and around 90% in 2019.

“DeFi protocols make up much of the difference at 20% in 2021, after having received a negligible share of malware funds in 2020.”

The report looked at the prolific Hackboss clipper, which has stolen around $560,000 since 2012 by infecting users' clipboards to steal and replace information. It found that the “Cryptobot” infostealer was a significant source of ill-gotten gains in 2021, generating $500,000 worth of Bitcoin (BTC) from around 2,000 transactions.

Cryptojacking

Cryptojacking malware utilizes the victim’s computing power to mine various cryptocurrencies, with the target asset of choice “usually Monero” but Zcash (ZEC) and Ethereum (ETH) are sometimes also mined.

Chainalysis notes that a specific amount generated by this method is hard to pin down as the funds are transferred from mempools to unknown mining addresses as opposed to “the victim’s wallet to a new wallet” in other cases.

Despite being unable to provide an estimated monetary figure on the harm caused by cryptojackers, Chainalysis projects this malware type to account for almost three quarters of the total value generated by crypto-malware.

The report noted a 2020 report from Cisco’s cloud security division stated that cryptojacking affected 69% of its clients, thus translating to an “incredible amount of stolen computer power” used to mine large amounts of crypto.

It also highlighted a 2018 report from Palo Alto Networks which estimated that 5% of Monero’s circulating supply was mined by cryptojackers, estimated to be worth around $100 million in ill-gotten revenue.


Info stealers and clippers

Info stealers are used to swipe the victim’s crypto wallet info and account credentials, while clippers can be used to insert a specific text into the victim’s clipboard.

Clipper malware is often used to hijack the victim's outgoing transactions by inserting the cybercriminal’s wallet address when victims attempt to paste a sending address.
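A user-side check against the clipboard substitution described above, as an added example that is not Chainalysis code or any wallet's code. A clipper swaps the address between copy and paste, so the countermeasure is to compare what the user meant to paste against what actually arrived, and to refuse anything that does not decode as a well-formed address. The validator covers legacy Base58Check Bitcoin addresses only (an assumption made to keep the example focused); the address constants in the usage section are the well-known genesis-block address and a constructed corruption of it.

```python
"""Detect clipboard address substitution and validate legacy Bitcoin addresses.

Added example; not code from the report or from any wallet project.
"""
import hashlib

B58_ALPHABET = "123456789ABCDEFGHJKLMNPQRSTUVWXYZabcdefghijkmnopqrstuvwxyz"


def b58decode(s: str) -> bytes:
    """Decode a Base58 string to bytes; raises ValueError on a bad character."""
    n = 0
    for ch in s:
        idx = B58_ALPHABET.find(ch)
        if idx < 0:
            raise ValueError(f"invalid base58 character {ch!r}")
        n = n * 58 + idx
    body = n.to_bytes((n.bit_length() + 7) // 8, "big") if n else b""
    # Each leading '1' encodes one leading zero byte.
    pad = len(s) - len(s.lstrip("1"))
    return b"\x00" * pad + body


def is_valid_legacy_address(addr: str) -> bool:
    """True if addr is version byte + 20-byte hash + 4-byte double-SHA256 checksum."""
    try:
        raw = b58decode(addr)
    except ValueError:
        return False
    if len(raw) != 25:
        return False
    payload, checksum = raw[:21], raw[21:]
    digest = hashlib.sha256(hashlib.sha256(payload).digest()).digest()
    return digest[:4] == checksum


def check_paste(intended: str, pasted: str) -> str:
    """Compare the address the user copied with the one that landed in the send field.

    Returns 'substituted' if they differ (the clipper signature), 'malformed' if
    the pasted value is not a valid legacy address, and 'ok' otherwise.
    """
    if pasted != intended:
        return "substituted"
    if not is_valid_legacy_address(pasted):
        return "malformed"
    return "ok"


if __name__ == "__main__":
    genesis = "1A1zP1eP5QGefi2DMPTfTL5SLmv7DivfNa"      # well-known genesis-block address
    swapped = "1BvBMSEYstWetqTFn5Au4m4GFg7xJaNVN2"      # a different valid address, standing in for a clipper's
    print(check_paste(genesis, genesis))                # ok
    print(check_paste(genesis, swapped))                # substituted
    print(is_valid_legacy_address(genesis[:-1] + "b"))  # False: checksum no longer matches
```

The comparison is the part that actually catches a clipper, since a clipper inserts a valid address of its own; the checksum test is there so that a truncated or mangled paste is rejected rather than sent to whatever the wallet software makes of it.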

The report noted that these two types of malware received a combined 5,974 transfers from victims in 2021, up from 5,449 in the year prior.


HP-Branded Servers Hijacked to Mine $110,000 Worth of Cryptocurrency

Hackers recently took control of a group of HP-branded servers and used them to remotely mine a cryptocurrency called raptoreum, according to reports. This resulted in the compromised cluster of HP machines becoming the biggest contributor to the total mining pool of the cryptocurrency, allowing attackers to rake in $110,000 worth. The coins are said […]


Russia, US in Top 3 for Crypto-Related Threats, Cybersecurity Report Unveils

Threats related to cryptocurrency have followed prices, decreasing significantly after the market slump in May, suggests a recent report released by a leading internet security firm. Detections fell by almost a quarter but Russia remains the most affected country, with the U.S. ranking in the top three as well. ESET: 1 in 10 Crypto-Focused Threats […]


Intel Partners With Microsoft to Combat Cryptojacking Attacks by Deploying a Threat Detection Tool

Although recent studies have been showing a slowdown in cryptojacking activities, especially the ones related to mining privacy coins, Intel remains on the hunt to crack down on such activities. The tech giant has partnered with Microsoft to deploy a campaign that strengthens cryptojacking detection with new technologies. Tool Could Trigger Multiple Detectors to Halt Any […]
