
Researchers Uncover Threat of ‘Unusual’ Virtual Machine Crypto Mining

Cybersecurity firm ESET has detected what it describes as an unusual and persistent cryptocurrency miner distributed for macOS and Windows since August 2018.

Cybersecurity firm ESET has detected what it describes as an unusual and persistent cryptocurrency miner distributed for macOS and Windows since August 2018. The news was revealed in a report from ESET Research published on June 20.

According to ESET, the new malware, dubbed “LoudMiner,” uses virtualization software — VirtualBox on Windows and QEMU on macOS — to mine crypto on a Tiny Core Linux virtual machine, thus having the potential to infect computers across multiple operating systems.

The miner itself reportedly uses XMRig — an open-source software used for mining privacy-focused altcoin monero (XMR) — and a mining pool, thereby purportedly thwarting researchers’ attempts to retrace transactions.

The research revealed that for both macOS and Windows, the miner operates within pirated applications, which are bundled together with virtualization software, a Linux image and additional files.

Upon download, LoudMiner is installed before the desired software itself, but conceals itself and only becomes persistent after reboot.

ESET notes that the miner targets applications whose purposes are related to audio production, which usually run on computers with robust processing power and where high CPU consumption — in this case caused by stealth crypto mining — might not strike users as suspicious.

Moreover, the attackers purportedly exploit the fact that such applications are usually complex and large in order to conceal their virtual machine images. The researchers add:

“The decision to use virtual machines instead of a leaner solution is quite remarkable and this is not something we routinely see.”

ESET has identified three strains of the miner targeted at macOS systems, and just one for Windows thus far.

As a warning to users, the researchers state that “obviously, the best advice to be protected against this kind of threat is to not download pirated copies of commercial software.”

Nonetheless, alongside high CPU consumption, they offer several hints to help users detect that something might be awry, including trust popups from an unexpected, “additional” installer, or a new service added to the startup services list (Windows) or a new Launch Daemon (macOS).

Network connections to unusual domain names — due to scripts inside the virtual machine that contact the C&C server to update the miner’s configuration — are another giveaway, the researchers add.
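The persistence and virtualization indicators above (a new Launch Daemon on macOS that starts QEMU headless from a hidden location at boot) can be triaged from the launchd plist files themselves. The following is an added example, not code from ESET or from the report: it parses constructed sample plists with the standard library and flags jobs that launch a virtualization binary; the path and disk-image heuristics, job labels and sample paths are assumptions, not values taken from the report.

```python
import plistlib
from dataclasses import dataclass, field
from typing import List, Optional

# Virtualization launchers named in ESET's description (QEMU on macOS, VirtualBox on Windows).
VIRT_BINARIES = ("qemu-system-", "VBoxHeadless", "VBoxManage")
# Disk-image suffixes a bundled Linux VM might use; assumed, not taken from the report.
IMAGE_SUFFIXES = (".qcow2", ".img", ".iso", ".vmdk", ".vdi")
# Locations a legitimately installed hypervisor would normally live under (assumption).
EXPECTED_PREFIXES = ("/Applications/", "/usr/local/", "/opt/")


@dataclass
class Finding:
    label: str
    program: str
    reasons: List[str] = field(default_factory=list)


def analyse_launchd_plist(plist_xml: bytes) -> Optional[Finding]:
    """Return a Finding if the launchd job looks like a hidden, persistent VM miner, else None."""
    job = plistlib.loads(plist_xml)
    args = job.get("ProgramArguments") or ([job["Program"]] if "Program" in job else [])
    if not args:
        return None
    program = args[0]
    basename = program.rsplit("/", 1)[-1]
    # Only jobs that start a hypervisor are interesting for this particular threat.
    if not basename.startswith(VIRT_BINARIES):
        return None
    reasons = ["launches a virtualization binary"]
    if not program.startswith(EXPECTED_PREFIXES):
        reasons.append("hypervisor runs from an unexpected path")
    if "/." in program:
        reasons.append("program lives in a hidden directory")
    if any(suffix in arg.lower() for arg in args[1:] for suffix in IMAGE_SUFFIXES):
        reasons.append("boots a disk image passed on the command line")
    if job.get("RunAtLoad") or job.get("KeepAlive"):
        reasons.append("persists across reboots (RunAtLoad/KeepAlive)")
    return Finding(job.get("Label", "<no label>"), program, reasons)


def triage(plists: List[bytes]) -> List[Finding]:
    """Run the check over a set of plist documents and keep only the suspicious jobs."""
    return [f for f in (analyse_launchd_plist(p) for p in plists) if f is not None]


# Constructed sample input: one ordinary maintenance job and one hidden, persistent QEMU job.
BENIGN_PLIST = b"""<?xml version="1.0" encoding="UTF-8"?>
<plist version="1.0"><dict>
<key>Label</key><string>com.example.backup</string>
<key>ProgramArguments</key><array><string>/usr/local/bin/backup</string><string>--nightly</string></array>
<key>RunAtLoad</key><true/>
</dict></plist>"""

SUSPECT_PLIST = b"""<?xml version="1.0" encoding="UTF-8"?>
<plist version="1.0"><dict>
<key>Label</key><string>com.example.hidden-vm</string>
<key>ProgramArguments</key><array>
<string>/Library/Application Support/.hidden/qemu-system-x86_64</string>
<string>-nographic</string><string>-m</string><string>2048</string>
<string>-drive</string><string>file=/Library/Application Support/.hidden/tc.qcow2,format=qcow2</string>
</array>
<key>RunAtLoad</key><true/>
<key>KeepAlive</key><true/>
</dict></plist>"""

if __name__ == "__main__":
    for finding in triage([BENIGN_PLIST, SUSPECT_PLIST]):
        print(finding.label, finding.program)
        for reason in finding.reasons:
            print("  -", reason)
```

On a live system the same function can be fed the contents of each file under /Library/LaunchDaemons, with any hit compared against the list of daemons present before the suspect installer ran.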

Yesterday, Cointelegraph published an in-depth report analyzing various malware deployments within the crypto industry, including for stealth crypto mining.


Hodler’s Digest, June 10–16: Top Stories, Price Movements, Quotes and FUD of the Week

Top Stories This Week

Bitcoin is reportedly producing as much carbon emissions as Kansas City, while Facebook gets some new backers for its crypto project.

CCN casts doubt on shutdown plans as Google appears to correct visibility

Cryptocurrency news outlet CCN (formerly CryptoCoinsNews) is apparently not going through with its total shutdown, as reported earlier this week. The outlet had previously posted a note that a recent Google Core Update had led to a more than 70% visibility drop on mobile overnight, leading the organization to decide to shut down rather than downsize. However, an update this week from CCN Markets Director Jonas Borchgrevink notes that, for an unexplained reason, the crypto outlet’s old domain name, CryptoCoinNews, has been showing up with new 2019 articles on Google, leading the team to decide to keep working. Theories about the visibility drop, which affected other news outlets, have ranged from it being a block of clickbait titles or a ban on conservative outlets by an allegedly “liberal” Google.

U.S. residents will lose access to many altcoins on Binance starting in September

United States residents who use major crypto exchange Binance will lose trading option access for many cryptocurrencies when the exchange puts into action its updated terms of service this September. As reported this week, Binance updated its terms of service to include trading on the platform for U.S. residents, a change that comes shortly after its announcement of a U.S.-exclusive fiat-to-crypto exchange. According to a table created by CryptoPotato, there are a number of cryptos that will no longer have a trading outlet in the U.S., as well as several tokens that will be listed on only one exchange after Binance closes for U.S. residents. However, veteran cryptocurrencies — including XRP, DASH, XLM, ETC and ZRX — will still be listed on four or more other U.S. exchanges.

Sale of Telegram’s token “gram” on exchange Liquid is not official: Source

The announcement this week from crypto exchange platform Liquid that it would be offering encrypted messenger Telegram’s token, gram, in a sale is not officially connected with Telegram, according to a source close to the messaging app. As Cointelegraph had reported earlier this week, Liquid had said that it would be the representative of gram tokens for Gram Asia, which it called the largest holder of the token in Asia. However, in comments to Cointelegraph, a source close to Telegram noted that it was the first time that it had heard of Gram Asia. In separate comments, an investor in Telegram’s token told Cointelegraph that no one has rights to sell the tokens before its official launch. Liquid CEO Mike Kayamori told Cointelegraph that the public sale is the result of an exclusive agreement between Liquid and Gram Asia, without the direct involvement of Telegram.


Bitcoin generates more carbon emissions than some countries, study warns

According to a new report published in the journal Joule, the carbon emissions generated by bitcoin (BTC) are comparable to the whole of Kansas City. According to Christian Stoll, one of the project’s researchers, the energy consumption used in mining the largest cryptocurrency is only growing, noting that the computing power needed to solve a BTC puzzle has more than quadrupled since last year. The study was based on data from IPO filings and IP addresses of some of the largest mining companies, finding that bitcoin is placed around Jordan and Sri Lanka — in international terms — due to its annual emissions of CO2, estimated to be between 22 and 22.9 megatons.

Report: Facebook secures support from dozens of new firms for its crypto project

According to a report from The Block, Facebook has reportedly secured support from dozens of players in the cryptocurrency and blockchain sector for its upcoming, secretive digital currency. The Wall Street Journal had reported earlier this week that Facebook had allegedly received the backing of $10 million each from firms — including Visa, Mastercard, PayPal and Uber — for the project, dubbed “Libra.” The Block cited further materials, noting that the project’s investors also include venture capital firms Andreessen Horowitz and Union Square Ventures, cryptocurrency exchange Coinbase and nonprofit organizations including Mercy Corps. According to a source speaking to The Block, the company aims to gather 100 members in the governing consortium, with a total planned for $1 billion, including all participants.

Winners and Losers

The crypto markets have seen a slight uptick at the beginning of the week, with bitcoin trading at $9,054, ether at $269.54 and XRP at $0.41. Total market cap is at $281 billion.

The top three altcoin gainers of the week are acre, commerce data connection and renos. The top three altcoin losers of the week are tronclassic, segwit2x and hypnoxys.


For more info on crypto prices, make sure to read Cointelegraph’s market analysis.

Most Memorable Quotations

“Some short term pains may be necessary for long term gains. And we always work hard to turn every short term pain into a long term gain.”

CZ, Binance CEO

“If Google thinks that CCN, all of a sudden — remember, literally overnight — is bad, then why not give us the chance to understand the why and give us a way to change before any major update. Instead, we are kicked in the teeth overnight with zero knowledge of what we have done wrong, impacting a team of 60+ people.”

Jonas Borchgrevink, director and founder of CCN Markets and Hawkfish AS

“Millennials don’t carry cash, they date on apps and watch on-demand entertainment. We have to be there, we have to learn from successful tech companies, and we have to provide a universal solution that makes it easy for younger generations to engage with the Church.”

Rick Santorum, former United States senator


FUD of the Week

Blockchain developer Dispatch Labs suffers losses, despite market recovery

Dispatch Labs, a blockchain company, is currently incurring large losses, despite extensive investment and a recovering cryptocurrency market. The blockchain firm had raised over $13 million in a series of private rounds in 2018, with investors including China-based capital firm Fenbushi Capital. Dispatch Labs’ total remaining investment has since dropped to around $6.5 million, with CEO Matt McGraw reportedly noting that the company did not have sufficient over-the-counter availability to liquidate digital currency that could have staved off the threat driven by the market downturn. However, McGraw added that the company has enough working capital to last through the year, taking into consideration the tentative market recovery.

Trend Micro: Cybercriminals use obfuscation trick to install crypto mining malware

Cybersecurity firm Trend Micro confirmed this week that attackers have been exploiting a vulnerability in the Oracle WebLogic server to install monero (XMR) mining malware. The malware uses certificate files as an obfuscation trick to carry out cryptojacking, a process wherein malware uses a computer’s processing power to mine for cryptos without the owner’s consent or knowledge. According to Trend Micro, a security patch for the Oracle WebLogic vulnerability had been released in the national vulnerability database earlier this spring. The report also includes a recommendation for firms using that server to update their software to the latest version with the security patch in order to mitigate the risk of cryptojacking.

Crypto exchange Bittrex to block U.S. users from trading in 32 cryptos

Cryptocurrency exchange Bittrex said this week that it would block its U.S.-based users from trading in 30 cryptocurrencies. According to the announcement, after June 21, American traders will be unable to access a list of coins traded on the exchange, including QTUM and STORJ. Bittrex noted that U.S. users will receive an email with explanations of what they are and are not allowed to do with the aforementioned assets, including selling them for assets that will stay available to them, canceling orders and moving them off the exchange. Once the ban comes into effect, U.S. users will not be able to buy or sell the select coins, and all open orders involving those coins will be cancelled. However, the coins will be transitioned to the Bittrex International platform.


Best Cointelegraph Features

Safe space: A guide to special economic zones for crypto, from China to Switzerland

Cointelegraph takes a look at the types of special economic zones for cryptocurrencies around the world: from some Russian zones, which seem to have paused development, to Switzerland’s Crypto Valley, which is not technically a special economic zone, despite its name.

Exclusive: New report reveals details of Telegram’s TON blockchain

Instant messaging service Telegram and its Telegram Open Network (TON) blockchain have been surrounded in relative secrecy since the project raised $1.7 billion last year. With an exclusive report published on Cointelegraph about the TON blockchain, this analysis goes through the newly revealed TON services in more technical detail for our readers.

“CoinLab is a big stopping block”: Mark Karpeles talks Mt. Gox creditor claims and life after trial

Cointelegraph speaks with Mark Karpeles, former CEO of the now-defunct Mt. Gox, about what’s going on with the much elongated creditor process as well as debunking some of the media rumors around his not-new role at Tristan Technologies.


Trend Micro: Outlaw Hacking Group’s Botnet Is Now Spreading a Monero Miner

Trend Micro claims to have detected a web address spreading a botnet featuring a monero mining component alongside a backdoor.

Cybersecurity company Trend Micro claims to have detected a web address spreading a botnet featuring a monero (XMR) mining component alongside a backdoor. The malware was described on Trend Micro’s official blog on June 13.

Per the report, the firm attributes the malware to Outlaw Hacking Group, as the techniques employed are almost the same used in its previous operations. The software in question also holds Distributed Denial of Service (DDoS) capabilities, “allowing the cybercriminals to monetize their botnet through cryptocurrency mining and by offering DDoS-for-hire services.”

Trend Micro also believes that the creators of the malware in question are still testing and developing it, since it contained some scripts that were included, but not executed. The firm’s telemetry also reportedly detected infection attempts in China.

As Cointelegraph reported earlier this month, Trend Micro had confirmed that attackers have been exploiting a vulnerability in the Oracle WebLogic server to install monero mining malware while using certificate files to obfuscate the endeavor.

In May, Firefox Quantum, the latest version of open-source internet browser Firefox, announced a new privacy toggle that protects against cryptojacking. Users can now toggle an opt-in feature that purportedly blocks would-be cryptojackers from taking advantage of spare computing power to mine cryptocurrencies.


Trend Micro: Cybercriminals Use Obfuscation Trick to Install Crypto Mining Malware

Cybersecurity firm Trend Micro has confirmed that attackers have been exploiting a vulnerability in the Oracle WebLogic server to install XMR mining malware.

Cybersecurity firm Trend Micro has confirmed that attackers have been exploiting a vulnerability in the Oracle WebLogic server to install monero (XMR) mining malware, while using certificate files as an obfuscation trick. The news was revealed in a Trend Micro blog post published on June 10.

As previously reported, forms of stealth crypto mining are also referred to with the industry term cryptojacking — the practice of installing malware that uses a computer’s processing power to mine for cryptocurrencies without the owner’s consent or knowledge.

According to Trend Micro’s post, a security patch for the Oracle WebLogic vulnerability (“CVE-2019-2725”) — reportedly caused by a deserialization error — was released in the national vulnerability database earlier this spring.

However, Trend Micro cites reports that emerged on the SANS ISC InfoSec forum alleging that the vulnerability has already been exploited for cryptojacking purposes, and confirms that it has verified and analyzed the allegations.

The firm notes that the identified attacks deployed what it describes as “an interesting twist” — namely that “the malware hides its malicious codes in certificate files as an obfuscation tactic”:

“The idea of using certificate files to hide malware is not a new one […] By using certificate files for obfuscation purposes, a piece of malware can possibly evade detection since the downloaded file is in a certificate file format which is seen as normal — especially when establishing HTTPS connections.”

Trend Micro’s analysis begins by noting that the malware exploits CVE-2019-2725 to execute a PowerShell command, prompting the download of a certificate file from the command-and-control server.

After continuing to trace its steps and characteristics — including the installation of the XMR miner payload — Trend Micro notes an apparent anomaly in its current deployment:

“[O]ddly enough, upon execution of the PS command from the decoded certificate file, other malicious files are downloaded without being hidden via the certificate file format mentioned earlier. This might indicate that the obfuscation method is currently being tested for its effectiveness, with its expansion to other malware variants pegged at a later date.”

The post concludes with a recommendation to firms using WebLogic Server to update their software to the latest version with the security patch in order to mitigate the risk of cryptojacking.

As recently reported, Trend Micro detected a major uptick in XMR cryptojacking targeting China-based systems this spring, in a campaign mimicking earlier activities that had used an obfuscated PowerShell script to deliver XMR-mining malware.


Trend Micro Detects Major Uptick in New Strain of XMR Malware Targeting China-Based Systems

Cybersecurity firm Trend Micro has detected a major uptick in monero cryptojacking malware targeting China-based systems this spring.

Cybersecurity firm Trend Micro has detected a major uptick in monero (XMR) cryptojacking malware targeting China-based systems this spring. The news was revealed in an official Trend Micro announcement on June 5.

As previously reported, cryptojacking is an industry term for stealth crypto mining attacks that work by installing malware that uses a computer’s processing power to mine for cryptocurrencies without the owner’s consent or knowledge.

The XMR-focused malware — which wields malicious PowerShell scripts for illicit mining activities on Microsoft-based systems — reportedly surged against Chinese targets in mid-May. Hitting a peak on May 22, the wave of cryptojacking attacks has since ostensibly steadied, according to Trend Micro. China accounted for 92% of the firm’s detections of the new strain.

In an analysis of the attacks, the cybersecurity firm identified that this latest campaign resembles a previous wave of activities that used an obfuscated PowerShell script (dubbed “PCASTLE”) to deliver XMR-mining malware. The earlier campaign, by contrast, targeted a host of different countries — notably Japan, Australia, Taiwan, Vietnam, Hong Kong and India.

Trend Micro’s report describes in detail how the malware’s infection chain functions, and notes that while the campaign is focused on one geographic area, it seems to be indiscriminate in terms of industry. Trend Micro also notes that, alongside their cross-industry target field, the attackers’:

“Use of XMRig as their payload’s miner module is […] not surprising. Algorithms for Monero mining are not as resource-intensive compared to other miners, and don’t require a lot of processing power. This means they can illicitly mine the cryptocurrency without alerting users unless they notice certain red flags like performance issues.”

In its conclusion, Trend Micro notes that even while the motivations behind the attackers’ focus on China remain unclear, the campaign demonstrates that fileless malware techniques represent a persistent threat — one of the most prevalent in the current landscape, according to the firm.

As reported earlier this month, Trend Micro also detected a malware dubbed BlackSquid that infects web servers by employing eight different security exploits and installs XMRig monero Central Processing Unit-based mining software.


Trend Micro: BlackSquid Malware Infects Servers to Install Monero Cryptojacking Software

A malware dubbed BlackSquid infects web servers by employing eight different security exploits and installs mining software.

Cybersecurity firm Trend Micro announced that it found a malware dubbed BlackSquid that infects web servers by employing eight different security exploits and installs mining software. The findings were announced in a blog post published on June 3.

Per the report, the malware targets web servers, network drives and removable drives using eight different exploit and brute force attacks. More precisely, the software in question employs “EternalBlue; DoublePulsar; the exploits for CVE-2014-6287, CVE-2017-12615, and CVE-2017-8464; and three ThinkPHP exploits for multiple versions.”

While the sample acquired by Trend Micro installs the XMRig monero (XMR) Central Processing Unit-based mining software, BlackSquid could also deliver other payloads in the future. According to Trend Micro data, most of the instances of the malware in question have been detected in Thailand and the United States.

The malware can reportedly infect a system via three different routes: through a website hosted on an infected server, exploits, and removable or network drives. BlackSquid also cancels the infection protocol if it detects that the username, device driver or the disk drive model suggests that the software is running in a sandbox environment.

As Cointelegraph recently reported, as many as 50,000 servers worldwide have allegedly been infected with an advanced cryptojacking malware that mines the privacy-focused open source cryptocurrency turtlecoin (TRTL).

At the beginning of May, Trend Micro also noted that cybercriminals are now exploiting known vulnerability CVE-2019-3396 for crypto mining in the software Confluence, a workspace productivity tool made by Atlassian.


Firefox Quantum Offers Anti-Cryptojacking Feature

Mozilla’s browser Firefox Quantum has a privacy toggle that protects against cryptojacking.

Firefox Quantum, the latest version of open-source internet browser Firefox, has a new privacy toggle that protects against cryptojacking, according to a blog post by Mozilla on May 21.

Mozilla previously warned in an official blog post that websites can deploy scripts that launch a crypto miner on a user’s machine without them being aware — a practice known as cryptojacking.

To combat these exploitative practices, Mozilla partnered with online privacy company Disconnect to create a crypto mining blocker for their browser. Users can now toggle an opt-in feature that purportedly blocks would-be cryptojackers from taking advantage of spare computing power to mine cryptocurrencies.

Mozilla initially announced that it would block cryptojacking in new browser releases in August 2018. As per a report by Cointelegraph, Firefox featured cryptojacking protection in its Firefox Nightly 68 and Beta 67 versions this April, just prior to the launch of Quantum.

Firefox Quantum also aims to mitigate the practice of so-called “fingerprinting,” which makes a sort of digital fingerprint of a user that is employed to monitor their activities on the internet.

Cryptojacking at the consumer level was called “essentially extinct” by cybersecurity company MalwareBytes on April 23. According to the report:

“Marked by the popular drive-by mining company CoinHive shutting down operations in early March, consumer cryptomining seems to have gone the way of the dodo. Detections of consumer-focused bitcoin miners have dropped significantly over the last year and even from last quarter, while business-focused miners have increased from the previous quarter, especially in the APAC region.”

According to the report, consumer malware detections have gone down by approximately 40%. Businesses, however, are being targeted more heavily by cryptojacking attempts, with business detections increasing by about 7% during the first quarter of 2019.


Crypto Miners Dominate Top 10 List of Most Prolific Malware Threats

The three most prevalent types of malware in April were all crypto miners, according to Check Point Research’s global threat report.

A global threat report has concluded that the three most common malware variants detected in April were crypto miners, according to a news release on May 14.

Check Point Research said Cryptoloot, malware that uses the victim’s computing power to mine for crypto without their knowledge, was last month’s biggest threat. XMRig, open-source software which is used for mining monero (XMR), was in second place. Rounding off the top three was JSEcoin, a JavaScript miner embedded in websites.

Despite their prevalence, the company’s researchers believe that criminals are shifting their focus away from crypto mining. Several popular services used to target unsuspecting computer users, such as Coinhive, have closed. In addition, the collapse in crypto prices at the start of the year meant other strategies were more lucrative.

According to Check Point, multi-purpose trojans are on the rise — with its experts warning this is concerning because of how they steal private data and target databases and backup servers with ransomware demanding up to $1 million.

Maya Horowitz, the company’s threat intelligence and research director, said:

“As these malware constantly morph, it is crucial to have a robust line of defense against them with advanced threat prevention.”

Last month, American software company Symantec detected a spike in a new crypto mining malware, Beapy, that targets enterprises. Beapy is reportedly spread through malicious emails, and according to researchers, its file-based approach to cryptojacking is considerably more profitable for hackers than browser-based tools.

Also in April, two Romanian cybercriminals were convicted in the United States of spreading malware to steal credit card details and illicitly mine crypto.


Malware Shellbot is Now Capable of Shutting Down Other Miners

Cryptojacking malware Shellbot is now armed with new capabilities.

The Shellbot cryptojacking malware has gone through an update and come out with some new capabilities, technology news website TechCrunch reported on May 1.

Per the report, these findings come from Boston-based cybersecurity firm Threat Stack. The company claims that Shellbot, which was first discovered in 2005, has received a major update.

The original Shellbot was capable of brute-forcing the credentials of SSH remote access services on Linux servers protected by weak passwords. The malware then mines privacy-focused monero (XMR). Threat Stack claims that this new-and-improved version is capable of spreading through an infected network and shutting down other miners running on the same machines.

Threat Stack apparently uncovered the new iteration of Shellbot on the Linux server of an unspecified United States company. While it is still unclear how the malware is delivered, the researchers identified three components and found the script used to install it.

The command and control server of the malware is an Internet Relay Chat (IRC) server, which attackers can use to deliver commands and check the status of an infected server. Shellbot was reportedly making about $300 a day, a figure that stands to grow as the malware spreads. Sam Bisbee, chief security officer at Threat Stack, told TechCrunch that the potential of the virus does not end there:

“They are fully capable of using this malware to exfiltrate, ransom, or destroy data.”

As Cointelegraph reported last week, cybersecurity company MalwareBytes declared illicit crypto mining against consumers — also known as cryptojacking — “essentially extinct.”

Just days later, American software security firm Symantec found a spike in a new crypto mining malware that mainly targets corporate networks.