Over 30 Million Users Affected by Hidden Cryptocurrency Miners

Interest in cryptocurrency among cybercriminals continues to grow. In January 2018 alone, several malicious campaigns related to cryptocurrencies were uncovered. For example, criminals have started infecting Oracle WebLogic servers with mining software, major botnet operators are showing increased interest in cryptocurrency, and even ransomware is now disguising itself as cryptocurrency wallets.

Experts at Palo Alto Networks have identified another large-scale malicious campaign spreading hidden Monero cryptocurrency miners targeting regular users. The attackers are using the open-source XMRig solution and are focusing on users in Southeast Asia, North America, and South America.

Infection Map and Attack Methods

The attackers operate in a straightforward manner: they distribute links to various popular file-sharing and cloud storage services, such as 4sync, among regular users. Because the criminals rely on VBS files and links from popular URL shortening services (like Bit.ly and Adf.ly), the exact number of victims cannot be determined; however, researchers estimate that at least 30 million users have been affected. Some complaints from victims are shown in the screenshots below: users genuinely believed they were downloading something useful from the file-sharing service, such as cheat software for Counter-Strike: Global Offensive.
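The delivery chain described above (shortener link, then a script or binary fetched from a file-sharing host) is something a defender can hunt for in web proxy logs. The following detection logic is an added example, not code from the article or from Palo Alto Networks; the log format and the sample lines are constructed, and the host and suffix lists are assumptions based on the services named in the text.

```python
from dataclasses import dataclass
from urllib.parse import urlparse

# Hosts named in the campaign write-up; suffixes and log format are assumptions
SHORTENER_HOSTS = {"bit.ly", "adf.ly"}
FILE_SHARE_HOSTS = {"4sync.com", "www.4sync.com"}
DROPPER_SUFFIXES = (".vbs", ".exe", ".scr")

# Constructed sample proxy log: "<client_ip> <referer|-> <url> <status>"
SAMPLE_LOG = """\
10.0.0.5 - http://bit.ly/2abcXYZ 302
10.0.0.5 http://bit.ly/2abcXYZ http://www.4sync.com/web/directDownload/csgo_cheat.vbs 200
10.0.0.7 - http://example.org/index.html 200
10.0.0.9 http://adf.ly/1QwErTy http://www.4sync.com/web/directDownload/setup.exe 200
10.0.0.11 - http://www.4sync.com/web/directDownload/notes.txt 200
10.0.0.13 - http://www.4sync.com/web/directDownload/update.exe 200
"""

@dataclass
class Alert:
    client: str
    url: str
    severity: str  # "high": shortener -> file-share dropper chain; "medium": dropper only

def _host(url: str) -> str:
    return (urlparse(url).hostname or "").lower()

def parse_line(line: str):
    parts = line.split()
    if len(parts) != 4:
        return None  # malformed line, skip
    client, referer, url, status = parts
    return client, (None if referer == "-" else referer), url, status

def detect_dropper_chain(log_text: str) -> list[Alert]:
    seen_shortener = set()  # clients that hit a shortener earlier in the log
    alerts = []
    for line in log_text.splitlines():
        rec = parse_line(line)
        if rec is None:
            continue
        client, referer, url, status = rec
        if _host(url) in SHORTENER_HOSTS:
            seen_shortener.add(client)
            continue
        path = urlparse(url).path.lower()
        if _host(url) in FILE_SHARE_HOSTS and path.endswith(DROPPER_SUFFIXES) and status == "200":
            # Chain is complete if the download was reached via a shortener,
            # either directly (Referer) or earlier in the same client's history
            via_shortener = (referer is not None and _host(referer) in SHORTENER_HOSTS) \
                or client in seen_shortener
            alerts.append(Alert(client, url, "high" if via_shortener else "medium"))
    return alerts

if __name__ == "__main__":
    for alert in detect_dropper_chain(SAMPLE_LOG):
        print(f"[{alert.severity}] {alert.client} fetched {alert.url}")
```

On the constructed sample this yields two high-severity alerts (clients 10.0.0.5 and 10.0.0.9) and one medium (10.0.0.13); the plain text download from the same host is not flagged.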

Campaign Evolution and Tactics

According to analysts, the malicious campaign has been active for at least four months, during which time the attackers have repeatedly changed their tactics. After November 2017, the campaign operators almost completely abandoned self-extracting (SFX) archives and switched to executable files compiled with the Microsoft .NET Framework. In December 2017, the attackers introduced a dropper written in Borland Delphi. The attack scheme is illustrated in the image below.