Crooks Switch from Ransomware to Cryptocurrency Mining

Criminals behind the VenusLocker ransomware have switched to cryptocurrency mining in their latest campaign targeting computer users in South Korea. Instead of attempting to infect targeted computers with ransomware, the group is now trying to install malware on PCs that mines for Monero, an open-source cryptocurrency.

The shift was spotted by FortiGuard Labs, which said the group behind the attacks is attempting to capitalize on a surging cryptocurrency market.

“With more and more people realizing that cryptocurrency is potentially a significantly profitable investment, this rise is likely to continue for the foreseeable future. And where there is profit, that is where malware attacks will gather,” wrote FortiGuard in a report Wednesday.

Researchers said the shift by threat actors is also spurred by anti-ransomware mitigation efforts that have made infecting systems with malware harder.

“This past October Microsoft added a Controlled folder access feature to Windows Defender Security for Windows 10 users to prevent malicious (or unexpected) alteration of important files. Features such as this can effectively thwart ransomware attacks. Which is probably part of the reason why the threat actors behind VenusLocker decided to switch targets,” researchers said.

Why Monero, and not the surging Bitcoin? According to FortiGuard, Monero’s mining algorithm is designed for ordinary computers. Bitcoin, on the other hand, requires higher-end systems equipped with Application-Specific Integrated Circuits or high-end GPUs, according to researchers.

“The second reason is Monero’s promise of transaction anonymity. With Bitcoin, a wallet is a public record,” researchers wrote. Monero’s wallet uses “stealth addresses” along with “transaction mixing” allowing criminals to cloak account activity.

Those behind VenusLocker, and now Monero mining malware, are targeting South Korean users via phishing campaigns. Emails contain malicious attachments compressed in EGG archive format, developed by ESTsoft, a South Korean tech firm.

Ploys include a fake message from a website insisting that recipients open an accompanying attachment containing important personal breach information pertaining to a recent hack of that website. Another message insists that the recipient open the malicious attachment in order to view copyright-protected images illegally used on the target’s website.

“Once the malware is executed, an embedded binary of the Monero CPU miner XMRig v2.4.2 is executed. As a basic attempt to hide this resource hogging operation, the miner is executed as a remote thread under the legitimate Windows component wuapp.exe, which is executed beforehand to avoid raising suspicions,” researchers describe.
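The execution pattern described above (wuapp.exe started by the dropper, then a remote thread created inside it) is something a defender can look for in endpoint telemetry. The following is an added example, not code from the report or from FortiGuard: it runs a simple check over constructed Sysmon-style events (Event ID 1 process creation and Event ID 8 CreateRemoteThread, using Sysmon’s field names) and flags wuapp.exe launches or remote threads that originate outside the Windows directory. The sample events, paths and process IDs are all made up for illustration.

```python
import json
from typing import Iterable, List, Tuple

# Constructed Sysmon-style events (not from the report). The first and last
# are a normal Windows Update launch and a system-originated thread; the
# middle two mimic the pattern described in the article: wuapp.exe started
# by a file dropped in %TEMP%, then a remote thread created inside it.
SAMPLE_EVENTS = [
    r'{"EventID": 1, "ProcessId": 3004, "Image": "C:\\Windows\\System32\\wuapp.exe", "ParentImage": "C:\\Windows\\System32\\svchost.exe"}',
    r'{"EventID": 1, "ProcessId": 4120, "Image": "C:\\Windows\\System32\\wuapp.exe", "ParentImage": "C:\\Users\\victim\\AppData\\Local\\Temp\\notice.exe"}',
    r'{"EventID": 8, "SourceProcessId": 4098, "SourceImage": "C:\\Users\\victim\\AppData\\Local\\Temp\\notice.exe", "TargetProcessId": 4120, "TargetImage": "C:\\Windows\\System32\\wuapp.exe"}',
    r'{"EventID": 8, "SourceProcessId": 612, "SourceImage": "C:\\Windows\\System32\\csrss.exe", "TargetProcessId": 3004, "TargetImage": "C:\\Windows\\System32\\wuapp.exe"}',
]

WINDOWS_DIR = "c:\\windows\\"   # crude allowlist: binaries under the Windows directory
TARGET = "wuapp.exe"            # the legitimate component the miner hides behind


def _basename(path: str) -> str:
    return path.rsplit("\\", 1)[-1].lower()


def _in_windows_dir(path: str) -> bool:
    return path.lower().startswith(WINDOWS_DIR)


def detect_wuapp_injection(lines: Iterable[str]) -> List[Tuple[str, int]]:
    """Return (reason, pid-of-wuapp.exe) for each suspicious event.

    Rule 1: wuapp.exe created by a parent outside the Windows directory.
    Rule 2: a remote thread created in wuapp.exe by a source outside it.
    """
    alerts: List[Tuple[str, int]] = []
    for line in lines:
        ev = json.loads(line)
        eid = ev.get("EventID")
        if eid == 1 and _basename(ev["Image"]) == TARGET \
                and not _in_windows_dir(ev["ParentImage"]):
            alerts.append(("wuapp.exe launched by non-system parent",
                           ev["ProcessId"]))
        elif eid == 8 and _basename(ev["TargetImage"]) == TARGET \
                and not _in_windows_dir(ev["SourceImage"]):
            alerts.append(("remote thread created in wuapp.exe from non-system source",
                           ev["TargetProcessId"]))
    return alerts


if __name__ == "__main__":
    for reason, pid in detect_wuapp_injection(SAMPLE_EVENTS):
        print(f"ALERT pid={pid}: {reason}")
```

The path-based allowlist is deliberately simple; in production it should be paired with signer checks and a sustained-CPU signal, since a renamed dropper placed under C:\Windows would slip past this rule.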

Researchers also noted many similarities between the hidden-file attribute and shortcut-file tricks used to fool users in the VenusLocker malware and in the mining malware.

“An interesting observation is that this same scheme has been used by VenusLocker in the past. To confirm this assumption, we had to take a closer look at the shortcut files’ metadata, and sure enough, we found a direct relation to the ransomware. Aside from the target paths, the shortcut files used during the VenusLocker ransomware period are practically identical to the ones being used in this campaign,” researchers said.

FortiGuard researchers say the switch to cryptocurrency mining by ransomware crooks is a growing trend that could extend into 2018. “With cryptocurrency values being more enticing than ever, it is a real possibility,” they said.

Source: ThreatPost
