A new version of the NRSMiner is actively spreading in the southern region of Asia. The majority of detections (54%) have been found in Vietnam, followed by Iran (16%) and Malaysia (12%). The new version either updates existing NRSMiner infections, or spreads to new systems using the EternalBlue exploit.
EternalBlue is one of the NSA exploits stolen by the Shadow Brokers and leaked to the public. It was patched by Microsoft in March 2017, leaked by Shadow Brokers in April 2017, and used by WannaCry in May 2017. That EternalBlue is still being used to spread malware nearly two years after it was patched by Microsoft points to a massive failure in patching.
The cryptocurrency craze of 2018 helped drive a 1,500 percent increase in coinmining malware when compared to 2017, according to eSentire.
Coinmining malware mines cryptocurrency (typically Monero) directly on infected endpoint devices (CoinMiner) or in web browsers (Coinhive) when a user visits a website running malicious code. Once a device is infected, the coinmining malware silently mines cryptocurrency while consuming a significant share of processor cycles. With the recent decline in the value of cryptocurrencies, the computing, power and cooling costs of legitimately mining cryptocurrencies now exceed their value on the open market. Monero-based malware does not face these same economic challenges, as all of the mining costs are absorbed by the device owner.
A recently discovered piece of malware targeting Mac systems is a combination of two open-source programs, Malwarebytes security researchers warn. Detected as DarthMiner, the threat is distributed through an application called Adobe Zii, which supposedly helps in the piracy of various Adobe programs, but which in this case does nothing of the sort.
The fake application was designed to run a shell script that downloads and executes a Python script, and then downloads and runs an app named sample.app, which appears to be a version of Adobe Zii, most likely to hide the malicious activity.
The number of cryptomining attacks increased by more than 83 percent in the past year, with more than 5 million people attacked with the malware in the first three quarters of 2018. That’s compared to 2.7 million people over the same period in 2017, according to stats from Kaspersky Lab.
The firm’s research also found that cryptomining attacks increased steadily during the first half of the year, peaking in March, when around 1.2 million users faced an attack. Kaspersky Lab researchers found that drivers behind this ramp aren’t necessarily the most obvious: The analysis revealed that neither cryptocurrency legislation nor the falling cost of power has a significant impact on the spread of malicious cryptominers.
Read more about the findings of the new research on Threatpost.
Malware targeting Linux users may not be as widespread as the strains targeting the Windows ecosystem, but Linux malware is becoming just as complex and multi-functional over time.
The latest example of this trend is a new trojan discovered this month by Russian antivirus maker Dr.Web. This new malware strain doesn’t have a distinctive name yet and is tracked only under its generic detection name, Linux.BtcMine.174. Despite the generic name, the trojan is more complex than most Linux malware, mainly because of the plethora of malicious features it includes.
Read more about the sophisticated new Linux malware on ZDNet.
Hackers have been stealing CPU cycles from visitors to the Make-A-Wish Foundation’s international website in order to mine Monero cryptocurrency. Researchers said they found the CoinIMP mining script embedded in the non-profit’s website, and that the attackers had taken advantage of the Drupalgeddon 2 vulnerability to plant it.
Trustwave researchers discovered the cryptominer on the Make-A-Wish International’s website and said it had been active since May. Make-A-Wish International is the global arm of the US-based Make-A-Wish Foundation.
Read more about the cryptojacking attack on Threatpost.
If exploits and malware were stocks and bonds, the third quarter of 2018 would have been a bull market. That’s the broad takeaway from Fortinet’s Q3 2018 “Global Threat Landscape Report,” which found malware, exploits, and threats all on the increase. From July through September, unique malware variants grew 43%, while the number of malware families grew by nearly 32%.
Despite those numbers, Anthony Giandomenico, senior security strategist/researcher at FortiGuard Labs, says cryptojacking is one of the more serious threats he’s seeing. Giandomenico realizes that many researchers view cryptojacking as more of an annoyance, but he sees two problems with that view.
Read more about the findings of the Fortinet report on DarkReading.
The latest Check Point Global Threat Index reveals that while cryptomining malware continues to dominate the rankings, a remote access trojan has reached the top ten list for the first time. During the month of October, Check Point researchers discovered a widespread malware campaign spreading a remote access trojan (dubbed “FlawedAmmyy”) that allows attackers to take over victims’ computers and data.
Meanwhile, cryptomining malware continues to lead the Index, with Coinhive the most prevalent malware with a global impact of 18%, while Cryptoloot has risen to second on the list impacting 8% of organizations worldwide.
McAfee Labs researchers have discovered new Russian malware, dubbed WebCobra, which harnesses victims’ computing power to mine for cryptocurrencies. WebCobra silently drops and installs the Cryptonight miner or Claymore’s Zcash miner, depending on the architecture WebCobra finds. This cryptocurrency mining malware is uncommon in that it drops a different miner depending on the configuration of the machine it infects.
The researchers believe this threat arrives via rogue PUP installers. They have observed it across the globe, with the highest number of infections in Brazil, South Africa, and the United States.
Read more about the WebCobra cryptojacking malware on McAfee.
As the popularity of cryptocurrency rises, so does the number of cryptominer Trojans being created and distributed to unsuspecting victims. One problem for cryptominers, though, is that the offending process is easily detectable because of its heavy CPU utilization. To make it harder to spot a cryptominer process that is using all of the CPU, a newly discovered Linux variant attempts to hide its presence with a rootkit.
According to a new report by TrendMicro, this new cryptominer+rootkit combo will still cause performance issues due to the high CPU utilization, but administrators will not be able to detect what process is causing it.
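One way an administrator can still find a CPU-hungry process that a rootkit hides from `ps` and `top`, as an added example that is not from the TrendMicro report or this article: list `/proc` the normal way, then probe every possible PID with `kill(pid, 0)` and compare the two views. The example assumes a userland rootkit that filters `/proc` directory listings (the page does not say which hiding technique this variant uses; a kernel-level rootkit could lie to both views). The `ticks_from_stat` parser and the sample stat lines in the test are constructed for illustration.

```python
"""Added example: cross-view check for mining processes hidden from /proc listings."""
import os

def listed_pids():
    """PIDs reported by a plain directory listing of /proc, the view a
    userland rootkit typically filters (assumed technique, not stated on the page)."""
    return {int(name) for name in os.listdir("/proc") if name.isdigit()}

def probed_pids(pid_max):
    """PIDs that exist according to kill(pid, 0), tried one by one instead of readdir().
    Short-lived processes can cause transient differences, so re-run before acting."""
    alive = set()
    for pid in range(1, pid_max + 1):
        try:
            os.kill(pid, 0)
            alive.add(pid)
        except ProcessLookupError:
            continue            # no such process
        except PermissionError:
            alive.add(pid)      # exists, but is owned by another user
    return alive

def hidden_pids(listed, probed):
    """Pure set difference so the logic can be tested without touching /proc."""
    return set(probed) - set(listed)

def ticks_from_stat(stat_text):
    """utime + stime (clock ticks) from the text of /proc/<pid>/stat.
    The comm field is split off at the last ')' because it may contain spaces."""
    fields = stat_text.rsplit(")", 1)[1].split()
    return int(fields[11]) + int(fields[12])   # stat(5) fields 14 and 15

def cpu_ticks(pid):
    """CPU ticks for a live PID, or None when its stat file is unreadable (also suspicious)."""
    try:
        with open(f"/proc/{pid}/stat") as fh:
            return ticks_from_stat(fh.read())
    except OSError:
        return None

if __name__ == "__main__":
    with open("/proc/sys/kernel/pid_max") as fh:
        pid_max = int(fh.read())
    hidden = hidden_pids(listed_pids(), probed_pids(pid_max))
    if not hidden:
        print("no PIDs hidden from the /proc listing")
    for pid in sorted(hidden):
        print(f"hidden PID {pid}: cpu ticks={cpu_ticks(pid)}")
```

A hidden PID whose tick count keeps climbing between two runs is the process consuming the CPU the report describes.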