Cybercriminals change their preferences: they would rather mine cryptocurrency than spread ransomware

According to research carried out by the University of Cambridge, the market capitalization of cryptocurrencies has more than tripled since the beginning of last year and it will not end there. More and more people are realizing that investing in cryptocurrencies can be very profitable. In turn, where there is a profit, attacks of cybercriminals also appear.

Analysts from Fortinet's FortiGuard Labs have discovered new malware, similar to previously known samples, that targets the cryptocurrency market. The criminal group behind the VenusLocker ransomware is responsible for its creation.

The authors of this malware have changed their way of acting and paid attention to Monero, an open-source cryptocurrency created in April 2014, which currently costs about USD 400.

How does Monero Miner work?

The malware is designed to mine cryptocurrency for the criminals on the victim's computer. The attack arrives as a phishing e-mail. For example, one variant pretends to come from an online clothing retailer which claims that the recipient's data was exposed as a result of a site hack. Of course, the e-mail prompts the recipient to open an infected attachment for more details and instructions. Another variant informs the recipient that he is legally liable for using graphics on his website without the consent of their creators, and recommends opening the attachment to check the files in question.

XMRig is launched by a system component, which in turn is launched by the malware from the attachment.

After the malicious software is loaded, the Monero CPU miner binary XMRig v2.4.2 is run. To hide this operation, the malware masquerades as wuapp.exe, which is launched earlier, so that the miner does not arouse suspicion.
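Process-name masquerading of the kind described above is something an endpoint team can check for directly. The following is an added example, not code from the article or from Fortinet: it scans a snapshot of running processes and flags any whose file name matches a Windows system binary (wuapp.exe is taken from the campaign; the other names, the trusted directories and the miner command-line patterns are assumptions) but which runs from outside the system directory, or whose command line carries options typical of XMRig-style miners. The process list is constructed for illustration.

```python
"""Flag processes that masquerade as Windows system binaries (e.g. wuapp.exe)
or whose command line looks like a cryptocurrency miner.

Added example; not code from the article or from Fortinet. The process
snapshot at the bottom is constructed, not real telemetry."""
import re
from typing import Dict, List

# Legitimate Windows binary names that malware likes to imitate. wuapp.exe is
# the name used in the campaign described in the article; the rest are assumed.
SYSTEM_BINARY_NAMES = {"wuapp.exe", "svchost.exe", "explorer.exe", "lsass.exe"}

# Directories from which a genuine copy of those binaries is expected to run
# (assumption: adjust to the images in your own environment).
TRUSTED_DIRS = {r"c:\windows\system32", r"c:\windows\syswow64"}

# Command-line fragments typical of XMRig-style miners: a stratum pool URL,
# the donate-level option, or "-o host:port". Assumed for illustration.
MINER_CMDLINE_PATTERNS = [
    re.compile(r"stratum\+(tcp|ssl)://", re.I),
    re.compile(r"--donate-level", re.I),
    re.compile(r"(^|\s)-o\s+\S+:\d+", re.I),
]


def is_masquerading(image_path: str) -> bool:
    """True if the file name is a known system binary but it runs from an
    unexpected directory (e.g. a user's AppData folder instead of System32)."""
    normalized = image_path.replace("/", "\\").lower()
    directory, _, name = normalized.rpartition("\\")
    if name not in SYSTEM_BINARY_NAMES:
        return False
    return directory not in TRUSTED_DIRS


def looks_like_miner(cmdline: str) -> bool:
    """True if any miner-typical option or pool URL appears in the command line."""
    return any(p.search(cmdline) for p in MINER_CMDLINE_PATTERNS)


def triage(processes: List[Dict]) -> List[Dict]:
    """Return one finding per suspicious process, with the reason(s) it was flagged."""
    findings = []
    for proc in processes:
        reasons = []
        if is_masquerading(proc["image"]):
            reasons.append("system-binary name outside system directory")
        if looks_like_miner(proc.get("cmdline", "")):
            reasons.append("miner-like command line")
        if reasons:
            findings.append({"pid": proc["pid"], "image": proc["image"], "reasons": reasons})
    return findings


# Constructed process snapshot for the demonstration (not real telemetry).
SAMPLE_PROCESSES = [
    {"pid": 612, "image": r"C:\Windows\System32\wuapp.exe", "cmdline": "wuapp.exe"},
    {"pid": 4120, "image": r"C:\Users\victim\AppData\Roaming\wuapp.exe",
     "cmdline": "wuapp.exe -o stratum+tcp://pool.example:3333 -u WALLET_PLACEHOLDER --donate-level 1"},
    {"pid": 5500, "image": r"C:\Users\victim\Downloads\invoice.exe", "cmdline": "invoice.exe"},
]

if __name__ == "__main__":
    for finding in triage(SAMPLE_PROCESSES):
        print(finding)
```

Run against the sample snapshot, only PID 4120 is reported, for both reasons: the genuine wuapp.exe in System32 passes, and invoice.exe is left alone because nothing about its name or command line is miner-like. In a real deployment the snapshot would come from an EDR export or a Sysmon process-creation feed, and the trusted-directory check is best combined with a signature or hash check on the image, since a name-and-path rule alone is easy to evade.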

The XMRig source is available on GitHub.

Interestingly, the same scheme has been used in the past by the VenusLocker ransomware.

"To confirm this, FortiGuard Labs analysts looked at the metadata of the shortcut files and found a direct link with the ransomware. Apart from the target paths, the shortcut files used in the VenusLocker ransomware are virtually identical to those used in this campaign," explains Robert Dąbrowski, head of the Fortinet engineering team.

Why Monero?

Why are cybercriminals not focusing on Bitcoin, but on the much lower-priced Monero? There are two main reasons.

First of all: the Monero mining algorithm is designed for ordinary computers, unlike Bitcoin, which requires specialized hardware such as application-specific integrated circuits (ASICs) or high-end graphics processors. Criminals therefore choose this cryptocurrency because it lets them run far more extensive campaigns on ordinary infected machines.

The second reason is the promise of anonymous Monero transactions, which use so-called "stealth addresses" together with "transaction mixing", so there is no real transparency into who paid whom.

We can only guess whether the shift of interest from ransomware to cryptocurrency mining is the beginning of a new trend for the coming year. The likely reason for this "re-shaping" of criminal groups is the significant effort the cybersecurity industry has put into fighting ransomware attacks. As a result, extorting a ransom is not as easy as it used to be.


We use Google Cloud Translation and Gengo API’s to translate articles with exception of our comparative tests.