Cybersecurity Firm Detects Cryptojacking Malware on Make-A-Wish Foundation Website

Hackers have infected the website of global non-profit organization the Make-A-Wish Foundation with cryptojacking malware, according to a report by cybersecurity firm Trustwave posted Nov. 19.

According to Trustwave researchers, crypto jackers managed to incorporate a JavaScript (JS) miner CoinImp into the domain in order to illicitly mine privacy-focused cryptocurrency Monero (XMR). Similarly to the notorious Monero mining software CoinHive, CoinIMP has reportedly been using the computing power of website visitors to mine cryptocurrency.

Per the report, the CoinImp script infected the website through the domain, which is associated with another campaign that exploited a critical Drupal vulnerability to compromise websites since May 2018.

The researchers noted that the recently detected campaign deployed a number of techniques to evade detection, including alterations of its already obfuscated domain name, as well as different domains and IPs in a WebSocket proxy.

Trustwave reportedly contacted Make-A-Wish in order to report the cryptojacking attack, but the foundation did not respond. However, the malicious injected script was eventually removed shortly after Trustwave attempted to reach the foundation, according to the report.

According to data acquired by Bloomberg, scales of cryptocurrency mining attacks have surged up to 500 percent in 2018. Recently, Internet security provider and research lab McAfee Labs uncovered a new Monero-mining malware called WebCobra that allegedly originates from Russia.

Earlier in November, Japanese global cybersecurity company Trend Micro detected a new strain of crypto-mining malware targeting PCs running Linux.

Source link

New Linux-Targeting Crypto-Mining Malware Combines Hiding and Upgrading Capabilities

Japanese multinational cybersecurity firm Trend Micro has detected a new strain of crypto-mining malware that targets PCs running Linux, according to a report published Nov. 8.

The new strain is reportedly able to hide the malicious process of unauthorized cryptocurrency-mining through users’ CPU by implementing a rootkit component. The malware itself, detected by Trend Micro as Coinminer.Linux.KORKERDS.AB, is also reportedly capable of updating itself.

According to the report, the combination of hiding and self-upgrading capabilities gives the malware a great advantage. While the rootkit fails to hide the increased CPU usage and the presence of a running crypto-mining malware, it is also improved by updates, which can completely repurpose the existing code or tools by editing a few “lines of code,” the report notes.

The new crypto-mining malware strain infects Linux PCs via third-party or compromised plugins. Once installed, the plugin reportedly gets admin rights, with malware able to be run with privileges granted to an application. In this regard, Trend Micro mentioned another case of Linux-targeting crypto malware that used the same entry point, and took place in September this year.

Based on web server statistics, the estimated market share of Linux on personal computers amounted to around 1.8 percent in 2016. The share of Microsoft Windows systems in 2016 was around 89.7, while Mac OS served around 8.5 percent of users.

Recently, Cointelegraph reported that a group of South-Korean hackers will face trial for a cryptojacking case that allegedly infected more than 6,000 computers with malicious crypto-mining malware.

In September, a report revealed that leaked code targeting Microsoft systems, which hackers allegedly stole from the U.S. National Security Agency (NSA), sparked a fivefold increase in cryptocurrency mining malware infections.

Source link

Experts Warn of Cryptojacking Malware That Mimics Adobe Flash Updates

Researchers have identified cryptojacking malware that conceals itself behind a fake Adobe Flash update. The finding has been revealed in a cyber threat report published by Unit 42 research group on Oct. 11.

Cryptojacking is the practice of using a computer’s processing power to mine for cryptocurrencies without the owner’s consent or knowledge.

According to new research released by Unit 42, Palo Alto Networks’ threat intelligence team, the malware strain surreptitiously compels computers to mine Monero (XMR) by installing an “XMRig cryptocurrency miner.”

The new malware is said to be particularly harmful, as the developers have copied the pop-up notification from an official Adobe installer. Moreover, the download really does update targets’ computers with the latest version of Flash, further adding to its seeming legitimacy. 

Unit 42 analyst Brad Duncan has stated that:

“In most cases, fake Flash updates pushing malware are not very stealthy… [but in this instance, b]ecause of the latest Flash update, a potential victim may not notice anything out of the ordinary.”

Unit 42 reportedly uncovered the strain while searching for “popular” fake Flash updates using AutoFocus, a Palo Alto Networks intelligence tool:

“77.. malware samples are identified with a CoinMiner tag in AutoFocus.The remaining 36 samples share other tags with those 77 CoinMiner-related executables.”

As previously reported, coin miner works by using Coinhive – a JavaScript program created to mine Monero via a web browser. According to Unit 42, samples that deceptively mimic and install an actual Flash update have been in circulation as of August 2018.

Just yesterday, Iran’s cybersecurity authority issued a report that claimed that the highest number of recorded incidents of Coinhive infection have taken place in Brazil;  India came in second, followed by Indonesia.

As reported in September, cryptojacking malware reports are said to have surged almost 500 percent in 2018. According to estimations in June, around 5 percent of the total circulating Monero supply was mined using malware.

Source link

Fortnite Gamers Targeted by Malware That Steals BTC Addresses

Cybersecurity firm Malwarebytes has found that scammers are using malware that targets the Bitcoin (BTC) wallet addresses of Fortnite gamers, according to a post published October 2.

Fortnite is currently one of the most popular video games in the world, with reports suggesting that 125 million people are active players.

Malwarebytes has investigated the game’s online ecosystem and found that “con artists” are sneaking malicious data theft code into downloads that apparently promise “free” season six Fortnite Android versions, among other “bogus cheats, wallhacks and aimbots.” So-called “free V-Bucks” – an in-game currency that can be used to purchase additional gaming content – also conceal malicious packages of code, according to the investigation.

Malwarebytes found that these deceptive links are promoted via scammers’ youtube channels, which redirect users to downloads that conceal the malware. For one malicious file, the investigation reportedly found that over 1,200 downloads had already been completed; Malwarebytes’ detection methods identified the file as “Trojan.Malpack,” and found that it was a data stealer targeting Bitcoin wallets, browser session information, cookies, and other data.

The file in question reportedly attempted to redirect the siphoned information “via a POST command to an /index.php file in the Russian Federation, courtesy of the IP address 5(dot)101(dot)78(dot)169.”

Malwarebytes further warned that the accompanying readme file to the malware advertises the option to purchase more Fortnite game cheats “for $80 Bitcoin.” The investigation noted that other types of suspiciously packaged code use a process known as “Stealer.exe,” and post the ill-gotten data to “to /gate.php instead of index.php.”

As previously reported, multiple cybercrime threat analyses this year have emphasized the rising popularity of crypto mining malware – or cryptojacking – among hackers. In late September, McAfee Labs released data suggesting that total samples of one type of such malware known as “coin miner” had risen by 86 percent in the second quarter of 2018.

Source link

Amateur Cryptojackers and Apple Macs Emerge as Two Mining Malware Trends for 2018

2017 was a big year for cryptojacking. It increased by 8,500 percent, according to figures published by Symantec in March. And it would seem that 2018 has so far been an even bigger year for mining malware, as the Cyber Threat Alliance September report revealed that, beginning on Jan. 1, cryptojacking still had room to increase by a further 500 percent.

However, beneath this simple outline of growth, there is a bigger, more complicated picture. Despite reports from some quarters showing that mining malware detections increased in the first two quarters of 2018, other reports suggest that they have in fact decreased.

And while the overall growth in mining malware since last year has been attributed to the volatility of cryptocurrency prices and the existence of software bugs, other factors have played a significant role, such as the involvement of amateur cryptojackers and the cost of mining legitimately.

Amateur cryptojackers

If there’s one dominant trend this year in the underworld of cryptojacking, it’s that most mining malware focuses on Monero. Indeed, Palo Alto Networks revealed in July that Monero accounts for 84.5 percent of all detected malware, compared to 8 percent for Bitcoin and 7 percent for other coins.

The reason for this is simple: Monero (XMR) is not only a privacy coin, but also the most valuable privacy coin by market cap — and 10th overall. Using the Cryptonight proof-of-work (PoW) algorithm, it mixes the user’s inputs with those of other users, and it also uses “ring confidential transactions” that obscure the amount of XMR being transferred. It’s therefore ideal for cybercriminals.

Monero was already the most popular coin for cryptojackers in 2017, but a number of new developments have emerged in 2018 to distinguish this year from its predecessor. Most notably, cryptojacking is increasingly becoming the province of amateur ‘hackers,’ who are lured into the illicit activity by the cheap availability of mining malware and by obvious financial rewards. According to Russian cybersecurity firm Group-IB, the dark web is “flooded with cheap mining software,” which can often be purchased for as little as $0.50.

Such software has become abundant this year: In 2017, Group-IB encountered 99 announcements regarding for-sale cryptojacking software on underground forums, while in 2018 it counted 477, signalling an increase of 381.8 percent. As the firm notes in its report:

Low entry barrier to the illegal mining market results in a situation where cryptocurrency is being mined by people without technical expertise or experience with fraudulent schemes.”

More growth

PCIn other words, cryptojacking has become a kind of hobbyist crime, popular among thousands of amateur hackers. This would perhaps account for why there has been a marked increase in detections this year, with Kaspersky Labs informing Cointelegraph that the number of PC cryptojacking victims increased from 1.9 million in 2016/17 to 2.7 million in 2017/18. Evgeny Lopatin — a malware analyst at Kaspersky Lab – shared:

“The mining model […] is easier to activate and more stable [than other attack vectors]. Attack your victims, discreetly build cryptocurrency using their CPU or GPU power and then transfer that into real money through legal exchanges and transactions.”

Of course, whenever “detections” are mentioned, the possibility arises that any increase is largely the result of an improvement in detection measures. “However, this is not the main driver here, as we see actual growth,” says Lopatin.

“Our analysis shows that more and more criminals increasingly use crypto miners for malicious purposes across the world.”

McAfee noted in a report from April that the vast majority of its detections were of CoinMiner, a piece of malware that surreptitiously inserts code taken from the CoinHive XMR mining algorithm into the victim’s computer. This occurs when the victim downloads an infected file from the web, but what’s new in 2018 is that such a vulnerability now affects Apple Macs as well, which had previously been regarded as much more secure than its Windows rivals.

This development was noted by United States security firm Malwarebytes, which in a May blog post reported on the discovery of a new malicious crypto miner that harnesses the legit XMRig miner. Thomas Reed, the director of Mac and mobile at the company, wrote:

“Often, Mac malware is installed by things like fake Adobe Flash Player installers, downloads from piracy sites, [and] decoy documents users are tricked into opening.”

In fact, this wasn’t the first piece of Mac mining malware it had discovered, with Reed stating that it “follows other cryptominers for macOS, such as Pwnet, CpuMeaner and CreativeUpdate.”


However, while cryptojacking has become more of an amateur-driven phenomenon, it still remains the case that many of this year’s exploits can be traced to more ‘elite’ sources. Cybersecurity firm Proofpoint reported at the end of January that Smominru, a cryptojacking botnet, had spread to over half a million computers — largely thanks to the National Security Agency, which had discovered a Windows bug that was then leaked online.

This vulnerability is better known as EternalBlue, which most famously was responsible for the WannaCry ransomware attack/incident of May 2017. And according to Cyber Threat Alliance (CTA), it’s another big factor in this year’s 459 percent increase in cryptojacking.

Worryingly, the CTA’s report suggests that cryptojacking is only likely to increase as it becomes more successful and profitable:

“[Cryptojacking’s] influx of money could be used for future, more sophisticated operations by threat actor groups. For instance, several large-scale cryptocurrency mining botnets (Smominru, Jenkins Miner, Adylkuzz) have made millions of dollars.”

And things are already bad enough in the present, with the CTA writing that infection by mining malware comes with steep costs for victims.

“Taken in aggregate, when criminals install cryptocurrency miners in large enterprise networks, the costs in excess energy usage, degraded operations, downtime, repairs of machines with physical damage and mitigation of the malware in systems incurred by the victims far outweigh the relatively small amount of cryptocurrency the attackers typically earn on a single network.”


The mention of costs is significant when it comes to cryptojacking, not just for (potential) victims, but also for perpetrators. That’s because cryptojacking is essentially the theft of electricity and CPU, which implies that it will continue being prevalent not only for as long as Monero and other coins remain valuable, but also for as long as it remains expensive to mine XMR and other cryptos.

According to CryptoCompare’s profitability calculator for Monero, an individual U.S.-based miner using a graphics card capable of a 600 H/s hash rate (e.g., the Nvidia GTX 1080) and using 100W of power (a very conservative estimate) will make only $0.8033 in profit every month. This, clearly, isn’t especially promising, which is a large part of the reason why so many amateurs have turned to cryptojacking, since mining XMR while paying for your own electricity just isn’t fruitful when you’re not a big mining company.

There are, however, recent signs that Monero mining has become more profitable, even for the smaller miner. This came after its hard fork on April 6, which changed its PoW protocol so as to make it incompatible with ASIC miners, which tend to dominate mining (particularly in the case of Bitcoin).

As soon as this hard fork was completed, reports came from the Monero subreddit that profitability had increased by 300 percent or even 500 percent, although this boost was soon lost in the following weeks, according to BitInfoCharts.

MONEROLikewise, Monero itself has been cautious with regard to promising that it can resist ASIC mining equipment forever. “Thus, it is recognized that ASICs may be an inevitable development for any proof-of-work [cryptocurrency],” wrote developers dEBRYUNE and dnaleor in a February blog. “We also concede that ASICs may be inevitable, but we feel that any transition to an ASIC-dominated network needs to be as egalitarian as possible in order to foster decentralization.”


Assuming that it has become more profitable to mine XMR legitimately, this would account for a flattening in cryptojacking growth that has been observed by some cybersecurity firms. In its Q2 2018 report, Malwarebytes revealed that mining malware detections dropped from a peak of 5 million at the beginning of March, to a low of 1.5 million at the beginning of June. This decline may contradict what other analysts have reported this year, but given that Malwarebytes’ research is the most recent in terms of the dates covered, it’s arguably the most authoritative.

It’s not clear whether this decline is the result of an increase in profitability for legit Monero miners, of business and individuals wising up to the threat of cryptojacking, or of a general decline in the value of cryptocurrencies. Regardless, Malwarebytes predict that “Cryptocurrency miners will be going out of style” as a cybersecurity threat. “Of course, we are still going to see plenty of miners being distributed and detected,” its report concludes. “However, it looks like we are at the tail end of the ‘craze.'”

Source link

Crypto Mining Malware Grows by 86% in Q2, Over 2.5 Mln New Coin Miner Samples

The number of crypto mining malware attacks used by hackers has continued rising, with total samples growing by 86% in the second quarter of 2018, according to the latest threat report by cybersecurity firm McAfee Labs released September 25.

In the report, cybersecurity experts stated more that than 2.5 million new malware coin miner samples were found in Q2. In comparison, the number of crypto malware attacks in Q1 amounted to around 2.9 million, which is a 629 percent rise from around the 400,000 samples found in Q4 2017.

The report concluded that coin miner malware “remains very active,” following the general surge of crypto mining malware with “new coin miner threats [that] have jumped massively in 2018.”

Coin miner threats statistics. Source: McAfee Labs, 2018

Specifically, the report stresses the fact that cybercriminals have found “new angles” of illegal coin mining to raise profits, which is coming on the heels of a surge in popularity of crypto and blockchain technology. McAfee Labs also cited the recent threat report named “Don’t Join Blockchain Revolution Without Ensuring Security” to warn users of the emerging technologies about the associated risks.

Christiaan Beek, Lead Scientist and Senior Principal Engineer with McAfee Advanced Threat Research, commented to Business Wire that apart from PCs, low-CPU devices have become a new source of “profitable revenue stream” for cybercriminals.

Due to their “propensity for weak passwords,” as well as the ability to take over “tremendous volume” of devices such as Wi-Fi routers, video cameras, and other Internet-of-Things (IoT) appliances, they represent a “very attractive platform” for illicit crypto mining activities.

Last week, Cointelegraph reported that official government websites have become the main target for cryptojacking in India, including websites of municipal administrations.

In late August, Firefox announced that they will start blocking cryptojacking malware in future versions of their web browser, including crypto mining scripts that “silently mine cryptocurrencies” on users’ devices.

Source link

Crypto Mining Malware | Instances Up Nearly 500% in 2018

According to a crypto jacking report published by the Cyber Threat Alliance (CTA), crypto mining malware infections are up nearly 500% in 2018.

Crypto Mining Malware Report

The threat of illicit cryptocurrency mining represents an increasingly common cybersecurity risk of enterprises and individuals. According to the report, the CTA found that malware detections were up 459% between 2017 and 2018.

“Combined threat intelligence from CTA members show that this rapid growth shows no signs of slowing down, even with recent decreases in cryptocurrency value,” the company writes in a preface.

The threat is relatively new, and many people do not understand it. The CTA states that the operations are becoming much more sophisticated now and the crypto mining malware is becoming harder to detect.

The report signifies the Monero mining campaign, Smominru, as an example. Analysts have recently observed widespread attackers successfully employing legitimate functionality to execute and download miners that is far too difficult for any antivirus software to detect.

NSA Software Flaw

Bloomberg reported that these hackers have been able to generate Monero, Bitcoin, and other cryptocurrencies by exploiting the software flaw that was leaked by the US government.

As of July of 2018, 85 percent of all the illicit cryptocurrency mining has targeted Monero. No surprise there. Monero has been highly criticized in the past, as it allows its users to secretly send and receive money without showing any trace of identity.

>> Binance is Looking Global

Bitcoin made up around eight percent of the illicit mining, and the other altcoins accounted for seven percent, according to the report.

The flaw in the code gained notoriety when North Korea and Russia used it in massive attacks. It seems the hackers were overshadowed by the larger hackers and managed to get away with a lot of illegal digital coins.

When hackers illicitly generate cryptocurrency using others’ computers, it creates ‘free’ money for them and could erode the value of the currency being made by increasing its supply.

Featured Image: Depositphotos/© maxkabakov

If You Liked This Article Click To Share

Source link

Cryptocurrency Mining Malware Detections Up Almost 500 Percent in 2018: Report

Leaked code targeting Microsoft Systems which hackers allegedly stole from the U.S. National Security Agency (NSA) sparked a fivefold increase in cryptocurrency mining malware infections, Bloomberg reports Wednesday, September 19, citing a new cryptojacking report.

Eternal Blue, the tool which can exploit vulnerabilities in Microsoft software, is behind the now-infamous global cyberattacks WannaCry and NotPetya, which continue to cause disruption since they first surfaced in 2017. Bloomberg notes that Eternal Blue was allegedly stolen from the NSA in 2017 by a hacking group called the Shadow Brokers.

Hackers have since been using the tool in order to gain access to computers in order to covertly mine for cryptocurrency, with detections up 459 percent this year, according to the report from the Cyber Threat Alliance (CTA).

“Combined threat intelligence from CTA members show that this rapid growth shows no signs of slowing down, even with recent decreases in cryptocurrency value,” the company writes in a preface to its most recent report, stating:

“Because this threat is relatively new, many people do not understand it, its potential significance, or what to do about it.”

Cointelegraph has often reported on the emergence of crypto mining malware infecting user devices such as PCs and smartphones. Rather than Bitcoin (BTC) or Ethereum (ETH), it is privacy-focused altcoins such as Monero which are hackers’ preferred target, the report notes.

The uptick, CTA says, comes as such operations are becoming more “sophisticated.”

“Analysts have observed successful and widespread attackers ‘living off the land,’ or employing legitimate functionality to download and execute miners that would be more difficult for an observer or antivirus to detect,” the preface continues, highlighting the Monero mining campaign Smominru as an example.

The NSA did not respond to Bloomberg’s request for comment on the findings upon publication.

Source link

Crypto Wallet Protection App Wants to Secure Your Wallets Against Malware

Malware, a persistent thorn in the side of the internet’s wider community, has become an increasing concern for cryptocurrency users. A problem that comes in many forms, malicious software is leveraged by hackers to rob community members of their funds. One program, dubbed the clipboard hijacker, for instance, operates by secretly gaining control of a Windows device’s running memory. It then replaces the Bitcoin address copied into a user’s clipboard with the address of the attacker, leading the user to unwittingly transfers funds to the hacker.

New Jersey–based BlockSafe Technologies is determined to make mobile crypto wallets more secure with a mobile wallet protection app called the CryptoDefender. According to the company, the CryptoDefender mobile app proactively prevents keylogging malware from stealing your cryptocurrency wallet login details.

The mobile app, which has a desktop version, is loaded with a host of features including a password generator that creates and stores strong passwords, a password vault for encrypting and storing passwords securely, a secure browser and an OATH-complaint one-time password (OTP) generator for websites that allows for two-factor authentication.

Proactive Defense

George Waller, who serves as the CEO of BlockSafe and the co-founder of cybersecurity outfit StrikeForce Technologies, played a pivotal role in introducing out-of-band authentication and keystroke encryption to the marketplace. He has also held management roles at RxRemedy, TeachMeIT and HealthSCOUT.

Speaking with Bitcoin Magazine, Waller said the threat posed by bad actors and malware is one of the biggest barriers to the mass adoption of cryptocurrency.

“Wallets are very vulnerable and insecure, with an average of $9 million stolen every day. By far, those most at risk of becoming victims at the hands of bad actors are those without IT teams, sophisticated cybersecurity tools, or the experience to understand how great the risk can really be,” he remarked.

“The best targets to steal crypto from are the everyday investors, the folks that did the research and took the chance of investing their hard-earned dollars in an emerging and revolutionary technology, and as blockchain cybersecurity experts, we simply won’t stand idly by while the community that is the very foundation of this space are robbed straight out of it.”

At the core of how CryptoDefender operates is its keystroke encryption, which blocks keylogging malware and other forms of malware from breaching mobile crypto wallets.

It accomplishes this by encrypting every keystroke a user makes, rather than trying to detect keylogging malware on the device. The app installs an encrypted keystroke keyboard and then routes each encrypted keystroke through its secure data stack, bypassing the original data stack that can easily be hijacked by hackers.

Other Features

CryptoDefender comes with a secure mobile browser, which Waller says prevents against all forms of attack, including man-in-the-middle and man-in-the-browser attacks. Each time a user launches the browser, CryptoDefender will “generate a brand new browser on the fly, [and] when you close it, we dissolve it,” Waller explained.

“We don’t allow browser extensions, tabs, injections, cookies, or any other vulnerable attributes to be loaded into the browser. Every time you open our browser, it’s a brand new one for the first time.”

Users can create strong passwords up to 99 characters in length and store them automatically in the Password Vault for safekeeping. The Vault, which Waller claims is “extremely safe,” works hand in hand with the browser and the encrypted keyboard. He went on further by saying that the Vault uses AES-256 encryption — a key-generation technique used to encrypt data and prevent unwanted access to data — and fingerprint authentication to secure it.

“Many of us buy, sell, and move cryptocurrencies from our phones and desktops; if one device is protected while the other remains vulnerable to intrusion, they both are at risk. CryptoDefender is a tremendous milestone as it represents phase one in our three-part mission to secure the blockchain ecosystem,” Waller added.

Waller said the app is different from a long list of anti-keylogger software offering similar solutions because of its utility as both a downstream and upstream prescription. He also claimed the app is the “only keystroke encryption” product designed to protect crypto wallets.

“We built this with the assumption that your device is already infected, therefore, as soon as you install this, you are protected. Products that take a reactive approach, i.e., anti-virus software, are always stuck in that cat-n-mouse cycle and getting bypassed on a daily basis.”

The mobile app is available on the BlockSafe website for both Android and iOS devices.

Source link

Firefox to Block Cryptojacking Malware in New Browser Releases

Firefox will block cryptojacking malware in future versions of its web browser, according to an announcement August 30.

The move comes as part of an anti-tracking initiative expected to be implemented over the next few months. In the announcement, Firefox cites a study by browser extension Ghostery, stating that 55.4 percent of the total time required to load an average website is spent loading third party trackers.

Future versions of Firefox will reportedly block such practices as cryptomining scripts that “silently mine cryptocurrencies” on users’ devices by default. By blocking tracking and offering a “clear set of controls,” Firefox is looking to provide its users more choice over what data they share with websites.

Back in 2016, Mozilla, the company behind Firefox browser, implemented practices encouraging users to take care of their online privacy and security in an ongoing shift towards data encryption. Firefox reportedly was going to block connections to HTTPS secure servers employing weak encryption and establish a minimum of 1023 bits for TLS handshakes using Diffie-Hellman keys.

Another major web browser, Opera, included anti-crypto mining in their integrated ad-blocker for desktop in December last year. Later in January, the company announced plans to add the feature to their mobile browser as well.

This month, Opera announced the launch of its desktop web browser with built-in crypto wallet functionality. As with the mobile app, the desktop client will support tokens as well as digital collectibles, with product lead of Opera Crypto Charles Hamel commenting that browser integration represents a further step in “making cryptocurrencies and Web 3.0. mainstream.”

Source link