Sharp Rise in Mining-Related Malware on the Russian-speaking Underground

Verint’s portfolio of interception and monitoring solutions covers both real-time and retroactive investigation needs, for lawful monitoring, field operations and background research. In the case below, we used our Cyber and Webint suite to continuously monitor, collect and analyze malware-related items, derive actionable intelligence and carry out the investigation.

We constantly monitor groups, markets and IM channels, both manually and automatically. In recent months this monitoring has revealed a sharp rise in mining malware traded on numerous Dark Web forums where members of various underground communities gather. This is hardly surprising given the rise in cryptocurrency values since late 2017. As a consequence of this trade, a sharp rise in mining malware attacks has also been observed over the same months.

The rise in the trade in mining malware originates with cybercriminals who previously attacked banks and their clients and are now choosing to focus on attacks that bring cryptocurrency of various kinds into their own hands. For instance, SenseCy analysts spotted known sellers of banking malware beginning to offer cryptocurrency-mining malware for sale. These attacks can be divided into two types:

  • Infection with mining malware – we have observed a rise in the trade of mining malware in hacking communities, as well as an increase in the number of discussions about these attacks. This indicates elevated interest in the field and a shift by hackers previously engaged in other criminal activity toward acquiring knowledge and tools for illicit mining. These attacks target a wide range of end users and servers and are designed to consume the victims’ system resources to mine cryptocurrency. Beyond slowing the infected system, mining malware can sometimes cause real hardware damage, as with the Loapi Android Trojan, which worked a phone so hard that its battery overheated and bulged, bursting open the device’s back cover.
  • Attacks against cryptocurrency holders, whether private wallet owners or cryptocurrency exchange platforms. The former are usually targeted by phishing or Man-in-the-Middle (MitM) attacks designed to steal credentials; the latter face large-scale attacks designed to steal cryptocurrency from the exchange itself. We see a large volume of evidence of the first type in closed sources, whereas the second type is usually coordinated outside of hacking forums.

The picture from our automated monitoring systems, which surface items matching pre-defined queries, supports the findings our analysts identified manually. More than 4,000 mentions of “miner” on password-protected forums were identified between September 1, 2017, and February 24, 2018, compared to just 1,000 in the same period a year earlier. A sharp rise in the number of discussions is clearly visible from mid-October 2017, following the rise in the price of Bitcoin and other cryptocurrencies. In fact, the number of discussions on hacking-dedicated platforms tracks the fluctuations in Bitcoin’s value, with a delay of a few days.

The number of discussions from password-protected hacking sources in which the word “miner” was mentioned. Source: Verint DarkAlert
The value of Bitcoin in USD during the same period. Source: CoinDesk
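Checking a claim like the last one in the paragraph above (forum chatter follows the price with a delay of a few days) is a small exercise in lagged correlation. The block below is an added example, not code from the post or from the Verint DarkAlert product, and its daily prices and mention counts are constructed rather than the CoinDesk and DarkAlert data shown in the figures: it slides the mention series against the price series and reports the lag with the highest Pearson coefficient.

```python
"""Lagged cross-correlation between daily forum mention counts and a daily
price series.  Added illustration; the numbers below are constructed and are
not the DarkAlert or CoinDesk data shown in the figures."""
from statistics import mean, pstdev


def pearson(xs, ys):
    """Pearson correlation coefficient of two equal-length series."""
    if len(xs) != len(ys) or len(xs) < 2:
        raise ValueError("series must have equal length and at least two points")
    mx, my = mean(xs), mean(ys)
    sx, sy = pstdev(xs), pstdev(ys)
    if sx == 0 or sy == 0:
        return 0.0  # a flat series carries no information
    cov = sum((x - mx) * (y - my) for x, y in zip(xs, ys)) / len(xs)
    return cov / (sx * sy)


def lagged_correlation(price, mentions, max_lag):
    """Correlate mentions on day t with the price on day t - lag, for every lag
    in 0..max_lag.  The lag with the highest coefficient is the delay with
    which forum chatter follows the price (0 means same day)."""
    if max_lag >= len(price) - 1:
        raise ValueError("max_lag leaves too few overlapping days")
    return {lag: pearson(price[:len(price) - lag], mentions[lag:])
            for lag in range(max_lag + 1)}


def best_lag(price, mentions, max_lag):
    """Lag (in days) at which the two series agree most closely."""
    corr = lagged_correlation(price, mentions, max_lag)
    return max(corr, key=corr.get)


# Constructed 30-day sample: the mention series copies the price shape with a
# three-day delay plus a little noise, the pattern the post describes.
PRICE_USD = [6000, 6200, 6100, 6500, 7000, 7400, 7300, 8000, 8600, 9200,
             9900, 10800, 11500, 12000, 13500, 15000, 16500, 17800, 19000, 18200,
             16500, 15800, 14900, 15500, 16800, 16000, 14500, 13800, 13000, 14200]
MINER_MENTIONS = [58, 59, 60, 61, 60, 64, 65, 69, 76, 74,
                  78, 89, 92, 98, 110, 116, 118, 138, 150, 164,
                  180, 191, 180, 168, 158, 148, 157, 169, 158, 148]

if __name__ == "__main__":
    for lag, r in lagged_correlation(PRICE_USD, MINER_MENTIONS, 7).items():
        print(f"lag {lag}d: r = {r:+.3f}")
    print("best lag:", best_lag(PRICE_USD, MINER_MENTIONS, 7))
```

A best lag of a few days with a coefficient near one supports the post’s statement; a best lag of zero, or a low coefficient at every lag, would not. With real data, detrend both series first, since any two series that both rise over the same months will correlate regardless of any causal link between them.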

For instance, we identified two prominent threat actors from the Russian underground who usually offer mobile “injections” – fake overlay pages used together with mobile Trojans to steal user credentials, usually for banking and e-commerce apps. In the same period in which the Bitcoin price rose, these actors began offering injections targeting users of popular Bitcoin wallets.

Another example is the trade in a new mining malware dubbed CryptoNight, after the proof-of-work algorithm it targets, which began two months ago (February 10, 2018). For US$ 50, the author offers a miner for the cryptocurrencies that use the CryptoNight or CryptoNight-Lite algorithm (the family used by Monero and related coins at the time), claiming a relatively low antivirus detection rate; the only evidence for that claim is tests run by other forum members, not independent verification. The malware also includes a clipboard stealer designed to capture credentials for the most popular cryptocurrency wallets (Bitcoin, Ethereum, Dogecoin and others).
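The clipboard component is the part of this listing a defender can most directly look for. The post says only that it targets wallet credentials; the common form of such a component, generically called a clipper, watches the clipboard for a wallet address and silently replaces it with the attacker’s, so a victim pasting a payment address sends funds to the wrong wallet. The example below is added here and is not code from the post or from the malware it describes: it applies one detection heuristic to a constructed sequence of clipboard snapshots, flagging a wallet address that is replaced by a different address of the same kind within a second, far faster than a person re-copying. The address patterns, the one-second threshold and the snapshot timeline are all assumptions of the example.

```python
"""Heuristic detector for clipboard address substitution ("clipper") behaviour.
Added illustration, not code from the post or from the malware it describes.
Input is a list of clipboard snapshots; a real deployment would feed these from
a clipboard-change hook, which this example does not include."""
import re
from dataclasses import dataclass

# Syntactic checks only: legacy/P2SH (1... / 3...) and bech32 (bc1...) Bitcoin
# addresses, and 20-byte hex Ethereum addresses.  No checksum validation.
ADDRESS_PATTERNS = {
    "btc": re.compile(r"^(?:bc1[a-z0-9]{25,62}|[13][a-km-zA-HJ-NP-Z1-9]{25,34})$"),
    "eth": re.compile(r"^0x[0-9a-fA-F]{40}$"),
}


def address_type(text):
    """Return 'btc', 'eth' or None for a clipboard string."""
    text = text.strip()
    for kind, pattern in ADDRESS_PATTERNS.items():
        if pattern.match(text):
            return kind
    return None


@dataclass(frozen=True)
class Snapshot:
    t: float    # seconds since monitoring started
    text: str   # clipboard contents at that moment


def detect_swaps(snapshots, max_gap=1.0):
    """Flag a snapshot pair where one wallet address is replaced by a different
    address of the same kind within max_gap seconds (assumed threshold).  A
    person re-copying an address takes longer; a clipper rewrites at once."""
    alerts = []
    for prev, cur in zip(snapshots, snapshots[1:]):
        kind = address_type(prev.text)
        if kind is None or address_type(cur.text) != kind:
            continue
        if prev.text.strip() == cur.text.strip():
            continue
        if cur.t - prev.t > max_gap:
            continue
        alerts.append({"t": cur.t, "kind": kind,
                       "copied": prev.text.strip(),
                       "replaced_with": cur.text.strip()})
    return alerts


# Constructed timeline: the user copies a Bitcoin address and 200 ms later the
# clipboard holds a different one (simulated clipper).  The two Ethereum
# addresses 15 s apart are a legitimate re-copy and must not be flagged.
SAMPLE_TIMELINE = [
    Snapshot(0.0, "meeting notes"),
    Snapshot(10.0, "1BvBMSEYstWetqTFn5Au4m4GFg7xJaNVN2"),
    Snapshot(10.2, "1Attacker7yGp8oL2qRt6eN9sHm4cVd3bK"),
    Snapshot(25.0, "https://example.com/invoice"),
    Snapshot(30.0, "0x742d35Cc6634C0532925a3b844Bc454e4438f44e"),
    Snapshot(45.0, "0xdeadbeefdeadbeefdeadbeefdeadbeefdeadbeef"),
]

if __name__ == "__main__":
    for alert in detect_swaps(SAMPLE_TIMELINE):
        print(f"[{alert['t']:.1f}s] {alert['kind']} address swapped: "
              f"{alert['copied']} -> {alert['replaced_with']}")
```

The heuristic keys on timing and on the address kind staying the same, because a clipper has to substitute an address of the same currency for the payment to go through. It will not see a clipper that waits for the paste event rather than rewriting immediately, which is why the user-side habit of comparing the first and last characters of a pasted address before sending remains worthwhile.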

TOO SOON TO PATCH? – TIMESPAN FROM EXPOSURE TO ATTACK

This is an excerpt from the SenseCy 2017 Annual Report. To receive the full version of the report, please contact us at CyberThreat.Insider@verint.com

In the past year, the number of disclosed vulnerabilities (14,712) reached an all-time peak in all of cyber-history – twice as high as the two previous years: 6,480 vulnerabilities were

Political Tension in Spain Leads to Cyber-Attacks against Spanish Websites

The political tension after the Catalonia referendum on October 1, 2017, has influenced the virtual arena as well, resulting in cyber-attacks against Spanish websites carried out by hacktivists leaking information about high profile targets and claiming responsibility for shutting down websites. These threat actors use various anti-Spain hashtags that indicate the different cyber campaigns: #OpEspana, #OpCatalonia, #OpCatalonya and #OpSaveCatalonia.

Significant Increase in Cloud-Based Attacks in the Last Year

According to a recently published report for the first quarter of 2017, there has been a significant rise in consumer and enterprise accounts in the Cloud. As more and more organizations migrate to the Cloud, the frequency and sophistication of Cloud-based attacks is growing.

New Variant of Notorious Svpeng Currently for Sale on the Russian Underground

In recent days there have been numerous reports about a new Svpeng variant with extended capabilities, including keystroke logging and control of many device functions by abusing Android’s accessibility services.

Massive Cyber Attack Causing Chaos as World Still Recovers from WannaCry

In the past few hours, multiple reports have been published about a mass-scale cyber-attack taking place in Ukraine. The attack has hit multiple government resources as well as corporate, financial and critical-infrastructure systems (the Kyiv metro and airport, electricity and oil companies, etc.).

#OpIcarus Cyber Campaign – Round 5

Hacktivists recently launched the fifth phase of the #OpIcarus cyber campaign (also dubbed #OpSacred) against the financial sector around the world. This campaign was first launched in February 2016, and as in previous phases, the official target list contains mainly websites of central banks around the world. In addition, the initiators share links to download known DDoS tools, such as

Shadow Brokers’ Massive Leak Spreads Quickly Across the Dark Web

Since April 14th, when the Shadow Brokers leaked a new batch of files allegedly affiliated with Equation Group – an APT threat actor suspected of being tied to the NSA – Darknet forum members have been sharing the leaked attack tools and zero-day exploits among themselves.

Updates about the Upcoming #OpIsrael Campaign

The number of participants in the event pages of the #OpIsrael campaign, as of the first week of April 2017, is approximately 600 Facebook users – a very low number of supporters compared to the same period in previous campaigns. In general, the response on social networks to the #OpIsrael campaign over the years since 2013 is constantly declining.