Throughout February, researchers at Forcepoint have been identifying a new and unusual piece of malware – the miniature Monero mining botnet.
Just like the California Gold Rush attracted amateurs lured by the promise of easy money (the original ’49ers’), a low barrier-to-entry is tempting unskilled individuals to take up cryptocurrency mining. In January 2017 it was reported that the Sundown Exploit Kit was dropping a cryptocurrency miner based on open source code. At the time, the lack of ‘tradecraft’ evident in this sample was noted and it was suggested that it was representative of a trend towards so-called novices engaging in cybercrime. February 2017 sees a similar, arguably more successful campaign which appears to affect a range of machines in France, predominantly associated with SMEs and local government systems in the Haut-Rhin region, including several local government networks amongst others.
Upon initial execution the file connects to its primary C2 server to download an initial configuration file. It then receives instructions in an unobfuscated file and if the payload finds the machine is not already infected then two more files are downloaded. In the miner example reported in January, the perpetrator left references to his personal Github account in the code – a mistake which was his ultimate undoing. The actor behind this example appears to have learnt from his mistakes. However, there are some indications of a less professional approach – the use of 7zip for compression for example, the use of pass as a password and the domain registration details match a derivative of the username seen in the files.
Carl Leonard, Principal Security Analyst at Forcepoint:
“Whilst this case appears to be a small, simplistic campaign it is indicative of the low barrier to entry in cybercrime. The ready availability of open source tools combined with well-documented techniques and procedures may well lead to more and more individuals finding themselves tempted to ‘have a go’. Although this particular case has focused on France with victims appearing to be related to French infrastructure, Forcepoint urges all regions to be alert, to take care when opening attachments and to ensure senders are verified.”
More information on this is available on the Forcepoint blog: https://blogs.forcepoint.com/security-labs/21st-century-49ers-small-time-cryptocurrency-mining