Lucky
Kaspersky Lab experts have analyzed a current malware program aimed at hijacking other people's computing resources for cryptocurrency mining. This Windows malware is distributed under the guise of legitimate applications and mainly attacks users from the former CIS countries.
During the current campaign, several programs were identified, the names of which the attackers borrow for disguise, such as ad blockers AdShield and Netshield, as well as the OpenDNS service. Malicious fakes are distributed from specially created sites that can be accessed by clicking on a link from the search results. Researchers believe that the current attacks are a continuation of the summer campaign that Avast revealed.
The behavior of the malware is the same in all cases. At startup, it changes the DNS settings, redirecting requests to the attackers' NS server, which allows the operators to track and block access to the sites of information security companies. After that, it connects to the C2 server, sends data to the infected system, and checks for updates by running updater.exe.
Once updated, the malware downloads a modified Transmission torrent client from a fake site and runs it. The latter, in turn, signals the operators about successful installation and downloads the mining module, a set of files unique to each infected machine.
Decryption of the payload leads to the launch of the XMRig cryptominer under the guise of a legitimate utility find.exe. To ensure the continuous operation of this "service", a special task is created in the Windows scheduler.
Since the beginning of February, Kaspersky security solutions have registered more than 7,000 unique attempts to install fake apps as part of the current campaign. During peak days, the attackers carried out more than 2.5 thousand such attacks, mainly in Russia and other former CIS countries.
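As an added hunting example (not from the Kaspersky report or the original post), here is a PowerShell check for the two host artifacts described above: a scheduled task that launches a binary named find.exe from outside the Windows system directories, and DNS client settings pointing at resolvers other than your own. The approved-resolver list is a placeholder, and the assumption that a legitimate find.exe lives only in System32 or SysWOW64 is mine.

```powershell
# Added example, not code from the report. Flags host-level traces of the
# campaign described above. Run in an elevated PowerShell on the host being checked.

# 1. Scheduled tasks whose action runs "find.exe" from a non-system path
#    (the miner is described as running as a fake find.exe kept alive by a task).
$legitFind = @("$env:SystemRoot\System32\find.exe", "$env:SystemRoot\SysWOW64\find.exe")
Get-ScheduledTask | ForEach-Object {
    $task = $_
    foreach ($action in $task.Actions) {
        # Non-exec actions (COM handlers) have no Execute value; skip them.
        $exe = [Environment]::ExpandEnvironmentVariables("$($action.Execute)").Trim('"')
        if ($exe -and ([IO.Path]::GetFileName($exe) -ieq 'find.exe') -and ($legitFind -notcontains $exe)) {
            [PSCustomObject]@{
                Task      = $task.TaskPath + $task.TaskName
                Execute   = $exe
                Arguments = $action.Arguments
                Author    = $task.Author
            }
        }
    }
}

# 2. Interfaces whose configured DNS servers (static or DHCP-assigned) are not
#    in the approved list. Replace the placeholder addresses with your resolvers.
$approvedDns = @('192.0.2.53', '192.0.2.54')   # placeholder values, assumption
Get-DnsClientServerAddress -AddressFamily IPv4 |
    Where-Object { $_.ServerAddresses.Count -gt 0 } |
    ForEach-Object {
        $unexpected = $_.ServerAddresses | Where-Object { $approvedDns -notcontains $_ }
        if ($unexpected) {
            [PSCustomObject]@{ Interface = $_.InterfaceAlias; UnexpectedDns = ($unexpected -join ', ') }
        }
    }
```

Any hit from the first check is worth pulling the task's XML and the referenced binary for triage; a hit from the second check on a machine that should only use corporate resolvers is the DNS redirection the report describes.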