Security Weekly 39


Security Weekly 39: Where To Hide The Miner, And A Brief Excursion Into Darknet Marketing


Fans of free cryptocurrency, it seems, are collectively puzzling over where to hide a miner so that it stays undetected for longer. As is well known, once every banal option has been tried, the field opens up for creativity. Some craftsmen found their inspiration in the beautiful face of Hollywood star Scarlett Johansson.

Monero hunters embedded the miner's code directly into a PNG photo of the actress. This let the scammers not only express themselves but also use a legitimate image hosting service, imagehousing.com, to store the malware, and at the same time slip past some antivirus products.

  • The cybercriminals chose PostgreSQL database servers as the target of the attack. Before deploying the miner on a server, the actress's admirers reconnoitred its computing power, so as not to mine where it would be unprofitable.

Having satisfied themselves that the server was worth it, the scammers downloaded the picture from the image hosting onto it and then carved the malicious code out of it with the standard Linux utility dd. The extracted file was then made executable, and when launched it created the actual mining program.

  • When the campaign was discovered, this particular work of art was removed from the hosting, but how many more photos in the cloud contain the same (or different) code, nobody knows.
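The trick relies on the fact that a PNG decoder stops reading at the IEND chunk, so anything appended after it is invisible to image viewers yet trivially carved out with dd at a known offset. The following is an added example, not code from the page or from the attackers' dropper: it walks the PNG chunk list, finds where the real image ends, reports any trailing bytes, and prints the dd command that would carve exactly those bytes. It assumes the payload was appended after IEND (the layout a fixed-offset dd carve implies; the page does not give the actual offset or command), and the sample image and fake ELF payload are constructed inline.

```python
import struct
import zlib

PNG_SIGNATURE = b"\x89PNG\r\n\x1a\n"


def make_chunk(ctype, body):
    """Build one PNG chunk: 4-byte big-endian length, type, data, CRC-32 of type+data."""
    crc = zlib.crc32(ctype + body) & 0xFFFFFFFF
    return struct.pack(">I", len(body)) + ctype + body + struct.pack(">I", crc)


def png_chunks(data):
    """Walk the chunk list, validating lengths and CRCs, and stop at IEND.

    Yields (chunk_type, start_offset, end_offset) for each chunk.
    """
    if not data.startswith(PNG_SIGNATURE):
        raise ValueError("not a PNG file")
    pos = len(PNG_SIGNATURE)
    while pos + 8 <= len(data):
        length, ctype = struct.unpack(">I4s", data[pos:pos + 8])
        end = pos + 8 + length + 4            # length + type + data + CRC
        if end > len(data):
            raise ValueError("truncated chunk %r at offset %d" % (ctype, pos))
        body = data[pos + 8:pos + 8 + length]
        (crc,) = struct.unpack(">I", data[end - 4:end])
        if zlib.crc32(ctype + body) & 0xFFFFFFFF != crc:
            raise ValueError("bad CRC in chunk %r at offset %d" % (ctype, pos))
        yield ctype, pos, end
        pos = end
        if ctype == b"IEND":
            return
    raise ValueError("no IEND chunk found")


def image_end_offset(data):
    """Offset of the first byte after the IEND chunk, i.e. where the real image ends."""
    end = None
    for _ctype, _start, chunk_end in png_chunks(data):
        end = chunk_end
    return end


def trailing_payload(data):
    """Return whatever follows IEND. Decoders ignore it, which makes it a natural hiding place."""
    return data[image_end_offset(data):]


def describe_payload(payload):
    """Rough classification of carved bytes, so an analyst knows what to look at next."""
    if not payload:
        return "clean"
    if payload.startswith(b"\x7fELF"):
        return "ELF executable"
    if payload.startswith(b"#!"):
        return "script"
    return "unknown data"


def dd_command(path, offset, out="payload.bin"):
    """The dd invocation that carves the same bytes a dropper would carve at this offset."""
    return "dd if=%s of=%s bs=1 skip=%d" % (path, out, offset)


# --- constructed sample: a valid 1x1 grayscale PNG with a fake ELF header appended ---
CLEAN_PNG = (
    PNG_SIGNATURE
    + make_chunk(b"IHDR", struct.pack(">IIBBBBB", 1, 1, 8, 0, 0, 0, 0))
    + make_chunk(b"IDAT", zlib.compress(b"\x00\x00"))   # filter byte + one pixel
    + make_chunk(b"IEND", b"")
)
# Stand-in for the miner dropper: only the ELF magic is real, the rest is filler.
PAYLOAD = b"\x7fELF\x02\x01\x01" + b"\x00" * 9 + b"not a real binary"
SAMPLE_PNG = CLEAN_PNG + PAYLOAD

if __name__ == "__main__":
    offset = image_end_offset(SAMPLE_PNG)
    found = trailing_payload(SAMPLE_PNG)
    print("image ends at byte", offset, "of", len(SAMPLE_PNG))
    print("trailing bytes:", len(found), "->", describe_payload(found))
    print("equivalent carve:", dd_command("scarlett.png", offset))
```

To scan real files, replace SAMPLE_PNG with the bytes read from disk; any non-empty result from trailing_payload is worth a closer look, since a well-formed image has nothing after IEND. The check deliberately validates every chunk's CRC so that a corrupted or hand-crafted chunk list fails loudly rather than yielding a wrong offset. It does not catch payloads stored inside chunk data (ancillary chunks, or bits spread across pixels), which need a different scanner.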

The authors of another Monero miner found a way to hide their creation conveniently in plain sight, one might say. These cryptocurrency hunters decided to store the installer on GitHub. Where else to hide malicious code, if not among other code?

  • For greater reliability, the cryptocurrency hunters created many forks of publicly available projects and placed the installer in each of them: after all, more is better than fewer. When it came to distributing the malware, they showed no originality, opting for the time-tested fake Adobe Flash Player update.

In response to attempts to clean GitHub of the infection, the criminals adopted the tactics of the Lernaean Hydra: while some infected pages were being deleted, the miner appeared on others. As the greats have said, the key to success is the ability to keep going towards your goal despite failures.

Black marketing among cybercriminals

But cybercriminals do not live by miners alone. Since the beginning of the year, at least three campaigns have been recorded using the Qrypter Trojan, whose authors prefer renting out their software to attacking with it themselves. Malware-as-a-Service, so to speak. And, like the rest of the characters in our digest, they put their heart into it.

  • The malware traders bet on active marketing: they advertise their creation, offer favourable rates to anyone wishing to resell it, and support users through the Black & White Guys forum.

Among the Trojan's advantages, colourfully described by its authors, are remote control of the infected device, including access to the webcam, unrestricted manipulation of files and programs, and control over the task manager. In addition, the malware keeps track of the firewalls and antivirus products running on the computer.

  • In advertising their services, however, they did not limit themselves to describing the merits of the "product". To finally convince potential customers of their program's exclusivity, the craftsmen vividly demonstrate the shortcomings of competing solutions. And not in theory but in practice: the developers periodically post cracked versions of other Trojans on the darknet.

So the bad guys not only spread their own malware but also give completely unrelated attackers the opportunity to use their competitors' work. A charming hotbed of contagion.