Cyber Criminals Are Using YouTube To Install Cryptojacking Malware

Cyber Criminals Are Using YouTube To Install Cryptojacking Malware

Software security firm Eset uncovered that cyber criminals are using YouTube to distribute cryptojacking modules

[ihc-hide-content ihc_mb_type=“show“ ihc_mb_who=“reg“ ihc_mb_template=“1″ ]

Slovakian software security firm Eset has uncovered that cyber criminals behind the Stantinko botnet have been distributing a Monero (XMR) cryptocurrency mining module via Youtube.

On Nov. 26, the major antivirus software supplier Eset reported that the Stantinko botnet operators have expanded their criminal reach from click fraud, ad injection, social network fraud and password stealing attacks, into installing crypto malware on victims‘ devices using Youtube.

Stantinko botnet has been active since at least 2012

The Stantinko botnet, which has been active since at least 2012 and predominantly targets users in Russia, Ukraine, Belarus and Kazakhstan, reportedly uses YouTube channels to distribute its cryptojacking module, which mines the privacy-focused crypto coin Monero on the CPUs of unsuspecting victims.

This cryptocurrency-stealing malware has reportedly infected around 500,000 devices, and is similar to the recently discovered malicious malware, Dexphot, malware discovered by Microsoft that has already infected more than 80,000 computers.

These crypto-hijacking codes steal processing resources, take over legitimate system processes and disguise the nefarious activity with the ultimate goal of running a crypto miner on the infected devices.

Eset informed YouTube, which reportedly responded by removing all the channels that contained traces of Stantinko’s code.

Malware on Monero’s official website was stealing crypto

In November, Monero’s core development team said that the software available for download on Monero’s official website might have been compromised to steal cryptocurrency. A professional investigator going by the name of Serhack confirmed that the software distributed after the server was compromised was indeed malicious:

“I can confirm that the malicious binary is stealing coins. Roughly 9 hours after I ran the binary a single transaction drained the wallet. I downloaded the build yesterday around 6pm Pacific time.”


Zur Quelle
[/ihc-hide-content]

Software security firm Eset uncovered that cyber criminals are using YouTube to distribute cryptojacking modules

Trend Micro: Cybercriminals Use Obfuscation Trick to Install Crypto Mining Malware

Trend Micro: Cybercriminals Use Obfuscation Trick to Install Crypto Mining Malware

Cybersecurity firm Trend Micro has confirmed that attackers have been exploiting a vulnerability in the Oracle WebLogic server to install XMR mining malware

[ihc-hide-content ihc_mb_type=“show“ ihc_mb_who=“reg“ ihc_mb_template=“1″ ]

Cybersecurity firm Trend Micro has confirmed that attackers have been exploiting a vulnerability in the Oracle WebLogic server to install monero (XMR) mining malware, while using certificate files as an obfuscation trick. The news was revealed in a Trend Micro blog post published on June 10.

As previously reported, forms of stealth crypto mining are also referred to with the industry term cryptojacking — the practice of installing malware that uses a computer’s processing power to mine for cryptocurrencies without the owner’s consent or knowledge.

According to Trend Micro’s post, a security patch for theOracle WebLogic vulnerability (“CVE-2019-2725”) — reportedly caused by a deserialization error — was released in the national vulnerability database earlier this spring.

However, Trend Micro cites reports that emerged on the SANS ISC InfoSec forum alleging that the vulnerability has already been exploited for cryptojacking purposes, and confirms that it has verified and analyzed the allegations.

The firm notes that the identified attacks deployed what it describes as “an interesting twist” — namely that “the malware hides its malicious codes in certificate files as an obfuscation tactic”:

“The idea of using certificate files to hide malware is not a new one […] By using certificate files for obfuscation purposes, a piece of malware can possibly evade detection since the downloaded file is in a certificate file format which is seen as normal -— especially when establishing HTTPS connections.”

Trend Micro’s analysis begins by noting that the malware exploits CVE-2019-2725 to execute a PowerShell command, prompting the download of a certificate file from the command-and-control server.

After continuing to trace its steps and characteristics — including the installation of the XMR miner payload — Micro Trend notes an apparent anomaly in its current deployment:

“[O]ddly enough, upon execution of the PS command from the decoded certificate file, other malicious files are downloaded without being hidden via the certificate file format mentioned earlier. This might indicate that the obfuscation method is currently being tested for its effectiveness, with its expansion to other malware variants pegged at a later date.”

The post concludes with a recommendation to firms using WebLogic Server to update their software to the latest version with the security patch in order to mitigate the risk of cryptojacking.

As recently reported, Trend Micro detected a major uptick in XMR cryptojacking targeting China-based systems this spring, in a campaign mimicking earlier activities that had used an obfuscated PowerShell script to deliver XMR-mining malware.


Zur Quelle
[/ihc-hide-content]

Cybersecurity firm Trend Micro has confirmed that attackers have been exploiting a vulnerability in the Oracle WebLogic server to install XMR mining malware