Monero again exploited in cryptocurrency mining operation
Potentially 15 million victims of a new XMRig attack.
Security researchers have found that a large-scale cryptocurrency mining operation has been active for several months. Using the open-source XMRig miner, the campaign has compromised about 15 million victims over the last four months, according to Palo Alto Networks.
However, it's possible that twice as many people have fallen victim to the malware, which uses VBS (Visual Basic Script) files and several online URL-shortening services to install and run the XMRig payload.
Palo Alto said the malicious files were hosted on 4sync's cloud storage and distributed through URL-shortening services, which disguised the file names and destinations behind short links. Users were then duped into opening the files, which in turn installed the mining payload. The malware used the Nicehash marketplace to sell the hijacked processing power and generate Monero cryptocurrency for the operators.
Although this particular scam wasn't detected in Australia – most of the victims were in South America and Asia – we can expect these types of scams to reach our shores.
This isn't the first time Monero has been used by threat actors and criminals. In another recent cryptojacking operation, malware delivered through YouTube ads mined cryptocurrency using the computing resources of its victims.
In that case, Trend Micro said the attackers used CoinHive – a supplier of browser-based cryptojacking software that skims 30% of the proceeds generated when its mining script is used.
With the days of the script kiddie behind us, online crime has moved from malice and damage to commerce and greed. If you want to know where the bad guys are working, you simply need to follow the money. And with Monero one of the more highly rated cryptocurrencies on the market, it's unsurprising that criminals are targeting it as a way of generating funds.
If your computer starts running slowly, use a system utility such as Activity Monitor on a Mac or Task Manager on Windows to check whether your processor is being thrashed when it should otherwise be idle. Sustained high CPU usage from a process you don't recognise, especially one running from a temporary or download folder, may be a sign you've been cryptojacked.
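Checking for a busy processor by hand is the first step; the next is looking at what the busy process actually is. The following script, added here as an illustration and not something from the article or from Palo Alto Networks or Trend Micro, takes a process listing in the form "PID CPU% COMMAND" (what `ps -eo pid,pcpu,args` prints on a Mac or Linux box, or what you could export from Task Manager or PowerShell on Windows) and flags two things: processes whose command line carries typical miner indicators (the `xmrig` binary name, a `stratum+tcp://` or `stratum+ssl://` pool URL as used by XMRig and similar miners, a `nicehash.com` pool host, XMRig's own `--donate-level`, `--coin` and `--algo` flags, or `wscript.exe` launching a `.vbs` file as the article describes), and processes that are simply above a CPU threshold and deserve a manual look. The pattern list is a heuristic chosen for this example, and the sample process lines, including the paths, pool host and PIDs, are constructed.

```python
"""Flag likely cryptojacking processes from a 'PID CPU% COMMAND' listing.

Added example: the indicators below are heuristics picked for this
illustration, not a vendor detection signature. The sample listing is
constructed and uses example.com-style hostnames.
"""
import re

# (label, pattern) pairs matched against each process command line.
INDICATORS = [
    ("xmrig-binary", re.compile(r"\bxmrig\b", re.I)),
    # Miners talk to pools over the stratum protocol; XMRig's -o/--url takes
    # stratum+tcp:// or stratum+ssl:// URLs.
    ("stratum-pool", re.compile(r"stratum\+(?:tcp|ssl)://", re.I)),
    # The Nicehash marketplace mentioned in the article.
    ("nicehash-pool", re.compile(r"nicehash\.com", re.I)),
    # Command-line flags specific to XMRig (rx/0 is its RandomX/Monero algo).
    ("xmrig-flags", re.compile(r"--donate-level|--coin[= ]monero|--algo[= ]rx/0", re.I)),
    # The dropper technique from the article: Windows Script Host running a .vbs.
    ("vbs-launcher", re.compile(r"\bwscript\.exe\b.*\.vbs\b", re.I)),
]

# Constructed sample listing (not real telemetry). Header line is ignored.
SAMPLE_PROCESSES = r"""PID %CPU COMMAND
412  0.3  C:\Windows\explorer.exe
1337 97.8 C:\Users\alice\AppData\Local\Temp\svchost.exe -o stratum+tcp://xmr.pool.example.com:3333 -u WALLET -p x --donate-level 1
2210 1.2  C:\Program Files\Mozilla Firefox\firefox.exe
2891 88.4 C:\Windows\System32\wscript.exe C:\Users\alice\Downloads\invoice.vbs
3004 91.0 /usr/bin/ffmpeg -i holiday.mp4 holiday.mkv
"""


def parse_process_lines(text):
    """Parse 'PID CPU% COMMAND' lines; skips headers and blank lines."""
    rows = []
    for line in text.splitlines():
        parts = line.strip().split(None, 2)
        if len(parts) < 3 or not parts[0].isdigit():
            continue  # header such as 'PID %CPU COMMAND', or malformed
        try:
            cpu = float(parts[1])
        except ValueError:
            continue
        rows.append({"pid": int(parts[0]), "cpu": cpu, "cmd": parts[2]})
    return rows


def classify(proc, cpu_threshold=80.0):
    """Return (labels, high_cpu): matched indicator labels and a CPU flag."""
    labels = [label for label, pat in INDICATORS if pat.search(proc["cmd"])]
    return labels, proc["cpu"] >= cpu_threshold


def find_suspects(text, cpu_threshold=80.0):
    """List (pid, labels, high_cpu) for processes worth a closer look.

    A process is reported if it matches any indicator (regardless of CPU) or
    if it is above the CPU threshold (even with no indicator: a legitimate
    encoder looks the same as a miner until you read its command line).
    """
    suspects = []
    for proc in parse_process_lines(text):
        labels, high_cpu = classify(proc, cpu_threshold)
        if labels or high_cpu:
            suspects.append((proc["pid"], labels, high_cpu))
    return suspects


if __name__ == "__main__":
    for pid, labels, high_cpu in find_suspects(SAMPLE_PROCESSES):
        verdict = "MINER INDICATORS " + ",".join(labels) if labels else "high CPU, review manually"
        print(f"pid {pid}: {verdict} (cpu>=threshold: {high_cpu})")
```

On the constructed listing this reports PID 1337 (stratum pool URL plus an XMRig flag, and a `svchost.exe` running from a Temp folder, which is not where the genuine one lives), PID 2891 (a `.vbs` being executed from Downloads), and PID 3004, which is only high CPU: `ffmpeg` transcoding a video is exactly why the CPU check alone is not enough and the command line has to be read before concluding anything.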