Popular Cryptomining Campaign Affects Over 500,000 Computers: Significant Evolution Uncovered by Carbon Black’s Threat Analysis Unit (TAU)

Morgan Phisher February 29, 2024

Hey Bay Area folks, how’re you doing? I’ve got some quite intriguing, albeit a little chilling, tech news to share with you today. You know how we’re all obsessed with following the latest trends, be it in fashion, tech or food? Well, it seems a similar mentality might be seeping into the dark corners of the cyberworld.

Yep, that’s right. Trendsetting has made its way into the world of malware, and the hottest new trend, it appears, is something dubbed “Access Mining.” This nifty term refers to a technique where attackers use run-of-the-mill malware to hide a more sinister agenda – selling system access to the highest bidder on the dark web. So, if your computer becomes infected, hackers can use it as a gateway for launching more extensive attacks.

This isn’t a new thing, though. Access Mining started around two years ago, thanks to the peaks and troughs in the cryptocurrency market and the easy availability of open-source attack tools. Who knew market fluctuations could influence malware trends?

I was surprised to find out that this could potentially affect over half a million computers worldwide. Makes me want to hit ‘update’ on my antivirus software immediately!

So, have you ever wondered how anyone stumbles upon something this complex? To tell you the truth, it takes an entire team. The discovery of Access Mining was a bit like a game of dominoes: odd behaviors seen on multiple endpoints led investigators to notice something unusual, and that set off a chain of events that uncovered multi-stage malware sending detailed system metadata to hijacked web servers, possibly for future resale on remote-access marketplaces scattered across the dark web.

Something else that caught my attention in the reports was the geography of it all. Apparently, 60% of the victims come from the Asia Pacific region, with the rest mainly hailing from Russia and Eastern Europe. What a diverse set of victims!

Don’t be fooled into thinking the criminals behind this are strictly using high-tech tools. A lot of their toolbox actually consists of modified exploits, repurposed tools, and stolen infrastructure. They use a modified version of XMRig, an open-source cryptocurrency miner, to mine Monero coins. They’re known to use the open-source credential-theft tool Mimikatz and the EternalBlue exploit to spread from infected systems and broaden their campaign’s reach.

It’s scary stuff, but fascinating too – a stark reminder of how complex and fast-paced our cyber world is becoming. Open-source platforms have served as treasure chests for these attackers, helping them to evolve their methods quickly and effectively.

In essence, the combination of using commodity malware to gain system access and then selling that access is proving to be a lucrative business model. It’s hard to ignore an estimated $1.6 million annual profit!

Overall, this discovery highlights just how incredibly vulnerable any system can be. It isn’t just the large corporations with known intellectual property assets that are valuable to cybercriminals. The reality is, any potential access point can be valuable in cybercrime as it presents a profitable way to launch targeted attacks.

Alright, folks, stay safe out there in the digital world, yeah? Be sure to keep those firewalls up and those systems updated!

by Morgan Phisher | HEAL Security