
Tuesday, 6 February 2018

NEW MONERO CRYPTO MINING BOTNET LEVERAGES ANDROID DEBUGGING TOOL

A new botnet that distributes malware for mining Monero cryptocurrency has emerged, infecting Android devices through a port linked with a debugging tool for the OS, according to researchers at Qihoo 360 Netlab.
Dubbed ADB.Miner by 360 Netlab, the botnet is gaining entry to Android devices–mostly smartphones and TV boxes–through port 5555, which is associated with Android Debug Bridge, a command-line tool that is used for debugging, installing apps and other purposes.
ADB typically communicates with devices via USB, but it is also possible for it to use Wi-Fi with some setup, according to Android documentation. The botnet propagates itself in "worm"-like fashion, looking for open 5555 ports on other devices, most of which are Android-based, 360 Netlab researcher Hui Wang said in a blog post.
Notably, it uses some port scanning code from the Mirai botnet, which is the first time Mirai code has been used to target Android devices, he claimed. Mirai, which emerged in August 2016, has historically been used to attack Linux devices.
Most of the Android devices being targeted by ADB.Miner are located in China and South Korea, but 360 Netlab is not identifying any of them at this time.
“Overall, we think there is a new and active worm targeting android system’s adb debug interface spreading, and this worm has probably infected more than 5,000 devices in just 24 hours,” Wang wrote. In fact, 5555 port scanning traffic has hit the top 10, according to 360 Netlab’s own scanning data.
The botnet is distributing malicious code that is mining Monero coins, but as of yet none have been paid out, according to Wang.
Cybercriminals have been increasingly turning to cryptocurrency mining via botnets, with Monero a favored target. Those behind the massive Smominru botnet have generated as much as $3.6 million since May through an army of more than 500,000 infected machines, according to Proofpoint.
Crypto mining botnets have clear advantages over other types of attacks, such as ransomware, since they don’t necessarily require social engineering and by their nature are meant to operate stealthily, stealing nothing from victims but CPU cycles. In fact, crypto miners may be the “new payload of choice” for cybercriminals, researchers at Cisco Talos said recently.
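The worm behaviour described above (one infected host probing many other devices on TCP/5555) leaves a characteristic fan-out pattern in flow or firewall logs. The following detector is an added example written for this page, not code from 360 Netlab or the article; the flow record format, the sample records and the fan-out threshold are all constructed assumptions.

```python
from collections import defaultdict

ADB_PORT = 5555         # Android Debug Bridge over TCP
WINDOW_SECONDS = 60
FANOUT_THRESHOLD = 5    # assumption: tune to your own network's baseline

# Constructed flow records, not real traffic: "<epoch> <src> <dst> <dport> <proto>".
# 10.0.0.7 probes six hosts in five seconds (worm-like fan-out); 10.0.0.9 keeps
# talking to one device (a developer); 10.0.0.12 touches hosts minutes apart.
SAMPLE_FLOWS = """\
1517900000 10.0.0.7 10.0.1.1 5555 tcp
1517900001 10.0.0.7 10.0.1.2 5555 tcp
1517900001 10.0.0.7 10.0.1.3 5555 tcp
1517900002 10.0.0.7 10.0.1.4 5555 tcp
1517900003 10.0.0.7 10.0.1.5 5555 tcp
1517900005 10.0.0.7 10.0.1.6 5555 tcp
1517900002 10.0.0.7 10.0.1.9 80 tcp
1517900005 10.0.0.9 10.0.2.20 5555 tcp
1517900050 10.0.0.9 10.0.2.20 5555 tcp
1517900000 10.0.0.12 10.0.3.1 5555 tcp
1517900150 10.0.0.12 10.0.3.2 5555 tcp
"""

def parse_flows(text):
    """Parse flow lines into (ts, src, dst, dport, proto) tuples."""
    flows = []
    for line in text.splitlines():
        if line.strip():
            ts, src, dst, dport, proto = line.split()
            flows.append((int(ts), src, dst, int(dport), proto))
    return flows

def find_adb_scanners(flows, window=WINDOW_SECONDS, threshold=FANOUT_THRESHOLD):
    """Return {src: peak_distinct_targets} for sources that reach at least
    `threshold` distinct hosts on TCP/5555 within any `window`-second span."""
    per_src = defaultdict(list)
    for ts, src, dst, dport, proto in flows:
        if proto == "tcp" and dport == ADB_PORT:
            per_src[src].append((ts, dst))
    scanners = {}
    for src, events in per_src.items():
        events.sort()
        best = 0
        for i, (t0, _) in enumerate(events):
            targets = {dst for ts, dst in events[i:] if ts - t0 <= window}
            best = max(best, len(targets))
        if best >= threshold:
            scanners[src] = best
    return scanners
```

A developer who repeatedly connects to a single device over ADB is not flagged; only sources that reach many distinct hosts on 5555 inside the window are.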

Saturday, 30 December 2017

Chrome Extension with 105,000 installs is a Cryptocurrency Miner

By Waqas on 29/12/2017 at HackRead

The "Archive Poster" extension for the Chrome browser is currently used by 105,000 users. Its primary function is to let users "quickly reblog, queue, draft, and like posts right from another blog's archive", but Las Vegas-based security researcher Troy Mursch ("Bad Packets" on Twitter) has now identified that Archive Poster is infecting users' browsers with a cryptocurrency miner.

Generating Monero Through CoinHive

According to Bad Packets' analysis, the malicious Chrome extension uses cryptocurrency mining code provided by CoinHive and consumes the victim's computing power to generate the Monero (XMR) digital coin (1 XMR equals $392.71 USD). CoinHive is a company that provides a cryptocurrency miner which sends any coins mined by the browser to the owner of the website, application or extension.
In the case of Archive Poster, a number of users noted in reviews that the extension tries to use their browser for mining. One review posted on December 8th, 2017, by Furkan Tunalı said: "I rated it 5 before. Now it's mining with your CPU by CoinHive in the background. Beware Sad."
Screenshot: reviews posted by users
In a Twitter thread, Bad Packets stated that CoinHive’s JavaScript code loads from this URL: https://c7e935.netlify[.]com/b.js

Extension Is Up And Running

Mursch told HackRead that he reported the issue to Google but received no response from the company. Another user who reported the presence of the cryptocurrency miner in the extension received the following reply, which did not make sense.
I contacted the Google Chrome Store Support about this and they wrote back that. Is this a joke? "only the owner of the item can change the behavior of this item." !? So Google allows hijacked crypto mining in Chrome addons!? Seriously?
Remember, a couple of weeks ago HackRead identified a malware scam in which hackers used Google AdWords and Google Sites to drop malware through a fake Chrome browser download file. The issue was reported to Google, but there was no reply from the company.
Mursch is urging users to report the "Archive Poster" extension to Google, but maintains that it might be the work of a "disgruntled employee."

Monero Mining On Facebook And Android Phones

Monero mining is not limited to PCs, extensions or websites. In fact, hackers are infecting Android apps with Monero mining code to use Android devices to generate Monero coins. Furthermore, Facebook users on Messenger are also at risk of being infected with Monero-mining malware called Digmine.

How To Stop CoinHive Code From Using Your CPU Power

In October this year, Google announced that it would block cryptocurrency miners with new security features in Chrome, but the Opera browser was quicker to grasp the seriousness of the matter and introduced an Opera 50 beta version that comes with a built-in cryptocurrency mining blocker.
Since the use of the CoinHive code is increasing, there are several ways to block it from using your computer. For instance, the No Coin and minerBlock extensions available on the Chrome Web Store are developed to block crypto miners from using your computing power.

At the time of publishing this article, Archive Poster extension was still available on Chrome Web Store.

Friday, 22 December 2017

Beware of Cryptocurrency Mining Virus Spreading Through Facebook Messenger

By Swati Khandelwal on 21/12/2017 at The Hacker News

If you receive a video file (packed in zip archive) sent by someone (or your friends) on your Facebook messenger — just don’t click on it.

Researchers from security firm Trend Micro are warning users of a new cryptocurrency mining bot which is spreading through Facebook Messenger and targeting Google Chrome desktop users to take advantage of the recent surge in cryptocurrency prices.

Dubbed Digmine, the Monero-cryptocurrency mining bot disguises itself as a non-embedded video file under the name video_xxxx.zip (as shown in the screenshot), but actually contains an AutoIt executable script.

Once clicked, the malware infects the victim's computer and downloads its components and related configuration files from a remote command-and-control (C&C) server.

Digmine primarily installs a cryptocurrency miner, i.e. miner.exe—a modified version of an open-source Monero miner known as XMRig—which silently mines the Monero cryptocurrency in the background for the attackers using the CPU power of the infected computers.

Besides the cryptocurrency miner, the Digmine bot also installs an autostart mechanism and launches Chrome with a malicious extension that allows attackers to access the victims' Facebook profiles and spread the same malware file to their friends lists via Messenger.

Since Chrome extensions can only be installed via official Chrome Web Store, "the attackers bypassed this by launching Chrome (loaded with the malicious extension) via command line."
"The extension will read its own configuration from the C&C server. It can instruct the extension to either proceed with logging in to Facebook or open a fake page that will play a video," Trend Micro researchers say.
"The decoy website that plays the video also serves as part of their C&C structure. This site pretends to be a video streaming site but also holds a lot of the configurations for the malware’s components."
It's noteworthy that users opening the malicious video file through the Messenger app on their mobile devices are not affected.
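Because the extension never passes through the Chrome Web Store, the side-loading described above has to show up on the command line of the browser process, which is what endpoint telemetry can catch. The detector below is an added example written for this page, not Trend Micro's code; it assumes Chromium's real `--load-extension` switch (the article only says "via command line"), a constructed process-event format, and a constructed parent process name standing in for the AutoIt dropper.

```python
import re

# Chromium's command-line switch for side-loading an unpacked extension from
# disk; the article does not name it, it only says "via command line".
LOAD_EXTENSION_SWITCH = "--load-extension"
CHROME_IMAGES = {"chrome.exe", "chrome", "google-chrome"}

# Constructed process-creation events (not real telemetry), one per line:
# "<pid>|<parent_image>|<image>|<command_line>". The second event mirrors the
# Digmine behaviour: a dropper (hypothetical name video_1234.exe) starting
# Chrome with an unpacked extension loaded from the user's profile directory.
SAMPLE_EVENTS = r"""
4120|explorer.exe|chrome.exe|"C:\Program Files\Google\Chrome\Application\chrome.exe" --profile-directory=Default
5312|video_1234.exe|chrome.exe|"C:\Program Files\Google\Chrome\Application\chrome.exe" --load-extension="C:\Users\bob\AppData\Roaming\ext_upd" --no-first-run
6001|bash|google-chrome|/usr/bin/google-chrome --load-extension=/home/dev/myext,/home/dev/other --user-data-dir=/tmp/p
7002|explorer.exe|notepad.exe|"C:\Windows\System32\notepad.exe" --load-extension
"""

# Switch with an optional value, either quoted (may contain spaces) or bare.
_SWITCH_RE = re.compile(re.escape(LOAD_EXTENSION_SWITCH) + r'(?:=(?:"([^"]*)"|(\S+)))?')

def parse_events(text):
    events = []
    for line in text.strip().splitlines():
        pid, parent, image, cmdline = line.split("|", 3)
        events.append({"pid": int(pid), "parent": parent, "image": image, "cmdline": cmdline})
    return events

def sideloaded_extensions(cmdline):
    """Return the extension directories given to --load-extension (Chrome accepts a
    comma-separated list), or None when the switch is absent."""
    m = _SWITCH_RE.search(cmdline)
    if not m:
        return None
    value = m.group(1) if m.group(1) is not None else (m.group(2) or "")
    return [p for p in value.split(",") if p]

def find_sideloaded_chrome(events):
    """Flag Chrome processes started with an unpacked extension and keep the
    parent image, so an analyst can see what launched the browser."""
    hits = []
    for ev in events:
        if ev["image"].lower() not in CHROME_IMAGES:
            continue
        paths = sideloaded_extensions(ev["cmdline"])
        if paths is None:
            continue
        hits.append({"pid": ev["pid"], "parent": ev["parent"], "extensions": paths})
    return hits
```

Developers legitimately side-load extensions too, so the parent image and the extension path (a profile or temp directory versus a source tree) are what separate a Digmine-style launch from everyday use.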

Since the miner is controlled from a C&C server, the authors behind Digmine can upgrade their malware to add different functionalities overnight.

Digmine was first spotted infecting users in South Korea and has since spread its activities to Vietnam, Azerbaijan, Ukraine, the Philippines, Thailand, and Venezuela. But since Facebook Messenger is used worldwide, there is a good chance of the bot spreading globally.

When notified by researchers, Facebook said it had taken down most of the malware files from the social networking site.

Facebook spam campaigns are quite common, so users are advised to be vigilant when clicking on links and files shared via the social media platform.