
Having infiltrated over 500,000 machines globally, the Smominru cryptojacking malware has now been updated to steal user data from its victims. The attackers have capitalized on easy access to open source exploits, speeding up their innovation, a report by Massachusetts-based cybersecurity company Carbon Black has indicated. The stolen data is likely being sold on dark web marketplaces.

Carbon Black’s Threat Analysis Unit discovered the secondary component in the cryptojacking malware recently. In a new form of attack known as ‘Access Mining,’ the attackers send the stolen system metadata to a network of hijacked web servers.

The company explained the updated attack in a blog post: “Access Mining is a tactic where an attacker leverages the footprint and distribution of commodity malware, in this case a cryptominer, using it to mask a hidden agenda of selling system access to targeted machines on the dark web. This discovery indicates a bigger trend of commodity malware evolving to mask a darker purpose.”

The attackers use a custom version of XMRig, a high-performance Monero CPU miner, to mine Monero (XMR). They also use readily available malware such as Mimikatz and EternalBlue, which they customize to suit their needs. They use compromised servers to store toolsets and collect stolen data, including IP addresses, usernames, passwords and domain information.

Combining commodity malware with access-for-sale in the new Access Mining attack is a lucrative business, the report revealed. The Monero cryptojacking malware has in the past been revealed to mine close to 9,000 XMR in just six months. At the current rate, this amounts to over $1.6 million a year.

In dark web marketplaces, the cost of access to a compromised machine averages $6.75. With over 500,000 machines compromised globally, the attackers could make over $3 million from the sale of user data.

Victims of the malware have been predominantly located in Eastern Europe, Russia and Asia Pacific.

The malware will force security experts to enhance their security protocols as well as improve on behavioral monitoring, the report stated, noting, “This discovery indicates a bigger trend of commodity malware evolving to mask a darker purpose and will force a change in the way cybersecurity professionals classify, investigate and protect themselves from threats.”

As CoinGeek reported recently, Trend Micro detected yet another cryptojacking malware, one that turns Elasticsearch, an enterprise search engine, into a crypto mining botnet. The malware targets out-of-date servers, which it forces to download and execute the offending scripts.
