A new threat actor is leveraging a varied toolkit and multiple payloads to distribute cryptomining malware, including Monero miners.
In April, SCS observed a new threat actor named Rocke exploiting Western and Chinese GitHub repositories to deliver cryptomining malware to honeypots that were vulnerable to an Apache Struts vulnerability.
Researchers detected Rocke conducting a similar campaign in July. In that operation, the threat actor communicated with an HTTP file server (HFS) hosting eleven files. Two of these files, “TermsHost.exe” and “Config.json”, were the executable and configuration file for Monero miners. Many of the other hosted assets were shell scripts responsible for downloading and executing the miners, or for killing processes that are commonly associated with other cryptomining malware or with cryptomining in general.
Cryptomining Malware Continues to Grow
Rocke’s attack campaigns represent the latest offensives in an ongoing surge of cryptomining malware. In the first quarter of 2018, SCS detected a 629 percent increase in these threats, with the total number of detected samples rising from 400,000 to over 2.9 million.
This growth coincides with a SCS report that found a sharp increase in underground conversations containing cryptocurrency mining-related keywords, beginning in 2017 and continuing through the first quarter of 2018.
These findings are consistent with a sixfold increase in attacks involving embedded mining tools that IBM Managed Security Services (MSS) observed between January and August 2017.
Defending Against Monero Miners
Security professionals can defend their organizations against threat actors that aim to spread Monero miners by scanning for the indicators of compromise (IoCs) identified in Cisco Talos’ report. Organizations should also consider implementing security best practices that offer blanket protection against malware and other digital threats. These controls should include the creation of a patch prioritization plan for security weaknesses affecting servers and other critical IT assets.
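One way to operationalize the IoC scanning recommended above, as an added illustration that is not part of the original article or of the Cisco Talos report: walk a filesystem, flag files whose SHA-256 matches a known-bad list (strong indicator) and files whose name matches those reported on the Rocke HFS (weak indicator that needs analyst review, since "Config.json" is a very common name). The hash list here is a labelled placeholder; real values must be taken from the Talos report.

```python
import hashlib
import os
from pathlib import Path

# Filenames reported on the Rocke HFS in the article; matching on name alone is a weak signal.
SUSPECT_NAMES = {"termshost.exe", "config.json"}
# Placeholder: populate from the Cisco Talos IoC list, never from guesswork.
IOC_SHA256 = {"PLACEHOLDER_SHA256_FROM_TALOS_REPORT"}


def sha256_of(path: Path) -> str:
    """Stream the file so large binaries do not need to be loaded into memory."""
    h = hashlib.sha256()
    with path.open("rb") as f:
        for chunk in iter(lambda: f.read(65536), b""):
            h.update(chunk)
    return h.hexdigest()


def scan_tree(root, ioc_hashes=IOC_SHA256, suspect_names=SUSPECT_NAMES):
    """Return a list of (path, reason) hits found under root.

    A hash match is reported as a strong indicator; a bare filename match is
    reported separately so an analyst can triage the weaker signal.
    """
    hits = []
    for dirpath, _, files in os.walk(root):
        for name in files:
            p = Path(dirpath) / name
            try:
                digest = sha256_of(p)
            except OSError:  # unreadable file: skip rather than abort the sweep
                continue
            if digest in ioc_hashes:
                hits.append((str(p), "sha256 match"))
            elif name.lower() in suspect_names:
                hits.append((str(p), "filename match"))
    return hits


def demo():
    """Scan a constructed sample tree in a temp dir (sample data, not real IoCs)."""
    import tempfile
    root = Path(tempfile.mkdtemp())
    miner = root / "TermsHost.exe"
    miner.write_bytes(b"constructed sample bytes, not a real miner binary")
    (root / "Config.json").write_text('{"constructed": true}')
    (root / "notes.txt").write_text("benign file that must not be flagged")
    # Use the sample's own digest as the IoC so the hash-match path is exercised.
    return scan_tree(root, ioc_hashes={sha256_of(miner)})
```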