
Tech support scam used to spread Coinhive's Monero cryptominer

An EITest campaign is using tech support scams to deliver Coinhive's Monero miner, the same JavaScript cryptocurrency miner that has been silently mining in the browsers of visitors to The Pirate Bay site.

Once a user visits a compromised website, an overlay designed to mimic a legitimate Microsoft Windows notification pops up, alerting victims that the system has been "infected" with malware and instructing them to call a phony tech support number, while in the background a malicious executable file is downloaded, according to a Sept. 22 Trend Micro blog post.

The miner runs quietly, and a victim will likely notice nothing beyond system lag and degraded performance. The campaign has been active since 2014; starting in 2017 it has avoided the use of exploits in favor of "HoeflerText" phishing lures or tech support scams.

Researchers noted that criminal cryptocurrency mining is gaining traction because it is an apparent non-zero-sum game: threat actors can turn a profit quickly without investing time in writing their own malware, misusing existing "grayware" such as Coinhive's miner instead.

Similar to the appeal of ransomware, these attacks offer cybercriminals a low-cost, high-reward way of making fast money by casting a wide net over ordinary users.

“Use of cryptocurrency miners is on the rise in the world of cybercrime,” Trend Micro Vice President of Cloud Security Mark Nunnikhoven told SC Media. “We haven't yet seen them coupled with ransomware, but that combination is one that's likely to surface.”

Nunnikhoven said that if a cybercriminal compromises your system and uses it in a botnet, they then need to find a buyer for that service, whereas with a cryptocurrency miner the cybercriminal starts making money shortly after the infection.

The attack method also gives cybercriminals pseudonymity that keeps law enforcement away from their activities by reducing the artifacts the crime generates. In a botnet, for example, every node generates evidence that helps law enforcement track down the operator, so the larger the botnet, the larger the trail.

“With a miner, the evidence will point to a cryptocurrency wallet and transaction trail,” Nunnikhoven said. “That may help law enforcement track down the cybercriminal, but this is where the pseudonymity of cryptocurrency comes into play to reduce the chances of that happening.”

And while the mining itself does not threaten other systems or data, the vulnerability or social-engineering foothold used to install the miner can leave the same security gap open for other malware to take advantage of.

To avoid infection, Mac and Windows users are encouraged to run the latest version of their browser of choice and to enable its auto-update feature.
