When it comes to cybercrime one does not necessarily have to be good to be successful as is being demonstrated by the cryptomining campaign Vivin.
Cisco Talos first came across samples of Vivin’s activity in November 2019, but upon further research found this mining activity had been ongoing since at least 2017. The fact it remained under the industry’s radar for so long enabling its operators to mine thousands of dollars’ worth of Monero is curious because Vivin exhibits poor operational security.
“Vivin makes a minimal effort to hide their actions, making poor operational security decisions such as posting the same Monero wallet address found in our observable samples on online forms and social media,” Talos wrote, adding that organizations need to be aware of bottom feeders along with more sophisticated operations as there is still money to be made mining cryptocurrency.
The threat actor also makes the same mistake of many people when it comes to protecting their security and reuses the same or similar usernames for a number of online accounts, including services used in the execution chains of the cryptomining malware.
The malware used is a variant of XMRig which is set up to use up to 80 percent of the victim’s processing power for mining.
The Vivin crew infects computers by posing their cryptominer as pirated software hoping to lure a victim looking to save a few bucks. It also spreads a very wide net giving the notion that creator is more interested in hitting a volume, as opposed to, a few more lucrative targets.