Malwarebytes researcher Jerome Segura analyzed a RIG exploit campaign distributing malware coin miners delivered via drive-by download attacks from malvertising.
Around November 2017, Segura began noticing exploit kits containing larger-than-usual payloads carrying one or more cryptominers for Monero and other popular currencies such as Bytecoin and Electroneum, according to a Jan. 9 blog post.
In the Ngay campaign, researchers observed several redirection techniques that led victims to the RIG EK, which then infected them with processes that mine multiple cryptocurrencies in a single attack.
A Monero miner spotted in the campaign looks to register itself permanently as a running service. Simultaneously, another cryptominer would be mining Electroneum, the “mobile friendly” digital currency via a malicious coin miner binary, maxing out a user’s CPU to 100 percent.
It’s worth noting that some miners are more discreet and won’t be such an obvious drain on a user’s CPU and power.
Segura told SC Media that these malware-based miners have an advantage over silent in-browser miners: they can stay on the system permanently, even after the user restarts the machine. This persistence is typically achieved via registry keys that launch the malicious code at boot time or via a scheduled task.
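The persistence described above (a service, a boot-time registry key or a scheduled task launching a binary that then pins the CPU near 100 percent) is something a defender can triage by correlating autostart entries with CPU-hungry processes. The script below is an added example written for this article, not code from Malwarebytes or SC Media; the autostart inventory and process samples are constructed placeholder data, and the paths and names in them are not real indicators.

```python
"""Correlate Windows autostart entries (services, Run keys, scheduled tasks)
with processes that sustain near-100% CPU, the pattern the article describes
for malware-based coin miners. Constructed sample data, not real telemetry."""
from dataclasses import dataclass
import ntpath

@dataclass
class AutostartEntry:
    source: str       # "service", "run_key" or "scheduled_task"
    name: str
    image_path: str   # executable the entry launches

@dataclass
class ProcessSample:
    image_path: str
    cpu_percent: float   # sampled CPU usage over an interval

# Constructed inventory: names and paths are placeholders, not real IoCs.
AUTOSTARTS = [
    AutostartEntry("service", "Spooler", r"C:\Windows\System32\spoolsv.exe"),
    AutostartEntry("service", "WinUpdateSvc", r"C:\ProgramData\svc\svchost32.exe"),
    AutostartEntry("run_key", "OneDrive", r"C:\Users\u\AppData\Local\Microsoft\OneDrive\OneDrive.exe"),
    AutostartEntry("scheduled_task", "SysCheck", r"C:\Users\u\AppData\Roaming\upd\update.exe"),
]
PROCESSES = [
    ProcessSample(r"C:\Windows\System32\spoolsv.exe", 0.3),
    ProcessSample(r"C:\ProgramData\svc\svchost32.exe", 97.5),
    ProcessSample(r"C:\Users\u\AppData\Roaming\upd\update.exe", 99.1),
    ProcessSample(r"C:\Program Files\Google\Chrome\chrome.exe", 12.0),
]

# Directories a standard user can write to; legitimate services rarely live here.
USER_WRITABLE = ("\\programdata\\", "\\appdata\\", "\\temp\\", "\\users\\public\\")

def is_user_writable(path):
    p = path.lower()
    return any(marker in p for marker in USER_WRITABLE)

def suspicious_persistence(autostarts, processes, cpu_threshold=90.0):
    """Return (source, name, binary, reasons) for every autostart entry whose
    binary is currently running above cpu_threshold percent CPU."""
    hot = {p.image_path.lower() for p in processes if p.cpu_percent >= cpu_threshold}
    findings = []
    for entry in autostarts:
        if entry.image_path.lower() in hot:
            reasons = ["sustained high CPU"]
            if is_user_writable(entry.image_path):
                reasons.append("runs from a user-writable directory")
            findings.append((entry.source, entry.name, ntpath.basename(entry.image_path), reasons))
    return findings
```

A real run would feed the two lists from `Get-Service`, the Run keys, `schtasks` and a CPU sample rather than the constructed data above; a flagged entry is a triage lead, not proof of a miner.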
“As cryptocurrencies become more and more popular, we can only expect to see an increase in malicious coin miners, driven by the prospect of financial gains and increased anonymity,” Segura said. “As the mining process has become cross-platform and achievable using regular computers, this has opened new possibilities for threat actors.”
Segura said he has seen these types of attacks before and that the group behind them is one of the top offenders in malvertising campaigns, adding that they appear to favor noisy attacks that drop multiple payloads without a great degree of sophistication.