Data Security, Encryption, Malware

Vivin’s low-end cryptomining campaign enters third year of activity


When it comes to cybercrime one does not necessarily have to be good to be successful as is being demonstrated by the cryptomining campaign Vivin.

Cisco Talos first came across samples of Vivin’s activity in November 2019, but upon further research found this mining activity had been ongoing since at least 2017. The fact it remained under the industry’s radar for so long enabling its operators to mine thousands of dollars’ worth of Monero is curious because Vivin exhibits poor operational security.

“Vivin makes a minimal effort to hide their actions, making poor operational security decisions such as posting the same Monero wallet address found in our observable samples on online forms and social media,” Talos wrote, adding that organizations need to be aware of bottom feeders along with more sophisticated operations as there is still money to be made mining cryptocurrency.

The threat actor also makes the same mistake of many people when it comes to protecting their security and reuses the same or similar usernames for a number of online accounts, including services used in the execution chains of the cryptomining malware.

The malware used is a variant of XMRig which is set up to use up to 80 percent of the victim’s processing power for mining.

The Vivin crew infects computers by posing their cryptominer as pirated software hoping to lure a victim looking to save a few bucks. It also spreads a very wide net giving the notion that creator is more interested in hitting a volume, as opposed to, a few more lucrative targets.

“Many of the samples are packed as self-extracting RAR files which extract and install what appears to be the actual software and covertly drop malicious files. The pirated software from our observed sample run contains a second stage payload that is written to AppDataLocalTemp as "setup.exe." Upon successful execution, the observed samples dropped both a JavaScript ("setup.js") and VBScript ("dllm.vbs") file to the victim host's AppDataLocalTemp and WindowsStart MenuProgramsStartup folders,” Talos said.

Despite Vivin’s seemingly lackadaisical attitude in opsec, the creators due take some precautions. Talos found a fair amount of obfuscation and evasion techniques employed, including actually downloading some of the expected pirated software. For persistence it sets Windows Scheduler to to create the job "anydesk" to execute setup JavaScript every 30 minutes.

Get daily email updates

SC Media's daily must-read of the most current and pressing daily news

By clicking the Subscribe button below, you agree to SC Media Terms and Conditions and Privacy Policy.