Security researchers discovered that a recently released Monero cryptocurrency miner sends out the generated income to the Kim Il Sung University in North Korea. An in-depth code analysis reveals that it can be updated to include additional components as well.
The Monero CryptoCurrency Miner Revealed
One of the first large-scale attacks bearing Monero miner viruses was reported back a few months ago. Such malware usually abuse the available system resources in order to mine for the Monero cryptocurrency. The attacks a few months ago focused on exploiting Windows servers using exploit code. Intrusions through vulnerabilities were one of the main tactics for spreading the dispensed samples.
The latest samples appear to have been compiled around the Christmas Eve 2017. In comparison with other similar threats it has been found to feature a slightly different behavior. Instead of using predefined mining pools that are usually some of the most popular ones it seeks to establish a connection with a command and control server. The analysis shows that it is hosted at the Kim Il Sung University in North Korea. The actual miner itself connects to a mining pool and starts to mine the crypto currency. A network access test has been made which shows that the hacker server is unreachable. Consequently any mined currencies would not be transferred to the criminal operators.
Monero CryptoCurrency Miner Behavior Pattern
The Monero miner in question is widely distributed as software bundle installer. Typically such threats are distributed on hacker-controlled portals. The hackers acquire popular free or trial versions of famous software and modifies them to include the Miner software. Depending on their exact configuration the victims may be able to disallow installation by unchecking certain options during the setup process. Infection sources can include any of the following:
- Counterfeit Download Portals — They are designed to appear as legitimate services offering helpful software.
- Email Messages —They are distributed to computer victims and depending on the configuration the malware files can either be attached or linked. Social engineering tactics are employed in order to coerce the victims into falling for the threat.
- Web Scripts — All forms of ads, redirects and pop-ups can lead to a dangerous malware infection.
Once the virus code has been deployed the Monero CryptoCurrency Miner is started. Its file name is called intelservice.exe which is a generic name often used by other miner software. According to the analysts that reviewed the infection patterns it appears to be based on the xmrig tool.
There are several possible cases for the creation of this particular Monero cryptocurrency miner. One of the scenarios states that the miner is designed with the intent of running it in a closed local area network. It is possible that the Internet release of the code has been an incident.
However if the Monero cryptocurrency miner is viewed as a simple virus threat with shut-down servers. Finally the third possible cause is a prank aimed against the security researchers.
Further Monero CryptoCurrency Miner Details
Speculations about the origins and actual intentions about this particular Monero cryptocurrency miner suggests that the found samples may be testing versions of a future malware. The analysts detected that the code contained fake filenames which are probably stealth protection mechanisms that can be employed.
Two similar samples were identified during the investigation. They appear to be a related simpler version probably made by different authors. Some of their code originates from the same source.
All of this points to the possibility of having the original source on sale on the underground hacker markets. The fact that the signatures are still not entirely known to the security researchers shows that any future attacks may prove damaging if a large-scale attack is enforced.
Previous North Korea based attackers that utilize various Monero cryptocurrency miners are two hacking groups:
- Bluenorroff — The group became well-known for a partially succeful intrusion from the Bank of Bangladesh. They were able to penetrate servers and install the viruses onto them thus generating a large amount of income.
- Andariel — This hacking group also utilizes various Monero miners. A high-impact target was an undisclosed major South Korean company. They are also responsible for thefts from the South Korean Ministry of Defense.
The malware specialists were able to track down the Bitcoin transactions coming in and out from North Korea as the country’s IP range is very limited. One of the notable addresses is actively trading on various BitCoin exchanges. It was involved in several hacking attacks back in 2014/2015 where it was assigned as a command and control server.
The new wave of incoming attack once again signal the need for users to have a quality anti-spyware solution. Computer users can scan their systems for free.
Spy Hunter scanner will only detect the threat. If you want the threat to be automatically removed, you need to purchase the full version of the anti-malware tool.Find Out More About SpyHunter Anti-Malware Tool / How to Uninstall SpyHunter
Martin Beltov
Martin graduated with a degree in Publishing from Sofia University. As a cyber security enthusiast he enjoys writing about the latest threats and mechanisms of intrusion.
Follow Me: