A new Monero mining campaign has been spotted in the wild. Its operation and propagation techniques resemble those used in ransomware attacks.
The big picture - Check Point researchers found that the mining operation has been active since January 2019. The campaign uses two specific trojans - Trojan.Win32.Fsysna and a variant of Monero mining malware - to carry out the attack.
Although it is unclear how the initial infection of an unprotected PC in a network occurs, researchers claim that the malware uses Mimikatz to spread through unpatched systems on the network.
Once installed, the trojan uses Windows' built-in taskkill utility to kill older versions of itself that are running on the machine. This enables the malware to maintain persistence on the infected system.
“It additionally uses the WMI application to stop other processes that are running from the Windows Temp folder and have the same names as its payload,” Check Point researchers added.
What's new with this variant of Monero miner - The new variant leverages legitimate IT admin tools, Windows system tools and previously disclosed Windows vulnerabilities to spread across an organization's network.
Researchers point out that the use of legitimate Windows tools such as CMD, WMI and networking utilities to inflict damage and establish persistence makes such attacks harder for organizations to detect.
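As an added illustration, not code from Check Point or from the campaign itself: a small Python detector run over constructed process-creation events (the image paths, command lines and the payload name svchost32.exe are assumed sample values) that flags the two behaviours described above, execution from the Windows Temp folder and taskkill/WMI process termination, and raises the severity when a taskkill target is itself a Temp-launched binary.

```python
import re

# Constructed sample process-creation events (not real telemetry), modelled on
# the behaviour described above: a payload running from Windows\Temp that uses
# taskkill and WMI to stop its own older copies. Names and paths are assumed.
SAMPLE_EVENTS = [
    {"pid": 1201, "image": r"C:\Windows\Temp\svchost32.exe",
     "cmdline": r"C:\Windows\Temp\svchost32.exe"},
    {"pid": 1202, "image": r"C:\Windows\System32\taskkill.exe",
     "cmdline": r"taskkill /F /IM svchost32.exe"},
    {"pid": 1203, "image": r"C:\Windows\System32\wbem\WMIC.exe",
     "cmdline": "wmic process where \"ExecutablePath like '%Windows\\\\Temp%'\" call terminate"},
    {"pid": 1204, "image": r"C:\Windows\System32\notepad.exe",
     "cmdline": r"notepad.exe C:\Users\alice\notes.txt"},
]

# One or more backslashes between the path components so WQL-escaped strings match too.
TEMP_DIR = re.compile(r"windows\\+temp\\?", re.IGNORECASE)
TASKKILL_IM = re.compile(r"taskkill\b.*?/im\s+(\S+)", re.IGNORECASE)
WMIC_TERMINATE = re.compile(r"wmic\b.*\bprocess\b.*\bcall\s+terminate", re.IGNORECASE)

def classify(event):
    """Return the list of detection reasons for one event (empty if nothing matched)."""
    reasons = []
    if TEMP_DIR.search(event["image"]):
        reasons.append("binary executed from Windows Temp folder")
    m = TASKKILL_IM.search(event["cmdline"])
    if m:
        reasons.append(f"taskkill terminating {m.group(1)}")
    if WMIC_TERMINATE.search(event["cmdline"]):
        reasons.append("WMI used to terminate processes")
        if TEMP_DIR.search(event["cmdline"]):
            reasons.append("WMI terminate targets Windows Temp processes")
    return reasons

def scan(events):
    """Correlate events: a taskkill whose target was launched from Temp is high severity."""
    temp_names = {e["image"].rsplit("\\", 1)[-1].lower()
                  for e in events if TEMP_DIR.search(e["image"])}
    findings = []
    for e in events:
        reasons = classify(e)
        targets = [t.lower() for t in TASKKILL_IM.findall(e["cmdline"])]
        if any(t in temp_names for t in targets):
            severity = "high"
        elif reasons:
            severity = "medium"
        else:
            continue
        findings.append({"pid": e["pid"], "severity": severity, "reasons": reasons})
    return findings
```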