Hackers Recycle old Ransomware for new Crypto Malware

Cybersecurity experts at Fortinet and Kaspersky have discovered new cryptocurrency malware that has been developed using updated versions of known ransomware according to September 5, 2018, reports.

Cryptojacking Malware

If you have been following blockchain media, you will be aware of the aggressive surge in cryptocurrency mining malware that allows hackers to implement code into a website that mines cryptocurrency using each visitors processing power without informing the user. This practice is commonly referred to as “cryptojacking.”

The Monero-mining protocol CoinHive was the first software of this kind when it launched in September 2017. It was developed with the intention of providing website owners with an alternative monetization tool that could replace advertising. However, the CoinHive protocol was almost immediately hijacked by malicious actors who implemented this code into as many websites as possible to make illicit gains in the untraceable digital currency Monero (XMR).

Hackers went as far as to implement the CoinHive code into YouTube Ads to make money from YouTuber users while they watched videos on Google’s popular streaming platform.

As CoinHive is an open-source protocol, newer iterations of the cryptomining software also quickly appeared, which can only be categorized as malware.

According to ITPro Today, researchers at Fortinet and Kaspersky have found that hackers have started to take old ransomware and “upgrade” it to either steal cryptocurrency from its victims or mine cryptocurrency using the infected computer.

Kaspersky cybersecurity experts Egor Vasilenko and Orkhan Mamedov explained in a blog post how a trojan that has been around since 2013 has been revamped to now go through a checklist when deployed on its victim’s computer before it decides whether to start mining cryptocurrency on that computer or not. The two researchers wrote:

“The decision to download the cryptor or the miner depends on the presence of the folder %AppData%\Bitcoin. If the folder exists, the downloader decides to download the cryptor. If the folder doesn’t exist and the machine has more than two logical processors, the miner will be downloaded. If there’s no folder and just one logical processor, the downloader jumps to its worm component, which is described below in the corresponding part of the article.”

In other words, if the victim has bitcoin, the ransomware aspect of the malware will kick it to ask for a ransom payment in bitcoin to decrypt the files on the computer. If the victim does not have bitcoin, but the machine is strong enough to be used for mining, it will deploy a cryptocurrency miner that mines Monero. Alternatively, the malware will try to access other computers in the network.

Research analysts at Fortinet have found that an old malware, called Jigsaw, which first appeared in 2016 has now been re-engineered to steal cryptocurrency.

In a blog post, Evgeny Ananin and Artem Semenchenko detail how the new malware steals digital currencies by enabling the hackers to copy and paste their own address into crypto wallets in a nearly undetectable manner when a user makes a payment. This malware falls under the category of “clipboard-substitution malware.”

According to Ananin and Semenchenko, this crypto stealing malware works as follows: “It will replace the bitcoin address to the address of an attacker, thereby sending money to another wallet. One would think that when copying a person would clearly see the replacement of the addresses. However, this malware has an interesting feature – it cleverly replaces the legitimate address with a forged-one having similar (or the same) symbols at the beginning and the end of the string.”

According to Fortinet, this specific crypto-stealing campaign netted a little over eight BTC worth around $60,000 at the time. This new crypto stealing “Jigsaw” clone, however, was not the only new clipboard-substitution malware the researchers found.

“During our investigation, we discovered even more projects. These were not identical, but they had the same common set of specific characteristics. Based on the assembly project name BitcoinStealer.exe, we found several advertisements on underground forums for downloading the malware builder with the source code, called ‘BTC Stealer,’” the researchers stated.

Moreover, the WannaCry ransomware, which made headlines in May 2017 when it infected over 200,000 computers, has also reportedly been repurposed for cryptojacking.

The new malware dubbed “WannaMine” is using the same software as the WannaCry ransomware but, instead, deploys it to hijack its victims’ computing power to mine Monero. Anthony Giandomenico, a senior security strategist at Fortinet, told ITPro Today:

“As the cybercrime ecosystem matures, there is a lot of malicious software out there, and many times that software is leaked to others or to the public. When it’s leaked, it is usually picked up by other bad actors and either reused as is or modified or enhanced. Why reinvent the wheel when you have the wheel and you can just focus on enhancing it? It’s all about efficiency. It’s all about the mighty dollar. They say that necessity is the mother of invention, but in the cyber dark world it’s money that drives invention.”

This trend shows that cybercriminals are finding new ways to get their hands on cryptocurrency. It is also the ideal prey for hackers since cryptocurrency transactions cannot be reversed. Anyone who holds cryptocurrency, therefore, needs to ensure they follow basic cybersecurity measures to mitigate the risk of falling victim to cybercriminals.

Most malware is still being spread through attachments in email. Hence, the adage, do not download attachments or click on any links in emails from unknown senders should act as the first line of defense.

Moreover, purchasing anti-virus software and malware detecting software such as Avast and Malware Bytes will alert users when they reach websites with embedded crypto miners as well as flag attachments that may contain malicious software. Adding a crypto mining blocker as an extension in your browser can be an additional mitigating course of action.

Staying away from non-kosher websites and not downloading unlicensed software is also advisable to avoid catching crypto stealing malware on your PC. To catch crypto mining, you should regularly monitor your CPU usage. If you are experiencing a spike in usage, you may have been infected with cryptocurrency mining malware.

Finally, you should upgrade your computer with all necessary upgrades as these will include patches for vulnerabilities that hackers may attempt to exploit.