Tag Archive for: cryptominer

Mirai-based NoaBot Botnet Targeting Linux Systems with Cryptominer


A noticeable difference between NoaBot and Mirai is that rather than launching DDoS attacks, the botnet targets weak SSH passwords to install cryptocurrency mining software.

Cybersecurity researchers at Akamai have discovered cryptomining malware called NoaBot, based on the notorious Mirai botnet. The cryptojacking malware NoaBot is currently targeting Linux servers and has been active since January 2023.

According to Akamai, a noticeable difference between NoaBot and Mirai is that rather than DDoS (Distributed Denial of Service) attacks, the malware targets weak SSH passwords and installs cryptocurrency mining software, allowing attackers to generate digital coins using victims’ computing resources, electricity, and bandwidth.

Here, it is important to mention that NoaBot malware has also been used to deliver P2PInfect, a separate worm discovered by Palo Alto Networks in July 2023.

NoaBot is compiled with the uClibc library rather than the standard Mirai library. This changes how antivirus products detect NoaBot, which they tend to categorize as an SSH scanner or a generic trojan. The malware is statically compiled and stripped of symbols, and its strings are obfuscated instead of stored as plaintext, making it harder for reverse engineers to extract details.

The NoaBot binary runs from a randomly generated folder, which makes it harder to locate on infected devices. The standard Mirai credential dictionary is replaced with a much larger one, and a custom-made SSH scanner is used. Post-breach capabilities include installing a new SSH authorized key.

This botnet has grown significantly, with over 800 unique IP addresses worldwide showing signs of NoaBot infections. The worm is a customized version of Mirai, a malware that infects Linux-based servers, routers, web cameras, and other Internet of Things devices.

Interestingly, the malware includes embedded song lyrics from the “Who’s Ready for Tomorrow” song by Rat Boy and IBDY, but later samples do not have these. The botnet also adds command line arguments, such as the “noa” flag, which installs a persistence method after a reboot.

[Screenshot: Akamai]
[Screenshot: Akamai]

Threat actors…


Norton Put a Cryptominer in Its Antivirus Software


This week, we reported that Signal has gone forward with its controversial cryptocurrency integration. All of the encrypted messaging app’s users now have access to MobileCoin, a privacy-focused cryptocurrency that US exchanges still don’t offer. The intent is to give monetary transactions the same protection from surveillance that Signal brought to messaging. But skeptics worry that introducing a financial element will bring unwanted complexity and regulatory scrutiny to Signal, an app that millions of people have come to rely on.

In hacking news, a criminal campaign has struck thousands of victims in over a hundred countries, which in itself isn’t necessarily all that unusual. Microsoft fixed the vulnerability the attackers are exploiting, though, nearly a decade ago. The problem: the patch is optional, and most users wouldn’t know where to get it even if they wanted to. If anything, it’s surprising that it took this long for someone to take advantage.

It’s a new year, which means it’s a great time for a couple of refreshers on how to stay safe online. We looked at how to send messages that automatically vanish on various chat apps. And we walked you through a few ways to delete yourself from the internet altogether, should the occasion call for it.

As part of this year’s virtual WIRED HQ at CES, we had a wide-ranging conversation with former congressman Will Hurd about the future of cybersecurity, cryptocurrency, the metaverse, and much more.

And that’s not all! Each week we round up all the security news WIRED didn’t cover in depth. Click on the headlines to read the full stories.

Norton, what are you doing! Several months ago the antivirus giant snuck a cryptominer into its consumer software, as noted by author and digital rights activist Cory Doctorow earlier this week. The pitch is that you can opt in to letting Norton mine cryptocurrency on your computer while you’re not using it; the software will even set up a secure wallet for you, all for a mere 15 percent cut of the proceeds. To be clear, you should absolutely not do this. Not only is cryptomining a drain on the environment, it introduces complexity and potential security issues to users who likely don’t know what they’re…


Tor2Mine cryptominer has evolved: Just patching and cleaning the system won’t help


Sophos released new findings on the Tor2Mine cryptominer that show how the miner evades detection, spreads automatically through a target network, and is increasingly hard to remove from an infected system. Tor2Mine is a Monero miner that has been active for at least two years.


In the research, Sophos describes new variants of the miner that include a PowerShell script that attempts to disable malware protection, execute the miner payload and steal Windows administrator credentials. What happens next depends on whether the attackers successfully gain administrative privileges with the stolen credentials. This process is the same for all the variants analyzed.

For example, if the attackers manage to get hold of administrative credentials, they can secure the privileged access they need to install the mining files. They can also search the network for other machines that they can install the mining files on. This enables Tor2Mine to spread further and embed itself on computers across the network.

Tor2Mine cryptominer can execute the miner remotely and filelessly

If the attackers cannot gain administrative privileges, Tor2Mine can still execute the miner remotely and filelessly by using commands that are run as scheduled tasks. In this instance, the mining software is stored remotely rather than on a compromised machine.

The variants all attempt to shut down anti-malware protection and install the same miner code. Similarly, in all cases, the miner will continue to re-infect systems on the network unless it encounters malware protection or is completely eradicated from the network.

“The presence of miners, like Tor2Mine, in a network is almost always a harbinger of other, potentially more dangerous intrusions. However, Tor2Mine is much more aggressive than other miners,” said Sean Gallagher, senior threat researcher at Sophos.

“Once it has established a foothold on a network, it is difficult to root out without the assistance of endpoint protection software and other anti-malware measures. Because it spreads laterally away from the initial point of compromise, it can’t be eliminated just by patching and cleaning one system. The miner will continually attempt…


New Plurox malware is a backdoor, cryptominer, and worm, all packed into one – ZDNet


New Plurox malware spotted in the wild in February; uses leaked NSA exploits; focuses on cryptocurrency mining.
