Tag Archive for: Mining

Monero Mining Malware Finds Success at Top of Google Search

/in


  • Nitrokod is currently featured at the top of Google search results for popular apps, including Translate
  • The malware maliciously mines monero using users’ computer resources, echoing once-prolific CoinHive

An insidious malware campaign targeting users searching for Google applications has infected thousands of computers globally to mine privacy-focused crypto monero (XMR).

You’ve probably never heard of Nitrokod. Israeli-based cyber intelligence firm Check Point Research (CPR) stumbled upon the malware last month. 

In a report on Sunday, the firm said Nitrokod initially masks itself as a free software, having found remarkable success at the top of Google search results for “Google Translate desktop download.”

Also known as cryptojacking, mining malware has been used to infiltrate unsuspecting user’s machines since at least 2017, when they rose to prominence alongside crypto’s popularity.

CPR previously detected well-known cryptojacking malware CoinHive, which also mined XMR, in November of that year. CoinHive was said to be stealing 65% of an end-user’s total CPU resources without their knowledge. Academics calculated the malware was generating $250,000 per month at its peak, with the bulk of it going to less than a dozen individuals.

As for Nitrokod, CPR believes it was deployed by a Turkish-speaking entity sometime in 2019. It operates across seven stages as it moves along its path to avoid detection from typical antivirus programs and system defenses. 

“The malware is easily dropped from software found on top Google search results for legitimate applications,” the firm wrote in its report.

Softpedia and Uptodown were found to be two major sources of fake applications. Blockworks has reached out to Google to learn more about how it filters these kinds of threats.

Image source: Check Point Research

After downloading the application, an installer executes a delayed dropper and continuously updates itself on every restart. On the fifth day, the delayed dropper extracts an encrypted file. 

The file then initiates Nitrokod’s final stages, which sets about scheduling tasks,…

Source…

Live news: Elon Musk says Tesla open to acquiring mining company

/in


Ukraine’s transmission network operator has suspended contractual obligations to transport gas through one of its key pipelines with Russia because of enemy troop activity, in a move that could cut flows to Europe.

The gas transmission system operator of Ukraine said that transit would halt at 7am on Wednesday at the Sokhranivka point along the smaller of two pipelines that deliver gas from Russia. It said it was unable to carry out operations at a border compression station in Luhansk — a region of Ukraine that Moscow claims as an independent state — because of the Russian occupation.

“The interference of the occupying forces in technical processes and changes in the modes of operation of gas transmission system facilities, including unauthorised gas offtakes from the gas transit flows, endangered the stability and safety of the entire Ukrainian gas transportation system,” it said in a statement on Tuesday.

The gas transmission system operator of Ukraine said that almost one-third of Russian supplies that go via the country to Europe would be affected, but it would still be possible to fulfil the needs of its European customers by rerouting gas to the Sudzha connection point.

Ukraine’s pipeline operator has previously cautioned that war-related damage to the system could endanger flows, but it is the first time since the invasion that it has declared force majeure, highlighting the risks to the supply of Russian gas to Europe.

Last year, EU states imported 155bn cubic metres of Russian gas, of which roughly 40 bcm transited through Ukraine. Nord Stream 1, the largest pipeline running from Russia to Germany, has the capacity to take 55 bcm.

The announcement of the halt sent future contracts tied to the European wholesale gas price benchmark nearly 6 per cent higher on Tuesday to almost €100 per megawatt hour, overturning earlier losses.

Yuriy Vitrenko, chief executive of Ukraine’s state gas company Naftogaz, pinned the blame on the Russian side. “Gazprom has been duly notified that Ukraine is no longer responsible for gas transit through territories occupied by Russia,” Vitrenko said.

Source…

Sorry, Tool to Unlock Nvidia’s Ethereum Mining Limiter Delivers Malware

/in


Yep, it was too good to be true. A software tool claiming it can remove the Ethereum mining limiter on Nvidia’s RTX 3000 graphics cards is actually capable of delivering malware

The tool’s creator, a mysterious developer known as “Sergey,” released a beta of the “LHR Unlocker” program this morning on his GitHub page, a few days ahead of a promised Saturday launch. However, a component inside the installer can fetch an Nvidia GeForce driver file that 18 different antivirus scans will detect as malware.

The malicious nature of LHR Unlocker was noticed by a Russian data scientist named Mikhail Stepanov, who posted an antivirus scan of the driver file on Sergey’s own GitHub page. 

A virus scan of the malicious driver file.


A virus scan of the malicious driver file.
(VirusTotal)

Stepanov, who mines cryptocurrency at his home, said he unpacked the installer and launched it on a virtual machine, but found no evidence it’ll unlock the Ethereum mining limiter on Nvidia’s RTX 3000 GPUs. Instead, the installer can fetch a malicious driver file from a server under the domain “drivers.sergeydev[.]com.” 

“This is a common Trojan,” Stepanov told PCMag in a chat on Telegram. “Most likely they wanted to build a botnet.” 

screenshot


The URL to the malicious driver file is inside one of the installer’s components.

PCMag also unpacked the LHR Unlocker installer, and found that a component inside called “AI_FileDownload” does indeed lead to the domain “drivers.sergeydev[.]com” to fetch the malicious Nvidia driver file. Antivirus scans from Kaspersky, McAfee, Avast, Symantec, and Microsoft all detect it as a malicious file or as a Trojan. There is a chance the antivirus scans flagged the Nvidia driver file incorrectly. But in its current state, the beta LHR Unlocker program doesn’t work.

Meanwhile, a separate malware scan using Joe Sandbox shows the LHR Unlocker installer will also try to prevent Windows Defender from detecting it, according to Tom’s Hardware.

Recommended by Our Editors

So far, Sergey hasn’t commented on the malware allegations. His background is unclear, but a domain lookup shows sergeydev[.]com is registered to a person in Poland named Sergey Bronovsky. 

The tool was released as…

Source…

Google Cloud Adds Crypto Mining Malware Detection Tool By DailyCoin

/in


Google Cloud Adds Crypto Mining Malware Detection Tool

Google Cloud has expanded its range of security features to address the growing threat of illegal cryptocurrency mining as more companies adopt cloud storage technology.

To protect Google (NASDAQ:) Cloud clients and the virtual machines running on its infrastructure, the company unveiled its newest threat detection layer, Virtual Machine Threat Detection (VMTD).

Illegal cryptocurrency mining is one of the most common exploits of compromised remote storage accounts. Digital asset mining typically requires large amounts of computing power, which Google Cloud customers happen to pay for.

The new Virtual Machine Threat Detection (VMTD) tool utilizes an agentless memory scanning that assists in detecting cryptocurrency mining malware as well as other threats such as data exfiltration and ransomware in virtual machines.

This means that VMTD users will be empowered to detect malicious behavior in their VMs without installing any additional software that could impact performance or increase the risk of a potential attack.

“Not running an agent inside of their instance means less performance impact, lowered operational burden for agent deployment and management, and exposing less attack surface to potential adversaries,” explained the Google team.

The VMTD feature is currently only available as a public preview for Google Cloud’s Security Command Center Premium customers. The company expects to be able to make the tool available to all of its customers within the next few months. In the meantime, the Google Cloud team is planning the steady release of new detection capabilities and integrations for other aspects that fall under the Google Cloud infrastructure purview.

The Use of Hacked Accounts to Mine Crypto

As more organizations worldwide continue to shift to employing cloud services and technologies, they have become common targets for hackers.

Compromised cloud accounts make up the majority of illegal cryptocurrency mining exploits. According to Google, 86% of its compromised cloud instances were used to mine digital currencies in 2021. In some cases, malicious actors installed crypto mining malware just 22 seconds…

Source…