NAS Devices Used to Spread Cryptocurrency Mining Malware

Sophos has conducted a detailed analysis of a piece of malware designed to abuse infected computers for cryptocurrency mining and discovered that the threat leverages network-attached storage (NAS) devices to spread.

The malware, detected by the security firm as Mal/Miner-C, leverages infected computers to mine Monero (XMR), an open source privacy-focused cryptocurrency which, unlike Bitcoin, can still be mined using regular computers. The threat is written in NSIS (Nullsoft Scriptable Install System), a scripting language used for creating Windows installers.

These types of Trojans are not unheard of. Last month, antivirus company Dr. Web reported spotting a Go-based Monero miner designed to target Linux systems.

What makes Mal/Miner-C interesting is the fact that it abuses FTP servers in an effort to spread to as many computers as possible. Some instances of the malware include a component, called tftp.exe, which randomly generates IP addresses and attempts to connect to them using a predefined list of usernames and passwords.

If it establishes a successful connection to an FTP service, the malware copies itself to that server and modifies the .html and .php files stored on it. The targeted web files are injected with code that generates an iframe referencing the malware. When users visit these infected webpages, they are presented with a “save file” dialog that serves the malicious files. If victims download and open these files, their systems will become infected with Mal/Miner-C.
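A defender-side way to look for the kind of tampering described above is to sweep the web root of an FTP-exposed host for `.html`/`.php` files carrying an iframe that is hidden or that points at an executable download. The script below is an added example, not Sophos's tooling or code from the article; the heuristics, the `PLACEHOLDER-HOST` URL and the two sample pages are constructed assumptions for illustration.

```python
"""Scan a web root for hidden or executable-serving <iframe> injections.

Added example (not the article's or Sophos's code). The regexes are
heuristics; the sample pages and PLACEHOLDER-HOST are constructed.
"""
import re
import tempfile
from pathlib import Path

# File types the article says the malware modifies on infected FTP servers.
TARGET_EXTENSIONS = {".html", ".htm", ".php"}

IFRAME_RE = re.compile(r"<iframe\b[^>]*>", re.IGNORECASE)
SRC_RE = re.compile(r'src\s*=\s*["\']?([^"\'\s>]+)', re.IGNORECASE)
# Assumption: droppers served this way end in a Windows executable extension.
EXEC_EXT_RE = re.compile(r"\.(exe|scr|bat|cmd|com|pif)(\?|$)", re.IGNORECASE)
# Zero-sized or CSS-hidden frames are a classic sign of an injected iframe.
HIDDEN_RE = re.compile(
    r"(width|height)\s*=\s*[\"']?0{1,2}[\"']?(?![\d.])"
    r"|display\s*:\s*none|visibility\s*:\s*hidden",
    re.IGNORECASE,
)


def suspicious_iframes(html: str) -> list[dict]:
    """Return every <iframe> tag that is hidden or whose src is an executable."""
    findings = []
    for m in IFRAME_RE.finditer(html):
        tag = m.group(0)
        src_m = SRC_RE.search(tag)
        src = src_m.group(1) if src_m else ""
        reasons = []
        if EXEC_EXT_RE.search(src):
            reasons.append("src points at an executable download")
        if HIDDEN_RE.search(tag):
            reasons.append("iframe is hidden")
        if reasons:
            findings.append({"tag": tag, "src": src, "reasons": reasons})
    return findings


def scan_webroot(root: str) -> dict[str, list[dict]]:
    """Walk root recursively; map relative path -> findings for each hit."""
    results = {}
    for path in Path(root).rglob("*"):
        if not path.is_file() or path.suffix.lower() not in TARGET_EXTENSIONS:
            continue
        try:
            text = path.read_text(encoding="utf-8", errors="replace")
        except OSError:
            continue  # unreadable file: skip rather than abort the sweep
        hits = suspicious_iframes(text)
        if hits:
            results[path.relative_to(root).as_posix()] = hits
    return results


# Constructed sample pages; the injected one mirrors the pattern in the text.
CLEAN_PAGE = (
    '<html><body><h1>Hello</h1>'
    '<iframe src="https://example.com/embed" width="640" height="360"></iframe>'
    '</body></html>'
)
INFECTED_PAGE = (
    '<html><body><p>Photos</p>\n'
    '<iframe src="http://PLACEHOLDER-HOST/Photo.scr" width=0 height=0 frameborder=0>'
    '</iframe></body></html>'
)


def demo() -> dict[str, list[dict]]:
    """Build a throwaway web root with a clean and an injected page, then scan it."""
    with tempfile.TemporaryDirectory() as root:
        (Path(root) / "index.html").write_text(CLEAN_PAGE, encoding="utf-8")
        sub = Path(root) / "photos"
        sub.mkdir()
        (sub / "gallery.php").write_text(INFECTED_PAGE, encoding="utf-8")
        # Same content in a .txt file is ignored: it is not a served web page.
        (sub / "notes.txt").write_text(INFECTED_PAGE, encoding="utf-8")
        return scan_webroot(root)


if __name__ == "__main__":
    for rel, hits in demo().items():
        for h in hits:
            print(f"{rel}: {h['src']} ({'; '.join(h['reasons'])})")
```

Run it against the real document root (`scan_webroot("/var/www/html")`) as a periodic integrity check on any host that exposes a writable FTP share; pairing it with a baseline hash of the web files catches modifications the heuristics miss.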

Sophos identified over 1.7 million individual infections in the first half of 2016, but these instances only corresponded to 3,150 unique IP addresses. That is because the malware copies itself to every folder on an infected FTP server.

An Internet scan has shown that there are over 200,000 active FTP servers around the world that allow anonymous remote access, and more than 7,200 of them are improperly configured with write access enabled. Of these, roughly 5,100 have already been infected with Mal/Miner-C.

While the malware has targeted various types of FTP servers, researchers noticed one device that is especially susceptible to abuse. By default, Seagate’s Central NAS product provides a public folder that cannot be deleted or deactivated. If remote access is enabled on the device, attackers can easily plant the malware files in hopes that they will be executed by users once they are discovered.

While Mal/Miner-C cannot directly run on Seagate Central, the NAS device can be highly useful for spreading the malware, and Sophos believes that most of these systems have already been infected.

After analyzing the wallets used by the cybercriminals to store their profits, researchers determined that they received a total of roughly 58,000 XMR from the MoneroPool mining pool they used. The infected machines were computing 431,000 hashes per second, which accounted for half of the pool's total hash rate.

When Attila Marosi, senior threat researcher at Sophos, wrote the report on Mal/Miner-C, Monero was worth less than $2, which meant cybercriminals had earned roughly $86,000. However, the value of Monero spiked this month after a popular dark web marketplace called AlphaBay integrated the cryptocurrency. One unit of the digital currency is currently worth more than $13, which means that the profit made by the cybercriminals is significantly higher.

Related: Go-Based Linux Trojan Used for Cryptocurrency Mining

Written By

Eduard Kovacs (@EduardKovacs) is a managing editor at SecurityWeek. He worked as a high school IT teacher for two years before starting a career in journalism as Softpedia’s security news reporter. Eduard holds a bachelor’s degree in industrial informatics and a master’s degree in computer techniques applied in electrical engineering.