SecurityWeek


NAS Devices Used to Spread Cryptocurrency Mining Malware

Sophos has conducted a detailed analysis of a piece of malware designed to abuse infected computers for cryptocurrency mining and discovered that the threat leverages network-attached storage (NAS) devices to spread.


The malware, detected by the security firm as Mal/Miner-C, leverages infected computers to mine Monero (XMR), an open source privacy-focused cryptocurrency which, unlike Bitcoin, can still be mined using regular computers. The threat is written in NSIS (Nullsoft Scriptable Install System), a scripting language used for creating Windows installers.

These types of Trojans are not unheard of. Last month, antivirus company Dr. Web reported spotting a Go-based Monero miner designed to target Linux systems.

What makes Mal/Miner-C interesting is the fact that it abuses FTP servers in an effort to spread to as many computers as possible. Some instances of the malware include a component, called tftp.exe, which randomly generates IP addresses and attempts to connect to them using a predefined list of usernames and passwords.

If it establishes a successful connection to an FTP service, the malware copies itself to that server and modifies the .html and .php files stored on it. The targeted web files are injected with code that generates an iframe referencing the malware. When users visit these infected webpages, they are presented with a “save file” dialog that serves the malicious files. If victims download and open these files, their systems will become infected with Mal/Miner-C.

Sophos identified over 1.7 million individual infections in the first half of 2016, but these instances only corresponded to 3,150 unique IP addresses. That is because the malware copies itself to every folder on an infected FTP server.
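The copy-into-every-folder behavior is itself a usable detection signal on a file server or NAS share. The following is an added example, not code from the article or the Sophos report: it hashes every file under a share and flags content that appears in most directories. The thresholds `min_dirs` and `min_fraction` are assumptions to tune per environment.

```python
import hashlib
import os
from collections import defaultdict


def sha256_of(path):
    """Hash a file in 1 MiB chunks so large shares do not exhaust memory."""
    digest = hashlib.sha256()
    with open(path, "rb") as fh:
        for chunk in iter(lambda: fh.read(1 << 20), b""):
            digest.update(chunk)
    return digest.hexdigest()


def find_replicated_files(root, min_dirs=3, min_fraction=0.8):
    """Return {sha256: [paths]} for content copied into most directories.

    min_dirs and min_fraction are tuning assumptions, not values from the report.
    """
    all_dirs = set()
    paths_by_hash = defaultdict(list)
    for dirpath, _dirnames, filenames in os.walk(root):
        all_dirs.add(dirpath)
        for name in filenames:
            path = os.path.join(dirpath, name)
            # Skip symlinks, special files and empty placeholder files.
            if os.path.islink(path) or not os.path.isfile(path):
                continue
            if os.path.getsize(path) == 0:
                continue
            paths_by_hash[sha256_of(path)].append(path)

    flagged = {}
    for digest, paths in paths_by_hash.items():
        dirs_with_copy = {os.path.dirname(p) for p in paths}
        coverage = len(dirs_with_copy) / len(all_dirs)
        if len(dirs_with_copy) >= min_dirs and coverage >= min_fraction:
            flagged[digest] = sorted(paths)
    return flagged


if __name__ == "__main__":
    import sys
    share_root = sys.argv[1] if len(sys.argv) > 1 else "."
    for digest, paths in find_replicated_files(share_root).items():
        print(f"{digest}  {len(paths)} copies, e.g. {paths[0]}")
```

A hit is a lead for triage rather than a verdict, since legitimate per-folder files such as thumbnails or metadata stubs can replicate the same way.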

An Internet scan has shown that there are over 200,000 active FTP servers around the world that allow anonymous remote access, and more than 7,200 of them are not properly configured and have write access enabled. Of these, roughly 5,100 have already been infected with Mal/Miner-C.
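The misconfiguration counted above, anonymous login combined with write access, can be checked in a server's own configuration. The following is an added example, not from the article or the Sophos report. It assumes the server runs vsftpd, which the article does not name. The two sample configurations are constructed, and the defaults come from vsftpd.conf(5).

```python
# Built-in vsftpd defaults for the options checked here (per vsftpd.conf(5)).
DEFAULTS = {
    "anonymous_enable": "YES",
    "write_enable": "NO",
    "anon_upload_enable": "NO",
    "anon_mkdir_write_enable": "NO",
    "anon_other_write_enable": "NO",
}
ANON_WRITE_OPTIONS = {
    "anon_upload_enable": "anonymous users can upload files",
    "anon_mkdir_write_enable": "anonymous users can create directories",
    "anon_other_write_enable": "anonymous users can delete and rename",
}
# Spellings treated as "enabled" here, erring on the side of flagging.
TRUE_VALUES = {"YES", "TRUE", "1"}

# Constructed sample configurations: the weak setting beside the corrected one.
WEAK_CONF = """\
# constructed example: world-writable anonymous FTP
anonymous_enable=YES
write_enable=YES
anon_upload_enable=YES
anon_mkdir_write_enable=YES
"""
HARDENED_CONF = """\
# constructed example: local accounts only
anonymous_enable=NO
write_enable=YES
"""


def parse_conf(text):
    """Overlay key=value lines from a vsftpd.conf onto the built-in defaults."""
    opts = dict(DEFAULTS)
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        key, sep, value = line.partition("=")
        if sep:
            opts[key.strip().lower()] = value.strip().upper()
    return opts


def audit_anonymous_write(text):
    """Return findings only when anonymous login AND a write path are both on."""
    opts = parse_conf(text)
    if opts["anonymous_enable"] not in TRUE_VALUES or opts["write_enable"] not in TRUE_VALUES:
        return []
    return [f"{key}: {why}" for key, why in ANON_WRITE_OPTIONS.items()
            if opts[key] in TRUE_VALUES]
```

An empty result only covers the configuration file; filesystem permissions on the anonymous root still need their own review.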

While the malware has targeted various types of FTP servers, researchers noticed one device that is particularly susceptible to abuse. By default, Seagate’s Central NAS product provides a public folder that cannot be deleted or deactivated. If remote access is enabled on the device, attackers can easily plant the malware files in the hope that users will execute them once they discover them.


While Mal/Miner-C cannot directly run on Seagate Central, the NAS device can be highly useful for spreading the malware, and Sophos believes that most of these systems have already been infected.

After analyzing the wallets used by the cybercriminals to store their profits, researchers determined that they received a total of roughly 58,000 XMR from the MoneroPool mining pool they used. The infected machines had calculated 431,000 hashes per second, which accounted for half of the total pool.

When Attila Marosi, senior threat researcher at Sophos, wrote the report on Mal/Miner-C, Monero was worth less than $2, which meant cybercriminals had earned roughly $86,000. However, the value of Monero spiked this month after a popular dark web marketplace called AlphaBay integrated the cryptocurrency. One unit of the digital currency is currently worth more than $13, which means that the profit made by the cybercriminals is significantly higher.


Written By

Eduard Kovacs (@EduardKovacs) is a managing editor at SecurityWeek. He worked as a high school IT teacher for two years before starting a career in journalism as Softpedia’s security news reporter. Eduard holds a bachelor’s degree in industrial informatics and a master’s degree in computer techniques applied in electrical engineering.
