Security Experts:

Connect with us

Hi, what are you looking for?



Nation-State Cyberspy Group Drops Coin Miners as Distraction Technique

A nation-state threat actor was observed using cryptocurrency miners to avoid attracting too much attention and establish persistence in targeted networks, Microsoft reported on Monday.

A nation-state threat actor was observed using cryptocurrency miners to avoid attracting too much attention and establish persistence in targeted networks, Microsoft reported on Monday.

Typically associated with cybercrime activities, these miners cause low-priority alerts, especially since they are not sophisticated threats, and security teams don’t treat them with high urgency.

This is exactly why a nation-state actor tracked by Microsoft as BISMUTH, which shows a series of similarities with a Vietnam-linked group named OceanLotus, adopted crypto-miners in campaigns running from July to August 2020. The attacks targeted private and government organizations in France and Vietnam.

Active since at least 2012, BISMUTH was observed running complex cyber-espionage attacks targeting governments, multinational corporations, the education and financial services sectors, and human and civil rights entities.

The group is known for the use of both custom and open-source tools and for leveraging techniques ranging from typical to more advanced, mainly focused on setting up continuous monitoring and espionage and in stealing data of interest.

BISMUTH’s use of coin miners is consistent with its methods of blending in. The attacks involved the use of spear-phishing emails specifically tailored for the target, and the heavy use of DLL side-loading (leveraging copies of legitimate software, such as outdated versions of Microsoft Defender Antivirus, Word 2007, Sysinternals DebugView, and a McAfee on-demand scanner).

“If we learned anything from ‘commodity’ banking Trojans that bring in human-operated ransomware, we know that common malware infections can be indicators of more sophisticated cyberattacks and should be treated with urgency and investigated and resolved comprehensively,” Microsoft notes.

Spear-phishing emails were sent to a single recipient at each target organization. The group would also correspond with some targets before attempting to trick them into opening malicious attachments.

Once it has compromised a network, the adversary performs extensive discovery (this stage could take up to a month) before moving laterally to high-value targets, such as servers. Evasive PowerShell scripts are used to ensure the activity remains undetected, along with KerrDown, an exclusive, custom BISMUTH malware family.

Information the adversary would collect included directory forest, domain organizational unit (OU) data, credentials, and domain trust information. The group would also ping databases and file servers containing high-value information and would drop a Cobalt Strike beacon and set up a scheduled task for persistence.

Targets in Vietnam included organizations such as former state-owned enterprises (SOEs), entities owning significant portions of former SOEs, and organizations that conduct transactions with government agencies in Vietnam.

“Although the group’s specific objectives for these recent attacks cannot be defined with high confidence, BISMUTH’s past activities have included operations in support of broader espionage goals,” Microsoft notes.

Related: Vietnam-Linked Cyberspies Use New macOS Backdoor in Attacks

Related: PhantomLance: Vietnamese Cyberspies Targeted Android Users for Years

Related: Vietnamese Hackers Mount COVID-19 Espionage Campaigns Against China

Written By

Ionut Arghire is an international correspondent for SecurityWeek.

Click to comment

Expert Insights

Related Content


The North Korean APT tracked as TA444 is either moonlighting from its previous primary purpose, expanding its attack repertoire, or is being impersonated by...


FBI says a North Korea-linked threat group known as Lazarus and APT38 is behind the $100 million Horizon bridge cryptocurrency heist.

Malware & Threats

Microsoft plans to improve the protection of Office users by blocking XLL add-ins from the internet.


Websites of German airports, administration bodies and banks were hit by DDoS attacks attributed to Russian hacker group Killnet


Artificial intelligence is competing in another endeavor once limited to humans — creating propaganda and disinformation.


CISA, NSA, and MS-ISAC issued an alert on the malicious use of RMM software to steal money from bank accounts.


The UK’s NCSC has issued a security advisory to warn about spearphishing campaigns conducted by two unrelated Russian and Iranian hacker groups.


Chinese threat actor DragonSpark has been using the SparkRAT open source backdoor in attacks targeting East Asian organizations.