Talos: a new criminal malware mining campaign targeting Bitvote has affected India, Indonesia, Vietnam and several other countries
A new criminal malware mining campaign has affected India, Indonesia, Vietnam and several other countries. The common point is that all of the infections were tied to Bitvote, the new cryptocurrency launched in January. The campaign was discovered by Talos cybersecurity experts. The operation probably aimed to profit from the early period of this new digital currency, targeting the fork. To reach that goal, the malicious hackers used a kernel-mode driver to manage command and control (C2) infrastructure, configuration management, download and execute functionality, as well as payload protection. “It is quite uncommon to implement this functionality in kernel – Talos reported on its blog – apart from the payload protection, and points to a moderate to high level of technical knowledge” behind the cyber-attack. The cryptomining campaign was active in February and March, and so far it has brought limited returns for the attackers.
What cybersecurity experts discovered and predicted
Talos cybersecurity experts noted that “besides well-established cryptocurrencies such as Monero, malicious actors are also becoming early adopters of newly created cryptocurrencies. Bitvote is just one of these, created as a bitcoin fork and launched on Jan. 20. The attackers created trojanized calculator applications with an intention to create a large pool of infected machines to mine Bitvote”. That is not all. This cryptomining campaign “is notable for using a kernel mode driver deployed in order to provide the complete infrastructure for the final payload, ranging from downloading the payload, reloading the malware configuration, as well as hiding and protecting the malicious modules from detection and removal”. It is “quite an unusual method for everyday malware campaigns, and requires at least a moderate technical knowledge”. Talos concluded that “we can expect attackers to continue this trend in the future as more cryptocurrencies opt to allow mining with commodity desktop CPUs”.