A hybrid Monero Miner cryptocurrency ransominer has infected more than 20,000 devices in two months, Kaspersky warned in a report on Wednesday.
In a ransomining attack, threat actors take over the device’s computing power to mine cryptocurrency and also encrypt the data to demand a ransom.
In the most recent ransomining attacks, the criminals use open-source XMRig ransominer as the malware base, Kaspersky said.
The malware disguises itself as an “AdShield Pro” Windows application. On the surface, it looks and acts like a Windows version of the legitimate AdShield mobile ad blocker.
“After the user starts the program, it changes the DNS settings on the device so that all domains are resolved through the attackers’ servers, which, in turn, prevents users from accessing certain antivirus sites, such as Malwarebytes.com,” Kaspersky researchers said. “After substituting the DNS servers, the malware starts updating itself by running update.exe.”
With the help of the updater, the attackers can also download and deploy a modified Transmission torrent client. This client sends the ID of the targeted computer to the command-and-control server (C2), and then proceeds to download the cryptominer application itself, Kaspersky researchers explained.
To make it harder for Windows and antiviruses to detect the malware, parts of the files are encrypted.
“The modified Transmission client runs flock.exe, which first of all calculates the hash of the parameters of the infected computer and the data from the data.pak file, and then compares it with the hash from the lic.data file,” the report further explained. “This is necessary because the C2 generates a unique set of files for each machine so as to hinder static detection and prevent the miner from running and being analyzed in various virtual environments.”
If the hashes match, the payload is decrypted and installed.
The miner creates a servicecheck_XX task in Windows Task Scheduler to ensure continuous operation, the researchers explain, adding that “the task runs flock.exe with the argument ‘minimize.’”
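As an added example (not code from the article or from Kaspersky), the following PowerShell triage script checks a Windows host for the two artifacts described above: a Task Scheduler entry named servicecheck_XX that runs flock.exe with the argument “minimize,” and DNS client settings pointing at resolvers outside an allow-list. The resolver allow-list is an assumption and should be replaced with the organization's own DNS servers.

```powershell
# Resolvers an endpoint is expected to use. These addresses are assumed placeholders;
# replace them with the resolvers your environment actually hands out.
$ApprovedResolvers = @('10.0.0.53', '10.0.0.54')

function Find-SuspiciousScheduledTasks {
    # The report describes persistence as a task named servicecheck_XX that
    # launches flock.exe with the argument "minimize". Match on either clue so a
    # renamed binary or a renamed task still surfaces.
    Get-ScheduledTask | Where-Object { $_.TaskName -like 'servicecheck_*' } |
        ForEach-Object {
            $task = $_
            foreach ($action in $task.Actions) {
                $exe    = [string]$action.Execute
                $argStr = [string]$action.Arguments
                if ($exe -match 'flock\.exe$' -or $argStr -match '\bminimize\b') {
                    [pscustomobject]@{
                        TaskName  = $task.TaskName
                        TaskPath  = $task.TaskPath
                        State     = $task.State
                        Execute   = $exe
                        Arguments = $argStr
                    }
                }
            }
        }
}

function Find-UnexpectedDnsServers {
    # The malware rewrites the DNS servers so that every lookup goes through the
    # attackers' resolvers. Report any interface whose servers are not on the allow-list.
    Get-DnsClientServerAddress -AddressFamily IPv4 |
        Where-Object { $_.ServerAddresses.Count -gt 0 } |
        ForEach-Object {
            $unexpected = @($_.ServerAddresses | Where-Object { $ApprovedResolvers -notcontains $_ })
            if ($unexpected.Count -gt 0) {
                [pscustomobject]@{
                    InterfaceAlias = $_.InterfaceAlias
                    UnexpectedDns  = ($unexpected -join ', ')
                }
            }
        }
}

# Run both checks; an empty table for each means neither artifact was found.
Find-SuspiciousScheduledTasks | Format-Table -AutoSize
Find-UnexpectedDnsServers     | Format-Table -AutoSize
```

A hit on the scheduled-task check is a strong indicator on its own; a hit on the DNS check is only a lead, since VPN clients and some management agents legitimately set per-interface resolvers.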
Kaspersky says the attacks are likely part of an earlier Monero Miner campaign first detected by Avast in August.
They believe users in Russia and the Commonwealth of Independent States (CIS) will be its prime targets.
According to Kaspersky, the miner can be removed by reinstalling the legitimate application that it mimics and performing additional cleanups.