Hackers Using Publicly Available Ransomware To Attack the Entire Network By Gaining RDP Access

The cybersecurity firm Kaspersky has noted that threat actors are increasingly finding new ways to monetise ransomware. In the campaign described here, the attackers gained remote desktop protocol (RDP) access to victims' computers, ran publicly available ransomware across the network, and mined Monero with the XMRig miner.

Researchers observed a Trojan making unusual attempts to compromise users' computers: it was run in order to open remote desktop protocol (RDP) access on the victims' machines.

The attackers do not appear to be an organised group; they used publicly available ransomware and targeted ordinary users rather than the corporate sector.

The attackers used an unusual technique to extract more profit from each infected system. A program run with administrator privileges added a new user account and enabled RDP access to the computer.

Once this was done, the ransomware Trojan-Ransom.Win32.Crusis was started on the same machine, followed by the loader of the XMRig miner, which then set about mining Monero cryptocurrency.
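The account-creation and RDP-enabling step described above leaves a recognisable trail in Windows event logs. The following is an added detection example, not code from this page or from Kaspersky's report: it correlates, per host, a local account creation (Security event 4720) with the same account being added to Remote Desktop Users (event 4732, group SID S-1-5-32-555) or RDP being switched on through the fDenyTSConnections registry value (Sysmon event 13) within a short window, and lists any later RemoteInteractive logons (event 4624, logon type 10) by that account. The sample events are constructed and their field names are simplified assumptions rather than a real log export.

```python
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample events. Field names are simplified assumptions loosely
# modelled on Windows Security / Sysmon data, not a real log export.
SAMPLE_EVENTS = [
    {"ts": "2020-08-12T10:01:05", "host": "WS01", "event_id": 4720,
     "subject": "WS01\\victim", "target": "WS01\\support1"},
    {"ts": "2020-08-12T10:01:07", "host": "WS01", "event_id": 4732,
     "subject": "WS01\\victim", "member": "WS01\\support1", "group_sid": "S-1-5-32-555"},
    {"ts": "2020-08-12T10:01:09", "host": "WS01", "event_id": 13,
     "image": "C:\\Windows\\System32\\reg.exe",
     "target_object": "HKLM\\SYSTEM\\CurrentControlSet\\Control\\Terminal Server\\fDenyTSConnections",
     "details": "DWORD (0x00000000)"},
    {"ts": "2020-08-12T10:40:00", "host": "WS01", "event_id": 4624,
     "target": "WS01\\support1", "logon_type": 10, "source_ip": "203.0.113.7"},
    # Benign admin activity on another host: account created, never given RDP.
    {"ts": "2020-08-12T11:00:00", "host": "WS02", "event_id": 4720,
     "subject": "WS02\\admin", "target": "WS02\\svc_backup"},
]

RDP_USERS_SID = "S-1-5-32-555"      # BUILTIN\Remote Desktop Users
RDP_REG_VALUE = "fDenyTSConnections"  # 0 = RDP connections allowed
WINDOW = timedelta(minutes=10)


def _ts(event):
    return datetime.fromisoformat(event["ts"])


def detect_rdp_backdoor(events, window=WINDOW):
    """Return one finding per (host, new account) where an account is created and,
    within `window`, is added to Remote Desktop Users and/or RDP is enabled."""
    by_host = defaultdict(list)
    for e in events:
        by_host[e["host"]].append(e)

    findings = []
    for host, evs in by_host.items():
        evs.sort(key=_ts)
        for created in evs:
            if created["event_id"] != 4720:
                continue
            t0, new_user = _ts(created), created["target"]
            later = [x for x in evs if t0 <= _ts(x) <= t0 + window]

            added_to_rdp = any(
                x["event_id"] == 4732
                and x.get("group_sid") == RDP_USERS_SID
                and x.get("member") == new_user
                for x in later)
            rdp_enabled = any(
                x["event_id"] == 13
                and x.get("target_object", "").endswith(RDP_REG_VALUE)
                and "0x00000000" in x.get("details", "")
                for x in later)
            # Later RDP logons by the new account, regardless of window.
            rdp_logons = [
                x["source_ip"] for x in evs
                if x["event_id"] == 4624 and x.get("logon_type") == 10
                and x.get("target") == new_user]

            if added_to_rdp or rdp_enabled:
                findings.append({
                    "host": host,
                    "new_user": new_user,
                    "created_by": created["subject"],
                    "added_to_rdp_group": added_to_rdp,
                    "rdp_enabled": rdp_enabled,
                    "rdp_logons_from": rdp_logons,
                })
    return findings


if __name__ == "__main__":
    for finding in detect_rdp_backdoor(SAMPLE_EVENTS):
        print(finding)
```

Both of the assumed indicators (group membership change and registry flip) are checked independently, since an attacker may use either "net localgroup" or the registry route; an account created by an interactive user rather than an admin tool, as in the sample, is exactly the pattern the report describes.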

“It emerged that in August 2020 there were more than 5,000 attempts to install it on users’ computers. The parties responsible for its distribution turned out to be the Prometei malware family and a new family called Cliptomaner,” Kaspersky said.

As a result, the computer starts earning money for the attacker while the user sees only the ransom note. The attacker can also use the RDP access to explore the victim's network and spread the ransomware to other systems.

Cliptomaner miner

Cliptomaner is a detection name used by Microsoft Security Essentials, Windows Defender and other anti-virus products for a file that exhibits trojan-like functionality; the malware itself uses XMRig to mine Monero.

Cliptomaner is built to mine cryptocurrency, but it also acts as a clipper: it replaces cryptocurrency wallet addresses found in the operating system's clipboard with the attackers' own addresses, so a payment the victim pastes goes to the attackers.
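To make the clipboard-substitution behaviour concrete, here is an added example in Python that is not code from the page or from the Cliptomaner sample. It models the clipper on one side (recognise an address in the clipboard, swap it for the attacker's wallet on the same chain) and a defender-side check on the other (compare what the user copied with what the clipboard now holds and flag a swapped address, noting whether it is one of the wallets listed in this report's IoC section). The address patterns are syntactic shapes only, assumed here and without checksum validation, and the victim addresses are constructed, not real wallets.

```python
import re

# Wallets listed in the report's IoC section (the addresses a clipper pastes in).
ATTACKER_WALLETS = {
    "BTC": "33yPjjSMGHPp8zj1ZXySNJzSUfVSbpXEuL",
    "LTC": "LPor3PrQHcQv4obYKEZpnbqQEr8LMZoUuX",
    "ETH": "0x795957d9753e854b62C64cF880Ae22c8Ab14991b",
    "ZEC": "t1ZbJBqHQyytNYtCpDWFQzqPQ5xKftePPt8",
    "DOGE": "DEUjj7mi5N67b6LYZPApyoV8Ek8hdNL1Vy",
}

# Assumed syntactic address shapes only; no checksum validation is performed.
# Base58 omits 0, O, I and l; bech32 omits 1, b, i and o.
B58 = r"[1-9A-HJ-NP-Za-km-z]"
BECH32 = r"[02-9ac-hj-np-z]"
ADDRESS_PATTERNS = {
    "BTC": re.compile(rf"^(?:[13]{B58}{{25,34}}|bc1{BECH32}{{11,71}})$"),
    "LTC": re.compile(rf"^(?:[LM]{B58}{{26,33}}|ltc1{BECH32}{{11,71}})$"),
    "ETH": re.compile(r"^0x[0-9a-fA-F]{40}$"),
    "ZEC": re.compile(rf"^t[13]{B58}{{33}}$"),
    "DOGE": re.compile(rf"^D{B58}{{33}}$"),
}


def classify_address(text):
    """Return the chain ticker a string looks like an address for, or None."""
    s = text.strip()
    for chain, pattern in ADDRESS_PATTERNS.items():
        if pattern.match(s):
            return chain
    return None


def clipper_substitute(clipboard_text, wallets=ATTACKER_WALLETS):
    """Model of the clipper: if the clipboard holds a recognised address,
    replace it with the attacker's wallet for the same chain."""
    chain = classify_address(clipboard_text)
    if chain in wallets:
        return wallets[chain]
    return clipboard_text


def detect_substitution(copied, clipboard_now, known_bad=ATTACKER_WALLETS):
    """Defender-side check: compare what the user copied with what the clipboard
    now holds. Returns a finding dict when an address was swapped, else None."""
    copied, clipboard_now = copied.strip(), clipboard_now.strip()
    if copied == clipboard_now:
        return None
    chain = classify_address(clipboard_now)
    if chain is None:
        return None  # clipboard changed, but not to a wallet address
    return {
        "chain": chain,
        "expected": copied,
        "found": clipboard_now,
        "known_attacker_wallet": clipboard_now in known_bad.values(),
    }


# Constructed victim addresses: syntactically valid shapes, not real wallets.
VICTIM_BTC = "1AbCdEfGhJkMnPqRsTuVwXyZ23456789ab"
VICTIM_ETH = "0xabcdef0123456789abcdef0123456789abcdef01"

if __name__ == "__main__":
    for original in (VICTIM_BTC, VICTIM_ETH, "just some text"):
        after = clipper_substitute(original)
        print(original, "->", after, detect_substitution(original, after))
```

The defender check works only if the copied value is captured independently of the clipboard (for example by hooking the copy action itself); reading the clipboard twice would just return the already-substituted value.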

According to Kaspersky's report, Cliptomaner was first detected in September 2020. The miner version it installs is selected according to the computer's configuration and downloaded from the C&C server. Beyond these techniques, the notable feature is that Cliptomaner is written entirely in the AutoIt scripting language.

Prometei backdoor

Prometei is a modular backdoor generally used in targeted attacks against Windows Server systems. It has been active since 2016 and is written in C++ and .NET.

The Prometei backdoor enrols devices into a botnet that is later used to mine various cryptocurrencies, including Bitcoin and Monero. Kaspersky researchers first detected Prometei together with XMRig in February 2020.

This time the backdoor was distributed in an unusual way: in typical attacks the cybercriminals gain server access through various exploits, whereas in this campaign the backdoor was also delivered by means of brute-force attacks.

According to Kaspersky's report, there were over 5,000 attempts to install XMRig on users' computers in August 2020, so users should apply protective measures. Miner developers, for their part, have had to refine their creations, often resorting to non-trivial techniques.

Indicators of compromise (IoC)

Domains

taskhostw[.]com
svchost[.]xyz
sihost[.]xyz
srhost[.]xyz
2fsdfsdgvsdvzxcwwef-defender[.]xyz

Cryptowallets used for substitution

LTC: LPor3PrQHcQv4obYKEZpnbqQEr8LMZoUuX
BTC: 33yPjjSMGHPp8zj1ZXySNJzSUfVSbpXEuL
ETH: 0x795957d9753e854b62C64cF880Ae22c8Ab14991b
ZEC: t1ZbJBqHQyytNYtCpDWFQzqPQ5xKftePPt8
DOGE: DEUjj7mi5N67b6LYZPApyoV8Ek8hdNL1Vy

MD5

1273d0062a9c0a87e2b53e841b261976
16b9c67bc36957062c17c0eff03b48f3
d202d4a3f832a08cb8122d0154712dd1
6ca170ece252721ed6cc3cfa3302d6f0
1357b42546dc1d202aa9712f7b29aa0d
78f5094fa66a9aa4dc10470d5c3e3155

Balaji N
BALAJI is an Ex-Security Researcher (Threat Research Labs) at Comodo Cybersecurity. Editor-in-Chief & Co-Founder - Cyber Security News & GBHackers On Security.