Check Point Forensic Files: Monero CryptoMiner Campaign Adapts APT Techniques (Mar 19, 2019)
A cryptomining campaign has been discovered using Tactics, Techniques, and Procedures (TTPs) similar to those seen in Advanced Persistent Threat (APT) style malicious activity, according to Check Point researchers. This "Monero" cryptocurrency campaign was identified in mid-January 2019 and was observed to use two different pieces of malware in tandem to accomplish its objectives. Similarities to APT TTPs include achieving persistence, moving laterally, and combining different malware, among others. The actors use two variants of a trojan tracked as "Trojan.Win32.Fsysna" and a variant of a Monero cryptominer. As of this writing, it is unclear how the actors first infect a target machine; however, the malware does use the "Mimikatz" credential-stealing tool to move laterally on a network.
Recommendation: Slow response and run time on a device may be an indication of cryptocurrency malware, and installed applications should be reviewed. Ensure that your company's firewall blocks all entry points for unauthorized users, and maintain records of how normal traffic appears on your network so that unusual traffic and connections to and from your network are easier to spot and can be examined for potentially malicious activity.
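The baselining recommendation above, turned into a worked example (added here; not code from Check Point or the report): a per-host record of normal destinations is built from a known-good window of firewall logs, and later connections that fall outside it are flagged. The log format, the sample lines, the list of pool ports commonly used by Monero (stratum) miners, and the SMB fan-out heuristic for the Mimikatz-driven lateral movement are all assumptions for illustration, not indicators from the page.

```python
import re
from collections import defaultdict

# Constructed sample firewall log lines (key=value format is an assumption).
BASELINE_LOGS = """
2019-03-01T09:00:01 src=10.0.0.5 dst=93.184.216.34 dport=443 proto=tcp
2019-03-01T09:00:05 src=10.0.0.5 dst=10.0.0.2 dport=445 proto=tcp
2019-03-01T09:01:10 src=10.0.0.7 dst=93.184.216.34 dport=443 proto=tcp
"""
NEW_LOGS = """
2019-03-15T02:13:01 src=10.0.0.5 dst=93.184.216.34 dport=443 proto=tcp
2019-03-15T02:13:07 src=10.0.0.5 dst=203.0.113.9 dport=3333 proto=tcp
2019-03-15T02:14:20 src=10.0.0.5 dst=10.0.0.8 dport=445 proto=tcp
2019-03-15T02:14:21 src=10.0.0.5 dst=10.0.0.9 dport=445 proto=tcp
"""

LINE_RE = re.compile(r"src=(\S+) dst=(\S+) dport=(\d+)")
# Ports commonly used by Monero mining pools (stratum). Assumed list, not page IoCs.
STRATUM_PORTS = {3333, 4444, 5555, 7777, 14444}


def parse(logs):
    """Yield (src, dst, dport) tuples from the key=value log lines."""
    for m in LINE_RE.finditer(logs):
        yield m.group(1), m.group(2), int(m.group(3))


def build_baseline(logs):
    """Per-source set of (dst, dport) pairs seen during the known-good window."""
    baseline = defaultdict(set)
    for src, dst, dport in parse(logs):
        baseline[src].add((dst, dport))
    return dict(baseline)


def find_anomalies(baseline, logs):
    """Return (src, dst, dport, reason) alerts for connections outside the baseline."""
    alerts = []
    smb_fanout = defaultdict(set)  # new SMB (445) peers per source: lateral-movement hint
    for src, dst, dport in parse(logs):
        if (dst, dport) in baseline.get(src, set()):
            continue  # seen before: part of this host's normal traffic
        if dport in STRATUM_PORTS:
            alerts.append((src, dst, dport, "new outbound connection on stratum port"))
        elif dport == 445:
            smb_fanout[src].add(dst)
        else:
            alerts.append((src, dst, dport, "new destination"))
    for src, peers in smb_fanout.items():
        if len(peers) >= 2:  # one new file server is routine; several at once is not
            alerts.append((src, None, 445, f"new SMB connections to {len(peers)} hosts"))
    return alerts
```

Running `find_anomalies(build_baseline(BASELINE_LOGS), NEW_LOGS)` on the constructed data yields two alerts: a first-seen connection to a stratum port and a burst of new SMB peers from the same host, each of which is a reason to inspect that machine's installed applications.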
Indicators of Compromise (IOCs) associated with this story can be viewed by ThreatStream users here to identify potential malicious activity.