Monero Cryptocurrency Miner Uses 17-year Old Open Source Tool (Jul 19, 2019)
Analysts at Trend Micro have detected a threat infecting devices with both a Monero cryptocurrency miner and a Perl-based internet relay chat (IRC) backdoor. The threat propagates by scanning for open ports and brute forcing weak credentials, then sends a command that downloads the backdoor, called “Shellbot,” and the miner. The miner process is hidden using “XHide Process Faker,” a 17-year-old open-source tool used to fake the name of a process. Despite these techniques and tools having been known and available for some time, the combination of these routines can still be effective if the targeted systems have weak or default usernames and passwords that can be brute forced.
Recommendation: Any device that connects to the internet must be treated as a security liability, and default usernames and passwords must be disabled. Organizations and defenders should be aware of all their internet-facing assets and keep them under strict monitoring. Additionally, one of the best ways to secure cryptocurrencies against theft is to use a hardware wallet, a type of cryptocurrency wallet that stores the owner’s private keys on a dedicated hardware device designed to resist compromise.
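A process-name faker of the kind described above rewrites what a process reports about itself (its argv, visible in /proc/<pid>/cmdline) but cannot change which file the kernel actually mapped as the program (/proc/<pid>/exe) or the name the kernel assigned at exec time (/proc/<pid>/comm). The following added example, which is not part of the original report or of any vendor tooling, implements that cross-check as a host audit for the "strict monitoring" recommended here: it flags processes whose argv[0] disagrees with the executable, whose binary was unlinked after launch, or whose executable lives in a temporary directory. The allowlist of daemons that legitimately rewrite argv[0], the list of suspicious directories and the sample process records are all assumptions constructed for the example.

```python
"""Flag processes whose visible name disagrees with the executable behind it (Linux)."""
import os
from dataclasses import dataclass

# Daemons that legitimately rewrite argv[0] (assumption: tune this for your own fleet).
ARGV_REWRITERS = {"sshd", "postgres", "nginx", "php-fpm"}
# Directories a long-running service binary has no business running from (assumption).
SUSPICIOUS_DIRS = ("/tmp/", "/var/tmp/", "/dev/shm/")


@dataclass
class ProcRecord:
    pid: int
    comm: str      # /proc/<pid>/comm: set by the kernel from the exec'd file name
    cmdline: str   # /proc/<pid>/cmdline, NUL-separated argv: writable by the process itself
    exe: str       # readlink(/proc/<pid>/exe): the file actually mapped as the program


def _norm(name: str) -> str:
    # "-bash" (login shell) and full paths both reduce to a bare program name
    return os.path.basename(name.lstrip("-"))


def _names_agree(a: str, b: str) -> bool:
    # comm is truncated to 15 bytes and interpreters show "python3" vs "python3.11",
    # so accept either name being a prefix of the other
    return bool(a) and bool(b) and (a.startswith(b) or b.startswith(a))


def check_record(rec: ProcRecord) -> list:
    """Return the reasons this process looks disguised; an empty list means it passed."""
    if not rec.cmdline or not rec.exe:
        return []  # kernel threads and zombies: nothing to compare against
    reasons = []
    argv0 = _norm(rec.cmdline.split("\0")[0])
    exe_path = rec.exe
    if exe_path.endswith(" (deleted)"):
        reasons.append("binary unlinked after start")
        exe_path = exe_path[: -len(" (deleted)")]
    exe_name = _norm(exe_path)
    if exe_name not in ARGV_REWRITERS:
        if not _names_agree(argv0, exe_name):
            reasons.append(f"argv[0] {argv0!r} != exe {exe_name!r}")
        if not _names_agree(rec.comm, exe_name):
            reasons.append(f"comm {rec.comm!r} != exe {exe_name!r}")
    if exe_path.startswith(SUSPICIOUS_DIRS):
        reasons.append(f"executable in {os.path.dirname(exe_path)}")
    return reasons


def audit(records) -> dict:
    """Map pid -> reasons for every record that fails the cross-check."""
    findings = {}
    for rec in records:
        reasons = check_record(rec)
        if reasons:
            findings[rec.pid] = reasons
    return findings


def read_proc(pid: int) -> ProcRecord:
    """Build a ProcRecord from the live /proc entry of one process."""
    base = f"/proc/{pid}"
    with open(f"{base}/comm") as f:
        comm = f.read().rstrip("\n")
    with open(f"{base}/cmdline", "rb") as f:
        cmdline = f.read().rstrip(b"\0").decode(errors="replace")
    try:
        exe = os.readlink(f"{base}/exe")
    except OSError:
        exe = ""  # kernel thread, or a process we are not permitted to inspect
    return ProcRecord(pid, comm, cmdline, exe)


def scan_live_system() -> dict:
    """Walk /proc and audit every process we can read (best run as root)."""
    records = []
    for entry in os.listdir("/proc"):
        if entry.isdigit():
            try:
                records.append(read_proc(int(entry)))
            except OSError:
                continue  # the process exited between listing and reading
    return audit(records)


# Constructed records standing in for a live /proc walk; not captured from a real host.
# The last one mimics a miner started under a fake "sshd" name from a temp directory.
SAMPLE_PROCS = [
    ProcRecord(900, "sshd", "sshd: alice@pts/0", "/usr/sbin/sshd"),
    ProcRecord(1200, "bash", "-bash", "/usr/bin/bash"),
    ProcRecord(1300, "python3", "python3\0app.py", "/usr/bin/python3.11"),
    ProcRecord(4242, "miner", "/usr/sbin/sshd\0-D", "/tmp/.cache/miner (deleted)"),
]

if __name__ == "__main__":
    for pid, reasons in audit(SAMPLE_PROCS).items():
        print(pid, "; ".join(reasons))
```

Run against the constructed records, only pid 4242 is reported, for three independent reasons; the login shell, the interpreter and the allowlisted sshd session pass. On a real host call scan_live_system() instead, ideally from a scheduled job whose output is shipped off the box, since a process that has already disguised its name is unlikely to leave local logs alone.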
Indicators of Compromise (IOCs) associated with this story can be viewed by ThreatStream users here to identify potential malicious activity.