Carbon Black’s (CB) Threat Analysis Unit (TAU) has uncovered a secondary component in a well-known cryptomining campaign. The malware has been enhanced to also steal system access information for possible sale on the dark web. Combined, this attack is being classified as “Access Mining.”
This discovery indicates a bigger trend of commodity malware evolving to mask a darker purpose and will force a change in the way cybersecurity professionals classify, investigate and protect themselves from threats.
The discovery was made after the CB ThreatSight™ team alerted Carbon Black’s TAU about unusual behavior seen across a handful of endpoints. The ensuing investigation revealed sophisticated, multi-stage malware that was sending detailed system metadata to a network of hijacked web servers, presumably for the purposes of resale on one (or many) remote access marketplaces across the dark web.
Access Mining is a tactic where an attacker leverages the footprint and distribution of commodity malware, in this case a cryptominer, using it to mask a hidden agenda of selling system access to targeted machines on the dark web.
Among the report’s key findings:
At least 500,000 machines affected
Victims have been predominantly located in Asia Pacific, Russia and Eastern Europe
Threat actors are increasingly using repurposed tools, modified exploits and stolen infrastructure
In previous campaigns, this threat actor used a modified version of XMRig to perform Monero mining. In addition to the modified XMRig, our research showed that the group now uses readily available malware and open source tooling, such as Mimikatz and EternalBlue, which have been modified to pivot from infected systems and expand the campaign’s reach.
Newly uncovered link between Smominru and MyKings
This investigation highlights an unexpected link between the Smominru cryptomining campaign and the MyKings botnet, which is outlined in the full report.
Rapid evolution thanks to open source exploits
Modified versions of Cacls, XMRig and EternalBlue were used in this campaign. Obtaining the bulk of the code via open source sites like GitHub likely sped up the innovation to Access Mining, the researchers found.
Combining commodity malware with access-for-sale is lucrative at scale
The business model for Access Mining typically combines a profit stream from cryptomining with a profit stream from selling system access. Both can be highly lucrative if done at scale (by some estimates based on the latest discoveries, profit can be as much as $1.6 million annually).
“This discovery demonstrates how virtually any company could be leveraged in a targeted attack—even if that company lacks a worldwide brand, known intellectual property assets, or a Fortune 1000 listing,” the researchers said. “Access Mining represents a scalable and economical approach for an adversary to find valuable targets.”