A known type of cryptojacking malware known as Smominru has been altered in a cryptomining campaign to start hijacking victims’ devices not to just mine Monero (XMR), but also to steal access data.
According to ZDNet, researchers from Carbon Black’s Threat Analysis Unit (TAU) noticed the cryptojacking malware stopped merely ‘enslaving’ devices to form a XMR mining botnet, and started to steal access data as well.
Per ZDNet most cryptojacking campaigns usually follow a similar pattern: the attackers infiltrate a system through a vulnerability or by brute-forcing weak credentials, to use the system’s CPU power to mine cryptocurrency, which is then sent to a wallet they control.
The Smominru cryptojacking malware has now, however, been upgraded to steal system data in what researchers are calling “access mining,” meaning a data harvesting module is being introduced to the cryptocurrency mining code to steal access credentials and other information.
The attackers, the news outlet adds, are using a modified version of XMRig to mine Monero, while deploying commercially-available malware and modified open-source code to steal data from the victims.
This way cybercriminals are able to sell Monero on cryptocurrency exchanges, as well as compromised server data in “access marketplaces,” for as low as $6.75. TAU wrote in its report:
Now, instead of relying solely on revenue from Monero mining, they have supplemented that revenue with the sale of remote system access at scale.
The botnet, researchers note, has been active for at least two years and spreads using an exploit that was also used during the global WannaCry ransomware campaign. Most victims are located in the Asia Pacific region, and while it hasn’t yet been confirmed are likely seeing access to their systems be sold on the dark web.