Carbon Black, the cloud-native endpoint protection specialist, has issued a threat report outlining how a well-known cryptomining campaign has been enhanced to steal system access information for possible sale on The Dark Web. Dubbed ‘Access Mining’ by Carbon Black researchers, this particular attack stands to affect more than 500,000 computers around the world. The methods used could pave the way for more dangerous and far-reaching attacks as threats considered lower priority can open the door for more advanced and targeted attacks, the gains from which can be sold to the highest bidder.
The discovery was made after the Carbon Black ThreatSight team alerted Carbon Black’s Threat Analysis Unit about unusual behaviour seen across a handful of endpoints. The ensuing investigation revealed sophisticated, multi-stage malware that was sending detailed system metadata to a network of hijacked web servers, presumably for the purposes of re-sale on one (or many) remote access marketplaces across The Dark Web.
Carbon Black Threat Analysis Unit researchers Greg Foss and Marina Liang have presented their research in a report entitled ‘Access Mining: How a Prominent Cryptomining Botnet is Paving the Way for a Lucrative and Illicit Revenue Model’. The duo presented their informative research results live at the Black Hat USA 2019 Conference in Las Vegas on Thursday 8 August.
“Access Mining is a tactic whereby an attacker leverages the footprint and distribution of commodity malware, in this case a cryptominer, using it to mask a hidden agenda of selling system access to targeted machines on The Dark Web,” explained Foss and Liang. “This discovery indicates a bigger trend of commodity malware evolving to mask a darker purpose and will likely catalyse a change in the way cyber security professionals classify, investigate and protect themselves from threats.”
As stated, at least 500,000 machines have been affected, with the victims predominantly located in the Asia Pacific region, Russia and Eastern Europe.
Threat actors are increasingly using re-purposed tools, modified exploits and stolen infrastructure. In previous campaigns, this threat actor used a modified version of XMRig to perform Monero mining. In addition to the modified XMRig, the Carbon Black research showed that the group now uses readily available malware and open source tooling, such as Mimikatz and EternalBlue, modified so that the operators can pivot from infected systems and expand the campaign’s reach.
This investigation highlights an unexpected link between the Smominru cryptomining campaign and the MyKings botnet, which is outlined in the full report.
Modified versions of Cacls, XMRig and EternalBlue were used in this campaign. Obtaining the bulk of the code via open source sites like GitHub likely sped up the innovation to Access Mining, the researchers found.
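The article names the pieces a defender can look for together on one host: a miner process, credential tooling such as Mimikatz, permission changes made with cacls, and outbound posts carrying system metadata. The correlator below is an added example written for this page, not code from the Carbon Black report; the telemetry lines, the field names, the `203.0.113.10` address and the `body_keys=` format are all constructed, and the indicator patterns are generic heuristics rather than indicators from the report. The point it shows is that none of the four behaviours is conclusive alone (host-c runs a miner but nothing else), while their combination on a single host is what distinguishes Access Mining from plain cryptojacking.

```python
import re
from collections import defaultdict

# Constructed sample telemetry for this example; not real indicators.
# Format: host|event_type|detail
SAMPLE_TELEMETRY = """\
host-a|process|C:\\Users\\Public\\svchost.exe -o stratum+tcp://pool.example:3333 --donate-level=0
host-a|process|C:\\Windows\\System32\\cacls.exe C:\\Windows\\Temp\\x /e /p everyone:f
host-a|process|C:\\Windows\\Temp\\mk.exe mimikatz privilege::debug
host-a|network|POST http://203.0.113.10/i.php body_keys=hostname,os,cpu,ram,ip,domain
host-b|process|C:\\Program Files\\App\\app.exe --serve
host-b|network|GET https://updates.example.com/manifest.json
host-c|process|C:\\tools\\xmrig.exe -o pool.example:443 -k
host-c|network|POST http://203.0.113.10/i.php body_keys=hostname
"""

# Generic heuristics (assumed for this example): miner command lines,
# cacls runs that replace permissions (/p), and Mimikatz-named tooling.
MINER_RE = re.compile(r"xmrig|stratum\+tcp://|--donate-level", re.I)
ACL_RE = re.compile(r"\bcacls(\.exe)?\b.*\s/p\s", re.I)
CRED_RE = re.compile(r"mimikatz", re.I)
POST_KEYS_RE = re.compile(r"^POST\s.*body_keys=([\w,]+)")

# Fields whose bulk export looks like the "detailed system metadata"
# the article describes; three or more in one POST is treated as suspicious.
METADATA_FIELDS = {"hostname", "os", "cpu", "ram", "ip", "domain"}
MIN_METADATA_FIELDS = 3

# A host is flagged when this many distinct behaviour categories co-occur.
FLAG_THRESHOLD = 3


def classify_event(event_type, detail):
    """Map one telemetry event to the behaviour categories it exhibits."""
    categories = set()
    if event_type == "process":
        if MINER_RE.search(detail):
            categories.add("miner")
        if ACL_RE.search(detail):
            categories.add("acl_change")
        if CRED_RE.search(detail):
            categories.add("cred_tooling")
    elif event_type == "network":
        match = POST_KEYS_RE.search(detail)
        if match:
            posted = set(match.group(1).split(","))
            if len(posted & METADATA_FIELDS) >= MIN_METADATA_FIELDS:
                categories.add("metadata_post")
    return categories


def correlate(telemetry_text):
    """Return {host: set of behaviour categories seen on that host}."""
    per_host = defaultdict(set)
    for line in telemetry_text.splitlines():
        if not line.strip():
            continue
        host, event_type, detail = line.split("|", 2)
        per_host[host] |= classify_event(event_type, detail)
    return dict(per_host)


def flagged_hosts(telemetry_text, threshold=FLAG_THRESHOLD):
    """Hosts where enough distinct categories co-occur to warrant triage."""
    return sorted(
        host
        for host, categories in correlate(telemetry_text).items()
        if len(categories) >= threshold
    )


if __name__ == "__main__":
    for host, categories in sorted(correlate(SAMPLE_TELEMETRY).items()):
        print(f"{host}: {sorted(categories)}")
    print("flagged:", flagged_hosts(SAMPLE_TELEMETRY))
```

Tuning the threshold is the design decision here: at 1 the rule degrades into a cryptominer alert that would be closed as low priority, which is exactly the blind spot the report describes; at 3 the miner-only host is still reported for cleanup but the host that also shows credential tooling, ACL tampering and a metadata post is the one escalated as a possible access-for-sale compromise.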
The business model for Access Mining typically combines a profit stream from cryptomining with a profit stream from selling system access. Both can be highly lucrative if conducted at scale; by some estimates based on the latest discoveries, profit can be as much as $1.6 million annually.
“This discovery demonstrates how virtually any company could be leveraged in a targeted attack, even if that company lacks a worldwide brand, known Intellectual Property assets or a Fortune 1000 listing,” explained Foss and Liang. “Access Mining represents a scalable and economical approach for an adversary to find valuable targets.”