
VenusLocker ransomware extortionists switch m.o., pursue Monero cryptomining


A threat group that was responsible for extorting victims with ransomware known as VenusLocker last year has now shifted its attention to cryptocurrency mining, according to new research.

In a Dec. 20 blog post, Fortinet's FortiGuard Labs division reports that the attackers are actively mining Monero by using the miner XMRig v2.4.2 to leverage the computing power of infected machines in South Korea.

Victims are infected via phishing emails that trick them into opening a malicious attachment compressed in the EGG archive format. One such email purports to be from a garment merchant, warning recipients that their information was leaked in a breach, while another claims that the recipient's website is liable for images that were used without the owner's consent, Fortinet reports.

“As a basic attempt to hide this resource hogging operation, the miner is executed as a remote thread under the legitimate Windows component wuapp.exe, which is executed beforehand to avoid raising suspicions,” states blog post author and threat researcher Joie Salvio. Even if the miner is discovered and terminated, the parent process maintains persistence by immediately relaunching it, so the parent process itself must be terminated, Fortinet explains.
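The two behaviours Fortinet describes, a watchdog parent that relaunches its child as soon as it dies and a legitimate Windows binary (wuapp.exe) started from an unexpected parent so that code can be injected into it, both leave a trace in ordinary process-creation telemetry. The following detector is an added example written for this page; it is not code from Fortinet or from the article. The Sysmon-style events, the process names and paths, the respawn window, and the "parent must live under C:\Windows" heuristic are all constructed assumptions for illustration, and real telemetry would need tuning of each.

```python
"""Flag watchdog-style process respawns and wuapp.exe launched by an untrusted parent.

Added example; the events below are constructed, not real telemetry.
"""
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed Sysmon-like events: (timestamp, kind, pid, ppid, image path).
# kind is "create" (process creation) or "terminate" (process exit).
SAMPLE_EVENTS = [
    ("2017-12-20T10:00:00", "create", 4100, 4000, r"C:\Users\victim\AppData\Roaming\update.exe"),
    ("2017-12-20T10:00:01", "create", 4120, 4100, r"C:\Windows\System32\wuapp.exe"),
    ("2017-12-20T10:05:00", "terminate", 4120, 4100, r"C:\Windows\System32\wuapp.exe"),
    ("2017-12-20T10:05:00", "create", 4150, 4100, r"C:\Windows\System32\wuapp.exe"),
    ("2017-12-20T10:07:30", "terminate", 4150, 4100, r"C:\Windows\System32\wuapp.exe"),
    ("2017-12-20T10:07:31", "create", 4160, 4100, r"C:\Windows\System32\wuapp.exe"),
    # Benign noise: a user opening and closing Notepad once.
    ("2017-12-20T10:08:00", "create", 5000, 1200, r"C:\Windows\System32\notepad.exe"),
    ("2017-12-20T10:09:00", "terminate", 5000, 1200, r"C:\Windows\System32\notepad.exe"),
]


def parse_ts(value):
    return datetime.strptime(value, "%Y-%m-%dT%H:%M:%S")


def find_respawns(events, window_seconds=5):
    """Count, per (parent pid, child image), how often the parent re-created the
    same image within window_seconds of that image's previous termination.
    A watchdog that relaunches its miner the moment it is killed shows up here."""
    last_termination = {}          # (ppid, image) -> time of most recent exit
    respawns = defaultdict(int)
    # Stable sort keeps "terminate" before "create" when timestamps are equal.
    for ts_str, kind, _pid, ppid, image in sorted(events, key=lambda e: e[0]):
        ts = parse_ts(ts_str)
        key = (ppid, image.lower())
        if kind == "terminate":
            last_termination[key] = ts
        elif kind == "create" and key in last_termination:
            if ts - last_termination[key] <= timedelta(seconds=window_seconds):
                respawns[key] += 1
    return dict(respawns)


def suspicious_hosted_processes(events, hosted_image="wuapp.exe", trusted_dir=r"c:\windows"):
    """Return (timestamp, pid, ppid, parent image) for every launch of hosted_image
    whose parent binary does not live under trusted_dir. Assumption for this example:
    a legitimate wuapp.exe is started by Windows components, not by user-profile binaries."""
    image_of = {}                  # pid -> image path, learned from create events
    findings = []
    for ts_str, kind, pid, ppid, image in sorted(events, key=lambda e: e[0]):
        if kind != "create":
            continue
        image_of[pid] = image
        if image.lower().endswith("\\" + hosted_image):
            parent = image_of.get(ppid, "<unknown>")
            if not parent.lower().startswith(trusted_dir):
                findings.append((ts_str, pid, ppid, parent))
    return findings


def report(events, respawn_threshold=2):
    """Combine both heuristics into human-readable alert strings."""
    alerts = []
    for (ppid, image), count in find_respawns(events).items():
        if count >= respawn_threshold:
            alerts.append(f"watchdog-like respawn: pid {ppid} relaunched {image} {count} times")
    for ts, pid, ppid, parent in suspicious_hosted_processes(events):
        alerts.append(f"{ts}: wuapp.exe pid {pid} started by untrusted parent {parent} (pid {ppid})")
    return alerts


if __name__ == "__main__":
    for line in report(SAMPLE_EVENTS):
        print(line)
```

On the constructed sample the watchdog rule fires once for the parent (pid 4100) and the untrusted-parent rule fires for each of the three wuapp.exe launches. Two caveats: the respawn rule only sees the relaunch, so it confirms the persistence behaviour rather than preventing it, and the injection step itself (a remote thread created inside wuapp.exe) is not a process creation at all; catching that requires remote-thread telemetry such as Sysmon Event ID 8 rather than the create/terminate events used here. The parent-based heuristic is also only a starting point: the path an attacker's loader runs from is an assumption of this example, not something the article states.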

Fortinet analysts conclude that the miner targets Monero rather than Bitcoin, despite Bitcoin's surging value, because Monero's mining algorithm is designed to run on ordinary computers, which makes the potential pool of victim machines much larger. Moreover, Monero transactions are more anonymous than Bitcoin transactions because they use stealth addresses.


Bradley Barth

As director of multimedia content strategy at CyberRisk Alliance, Bradley Barth develops content for online conferences, webcasts, podcasts video/multimedia projects — often serving as moderator or host. For nearly six years, he wrote and reported for SC Media as deputy editor and, before that, senior reporter. He was previously a program executive with the tech-focused PR firm Voxus. Past journalistic experience includes stints as business editor at Executive Technology, a staff writer at New York Sportscene and a freelance journalist covering travel and entertainment. In his spare time, Bradley also writes screenplays.
