RIG EK covertly delivers cryptocurrency miners

Malware peddlers have been quick to react to the cryptocurrency boom and to take advantage of every possible way to make other people and organizations mine coins for them.

They trick victims into installing mining software, hijack their CPUs via in-browser cryptojacking, and exploit organizations’ unsecured cloud computing environments. They are also using exploit kits and drive-by downloads to covertly deliver mining malware to unsuspecting users.

Sometimes users get more than one miner

In a recently analyzed malvertising campaign, researchers found the RIG exploit kit delivering a rather hefty dropper. This is apparently not unusual, as such droppers often contain more than one coin miner: usually one for mining Monero, and another for mining a less popular cryptocurrency.


In this particular campaign, the Monero miner is downloaded through a convoluted process that also registers it as a persistent service so it survives reboots.

“The extracted binary from the RIG EK payload is an installer that drops several .NET modules,” Malwarebytes’ Jérôme Segura explained.

One of them uses an exploit copied from a GitHub repository to elevate privileges; another contains two sub-modules for protecting and managing the running services; and a third one downloads and manages the Monero miner.

The Electroneum miner is delivered through a second redirection chain that involves the Bit.ly URL shortener and a fake PNG image containing instructions for downloading and launching the malware.
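A file served as an image but carrying download-and-run instructions is easy to catch if the client, proxy or sandbox actually validates the format instead of trusting the extension or Content-Type. The script below is an added example, not code from the Malwarebytes report: it parses the PNG chunk structure (signature, IHDR first, per-chunk CRC, IEND), and classifies a file as not a PNG at all, a real PNG with data appended after IEND, or a real PNG whose text chunk holds a URL or command line. The last two cases go beyond what the article describes, which is a plain fake image; the sample byte strings, hostnames and pool address are constructed for illustration.

```python
"""Classify a file claiming to be a PNG; added example, not from the original report."""
import re
import struct
import zlib

PNG_SIGNATURE = b"\x89PNG\r\n\x1a\n"

# Loose indicators of "instructions" rather than pixels. Hostnames are constructed.
URL_RE = re.compile(rb"https?://[^\s\"'<>]+", re.IGNORECASE)
CMD_RE = re.compile(rb"(?:powershell|cmd\.exe|wscript|mshta|bitsadmin)[^\r\n]*", re.IGNORECASE)


def parse_png_chunks(data):
    """Walk the chunk list and return (chunks, bytes_consumed).

    chunks is a list of (type, payload). Raises ValueError on a missing
    signature, truncated chunk, CRC mismatch or missing IEND.
    """
    if not data.startswith(PNG_SIGNATURE):
        raise ValueError("missing PNG signature")
    pos = len(PNG_SIGNATURE)
    chunks = []
    while pos + 8 <= len(data):
        length, ctype = struct.unpack(">I4s", data[pos:pos + 8])
        payload = data[pos + 8:pos + 8 + length]
        crc_bytes = data[pos + 8 + length:pos + 12 + length]
        if len(payload) != length or len(crc_bytes) != 4:
            raise ValueError("truncated chunk %r" % ctype)
        expected = zlib.crc32(ctype + payload) & 0xFFFFFFFF  # CRC covers type + data
        if struct.unpack(">I", crc_bytes)[0] != expected:
            raise ValueError("CRC mismatch in chunk %r" % ctype)
        chunks.append((ctype, payload))
        pos += 12 + length
        if ctype == b"IEND":
            return chunks, pos
    raise ValueError("no IEND chunk")


def classify_png(data):
    """Return 'ok', 'not_png', 'trailing_data' or 'suspicious_text'."""
    try:
        chunks, consumed = parse_png_chunks(data)
    except ValueError:
        return "not_png"
    if not chunks or chunks[0][0] != b"IHDR":
        return "not_png"
    if consumed < len(data):
        return "trailing_data"  # valid image with a payload stapled after IEND
    # tEXt/iTXt can hold legitimate metadata; a URL or command line in one is worth a look.
    for ctype, payload in chunks:
        if ctype in (b"tEXt", b"iTXt") and (URL_RE.search(payload) or CMD_RE.search(payload)):
            return "suspicious_text"
    return "ok"


def find_indicators(data):
    """Pull URLs and command lines out of any bytes, PNG or not, for triage."""
    return {
        "urls": [m.decode("ascii", "replace") for m in URL_RE.findall(data)],
        "commands": [m.decode("ascii", "replace") for m in CMD_RE.findall(data)],
    }


def _chunk(ctype, payload):
    crc = zlib.crc32(ctype + payload) & 0xFFFFFFFF
    return struct.pack(">I", len(payload)) + ctype + payload + struct.pack(">I", crc)


def build_sample_png(extra_text=b""):
    """Construct a minimal valid 1x1 RGB PNG, optionally with a tEXt chunk."""
    ihdr = struct.pack(">IIBBBBB", 1, 1, 8, 2, 0, 0, 0)  # width, height, depth, RGB, defaults
    idat = zlib.compress(b"\x00\xff\x00\x00")  # filter byte + one red pixel
    parts = [PNG_SIGNATURE, _chunk(b"IHDR", ihdr)]
    if extra_text:
        parts.append(_chunk(b"tEXt", extra_text))
    parts += [_chunk(b"IDAT", idat), _chunk(b"IEND", b"")]
    return b"".join(parts)


# Constructed samples (no real hosts): a real image, a text file named .png,
# a real image with a command appended after IEND, and a real image with a URL in tEXt.
GOOD_PNG = build_sample_png()
FAKE_PNG = (b"http://example.invalid/miner.exe\r\n"
            b"cmd.exe /c start miner.exe -o pool.example.invalid:3333\r\n")
POLYGLOT_PNG = GOOD_PNG + b"powershell -nop -w hidden -c \"echo appended\""
TEXT_CHUNK_PNG = build_sample_png(b"Comment\x00http://example.invalid/payload.exe")

if __name__ == "__main__":
    for name, blob in [("good", GOOD_PNG), ("fake", FAKE_PNG),
                       ("polyglot", POLYGLOT_PNG), ("textchunk", TEXT_CHUNK_PNG)]:
        print(name, classify_png(blob), find_indicators(blob))
```

In a proxy or sandbox, a "not_png" verdict on a response labelled image/png is the cheap signal; "trailing_data" and "suspicious_text" are lower-confidence and deserve manual triage rather than an automatic block, since some legitimate tooling writes metadata into text chunks.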

This is just the beginning

“We have noticed an increase in malware payloads from EKs that are coin miners, and we think this is going to be something to follow for 2018,” Segura noted.

“As the mining process has become cross-platform and achievable using regular computers, this has opened new possibilities for threat actors. Indeed, they can put hundreds of thousands of compromised machines to work mining for the latest and hottest digital currency around.”

But while getting saddled with one or two coin miners seems a less dangerous proposition than getting infected with a banking Trojan, users should still aim to keep their machines for themselves.

Luckily, in this particular case, they are likely to notice something is wrong almost immediately: when both miners are running, the computer’s CPU usage reaches 100 percent, which makes the machine practically unusable for its legitimate owner.