Unauthorized Monero Mining Campaign Impacting Up to 30M Systems

The Palo Alto Networks Unit 42 security research team reveals a new cryptocurrency attack that makes use of URL shorteners to trick users into installing Monero mining software.

Monero XMRig

Palo Alto Networks is warning of a new cryptocurrency mining attack that is using URL shorteners as a way to infect victims' systems.

In a Jan. 24 report, the Palo Alto Networks Unit 42 security research group revealed that up to 30 million systems may be impacted by the attack, which has been ongoing since October 2017. The attack payload installs the open-source XMRig mining software on a victim's machine to consume CPU resources and mine the Monero cryptocurrency. It's currently not known who is behind the new attack.

"We can't go into attribution, but the evidence is suggestive of a single threat actor or group," Josh Grunzweig, senior malware researcher at Palo Alto Networks, told eWEEK. "We saw evidence of the Russian language being used when we analyzed the malware."

What's also not known is how much Monero the attackers have been able to obtain via the attack. Monero is a popular cryptocurrency for mining operations, as it does not require purpose-built hardware and can be mined with regular system CPUs. Different attacker groups, according to security research reports, have found varying levels of success for cryptocurrency mining attacks. F5 Networks reported earlier this month that attackers using an SSH vulnerability were able mine $46,000 in Monero cryptocurrency. ISC SANS reported on another group of attackers that used an Oracle vulnerability to mine approximately $250,000 of Monero.

In the attack revealed by Palo Alto Networks, rather than abusing a software vulnerability, attackers are using URL shorteners as the delivery mechanism for XMRig mining code. "What's happening is users are being presented with AdFly ads, and those ads have the shortened URLs within them," Grunzweig said. "The URLs are being presented in a way that makes the user expect to download something."

When the users click on the links, they get the download as expected, but the contents of the download are not what they expected, he said. The XMRig software is installed on the victim's system and then made available as part of the attackers' pool of mining systems that is then placed on the Nicehash mining marketplace. Nicehash provides a marketplace where individuals can buy and sell mining capacity. In a typical botnet, there is a command and control node that sends instructions to victimized systems. Grunzweig said that in the new cryptocurrency mining attack, Nicehash isn't actually working as a command and control node.

"We wouldn't say Nicehash is being used for command and control. There's no evidence that Nicehash is actively controlling any of these systems in a malicious way," he said. "Instead, the victim systems are being put into the Nicehash mining pool by connecting the XMRig software with Nicehash."

What Should Users Do?

There are multiple ways that attackers are mining cryptocurrency on user systems. In an October 2017 report, Palo Alto detailed one of the most common methods, which is unauthorized coin mining inside of web browsers. Those types of attacks can be mitigated by the use of ad-blocking browser software.

The new attack detailed by Palo Alto involves a download coming from a malicious URL.

"This particular operation uses tactics that are known and for which best practices are known to apply," Grunzweig said. "Blocking access to untrusted sites and using prevention-focused security can definitely help prevent successful attacks like this."

Sean Michael Kerner is a senior editor at eWEEK and InternetNews.com. Follow him on Twitter @TechJournalist.

Sean Michael Kerner

Sean Michael Kerner

Sean Michael Kerner is an Internet consultant, strategist, and contributor to several leading IT business web sites.