Cybercrime groups increasingly appear to be leaving ransomware behind in favor of cryptominer malware: software that is installed surreptitiously on compromised machines to steal their processing power and mine digital currencies such as Monero.
Cryptominer malware is a relatively new cybercrime trend that started with Bitcoin miners delivered by Trojans; however, the vast computing resources now needed to mine the original cryptocurrency have prompted attackers to focus on Monero. Monero can still be mined profitably on ordinary CPUs, so a fleet of hijacked servers is a usable mining rig, and it provides a high degree of anonymity and transaction obfuscation, two characteristics that are particularly useful to cybercrime groups. Monero is quickly becoming the de facto currency of the digital underground.
According to a report by the threat research team at information security firm F5 Networks, a global campaign dubbed "Zealot" is spreading across enterprise networks running both Windows and Linux. The initial break-in targets internet-facing web servers running vulnerable web applications, regardless of operating system; once inside a network, the campaign also reaches Windows machines, including workstations, that have not been patched against the SMB flaw described below. Personal computers running desktop Linux distributions are not targeted by the initial exploits and are safe for the most part.
What is worrisome about the Zealot campaign is that it is carried out with the assistance of two exploits attributed to the United States National Security Agency, EternalBlue and EternalSynergy, both of which abuse the SMB protocol on Windows. These cyber warfare tools were taken by a group calling itself the "Shadow Brokers," which began leaking NSA material in August 2016 and published the exploit tools themselves in April 2017. Attribution of the Shadow Brokers remains unsettled; some intelligence analysts have suggested a link to Russian political interests that seek to destabilize the U.S. government.
Now that NSA cyber weapons are available to just about anyone who wishes to use them, enterprise networks are being targeted with a variety of attacks built on them. In 2017 the WannaCry and NotPetya ransomware outbreaks, both of which spread using EternalBlue, crippled public health and transportation systems in dozens of countries. Many analysts now expect the focus to shift from ransomware toward cryptocurrency mining, which generates revenue quietly and does not depend on a victim deciding to pay.
The initial-access exploits are not the NSA tools: one targets the Jakarta multipart request parser in Apache Struts 2 (CVE-2017-5638, the flaw behind the Equifax breach), the other a deserialization bug in the DotNetNuke content management system (CVE-2017-9822). The attack then unfolds in several stages. On Windows servers the exploit launches PowerShell, which downloads further scripts and the miner and injects dynamic-link library (DLL) files into running processes; the EternalBlue and EternalSynergy exploits are then used to spread to other unpatched Windows hosts on the internal network over SMB. On Linux servers the exploit runs a series of shell commands that fetch a Python-based agent, establish a remote connection and install the cryptominer.
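Both initial-access exploits leave distinctive traces in HTTP requests: the Struts payload is an OGNL expression smuggled into the Content-Type header, and the DotNetNuke payload is a serialized .NET gadget chain in the DNNPersonalization cookie. The following detection logic is an added example written for this article, not code from F5 or from the campaign itself; the request records are constructed, the marker strings are illustrative signatures rather than a complete ruleset, and the helper names are this example's own.

```python
"""Flag HTTP requests carrying the two initial-access exploit patterns
used by the Zealot campaign.  Added example: constructed request
records, illustrative signatures, no network access."""
import re

# Struts 2 CVE-2017-5638: a legitimate Content-Type header never contains an
# OGNL expression opener, so "%{" or "${" in that header is a strong signal.
OGNL_IN_CONTENT_TYPE = re.compile(r"[%$]\{")

# DotNetNuke CVE-2017-9822: the public exploit smuggles an ObjectDataProvider
# gadget into the DNNPersonalization cookie to call System.Diagnostics.Process.
DNN_GADGET_MARKERS = ("ObjectDataProvider", "System.Diagnostics.Process", "MethodName")


def check_request(req):
    """Return a list of finding tags for one request record.

    req is a dict with keys: src, method, path, headers (dict), cookies (dict).
    """
    findings = []
    content_type = req.get("headers", {}).get("Content-Type", "")
    if OGNL_IN_CONTENT_TYPE.search(content_type):
        findings.append("struts-ognl-content-type")
    cookie = req.get("cookies", {}).get("DNNPersonalization", "")
    if any(marker in cookie for marker in DNN_GADGET_MARKERS):
        findings.append("dnn-deserialization-cookie")
    return findings


def scan(requests):
    """Return (source IP, finding) pairs for every suspicious request."""
    return [(r["src"], tag) for r in requests for tag in check_request(r)]


# Constructed sample traffic (RFC 5737 documentation addresses).
SAMPLE_REQUESTS = [
    {   # Struts exploitation attempt: OGNL in Content-Type
        "src": "198.51.100.7", "method": "POST", "path": "/struts2-showcase/",
        "headers": {"Content-Type":
                    "%{(#_='multipart/form-data').(#dm=@ognl.OgnlContext@DEFAULT_MEMBER_ACCESS)}"},
        "cookies": {},
    },
    {   # DotNetNuke exploitation attempt: gadget chain in the cookie
        "src": "203.0.113.4", "method": "GET", "path": "/Default.aspx",
        "headers": {},
        "cookies": {"DNNPersonalization":
                    '<profile><item key="x" type="System.Data.Services.Internal.ExpandedWrapper'
                    '`1[[System.Windows.Data.ObjectDataProvider, PresentationFramework]]">'
                    '<MethodName>Start</MethodName></item></profile>'},
    },
    {   # Benign multipart upload with a normal DotNetNuke personalization cookie
        "src": "192.0.2.10", "method": "POST", "path": "/upload",
        "headers": {"Content-Type": "multipart/form-data; boundary=----WebKitFormBoundaryX"},
        "cookies": {"DNNPersonalization":
                    '<profile><item key="LanguageCode" type="System.String">'
                    '<string>en-US</string></item></profile>'},
    },
    {   # Benign JSON API call
        "src": "192.0.2.11", "method": "POST", "path": "/api/items",
        "headers": {"Content-Type": "application/json"},
        "cookies": {},
    },
]

if __name__ == "__main__":
    for src, tag in scan(SAMPLE_REQUESTS):
        print(f"{src}: {tag}")
```

The Content-Type rule is cheap enough to run inline in a WAF or reverse proxy; the cookie rule is best applied to request logs, since the gadget chain can be padded or encoded in ways a fixed marker list will miss.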
Information security analysts have commented that the Zealot campaign features a level of sophistication and stealth that makes it difficult to prevent once it is inside a network. The first line of defense is therefore patching: apply the fixes for the Apache Struts and DotNetNuke flaws on internet-facing servers, install the MS17-010 update that closes the SMB flaw used by EternalBlue and EternalSynergy, and block SMB (TCP port 445) between workstations and from servers that have no business speaking it. Beyond that, network administrators should keep an eye on their traffic and bandwidth reports: a mining infection shows up as sustained high CPU load, long-lived outbound connections to unfamiliar hosts on ports commonly used by mining pools, and, where traffic is not encrypted, Stratum JSON-RPC messages such as "login" carrying a miner agent string.
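To make the traffic-monitoring advice concrete, the following added example (written for this article, not code from F5 or the campaign) scores connection records from a flow log or network sensor for signs of pool mining: Stratum JSON-RPC messages with a miner agent string, and long-lived connections to ports commonly used by mining pools. The records, the port list and the threshold are constructed assumptions; the port list in particular is only a starting point, since pools run on arbitrary ports and the port alone is never conclusive.

```python
"""Spot cryptominer pool traffic in connection records.  Added example:
constructed flow-log style records, illustrative port list and threshold."""
import json
from collections import defaultdict

# Ports frequently used by Monero pools (assumption: common, not exhaustive).
STRATUM_PORTS = {3333, 4444, 5555, 7777, 8888, 14444}
# JSON-RPC methods a miner sends when it connects to a pool.
STRATUM_METHODS = {"login", "mining.subscribe", "mining.authorize"}
# A miner keeps its pool connection open for hours; one hour is the assumed cut-off.
LONG_LIVED_SECONDS = 3600


def parse_stratum(payload):
    """Return (method, agent) if payload is a Stratum hello message, else None."""
    try:
        msg = json.loads(payload)
    except (ValueError, TypeError):
        return None
    if not isinstance(msg, dict) or msg.get("method") not in STRATUM_METHODS:
        return None
    params = msg.get("params")
    agent = params.get("agent", "") if isinstance(params, dict) else ""
    return msg["method"], agent


def classify(conn):
    """Return the reasons one connection record looks like mining traffic.

    conn keys: src, dst, dport, duration_s, payload (first bytes sent, may be empty).
    An empty list means the record is not flagged.
    """
    reasons = []
    hello = parse_stratum(conn.get("payload", ""))
    if hello:
        method, agent = hello
        reasons.append(f"Stratum '{method}' message to {conn['dst']}:{conn['dport']}")
        if agent:
            reasons.append(f"miner agent string '{agent}'")
    # Port alone is weak evidence; require the connection to be long-lived as well.
    if conn["dport"] in STRATUM_PORTS and conn["duration_s"] >= LONG_LIVED_SECONDS:
        reasons.append(f"{conn['duration_s']}s connection to common pool port {conn['dport']}")
    return reasons


def find_miners(conns):
    """Map each internal source address to the reasons it was flagged."""
    hits = defaultdict(list)
    for conn in conns:
        reasons = classify(conn)
        if reasons:
            hits[conn["src"]].extend(reasons)
    return dict(hits)


# Constructed records; the wallet address is a placeholder of the right shape.
XMRIG_LOGIN = json.dumps({
    "id": 1, "jsonrpc": "2.0", "method": "login",
    "params": {"login": "4" + "B" * 94, "pass": "x", "agent": "XMRig/2.4.2"},
})
SAMPLE_CONNS = [
    # Compromised web server talking plaintext Stratum to a pool for two hours.
    {"src": "10.0.0.5", "dst": "198.51.100.20", "dport": 3333,
     "duration_s": 7200, "payload": XMRIG_LOGIN},
    # Ordinary short HTTPS session.
    {"src": "10.0.0.9", "dst": "203.0.113.8", "dport": 443,
     "duration_s": 30, "payload": ""},
    # TLS-wrapped pool connection: no payload visibility, but port plus duration stand out.
    {"src": "10.0.0.12", "dst": "192.0.2.33", "dport": 8888,
     "duration_s": 5400, "payload": ""},
    # Two-second connection to port 3333: port match alone is not enough to flag.
    {"src": "10.0.0.9", "dst": "192.0.2.50", "dport": 3333,
     "duration_s": 2, "payload": ""},
]

if __name__ == "__main__":
    for src, reasons in find_miners(SAMPLE_CONNS).items():
        print(src)
        for reason in reasons:
            print("  -", reason)
```

In practice the port-plus-duration rule should be corroborated with a host-side signal such as sustained CPU load or an unexpected process holding the socket; the Stratum rule is close to conclusive on its own but only fires when the sensor sees plaintext.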