Criminals behind the VenusLocker ransomware have switched to cryptocurrency mining in their latest campaign targeting computer users in South Korea. Instead of attempting to infect targeted computers with ransomware, the group is now trying to install malware on PCs that mines for Monero, an open-source cryptocurrency.
The shift was spotted by FortiGuard Labs, which said the group behind the attacks is attempting to capitalize on a surging cryptocurrency market.
“With more and more people realizing that cryptocurrency is potentially a significantly profitable investment, this rise is likely to continue for the foreseeable future. And where there is profit, that is where malware attacks will gather,” wrote FortiGuard in a report Wednesday.
Researchers said the shift by threat actors is also spurred by anti-ransomware mitigation efforts that have made infecting systems with malware harder.
“This past October Microsoft added a Controlled folder access feature to Windows Defender Security for Windows 10 users to prevent malicious (or unexpected) alteration of important files. Features such as this can effectively thwart ransomware attacks. Which is probably part of the reason why the threat actors behind VenusLocker decided to switch targets,” researchers said.
Why Monero crypto currency, and not the surging Bitcoin? According to FortiGuard, Monero’s mining algorithm is designed for ordinary computers. Bitcoin, on the other hand, requires higher-end systems equipped with Application-Specific Integrated Circuits or high-end GPUs, according to researchers.
“The second reason is Monero’s promise of transaction anonymity. With Bitcoin, a wallet is a public record,” researchers wrote. Monero’s wallet uses “stealth addresses” along with “transaction mixing” allowing criminals to cloak account activity.
Those behind VenusLocker, and now Monero mining malware, are targeting South Korean users via phishing campaigns. Emails contain malicious attachments compressed in EGG archive format, developed by ESTsoft, a South Korean tech firm.
Ploys range from fake messages from a website insisting recipients open an accompanying attachment that contains important personal breach information pertaining to a recent website hack. Another message insists a recipient open the malicious attachment in order to view copyright protected images illegally used on the target’s website.
“Once the malware is executed, an embedded binary of the Monero CPU miner XMRig v2.4.2 is executed. As a basic attempt to hide this resource hogging operation, the miner is executed as a remote thread under the legitimate Windows component wuapp.exe, which is executed beforehand to avoid raising suspicions,” researchers describe.
Researchers also noted many similarities between the hidden file attribute and shortcut files used to trick users in the VenusLocker malware and the mining malware.
“An interesting observation is that this same scheme has been used by VenusLocker in the past. To confirm this assumption, we had to take a closer look at the shortcut files’ metadata, and sure enough, we found a direct relation to the ransomware. Aside from the target paths, the shortcut files used during the VenusLocker ransomware period are practically identical to the ones being used in this campaign,” researchers said.
FortiGuard researchers say the switch to crytocurrency mining by ransomware crooks is a growing trend that could extend into 2018. “With cryptocurrency values being more enticing than ever, it is a real possibility,” they said.