Monero mining malware linked to Turkish telecom company

Turkish Internet provider implicated in recent Monero mining virus epidemic in Middle East, says Citizen Lab in its report
12 March 2018

Recently a wave of Windows installers laced with a Monero miner appeared in Turkey and Syria. The University of Toronto's Citizen Lab took an interest in the case and published a report, and its findings are surprising, to say the least.

The culprit was connected to Türk Telekom, a formerly state-owned Turkish telecommunications provider. According to the report, the miner is tied to an unknown party with access to the provider's middleboxes, devices associated with government surveillance in Turkey and Syria. This raises the question of whether the miner itself is the product of a government-backed mining effort.

The infection scheme, which the report calls “AdHose”, is described in detail there. Users trying to download legitimate Windows applications such as Avast Antivirus, CCleaner, 7-Zip or Opera are unknowingly redirected to infected copies of those installers.
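An on-path middlebox can only swap an installer if nothing checks what actually arrived. The check a user or an endpoint tool would want is shown below as an added example; it is not code from the Citizen Lab report or from any of the vendors named above. It compares the URL that was requested with the one the download ended on (flagging a drop from HTTPS to plaintext or a hop to a host outside the vendor's domain) and compares the SHA-256 of the received bytes with a hash obtained out of band. The allow-list of vendor hosts, the URLs and the installer bytes are constructed for the example.

```python
import hashlib
from urllib.parse import urlparse

# Hypothetical allow-list of vendor download hosts; a real deployment would
# maintain one per product (assumption made for this example).
TRUSTED_HOSTS = {
    "www.7-zip.org", "7-zip.org",
    "www.avast.com", "files.avast.com",
    "www.ccleaner.com", "download.ccleaner.com",
    "www.opera.com", "get.geo.opera.com",
}


def registrable_domain(host):
    """Crude 'vendor domain' = last two labels; sufficient for the allow-list above."""
    return ".".join(host.lower().split(".")[-2:])


def verify_download(requested_url, final_url, data, pinned_sha256):
    """Check a fetched installer against the URL the user asked for and a hash
    obtained out of band. Returns a list of finding codes; an empty list means
    every check passed."""
    findings = []
    req, fin = urlparse(requested_url), urlparse(final_url)

    # A middlebox that wants to serve its own file usually drops to plain HTTP,
    # because it cannot present a valid certificate for the vendor's host.
    if fin.scheme != "https":
        findings.append("plaintext-transport")

    # The final host must be on the allow-list and belong to the same vendor
    # domain the user originally asked for.
    host = fin.hostname or ""
    if host not in TRUSTED_HOSTS or registrable_domain(host) != registrable_domain(req.hostname or ""):
        findings.append("untrusted-host")

    # The hash must come from somewhere the same network path cannot rewrite
    # (a vendor page fetched over the same intercepted link proves nothing).
    if hashlib.sha256(data).hexdigest().lower() != pinned_sha256.lower():
        findings.append("hash-mismatch")
    return findings


# Constructed scenario: the user asked for the 7-Zip installer over HTTPS.
REQUESTED = "https://www.7-zip.org/a/7z1900-x64.exe"
GENUINE = b"constructed stand-in for the genuine installer bytes"
PINNED_SHA256 = hashlib.sha256(GENUINE).hexdigest()  # in practice supplied by the vendor, out of band
TROJANIZED = GENUINE + b"\x00constructed stand-in for an appended miner payload"


def demo():
    """Run the check on a clean download and on a middlebox-redirected one."""
    clean = verify_download(REQUESTED, REQUESTED, GENUINE, PINNED_SHA256)
    redirected = verify_download(REQUESTED, "http://203.0.113.5/7z1900-x64.exe",
                                 TROJANIZED, PINNED_SHA256)
    return clean, redirected


if __name__ == "__main__":
    print(demo())
```

The hash comparison is the check that survives even a redirect that stays on HTTPS and on a look-alike host, which is why the pinned value has to come from a second channel. On Windows the complementary check is the installer's Authenticode signature; a trojanized copy either carries no signature or one that does not chain to the vendor.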

A spokesperson for Türk Telekom responded to the accusations with a published statement calling the Citizen Lab allegations technically inaccurate and intentionally misleading. He also said that the company is currently investigating the issue, because it is “deeply committed to ethical technology development”.

The idea of government-controlled cryptocurrency-mining malware strikes experts as somewhat far-fetched, but similar cases were already reported by the Open Observatory of Network Interference (OONI) in 2016. At that time an Egyptian Internet provider was implicated in similar man-in-the-middle attacks that injected malware and advertising, minus the mining element.

BlackSquid Hidden Miner to Attack US & Thai PCs

The malware is distributed through malicious websites, compromised web servers, network drives, and USB drives; it uses different exploits and vulnerabilities
05 June 2019

Trend Micro researchers have discovered a new malware that mines the Monero cryptocurrency on users' devices, reports ZDNet.

The new miner, dubbed BlackSquid, is most prevalent in Thailand and the United States. The malware is distributed through malicious websites, compromised web servers, network drives and USB drives. To spread it uses EternalBlue and DoublePulsar, the server vulnerabilities CVE-2014-6287 (Rejetto HTTP File Server) and CVE-2017-12615 (Apache Tomcat), CVE-2017-8464 (Windows LNK file handling, which fits the network-drive and USB vector) and a vulnerability in the ThinkPHP web framework.
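Three of the flaws above are exploited with HTTP requests of a recognisable shape, so a compromised web server will usually have left them in its access log. The scanner below is an added example, not code from Trend Micro or ZDNet: it parses combined-format access-log lines, URL-decodes the request, and matches the public exploit shapes for the three web-facing flaws (a PUT of a .jsp path with a trailing slash or space for the Tomcat flaw, a null byte followed by an HFS macro in the search parameter for CVE-2014-6287, and the invokefunction/call_user_func_array route abuse for ThinkPHP). The log lines are constructed for the example, and the rule names and function names are this example's own.

```python
import re
from urllib.parse import unquote

# Constructed sample lines in Apache/Nginx combined log format; not real traffic
# from the BlackSquid campaign. The first three carry the request shapes of the
# public exploits for the web-facing flaws named in the article, the last two
# are benign.
SAMPLE_LOG = """\
203.0.113.10 - - [05/Jun/2019:10:01:02 +0000] "GET /index.php?s=index/\\think\\app/invokefunction&function=call_user_func_array&vars[0]=system&vars[1][]=whoami HTTP/1.1" 200 512 "-" "Mozilla/5.0"
203.0.113.10 - - [05/Jun/2019:10:01:05 +0000] "PUT /shell.jsp/ HTTP/1.1" 201 0 "-" "Mozilla/5.0"
203.0.113.11 - - [05/Jun/2019:10:02:11 +0000] "GET /?search=%00{.exec|cmd.exe%20/c%20whoami.} HTTP/1.1" 200 1024 "-" "Mozilla/5.0"
198.51.100.7 - - [05/Jun/2019:10:03:00 +0000] "GET /index.php?s=/home/user/login HTTP/1.1" 200 2048 "-" "Mozilla/5.0"
198.51.100.8 - - [05/Jun/2019:10:03:30 +0000] "GET /docs/index.jsp HTTP/1.1" 200 4096 "-" "Mozilla/5.0"
"""

# Combined log format: client, ident, user, [timestamp], "METHOD path HTTP/x", status, ...
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<path>\S+)(?: HTTP/[\d.]+)?" (?P<status>\d{3})'
)

# Each rule sees the HTTP method and the URL-decoded request target.
RULES = [
    # CVE-2017-12615: Tomcat with readonly=false accepts a PUT of a JSP; the
    # trailing "/" or "%20" is the public bypass for the .jsp suffix mapping.
    ("CVE-2017-12615 Tomcat JSP upload via PUT",
     lambda method, path: method == "PUT" and re.search(r"\.jsp[/ ]?$", path, re.I) is not None),
    # CVE-2014-6287: HFS 2.3.x executes {.exec|...} macros when the search
    # parameter starts with a null byte.
    ("CVE-2014-6287 Rejetto HFS macro injection",
     lambda method, path: re.search(r"[?&]search=[^&]*\x00[^&]*\{\.", path) is not None),
    # ThinkPHP 5.x: the route parameter reaches invokefunction, and
    # call_user_func_array turns the vars[] arguments into a system() call.
    ("ThinkPHP invokefunction RCE",
     lambda method, path: re.search(r"invokefunction", path, re.I) is not None
     and re.search(r"function=call_user_func_array", path, re.I) is not None),
]


def parse_line(line):
    """Split one combined-format line into fields; None if it does not parse."""
    m = LOG_RE.match(line)
    if not m:
        return None
    rec = m.groupdict()
    rec["decoded_path"] = unquote(rec["path"])  # %00, %20 etc. become real bytes
    return rec


def scan_log(text):
    """Return one hit per (line, rule) pair for lines matching an exploit shape."""
    hits = []
    for number, line in enumerate(text.splitlines(), 1):
        rec = parse_line(line)
        if rec is None:
            continue
        for name, predicate in RULES:
            if predicate(rec["method"], rec["decoded_path"]):
                hits.append({"line": number, "ip": rec["ip"], "rule": name,
                             "path": rec["path"], "status": rec["status"]})
    return hits


def attacker_ips(hits):
    """Group hits by client address; one source firing several rules is a scanner."""
    by_ip = {}
    for h in hits:
        by_ip.setdefault(h["ip"], set()).add(h["rule"])
    return {ip: sorted(rules) for ip, rules in by_ip.items()}


if __name__ == "__main__":
    for h in scan_log(SAMPLE_LOG):
        print(h["line"], h["ip"], h["rule"], h["path"])
    print(attacker_ips(scan_log(SAMPLE_LOG)))
```

The status code is kept in each hit because a 201 on the Tomcat PUT or a 200 on the HFS request means the exploit likely succeeded, not just that it was attempted. The other propagation paths leave no trace here: EternalBlue and DoublePulsar are SMB traffic on port 445, and CVE-2017-8464 is triggered by a crafted .lnk on a network or USB drive, so those need network and endpoint telemetry rather than web logs.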

BlackSquid uses several tricks to stay unnoticed. For example, if it detects that it is running in a virtualized environment, or finds debugging tools on the machine, its malicious functions are not activated.

Once past those checks, the malware installs the XMRig miner. The attack does not end there: it also scans the system for a video card so that it can mine more efficiently on the GPU. After infecting one computer on a network, the malware tries to spread to the other systems.