AhnLab ASEC has uncovered a cryptocurrency-mining malware operation in South Korea exploiting USB drives for distribution. The malware, which exploits system resources without consent, modifies security settings to optimize mining performance while evading detection. This has resulted in significant unauthorized profits for the threat actor. Affected: South Korea, USB devices, cryptocurrency, Windows systems
Keypoints :
- Cryptocurrency-mining malware distributed via USB in South Korea.
- The malware mines cryptocurrencies using PC resources without user consent.
- Installation of mining programs deemed illegal if they degrade system performance without permission.
- Monero-mining malware was identified in the attack.
- Threat actors modified system settings to evade detection by Windows Defender.
- Malware includes C&C communication using PostgreSQL for data exchange.
- Automatic propagation through USB facilitated rapid spread of the infection.
- Threat actor utilized unauthorized CPU and GPU resources, generating over 1 million won daily.
- Users are advised to keep security programs updated to prevent such attacks.
MITRE Techniques :
- T1071.001 β Application Layer Protocol: C&C communication using PostgreSQL DB.
- T1218.011 β Signed Binary Proxy Execution: DLL sideloading to execute malware.
- T1089 β Disabling or Modifying Security Tools: Bypassed Windows Defender protection settings.
- T1059.003 β Command and Scripting Interpreter: Executed commands via malware scripts.
- T1203 β Exploitation for Client Execution: Used USB automatic execution to propagate malware.
Indicator of Compromise :
- MD5 0b9a4d59dacfe88f2046c8128275cf24
- MD5 0c0195c48b6b8582fa6f6373032118da
- MD5 101b0a40228752f533e95d0bb2371a71
- MD5 1ab2548e89e865f83bce578b8aff8512
- MD5 1c138d300c371dac1241f67a5cc496a1
- URL http[:]//rootunvdwl[.]com/un1/uhard[.]dat
- URL http[:]//rootunvdwl[.]com/un1/unvurestorehard[.]dat
- URL http[:]//unvdwl[.]com/un1/uhard[.]dat
- URL http[:]//unvdwl[.]com/un1/unvurestorehard[.]dat
- URL https[:]//github[.]com/unvcosmos/dw/raw/refs/heads/main/cmn/uamd[.]dat
Full Story: https://asec.ahnlab.com/en/86221/