New Struts 2 Campaign Compiles Its Own C# Downloader, Leverages a User Profile Page as Its C&C Server
Figure 14: Statistics of the Monero mining payment address belonging to the attacker
The attacker has earned 8.76 Monero coins by now,4 with a current price of 110.79 USD per a Monero coin,5 which totals to 970.52 USD.
According to the information provided on the mining server website, this operation began around June 1.
For reference, a slow mining device with 2 GB DDR3 memory, and an NVIDIA GEFORCE GT 710 graphic card can reach to about 50H/s whereas a top-of-the-line custom rig costing around $12,000 USD can reach rates of 24,000H/s or 24KH/s.6 With the average hash rate of around 60KH/s for this mining operation, we can conclude that there are multiple devices participating in the mining action.
Kill Opponents and Avoid Monitoring
In addition to the functionality already listed, this malware has some more tricks up its sleeve.
The “CheckProcess” function kills fake “taskmgr” processes that don’t have “Microsoft Corporation” in the version information. This is probably done to remove the competition and, in general, any process taking valuable mining resources. The “CheckProcess” function also validates “svchost” and “csrss”.
If any of these processes are found illegitimate they will be forcefully terminated, denied from all permissions and their relevant files will be changed to super hidden.
Source link
lol
Figure 14: Statistics of the Monero mining payment address belonging to the attacker The attacker has earned 8.76 Monero coins by now,4 with a current price of 110.79 USD per a Monero coin,5 which totals to 970.52 USD. According to the information provided on the mining server website, this operation began around June 1.…