Cybersecurity researchers at Cisco Talos discovered a new threat actor dubbed Vivin, that has been raking thousands of dollars through Monero crypto-mining malware. The attack has made cybercriminals lots of money through large scale crypto-mining campaigns. Therefore, it is likely that the threat is here to stay.
Researchers noted that the attack was unique but pointed out that it had been active since 2017. The privacy coin, monero has been associated with frequent malware threats and attacks since the rise of crypto-jacking malware. Monero’s loss of value in the past months hasn’t waned cyber-criminal interests. In fact, Vivin comes just after Chainalysis released a report of how North Korean hackers, the Lazarus Group were executing crypto phishing schemes through front businesses.
However, during a podcast with Cisco Talos -; a threat researcher Nick Biasini told Threatpost that in the best-case scenario, money is still a guarantee. Biasini did not hesitate that despite the dwindling value of Monero, money and revenue were still the goal of all hacking schemes. He stated:
“ even though it’s not generating a huge amount of revenue, it’s guaranteed money. And for a lot of these actors, that’s really all their goal is, is to make money. So this remains a very viable way to do that.”
Vivin Executes XMrig Miner Installations
Biasini pointed out that the malware found itself in a host of computers following installations of pirated software. The infected software would later open a backdoor on the computers for installing the XMrig. A high-performance GPU/CPU crypto mining software.
While the scheme does not feature an elaborate brilliant crypto hacking attempt, it is worth noting that the malware has gone unnoticed for at least 3 years now. Biasani suggested that the popularity of cryptojacking malware had not just but evolved.
He described that the first wave of concern was a barrel of spam campaigns delivering infected with malware through documents. While cybersecurity firms pointed out this risks and advised firewalls to proof such attacks; Biasini noted that it was easy to think this move would dissuade cybercriminals.
However, what followed was a second wave of brute-forcing hacks and phishing schemes. Both activities have kept crypto-jacking activities going for the better part of 2017, 2018 and 2019. He said:
” You don’t have to maintain a lot of command and control infrastructure necessarily. Once the system gets up and running, it kind of just keeps going on its own. So it’s an attractive threat from that avenue more than anything else.”