Five thousand computers turned into "black labor" for mining

Text | Kyle

Editor | Wen Dao

The rise of the cryptocurrency industry has not only brought about an emerging market, but also attracted profit-seeking black market gangs, one of which is mining Trojans.

Recently, Tencent Security's Threat Intelligence Center published a post saying that they have detected the "LaofuMiner" mining Trojan spread through social engineering scams. Attackers disguised the remote control Trojan program as "hot news" or "pornographic content" and spread it on the Internet. Those who accidentally click on it will be immediately infected, and their computers will become abnormally slow, becoming miners for the black industry gangs.

According to statistics, the "Tiger" Trojan has infected more than 5,000 computers. Through tracing back to the source, it was found that the predecessor of "Tiger" was the "Grizzly" Trojan that appeared in 2018. At that time, "Grizzly" had infected nearly 100,000 hosts and obtained at least 380,000 yuan of illegal income by mining Monero.

In addition to "Grizzly" and "Tiger", other Trojan mining programs such as KingMiner, BlueHero, and "Fast Go Miner" are common. A security expert revealed that since some Trojans have been open sourced in the black industry, the cost of doing evil has been reduced, the harm of the virus has increased, and everyone may become a "victim".

Industry insiders have called for industry builders to jointly resist malicious behavior, strengthen security popularization, and improve safety factors when developing the cryptocurrency industry.

Tencent Yujian's source tracing query found that the file server baihes.com of the "Tiger" mining trojan points to the IP address 46.4.156.44. This IP address attracted the attention of security experts in 2018, when a mining trojan named "Grizzly Bear" BearMiner, whose domain name miner.gsbean.com was also directly related to the above IP address.

Tencent Yujian speculates that "Grizzly" and "Tiger" belong to the same group, and "Tiger" has replaced the "Grizzly" mining Trojan, showing a new active trend.

In July 2018, Sangfor security experts (hereinafter referred to as "Sangfor") first exposed the "Grizzly" mining virus. The disguise method of "Grizzly" is similar to that of "Tiger", which can bypass mainstream antivirus software and lurk for several months.

"Grizzly" is more harmful. According to Sangfor statistics, "Grizzly" has infected nearly 100,000 hosts. Most of the poisoned hosts show abnormal lag, which seriously affects the host performance.

Sangfor classified the virus's hazard level as "high risk" and the difficulty of detection and killing as "difficult". It was revealed that the coins mined by "Grizzly" at that time were mainly anonymous coins Monero (XMR). Unlike Bitcoin, Monero has a low threshold for mining and is easy to use. You can use a home computer to mine through the CPU and graphics card.

In addition, since all Monero transactions use hidden addresses to protect the privacy of the recipient, it is difficult to track the whereabouts of the coins mined by the black market gangs.

According to the statistics of Sangfor in July last year, the Grizzly virus mined 420 Monero coins at that time. Based on the currency price of 927 yuan at that time, the attacker earned more than 380,000 yuan through illegal mining by the Trojan virus, and the cost was not high.

In the black market, the remote control Trojan named "Big Bad Wolf" is a popular remote control tool. The "Tiger" virus also implants viruses into the victim's computer through this remote control tool.

It is said that the original author of "Big Bad Wolf" has passed away, but the relevant code has been circulated in the black industry circle and shared as open source. After different virus and Trojan horse gangs customized and modified it, many variants were derived, which invisibly reduced the cost of black industry gangs to develop viruses.

In addition to "Grizzly" and "Tiger", in recent years, KingMiner mining Trojan, BlueHero mining worm virus, "Quick Go Miner" and other Trojan programs are common. At the end of 2018, the Shigu Branch of the Hengyang Public Security Bureau in Hunan Province also cracked a virus mining case. A computer science graduate installed Trojans on Internet cafe computers and made a profit of over 100 million yuan through remote mining.

In today's social network, people are exposed to a large amount of information every day. If you are not careful, you may become a "mining coolie" for hackers. When you find that your computer suddenly freezes severely, your computer may be busy creating improper profits for others.

Security experts advise Internet users not to open files of unknown origin at will. Before opening a file, it is recommended to open the Explorer folder option and "view known file extensions". When you find that the file icon is an Office, music, or video file, and the file extension is "exe, com, pif, bat", you can immediately identify it as a dangerous file and delete it immediately and use antivirus software to kill it.

The rise of blockchain and digital currency has made mining a new industry that is gradually prospering. Profits often breed evil, and mining Trojans, hackers stealing coins, dark web transactions and other incidents are emerging one after another. "Black industry" is also the "back side of the coin" of this emerging industry.

Industry insiders have called for industry participants to jointly improve their security technology reserves and jointly resist the evil activities of hackers and black industries when new technologies and new industries are first born. Professional security teams may wish to set up a security alliance to popularize basic cybersecurity knowledge to the public, strengthen the publicity and early warning of new viruses, so as to prevent the public who do not understand cryptocurrencies from becoming "black laborers" in mining.