The number of malicious programs targeting South Korean cryptocurrency miners is on the increase. As digital currencies fluctuate in price, hackers who spread ransomware appear to be turning to malicious mining code.
South Korean cybersecurity firm ESTsecurity said that hackers who had attacked South Korea with “Venus Locker” ransomware since 2016 have been continuously spreading malicious code that mines the cryptocurrency Monero since the end of November last year. Hauri and Bitscan have also been warning about digital currency mining malware since the end of last year.
Hackers targeting South Korea spread cryptocurrency mining malware through spear phishing, sending emails written in fluent Korean. The latest attacks were aimed at particular medical facilities: hackers sent emails to hospitals that had posted openings for nurses on their websites. The emails appeared to contain resumes or application forms, but they carried mining malware in the form of an attached .lnk file and .exe file. The .lnk file appeared to be a JPG image or a Word document, but it executes the .exe file.
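A mail-gateway check for the attachment pattern described above, as an added example that is not code from ESTsecurity or from the original article. It classifies attachments by content (the Shell Link header and the `MZ` executable header) as well as by name; the function names, the decoy-extension list, the idea that the disguise shows up as a double extension, and the sample message are assumptions constructed for illustration.

```python
from email import message_from_bytes, policy
from email.message import EmailMessage
from pathlib import PurePosixPath

# Shell Link (.lnk) header: HeaderSize 0x4C followed by the LinkCLSID.
LNK_MAGIC = bytes.fromhex("4c0000000114020000000000c000000000000046")
# Assumed list of document/image extensions a lure might imitate.
DECOY_EXTS = {".jpg", ".jpeg", ".png", ".doc", ".docx", ".pdf", ".hwp"}

def kind(name, data):
    """Classify an attachment by content first, file name second."""
    if data.startswith(LNK_MAGIC) or name.lower().endswith(".lnk"):
        return "lnk"
    if data.startswith(b"MZ") or name.lower().endswith(".exe"):
        return "exe"
    return "other"

def review_message(raw):
    """Return a list of findings for one raw RFC 5322 message."""
    msg = message_from_bytes(raw, policy=policy.default)
    findings, kinds = [], set()
    for part in msg.iter_attachments():
        name = part.get_filename() or ""
        data = part.get_payload(decode=True) or b""
        k = kind(name, data)
        kinds.add(k)
        suffixes = [s.lower() for s in PurePosixPath(name).suffixes]
        if k == "lnk" and (not suffixes or suffixes[-1] != ".lnk"):
            findings.append(f"shortcut content under another name: {name}")
        elif k == "lnk" and len(suffixes) > 1 and suffixes[-2] in DECOY_EXTS:
            findings.append(f"shortcut with decoy extension: {name}")
        elif k == "lnk":
            findings.append(f"shortcut attachment: {name}")
    if {"lnk", "exe"} <= kinds:
        findings.append("shortcut and executable in the same message")
    return findings

def sample_message():
    """Constructed message: header-only stand-ins, no real payloads."""
    m = EmailMessage()
    m["Subject"] = "Application for nurse opening"
    m.set_content("Please find my resume attached.")
    m.add_attachment(LNK_MAGIC + b"\0" * 56, maintype="application",
                     subtype="octet-stream", filename="resume.jpg.lnk")
    m.add_attachment(b"MZ" + b"\0" * 62, maintype="application",
                     subtype="octet-stream", filename="form.exe")
    return m.as_bytes()

if __name__ == "__main__":
    print("\n".join(review_message(sample_message())))
```

Windows hides the .lnk extension in Explorer, so a rule keyed on what the recipient sees will miss these files; checking the header bytes also catches a shortcut that has been renamed.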
Hackers are targeting not only hospitals but also companies to spread mining malware. Most attacks are spear phishing emails made to look like job applications during the recruitment season. There are also attacks using social engineering themes such as used-goods sales and shipping deliveries.
The hackers included an anti-virtual-machine function to hinder analysis of the malicious code. Once a computer is infected with the malware, it starts mining Monero using a particular decryption routine. Infected computers become much slower because of a lack of system resources.
The mining malware targets the cryptocurrency Monero. Monero guarantees anonymity since it is untraceable compared to other virtual currencies, including bitcoin. When a person receives bitcoin, they can see who the sender is through a key. When transactions are made with Monero, the details are mixed together within specific groups, making it hard to figure out who sent the assets. The Shadow Brokers, a hacker group that claimed to have hacked into the U.S. National Security Agency (NSA), took its monthly fee in Monero when it launched a service publishing its hacking data every month.
An official from ESTsecurity said, “As the price of digital currencies has recently increased, hackers who spread ransomware seem to have turned their eyes to mining malware. As there are fewer people who are willing to pay money even when their computers are infected with ransomware, more and more hackers are seeking to spread mining malware that consumes PC resources.”