Monero cryptomining bugs infest Microsoft Windows machines

Don Sharpe
by Don Sharpe
Author
0 Comments
Download PDF
Affiliate Disclosure

  • Cybersecurity firm Red Canary observed Monero cryptomining bugs infesting Windows machines at multiple organizations.
  • You can protect your Windows PC by patching or installing a cryptomining blocker.
  • Visit the Security & Privacy page to learn more about securing your machine.
  • For extensive coverage of Windows 10 news and troubleshooting guides, check out our Windows 10 hub.
Monero cryptominers

Cybersecurity firm Red Canary reported Monero cryptomining bugs that attacked Windows machines at multiple organizations. It has given the name Blue Mockingbird to this type of malware activity it has been following for some time.

Cryptomining is a growing but an unstable sector. According to Statista, it generated $5 billion in revenue between 2010 and 2019.

The Blue Mockingbird Monero cryptomining payloads

The science of cryptomining is costly and computing resource-intensive, making it unattractive to many folks. But malicious actors have found a shortcut to making cryptomining money without having to buy powerful computers.

They illegally deploy cryptomining payloads on the computers of unsuspecting users to take advantage of the free processing power. That is the same reason hackers are delivering Monero cryptominers on Windows PCs.

In the incidents that Red Canary reported, the hackers launched multi-level attacks from numerous fronts to deliver the miners on Windows systems.

The bad actors would start by breaching web-facing applications. It appears they were taking advantage of Telerik UI vulnerabilities in ASP.NET apps.

After breached a targeted system, they would persistently launch multiple attacks using different techniques to deliver their malware.

We’ve observed involving Monero cryptocurrency-mining payloads in dynamic-link library (DLL) form on Windows systems. They achieve initial access by exploiting public-facing web applications, specifically those that use Telerik UI for ASP.NET, followed by execution and persistence using multiple techniques.

Such actors have used proxying software for this purpose before. Also, they have worked with multiple types of reverse shell payloads to breach external systems.

According to Red Canary, the Telerik UI exploit in question, CVE-2019-18935, has been around for some time. That also means it is not going away anytime soon.

Therefore, you may want to patch your Windows systems right away before you are targeted for the next Monero cryptomining attack. That is very imperative especially if your organization uses any web-facing applications.

Alternatively, install a cryptomining blocker on your Windows 10 PC.

We’re on call to respond to any questions or suggestions. Feel free to share yours by writing us a message in the comments section below.