How did a regular feature become a security nightmare?
F.A.C.C.T. experts have discovered a non-standard method of distributing the Xmrig malware. The attackers used the automatic replies feature on email inboxes to deliver a miner designed for discreet cryptocurrency mining.
Attacks using this scheme began at the end of May and were aimed at large Russian online platforms, retail chains, marketplaces, as well as companies from the insurance and financial sectors. Hacked email accounts were used to send malicious autoreply messages. According to analysts, about 150 such malicious emails have been recorded since the end of May.
All emails were sent using the standard mail autoresponder feature, which automatically forwards prepared messages to incoming emails. Inside the email was a link to a cloud service where an archive with the malicious Xmrig miner was stored.
Analysis of the email addresses showed that they had previously been used for legitimate purposes, but after being compromised they were drawn into the attack. Attackers could have gained access to these accounts through databases that had leaked online. These databases contain both plaintext credentials and hashed passwords that can be cracked using rainbow table techniques.
The analysis also showed that many users of compromised mailboxes used the same passwords in different services, which greatly simplified the task of attackers.
In the first half of 2024, data from 150 databases of Russian companies became publicly available. More than 200.5 million lines of data were collected in these leaks, including names, addresses, passwords, dates of birth, passport data, and phone numbers. About 30% of leaks affected companies specializing in online retail. Among the users whose mailboxes were compromised were both individuals and representatives of various companies, including arbitration managers, small trading companies, construction firms and farms.
The malicious emails contained a link to an archive in the cloud service where the Xmrig miner was hosted. Xmrig is a cross-platform cryptocurrency mining software that is compatible with graphics cards from AMD and Nvidia. It supports several popular algorithms for cryptocurrency mining and is most commonly used to mine the Monero coin. Attackers often use it to make additional money during attacks.
To conceal their actions, the attackers attached a fake scan of the invoice for equipment to the letters, which was not related to the content of the letter. This increased the likelihood that both companies and ordinary users interacting with compromised mailboxes could become victims.
Experts warn that this method of distributing malware is dangerous because the victim initiates communication himself, waiting for a response letter. This is fundamentally different from mass mailings, which are often ignored by recipients.
To protect themselves, users are advised to follow the rules of digital hygiene: use complex and unique passwords, do not save them in the browser, avoid using unlicensed software and do not click on dubious links. It is also important not to enter your data on suspicious sites and not to authenticate through messengers, especially in the case of suspicious requests or winnings.
Companies are advised to regularly train employees on information security issues, implement multi-factor authentication, and monitor compromised accounts.
Source
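A detection sketch for the lure described above, added here as an example (it is not code from the post or from F.A.C.C.T.): it parses raw messages with the Python standard library, decides whether a message is autoresponder output (the RFC 3834 Auto-Submitted header, the common non-standard X-Autoreply / X-Autorespond headers, or an "Automatic reply" / "out of office" subject), and flags only the combination the campaign relied on, an auto-reply whose body links to an archive or to a watched file-hosting domain. The hosts in CLOUD_HOSTS and the three sample messages are constructed for illustration; the report does not name the cloud service that hosted the archive.

```python
"""Triage inbound mail for auto-replies carrying links to hosted archives.

Added example, not code from the post or from F.A.C.C.T. Watched hosts and
sample messages below are constructed for illustration.
"""
import email
import re
from email import policy
from email.message import EmailMessage
from urllib.parse import urlsplit

# Assumption: illustrative file-hosting domains to watch; the post does not
# name the real cloud service used in the campaign.
CLOUD_HOSTS = {"disk.example", "cloud.example"}
ARCHIVE_EXT = re.compile(r"\.(zip|rar|7z|tar\.gz|tgz)$", re.IGNORECASE)
URL_RE = re.compile(r"https?://[^\s<>\"']+")


def is_auto_reply(msg: EmailMessage) -> bool:
    """Detect autoresponder output.

    RFC 3834 requires automatic responses to carry Auto-Submitted with a
    value other than "no". X-Autoreply / X-Autorespond are widespread
    non-standard markers; some clients only reveal themselves in the subject.
    """
    auto_submitted = (msg.get("Auto-Submitted") or "").strip().lower()
    if auto_submitted and auto_submitted != "no":
        return True
    if msg.get("X-Autoreply") or msg.get("X-Autorespond"):
        return True
    subject = (msg.get("Subject") or "").lower()
    return subject.startswith("automatic reply") or "out of office" in subject


def body_text(msg: EmailMessage) -> str:
    """Concatenate text/plain and text/html bodies, skipping attachments."""
    if not msg.is_multipart():
        return msg.get_content() if msg.get_content_maintype() == "text" else ""
    chunks = []
    for part in msg.walk():
        if part.get_content_maintype() == "text" and not part.is_attachment():
            chunks.append(part.get_content())
    return "\n".join(chunks)


def suspicious_links(text: str) -> list:
    """Return URLs pointing at a watched file host or at an archive file."""
    hits = []
    for url in URL_RE.findall(text):
        url = url.rstrip(".,;:)")  # drop trailing sentence punctuation
        parts = urlsplit(url)
        host = (parts.hostname or "").lower()
        if host in CLOUD_HOSTS or ARCHIVE_EXT.search(parts.path):
            hits.append(url)
    return hits


def triage(raw_message: str) -> dict:
    """Flag a message only when it is an auto-reply AND carries a risky link.

    A bare auto-reply is normal and a human reply with a cloud link is
    normal; the combination is what the campaign in the post looks like.
    """
    msg = email.message_from_string(raw_message, policy=policy.default)
    auto = is_auto_reply(msg)
    links = suspicious_links(body_text(msg)) if auto else []
    return {
        "from": str(msg.get("From") or ""),
        "auto_reply": auto,
        "links": links,
        "flag": auto and bool(links),
    }


# Constructed sample messages (not real captures).
MALICIOUS_AUTOREPLY = """\
From: accounting@compromised-shop.example
To: buyer@partner.example
Subject: Automatic reply: Invoice request
Auto-Submitted: auto-replied
In-Reply-To: <20240530-1@partner.example>
Content-Type: text/plain; charset="utf-8"

Good afternoon. The scan of the invoice for the equipment is available here:
https://disk.example/d/invoice_scan_2024.zip.
"""

BENIGN_AUTOREPLY = """\
From: sales@partner.example
To: buyer@partner.example
Subject: Automatic reply: Price list
Auto-Submitted: auto-replied
Content-Type: text/plain; charset="utf-8"

I am out of the office until 10 June and will answer on my return.
"""

HUMAN_REPLY = """\
From: manager@partner.example
To: buyer@other.example
Subject: Re: Invoice request
In-Reply-To: <20240530-2@other.example>
Content-Type: text/plain; charset="utf-8"

The current price list is on our shared drive:
https://cloud.example/s/pricelist-2024
"""

if __name__ == "__main__":
    for raw in (MALICIOUS_AUTOREPLY, BENIGN_AUTOREPLY, HUMAN_REPLY):
        print(triage(raw))
```

Run it against raw messages pulled from a gateway quarantine or a journaling mailbox; in a real deployment the CLOUD_HOSTS set would be the file-sharing domains your organisation does not use, and a hit should trigger a check of the sending account for an autoresponder the owner did not configure.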