cryptocurrency mining

Tech Optimizer
April 2, 2025
Over 1,500 PostgreSQL instances exposed to the internet have been targeted by a cryptocurrency mining malware campaign called JINX-0126. Attackers exploit weak credentials to access PostgreSQL servers and use the "COPY ... FROM PROGRAM" SQL command for arbitrary command execution. They deploy a shell script to terminate existing cryptominers and deliver the pg_core binary. A Golang binary, disguised as the PostgreSQL multi-user database server, is then downloaded to establish persistence and escalate privileges, leading to the execution of the latest XMRig cryptominer variant. JINX-0126 employs advanced tactics, including unique hashes for its binaries and fileless execution of the miner payload, to evade detection by cloud workload protection platforms.
Winsage
March 6, 2025
A malware campaign has emerged that exploits the popularity of Windows Packet Divert drivers. The SilentCryptoMiner malware, disguised as legitimate tools, has affected over 2,000 victims in Russia. Cybercriminals manipulate YouTubers into sharing malicious links; one YouTuber with 60,000 subscribers drew over 400,000 views on infected videos. Compromised files were hosted on gitrok[.]com, with over 40,000 downloads. Attackers issue copyright strikes to content creators, threatening channel shutdowns, in order to propagate the malware. The infection begins with a modified script that launches an executable via PowerShell; a Python-built loader then fetches the payload. SilentCryptoMiner, based on XMRig, mines various cryptocurrencies stealthily, employing techniques to evade detection and dynamically adjust its behavior. This campaign highlights the evolving tactics of cybercriminals, who leverage demand for bypass tools to distribute malware. Users are advised to be cautious when downloading tools from untrusted sources.
TrendTechie
February 19, 2025
A campaign known as StaryDobry, identified by Kaspersky Lab, began on the last day of 2024, targeting users of popular torrent trackers during the holiday season. The attack affected users globally, particularly in Russia, Belarus, Kazakhstan, Germany, and Brazil. Cybercriminals distributed trojanized versions of popular games like BeamNG.drive and Garry’s Mod, which contained hidden cryptocurrency mining software. The malware used in this campaign included XMRig, designed for mining Monero (XMR) without user consent. The installation process involved multiple layers of evasion, including checking for debugging tools and system parameters. The malware extracted files using RAR libraries, sent system fingerprints to a command server, and launched a loader that disguised itself as system files. XMRig operated in the background, utilizing the victim's CPU for mining while avoiding detection by terminating itself if analysis tools were present. The attack poses risks not only to individual users but also to corporate systems through compromised devices. No information is available about the attackers behind this campaign.
Winsage
November 8, 2024
Researchers have identified a new threat campaign called SteelFox, which uses counterfeit software activators and cracks to infiltrate Windows systems. The campaign deploys a vulnerable driver, information-stealing malware, and a cryptocurrency miner, compromising sensitive data and exploiting system resources for illicit mining. Victims are reported globally, including regions from Brazil to China, affecting users of commercial software like Foxit PDF Editor, JetBrains, and AutoCAD. Cybercriminals continue to advertise these fake software solutions, increasing the potential for further infections.
Tech Optimizer
October 13, 2024
Recent findings highlight significant weaknesses in PostgreSQL deployments caused by misconfigurations that can enable unauthorized shell command execution on the host operating system. The COPY SQL command, combined with the pg_execute_server_program role, makes this possible, especially when PostgreSQL services are exposed via Kubernetes ingress. PostgreSQL is the third most targeted application among Google customers, with weak passwords being a common vector for initial access in 41% of observed compromises. Misconfigured instances, particularly manual deployments, often lack proper authentication controls, user roles, and permissions. The use of “trust” authentication allows users from any IP to connect without a password, potentially granting superuser privileges. Attackers can exploit this to execute malicious commands, such as downloading cryptocurrency mining software. CrowdStrike's Falcon platform provides protection against threats targeting PostgreSQL by detecting and preventing malicious activities. Best practices for securing PostgreSQL include using strong passwords, securing configuration files, enabling SSL/TLS, auditing user roles, and adopting a Zero Trust approach to access control.
Tech Optimizer
August 26, 2024
PG_MEM malware poses a significant security threat to over 800,000 PostgreSQL databases protected by weak passwords, enabling unauthorized cryptocurrency mining. Attackers use brute-force techniques to guess database credentials, establish a superuser role for continued access, and gather system information to download cryptomining software and other malicious payloads. They modify system configuration files, create cron jobs for persistence, and relocate logs to evade detection. Recommendations for organizations include strengthening threat monitoring and authentication protocols, implementing advanced threat detection tools, and isolating databases from broader network access.
Tech Optimizer
August 24, 2024
A new strain of malware, PG_MEM, is targeting internet-connected devices running PostgreSQL and is capable of infecting around 800,000 databases, primarily in the United States and Poland. It exploits weak passwords to gain unauthorized access, installs files to commandeer database resources for cryptocurrency mining, and evades detection. Attackers use brute-force methods to guess passwords, highlighting weaknesses in password management. Many organizations expose their PostgreSQL databases to the internet due to misconfigurations and inadequate identity controls. The first half of 2024 saw a 400% increase in such cryptojacking attacks, indicating a growing trend of exploiting database weaknesses.