Security Week 10: where to hide the miner and a brief digression into darknet marketing
News 1, News 2
Lovers of free cryptocurrency, it seems, amicably puzzled by the question of where to hide the miner so that they would not find it any longer. As you know, where everything banal has already been tried, opens up scope for creativity. So, some craftsmen found a source of inspiration in the beautiful face of the Hollywood star Scarlett Johansson.
Monero hunters entered the miner code directly into the star's photo in PNG format. This allowed the fraudsters not only to express themselves, but also to use imagehousing.com legal photo hosting to store the malware. And at the same time to deceive a part of antiviruses.
The target for attack by cybercriminals was PostgreSQL database servers. Before deploying mining on the server, legible fans of Johansson explored the computing power in order not to mine anywhere (or rather, where it is not profitable).
After making sure that the server is suitable, fraudsters uploaded a picture from the photo hosting service to it, and then extracted malicious code from it using the standard Linux dd utility. Next, the file was given full rights, and at startup it created the actual getter program.
When the campaign was discovered, this particular work of art was removed from the hosting, but no one knows how many more muddy photos contain the same (or different) code.
The authors of another Monero miner have found a way to conveniently hide their brainchild, one might say, on the surface. Cryptocurrency hunters decided to use GitHub to store the installer. Where else to hide malicious code, if not among other code?
For greater reliability, cryptocurrency hunters created a lot of forks of projects that are in the public domain, and the installer was placed in each: indeed, a lot - not a little. At the same time, they did not begin to originalize in the spread of the malware by choosing fake Adobe Flash Player updates that were time-tested.
In response to an attempt to cleanse GitHub from infection, the criminals used the tactics of the Lernean hydra: while some infected pages were deleted, the miner appeared on others. As the greats said, the key to success is the ability to go to one’s goal, regardless of failures.
News
But the cybercriminal is not fed up with miners alone. Since the beginning of the year, at least three campaigns involving the Qrypter Trojan have been recorded, the authors of which prefer leasing their software to independent attacks. So to say, Malware-as-a-Service. Moreover, like the rest of the heroes of our collection, they approach the matter with the soul.
Malicious dealers have relied on active marketing: they advertise their brainchild, offer favorable rates to those who wish to resell it, and provide user support through the Black & White Guys forum.
Among the advantages of the Trojan, colorfully painted by the authors, are remote control over the infected device, including access to webcams, unlimited manipulation of files and programs, and the ability to control the task manager. In addition, the malware monitors the firewalls and antiviruses running on the computer.
However, advertising their services, they were not limited to descriptions of the merits of the “product”. To finally convince potential customers of the exclusivity of their program, craftsmen demonstrate the shortcomings of competing solutions. And not in theory, but in practice: developers periodically upload hacked versions of other trojans to the darknet.
So the malware owners not only spread their malware, but also provide an opportunity for completely unauthorized attackers to use the achievements of their competitors. Enchanting nursery of infection.
Yanshort Family The
viruses in the family routinely infect EXE files in all directories of the current drive. Not dangerous. The infected files contain the line “motherfucker”, by which the virus distinguishes between infected and uninfected files. The Yanshort-1961 virus manifests itself by playing the Yankee Doodle Dandy melody when an infected program is launched. Under certain conditions, programs affected by the Yanshort-1624 virus freeze upon startup.
Disclaimer: This column reflects only the private opinion of its author. It may coincide with the position of Kaspersky Lab, or it may not coincide. Here it’s how lucky.

Monero hunters entered the miner code directly into the star's photo in PNG format. This allowed the fraudsters not only to express themselves, but also to use imagehousing.com legal photo hosting to store the malware. And at the same time to deceive a part of antiviruses.
The target for attack by cybercriminals was PostgreSQL database servers. Before deploying mining on the server, legible fans of Johansson explored the computing power in order not to mine anywhere (or rather, where it is not profitable).
After making sure that the server is suitable, fraudsters uploaded a picture from the photo hosting service to it, and then extracted malicious code from it using the standard Linux dd utility. Next, the file was given full rights, and at startup it created the actual getter program.
When the campaign was discovered, this particular work of art was removed from the hosting, but no one knows how many more muddy photos contain the same (or different) code.
The authors of another Monero miner have found a way to conveniently hide their brainchild, one might say, on the surface. Cryptocurrency hunters decided to use GitHub to store the installer. Where else to hide malicious code, if not among other code?
For greater reliability, cryptocurrency hunters created a lot of forks of projects that are in the public domain, and the installer was placed in each: indeed, a lot - not a little. At the same time, they did not begin to originalize in the spread of the malware by choosing fake Adobe Flash Player updates that were time-tested.
In response to an attempt to cleanse GitHub from infection, the criminals used the tactics of the Lernean hydra: while some infected pages were deleted, the miner appeared on others. As the greats said, the key to success is the ability to go to one’s goal, regardless of failures.
Black Marketing Among Cybercriminals
News
But the cybercriminal is not fed up with miners alone. Since the beginning of the year, at least three campaigns involving the Qrypter Trojan have been recorded, the authors of which prefer leasing their software to independent attacks. So to say, Malware-as-a-Service. Moreover, like the rest of the heroes of our collection, they approach the matter with the soul.
Malicious dealers have relied on active marketing: they advertise their brainchild, offer favorable rates to those who wish to resell it, and provide user support through the Black & White Guys forum.
Among the advantages of the Trojan, colorfully painted by the authors, are remote control over the infected device, including access to webcams, unlimited manipulation of files and programs, and the ability to control the task manager. In addition, the malware monitors the firewalls and antiviruses running on the computer.
However, advertising their services, they were not limited to descriptions of the merits of the “product”. To finally convince potential customers of the exclusivity of their program, craftsmen demonstrate the shortcomings of competing solutions. And not in theory, but in practice: developers periodically upload hacked versions of other trojans to the darknet.
So the malware owners not only spread their malware, but also provide an opportunity for completely unauthorized attackers to use the achievements of their competitors. Enchanting nursery of infection.
Antiquities
Yanshort Family The

Disclaimer: This column reflects only the private opinion of its author. It may coincide with the position of Kaspersky Lab, or it may not coincide. Here it’s how lucky.