Thursday, May 15, 2025
HomeCryptocurrency hackA Group Behind the VenusLocker Ransomware Switch into Secretly Mining Monero Cryptocurrency

A Group Behind the VenusLocker Ransomware Switch into Secretly Mining Monero Cryptocurrency

Published on

SIEM as a Service

Follow Us on Google News

A new malware attack distributing to mine Monero cryptocurrency by the group Behind the VenusLocker Ransomware.

VenusLocker Ransomware discovered in mid of this year which encrypts user files, renames them and changes their extensions to .Venusf or .Venusp.

The virus creators require a $100, $500 or another amount to be paid in BitCoin in order to recover the files and this ransomware creator.

- Advertisement - Google News

Monero Cryptocurrency launched April of 2014 that is currently trading at around $400 USD. one of this malware distribution occurred email and specifically targetting the South Korean users.

Also Read: Bitcoin Exchange YouBit Shutdowns after being Hacked Second Time this Year

How does this Malware Mining Monero Cryptocurrency

Initially distributing through spam email that delivering to target users via social engineering attacks and one of the discovered email spam falsely claims that the recipient’s information from their website has been leaked due to a website hack.

Email content force users to click and open the email attachment by intimating urgency notification that the recipient’s website is legally liable for images being abused.

EGG archive format which is uncommon for malware distribution that used for comprising the email and also the format of the email using an additional layer of evasion technique.

According to Fortinet, EGG archive contains the actual miner malware with hidden file attribute along with several shortcut files, all pointing to the said malware.

The file format of icons and file extensions disguised as images and documents to trick users to show off as a legitimate one but it actually pointed to the malware.

This same functionality has been used by  VenusLocker and it was confirmed by taking a closer look at the shortcut files’ metadata and indication proved that this malware directly related to VenusLocker  ransomware.

the miner is executed as a remote thread under the legitimate Windows component wuapp.exe. Once the malware is executed, an embedded binary of the  Monero cryptocurrency CPU miner XMRig v2.4.2 is executed.

Injected XMRig CPU miner in wuapp.exe memory

“As a simple process persistence mechanism, if the miner is terminated (in this case wuapp.exe), the parent process (pope.exe in the screenshot), acting like a watchdog, simply executes it again. So in order to effectively terminate the malware, the parent process must first be terminated.” Fortinet said.

Balaji
Balaji
BALAJI is an Ex-Security Researcher (Threat Research Labs) at Comodo Cybersecurity. Editor-in-Chief & Co-Founder - Cyber Security News & GBHackers On Security.

Latest articles

Critical BitLocker Flaw Exploited in Minutes: Bitpixie Vulnerability Proof of Concept Unveiled

Security researchers have demonstrated a non-invasive method to bypass Microsoft BitLocker encryption on Windows...

Google Chrome Zero-Day Vulnerability (CVE-2025-4664) Actively Exploited in The Wild

Google has rolled out a fresh Stable Channel update for the Chrome browser across...

Threat Actors Leverage Weaponized HTML Files to Deliver Horabot Malware

A recent discovery by FortiGuard Labs has unveiled a cunning phishing campaign orchestrated by...

TA406 Hackers Target Government Entities to Steal Login Credentials

The North Korean state-sponsored threat actor TA406, also tracked as Opal Sleet and Konni,...

Resilience at Scale

Why Application Security is Non-Negotiable

The resilience of your digital infrastructure directly impacts your ability to scale. And yet, application security remains a critical weak link for most organizations.

Application Security is no longer just a defensive play—it’s the cornerstone of cyber resilience and sustainable growth. In this webinar, Karthik Krishnamoorthy (CTO of Indusface) and Phani Deepak Akella (VP of Marketing – Indusface), will share how AI-powered application security can help organizations build resilience by

Discussion points


Protecting at internet scale using AI and behavioral-based DDoS & bot mitigation.
Autonomously discovering external assets and remediating vulnerabilities within 72 hours, enabling secure, confident scaling.
Ensuring 100% application availability through platforms architected for failure resilience.
Eliminating silos with real-time correlation between attack surface and active threats for rapid, accurate mitigation

More like this

Ransomware Attacks Surge by 123% Amid Evolving Tactics and Strategies

The 2025 Third-Party Breach Report from Black Kite highlights a staggering 123% surge in...

Cybercriminals Hide Undetectable Ransomware Inside JPG Images

A chilling new ransomware attack method has emerged, with hackers exploiting innocuous JPEG image...

New Mamona Ransomware Targets Windows Systems Using Abused Ping Command

Cybersecurity researchers are raising the alarm about a newly discovered commodity ransomware strain dubbed Mamona,...