Saturday, January 25, 2025
HomeCryptocurrency hackA Group Behind the VenusLocker Ransomware Switch into Secretly Mining Monero Cryptocurrency

A Group Behind the VenusLocker Ransomware Switch into Secretly Mining Monero Cryptocurrency

Published on

SIEM as a Service

Follow Us on Google News

A new malware attack distributing to mine Monero cryptocurrency by the group Behind the VenusLocker Ransomware.

VenusLocker Ransomware discovered in mid of this year which encrypts user files, renames them and changes their extensions to .Venusf or .Venusp.

The virus creators require a $100, $500 or another amount to be paid in BitCoin in order to recover the files and this ransomware creator.

Monero Cryptocurrency launched April of 2014 that is currently trading at around $400 USD. one of this malware distribution occurred email and specifically targetting the South Korean users.

Also Read: Bitcoin Exchange YouBit Shutdowns after being Hacked Second Time this Year

How does this Malware Mining Monero Cryptocurrency

Initially distributing through spam email that delivering to target users via social engineering attacks and one of the discovered email spam falsely claims that the recipient’s information from their website has been leaked due to a website hack.

Email content force users to click and open the email attachment by intimating urgency notification that the recipient’s website is legally liable for images being abused.

EGG archive format which is uncommon for malware distribution that used for comprising the email and also the format of the email using an additional layer of evasion technique.

According to Fortinet, EGG archive contains the actual miner malware with hidden file attribute along with several shortcut files, all pointing to the said malware.

The file format of icons and file extensions disguised as images and documents to trick users to show off as a legitimate one but it actually pointed to the malware.

This same functionality has been used by  VenusLocker and it was confirmed by taking a closer look at the shortcut files’ metadata and indication proved that this malware directly related to VenusLocker  ransomware.

the miner is executed as a remote thread under the legitimate Windows component wuapp.exe. Once the malware is executed, an embedded binary of the  Monero cryptocurrency CPU miner XMRig v2.4.2 is executed.

Injected XMRig CPU miner in wuapp.exe memory

“As a simple process persistence mechanism, if the miner is terminated (in this case wuapp.exe), the parent process (pope.exe in the screenshot), acting like a watchdog, simply executes it again. So in order to effectively terminate the malware, the parent process must first be terminated.” Fortinet said.

Balaji
Balaji
BALAJI is an Ex-Security Researcher (Threat Research Labs) at Comodo Cybersecurity. Editor-in-Chief & Co-Founder - Cyber Security News & GBHackers On Security.

Latest articles

Subaru’s STARLINK Connected Car’s Vulnerability Let Attackers Gain Restricted Access

In a groundbreaking discovery on November 20, 2024, cybersecurity researchers Shubham Shah and a...

Android Kiosk Tablets Vulnerability Let Attackers Control AC & Lights

A security flaw found in Android-based kiosk tablets at luxury hotels has exposed a...

CISA Releases Six ICS Advisories Details Security Issues

The U.S. Cybersecurity and Infrastructure Security Agency (CISA) issued six Industrial Control Systems (ICS)...

Juniper Routers Exploited via Magic Packet Vulnerability to Deploy Custom Backdoor

A sophisticated cyber campaign dubbed "J-magic" has been discovered targeting enterprise-grade Juniper routers with...

API Security Webinar

Free Webinar - DevSecOps Hacks

By embedding security into your CI/CD workflows, you can shift left, streamline your DevSecOps processes, and release secure applications faster—all while saving time and resources.

In this webinar, join Phani Deepak Akella ( VP of Marketing ) and Karthik Krishnamoorthy (CTO), Indusface as they explores best practices for integrating application security into your CI/CD workflows using tools like Jenkins and Jira.

Discussion points

Automate security scans as part of the CI/CD pipeline.
Get real-time, actionable insights into vulnerabilities.
Prioritize and track fixes directly in Jira, enhancing collaboration.
Reduce risks and costs by addressing vulnerabilities pre-production.

More like this

HellCat and Morpheus Ransomware Share Identical Payloads for Attacks

The cybersecurity landscape witnessed a surge in ransomware activity during the latter half of...

BASHE Ransomware Allegedly Leaked ICICI Bank Customers Data

A major cyber threat looms over Indian financial giant ICICI Bank as the notorious...

North Korean IT Workers Steal Companies Source Codes to Demand Ransomware

The Federal Bureau of Investigation (FBI) has issued fresh warnings about malicious activities by...