Hackers deliver popular crypto-miner through malicious email auto replies, researchers say
Cybercriminals compromised email accounts and set up seemingly innocuous automatic replies that contained links to cryptocurrency mining malware, according to a new report.
Researchers from Russian cybersecurity firm F.A.C.C.T. said the novel tactic was used to deliver the Xmrig crypto-miner to workers at Russian tech companies, retail marketplaces, insurance firms and financial businesses. F.A.C.C.T. said it has identified about 150 emails containing Xmrig since the end of May.
“This method of malware delivery is dangerous because the potential victim initiates communication first," said Dmitry Eremenko, senior analyst at F.A.C.C.T. "This is the main difference from traditional mass mailings, where the recipient often receives an irrelevant email and ignores it.”
Emails sent through auto replies would likely not arouse particular suspicion even if they do not look convincing, Eremenko added.
Xmrig is an open-source cryptocurrency mining software primarily used for mining Monero (XMR). Hackers have consistently devised new methods to deliver Xmrig to victims’ devices — in one campaign, they used pirated versions of the video editing software Final Cut Pro to install the crypto-miner on Apple computers.
F.A.C.C.T. did not provide details on whether the latest attacks were successful and who was behind them.
But the researchers did say that the compromised email accounts had all previously had their credentials leaked on the darknet, along with some personal data. Compromised accounts included ones linked to small trading firms, construction companies, a furniture factory and a farm.
Daryna Antoniuk
is a reporter for Recorded Future News based in Ukraine. She writes about cybersecurity startups, cyberattacks in Eastern Europe and the state of the cyberwar between Ukraine and Russia. She previously was a tech reporter for Forbes Ukraine. Her work has also been published at Sifted, The Kyiv Independent and The Kyiv Post.