Hidden mining Trojans are making a comeback. How can we avoid becoming a hacker’s “mining machine” or ATM?

Original title: "Phishing scams and hidden mining Trojans are making a comeback. Don't become a mining machine or ATM for hackers."

When you are playing "Grand Theft Auto 5" comfortably on your computer, can you imagine that your computer is being controlled by a Trojan program, "mining" for a technology company thousands of miles away and earning cryptocurrency for them?

When you are browsing the web, have you ever noticed an ad page popping up on the website - "Musk's Crypto Airdrop"? Can you imagine that if you click on the ad, the cryptocurrency assets in your wallet may be stolen in an instant?

No, this is not a fantasy, this is real. The former is called "hidden mining Trojan" and the latter is called "phishing scam".

Hidden mining trojan

In 2018, Chinese public security authorities uncovered a mining Trojan case involving millions of computers.

The "PlayerUnknown's Battlegrounds" game, commonly known as "Chicken Eating", has become popular on the Internet and a favorite of many gamers. In order to be "invincible" in the game, many players use plug-in programs for this game, which give them more abilities, such as "auto-aim", "perspective", "bullet acceleration", etc. Most of these plug-ins are claimed to be free, but in fact they are memory scams.

On December 20, Tencent's Guardian Program security team discovered that a plug-in called "Chicken Eating Mini Program" in the "PlayerUnknown's Battlegrounds" game contained a Trojan program with the function of silent background mining. Preliminary statistics show that the Trojan program has infected hundreds of thousands of user machines.

Afterwards, the clues were handed over to the Weifang Public Security Bureau's Cyber ​​Security Brigade for investigation. After continuous investigation by the public security organs, it was found that the "mining Trojan" was actually a regular Internet company.

The cause of the incident was that since 2014, mainstream cryptocurrencies represented by Bitcoin have become popular, resulting in the emergence of numerous cryptocurrencies. Seeing this "trend", Dalian Shengping Network Technology Co., Ltd. has been recruiting agents across the country since 2015 to promote software clients bundled with mining Trojans. Once the client is implanted in the computer host, it will silently download mining monitoring software and mining programs to run, and the mined coins will be transferred to the cryptocurrency wallet of the company's controller He.

He explained:

“Once a Trojan is implanted in a host, as long as the host is turned on, its monitoring software will analyze the CPU utilization of the computer. Once it is below 50%, the ‘mining’ program will be started to ‘mine’. If the CPU utilization is high, the ‘mining’ will be stopped to prevent detection.”

According to statistics, since 2015, He and others have illegally controlled 3.89 million computer hosts to generate advertising value-added income, and silently installed mining programs on more than 1 million computer hosts. In the past three years, they have mined more than 26 million DGB coins ("DGB"), DCR coins ("Desay Coin"), and SC coins ("Cloud Coin"), making an illegal profit of more than 15 million yuan.

The police officers in charge of the case said that criminals usually conduct advance research on cryptocurrencies on the market that are less difficult to mine, illegally control users' computer hosts, implant mining programs for these cryptocurrencies to mine, and quickly cash out after mining a large amount of coins to make huge profits. User computers that have been implanted with mining Trojans will have their graphics cards, motherboards, memory and other hardware scrapped prematurely if they often run at high load for a long time, seriously damaging the rights and interests of Internet users.

Hidden mining Trojans are spreading again

Not long ago, Internet security company Avast released its latest research report, saying that it has detected as many as 11 pirated well-known game titles that contain malicious mining software that steals computer resources. When users unknowingly download and install these free pirated game software distributed by forums and unofficial platforms, the device will automatically be implanted with a malicious software launcher called "Crackonosh", which will use the user's computer computing resources to secretly mine the cryptocurrency "Monero". Not only can it cleverly bypass the detection and interception of security and antivirus software, but it will also make the computer device run slower and slower, and users may even have to pay huge electricity bills for it.

So far, according to Avast researchers' detection, over the past six months, a total of about 220,000 Windows PCs in more than 12 countries around the world have been infected by the Crackonosh malware.

As of May this year, thousands of computers were hacked every day. The cumulative value of Monero generated by mining is estimated to be as high as 2 million US dollars (about 12.91 million RMB). The affected countries and regions are mainly concentrated in North America, Brazil, India, the Philippines and Germany, especially in Brazil, India and the Philippines, where PC users' devices were most seriously infected by malicious software.

The 11 pirated free games infected with malicious mining software include: "NBA 2K19", "Jurassic World Evolution", "Grand Theft Auto V", "Far Cry 5", "The Sims 4" and "Fallout 4".

Phishing scams are rekindled

Recently, Avast released another research report. Since the beginning of this year, Avast's Threat Lab researchers have intercepted and protected users from an increase in encryption-related phishing sites, most of which impersonate legitimate custodial wallets. The rise of these sites is even higher in countries where cryptocurrency adoption is most common. The United States, Brazil, and Nigeria are the biggest targets of these encryption scams, and the United Kingdom, France, Russia, and India also have high levels of scams. In this study, Avast Threat Lab monitored 37 samples. The global heat map below shows where global users accessed encryption-related phishing in the first six months of 2021:

“The crypto market is booming right now,” said Peter Kovac, senior researcher at Avast. “Bitcoin got a boost following recent news from El Salvador that it will be recognized as legal tender in the country — with other countries in the region following suit.”

“This surge in Bitcoin is having a knock-on effect on the wider crypto space, with some analysts even predicting 2021 will be a record-breaking year for cryptocurrency. However, as it grows in popularity, it’s also become a more lucrative target for hackers – our researchers found that crypto-related scams are most prevalent in regions where cryptocurrencies are growing in popularity.”

How to avoid becoming someone else's "mining machine" and a hacker's ATM?

First, the best way to prevent hidden mining Trojans is to avoid it altogether by only downloading games and other software from official websites and stores. Users are advised to beware of illegal sources that offer free paid games and avoid unofficial vendors.

Try not to click on unknown links or files on the Internet; try not to connect to unknown networks or USB flash drives; try some special software such as MinerBlock, Anti-webminer and Adblock Plus, which can prevent the invasion of mining viruses. In addition, regularly backing up your computer is also very effective to reduce losses after various viruses are infected in your computer.

Early mining Trojans did not limit the consumption of system resources. When the mining Trojans were running, the computer's resource consumption would increase, the CPU usage would increase significantly, the computer would become hot, and the running speed would slow down. Restarting the computer could not solve the problem. These obvious symptoms made early mining Trojans easier for users to find and remove. After evolution, in order to avoid being discovered by users, mining Trojans have adjusted their mining behavior. When it detects that the CPU usage on the user's computer is high, it will automatically suspend mining. When the user's computer is idle, it will mine at full capacity. In this way, the evolved mining Trojans can survive on the user's computer for a longer time, making it difficult to find any abnormalities even if your computer has been infected. In this case, you can often only rely on antivirus software to check, alarm, and remove it.

If you can clearly feel that your computer is slow, you should immediately check the CPU usage, close any suspicious processes in time, and check whether there are any suspected unknown public key files. (such as /tmp/ddg/tmp/AnXq, /tmp/AnXqV)

Avast reminds users that phishing scams can appear in many forms online, ranging from “Elon Musk’s crypto giveaway” to “We’ll invest your money and earn XYZ% every month.” If it sounds too good to be true, it probably is.

Crypto owners should:

• Beware of unsolicited private messages: Whether on WhatsApp/Telegram or any other social media forum, people should immediately block any unsolicited messages that could be scams. For example, if a message comes from an unknown number, or if it comes from a contact but is unusual and could be an urgent message from that contact, the contact's phone could have been hacked. It is recommended to contact the contact, for example by phone, and verify that they really sent this message before taking any further action. Even if the message is not encryption related, the intention could be phishing and ultimately spying on the user's data.

• Beware of mobile phishing: Hackers are increasingly targeting mobile devices to steal cryptographic credentials. These attacks can come from anywhere on a mobile device, including text, social media, third-party messaging platforms, or email. In addition to phishing, malicious mobile apps are also on the rise, with hidden features that log keystrokes and monitor people's on-screen activity. To prevent mobile phishing attacks, users can use some cybersecurity software that offers anti-phishing features that can block dangerous websites on Android devices. Browser anti-phishing features are also available for Windows and Mac devices.

• Rely on services that use strong security measures: When choosing a custodian or software wallet, one should ensure that one chooses a provider that offers strong security measures, including two-factor authentication methods. For added security, there are also platforms that encourage users to set up separate passwords to log into the platform and make transfers. People who want complete confidentiality may choose a platform that does not require them to submit their ID, but these platforms usually offer poor security measures. Some platforms can offer this because they only allow trading in cryptocurrencies, not in fiat currencies such as the Euro or the US dollar, which is why they are not obliged to comply with anti-money laundering and know your customer (KYC) regulations.

• Install antivirus software: Cryptocurrency owners should ensure that all of their devices have strong antivirus protection. For example, many people have antivirus software installed on their PCs, but not on their mobile devices or tablets — which is why malicious mobile phishing and malware campaigns are so effective against hackers. Crypto accounts can be worth a lot of money, so it is critical for users to ensure they have strong internet security on any device that stores encrypted information or accesses accounts.