Cybercriminals Use Autonomous Email Responses to Install Crypto Mining Malware

The attackers aim to install the XMRig miner on victims’ devices.

Cybersecurity researchers have found that automated email responses are being used to break into systems and distribute crypto mining malware covertly.

According to a report by the threat intelligence firm Facct, hackers have been leveraging auto-reply emails from compromised accounts to target organizations in Russia, including companies, marketplaces, and financial institutions.

The attackers want to secretly mine digital assets by installing the XMRig miner on the victims’ devices.

150 Emails Containing XMRig Miner Identified

According to Facct’s investigation, about 150 emails carrying the XMRig miner have been identified since late May.

The company’s business email protection system blocked these malicious emails before they could reach its clients.

Dmitry Eremenko, a senior analyst at Facct, emphasized the particular risk this attack vector poses.

In contrast to conventional mass phishing campaigns, which recipients can simply ignore as suspicious, this technique preys on their expectation of a reply.

The victims are more likely to trust the auto-reply they receive because they initiated the exchange by sending an email, unaware that the account they contacted has been compromised.

“In this case, the recipient is more likely to interact with the malicious attachment even if the email does not seem convincing because of the established communication chain that may lower suspicion.”

Facct encourages organizations to strengthen their cybersecurity measures by giving employees regular training on best practices and current threats.

To defend against these kinds of attacks, the firm also recommends multi-factor authentication and strong passwords.

Hackers have used XMRig for similar purposes in the past.

Since 2020, XMRig, an open-source program made to mine the cryptocurrency Monero, has been included in numerous malicious campaigns.

In June 2020, malware known as “Lucifer” deployed XMRig by exploiting unpatched Windows vulnerabilities.

Later, in August 2020, a botnet known as “FritzFrog” distributed the cryptocurrency mining software by targeting millions of IP addresses, including those of financial and governmental institutions.

North Korean Hackers Use Malware to Steal Crypto Keys

Earlier this month, the FBI issued a warning about a sophisticated new Android malware called SpyAgent, discovered by McAfee, which is designed to steal cryptocurrency private keys from users’ smartphones.

SpyAgent hunts for private keys by using optical character recognition (OCR) to read and extract text from screenshots and images stored on the device.

The malware is propagated through malicious links sent in text messages.

The notification followed the discovery of a different malware threat in August.

Similarly, the “Cthulhu Stealer,” which targets macOS systems, poses as trustworthy software and steals personal data such as IP addresses, MetaMask passwords, and cold wallet private keys.

In the same month, Citrine Sleet, a North Korean hacker group, exploited a vulnerability it had discovered in Google Chrome in attacks built around fake job applications and cryptocurrency exchanges.

As previously noted, August saw a spike in cryptocurrency-related fraud, with various scams causing an astonishing $310 million in losses. That monthly total is the second-highest so far this year.